WordPress Security Guide: 14 Actionable Tips to Harden WordPress

If you have a website running on WordPress then ensuring its security should be your foremost concern. But before you even begin to harden WordPress, you should first know…

Why WordPress Security is Important?

  1. WordPress accounted for 90% of all hacked sites that were fixed by Sucuri in 2018 as per this report.
  2. WordPress sets the default username to Admin which is child’s play to guess for anyone.
  3. WordPress reveals the username in the author slug by default.
  4. An intruder can access your site’s database tables which are, by default, set to wp_prefix and can be guessed easily, unless modified.
  5. Your site is vulnerable to DoS (denial of service) attacks which can result in prolonged downtime.
  6. A hacker can inject malicious code in your website’s database without your knowledge.
  7. And many more reasons as revealed by this WordPress security infographic.

This WordPress Security guide provides only the most useful tips for securing and hardening your WordPress site that you can implement right away, leaving you with ample time to focus on other important aspects of your website.

So let’s start.WordPress Security Checklist

1. Keep a Strong Password that is Hard to Crack

When you install WordPress on your site for the first time, you have to fill in the password among other details. An easy to crack password is the simplest way a hacker can gain access to your website. So what’s the solution?

Make sure you set a strong password containing a combination of uppercase and lowercase alphabets, characters and numbers that cannot be guessed. Please don’t keep a hacker-friendly password like “your name” or “password”.

The second tip is that you should never disclose your site password to anyone. If you have to provide your login details for support purposes to some 3rd party, make sure to change your password once the support issue is resolved.

2. Keep a Username that Cannot be Guessed

By default, WordPress sets the username to ‘admin’ at the time of installation. Nothing could be easier to guess than this. So please make sure to set a hard-to-guess username when you install WordPress.

But this is just the first step.

The second step is to hide your username from the site visitors since WordPress reveals your username in the author profile.

So head over to Admin menu>Users>Your Profile and change your Nickname from your admin username to something different, most probably your real name, and then select your newly created Nickname from the ‘Display name publicly as‘ dropdown.

3. Change the Author Slug to Hide Your Username

But even after you change the author nickname, WordPress reveals your real username in the author ‘slug’ or URL whenever anyone hovers over the author name. So, you should hide your real username in the author ‘slug’.

But how do you hide your username in the author slug or URL? There are two easy ways to do this.

The first method is by using a free plugin like Edit Author Slug.

Or if you’re like me and would rather do it manually rather than installing a plugin, then the second method is the best solution and hardly takes 5 minutes to implement.

Head over to phpMyadmin in your cPanel (hopefully your web host allows access to the php database). Once inside phpMyAdmin panel, from the left menu of scroll to the wp_users table (replace ‘wp’ with your database tables prefix).

You will see your login details here. You should change the user_nicename from your actual username to something different and then save the changes. That’s it; your real username will no longer be displayed on your author slug.

4. Setup 2-Factor Authentication for Login

Want to ensure fool-proof login security? Then consider setting up 2-factor authentication (2FA) for your login page. This way no intruder can gain access to your site even he manages to crack your password.

Now, you should know that different types of 2FA are available like SMS based or app-based. For the purpose of this step, we will use an app-based 2FA for securing the WordPress login page.

First, install the Google Authenticator plugin on your site. Of course, you must have the Google Authenticator app installed on your phone. If you have not already installed it, do it before proceeding to the next step.

Now in the settings page of the plugin, click on the Configure button under the Google Authenticator tab. It will ask you to first create a mini orange account (the plugin creator) which will take about 10 seconds. Now onto the next step.

Then scan the bar code using the Google Authenticator app on your mobile. Notice that you can also use the LastPass authenticator here if you prefer this app.

Finally, just enter the one time code and you are all set. But don’t forget to tick the “Enable 2FA prompt on the WP Login Page” checkbox.

Now when you log in to your site the next time, you will see an additional 2FA prompt below the email and password boxes like this.

5. Secure your .htaccess File for First Line of Defence

The .htaccess file is an Apache Web Server file that enables basic redirects and is also useful for enhancing your website security.

It is a good first line of defence for securing your website.

Your .htaccess file can secure your website in the following ways by:

  1. Restricting access to important files and folders
  2. Disabling directory browsing
  3. Allowing only specific IPs to access the Admin area
  4. Disabling access to XML-RPC File
  5. Blocking author scans

Now let’s start adding the code snippets for each of the above steps. Remember, you need to add the snippets listed in the following steps in your .htaccess file outside the #Begin WordPress and #End WordPress tags.

1. Restrict access to important files and folders

You should restrict access to important files such as wp-config.php, php.ini and .htaccess itself since no one but yourself should have a concern with these files. Just add the following snippet to restrict access.

# Block wp-config, php.ini and .htaccess
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all

Next, you should disable access to the wp-includes folder since this folder contains files that are required to run the WordPress core minus the plugins and themes. So why should anyone snoop around in this folder?

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

2. Disable directory browsing

What’s easier to break into for a thief, a home whose plan details are known or one whose are unknown? Similarly, if your site’s file and directory structure is visible, it will be easier for hackers to break into your site.

To prevent this, you should disable directory browsing by adding the following code.

Options -Indexes

3. Allow only specific IPs to access the Admin area

If you’re running a single author blog and access your site from known IPs, then you can only allow these known IPs to access the WordPress admin area by inserting the following snippet.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx

Remember to replace the xx in the snippet above with your IP. If you access your site from multiple IPs, then insert all the IPs in the ‘all from’ line.

4. Disable access to XML-RPC File

The XML-RPC file enables 3rd party application access to your website. If you’re not giving access to any 3rd party app, it’s advisable to disable access to the XML-RPC file since it could be used by hackers gain backdoor entry to your site.

Just add the following code in the .htaccess file to do this.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all

5. Block author scans

Another way hackers can gain entry to your WordPress site is by scanning all the usernames used on your site and then trying to crack your admin password with those usernames. This is typical of a brute force attack.

To prevent anyone from fishing for usernames, you should block author scans by adding the following snippet in the .htaccess file.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans 

6. Use a Security Plugin for All-round Protection

A good security plugin is essential to enhance your WordPress site’s security. There are many plugins available to boost your site’s security but some of the better ones include All-In-One WP Security & Firewall (which I use and recommend), BulletProof Security and iThemes Security.

Why I Recommend the All-in-One WP Security and Firewall plugin?

The free All-In-One WP Security & Firewall plugin has very useful features, including:

  1. It checks whether you have changed the default ‘admin’ username or not. It also checks your password strength using a Password Strength Tool.
  2. It has many user login options, including, options for preventing rogue sign-ins and site lockout features.
  3. If you allow user registration, you can implement captcha on the registration and login pages.
  4. Checks whether you still use the default wp_ prefix for your database tables and provides the option to change the database prefix.
  5. Enables automated backups of your database.
  6. Has multiple file security options, including, setting the default file permissions, disabling PHP file editing within the dashboard etc.
  7. You can ban multiple users by IPs or user agents.
  8. Has advanced firewall rules to completely secure your WordPress site.
  9. Prevents brute force attacks by using advanced options.
  10. Prevents comment spam by deploying captcha on the comment form and blocking comment spambots.
  11. WordPress scanner to detect changes in files
  12. And many more features.

7. Protect Your Site from DDoS Attacks

If you’re running a popular WordPress website with high traffic, your site could be vulnerable to DDoS (Distributed Denial of Service) attacks that can result in unscheduled downtime and loss of revenue.

There are multiple ways to prevent such an attack from occurring. The first is at the server or hosting level. Your hosting company could offer a DoS attack protection. If you haven’t decided on your web host yet, you can consider WPX Hosting that offers comprehensive website security for free.

The second method is to use a free CDN like Cloudflare that offers free DoS mitigation plans at the entry-level which are good enough for sites with moderate traffic.

8. Make Regular Backups for Unforeseen Situations

In the event of any disruption on your site, you could lose all your hard work, including, your posts. To prevent such an extreme event from occurring it is always advisable to maintain regular backups of your WordPress site.

Again, there are two ways to do this.

The first method is to find a web host that offers free daily backups. If you’re using managed WordPress hosting, chances are your web host already offers free daily backups. Even if not, you can check out with your host regarding this must-have feature.

The second method is to use a free plugin like UpdraftPlus that allows you to schedule daily automatic backups directly to Dropbox, Google Drive, Amazon S3 etc.

9. Use SSL to Encrypt the Connection between Your Site and Users

Secure Socket Layer (SSL) encrypts the information between your web host server and the visitors’ browser preventing leaking of sensitive information like their payment credentials to curious eavesdroppers.

Apart from the security aspect, SSL is also a ranking factor in Google’s search results and you would do well to implement it on your site. That’s why I recommend implementing SSL on your website. You can also get free SSL from some web hosts. Read on to know more.

10. Use Secure Hosting to Fortify Your Site

You may have taken the utmost care to secure your WordPress site, but what if your web server is prone to malicious attacks? There isn’t much you can do in this case.

But what you can and should do is to choose a web host that provides the maximum security to your websites. What kind of security am I talking about?

Well, the most important security feature your web host can provide is free malware scanning. After all, malware removal can cost an arm and length once your site is hit by a malware.

Fortunately, help is at hand.

We use WPX hosting for hosting all our websites since they provide the following three crucial features for securing my website, absolutely free of cost:

  1. Free malware scanning and removal
  2. Free SSL certificate for all my sites
  3. Free daily backups

I also have to add that WPX Hosting provides free cloud-based CDN (content delivery network) and a managed WordPress hosting support experience that I absolutely love.

11. Change the Database Table Prefix to Deter Hackers

Your WordPress database is vulnerable to MySQL injection if a hacker can get his hands on it. You cannot completely secure your WordPress database but you sure can make it difficult for hackers to find your database tables by changing their default prefix from “wp_” to something difficult to guess.

The easiest way to change your database table prefix is by using the terrific (and free) security plugin All-in-One WP Security and Firewall.

12. Update Your Plugins and Themes to Prevent Backdoor Access

Plugins are arguably the primary reason to use WordPress over any other CMS. They extend WordPress capabilities in a limitless manner. But they are also a source of malicious code which could play havoc with your website.

To avoid this possibility, make sure you install only legitimate plugins on your site and avoid any hacked or nulled plugin like the plague since the person who nulled the plugin could also embed some unsuspecting malware into the plugin.

Also, make sure to install the latest version of the plugin since these usually contain many bug fixes. If the plugin hasn’t been updated in a long time, it may be wiser to switch to an alternative.

Speaking of the latest version, make sure to…

13. Enable Auto Updates for Plugins and Themes

If you use many plugins, there may be frequent updates and updating these plugins will in itself become a chore for you. One easy fix for this is to use the JetPack plugin by Automattic (the creators of WordPress).

Jetpack has this wonderful option to enable auto-updates for all plugins that you install from WordPress.org repository. Remember, you will still need to update any 3rd party plugin manually.

But I am assuming that the bulk of your plugins will be free plugins installed from WordPress.org and you can enable auto-updates for all of these.

The second method is even better since you can auto-update not just your plugins but also themes and even the major versions of WordPress. However, you should not use this if there is a possibility of the updates breaking your site.

Just insert the following code in the wp-config.php file, which is located in the public_html directory.

define('WP_AUTO_UPDATE_CORE', true);
 add_filter( 'auto_update_plugin', '__return_true' );
 add_filter( 'auto_update_theme', '__return_true' );

14. Disable the Theme and Plugin Editor

You should also consider disabling access to the theme and plugin editor within your WordPress admin dashboard as an added security measure to prevent users with admin access to tinker with your database.

Just add the following single line of code in the wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

And there we have it. 14 in-depth tips to take your WordPress security to the next level and protect your site from most of the attacks that could be directed its way.

What do you feel about these tips to harden WordPress security and how many have you implemented on tour site? Let me know in the comments.

Please Note: This page contains affiliate links to products or services that are tried and tested by us. If you buy the product or service using our affiliate links, at no additional cost to you, it will help us to maintain this site and publish useful content regularly. Thank you.

Source :