10 Tips to Secure your WordPress Website

WordPress is the most popular blogging platform and is used by millions of users around the world. Owning a WordPress website can be incredibly rewarding since it can be a revenue channel, and give your thoughts and vision an online presence.

However, the high number of users on the WordPress platform has also made it one of the most targeted CMSes by hackers. WordPress security is a concern for every website owner who uses it as a CMS (Content Management System) for their blog or online store. Hackers are always targeting websites built on the WordPress platform, – the number of attacks reaching as high as 123084 per minute! The need of the hour for WordPress users is to learn how to secure their website and start with basics. Firstly, you need a robust WordPress host if you are serious about security. Best web hosting for WordPress will automate several backend processes for the user and will provide excellent customer support in case of a mishap.

Here’s how you can secure your WordPress website

1. Keep WordPress up-to-date

If your WordPress website is running on an outdated version, there is a substantial risk of it being compromised. Update the WordPress core frequently to patch any security vulnerabilities. Choosing the best web hosting for WordPress will give you an option to update WordPress automatically. With the latest version installed, a WordPress website will be more secure and stable than the previous versions. Make sure you check the changelog and see the revisions with the updated version. You should also delete the version number from both the head file and RSS feeds to make your website more secure. To do this, add the following function to your functions.php file.

function wpbeginner_remove_version() {

return ”;

}

add_filter(‘the_generator’, ‘wpbeginner_remove_version’);

2. Keep Themes and Plugins Updated

WordPress uses third-party themes and plugins to enhance performance, usability, and aesthetics. Older versions with security loopholes can act as a backdoor into a WordPress website’s admin. It is easy to break into old themes and plugins, so make sure you are using plugins and themes that are regularly updated and have positive reviews. Your personal information can be compromised if an attacker finds a vulnerability in of your plugin. When updating the themes and plugins, delete the ones that are not in use to further secure your site’s backend. Remember to delete and not deactivate the theme or plugin.

3. Change File Permissions

If improperly set, file and directory permissions can compromise your WordPress website. The directories where your files are stored must be carefully vetted for permissions. Always avoid configuring directories with 777 permissions, instead opt for 750 or 755 for security purposes. For files, use 640 or 644 permissions. Make sure the wp-config.php file is set to 600 to ensure a secure filesystem. However, this will only work if you are using best web hosting for WordPress that gives file manager/FTP access.

4. Don’t Use ‘admin’ as Username

Most beginners who are starting their WordPress journey make this grave mistake of using admin as their username. Since admin is the default name given by WordPress it’s easily guessable & therefore is a loophole for a hacker to take advantage of. Make sure you change it at the earliest. By changing your username from admin to a different name, you can block several brute-force attacks by hackers. Change your current admin username by inputting an SQL query in phpMyAdmin.

Additionally, you can change the admin URL and make your website’s backend more secure. You can do it by following the steps given below –

• Add Constants to wp-config.php file

define(‘WP_ADMIN_DIR’, ‘secret-folder’);

define(‘ADMIN_COOKIE_PATH’, SITECOOKIEPATH . WP_ADMIN_DIR);

• Add the following code in the php file of your active theme

add_filter(‘site_url’, ‘wpadmin_filter’, 10, 3);

function wpadmin_filter( $url, $path, $orig_scheme ) {

$old = array(“/(wp-admin)/”);

$admin_dir = WP_ADMIN_DIR;

$new = array($admin_dir);

return preg_replace($old, $new, $url, 1);

}

• Add the following code to .htaccess file

RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]

Furthermore, you should change default WordPress database table names and secure your website from hackers. Since the WordPress database stores every single information of the website, it is targeted by spammers and hackers through automated codes for SQL injections. You can do it in following steps –

• Change Table Prefix in wp-config.php file

For example,

$table_prefix  = ‘wp_a123456_’;

• Change all Database Table Names

Add the following SQL query in wp-config.php file

RENAME table `wp_commentmeta` TO `wp_a123456_commentmeta`;

RENAME table `wp_comments` TO `wp_a123456_comments`;

RENAME table `wp_links` TO `wp_a123456_links`;

RENAME table `wp_options` TO `wp_a123456_options`;

RENAME table `wp_postmeta` TO `wp_a123456_postmeta`;

RENAME table `wp_posts` TO `wp_a123456_posts`;

RENAME table `wp_terms` TO `wp_a123456_terms`;

RENAME table `wp_termmeta` TO `wp_a123456_termmeta`;

RENAME table `wp_term_relationships` TO `wp_a123456_term_relationships`;

RENAME table `wp_term_taxonomy` TO `wp_a123456_term_taxonomy`;

RENAME table `wp_usermeta` TO `wp_a123456_usermeta`;

RENAME table `wp_users` TO `wp_a123456_users`;

5. Add two-step authentication

Use two-step authentication when logging into your WordPress website. This will prevent brute-force attacks and lessen your chances of being hacked. With a two-step authentication, the user will have to input the password and a security code which is sent to a different device such as a phone. The security code is usually sent via SMS on the registered phone number. There are dedicated plugins like Google Authenticator, Clef and Duo Two-factor Authentication which can be used to add two-step authentication

6. Add a Firewall

With a firewall, a user can set rules for filtering incoming, outgoing and forwarding packets. By monitoring your network traffic, you can restrain certain applications from using the internet. A firewall acts as a filter that can keep malicious requests away from your system.

7. Frequent Backups

Since the world has gone digital, the power of backing up data is often understated. Backup is the most crucial aspect when it comes to the website. In an event where a mishap occurs and your website is compromised, you will lose all the data, and the website will be nullified. With frequent backups, you can restore your website to the previous image, with all your data intact. Scheduling regular backups for a peace of mind is essential. Usually, the best web hosting for WordPress will provide automated backups. Move WordPress site to a new host if your current hosting provider does not provide regular automated backups.

8. Limit User Access and Logins

Limiting logins will stop hackers from using brute-force attacks on your website. Alternatively, you can use certain plugins like Logic LockDown to limit login attempts by unknown users. Restricting the number of users who have access to your website will further ensure that a password leak does not compromise your website. Different users will access the site from their machines which are calibrated differently than your device. Therefore, it can lead to unforeseen security loops. Also, it is wise to limit tasks and give users less permission than the administrator.

9. Eliminate PHP Error Reporting

It is important to get rid of any weak spots and simultaneously work to improve the backend of your website. In case you have a redundant plugin or theme, or if it malfunctions, it is bound to create an error message. However, the catch here is that – this message will include your server path. If a hacker lands on your website and views the error reports, they will know the server path and can find a way to your website’s backend. Disable the PHP error reporting by entering the following command in the wp-config.php file

error_reporting(0);

@ini_set(‘display_errors’, 0);

• Protect the Pertinent Files using .htaccess

.htaccess file is at the heart of your WordPress website and directly affects how your website structures permalinks and how it handles security. There are several snippets available from the user community that can enhance usability and patch vulnerabilities. This is only accessible if cPanel, FTP and, File Manager is available from the hosting provider.

There are several things you must do with .htaccess –

• Hide wp-config.php file by inserting the following code in .htaccess file

<files wp-config.php>

order allow,deny

deny from all

</files>

• Block your Website’s directories

options all -indexes

Securing a WordPress website is a comprehensive approach, and requires more than just installing a couple of plugins. If you want your website to be robust, the first step is to choose the best web hosting for WordPress. A reliable website host will provide automated backups, SSL certificates, SiteLock, and even encryption. Make sure you choose wisely!