Mind Mingles Logo

How To Secure A WordPress Website 2024: 20 Best Security Tips

By

|

Published on

How to secure a wordpress website

Table of Contents

A research conducted by W3Techs suggests that WordPress holds 62.6% of the market share at present, being the most preferred CMS used by 44% of site builders. However, if its security isn’t avant-garde, then no matter how embellished your site is, it is going to stand in deep waters. Security concerns are the key to maintaining a healthy and safe website which makes it quintessential to learn how to secure a wordpress website. In this blog, we’ll discuss the WordPress security recommendations for contouring the vulnerabilities 

What Are The Benefits Of Securing WordPress Site? 

  • Protects site from data breaches.
  • Builds trust among customers/audience
  • Improves SERP rankings
  • Serves as defence against unwanted legal actions
  • Enhances website maintenance

Common Threats To Website Security

  1. Weak Passwords
  2. Brute Force Attacks
  3. Cross-Site Scripting (XSS)
  4. SQL Injections
  5. Cross Site Request Forgery (CSRF)
  6. Phishing
  7. Outdated Software/Versions
  8. DDoS
  9. Spam
  10. Malware

WordPress Security Checklist 

In this section, we’ll discuss typical security measures that don’t require technical know-how:

1. Update your website regularly 

Updating your WordPress website regularly is a basic yet great idea if you’re bothered about unwanted security concerns.. Minor updates are usually done automatically by the platform itself, major updates releases however need site owners’ attention. In addition, plugins and themes also require timely upgrades for security enhancement. 

Retain a backup of your existing WordPress site beforehand so that you won’t lose any data in case the plugin or theme updates aren’t compatible with the new WordPress version or don’t go your way.

Follow these steps to update your WordPress website: 

  • Log in to your website admin panel.
  • Locate the Dashboard option in the left-side menu and then click on Updates, check whether the version of WordPress you’re using is outdated or not. 

 

How to secure a wordpress website

 

  • Update it for the current available version. Scroll down a little to the plugins section and update them, and just below that you’ll find the theme section. 

Alternatively, follow the below-stated steps to update the themes and plugins integrated into your WordPress site: 

  • Access the WordPress admin panel with your credentials. 
  • On seeing the Menu to the left, select Dashboard and then go to Updates. 
  • Go to the Themes and Plugins section and see for the updates if any. 

You can also leverage the automated updates feature with these steps: 

  • From Dashboard navigate to Websites then click on WordPress, then Security.
  • Scroll down a little, and click Automatic Updates Configuration.
  • Enable Automatic Updates. 

If you’re a WordPress Business user or have access to any of its Cloud hosting plans, simply go to Show Advanced Settings and select Yes, Enable All Updates option for core updates, themes as well as plugin updates. This will allow automatic update installs and make it easier to manage this setting. 

Regular updates with improved security patches will keep your WordPress site healthy. 

2. Setup safelist and blocklist

Building a safelist – a list of all the trustworthy domains or IP addresses, and a blocklist- a list of malicious domains/IPs to restrict them from accessing your website, is an excellent way to secure your WordPress website from falling into the trap of hackers. 

This can be done through plugins or WAF, for instance – you can use Wordfence or Sucuri to block certain IP addresses. Follow these simple steps to do this: 

  • First things first- ensure to keep a backup of your .htaccess file or WordPress site for restoring it because the procure we’re about to discuss can be a little tricky.
  • Log in to wp-admin dashboard.
  • Go to the Plugins > Add New.
  • Search for the File Manager Plugin, and install it. 
  • Activate the plugin and go back to the WordPress Dashboard. Hover over to the Plugins > Htaccess Editor. 

Or else, you can do this through cpanel:

  • Keep the backup of your WordPress site intact in any case.
  • Log in to your hosting account’s control panel and go to the File Manager. 
  • On the left-hand side menu, search and click on the public_html folder. 
  • Then access the .htaccess file. Now insert a line before # BEGIN WordPress in the file. And with this, you’re all set to add your desired code and configuration

NOTE: In case, you’re unable to find the .htaccess file as stated in the last step, open the “public_html” folder > Settings > Preferences > check the box next to Show Hidden Files. 

3. Remove unused plugins and themes 

Any inactive or outdated theme or plugin can be prone to fall prey to hackers. That’s why you must relinquish keeping them on your website. In addition to this, unused themes/plugins that aren’t serving any purpose must also be deleted.

To disavow outdated themes and plugins, follow these easy steps:

    • Open the WordPress Dashboard.
    • Navigate to Plugins → Installed Plugins.

 

WordPress Security Checklist 2024

 

    • In order to activate the delete button you first need to deactivate the plugin, so click on Deactivate. 

 

WordPress Security Checklist

 

    • You’ll see the list of all installed plugins. Click Delete under the plugin’s name, which is not updated and thus vulnerable to cyberattacks.

However, if you are willing to delete an unused theme:

  • On your WordPress admin dashboard, click on Appearance > Themes.
  • Click on the theme that you don’t need anymore. 
  • A pop-up window will appear on your screen, showing the theme details. Click the Delete button on the bottom-right corner.

4. Use a unique WP admin login name

With the shift to technological advancements, password-based protections have become an inevitable part. Without them, hackers can provide an unimaginable level of harm to online files. That’s why we suggest using strong credentials for your wp-admin login panel. While doing so, you must remember not to use usernames that are prone to brute force attacks such as– “admin” or “administrator,” as they are easy to guess. 

In case you’ve already made this blunder, then follow the below-stated steps and create a new WP Administrator account:

  1. On your WordPress Dashboard, find and click on Users, then Add New.
  2. Create the account as an Administrator. Provide a strong password with a combination of:
  • uppercase and lowercase letters
  • numbers
  • Symbols.
  1. Then click on Add New User. 

Furthermore, enabling auto log-out is another crucial aspect that saves your site from falling into the hands of the predator in case you forget to log out. In addition to this, fettering the login attempts to a certain number can also help secure your WordPress site against brute-force attack. What’s more is that you can enable two-factor authentication for your site’s login panel, read further to discover how that works. 

5. Enable 2FA

Apart from securing your WordPress admin panel with unique and strong login credentials, you must attain 2FA (two-factor authentication) for the same. Whenever a hacker or outsider tries to log into your WordPress site, you’ll receive a notification for the same. This will hamper the actions of unauthorized access initiated with an extra layer of security protection to the conventional password method. 

Wordfence, Google Authenticator, Duo, and JetPack are some of the highly trusted plugins that come with the 2FA plugin. Here are the steps everyone willing to integrate a two-factor authentication on a wordpress site must know:

  • Ensure you’ve saved a backup of your website just in case anything goes wrong 
  • Log in to wp-admin dashboard.
  • Go to the Plugins > Add New.

 

 

Best WordPress Security Practices

 

  • Install and activate the plugin of your choice. A configuration wizard will launch the plugin. 
  • On the screen, hit the option of Let’s Get Started.
  • Now pick any of the given methods (Using an app OR Send code on email OR both) showing for enforcing dual authentication. 
  • Proceed by clicking on Continue Setup.
  • Now select whom you want to enforce this dual authentication (all users OR certain roles OR do not enforce any users), and click on Continue Setup. 
  • Next, you can enforce this authentication method real quick or allow a grace period for the users. 
  • You now need to select what consequences (unable to access their dashboard or block) the users will bear in case they don’t activate dual authentication.  
  • Lastly, select All Done. 
  • Now proceed to configure the dual authentication for your user account, for this, select Configure 2FA Now.

 

Best WordPress Security Practices

 

  • Select whether you want to receive the code via email or an authenticator app on your mobile device like a phone.  
  • Download the WordPress 2FA authenticator app of your choice on your mobile phone and scan the QR code and enter the one-time code received on your mobile in your WordPress site. 

Well, it’s time to check whether this works or not for simply logging out of your WordPress account. Log in with your username and password. After dual authentication is active, you’ll receive a one-time code for your website that you need to enter in your WordPress site. 

6. Disable file editing permissions 

File Editing permissions must be managed meticulously to avoid breach of authorized access. This will help you control the access of editing the database, themes, plugins, etc. on your website so that no one can alter them without your consent. To do so, you can add this code:

// Disallow file edits(‘DISALLOW_FILE_EDIT’, true);

at the end of the file wp-config.php:

You can also use a plugin to do the same. In fact, WordPress comes with a built-in theme file editor that can be easily accessed from your active theme, simply go to Appearance > Theme File Editor. Similarly, you can manage plugin files editing permissions as well. 

7. Change your WordPress Login URL

For one thing, unauthorized access to wp-login.php or wp-admin are the easiest URLs to hack on a WP site. That’s why it is strongly recommended by cybersecurity experts to change this url. While this is the 

  • Keep the backup of your site before proceeding.
  • To your .htaccess file in WordPress root directory, add this code:
RewriteRule ^mylogin$ https://%{SERVER_NAME}/wp-login.php?key=123&redirect_to=https://%{SERVER_NAME}/wp-admin [L]
  • Now swap the “mylogin” with a new and unique login URL and 123 with a random string. 

Or else, use the WPS Hide Login plugin for a more smooth, clean and effortless procedure. It lets users set distinct and unrepeated login slug for enhanced protection with a few clicks. 

8. Create regular backups and run security tests

One of the most basic yet effective techniques for anyone searching for how to secure a WordPress website is keeping regular backups of the site files, content, media, settings, features, etc. It is essential to note that whilst taking backup ensure you save the files to a remote location rather than your web hosting. That’ll allow you to have more control over the files. The most important benefit of backups lies in swift access to data in case any tampering is initiated by a hacker. 

Similarly, security scans also enable site owners to guard their websites from any unknown potential cyberthreat. Any malware or malicious practice such as XSS, database injections, backdoors, etc. can be making its way toward adulterating your site’s functionality. Thanks to the best wordpress security scanning tools that have made life much easier as they detect potential security threats to a website. 

There are several plugins that can protect your WordPress site from such loopholes. Doing this task manually can be a bit tedious, especially if one doesn’t have the required knowledge and familiarity with WordPress. Now that you’ve discovered how to secure a wordpress website with plugins, learn about some trusted and relevant ones: 

PLUGINS FOR WORDPRESS BACKUPSPLUGINS FOR SECURITY SCANS
  • Backup Migration
  • Security Optimizer
  • UpdraftPlus
  • Security & Malware Plugin
  • Duplicator
  • Wordfence
  • WP Database Backup
  • All-in-one WP Security Plugin
  • WP Overnight
  • Solid Security

9. Get An SSL Certificate

An added layer of Security Socket Protocol– that protects the data of users visiting your site and can boost your credibility enormously- is a must to safeguard your WordPress website. This is important to safeguard the flow of traffic to your site; in addition, elevates the trust factor among users. Google has already made it crystal clear to users to avoid opening a site without the HTTPS protocol in their link. This creates an instant surge in bounce rate if your site is devoid of SSL.

So invest in the right type of SSL certificate, depending on the requirements of your company and WordPress website. 

Protecting the data transmission between your site’s and users end is crucial to attain trust and maintain a strong grip over any unwanted disruption or data breach. Ecommerce sites are especially at the risk of attracting unwanted attention from the attackers who keep a watch on practices to conduct fraudulent activities to garner sensitive information. They should definitely invest in SSL and other best wordpress security practices.

10. Add Captcha

Captcha isn’t something alienated if you regularly visit a couple of sites. This added layer of security with the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is the biggest way to safeguard your wordpress site from unwanted spam comments, automated attacks, DDoS, and many other cyber security issues. 

There are various plugins that offer such a secure environment to your WordPress site including reCaptcha by BestWebSoft, Advanced nocaptcha, and Google recaptcha. The procedure to add them is similar:

  • Log into your WordPress dashboard.
  • Go to Plugins, then click on Add New and search for the reCaptcha plugin > install and activate the plugin. 
  • That’s it and you’ve successfully added reCaptcha to your WordPress admin panel.
  • Upon activation, visit the Google reCAPTCHA registration page ensuring that you’re logged into your GMail account.
  • Fill out the details on the new page and select the version that you want to use, then click on Submit. 
  • Furthermore yield the secret keys which must be added to your site. This requires a little know-how to do it yourself and keep the keys from anyone, or else you’ll need a website developer for assistance.

Adding captcha plugins will help block spam practices and succeed at creating a diligent automated protective web environment. 

How To Secure A WordPress Website: Best Practices WordPress Security 

Here are some advanced moves that can help you cease the efforts of hackers and avert them from corrupting your WP website:

1. Use .htaccess to disable php file execution and protocol the wp-configuration.php file

 

This will allow you to combat any backdoor scripts that an attacker uses to make changes to your WordPress website. To disable PHP reporting means you’re not putting everything out on a plate for cybercriminals to harm your website. You can modify the php file:

  • Go to your site’s wp-config.php file using an FTP client.
  • All you need to do is, add this code to the php directory files that you want to obscure access for.
<files wp-config.php>
order allow,deny
deny from all
</files>
<files wp-config.php> order allow,deny deny from all </files>
<files wp-config.php>
order allow,deny
deny from all
</files>
  • Save the changes

Or else, you can use cpanel to block the potential edit threats in your wp-config.php file:

  • From your hPanel dashboard, go to the Advanced section.
  • Hit on PHP Configuration.
  • Under the PHP Options tab, uncheck the display Errors option.
  • Click on Save.

2. Change default WP database prefix

To prevent any unauthorized SQL injections in your WordPress website, you must change its database prefix to something unique and difficult to guess. 

One way to do this is by using WP CMS and renaming the prefix when you link it with your web hosting. Another way is to use a plugin. Once installed and activated, go to your dashboard > Tools > select the plugin name and change the new prefix name.

3. Block hotlinking from other sites

If your media files are being hotlinked by a source, you can avert them by blocking their access. Read further as we explain how to do so…..

Using .htaccess file via FTP, you can enter the following code into your WordPress root delivery: 

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Simply enter “yourdomain” with actual domain name and 

save the changes. 

Alternatively, you can use a CDN or plugin to do so. 

4. Hide WordPress Version

Displaying your WordPress version number can stand in the way of you and your website security. That’s why whosoever searches for how to secure a wordpress website using a plugin is recommended to use Sucuri plugin. As one of its top-vigilant features, it removes your WP version number from catching the attention of hackers in site files. 

5. Change your web hosting

A safe and secure web hosting is an inseparable component of a reliable website. If your WP website is integrated with a wrong or low-quality hosting provider services, no matter how much you read about how to secure a wordpress website. So ensure you’ve signed up for the bestest hosting provider in terms of security, features and support/maintenance. 

6. Manage file and folder permissions

With a loose grip over file and folder permissions can make your website security land in trouble. That’s the reason experts always suggest controlling and managing these permissions from behind the scenes. Use an FTP or file manager to alter the permissions for writing, viewing and accessing the codes. 

7. Choose appropriate user roles

Giving unnecessary access to the users on your site can become a plausible cause of trouble and headache for you. Thus defining the right role is imperative for WordPress site security. The platform provides 6 user roles that are as follows:

  • Administrator
  • Super Admin
  • Author
  • Contributor
  • Subscriber
  • Editor

You can read about each of these roles in this WP User Roles & Responsibility guide.

8. Install a firewall

Another practice that fosters your WP site’s security is implementing a firewall – which serves as a blanket of protection to safeguard your site from any potent and harmful attack from a hacker like XSS, CSRF, SQL injection, etc. Since WordPress doesn’t come with a built-in firewall, we suggest using the one that suits best your needs and server requirements

People usually install the Web Application Firewall (WAF) plugin, however, you must assess its functionality based on your requirements.  

9. Use secure theme and plugins

In search of the best themes and plugins for WordPress, it is very crucial to know their source. Yes, you read that right! From where you download or install a plugin or theme matters because hackers can be sitting right there for you with a trap or else a free service provider might not be able to match the required security standards. That’s why it is advised to download plugins from WordPress.org to not compromise on their credibility. 

10. Monitor user activity/account

Last but not the least, always keep a tab on the ongoing activities in your WordPress website. Whether it’s an unusual plugin configuration, an unknown post or a change in administrator settings, anything can lead to a drastic risk. It’s best to monitor these activities for every user from your admin dashboard. If you’re short of time to look after this, it’s better to hire a maintenance team or services rather than neglecting it. 

You can also use plugins like Activity Log, WP Activity Log, Simple History, etc.

Conclusion 

In these alarming times of cyberattacks, you can’t just neglect the security of your website even if it is built on one of the most trusted CMS like WordPress. That’s why you must get the grasp of how to secure a WordPress website. The above article has listed 20 such ways that will transform the status of your website’s security for good. 

Follow Us On

Latest Article

Scroll to Top

Book Your Package