Search Our Database

Improve Your WordPress Security

Last updated on |
by

Introduction

Securing your WordPress site is crucial to prevent attacks, data breaches, and unauthorized access. This guide outlines key steps to enhance your website’s security, protecting your content and users from potential threats.

 

Prerequisites

  • Admin access to WordPress.
  • Knowledge of basic WordPress settings.
  • Access to the hosting control panel or server for advanced configurations.

 

Update everything

Each new WordPress release includes essential security patches that address known vulnerabilities.

Failing to update to the latest version leaves your site exposed to potential attacks, as hackers often target outdated WordPress installations with known security flaws.

Regularly check your dashboard for update notifications and prioritize applying them to protect your site. Ignoring these updates can significantly increase the risk of exploitation.

update

The same principle applies to themes and plugins.

Ensure that they are always updated to the latest versions upon release.

Regular updates help address security vulnerabilities and reduce the risk of your site being compromised.

Keeping all components current significantly lowers the chances of hacking attempts targeting outdated code.

 

Use strong passwords

According to data, about 8% of hacked WordPress websites are compromised due to weak passwords.

If your administrator password is something like “letmein,” “abc123,” or “password,” it’s critical to change it immediately to something more secure.

Creating a strong password, ideally using a password manager like LastPass, can significantly enhance your security. If you use a password manager, ensure your master password is strong and secure to prevent unauthorized access.

 

Avoid admin as a username

Every year, there was a surge in brute-force attacks targeting WordPress websites using the default username “admin” combined with common passwords.

If you still use “admin” as your username, your site is highly vulnerable to such attacks.

It is strongly recommended to create a new administrator account with a unique username and delete the “admin” account. This change, along with a strong password, greatly reduces the risk of unauthorized access to your site.

Posts from the “admin” account can be reassigned to the new user.

 

Hide your username from the author archive URL

To prevent attackers from discovering your username via the author archive URL, it’s essential to hide it.

By default, WordPress includes your username in the URL of the author archive page (e.g., http://yoursite.com/author/joebloggs), which can expose your account to brute-force attacks.

To avoid this, modify the user_nicename entry in your WordPress database. This simple step can help improve your site’s security and protect against unauthorized access.

 

Limit login attempts

In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.

Limit Login Attempts does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.

There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.

 

Disable file editing via the dashboard

In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.

The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );

 

Try to avoid free themes

We’re confident in the quality and security of our free themes. As a general rule, though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.

The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.

If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.

Important Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer

 

Keep a backup

I can’t overemphasize the importance of making regular backups of your website. This is something that many people put off until it’s too late.

Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack.

If that happens you want to make sure all of your content is safely backed up, so that you can easily restore your site to its former glory.

The WordPress Codex tells you exactly how to backup your site, and if that seems like too much hard work, you can use a plugin such as WordPress Backup to Dropbox to schedule regular automatic backups.

 

Use security plugins

Apart from all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.

Here are a handful of popular options:

 

Conclusion

By following these security measures—such as updating regularly, using strong passwords, and enabling security plugins—you reduce the risk of attacks. Always back up your site as a precaution.

 

Article posted on 24 March 2020 by Louis