If you have a WordPress website, you should always be serious about security. WordPress is the most popular Content Management System (CMS) in the world. According to W3Techs, more than 40% of websites are built on WordPress. Because of this popularity, it attracts more attention from hackers.

In this article, I am going to share top WordPress security tips that will help you secure your WordPress website from hackers.

These security tips cannot make your site 100% safe from hacker attacks, but they can make your WordPress website very secure.

Why is WordPress Security Important?

If we do not secure a WordPress website, hackers can hack it immediately and infect or delete all its data. They can steal secret information, demand a ransom, and waste years of our hard work.

For any online business, this can cause a lot of damage to its important data, information, services, etc. It can also spoil the reputation of the website or blog.

Hackers can steal the information, passwords and important data of the users of the website. The site can also be infected with different types of viruses. By installing different types of software on the site and confusing its users, hackers can spread malware and viruses to their computers, mobiles, etc. To avoid all this, it is very important to secure the WordPress website.

How to Secure a WordPress Website or Blog?

WordPress is a very secure blogging platform, and its security keeps improving through regular updates so that hackers cannot hack sites built on it.

However, many websites are still being hacked, which is not WordPress's fault. When a site is hacked, the responsibility lies with the owner of the website. There are some responsibilities that the website owner should also take care of.

Here are some of the best tips to secure a WordPress website.

1. Change the Login URL for WordPress Security

In general, we log in to any WordPress website by adding login, wp-login.php, wp-admin, etc. to the end of its URL. Hackers, and almost all WordPress users, know this default login URL very well.

Hackers constantly try to log in by guessing your username and password so that they can gain access to the WordPress website, for example with the login ID “Admin” and passwords such as “12345”, “password”, “Admin”, “abcd”, etc. They have millions of combinations like this.

99% of brute-force attacks can be stopped directly by changing this default login URL of the WordPress website. You may wonder how almost 99% of hacker attacks can be avoided just by changing the login URL. It is because the changed login page becomes very difficult for anyone to find.

By making small changes in the URL, we can hide our WordPress login page from hackers and also block unauthorized access to this page. You can download “WPS Hide Login” to change the login URL of WordPress.

This is a very good WordPress security plugin for changing the WordPress login URL. With this plugin, you can change the login URL of your WordPress website to something like the following:

http://www.example.com/new_login

http://www.example.com/mynew-access

http://www.example.com/xyz_login_access

http://www.example.com/login-abc1234

You can name it whatever you want, but choose the name of the login URL in such a way that it is very difficult to guess.

Plugin ⇒ WPS Hide Login ⇒ Settings ⇒ Login url ⇒ Save


By going here we can change the login URL of WordPress. Before changing the login URL, back up the .htaccess file and the full website. Then, in case of any kind of error, you can put the old .htaccess file back or recover the site from the full backup.

2. Using Two Factor Authentication

Two Factor Authentication (2FA) adds an extra security layer to the login page of the WordPress site. After you enter the username and password on your login page, you will also have to enter a secret code that is available only on your phone.

Two Factor Authentication offers several options for login (OTP, Email Verification, Google Authenticator), and you can use any one of them.

3. Using Strong and Difficult Passwords

For WordPress security, the hardest and strongest password should be used, so that no one can guess it. The WordPress password generator can be used for this.

Also, to keep WordPress security better, the login password of the website or blog should be changed every few days. Make passwords difficult and complicated when creating them; complex and strong passwords are very difficult to hack. Make the password as complex and strong as possible, using uppercase letters (A), lowercase letters (a), numbers (1), and special characters (#$-'^&, etc.).

You can also create a complex and difficult password using an online password generator. The stronger and more complex the password, the more difficult it will be for hackers to crack it.

4. Changing the Admin Username for WordPress Security

The admin username is saved by default when you install WordPress. If the login username of your WordPress website is admin, change it immediately, because everyone knows this WordPress username and it becomes very easy for hackers to attack an account with this name. Never create an account with the admin username, as this name is too easy to guess.

Hackers can easily hack a WordPress website that uses the admin username, because then they only need the password, and with the help of different guessed passwords the site can be easily hacked and damaged. You can download “Username Changer” to change the login username of the WordPress website. With this, the admin username can be changed easily.

Click on Users >> Your Profile. You will now see a new option next to your username box: Change Username.

Click on it, enter your new WordPress username, and then hit the Save Changes button. Congratulations! You have successfully changed your WordPress admin username.

You can also change the admin username manually. After logging in to cPanel, go to phpMyAdmin; there you can edit the username by opening the users table (its name is the database prefix followed by users).

5. Blocking IP and User Agents

If someone tries to log in to the WordPress website again and again with a wrong username and password and keeps failing, that user can be blocked with the help of an IP-block feature. This kind of brute-force attempt can be stopped in this way. The unauthorized access is blocked by the security plugin, and you also get an email notification about it.

Security plugins like Wordfence, All In One WP Security & Firewall, iThemes Security, etc. block such unauthorized access. By blocking the IP address used by hackers, they protect the website from being hacked.

Set the login limit to a maximum of 3 attempts. If someone keeps trying to log in even after these 3 attempts, such users or hackers can be blocked forever.
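
The 3-attempt limit can also be checked against the web server's access log. The script below is an added example, not part of the original article or of any plugin named above. It assumes an Apache combined-format log and that a failed login shows up as a POST to wp-login.php answered with status 200 (a successful login is redirected with 302); the function names and log lines are constructed for illustration.

```shell
# Constructed sample: Apache combined-format access log lines.
# IP addresses come from the documentation ranges, not real hosts.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:05:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Mar/2024:09:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Mar/2024:09:10:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Mar/2024:09:10:17 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:09:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:09:20:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:09:20:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:09:20:15 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF
}

# Print "<ip> <failed attempts>" for every client that exceeded the limit.
#   $1 = access log file
#   $2 = allowed failed attempts (defaults to the article's limit of 3)
failed_login_ips() {
    awk -v limit="${2:-3}" '
        # Assumption: POST to wp-login.php answered with 200 = failed login.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print ip, fails[ip] }
    ' "$1" | sort
}

# Demo on the constructed log: only the client with 5 failures is reported.
# Page views (GET), a client at exactly 3 failures, and a client that
# eventually logged in are not reported.
log=$(mktemp)
sample_log > "$log"
failed_login_ips "$log"
rm -f "$log"
```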

6. Renaming WordPress Database Table Prefix

When you install a WordPress website, the names of its database tables start with the prefix wp_. To view it, log in to cPanel and go to the phpMyAdmin section. Here you will see the site's tables with this prefix: wp_comments, wp_options, wp_links, etc.

Hackers are well aware of this default database table prefix. SQL injections can severely damage a site's database.

This type of attack can be avoided by renaming the database table prefix. For example, wp_ can be changed to a name of your choice, like mywp_, xizq_, istc_, xzxi_, etc. Numbers can also be used in it.

If you have already installed WordPress and the table names start with wp_, the database table prefix can be easily changed with the WordPress plugin “All in One WP Security & Firewall”.

7. Backing Up Websites Regularly

If all the WordPress security measures mentioned above fail, you are left with only one weapon, and that weapon is a regular backup of the WordPress website.

Suppose your site is completely infected by a virus and has become defective, and its content and all data have been deleted. With a backup, you can restore the WordPress website completely as it was before.

If you don't have a backup, then assume that your site is completely destroyed and your years of hard work have been wasted. From this you can understand how important it is to back up the site regularly.

Backing up your website regularly is one of the ways to keep any website secure. No matter how much we increase WordPress security, there is always some room left for hackers. So keep backing up your site to Google Drive, Dropbox, OneDrive, etc.

The website can also be backed up regularly with the help of cPanel. If the content or any data of the website is ever damaged, the website can be fixed or restored with the help of this backup whenever you want. There are some good plugins available in the WordPress repository that help in backing up the site.

VaultPress is a premium backup plugin developed by Automattic, and it is a great backup plugin, but you will have to spend money on it. With it, automatic backups can be taken at any time. It also scans the site for malware and sends alerts if anything bad happens on the site. There are many other WordPress backup plugins available that you do not have to pay for. These are absolutely free and can be good for backing up your WordPress website, but with the free versions only limited data of the site can be backed up.


UpdraftPlus Backup Plugin is a great backup plugin for WordPress website, which can take full backup of your site automatically.

8. Updating WordPress Core File for WordPress Security

The WordPress developer team regularly updates WordPress with bug fixes, security patches, etc. So whenever a WordPress update is released, install it. If you do not take updates seriously, you may have to face security vulnerabilities, and hackers can inject malware into your site.

Also keep plugins and themes up to date. Not updating themes and plugins regularly can also be a big problem for a WordPress website. So whenever an update comes, install it immediately.

If you do not update the WordPress website regularly, this can also cause your site to be hacked, because hackers also attack through plugins and themes.

Updates make software more secure and better, and they remove its deficiencies.

Note: Avoid using plugins and themes that haven't been updated for years. Use their alternatives instead.

9. Stop File Editing

If a user or hacker gets into the dashboard of your WordPress website, he can edit or delete any theme or plugin file from the dashboard. He can even delete the main files of the WordPress installation. That is why it is very important to secure the dashboard of the WordPress website.

To disable theme and plugin editing from the WordPress dashboard, paste the code below before the /* That's all, stop editing! Happy blogging. */ line.

define( 'DISALLOW_FILE_EDIT', true );

Add this code to the wp-config.php file. This will remove the editing feature from your site's dashboard. To enter the code, log in to your hosting's cPanel, then navigate to File manager >> Root Folder. Here you can see your wp-config.php.

Note: Before entering the code, back up your wp-config.php file.

10. Securing the wp-admin directory for WordPress Security

The wp-admin directory is the most important directory of the WordPress website. It is similar to the motherboard of a computer: if there is an issue in the motherboard, the computer does not work properly or gets damaged. Similarly, if there is an error in any of the files in the wp-admin directory, the WordPress website will not work properly.

The dashboard of the WordPress website is already secured by a username and password. Securing the site's wp-admin directory with another password adds one more security layer, where a password has to be given twice to enter: first a password for the wp-admin directory, then a password for the login area. In this way this area becomes double protected.

First log in to cPanel and go to Directory Privacy. Click on public_html, type wp-admin in the “Enter a name for the protected directory” field, and save. After this, create a username and password and save again.

Now this directory of WordPress is password protected. As soon as an admin wants to enter the dashboard or the wp-admin directory, he will need to provide the username and password.

This protection sometimes causes issues, so protect this area wisely. If there is a problem, the protection can be removed again.

11. Securing the WP-Config.php File

The wp-config.php file stores important data for the installation of the WordPress website. This file stores data and information such as MySQL settings, secret keys, database table prefixes, ABSPATH, etc.

If there is any mistake in this file, the whole site starts malfunctioning. So keeping it safe means keeping the WordPress website secure. If the wp-config.php file is secured, it becomes much harder for hackers to break the security of the site.

It is very easy to secure it. After logging in to cPanel, go to File manager >> Root Folder, find the wp-config.php file, and change its permissions. The permissions of this file have to be set to 400 or 440, so that no other user can read or write it.

Apart from this, you can deny all web access to the wp-config.php file by putting the following code in .htaccess:

<files wp-config.php>
order allow,deny
deny from all
</files>

It is very important to keep the wp-config.php file of the WordPress website safe; otherwise the data of the WordPress website can be stolen and the site hacked through this file.

12. Change All Directory and File Permissions for WordPress Security

Setting the right directory and file permissions is also a good step towards securing the site, but if it is done incorrectly, it can harm the WordPress website. So change the permissions of directories and files carefully.

Set permissions to “755” for all directories and “644” for all files. With this, all the directories, sub-directories and files of the WordPress website will be secure.

According to WordPress.org, all directories should have "750" or "755" permissions. All files must have a permission of "644" or "640".

For wp-config.php this permission should be "440" or "400". Along with this, no directory should have the permission "777". If the permission of any directory or file is “777”, change it immediately, because it is bad for WordPress security.

You can change the permissions manually by logging into cPanel and going to File Manager. You can also change the permissions through an FTP connection. For this you need to download the FileZilla software.

This software is available for free; you do not need to pay for any kind of subscription. The All In One WP Security & Firewall plugin also guides you through this file system security.
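
The permission rules above (755 or 750 for directories, 644 or 640 for files, 440 or 400 for wp-config.php, nothing at 777) can also be checked from a shell on the server. The script below is an added example, not part of the original article; it assumes shell access to the hosting account, and the function names audit_wp_perms and fix_wp_perms and the demo tree are made up for illustration.

```shell
# Print one finding per line as "<KIND> <path>" for everything under $1
# that breaks the permission rules stated in this section.
audit_wp_perms() {
    root=$1
    # Anything writable by "other" (777, 666, ...) is the most urgent finding.
    find "$root" \( -type d -o -type f \) -perm -002 | sed 's/^/WORLD-WRITABLE /'
    # Directories must be 755 or 750.
    find "$root" -type d ! -perm 755 ! -perm 750 | sed 's/^/DIR /'
    # Files must be 644 or 640; wp-config.php has its own, stricter rule.
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 | sed 's/^/FILE /'
    # wp-config.php must be 440 or 400.
    find "$root" -type f -name wp-config.php ! -perm 440 ! -perm 400 | sed 's/^/CONFIG /'
}

# Apply the section's values: 755 directories, 644 files, 440 wp-config.php.
# Take a backup first; wrong permissions can break the site.
fix_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 440 {} +
}

# Demo on a constructed tree that stands in for a real install.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
: > "$demo/wp-config.php"
: > "$demo/index.php"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"      # the mistake the section warns about
chmod 644 "$demo/index.php" "$demo/wp-config.php"

audit_wp_perms "$demo"   # reports uploads (twice) and wp-config.php
fix_wp_perms "$demo"
audit_wp_perms "$demo"   # reports nothing after the fix
rm -rf "$demo"
```

On a real site, call audit_wp_perms with the WordPress root folder (for example public_html) and review the findings before running fix_wp_perms.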

13. Hard Password for User Account

Such a plugin forces the users of the site to use strong and difficult passwords. Until the user changes the password, it does not allow access to the admin page or any other area. Keeping the interest of the site in mind, this kind of plugin is very useful for multi-author blogs. There are other plugins of this type that can be downloaded for this purpose, for example Force Strong Passwords.

14. Directory Indexing and Browsing Disable

Directory indexing and browsing is used by hackers. Through it they try to learn which file of your site is where and what weakness is hidden in it, and then use this weakness to gain access to that file and hack the site. Directory browsing simply means that people can freely view the site's photos, files, folders, subfolders, directories, etc. Keeping WordPress security in mind, you would not want people to see all the files, folders, photos, directories, etc. on your site.

Some WordPress folders like wp-content and wp-includes store sensitive data, which can be easily seen through directory browsing. The wp-content folder stores the WordPress website's themes, plugins, and media uploads. Anyone can attack the site by accessing this content or data. So not disabling directory browsing is an open invitation for hackers.

There is one simple thing you have to do to stop directory browsing. At the end of the .htaccess file, write or paste this simple code:

# Turn off directory listings. Use -Indexes on its own: Apache 2.4 rejects "All" mixed with +/- options.
Options -Indexes

15. Removing WordPress Meta Generator and Version Information

You can also protect the site from hackers by removing the WordPress version information. While attacking a site, hackers also look for the version of WordPress it runs. The version info of any WordPress website can be seen by going to 'view page source'.

Therefore WordPress security can be improved by removing the version of WordPress. With the All In One WP Security & Firewall plugin you can easily remove the version number of the WordPress website, and there are many other WordPress security plugins that can remove it.

16. Using SSL Certificates for WordPress Security

SSL means "Secure Sockets Layer". An SSL certificate creates an encrypted connection between your web server and the browser of your site's visitors, so that private and confidential information is transferred between them without leaking.

SSL certificates are often used to secure debit card and credit card transactions, data transfer, logins, etc.

An SSL certificate ensures secure data transfer between the user's browser and the server, which makes it very difficult for hackers to steal any of your information in transit.

It is very easy to use an SSL certificate for any WordPress website. You can buy an SSL certificate from the same place where you buy hosting for your site. An SSL certificate can be purchased for any site from Bluehost, Hostgator, GoDaddy, etc. Here is a guide: How to Setup Free SSL in WordPress Site Using CloudFlare

Google now uses SSL certificates as a Google ranking factor. The absence of an SSL certificate also affects the ranking of your website: Google ranks sites with SSL better than sites without SSL certificates. Therefore, an SSL certificate should be installed both so that your site ranks well in Google and for security.

17. Securing the .htaccess File

To protect this file, you can edit it and put the following code in it.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

With the help of the code above, any unauthorized access to this file can be prevented.

18. Securing WP Login Page With .htaccess

The best way to improve your WordPress security is by pasting a small code snippet in your .htaccess.

This method is not recommended if you do not have a static IP address, because it will block you as soon as your IP address changes.

# Apply the restriction to the login page only, not the whole site
<Files wp-login.php>
order deny,allow
allow from [insert your IP address]
deny from all
</Files>

19. Using Antivirus in Your Computer

If the WordPress website is to be protected even further, it is very important to have a good, pro-version antivirus on your computer. Many antivirus products now come with Internet Security features, which prevent any type of online attack.

This is very simple information, but many people do not consider it important. Hackers use viruses that can steal any type of data, information, usernames, passwords, etc. from a computer without antivirus.

That's all! These are some simple but very effective tips about WordPress security that will help in securing your WordPress site. The more attention you pay to the security of the WordPress website, the more difficult it will be for hackers to break it.