Building a WordPress website is one thing; securing it is another. WordPress security matters because WordPress is the most widely used CMS on the web, and sites such as BBC America, Sony Music and Microsoft News run on it, so attackers pay attention to it. Automated scanners hit small sites just as readily as famous ones. Protecting your WordPress sites and the data behind them is the administrator's job: keep assessing the risks and reduce them wherever you can. Security is not only about removing the weaknesses you know of, but about preventing new ones from being introduced.
In this article we give guidelines for hardening a WordPress installation so that avoidable incidents stay avoided. They are ordered from easy to somewhat more involved, but none of them is difficult.
Table Of Contents
- Get an HTTPS (SSL/TLS) Certificate
- Use a Security Plugin
- Add Two Factor Authentication
- Limit Login Attempts
- Change WordPress Database prefix
- Disable File Editing
- Disable PHP File Execution
- Disable XML-RPC
#1 Get an HTTPS (SSL/TLS) Certificate
The first step for any website is to serve it over HTTPS. HTTPS is HTTP carried over TLS (Transport Layer Security, the successor to SSL, Secure Sockets Layer; "SSL certificate" survives as the informal name for the certificate involved). TLS encrypts the traffic between the visitor's browser and your server and authenticates the server through a certificate issued by a certificate authority, so that credentials, session cookies and form data cannot be read or altered by anyone on the network path. For WordPress this matters most for wp-login.php and wp-admin: without HTTPS the administrator password and the authentication cookie cross the network in clear text. Once the certificate is installed, set both the WordPress Address and the Site Address to https:// URLs, redirect all plain-HTTP requests to HTTPS, and consider setting FORCE_SSL_ADMIN to true in wp-config.php so the dashboard and login page are never served over plain HTTP.
Commercial certificates differ in validation level (domain, organisation or extended validation) and in warranty, with prices ranging from about $7.29 to $200 per year, but the encryption is the same for all of them. A free domain-validated certificate from Let's Encrypt, which most hosting panels can issue and renew automatically, protects the connection just as well.
#2 Use a Security Plugin
With the connection secured, install a security plugin. These plugins add a web application firewall that blocks known attack patterns, scan your files and database for malware and unexpected changes, harden the login process, and report what they see in the dashboard. They reduce risk rather than remove it, and they are no substitute for keeping WordPress core, themes and plugins updated. The plugins below are widely used, come in free and premium tiers (the premium versions take over most of the day-to-day security work), and are easy to manage:
- Wordfence Security – Firewall and Malware Scan
- Sucuri Security – Auditing, Malware Scanner and Security Hardening
- iThemes Security (formerly Better WP Security)
#3 Add Two Factor Authentication
Two-factor authentication (2FA) is one of the most effective login protections available. After entering the correct password, the user must also supply a one-time code, sent to their e-mail address or phone or generated by an authenticator app, so a stolen or guessed password alone is not enough to log in.
You can add it to your site with the Two Factor Authentication plugin, which has 10,000+ active installations and supports WooCommerce, multisite and other third-party login forms. It issues short-lived time-based one-time codes (TOTP, the scheme used by Google Authenticator and similar apps); you enable and configure it under wp-admin > Two Factor Authentication. Because the codes are derived from the current time, a server whose clock has drifted will reject valid codes, so keep the server clock synchronised.
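The time-based code such a plugin checks is defined by RFC 6238. The following Python is an added example written for this article, not code from the plugin or from the original page; it generates and verifies TOTP codes using the RFC's published test key (not a real secret) and shows the two details a login handler must get right: a small tolerance for clock drift, and refusing to accept the same code twice.

```python
"""TOTP (RFC 6238) code generation and verification.

Added example for this article; not code from the original page or from
the Two Factor Authentication plugin. A time-based 2FA code is HMAC-SHA1
over the current 30-second time step, truncated to six digits.
verify_totp() accepts one step either side to tolerate small clock drift
and refuses a counter that was already used, so a captured code cannot
be replayed within its lifetime. RFC_TEST_SECRET is the RFC 4226/6238
test vector key, not a real secret.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226/6238 test vector key


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, now=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now, last_counter=-1, window=1,
                step=STEP_SECONDS, digits=DIGITS):
    """Check a submitted code against the steps [current-window, current+window].

    Returns (accepted, counter). Store the returned counter per user and
    pass it back as last_counter on the next login: a code is valid once.
    """
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue                      # already used, or older: replay
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, str(code)):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # RFC 6238 test times; the 6-digit codes are the last six digits of the RFC's 8-digit values
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(RFC_TEST_SECRET, t))
```

The replay check is the part most home-grown implementations forget: within the 30-second step plus the drift window, the same code would otherwise log in several times, which is exactly what an attacker who phished or shoulder-surfed the code needs.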
#4 Limit Login Attempts
Administrators should also limit the number of login attempts. After a set number of failed attempts from one address (or against one account), further attempts are refused for a cooling-off period. This defeats brute-force and credential-stuffing tools that try thousands of username and password combinations; without a limit, WordPress lets them keep guessing indefinitely.
The Limit Login Attempts Reloaded plugin, with over 1 million active installations, does exactly this and is simple to use: set the maximum number of attempts and the lockout duration under wp-admin > Settings > Limit Login Attempts, and you are done. One caveat: if your site sits behind a reverse proxy or CDN, configure the plugin to take the client address from the forwarded header your proxy sets; otherwise every visitor appears to come from the proxy's address and a single attacker can lock out everyone.
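What such a plugin does on each login attempt can be written out in a few lines. The following Python is an added example for this article, not the plugin's own code; the limits (5 attempts, 20-minute lockout) are values chosen for the example. Failures are counted by client IP and by account name, so an attacker rotating addresses against one account is still slowed down, and the clock is injected so the lockout expiry can be exercised without waiting.

```python
"""Login attempt limiter: the policy behind plugins like Limit Login
Attempts Reloaded, written out so the behaviour is visible.

Added example for this article, not the plugin's own code. Failures are
counted per client IP and per account name; when either count reaches
MAX_ATTEMPTS inside WINDOW_SECONDS, that IP or that account is locked for
LOCKOUT_SECONDS. Counting per account as well as per IP means an attacker
who rotates addresses against one user is still slowed down. The numbers
are example values; the addresses in the self-test are documentation
ranges, not real clients.
"""
import time
from collections import defaultdict

MAX_ATTEMPTS = 5          # failures allowed before a lockout
WINDOW_SECONDS = 600      # failures older than this no longer count
LOCKOUT_SECONDS = 1200    # 20-minute lockout


class LoginLimiter:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)   # ("ip"|"user", value) -> failure timestamps
        self.locked_until = {}              # same key -> unix time the lock expires

    @staticmethod
    def _keys(ip, username):
        # Normalise the account name so "Admin" and "admin" share one counter.
        return (("ip", ip), ("user", username.strip().lower()))

    def is_locked(self, ip, username):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
            recent.append(now)
            if len(recent) >= MAX_ATTEMPTS:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                recent = []                 # fresh count once the lock expires
            self.failures[key] = recent

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self.failures.pop(key, None)

    def attempt(self, ip, username, password_ok):
        """Gate one login: returns "locked", "ok" or "failed".

        The lock is checked before the password, so a locked client cannot
        keep probing credentials even with the right password. Log the
        distinction; the message shown to the browser can stay generic.
        """
        if self.is_locked(ip, username):
            return "locked"
        if password_ok:
            self.record_success(ip, username)
            return "ok"
        self.record_failure(ip, username)
        return "failed"


if __name__ == "__main__":
    limiter = LoginLimiter()
    # Constructed scenario: five different addresses each fail once against "admin".
    for i in range(MAX_ATTEMPTS):
        print(limiter.attempt(f"198.51.100.{i}", "admin", False))
    print("admin locked from a new address:", limiter.is_locked("192.0.2.1", "admin"))
```

Behind a reverse proxy or CDN the ip argument must be the real client address taken from a forwarded header you trust, not the proxy's address; otherwise one attacker locks out every visitor.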
#5 Change WordPress Database Prefix
The WordPress database consists of a set of tables whose names all begin with a common prefix, wp_ by default (wp_users, wp_options, wp_posts and so on). Because that default is universal, attackers' SQL injection payloads and automated scripts simply assume it. Changing the prefix does not fix an injection flaw, but it removes the easy guess and costs little. WordPress reads the prefix from $table_prefix in wp-config.php and applies it to every table it creates, so you will not have to rename anything again when plugins add tables later.
- Back up the database first, then log in to phpMyAdmin and select your WordPress database in the left-hand panel.
- Scroll to the bottom of the table list and tick Check All.
- In the "With selected:" drop-down next to it, choose Replace table prefix.
- In the From field enter wp_ (including the underscore) and in the To field enter your desired prefix. Use only letters, digits and underscores, and end it with an underscore.
- Click Continue.
- Open wp-config.php and change $table_prefix = 'wp_'; to the new prefix. The site will show database errors until this value matches the table names.
- Finally, fix the places where the old prefix is stored inside the data, otherwise every account loses its role and nobody can reach the dashboard: in the options table, rename the option_name wp_user_roles so it begins with the new prefix; in the usermeta table, do the same for the meta_key values wp_capabilities and wp_user_level, and for any other meta_key or option_name that still begins with wp_.
#6 Disable File Editing
The WordPress dashboard includes a Theme File Editor and a Plugin File Editor that let anyone with administrator rights edit PHP files in the browser. Developers advise against using them anyway: a syntax error takes the whole site down and there is no version control. More importantly, they turn any compromised administrator account (or a cross-site request forgery that acts as one) into arbitrary PHP execution on your server with a single form submission. Disabling them removes that shortcut; as a developer you still reach the files over SFTP or a shell, and you can re-enable the editors later if you ever need them.
To disable both editors, add the following to wp-config.php in your WordPress root directory, above the line that reads "That's all, stop editing!". If you also want to prevent installing and updating themes and plugins from the dashboard (so that no file writes at all happen through it), set DISALLOW_FILE_MODS to true as well, but note that this also blocks dashboard updates, so you then have to update by other means.
```php
// Disallow the theme and plugin file editors in the dashboard
define( 'DISALLOW_FILE_EDIT', true );
```
#7 Disable PHP File Execution
Most directories of a WordPress installation contain PHP files, but some never need to execute any. /wp-content/uploads/ is the clearest case: it holds only media. It is also the one directory the web server must be allowed to write to, which makes it the usual landing place for a web shell dropped through a vulnerable upload form or plugin. If the server refuses to execute PHP there, such a file cannot be run even if an attacker manages to write it, so there is no reason to leave that loophole open.
To stop PHP from being executed under a particular directory on Apache, do the following (the same approach applies to any other directory that should only ever hold static files):
In a text editor, create a file containing these directives. The pattern also covers the phtml and numbered php extensions that some hosts hand to the PHP interpreter; on Apache 2.4 without mod_access_compat, replace the two Order/Deny lines with Require all denied.

```apache
# Deny execution of PHP files in this directory
<FilesMatch "\.(php|phtml|php[0-9])$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

Save it as .htaccess (not htaccess.txt) and upload it to /wp-content/uploads/. This only takes effect when Apache is configured to read .htaccess files (AllowOverride); nginx ignores .htaccess entirely and needs an equivalent location rule in the server configuration. Verify the result by uploading a harmless test.php to the directory and requesting it in a browser: you should get a 403 response, not the script's output. Delete the test file afterwards.
#8 Disable XML-RPC
XML-RPC stands for XML Remote Procedure Call: remote clients call WordPress functions (publish a post, list comments, and so on) by sending XML over HTTP to xmlrpc.php. The WordPress mobile apps, Jetpack and some desktop publishing tools use it. Two abuses are well known. The pingback.ping method can be pointed at a third-party site, so that your server is used as a reflector in a distributed denial-of-service (DDoS) attack. And system.multicall lets a single HTTP request carry hundreds of login attempts, which sidesteps per-request login limits and turns xmlrpc.php into a fast password-guessing endpoint. Most modern integrations use the REST API instead, so if nothing you rely on needs XML-RPC, disable it.
To block it at the web server, add the following to the .htaccess file in your WordPress root directory (Apache only; on nginx use an equivalent location rule for xmlrpc.php, and on Apache 2.4 without mod_access_compat use Require directives instead of Order/Deny/Allow). If you prefer to do it inside WordPress, a small plugin or theme snippet calling add_filter( 'xmlrpc_enabled', '__return_false' ) turns the methods off as well, though the file is still reachable and still consumes PHP time answering with an error.
```apache
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    # Optional: keep access for one trusted address (replace the example IP with your own,
    # or remove this line to block everyone)
    Allow from 126.96.36.199
</Files>
```
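Before or after blocking the endpoint, it is worth knowing whether it was being abused. The following Python is an added example for this article, not code from the original page: it parses web server access log lines in the common "combined" format and flags any client that POSTs to xmlrpc.php more than a threshold number of times within a sliding window, which is the signature of both the system.multicall password guessing and a pingback flood being driven through the site. The log lines it analyses are constructed for the example.

```python
"""Detect xmlrpc.php abuse in web server access logs.

Added example for this article, not code from the original page. A burst
of POSTs to xmlrpc.php from one client is the signature of both abuses
described in the text: password guessing through system.multicall and a
pingback flood that uses the site as a reflector. find_xmlrpc_bursts()
parses Apache/nginx "combined" format lines and flags any client with at
least THRESHOLD POSTs inside any WINDOW-second span. The log lines from
build_sample_log() are constructed; the addresses are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 20        # this many POSTs to xmlrpc.php ...
WINDOW = 60           # ... within this many seconds flags the client

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip, ts (epoch seconds), method, path, status; None if the line is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT).timestamp()
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def find_xmlrpc_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Map client IP -> largest number of xmlrpc.php POSTs seen in any window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def _line(ip, when, method, path, status):
    stamp = when.strftime(TS_FORMAT)
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 370 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed sample: one client hammering xmlrpc.php, one occasional
    legitimate client, unrelated traffic and a junk line."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):                                # 25 POSTs in 25 seconds
        lines.append(_line("203.0.113.7", base + timedelta(seconds=i), "POST", "/xmlrpc.php", 200))
    for i in range(3):                                 # 3 POSTs spread over 4 minutes
        lines.append(_line("198.51.100.4", base + timedelta(minutes=2 * i), "POST", "/xmlrpc.php", 200))
    lines.append(_line("192.0.2.8", base, "GET", "/xmlrpc.php", 405))
    lines.append(_line("192.0.2.8", base, "GET", "/wp-login.php", 200))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    print(find_xmlrpc_bursts(build_sample_log()))
```

If you keep XML-RPC enabled for Jetpack or the mobile app, tune the threshold to your real traffic first; a legitimate client posts a handful of times per session, not dozens per minute.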
Final Thoughts on WordPress Security
To wrap up, work through the methods above; each one closes a route that attackers actually use against WordPress sites. The security plugins mentioned in #2 can apply most of these settings for you with a few clicks, in their free or paid versions, so check them as well.