Securing WordPress Sites

  • 7 min read
  • by Kristin Eitel

Introduction

Whether you’re using WordPress as a blogging platform, an e-commerce store, or a content management system, you should be concerned with your site’s security. If your site is compromised, the information stored in its database may be accessed and used for malicious purposes. In this article we give you tips on how to secure your WordPress site.

Tips to Secure Your WordPress Site

Pick a Good Hosting Company

The easiest and best way to secure your WordPress site is to pick a good hosting company. A good hosting company keeps its servers hardened, so your WordPress site is protected against common security vulnerabilities. The good news is that there are many great hosting providers, such as Kinsta, BlueHost, SiteGround, and DreamHost. Choosing a good hosting provider is essential, and we wholeheartedly recommend these.

Use a Security Plugin

The next thing you should do is choose a good WordPress security plugin. A good security plugin takes care of making sure that malware does not get into your WordPress site. These plugins also have additional features such as whitelisting/blocking IP addresses, a firewall, and login protection. Some of the best are Sucuri, Wordfence, and iThemes Security.

Choose a Secure Username and Password

To secure your WordPress website, you need good credentials, which means a good username and a good password. A good username is one that can’t be easily guessed, so you shouldn’t use obvious names like “user” or “admin”. You should also choose a good password. If your password is an actual word like “admin” or “password”, your site will be easily compromised, because these are very common passwords that a lot of users are known to have chosen. Instead, choose a password that consists of letters, numbers and special characters and is at least 10 characters long. Doing this will go a long way towards protecting your site.

Keep Your WordPress Updated

Always use the latest version of WordPress. Since WordPress is open-source software, anyone has access to the source code. If someone discovers a security bug in a particular version, that bug can be exploited by anyone who learns of it, and every earlier version that has not patched the bug is vulnerable as well. Each new version of WordPress patches known bugs, so with every update you get a more secure site.

Keep Your Themes and Plugins Updated

Themes and plugins, whether free or premium, are also susceptible to security vulnerabilities. Unlike normal programs, which are compiled into an executable, themes and plugins are written in PHP, so anyone who has a copy of a theme or plugin can read its source code and discover security vulnerabilities in it. Keep them updated and there will be fewer security vulnerabilities to face.

Limit the Number of Login Attempts

Another thing you can do to improve your security is to limit the number of login attempts. By limiting the number of login attempts within a specific period of time, you can prevent a brute-force attack, a type of attack where someone keeps guessing your password until they can log in. One plugin that can do this is Login-Lockdown. This is a definite must-have if you want to protect your WordPress site.
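As an added example (not code from the article or from the Login-Lockdown plugin), here is a minimal must-use plugin that implements the same idea with WordPress’s own hooks: it counts failed logins per client IP in a transient and refuses further attempts once the limit is hit. The constants, function names and the mu-plugins file path are assumptions; the hooks `wp_login_failed`, `authenticate` and `wp_login` and the transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Added example, not the Login-Lockdown plugin. Save as
 * wp-content/mu-plugins/login-lockout.php (assumed path) to load it.
 */

const LL_MAX_ATTEMPTS   = 5;        // assumed policy: 5 failures ...
const LL_WINDOW_SECONDS = 15 * 60;  // ... within 15 minutes locks the client

function ll_client_ip(): string {
    // Trust only REMOTE_ADDR. X-Forwarded-For is client-supplied and would
    // let anyone dodge the lockout unless a trusted proxy overwrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_key(): string {
    return 'll_fail_' . md5(ll_client_ip());
}

// Fires on every failed login (core action wp_login_failed).
function ll_record_failure($username): void {
    $count = (int) get_transient(ll_key()) + 1;
    // Re-setting the transient restarts the window on each failure.
    set_transient(ll_key(), $count, LL_WINDOW_SECONDS);
    if ($count === LL_MAX_ATTEMPTS) {
        error_log(sprintf('login lockout: %s locked after %d failures (last username "%s")',
            ll_client_ip(), $count, (string) $username));
    }
}
add_action('wp_login_failed', 'll_record_failure');

// Refuse logins from a locked client. Priority 30 runs after core's own
// password check (priority 20), so even a correct password is rejected
// while the lock is in force.
function ll_block_if_locked($user, $username, $password) {
    if ((int) get_transient(ll_key()) >= LL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LL_WINDOW_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'll_block_if_locked', 30, 3);

// A successful login clears the counter for that client.
function ll_clear_on_success(string $user_login, WP_User $user): void {
    delete_transient(ll_key());
}
add_action('wp_login', 'll_clear_on_success', 10, 2);
```

Because the lockout error is itself reported as a failed login, every attempt made during the lock restarts the window, so the attacker cannot wait out a fixed timer while still hammering the form. The counter is keyed by IP address, which means users behind one NAT share a lock, and the REMOTE_ADDR caveat matters if the site sits behind a reverse proxy or CDN.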

Use Two-Factor Authentication

Two-factor authentication is a form of authentication that uses more than one method to grant access. It is usually done by first entering a password and then confirming the login through email or phone. This prevents people who have guessed the password of your WordPress site from logging in, since the attempted login still has to be verified as authorized. A couple of plugins that can do this are Duo Two-Factor Authentication and Google Authenticator.

Change Your Database Table Prefix

By default, every WordPress database table name begins with the wp_ prefix, and all WordPress sites use the same table names. By changing the table prefix you make it harder for an attacker to guess your site’s table names, making it less likely that they can access information. This step can be done when you first install WordPress. If the site has already been installed, it can be done through phpMyAdmin.
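As an added example that is not part of the article, the following stand-alone PHP script generates the SQL for the phpMyAdmin route on an existing site. It goes a step beyond a plain rename: two places store the prefix inside row values ({prefix}user_roles in the options table, and keys such as {prefix}capabilities and {prefix}user_level in usermeta), and a site whose tables are renamed without updating those rows locks every user out of the dashboard. The core table list is WordPress’s own; the function names and the sample new prefix are assumptions.

```php
<?php
// Added example (not from the article): emit the SQL for renaming WordPress
// core tables from one prefix to another. Run the output in phpMyAdmin on a
// backed-up database, then set `$table_prefix = 'newprefix_';` in wp-config.php.

const WP_CORE_TABLES = [
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'term_relationships', 'term_taxonomy', 'termmeta', 'terms', 'usermeta', 'users',
];

function valid_prefix(string $prefix): bool {
    // Same character set the WordPress installer accepts.
    return (bool) preg_match('/^[A-Za-z0-9_]+$/', $prefix);
}

// MySQL LIKE treats '_' as a one-character wildcard, so the usual 'wp_'
// prefix must be escaped or a key like 'wpXcapabilities' would match too.
function like_prefix(string $prefix): string {
    return str_replace('_', '\\_', $prefix) . '%';
}

function prefix_change_sql(string $old, string $new, array $tables = WP_CORE_TABLES): array {
    if (!valid_prefix($old) || !valid_prefix($new)) {
        throw new InvalidArgumentException('prefixes may contain only letters, digits and underscore');
    }
    if ($old === $new) {
        throw new InvalidArgumentException('old and new prefix are identical');
    }
    $sql = [];
    foreach ($tables as $table) {
        $sql[] = sprintf('RENAME TABLE `%s%s` TO `%s%s`;', $old, $table, $new, $table);
    }
    // Rows whose *values* embed the prefix. In options only user_roles is
    // prefixed by core, so touch just that row; plugin options that happen
    // to start with "wp_" must stay as they are.
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';",
        $new, $new, $old
    );
    // In usermeta, capabilities, user_level, user-settings and a few dashboard
    // keys are all prefixed, so rewrite every key that starts with the old prefix.
    $sql[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';",
        $new, $new, strlen($old) + 1, like_prefix($old)
    );
    return $sql;
}

// Usage: php change-prefix.php wp_ k9x2_   (the new prefix is an example value)
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    foreach (prefix_change_sql($argv[1], $argv[2]) as $statement) {
        echo $statement, PHP_EOL;
    }
}
```

The script covers a single-site install only; a multisite network has additional per-site tables (wp_2_posts and so on) that would need the same treatment. Whatever route you take, confirm the change by logging in to the dashboard immediately afterwards while you still have the backup to restore.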

Use CAPTCHA Login

To further prevent unauthorized logins, you should use a CAPTCHA plugin. This prevents automated bots from gaining access. People trying to break into your WordPress site can use automated bots set up to try logins at intervals; CAPTCHA prevents that by asking for input that bots can’t read. There are plugins for this in the plugin repository; a good one is WP Captcha.

Password Protect Your ‘wp-admin’ Directory

The ‘wp-admin’ directory contains files that are used to configure your WordPress site. It’s possible that these files could be manipulated so that access to your WordPress site is granted. Password-protecting the directory can usually be done in your WordPress site’s cPanel. If you’re self-hosting, you need to modify your .htaccess file and create and configure an .htpasswd file. We don’t, however, recommend that, since a good hosting provider is the more secure route, and these providers usually come with cPanel.

Disable File Editing

If your WordPress site is compromised, the first thing an attacker might do is modify the theme files so that they can gain more access or write harmful code that damages your site. Thankfully, preventing this is easy: all you need to do is edit wp-config.php and add a single line. This will prevent anyone from accessing the Theme Editor.
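The line the paragraph refers to is WordPress’s `DISALLOW_FILE_EDIT` constant. Here it is as an added wp-config.php fragment (not copied from the article), alongside the stricter `DISALLOW_FILE_MODS` option and the trade-off that comes with it:

```php
// Added example: wp-config.php fragment. Put these lines above the comment
// "That's all, stop editing!" so they are defined before WordPress loads.

// Removes the Theme File Editor and Plugin File Editor from the dashboard, so
// a compromised admin account cannot write PHP into theme or plugin files
// through the browser.
define('DISALLOW_FILE_EDIT', true);

// Stricter option: also blocks installing, updating and deleting plugins and
// themes from the dashboard. Enable it only if updates are applied another
// way (for example WP-CLI or a deployment pipeline); otherwise it works
// against the "keep everything updated" advice above.
// define('DISALLOW_FILE_MODS', true);
```

A quick check that the setting took effect: after saving the file, the Theme File Editor and Plugin File Editor entries disappear from the Appearance and Plugins menus for every user, administrators included.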

Logout Idle Users

Lastly, you should always log out idle users. If a user logs in from a public computer and leaves the browser open without logging out, other people could access the site and modify the access configuration in the admin dashboard. This is especially true if the user has considerable access (which is the case for admins). To prevent this from happening, use the Inactive Logout plugin.
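As an added example (not code from the article or from the Inactive Logout plugin), this must-use plugin implements idle logout with core hooks: it stores each logged-in user’s last request time in user meta and ends the session when the gap exceeds a limit. The limit, meta key, function names and file path are assumptions; `init`, `wp_login`, `login_message` and the user-meta, logout and redirect functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Idle Logout
 * Added example, not the Inactive Logout plugin. Save as
 * wp-content/mu-plugins/idle-logout.php (assumed path) to load it.
 */

const IL_IDLE_LIMIT  = 20 * 60;        // assumed policy: 20 minutes of inactivity
const IL_META_KEY    = 'il_last_seen'; // assumed user-meta key
const IL_WRITE_EVERY = 60;             // throttle meta writes to once a minute

function il_check_idle(): void {
    if (!is_user_logged_in()) {
        return;
    }
    $uid  = get_current_user_id();
    $now  = time();
    $last = (int) get_user_meta($uid, IL_META_KEY, true);

    if ($last > 0 && ($now - $last) > IL_IDLE_LIMIT) {
        // Clear the auth cookies server-side, then send the user to the login
        // page. wp_safe_redirect only follows same-host URLs.
        wp_logout();
        wp_safe_redirect(add_query_arg('idle', '1', wp_login_url()));
        exit;
    }
    if (($now - $last) >= IL_WRITE_EVERY) {
        update_user_meta($uid, IL_META_KEY, $now); // one DB write per minute, not per request
    }
}
// 'init' runs on front-end, admin and admin-ajax requests once the user is known.
add_action('init', 'il_check_idle');

// Start the clock at login so a stale timestamp never logs someone out at once.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    update_user_meta($user->ID, IL_META_KEY, time());
}, 10, 2);

// Tell the user why they landed on the login screen.
add_filter('login_message', function ($message) {
    if (isset($_GET['idle'])) {
        $message .= '<p class="message">You were logged out after a period of inactivity.</p>';
    }
    return $message;
});
```

Two caveats a practitioner will run into: the post editor’s Heartbeat API polls admin-ajax.php every 15 to 60 seconds, so an open editor tab never counts as idle, and because the timestamp is per user, one active tab keeps all of that user’s other tabs alive as well. An idle limit is also not a substitute for a short “remember me” cookie lifetime, which is controlled separately through the `auth_cookie_expiration` filter.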

Conclusion

We’ve now reached the end of our article. Follow these tips and your WordPress site should be secure. Take note, though, that these tips work best when done together, so it would be best for your site if you do all of them.

Kristin Eitel
