17 Best Tips to Secure Your WordPress Website from Hacks

17 Best Tips to Secure Your WordPress Website from Hacks

How to Secure WordPress Website? If you are running a WordPress blog or website then this is your first question, this can’t be achieved in one single step and it’s not one time process, you need to check your WordPress site’s configuration once in a while and check this list to strengthen security of your WordPress website. Here are some list of points to Secure WordPress Website.

Follow These 17 Tips to Secure Your Webiste

1. User strong Passwords to Secure WordPress Website

For WordPress Admin Dashboard keep strong passwords, and also for FTP, Database, Web Hosting Control Panel. Update these passwords on a timely basis. While creating passwords use small letters, capital letters, numbers and special symbols to make it strong enough to Secure WordPress Website.

Other Articles in WordPress Security Section

Quickly Navigate to Other Sections in WordPress Tutorials

WP Getting Started
WordPress Posts
WordPress Media Library
WordPress Pages
WordPress Settings
WordPress Users & Profiles
WordPress Comments
WordPress Themes
WordPress Plugins
WordPress Security
WordPress SEO
Speed Optimization

2. Don’t use Admin username

If you are using default admin username for production website, that is too risky. If you already using admin password, create a new user with administrative access and login to WordPress admin dashboard with that new login information and remove admin user assign all content to new user which belongs to admin user.

3. Update as they are available

Update themes and plugins as they are available, If you want to recieve an email whenever a plugin, theme or wordpress core is available for updates then install use this plugin – WP Updates Notifier.

4. Stop Brute-force attacks

Brute force attacks are the attacks that checks for matching username and password from a list of username and password files. You can use firewall for blocking brute force attacks in WordPress.

5. Limit Login Attempts

Block a user’s ip address based on number of login attempts, for doing that you can use Limit Login Attempts plugin. Which has lot of options to block a user after specific number attempts to Secure WordPress Website.

6. Never show your username

If hacker knows your username then they can do brute-force attack for password. If you are not showing username then that will become tough to know username to brute force. Anyone can find your username from www.yoursite.com/author/username, try to remove this to make it more Secure WordPress Website.

7. Remove WordPress version from html metadata

If a hacker gets your WordPress version, they can easily check for flaws with in that version and break it easily. So it is recommended to Disable wordpress version from metadata html. To remove this data add this below code functions.php file in active theme directory.
[php] remove_action(‘wp_head’, ‘wp_generator’);

8. Disable Theme/Plugin editing from WordPress Admin Panel

If anyone gets access to your admin area, then they can edit your theme files and plugin files to inject malicious code. To stop that disable theme and plugin editing in admin area. You can follow this post to Disable theme and plugin editing from WordPress Admin.

9. Change Database prefix from ‘wp_’

If you are using default WordPress table prefix, then change them to something else differently. You can change table prefix in PHPMyAdmin and then update those changes in wp-config.php file.

10. Delete Inactive Themes and Plugins

If you have inactive or disabled plugins, themes then delete theme immediately because that can cause problems with security.

11. Protect wp-config.php file

Protect wp-config.php file from accessing, restrict permission by making them to read mode. And restrict wp-config.php file from .htaccess, add this code to .htaccess file in root directory.

[bash] # protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all

12. Protect wp-admin directory

Protect wp-admin restricting other ip address, you can access only from your ip address, If you have dynamic IP you can add that too. add this below code to .htaccess file.

[bash] <LIMIT GET>
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP
allow from xxx.xxx.xxx.0/8
allow from xxx.xxx.0.0/8


13. Protect wp-login.php file from unknow ip’s

Protect wp-login.php file from unknown IP address, add this below code in your .htaccess file to restrict unknown IPs from accessing wp-login.php for making it more Secure WordPress Website

[bash] <files wp-login.php>
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP
allow from xxx.xxx.xxx.0/8
allow from xxx.xxx.0.0/8

14. Disable Directory Listings

This is already fixed by your webhost or by using .htaccess file in WordPress, if you can still access directory listings on your websites. Then add this code to .htaccess file in root directory to Secure WordPress Website.

[bash] Options -Indexes

15. Create custom secrete keys in wp-config.php file

Replace secrete keys in wp-config.php to something different, you can generate a new set of secrete keys from here.

16. Ask Apache Password Protect

Here is plugin to secure wp-login.php file and wp-admin directory at Apache level. You can protect your site with 401 authorization in easy steps. All these you can manage from the WordPress admin panel. You can download this plugin – AskApache Password Protect.

17. Always Backup

This is last and important step, in-case if you face any problem anyone hacks your website. Always keep your backup in hand, so that you can replace them instantly. Use this plugin for WordPress automatic backup – BackWPup Free – WordPress Backup Plugin. It’s simple to configure BackWPup plugin.

If you have any tips to Secure WordPress Website, let us know using below comment form.

Vivek Vengala

Vivek Vengala is a Online Entrepreneur, Web Developer from Hyderabad India.

Click Here to Leave a Comment Below 0 comments

Leave a Reply: