WordPress is one of the fastest-growing content management systems, and its popularity comes largely from its flexibility. That same popularity makes it one of the most targeted platforms, so WordPress security matters to every website owner. In this tutorial I am going to walk you through all the practical ways you can secure your WordPress website: a complete WordPress security guideline.
Table of Contents
- What is WordPress Security and Why is it so Important?
- Use a Strong and Secure WordPress Theme
- Update WordPress Regularly
- Use a Strong Password
- Set Up SSL/HTTPS
- Change the Default Login URL
- Pick a Secure Hosting Provider
- Set Up a WordPress Backup Solution
- Set Up Two-Factor Authentication
- Limit Login Attempts
- Add a Security Question to the Login Page
- Create User Roles Based on Your Needs
- Install a Good WordPress Security Plugin
- Disable PHP Execution in the Uploads Folder
- Disable XML-RPC in WordPress
What is WordPress Security and Why is it Important?
Around 40% of all websites are powered by WordPress. Think about that number; it is big. That popularity alone makes WordPress the first target for hackers. WordPress security means how much protection has been added to your site. By default, the core WordPress software is quite secure, but as soon as you start using it you will install various plugins, and those can be the source of weaknesses. So before you use any plugin or theme, review it properly.
WordPress security is all about blocking every path a hacker could use to break into your site. Hackers try a website in many different ways, so you have to know what those ways are and then put the proper protection in place. I will explain the security guidelines for WordPress websites one by one.
And why is it important? Put simply, as I said, your site is property. It is the identity of your brand or business, so you should protect it. Suppose you have an e-commerce website that makes 10000 USD per month. Don't you think it should be secured? Of course you want to wrap it in proper security.
Here are all the security guidelines for WordPress that should be implemented on your site to set up complete security.
Use a Strong and Secure Theme
The theme is the heart of a website: everything you see on the site is there because of the theme. It defines the layout and much of the functionality. Choosing a theme that contains malware or a vulnerability can be the reason your site gets hacked, so it is always preferable to use a professional, secure theme. The WordPress directory offers thousands of free themes; pick one that is used by many people and has great feedback. You can choose a premium theme as well.
Update WordPress Regularly
If you use WordPress, you know that new versions are released regularly, and each one brings improvements in both features and security. So once you get the notification to update your WordPress version, you should update it. But before updating, make a backup of your site. To get the updated version, just log in to your dashboard and you will see the update notification.
I am using the very latest version of WordPress, so it shows a Re-install option, but if you are on an older version you will see an update option with the new version number.
Use a Strong Password
A password is very sensitive and important information, yet I have found that many people are not careful about it and avoid setting a hard password. When a hacker tries to break into a website, the first thing they try is a password they can guess, which can easily be the one you set, because most people think alike. So the password you set should not be an easy one: not your name, and not your website name. It should be a combination of capital letters, small letters, numbers, and special characters. Even better, use the password generator that WordPress offers directly.
Set Up SSL / HTTPS
SSL is short for Secure Sockets Layer. It sets up an encrypted channel between the browser and your website, protecting data in transit so that it cannot be read or modified by cybercriminals. It is the technology that makes the connection between two systems secure.
Setting up SSL is very easy. SSL certificates are usually a paid product, so you would purchase one first. Once you enable SSL, your website will be migrated to HTTPS automatically, and both the HTTP and HTTPS versions will be available. Because it is a paid product, many people skip it, but you will be happy to know there is still a way to get SSL for free: Let's Encrypt offers free SSL certificates.
Change the Default Login Slug or URL
As you all know, the WordPress login URL is site.com/wp-admin, a very well-known slug, so hackers try this URL first. Your job is to replace it with a custom slug. When hackers start a brute-force attack and cannot even reach the main dashboard URL, they fail at their first step.
To change this URL you can simply use a plugin called WPS Hide Login. It gives you options to set your new login URL and also the redirect slug for the old one. Finally, hit save and you are done.
Pick a Secure Hosting Provider
Your website is running on a server, isn't it? A web server gives you a bunch of options to operate your website, so your server should provide you with stable, up-to-date versions of the software.
For example, WordPress is written in PHP, so your server has a module that runs PHP. The module has its own version and PHP has its own version as well. If your PHP version is outdated, the updated WordPress release will not install, and as a result you lose many new features, including updated security improvements.
That is just one example. The main thing is to pick a host that is stable and up to date, and that is always ready to provide the latest software and options.
Set Up a WordPress Backup Solution
This is another best practice that increases your website security. Sometimes you need to change core files, or update core WordPress itself. Before making any major change to your site you should make a backup first; with a backup system in place you can work on your site without fear.
A backup system simply makes a copy of your whole site. Behind the scenes it copies your website database and all the files that need to be migrated when you restore. There are various plugins available now that make this easy.
Here are the top 4 WordPress backup and restore plugins you may use. All of them work similarly; you just have to give yourself enough time to explore them.
Recommended plugins:
- All-in-One WP Migration
- UpdraftPlus WordPress Backup Plugin
Set Up Two-Factor Authentication
This is another great way to secure your WordPress site. It raises security by requiring a second authentication step: every time you log in from a new device you go through a two-step verification process. It is an extra layer of security and much better than single-step authentication. Think about your password: maybe somehow your enemies or a hacker has obtained your username and password. Even then, they will not be able to log in to your site without getting past two-factor authentication.
How it works
Two-factor authentication, or 2FA, works with a phone or email verification process. That means you can use either an email system or a phone text message system; the verification code is sent to you by email or to your phone.
How to implement two-factor authentication on WordPress
In WordPress almost everything can be done with a plugin, and there are many plugins that let you add two-factor authentication to your WordPress site.
I am going to list some of the plugins for this. You can use any one of them.
Limit Login Attempts
This is another great step to stop brute-force attacks. Suppose you set a login limit of 3. That means after 3 failed login attempts, that IP is blocked for 7 days. This is really good for WordPress security, but it has a drawback: as the admin you may sometimes forget your password, and if you fail to log in 3 times you will be banned for 7 days too. What is the solution? Of course there is one: you just have to whitelist yourself. Then you will not be blocked even if you enter the wrong password.
How to limit login attempts on WordPress?
There is a plugin called Limit Login Attempts Reloaded that solves this problem. It is a great plugin, used by more than 1 million users. Once you install it you get all the options; what you have to do is configure the plugin properly. You do not have to use this particular plugin: many other plugins do the same job, so you can search and pick your own. Just focus on the points I mentioned for increasing WordPress security.
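To show what such a plugin does under the hood, here is an added example of the exact policy described above (3 failures, 7-day block, whitelisted admin IP) as a small must-use plugin. It is constructed for this tutorial, not code from Limit Login Attempts Reloaded; the whitelisted address is an assumed placeholder, and DAY_IN_SECONDS is a real WordPress constant.

```php
<?php
/**
 * wp-content/mu-plugins/limit-login-attempts.php (constructed example, not the
 * plugin recommended above). Policy from the article: 3 failed logins from one
 * IP => block it for 7 days, unless the IP is whitelisted. Counters are stored in
 * transients, so no extra database table is needed.
 */
define( 'LLA_MAX_FAILURES', 3 );
define( 'LLA_BLOCK_SECONDS', 7 * DAY_IN_SECONDS ); // DAY_IN_SECONDS is a core WordPress constant
define( 'LLA_WHITELIST', array( '203.0.113.10' ) ); // assumed admin IP; edit for your site

function lla_client_ip() {
    // Behind a proxy/CDN REMOTE_ADDR is the proxy; make the proxy set the real
    // client address instead of trusting X-Forwarded-For, which anyone can forge.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lla_key( $ip ) {
    return 'lla_fail_' . md5( $ip );
}

// Count each failed login per IP; reaching the limit starts the 7-day block.
add_action( 'wp_login_failed', function () {
    $ip = lla_client_ip();
    if ( in_array( $ip, LLA_WHITELIST, true ) ) {
        return;
    }
    $fails = (int) get_transient( lla_key( $ip ) );
    if ( $fails < LLA_MAX_FAILURES ) {
        set_transient( lla_key( $ip ), $fails + 1, LLA_BLOCK_SECONDS );
    }
} );

// Reject a blocked IP whether or not the password is right. Priority 30 runs after
// the core username/password check (priority 20), so this error replaces its result.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $ip = lla_client_ip();
    if ( ! in_array( $ip, LLA_WHITELIST, true )
         && (int) get_transient( lla_key( $ip ) ) >= LLA_MAX_FAILURES ) {
        return new WP_Error( 'lla_blocked', 'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so an honest typo does not accumulate.
add_action( 'wp_login', function () {
    delete_transient( lla_key( lla_client_ip() ) );
} );
```

Test it from a non-whitelisted address: after three wrong passwords even the correct password should be refused with the message above until the transient expires or you delete it.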
Add a Security Question
If you add a security question to your login page, it adds more security at login time. The question is not easy to predict, and of course you will not set a question whose answer your enemies could guess.
You can simply use a plugin called WP Security Question to add this functionality. Install the plugin and open its dashboard; from the settings you will be able to configure the security question.
Create User Roles Based on Your Needs
Most WordPress website owners are not aware of this feature, but it is very important to distribute roles properly if many users operate one site. I have seen many people hand admin access directly to an author or publisher just so they can write content. It should not be like that: you should assign each user a role based on what they need.
Suppose one person only writes articles for your site. He should get access only to writing posts, not to all the options that you get as admin.
By default, WordPress has 6 roles. They are listed below with their capabilities.
- Super Admin: the most powerful, top-level role, but it is only available on a Multisite network. We normally think the administrator is the most powerful user, but the super admin outranks a normal administrator.
- Administrator: the top-level user with full access within a single WordPress site. If you are not on a multisite network, this is the root user.
- Editor: can publish and manage the posts of all users.
- Author: can write and manage his own posts.
- Contributor: can only write posts; cannot publish them.
- Subscriber: the last and simplest WordPress role. A subscriber can only read posts and manage his own profile.
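The built-in roles are a starting point; you can tailor them with WordPress's role API. The following added example (constructed for this tutorial, not the author's code) creates a minimal "Writer" role for the article-only user described above and strips one risky capability from Editors. The role name "writer" is an assumption; get_role, add_role, has_cap and remove_cap are real WordPress functions.

```php
<?php
/**
 * wp-content/mu-plugins/tailored-roles.php (constructed example, not part of the
 * article). Give each kind of user only the capabilities their job needs.
 */
add_action( 'init', function () {
    // 1. A "Writer" role for the person who only drafts articles: start from the
    //    built-in Contributor (read, edit_posts, delete_posts) and add only the
    //    ability to upload images. No publish_posts, no plugin or theme access.
    if ( null === get_role( 'writer' ) ) {
        $caps = get_role( 'contributor' )->capabilities;
        $caps['upload_files'] = true;
        add_role( 'writer', 'Writer', $caps ); // persisted in the wp_user_roles option
    }

    // 2. Editors carry unfiltered_html by default, which lets them save raw
    //    <script> tags in posts. Remove it so a compromised editor account cannot
    //    plant stored JavaScript on every page; administrators keep it.
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' ); // also persisted, so this runs once
    }
} );
```

After activating, the Writer role appears in the user edit screen, and an Editor who pastes a script tag into a post will see it stripped on save.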
Install a Good WordPress Security Plugin
Whenever you think about implementing WordPress security, you have to install a bunch of plugins and perform many operations one by one. Let me clarify the plugin installation. I have already mentioned many plugins for specific tasks: maybe one for two-factor authentication, one for the login limit. But you also need one main plugin that monitors and audits your website and keeps track of every single thing that happens on your site.
If you search Google for the best security plugin you will get many lists. I have used some of them myself, so I recommend either Wordfence or Sucuri. If you want only one suggestion, I would recommend Sucuri. It is a free plugin that covers almost everything you need; it has a premium version as well, but the free version is fine.
Whichever you choose, Wordfence or Sucuri, make sure you use the plugin's key features. After installing it, configure it properly, then scan your site. If it finds malware it will warn you and tell you what steps to take.
Disable PHP Execution in the Uploads Folder
This is another great way to increase WordPress security. Think about the uploads directory: it holds every uploaded file, whatever its format, so you have to be careful with it. As admin you see files being uploaded from the backend, but that is not the whole picture. Suppose you have a contact form with a file upload field: a hacker can use it to upload a PHP script, and that script can then harm your site. So it is better to disable PHP execution inside this directory. This is very easy to do: create a file named .htaccess containing three lines of code, and upload it into your uploads directory.
Here is the code you have to write in the .htaccess file:
<Files *.php>
deny from all
</Files>
Once you upload this .htaccess file to your uploads directory, Apache will refuse to serve, and therefore to execute, any PHP file inside the uploads folder, while images and documents still load normally. Note that this only works on Apache with .htaccess overrides enabled; nginx ignores .htaccess files, so there you need an equivalent rule in the server configuration.
Disable XML-RPC in WordPress
Before disabling it, you should know briefly what it is. XML-RPC is a function, or simply a feature, of WordPress that lets it communicate with other platforms; you can think of it as a bridge between WordPress and another system. It is similar in concept to the current JSON API, which is more powerful and more secure.
The core features of XML-RPC are connecting your WordPress site to your smartphone app, and implementing pingbacks and trackbacks from other sites.
Why you should disable it
The main issue with XML-RPC is security. The problem is not XML-RPC as such, but the xmlrpc.php file can be used to run brute-force attacks against your site.
XML-RPC has two main weak points: brute-force attacks, and taking the site down with a DDoS attack.
How to disable XML-RPC
If you want to use a plugin, there is one called Disable XML-RPC. Simply install it and it will do the rest.
Or, if you want to disable it manually, add the code below to your .htaccess file and save it. You are done; XML-RPC is now disabled on your site.
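As an added example (not the author's code), the same thing can be done from WordPress itself with a must-use plugin instead of an .htaccess rule, which also covers nginx hosts. The filter names xmlrpc_enabled, xmlrpc_methods and wp_headers are real WordPress hooks.

```php
<?php
/**
 * wp-content/mu-plugins/disable-xmlrpc.php (constructed example, not the author's
 * code). Same effect as the .htaccess rule, done from WordPress itself, so it also
 * works on nginx hosts that ignore .htaccess.
 */

// Refuse every XML-RPC method that needs a login: this is the surface the
// brute-force attacks mentioned above go through.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled only guards authenticated calls. pingback.ping needs no login and
// is the part abused for DDoS, so remove the pingback methods explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

To verify, POST a login-protected method such as wp.getUsersBlogs to /xmlrpc.php: the response should be a fault saying XML-RPC services are disabled on this site.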
That's all for today. I hope this tutorial helps you learn about WordPress security. If you have any confusion, please comment below.