Exciting News! Flipper Code is now WePlugins! Same commitment to excellence, brand new identity.

How to Secure a WordPress Website

Sandeep Kumar Mishra
Sandeep Kumar Mishra
in Posts > Tech
November 29, 2020
5 minutes read
How to Secure a WordPress Website

To secure your WordPress website from hackers and avoid website vulnerabilities, WordPress files need special attention while installation. Preventing Directory Listing using .htaccess file, regular changing of your WordPress password or restrict direct access to WordPress core files are small but very important aspects of the security of a WordPress website. We have discussed the ways by which your WordPress Site poses security threats in the post How to Hack WordPress Site using SQL Injection with a clean intention to warn you from the vulnerabilities of being unaware of the hacking techniques.However, it will be better if we know how to secure your WordPress website from such attacks. I am thus listing here a few precautionary measures to help you be more vigilant and keep your WordPress Website safe.

Keep your WordPress Password Strong

Let’s start with the easiest strategy which most of us know but still neglect, to keep the passwords really strong and thus difficult to crack. It is a general tendency to keep passwords that are easy to remember like your name or phone no. or date of birth but that can be the biggest gateway for hackers for entering into your site. A good password must at least be of eight characters both upper and lower case including numbers, and special symbols. You can easily check the complexity of your password here and know how safe is your password and keep secure your WordPress website.

To keep your online presence safe, always set a unique password for every account. If not, an access to one account can be a key to the rest. Use a password management software like KeyPass to safeguard all your passwords.

“admin” Username is Not Safe Anymore

WordPress gives all the default administrator rights to the username “admin” and since the login page of all the WordPress websites is wp-login.php appended with the domain name, therefore, it is not very tricky to find out if your site running on WordPress and can be a risk to your WordPress security. So in case a hacker gets the access to this page he will have half his work done and all he would have to know is your password. Thus for the security of your WordPress, it becomes indispensable to change your default username. To do this, log in to your admin area, go to Users → Add New to create a new user and assign the administrator role. Now log out from your current admin panel, log in as the new user and delete the previous admin account.

Change Database Prefixes to Secure One instead of just “WP_”

WordPress has a common setup wizard during its installation where by default the database prefix is set to wp_. The attackers, therefore, have a little information on your database name and tables. To completely drop off this hint you should enter a complex and different prefix while setting up WordPress.

You can also do this by changing the prefix in $table_prefix = ‘wp_’; line of the wp-config-sample.php  file and renaming the file to wp-config.php.

Block Suspicious IPs

Because your site too can be a victim of a cyber attack so stay vigilant and use a monitoring tool to keep a watch over your visitors’ activities. Block a suspicious activity immediately if you find so. A tried and tested plugin that I use for the security of my WordPress websites and blogs is Best WP Security that is a simple way to block IP’s individually or by a range.

Set Limit to Login Attempts in WordPress Website

Commonly hackers use Brute Force attack against your encryption and constantly tries all possible passwords against your encryption to enter the website. The amount of time taken to gain successful access depends upon the complexity and length of your password. To secure your WordPress website from such attacks you can restrict the number of login attempts from a particular IP. Limit Login Attempts is a popular plugin used to secure your WordPress website from such attacks by blocking the series of failed login trials. The admin can set the number of attempts after which the plugin will block the login hits.

Keep WordPress Site Updated to Latest Version

WordPress periodically releases its newer versions. It is strongly recommended to keep your WordPress updated. These newer versions consist of new features, bug fixes and security patches. A notification appears on your WordPress dashboard with every release. Security of your WordPress website highly depends upon a single click enabling you to upgrade your WordPress and avail with the latest released security patches that are not available for older versions.

Secure .htaccess and config.php Files

Ensure that your website’s two most vital and confidential files .htaccess (controls directory it is placed in and all other subdirectories) and config.php (configures database functionalities, improves performance and security) are protected properly and have restricted access.
Use the code below in the .htaccess file itself to save it from unauthorized access:

<Files .htaccess>
   order allow,deny
   deny from all

Similarly, the code to secure the config.php  file can be put at the top of the .htaccess file is:

<Files wp-config.php>
   order allow,deny
   deny from all

Prevent Directory Listing using .htaccess for WordPress Security

Ensure that your website’s directory listing is not accessible to view contents of directories and all it’s sub directories. Place following code in your .htaccess file to prevent directory listing.

Options -Indexes

Hide WordPress Version Using remove_action

The enabled WordPress version on your website may be an indication of the prevailing security issue associated with the version. Therefore it would be a good thought to remove the generator meta for your WordPress. This can be done by adding the below-given code in your function.php file:


function flippercode_remove_version()
return '';

Modify Default Secret Keys in wp-config.php File

The wp-config.php file located in your WordPress root directory contains confidential details of your website. It includes a set of secret keys whose default values are recommended to be altered for enhancing the security of your WordPress website.

define('AUTH_KEY',               'put your unique phrase here');
define('SECURE_AUTH_KEY',        'put your unique phrase here');
define('LOGGED_IN_KEY',          'put your unique phrase here');
define('NONCE_KEY',              'put your unique phrase here');
define('AUTH_SALT',              'put your unique phrase here');
define('SECURE_AUTH_SALT',       'put your unique phrase here');
define('LOGGED_IN_SALT',         'put your unique phrase here');
define('NONCE_SALT',             'put your unique phrase here');

Replace these phrases with a long, random and unique value to modify the existing phrases. You can also use a tool created by WordPress to generate these random values.

Change File Permissions

File Permissions are vital for the security of your WordPress website and granting file write permissions can prove to be a major threat to security especially in a shared hosting environment. For the same reason, you should restrict the file permissions and prefer to create a less restricted folder for purposes like uploading files whenever possible.

You can use the below-given command to control file permissions of your websites:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;

755 and 644 are the default file permission for folders and files. Set 755 chmod value to restrict everyone with read-only permission except you. But remember not to set a 777 permission which may make the file “World-Writable”.

Disable File Editing

The high user-friendly WordPress dashboard facilitates the website administrators to edit php files, plugin codes and theme files from the admin panel itself. However, it makes WordPress easy to use but it resources the hackers to execute malicious code from the dashboard itself. So it is wise to disable this feature to prevent at least some attacks by adding the following code in the wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

Protect wp-includes Directory

Sometimes even a small loophole in the WordPress installation can lead attackers to the wp-includes directory where they can execute malicious code. To secure your WordPress website you need to protect this directory. Block the scripts residing in the wp-includes by placing mod_rewrite in .htaccess outside the # BEGIN WordPress and # END WordPress tags to avoid being overwritten.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress

To allow the code to work well with multisite, drop

RewriteRule ^wp-includes/[^/]+.php$ - [F,L]

which will obviously offer less security but otherwise can prevent the ms-files.php file from generating images.

Backup WordPress Files and Database

Lastly, a regular backup of your WordPress is one of the most important WordPress security measures in the worst case if your website is hacked. If you have your backup, you can sit back and restore your site without much panic. Backup can be taken from either a remote server or local system. You can use WordPress plugins available at free like BackWPup for the purpose.

Do not solely rely on the backups offered by your hosting servers, they might not be WordPress specific, not scheduled properly or may fail during emergencies.

Explore the latest in WordPress

Trying to stay on top of it all? Get the best tools, resources and inspiration sent to your inbox every Wednesday.