Securing WordPress in 19 steps

Is securing WordPress imperative? The question doesn't even need to be asked! 

We all know that attacks are being carried out on websites worldwide every second. Your website is part of this and could be targeted by a malicious hacker.

Today we'll talk about securing your website if it runs on WordPress, to avoid falling into traps that could cost you quite a bit.

However, we want to make it clear right away: we don't claim that our article will secure your site 100%!

What we will do, though, is share with you about twenty actions to perform on your website to protect yourself from malicious attacks. Nobody is completely safe, and everyone should know how to properly secure WordPress.

Before securing WordPress, think about securing your computer!

Although your site is installed on a server, far from your computer, the latter can easily serve as an entry point to your WordPress. How?

Well, you connect from your favorite web browser to access your website's administration. If someone manages to install a "keylogger" (a small malware spy that records everything you type on your keyboard) without your knowledge, you can guess what happens next!

If you also tend to save all your login information in your browser (everyone does that!), it would be enough for your attacker to access your browser to extract all the passwords they want... including those for your website. Therefore, securing WordPress depends on your computer's security.

Choosing a secure host is crucial for securing WordPress

In fact, when it comes to securing a WordPress installation, almost everything rests on the host.

A good web hosting provider filters malicious attacks upstream, before they reach your site. Indeed, no matter how well you secure your WordPress website, if there is a vulnerability at your host's level, your site will suffer.

So, don't hesitate to check the following points with your provider:

  • Do the servers have a firewall and antivirus?
  • Are regular backups performed?
  • Is there efficient technical support?

The data stored on or transmitted through a website is often very sensitive, and its leakage can be harmful on more than one level. A reputable web host must be able to secure WordPress and ensure the integrity of its content.

Back up your databases regularly

Even if your host makes regular general backups of your site, you should also perform your own backups.

To do this, specific plugins are available that allow you to make full copies of your databases either on your server or on remote web locations. Some can even send these backups to you via email. 

Here are some examples (we'll just mention names without going into further detail):

  • UpdraftPlus
  • BackWPup - WordPress Backup Plugin
  • Jetpack

Change the databases prefix

WordPress, upon its first installation, uses a default database table prefix, wp_. Don't hesitate to change this prefix to a more personalized one.

An experienced hacker might still crack a database, but it takes them longer when they don't know where to start. Changes like this to various elements of your WordPress can be a real deterrent in case of attack.

Regularly check for updates (Core, plugins, PHP)

To better secure WordPress, it is recommended to update it as often as possible. Remember that in addition to the improvements brought by an update, it is always an opportunity for developers to fix vulnerabilities detected in previous versions.

Three things are therefore very important to update to secure WordPress:

  • Its core 
  • Its plugins and themes
  • Its PHP version

Hide the version of WordPress being used

Speaking of PHP versions, an interesting tip is to hide the version of WordPress you are running, and at the same time mask the PHP version running under the hood.

This will make it a little more difficult for a hacker who doesn't have the time or patience to discover or guess a version that is not displayed. 

As a general rule, hide everything you can hide, to buy yourself time.

Use official extensions and themes

What attracts many WordPress users is its versatility when it comes to changing appearance (by applying a "theme") with a single click. The ability to enrich the basic structure of WordPress with extensions is a real boon for users who are not necessarily developers.

In this regard, it is strongly recommended to opt only for official extensions (free or paid), as this helps ensure WordPress security. Official means maintained and including the latest patches, which prevent curious individuals from forcing their way in.

Delete unused plugins and themes

However, things can quickly become problematic when you over-install themes and plugins: most people install extensions just to try them out and then forget to clean up!

In addition to being excess weight that can slow down your WordPress site, themes and plugins that have not been used for a while are generally outdated, and their developers often abandon their technical support.

Hmm, ... outdated, abandoned... That's an open door for cyber-squatters!

Change the login address

By default, your WordPress site login URL is domain.com/wp-admin. The problem is that all robots, hackers, and scripts also know this.

By changing this URL, you can secure WordPress by making yourself less targeted and better protected against brute force attacks. It's not a miracle solution, but simply a very useful small trick.

To change the URL of your WordPress login, we recommend using the free "WPS Hide Login" plugin or the "Custom Login Page Customizer | LoginPress" plugin. Both have a simple input field for the new address. Remember to choose something unique that is not already on a list that a bot or script might try.

Delete the "admin" account

When installing WordPress, avoid choosing "admin" as the username for your main administrator account. Such an easy-to-guess username is a gift to hackers: all they need to do is find the password, and your entire site falls into the wrong hands.

If you accidentally chose "admin" by default, it is still possible to create a new user with administrative rights and literally delete the old admin account.

Use a strong login password

Vary your passwords and change them regularly to secure WordPress. Improve their strength by adding extra words and lengthening them.

So, instead of the conventional "123456789" or "password" (Seriously? Are there still people who choose that?), opt for something like:

jaivudesdinosauresrosescriredeslettresdamour

This password does not necessarily contain uppercase letters, numbers, or special characters. However, it remains almost impossible for a hacker to guess, as they are more used to the combinations found in their dictionaries!

On the other hand, such a phrase, although strange, is easier to remember than a bunch of random letters and numbers. Give it a try...

Indeed, using a complicated phrase can often be much safer and 10 times easier to remember.

If you lack inspiration, use a password generator like this one: www.motdepasse.xyz

Enable 2-step authentication

No matter how secure your password is, there is always a risk that someone will discover it. Two-factor authentication involves a two-step process in which you need not only your password to log in, but also a second method. 

This is usually a text (SMS), a phone call, or a time-based one-time password (TOTP). 

In most cases, this method is 100% effective in preventing brute force attacks and securing WordPress. Why? Because it is almost impossible for the attacker to have both your password and your cell phone.

Here are some plugins you might use for this purpose:

  • Duo Two-Factor Authentication
  • Google Authenticator
  • Two Factor Authentication

Limit login attempts

By default, WordPress allows users to try to log in as many times as they want. 

Although this may help YOU if you frequently forget how your password is spelled, it also exposes you to brute force attacks.

By limiting the number of login attempts, users can try a limited number of times until they are temporarily blocked. This reduces your chances of experiencing a brute force attempt, as the hacker is blocked before they can complete their attack.

You can easily enable this with a WordPress plugin that limits login attempts. After installing one of these plugins, you can adjust the number of allowed attempts under Settings > Login Attempt Limit. You can also limit login attempts without a plugin if you have in-depth PHP development knowledge.

Some plugins of this kind:

  • Limit Login Attempts Reloaded
  • WPS Limit Login
  • Loginizer (included in Softaculous, offered when installing WordPress from cPanel)
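The plugin-free approach mentioned above, as an added example that is not part of the original article: a minimal WordPress plugin (dropped into wp-content/plugins/) that counts failed logins per client IP in transients and refuses authentication for fifteen minutes after five failures. The thresholds are assumed values, and it assumes the server sees the real visitor address in REMOTE_ADDR; behind a proxy or CDN such as Cloudflare the visitor IP must first be restored (e.g. with mod_remoteip), or every visitor would share one counter.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example for the "limit login attempts" step; not code from the original article.
 */

const ELAL_MAX_ATTEMPTS    = 5;    // failed logins allowed before a lockout (assumed value)
const ELAL_LOCKOUT_SECONDS = 900;  // lockout length: 15 minutes (assumed value)

// Transient key for this client IP. Assumes REMOTE_ADDR is the real visitor
// address (no CDN/proxy in front); hashing keeps option names short.
function elal_key( $suffix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'elal_' . $suffix . '_' . md5( $ip );
}

function elal_locked_until() {
    return (int) get_transient( elal_key( 'locked' ) );
}

// Count each failed login for this IP and start a lockout once the limit is hit.
// Attempts made while already locked out are ignored, so the lockout window is
// fixed rather than extended by further guessing.
add_action( 'wp_login_failed', function ( $username ) {
    if ( elal_locked_until() > time() ) {
        return;
    }
    $attempts = (int) get_transient( elal_key( 'attempts' ) ) + 1;
    set_transient( elal_key( 'attempts' ), $attempts, ELAL_LOCKOUT_SECONDS );
    if ( $attempts >= ELAL_MAX_ATTEMPTS ) {
        set_transient( elal_key( 'locked' ), time() + ELAL_LOCKOUT_SECONDS, ELAL_LOCKOUT_SECONDS );
    }
} );

// Priority 40 runs after core's username/password (20) and cookie (30) handlers,
// so returning WP_Error here overrides even a correct password while locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $until = elal_locked_until();
    if ( '' !== $username && $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error( 'elal_locked', sprintf( 'Too many failed logins. Try again in %d minute(s).', $minutes ) );
    }
    return $user;
}, 40, 3 );

// A successful login clears both counters for this IP.
add_action( 'wp_login', function () {
    delete_transient( elal_key( 'attempts' ) );
    delete_transient( elal_key( 'locked' ) );
} );
```

The lockout error itself triggers wp_login_failed, which is why the failure handler returns early while a lockout is active.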

Prevent folder browsing

Directory browsing can be used by hackers to see if you have files with known vulnerabilities so they can exploit them.

Directory browsing can also be used by others to examine your files, copy images, discover your directory structure, and other information. That's why it is strongly recommended to disable indexing and directory browsing.

To do this, log in to your website using FTP or the cPanel file manager. Then locate the .htaccess file in the root directory of your website and add the following line at the end of it:

Options -Indexes

Don't forget to back up the .htaccess file by downloading a copy before you edit it.

To secure WordPress without going through this code exercise, you can use a security plugin with a simple dashboard that lets you do this, and apply many other WordPress hardening measures, in just a few clicks.

Protect your sensitive files

Among the core files of WordPress, wp-config.php is by far the most sensitive. It contains your site's connection credentials, so it is crucial to protect it against any outside access.

However, this is a delicate operation that requires first making a good backup of your website. Mistakes can quickly occur and render your site inaccessible.

It is possible to do this through two methods:

  • Using a specific plugin, such as Sucuri Security - Auditing, Malware Scanner and Security Hardening, or Hide My WP Ghost - Security Plugin
  • By adding rules to the .htaccess file in your site's root directory.
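The two .htaccess steps above (disabling directory browsing and shielding wp-config.php), as an added example that is not from the original article. It assumes Apache 2.4 and a host whose AllowOverride permits Options; if it does not, the Options line produces an HTTP 500 and you restore the backup.

```apacheconf
# Added example: hardening rules for the .htaccess in the WordPress root.
# Place them outside the "# BEGIN WordPress ... # END WordPress" block,
# which WordPress rewrites on its own, and back up the file first.

# Disable directory listings, so folders such as wp-content/uploads/ do not
# reveal their contents when they have no index file.
Options -Indexes

# Refuse every HTTP request for wp-config.php. PHP still reads the file from
# disk, so the site keeps working; only direct requests to it are denied.
<Files wp-config.php>
    Require all denied
</Files>
```

After uploading, request https://your-domain/wp-config.php and a directory such as /wp-content/uploads/ in a browser: both should now return 403 instead of a listing or a blank page.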

Protect your site login with an SSL certificate (HTTPS)

Nowadays, the SSL (Secure Sockets Layer) protocol is more than a luxury: the famous little padlock displayed before your domain name in web browsers is priceless!

At Nindohost, SSL starts at a rather charming price. A basic version is offered for free, for life, on all our offers!

Initially, SSL was necessary to secure a site for specific transactions, such as payment processing. Today, however, Google has recognized its importance and gives sites with an SSL certificate a higher ranking in its search results.

The SSL protocol is mandatory for all sites that handle sensitive information, such as passwords or credit card data. Without an SSL certificate, all data between the user's web browser and your web server travels in plain text and is therefore exposed to hackers and other curious eyes.

With an SSL certificate, sensitive information is encrypted before it travels between the visitor's browser and your server, making it far harder to read and your site safer.

You can install the Really Simple SSL plugin to manage your SSL certificate easily.

Protect against DDoS (via CloudFlare)

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. As a result, a website may go down for hours or days.

What can you do to protect yourself? One of the best recommendations is to use a reputable third-party security service like Cloudflare or Sucuri. 

Install a security plugin

The role of a security plugin is to maximize WordPress security. It essentially serves as a firewall and malware scanner. 

Here is a non-exhaustive list of WordPress security plugin features:

  • Provide detailed reports on the state of WordPress security;
  • Check core files, themes, and plugins for malware, bad URLs, backdoors, malicious redirects, and code injections;
  • Identify and block malicious traffic;
  • Maintain a real-time blacklist of IP addresses;
  • Block requests containing malicious code or content;
  • Protect against brute force attacks by limiting login attempts;
  • Compare your files, themes, and plugins with the content of the official WordPress.org repository, check their integrity, and report any discrepancy;
  • Repair modified files by replacing them with an original, healthy version;
  • Implement two-factor authentication (2FA);
  • etc.

As an example, here are three well-known plugins:

  • Sucuri Security – Auditing, Malware Scanner, and Security Hardening
  • iThemes Security
  • Wordfence Security

In terms of security, Nindohost offers the following elements on all its hosting plans:

  • Brute Force Protection
  • ModSecurity Application Firewall (WAF)
  • Imunify360
  • CageFS
  • KernelCare
  • Anti-Malware

Hire a WordPress specialist! (a real one)

In our article "Why use WordPress? The answer in 7 points", we saw that this CMS is known for the ease of its installation and configuration, to the point that it is not really necessary to be a developer to use it.

We still prefer to take this impression with a grain of salt!

If you have the budget, don't hesitate to use the services of a specialist to help secure WordPress.

A real WordPress technician knows what to do, how to do it well, and without wasting time, effort, or most importantly, budget! Yes, you could pay dearly for a handling error or an omission in security!
