The Ultimate WordPress Security Guide – Step by Step (2023)
Every website owner should take WordPress security seriously. Google blacklists around 10,000 websites every day for malware and around 50,000 every week for phishing.
You should take the WordPress security guidelines seriously if you care about your website. To help you keep your WordPress site safe from viruses and hackers, we’ve compiled a comprehensive list of security best practices right here.
A Guide to WordPress Safety and Security
WordPress itself is very secure; hundreds of engineers perform frequent security audits to ensure this. However, there is still much that can be done to further strengthen your site’s defenses.
As WPBeginner has long said, security is not about eliminating risk; it is about reducing it. There is a lot you can do as a website owner, even if you are not technically inclined, to reduce the risk to your WordPress installation.
Here are some practical measures you can take to fortify your website against potential security flaws.
Our entire WordPress security guide is organized with a table of contents for your convenience.
Ready? Let’s get into action.
The Importance of Keeping Your Website Safe
If attackers gain access to your WordPress site, the consequences for your business can be severe. They may steal user data and credentials, plant malware or backdoors, or redirect your visitors to malicious sites.
In the worst case, you could end up paying a ransom just to regain access to your own website.
Defending your WordPress site and why it matters
More than 50 million users have been warned by Google that a website they are visiting may contain malware or steal information since March 2016.
In addition, every week, Google blacklists roughly 50,000 phishing and 20,000 malware-infected websites.
A business website requires additional WordPress security measures.
Just as a store owner is responsible for the safety of their actual location, so too is the owner of a website for a virtual store.
Updating WordPress Regularly
WordPress is open source software that is actively maintained. By default, WordPress installs minor releases (maintenance and security updates) automatically; major releases have to be started by you from the dashboard unless you enable automatic major updates.
You can customize your WordPress site however you like with the thousands of available plugins and themes. Third-party developers keep these plugins and themes updated and maintain them.
If you care about the safety and longevity of your WordPress site, you must install these upgrades. WordPress core, plugins, and themes all need to be current.
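As an added example (not code from the original guide), the following must-use plugin makes WordPress apply plugin, theme and major core updates on its own, while holding back a short list of plugins you would rather update by hand. It assumes a file placed in wp-content/mu-plugins/; the plugin slug and email address in it are placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not part of the guide)
 * Drop this file into wp-content/mu-plugins/ so it loads before normal plugins.
 */

// Plugins whose updates you want to review by hand (assumed example slug).
const AUP_MANUAL_PLUGINS = array( 'woocommerce' );

// Install plugin updates automatically, except for the hand-reviewed ones.
// $item is the update object WordPress builds for each plugin; ->slug is its directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, AUP_MANUAL_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Install theme updates automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Also install major core releases; by default only minor/security releases are automatic.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Send the core auto-update result email to a security mailbox (assumed address)
// instead of the site administrator, so update failures are actually seen.
add_filter( 'auto_core_update_email', function ( $email ) {
    $email['to'] = 'security@example.com';
    return $email;
} );
```

Automatic updates run from WP-Cron, so a site that gets no visitors (or has DISABLE_WP_CRON set without a real cron job) will not update itself; and an update can still break a site, which is why the backup section below comes first.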
Secure Logins and Access Controls
Use strong passwords
The most common WordPress attacks use stolen or guessed credentials. You can make that much harder by using strong, unique passwords for every account that touches your site: not just the WordPress dashboard, but also FTP/SFTP, the database, your hosting account, and the email addresses on your domain.
Beginners often avoid strong passwords because they are hard to remember. The good news is that you no longer need to memorize them: use a password manager. See our tutorial on managing WordPress passwords.
Another precaution is to limit how many people have administrator access. If you have a large team or guest authors, make sure you understand WordPress user roles and capabilities before adding accounts, and give each person the least privilege their job requires.
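As an added example, not from the original guide, here is a small must-use plugin that enforces a minimum password policy wherever a user sets a password through WordPress itself: the profile screen in the dashboard and the password reset form. The 14-character minimum and the short list of banned words are illustrative choices; in practice the denylist should be a large breached-password list.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example, not part of the guide)
 * Place in wp-content/mu-plugins/.
 */

// Returns an error message for a weak password, or null if it passes.
function mpp_password_problem( $password, $user_login ) {
    if ( strlen( $password ) < 14 ) {
        return 'Passwords must be at least 14 characters long.';
    }
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        return 'Passwords must not contain your username.';
    }
    // Tiny illustrative denylist; replace with a real breached-password list.
    $common = array( 'password', 'wordpress', 'admin123', 'letmein', 'qwerty' );
    foreach ( $common as $bad ) {
        if ( false !== stripos( $password, $bad ) ) {
            return 'Passwords must not contain common words such as "' . $bad . '".';
        }
    }
    return null;
}

// Fires when a profile is saved in wp-admin (new user, or an existing user changing
// their password). $user->user_pass is only set when a new password was entered.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    $msg   = mpp_password_problem( $user->user_pass, $login );
    if ( $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}, 10, 3 );

// Fires on the password reset form (wp-login.php?action=rp) before the password is saved.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( is_wp_error( $user ) || ! isset( $_POST['pass1'] ) ) {
        return;
    }
    $msg = mpp_password_problem( (string) $_POST['pass1'], $user->user_login );
    if ( $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}, 10, 2 );
```

Adding the error to the WP_Error object is what blocks the save; WordPress shows the message on the form. Passwords created by other means (WP-CLI, a plugin calling wp_set_password()) do not pass through these hooks.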
Why WordPress Hosting Is Crucial
When it comes to protecting your WordPress site, your hosting provider is your first and foremost line of defense. If you’re looking for a reliable shared hosting service, look no further than Hostinger, Bluehost, or Siteground.
Here’s how a reliable web host quietly keeps your sites and data safe in the background.
They keep an eye out for any unusual behavior on the network at all times.
Every reputable hosting service protects their clients from DDoS attacks.
To prevent hackers from using a previously patched security hole, they regularly update their server software, PHP versions, and hardware.
In the event of a serious incident, they have disaster recovery and incident response plans ready to protect your data.
Shared hosting involves sharing the server’s resources with multiple other users. This leaves your site vulnerable to cross-site contamination, in which an attacker uses another website to get access to and compromise yours.
A more secure basis for your website is provided by using a managed WordPress hosting solution. Website security is a top priority, which is why managed WordPress hosting services provide automatic backups, regular WordPress updates, and enhanced security settings.
WPEngine is our top choice for managed WordPress hosting. They also have the highest market share in their field. (Take a look at our discount on WPEngine.com).
Securing WordPress Without the Need for Code
We understand that the idea of bolstering WordPress security can be daunting to novice users. Particularly if you aren’t very tech savvy. You’re in good company, by the way.
Thousands of WordPress users have benefited from our assistance in improving WordPress security.
We’ll teach you how to strengthen WordPress’s defenses with a few mouse clicks (and no additional code).
If you know how to use a mouse, you can do this.
Set up a WordPress Data Backup Service
The first line of defense against a WordPress hack is a recent backup. Bear in mind that no kind of security can guarantee complete safety. If official government sites can be compromised, so can yours.
In the event that something were to go wrong with your WordPress site, you could easily restore it from a backup.
WordPress offers a wide variety of backup plugins, both free and paid. The single most important thing to remember about backups is that you should always save copies of your entire site somewhere offsite (not in your hosting account).
Keep it on the cloud with Amazon, Dropbox, or a private cloud service like Stash.
The best configuration might be once-daily backups or real-time backups, depending on how often you change your website.
Thankfully, plugins like Duplicator, UpdraftPlus, and BlogVault make this easy. All three are reliable and, most importantly, easy to use (no coding required).
The Best WordPress Security Plugin
Next, we’ll make sure your data is safe by installing an auditing and monitoring system that logs every change made to your website.
Checking for malware, unsuccessful login attempts, and file integrity are all part of this.
Thankfully, all of this is handled by Sucuri Scanner, the best free WordPress security plugin.
Install and activate the free Sucuri Security plugin. For details, see our step-by-step guide on installing a WordPress plugin.
After activation, navigate to the Sucuri submenu in WordPress’s administration. You’ll need to create a free API key as the initial step. This paves the way for the implementation of vital functions like audit logging, integrity checks, and email notifications.
The next step is to select the ‘Hardening’ tab in the preferences panel. After making all necessary selections, hit the “Apply Hardening” button.
You can prevent hackers from exploiting common entry points by implementing these measures. In the next section, we will discuss the Web Application Firewall, the only paid hardening option, so you may safely ignore it for now.
Many of these “Hardening” choices, such as “Database Prefix change” and “Changing the Admin Username,” are discussed later in this article for individuals who prefer to do it independently of a plugin or with additional configuration.
Once hardening is applied, the default settings are fine for the vast majority of websites. The only setting we suggest changing is 'Email Alerts'.
Because of the default alert settings, your inbox may become overrun with messages. It is highly recommended that you set up alerts for significant events such as plugin updates, user registration, etc. The notifications can be customized under Sucuri Settings » Alerts.
Explore all the tabs and options to get a feel for the full capability of this WordPress security plugin, which includes Malware scanning, Audit logs, Failed Login Attempt tracking, and much more.
Turn on a Web Application Firewall
WordPress users may rest easy knowing their site is protected with a web application firewall (WAF).
Firewalls for websites prevent any harmful traffic from ever reaching them.
DNS-level website firewalls route your traffic through the provider's cloud proxy servers before it reaches your host, so only legitimate requests arrive at your web server. One caveat: this only helps if your origin server cannot be reached directly. Configure it to accept traffic only from the firewall provider's IP ranges; otherwise an attacker who discovers the origin IP simply bypasses the proxy.
Application-level firewall plugins examine traffic after it has already reached your server but before most WordPress scripts load. They do less to reduce server load than a DNS-level firewall, and because they run inside WordPress they cannot see requests that target the web server or PHP itself.
Check out our recommended WordPress firewall plugins to find out more.
Sucuri WAF
When it comes to protecting your WordPress site from malicious attacks, we highly recommend using Sucuri. Learn how Sucuri protected us from 450,000 WordPress threats in only one month.
The best part of Sucuri's firewall is that it includes malware removal and blacklist removal at no extra cost. If your site is hacked while under their care, they promise to clean it, however many pages it has.
Because cleaning a hacked website can be expensive (security professionals commonly charge around $250 per hour), this is a valuable guarantee. The full Sucuri security suite costs $199 per year.
There are more DNS firewall providers besides Sucuri. Cloudflare is another major rival. Check out the pros and cons we found when comparing Sucuri with Cloudflare.
Move Your WordPress Site to HTTPS/SSL
SSL (Secure Sockets Layer), today implemented by its successor TLS, encrypts the data sent between a visitor's browser and your website. With this encryption in place, nobody on the network path can read or tamper with the traffic, including login credentials.
After you turn on SSL, your site will use HTTPS rather than HTTP, and a lock icon will appear next to the URL in browsers.
Certificate authorities have traditionally been the ones to provide SSL certificates, with annual costs ranging from $80 to $100 or more. Many webmasters have continued to use an unprotected protocol since it is cheaper than upgrading.
A non-profit called Let's Encrypt decided to do something about this by issuing SSL certificates to website owners at no cost. Its initiative is backed by major technology companies, including Google Chrome, Facebook, Mozilla, and others.
Using SSL on all of your WordPress sites is now more convenient than ever. These days, you can get an SSL certificate for your WordPress site at no cost from several hosting providers.
If your host doesn't provide one, you can get one from Domain.com. Their SSL package is reliable and effective, and includes a TrustLogo site seal and a $10,000 warranty.
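Once a certificate is installed, WordPress still has to be told to use it everywhere. As an added example (not the guide's own code), this must-use plugin forces every request onto HTTPS, requires HTTPS for the dashboard, and enables HSTS. It assumes a certificate is already installed and, if a CDN or reverse proxy terminates TLS in front of the server, that the proxy sets X-Forwarded-Proto and overwrites any value the client sent.

```php
<?php
/**
 * Plugin Name: Force HTTPS and HSTS (added example, not part of the guide)
 * Place in wp-content/mu-plugins/. Assumes a valid certificate is already installed.
 */

// Behind a reverse proxy or CDN that terminates TLS, PHP only sees plain HTTP.
// Honour X-Forwarded-Proto ONLY if the proxy overwrites any client-supplied value
// (assumed here); otherwise a client could claim "https" and skip the redirect.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Same effect as define( 'FORCE_SSL_ADMIN', true ) in wp-config.php:
// wp-login.php and /wp-admin/ require HTTPS and the auth cookie gets the Secure flag.
force_ssl_admin( true );

// Redirect any plain-HTTP request to the same URL over HTTPS.
add_action( 'init', function () {
    if ( is_ssl() || wp_doing_cron() || empty( $_SERVER['HTTP_HOST'] ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    // wp_safe_redirect() refuses hosts other than the site's own, so a forged
    // Host header cannot turn this into an open redirect.
    wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
    exit;
} );

// HSTS: browsers will refuse plain HTTP for this host for max-age seconds.
// Start with a short max-age (e.g. 300) and raise it once everything works;
// includeSubDomains commits every subdomain too, so check those first.
add_action( 'init', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

Two things to check after enabling it: the WordPress Address and Site Address under Settings » General must also start with https://, or WordPress will keep generating http:// links; and a proxy that does not send X-Forwarded-Proto will cause a redirect loop, which is the failure mode the header check above exists for.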
DIY Website Protection Using WordPress
If you follow the advice we’ve given thus far, you should be in good shape.
However, there is always more that can be done to strengthen WordPress security.
Coding expertise may be helpful for some of these processes.
Change the Default "admin" Username
In the past, WordPress used "admin" as the default administrator username. Since a username is half of the login credentials, this made brute-force attacks easier for attackers.
Thankfully, WordPress has now altered this, and a unique username selection is now a prerequisite during the WordPress installation process.
The default username for the administrator remains “admin” in some 1-click WordPress installers. Changing web hosts is recommended if you discover this to be the case.
WordPress does not let you change a username from the dashboard, so you'll need to use one of three workarounds:
Make a new admin account, then remove the old one.
Make use of the Username Switcher add-on
Modify login details in phpMyAdmin
All three of them are addressed in our comprehensive article on how to change your WordPress username in a methodical, step-by-step manner.
Keep in mind that we're talking about the username "admin", not the "administrator" role. Also, hiding the username is only a minor obstacle: author archive URLs and the REST API users endpoint can reveal usernames, so a strong password and two-factor authentication matter far more.
Disable File Editing
WordPress's built-in code editor lets you modify theme and plugin files from the administration dashboard. We advise disabling it, because anyone who gets into an administrator account can use it to run arbitrary PHP on your server. Note that such an attacker could still upload a plugin containing code; the stricter DISALLOW_FILE_MODS constant also disables plugin and theme installation and updates from the dashboard.
Simply insert the following code into your wp-config.php file to achieve this.
```php
// Disable the theme and plugin file editors in the dashboard
define( 'DISALLOW_FILE_EDIT', true );
```
As an alternative, you can use the Hardening function of the aforementioned free Sucuri plugin with a single click.
Turn Off PHP Execution for Selected WordPress Folders
One further technique to strengthen WordPress security is to prevent PHP files from being executed in unused directories like /wp-content/uploads/.
To do this, create a file named .htaccess with the following contents:
```apacheconf
# .htaccess for /wp-content/uploads/: refuse to serve any .php file from here
# (on Apache 2.4 without mod_access_compat, use "Require all denied" instead)
<Files *.php>
deny from all
</Files>
```
Then upload this .htaccess file to your site's /wp-content/uploads/ directory using an FTP client. Note that .htaccess files only work on Apache (with AllowOverride enabled); on nginx the equivalent rule has to go in the server configuration.
To learn more, read our tutorial on how to restrict PHP execution to specific WordPress folders.
As an alternative, you can use the Hardening function of the aforementioned free Sucuri plugin with a single click.
Curb Failed Login Attempts
By default, WordPress allows unlimited login attempts. This leaves your site open to brute-force attacks, in which an attacker tries many username and password combinations until one works.
A simple fix is to limit the number of failed login attempts allowed from a client. If you use the web application firewall described above, it handles this automatically.
If a firewall is already in place, you can go forward to the next section.
The Login LockDown plugin must first be installed and activated. See our detailed tutorial on installing a WordPress plugin for more information.
Once the plugin has been activated, go to the Settings » Login LockDown page to configure it.
Check out our in-depth tutorial on limiting login attempts in WordPress to learn how.
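If you would rather see what such a plugin does than install one, this added example (not from the original guide or from Login LockDown) shows the whole mechanism in a short must-use plugin: failed logins are counted per client IP address in a transient, and once the limit is reached the authenticate filter refuses further logins until the lockout expires. The limits are illustrative, and the file is assumed to live in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Simple login lockout (added example, not part of the guide)
 * Locks a client IP out of the login for 15 minutes after 5 failed attempts,
 * using transients so no extra database tables are needed.
 */

const SLL_MAX_ATTEMPTS    = 5;
const SLL_LOCKOUT_SECONDS = 900;

function sll_client_ip() {
    // Assumes the web server talks to clients directly. Behind a proxy or CDN this
    // is the proxy's address; there, use the proxy's forwarded-IP header, and only there.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function sll_transient_key( $ip ) {
    return 'sll_fail_' . md5( $ip );
}

// Count every failed login. wp-login.php and XML-RPC both go through
// wp_authenticate(), which fires this action on failure, so XML-RPC guesses count too.
add_action( 'wp_login_failed', function () {
    $key   = sll_transient_key( sll_client_ip() );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, SLL_LOCKOUT_SECONDS );
} );

// Refuse authentication while the address is locked out, even with a correct password.
// Priority 30 runs after WordPress's own username/password check at priority 20.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $fails = (int) get_transient( sll_transient_key( sll_client_ip() ) );
    if ( $fails >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_failed_logins',
            'Too many failed login attempts from your address. Try again in 15 minutes.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( sll_transient_key( sll_client_ip() ) );
} );
```

Because a refused attempt during the lockout is itself a failed login, every further guess restarts the 15-minute timer. The weak point of any per-IP scheme is that a distributed attack spreads guesses across many addresses; that is why the DNS-level firewall, which sees traffic across many sites, does this job better.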
Put in place two-factor authentication.
In order to log in using a two-factor authentication system, users must complete two separate authentication steps. Username and password are the initial stage, and a second device or app is needed for authentication.
You may enable it for your accounts on most of the major internet services, including Google, Facebook, and Twitter. If you’re using WordPress, you can add the same capabilities there as well.
The Two-Factor Authentication plugin must first be installed and enabled. The ‘Two Factor Auth’ link will appear in the admin sidebar of WordPress after activation.
After that, launch an authenticator app on your mobile device. Google Authenticator, Authy, and LastPass Authenticator are just a few examples.
LastPass Authenticator and Authy are highly recommended because they both provide cloud-based account backup. If your phone ever disappears, gets reset, or you decide to upgrade, this will come in extremely handy. Your access to all of your accounts can be quickly restored.
In this tutorial we'll use LastPass Authenticator, but all authenticator apps work the same way. Open the app and tap the "Add" button.
You can either scan the QR code or enter the secret key manually. To display the QR code, go to the plugin's settings page and choose the scan bar code option.
Now it will be permanently stored in your authentication app. After entering your password, the next time you access your website, you will be prompted to enter the two-factor auth code.
The authenticator app on your phone will display a code; enter that code.
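To show what the authenticator app and the plugin are actually doing, here is an added example (not from the guide or from the plugin it recommends) that implements the RFC 6238 TOTP check inside WordPress's login flow. It assumes each enrolled user has a base32-encoded secret stored in the user meta key totp_secret (enrollment and QR-code display are left out) and adds a code field to the login form; both names are assumptions.

```php
<?php
/**
 * Plugin Name: TOTP second factor (added example, not part of the guide)
 * Place in wp-content/mu-plugins/. Assumes enrolled users have a base32 secret
 * in user meta 'totp_secret' and uses 'totp_last_counter' to block code reuse.
 */

// Decode an RFC 4648 base32 secret (what the QR code carries) into raw bytes.
function totp_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $char ) {
        $index = strpos( $alphabet, $char );
        if ( false === $index ) {
            return false; // not a valid secret
        }
        $bits .= str_pad( decbin( $index ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( 8 === strlen( $chunk ) ) {
            $bytes .= chr( bindec( $chunk ) );
        }
    }
    return $bytes;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, 6 digits.
function totp_hotp( $secret, $counter, $digits = 6 ) {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// RFC 6238 TOTP: the counter is the 30-second step; accept one step either side
// for clock drift. Returns the matching counter, or false.
function totp_matching_counter( $secret, $code, $now, $window = 1 ) {
    $counter = intdiv( $now, 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_hotp( $secret, $counter + $i ), $code ) ) {
            return $counter + $i;
        }
    }
    return false;
}

// Add the code field to wp-login.php.
add_action( 'login_form', function () {
    echo '<p><label for="totp_code">Authenticator code<br>'
       . '<input type="text" name="totp_code" id="totp_code" class="input" '
       . 'autocomplete="one-time-code" inputmode="numeric"></label></p>';
} );

// After the password check (priority 20) has produced a WP_User, demand the code.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // password step already failed
    }
    $secret_b32 = get_user_meta( $user->ID, 'totp_secret', true );
    if ( '' === $secret_b32 ) {
        return $user; // not enrolled (consider requiring enrollment for administrators)
    }
    $secret = totp_base32_decode( $secret_b32 );
    $code   = isset( $_POST['totp_code'] ) ? preg_replace( '/\D/', '', $_POST['totp_code'] ) : '';
    $match  = ( false === $secret ) ? false : totp_matching_counter( $secret, $code, time() );
    // Reject replays: each code is valid once, even inside the drift window.
    $last_used = (int) get_user_meta( $user->ID, 'totp_last_counter', true );
    if ( false === $match || $match <= $last_used ) {
        return new WP_Error( 'totp_invalid', 'Invalid or reused authenticator code.' );
    }
    update_user_meta( $user->ID, 'totp_last_counter', $match );
    return $user;
}, 30, 3 );
```

With the RFC 4226 test secret "12345678901234567890" (raw ASCII bytes) and counter 0, totp_hotp() returns "755224", which is the value the RFC lists. Because the check sits on the authenticate filter, XML-RPC logins, which cannot supply a code, fail for enrolled users as well; if you rely on application passwords over XML-RPC, exempt requests where XMLRPC_REQUEST is defined.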
Alter the WordPress Database Table Prefix
By default, all tables in your WordPress database use the wp_ prefix, which makes table names easy to guess. Many guides therefore suggest changing it. Be aware that this is an obscurity-only measure: an attacker with a SQL injection flaw can read the real table names from information_schema regardless of the prefix, so treat it as optional.
If you still want to change it, follow our detailed guide on changing the WordPress database prefix.
Keep in mind that if you do this incorrectly your site will break, so don't proceed unless you are comfortable with the steps.
Protect the WordPress Dashboard with a Password
The wp-admin folder and the login page are normally reachable by anyone, which lets attackers try their techniques or flood the login page with requests.
You can stop such requests before they reach WordPress by adding a second layer of password protection (HTTP authentication) in front of the wp-admin folder at the web-server level. One caveat: wp-admin/admin-ajax.php is used by many themes and plugins for front-end features, so you will usually need to exempt that file.
Use our detailed guide to secure the wp-admin folder on your WordPress installation.
Turn Off Searching And Indexing Of Directories
By sifting through your directories, hackers can see if they include any files with exploitable flaws and then use those to break in.
Others can utilize directory browsing to access your files, get photos, and learn about your file system’s structure. Because of this, disabling directory indexing and browsing is strongly suggested.
Connect to your website via FTP or the file manager in cPanel and find the .htaccess file in the root directory. If you can't see it, read our explanation of why you can't find the .htaccess file on your WordPress site.
Then add the following line at the very end of the .htaccess file:
```apacheconf
Options -Indexes
```
Save the .htaccess file and upload it back to the server. This directive only applies to Apache; on nginx, directory listing is off unless autoindex has been turned on in the server configuration. See our article on disabling directory browsing in WordPress for more details.
Disable XML-RPC in WordPress
XML-RPC has been enabled by default since WordPress 3.5 because it lets your site integrate with other web and mobile applications.
Because XML-RPC is so powerful, it can also greatly amplify brute-force attacks.
For example, if an attacker wants to try 500 passwords on your site, a login-lockdown plugin watching wp-login.php will see and block 500 separate login attempts.
With the XML-RPC system.multicall method, however, an attacker can bundle hundreds of login attempts into a single request, so a few dozen requests are enough for thousands of guesses.
Because of this, we advise turning off XML-RPC if it isn’t being used.
Our comprehensive guide explains all three of the possible approaches to deactivating XML-RPC in WordPress.
The.htaccess file is the most efficient way because it uses fewer system resources.
If you’re utilizing the aforementioned web-application firewall, the firewall will take care of this for you automatically.
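As an added example, not from the original guide, the following must-use plugin disables XML-RPC from PHP, removes the two methods most abused (system.multicall for password guessing and pingback.ping, which needs no credentials and has been used for reflected denial of service), and stops the site from advertising the endpoint. Skip it if Jetpack or a mobile app you use depends on XML-RPC.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not part of the guide)
 * Place in wp-content/mu-plugins/.
 */

// Reject every XML-RPC call that requires a login. This is checked inside the
// server's login() step, so unauthenticated methods are unaffected by it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Drop the methods attackers abuse. pingback.ping does not log in, so the
// filter above would not stop it; removing it from the method table does.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint: the X-Pingback response header on every page
// and the RSD <link> tag in <head> both point scanners straight at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

To confirm it worked, request /xmlrpc.php with a POST body calling system.multicall or pingback.ping and check that the response is a "method does not exist" fault. Blocking /xmlrpc.php at the web server, as the guide's .htaccess method does, is cheaper still because the request never reaches PHP.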
WordPress Auto Logout for Inactive Users
Logged-in users who leave their screens unattended are a security risk: anyone with physical access to the machine can use the open session to change passwords and account settings.
That’s why after a user hasn’t been active for a while, many financial and banking sites will log them out. You may add the same features to your WordPress site.
The Inactive Logout plugin must be installed and enabled. The plugin settings can be modified after activation by going to Settings » Inactive Logout.
Simply configure the timeout period and enter an exit message. When you’re done making adjustments, be sure to click the “Save Changes” button.
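As an added example (not the plugin's code), here is the same idle-logout behaviour implemented in a must-use plugin: the time of each user's last page request is stored in user meta, and a request arriving after the idle limit is logged out and sent to the login page. The 15-minute limit and the meta key name are assumptions.

```php
<?php
/**
 * Plugin Name: Idle session logout (added example, not part of the guide)
 * Place in wp-content/mu-plugins/. Logs a user out after 15 minutes without a
 * page request (assumed timeout; tune per site).
 */

const ISL_IDLE_SECONDS = 900;

add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    // The admin Heartbeat and other background admin-ajax/REST calls would keep an
    // unattended tab "active" forever, so they are not counted as activity.
    if ( wp_doing_ajax() || wp_doing_cron() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'isl_last_activity', true );
    $now     = time();
    if ( $last && ( $now - $last ) > ISL_IDLE_SECONDS ) {
        wp_logout(); // clears the auth cookies and destroys this session's token
        delete_user_meta( $user_id, 'isl_last_activity' );
        wp_safe_redirect( add_query_arg( 'idle', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, 'isl_last_activity', $now );
} );

// Tell the user why they are back on the login page.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['idle'] ) ) {
        $message .= '<p class="message">You were logged out after a period of inactivity.</p>';
    }
    return $message;
} );
```

The timestamp is per user rather than per session, so activity on one device keeps a second device's session alive; wp_logout() itself only ends the session whose cookie made the request. A plugin such as Inactive Logout also runs a timer in the browser so that an open tab is logged out without waiting for the next click.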
WordPress Login Screen with Security Questions
Adding a security question to the WordPress login screen gives attackers one more hurdle. Keep in mind that answers to typical security questions are often guessable or discoverable from public information, so treat this as a minor supplement to a strong password and two-factor authentication, not a replacement.
The WP Security Questions plugin enables the introduction of such questions. Once activated, you can adjust the plugin’s settings on the Settings » Security Questions page.
See our in-depth guide on how to implement WordPress login security questions for additional information.
Checking WordPress for Threats and Weaknesses
When you install a WordPress security plugin, it will do regular scans for vulnerabilities and malicious software.
A manual check may be warranted, though, if you notice a sudden drop in traffic or search rankings. You can use any of these malware and security scanners, or the scanner built into your security plugin.
Scanning your website for known malware and harmful code is as simple as entering your website URLs into an online scanner.
Keep in mind that the majority of WordPress security scanners can only perform a scan of your website. They are unable to fix a WordPress site that has been hacked or remove malware.
Next up, we’ll discuss removing malware and restoring compromised WordPress installations.
How to Repair a Compromised WordPress Site
Before their site gets hacked, many WordPress users don’t give backups and security any thought.
Cleaning up a hacked WordPress site can be tedious and time-consuming. Our first piece of advice is to let an expert handle it.
If the backdoors the attackers planted are not all found and removed, your website will very likely be compromised again.
If you want to make sure your website is secure again, it’s best to let a professional security company like Sucuri take care of the problem. Additionally, it will shield you from any future assaults.
For do-it-yourselfers and risk takers, we have a step-by-step guide on how to fix a hacked WordPress site.
Identity Theft and Network Security: An Extra Tip
If we don’t take precautions to safeguard our digital and financial identities as business owners, we risk suffering heavy damages. Thieves can use your personal information to impersonate you online and commit fraud, theft, or other illegal acts for which you may be held legally responsible.
In 2020, 4.7 million cases of credit card and identity theft were reported to the Federal Trade Commission (FTC).
This is why services like Aura (which we also use) exist to safeguard your personal information from being stolen.
Their free VPN (virtual private network) encrypts your device's traffic, so you can browse from untrusted networks with peace of mind. This lets you access your WordPress admin from a public place like a Starbucks without exposing your traffic to anyone else on the same network.
Their service also monitors the dark web and notifies you if your passwords, SSN, or bank account details turn up in a breach.
This facilitates quicker responses and more security for your online persona.
That wraps up our look at the finest WordPress security measures and plugins; we hope you find this information useful.
For more information on optimizing WordPress for search engines and increasing its loading speed, check out our comprehensive guide.