WordPress powers more than 20% of websites on the Internet. Due to the high popularity and open source nature, WordPress sites are one of the main targets for hackers and malicious software. Your WordPress site could be an easy target for attackers due to simple admin username, easy passwords and outdated theme or plugins. But no need to worry, it is easy to protect your site following some simple steps. Here is a step by step WordPress security guide for beginners to understand various aspects of protecting your site from attackers and vulnerabilities.
WordPress Security Guide for Beginners
- Keep your computer and mobile free from virus
- Use secure hosting
- Keep your installation updated
- Use strong passwords
- No admin username
- Safe role management
- Use reliable themes and plugins
- Disable theme and plugin editor in admin interface
- Block PHP executing from dashboard
- Stop brute force attack
- Block suspicious users, IP and bots
- Disable directory browsing
- Disable WordPress version
- Change database table prefix
- Change WordPress admin URL
- Use correct file permissions
- Track file changes
- Use basic firewall settings
- Deny access to log file
- Disable XMLPRC and pingbacks
- Handle sensitive data securely
- Prevent spam
- Periodic site backup
- Scan site for malware
- Monitor 404 errors
- Protect “wp-config.php” and “.htaccess” files
- Provide secure third party access
- Use security plugin
Download WordPress Security Guide in PDF Format
1. Keep Your Computer and Mobile Safe
Building a website needs lot of resources like documents, images, scripts, files and videos. You may need to have a dedicated laptop and mobile to keep building your content. Especially on self-hosted WordPress platform, remotely accessing the server through FTP is required most of the times for troubleshooting and uploading purposes. Hence, install antivirus on your computer and scan the files regularly. Don’t forget to scan the plugin and theme files before uploading on your WordPress site.
Uploading a single script or file with malicious code will spoil all your hard work and your host probably will ban your account for causing trouble to the server. Also ensure to access your WordPress dashboard only through secured WiFi connection and avoid public networks to protect your data.
2. Secure Hosting
Installation of WordPress needs paid hosting that should be purchased from any of the hosting companies. As a new WordPress user, you may tend to spend less money and end up in buying a cheap shared hosting for your site. Undoubtedly you will regret your decision of choosing bad hosting company sooner or later. When you are on a shared server, it is important that all sites on that server are running safe and secure. It is common that hundreds or even thousands of sites share a single server IP address. When one site on your server is hacked, there are more possibilities that the whole server can be hacked and you will also get affected. There were many instances in the past, thousands of sites on a server was hacked as the hacker could take down the server through vulnerability in a single website.
WordPress recommends some secured hosting companies but you need to check with the company before purchasing.
Ensure your site can be completely backed periodically and the backup is stored outside the server. From security point of view, storing the backup on the same server is of really no use when the server itself is under attack.
3. Stay Updated
WordPress has three main components to update frequently.
- Core WordPress files
As threats can evolve over the period of time, all of these three components should be updated to latest and secured versions. It is highly recommended to enable auto update for your WordPress versions so that any security patches will automatically installed without your intervention. Also ensure to update themes and plugins on your hosting server so that they are secure and up to date.
Learn more on how WordPress works.
4. Set Strong Password
Generally users install WordPress through one-click installation services offered by the hosting companies. This is less than 5-minute process and there are possibilities you may not provide a very strong password during this quick installation process especially when you are doing it for first time. Also most of the users forget to update the password after initial setup and some wise users even use the password as “password”.
Self-hosted WordPress site needs lots of passwords for different reasons. Ensure to have strong passwords for all your accounts and protect the credentials from unknown people.
- Password for admin WordPress panel
- Password for FTP account
- Password for database
- Passwords for different users on your site like administrator, editors, contributors, etc.
- Password for your hosting account
- Password for cPanel and phpMydmin access
You can also use two-factor authentication to login to your WordPress dashboard. This helps to have two passwords, for example one for initial dashboard login and an additional password will be sent to your mobile for final login. Change the password immediately if you see something is going wrong on your site.
5. Change Admin Username
Similar to the passwords it’s a habit for most us to provide simple username like “admin”. The first attempt any bot or hackers will try to login to your site is with the username “admin” and password as “password”. Once the installation is completed, WordPress will not allow you to change the username. So provide complex username and password during installation so that hackers and bots can’t guess it easily.
Learn more on how to change admin your username.
You can keep the nickname and display name different than the username to make it difficult for hackers to find the admin username. Similarly try to keep your admin, editor and contributor usernames different. Otherwise it is easy for the hackers to find the admin username on your site with the author archives page.
6. Use Safe Role Management
WordPress offers many roles to classify the people who handle your site. Administrator, editor, contributor, subscriber are some of the roles you can assign. When you have registration function enabled on your site, ensure to offer subscriber or no role to the new users signing up.
It is necessary to provide your admin credentials for getting certain assistant for your commercial plugins or theme. Always create a separate admin user and provide it only in a private area of the support forums which can’t be seen by other users. Don’t forget to delete the user once your query is resolved.
7. Use Reliable Theme and Plugins
WordPress has 47 thousands of free plugins available on the repository when this article is written. Besides these free plugins, there are equivalent number of premium and free plugins offered through various third party websites. Similarly huge number of free and premium themes are available for you to choose from.
Different types of free and paid plugins always tempt beginners to install and try on their WordPress site.The abundance of themes and plugins can cause huge security threat to your site. There is no guarantee that these plugins and themes will be maintained and updated to protect from latest vulnerabilities. Do not buy or install plugins and themes from unreliable resources and always keep a habit of testing plugins and themes on your development site before deploying it on the live site. Always go for a premium version to get appropriate support instead of going for free versions.
Besides security, installing more plugins will also reduce your page loading speed. Hence delete unnecessary plugins and keep the list trim as less as possible.
8. Disable File Editing from Admin Panel
WordPress allows you to edit theme and plugin PHP files right from the admin panel. When someone have unauthorized access to your admin panel, they can easily inject malicious code from the dashboard without accessing root directory of the server. So ensure to remove the editor access to protect your data from the people accessing your admin panel.
Add the below code in your “wp-config.php” file to disable the plugin and theme editor options in admin frontend.
Learn more on how to edit “wp-config.php” file on your WordPress installation.
9. Preventing PHP File Execution
Hackers execute PHP files on your site to trigger unwanted action. You can block users executing PHP files from your admin interface from any IP address other than yours. To enable PHP execution blocking, create “.htaccess” file and place it inside the “/wp-content/plugins/” and “/wp-content/themes/” folder with the following content:
<Files *.php > deny from all allow from “ Your IP address” </Files>
10. Protecting from Brute Force Attacks
Brute force attack is the way of trying to login to your site by means of guessing the username and password. Any WordPress site can be logged in using the URL – “yoursite.com/wp-admin/” or “yoursite.com/wp-login.php/”. There are thousands of bad bots will try to log into your WordPress site as the login URL is known to all.
Keeping strong admin username and password is essential so that bots can’t guess. On other hand, thousands of bots hitting your login page will increase the CPU and RAM utilization of your server. This will lead your hosting company to ban of your account especially on shared hosting environment.
There are plenty of security plugins available for WordPress to protect brute force attacks by one or combination of the following methods.
- Enable maximum login attempts so that the user will be locked after few attempts. You as an administrator will get a notification regarding the lockout with username and IP details.
- Use captcha on login and registration forms to protect automatic login attempts of bots.
- When known bad bots are trying to login they will be redirected to localhost server to avoid loading on your server.
- Change the URL of your admin panel login.
- Keeping a whitelist to enable only those IP addresses to access login page. All other IP addresses will be denied from accessing your login page.
- Cookie based login prevention which allows only the people having special cookie set on their browser to login to your site.
- Using honeypot technique to insert a hidden field on the login page. As bots tend to fill all the fields on the login page, they can be easily stopped from accessing your site.
Learn how to prevent brute force attack in WordPress site in detail.
11. Block Suspicious User, Bots and IP Blacklist
Another important aspect of security is to monitor the users and bots accessing your site. As most of the paid hosting services are based on the traffic limit, it is necessary to monitor the automated bots crawling your site. You can find the traffic details using one of the statistics tools available in your hosting account like “Awstats“. Individual users, user agent name of the bots and IP addresses can be blocked to protect your site.
You can also easily block all IP addresses other than yours by creating a “.htaccess” file and place it inside the “/wp-admin/” folder with the following code:
order deny,allow allow from “Your IP address” deny from all
If you access the admin panel from more than one IP address then allow multiple IP addresses by adding multiple allow commands as below:
order deny,allow allow from “Your IP address1” allow from “Your IP address2” allow from “Your IP address3” deny from all
You may also block the complete country by using country blocking plugins.
Download WordPress Security Guide in PDF Format
12. Disable Directory Browsing
Directory browsing allows any user to browse the directory structure of your site. For example, anyone can open the folder “/wp-content/plugins/” on browser and check all installed plugins on your site. When a hacker knows there is a problematic plugin on your site, it will be an easy entry door to hijack your site.
Directory browsing can be disabled by adding the below directive in “.htaccess” file located in root directory of your server.
Options All -Indexes
Learn how to edit .htaccess file in WordPress site.
13. Disable WordPress Version
WordPress sites show the version of the WordPress it uses in the source code of pages. You can right click and view your WordPress site’s source code on the browser to find the version information as below:
<meta name=”generator” content=”WordPress 4.7″ />
Ideally it is not necessary to hide this meta generator tag if you are promptly updating to the latest version. It is recommended to hide this version information if you are not using the latest version or not updating periodically.
Old WordPress versions are having many known vulnerabilities which are fixed over the period of time. Hackers can use this version information to find the sites using old versions and can inject those vulnerabilities easily.
Besides the meta generator tag, WordPress also shows the version number in most of the stylesheet and script files by suffixing the string “/?ver=4.7”. Use security plugins to remove version information completely from all source codes.
14. Change Database Table Prefix
When you install WordPress, you will be promoted to enter prefix for the tables of your MySQL database. WordPress by default adds “wp_” to all database tables as a prefix. For example, all text content of your WordPress site is stored under “wp_posts” table. This makes the hackers job easy to inject malicious code into your database tables directly through inappropriate access.
Generally one-click installation from web hosting companies always add a complex prefix to your WordPress database. But when installing WordPress manually if you have provided simple prefix then we recommend changing it now. You can change the database table prefix using any of the security plugin since manually changing is rather a difficult task for beginners.
By changing the prefix you are improving the protection to your database as hackers can’t guess the correct table names.
15. Change WordPress Login URL
Changing login URL will reduce the brute force attacks since no bots and hackers find the way to login to your site. Plugins like iThemes Security and All in one WP security and firewall offer easy way to change the login URL. You can keep the URL something like “http://yoursitename.com/dontattack1me4/” containing alphanumeric to make it more secure.
16. Using Correct File Permissions
Each file and folder on your WordPress installation comes with defined file permission. This helps to decide who can read, write or execute certain files on the site. Generally files like “wp-config.php” and “.htaccess” should be protected with proper permission so that public group can’t access these files.
The default file permissions defined by WordPress is mostly sufficient to protect your data. But the problem arises when you install plugins and themes which will change or create many folders on your installation. It is a good practice to scan your site and ensure to have correct permissions for all important folders.
17. Tracking File Changes
Hackers inject malicious code on your file system and display their content instead of yours when the site is opened. So it is a wise idea to keep track of the changes on important files on your site. Generally all core files with .php extension (like “wp-config.php”) should not be changed by anyone without your knowledge.
You can achieve this file tracking using any of the security plugins. These plugins allow you to choose specific directory and files on your site to track.
18. Use Basic Firewall Settings
There are basic and advanced firewall settings to improve the security of your WordPress site. Generally these controls are added in “.htaccess” file and prevent hackers and bots from accessing your site. Some of the firewall settings include:
- Deny access to “wp-config.php” and “.htaccess” files.
- Limit file upload size
- Remove server signature
19. Deny Access to Log File
Troubleshooting WordPress problems need skilled analysis of the situation. WordPress allows you to enable the debug logging so that it is easy to find out what’s is going on when the action is triggered on your site. Once the debugging is enabled, the “debug.log” file will be stored under “/wp-content/debug.log”. This is an important file to be protected from hackers in order to avoid sensitive information is being leaked. Ensure to disable debug once the troubleshooting is done and delete the log files.
Also you can disable browser access to “debug.log” file and continue to access using FTP.
20. Disable XMLPRC and Pingbacks
When you monitor the traffic to your site, you will be surprised to see the number of bots trying to access the page “/xmlprc.php”. There are many possibilities hackers can use XMLPRC API to take down your site including vulnerabilities like DoS or Denial of Service.
Besides hacking issues, it is necessary to protect the access to “xmlprc.php” page to reduce the load on your hosting server. Ensure you are not using XMLPRC function on your WordPress site and disable it to protect your site from hackers.
Note some plugins and apps like WordPress iOS app uses this XMLPRC API. If you disable the service then the app or plugin will not work.
Similar to XMLPRC, pingbacks can also create security problems for your site. You can disable pingbacks from the admin panel and improve the data protection for your site.
21. Handle Sensitive Data Securely
Hacking does not necessarily mean always hijacking the site or server. Most of the times hacking is done to steal sensitive data like email and credit card details available on the site.
Use HTTPS on the pages for collecting data through forms, especially if the data is sensitive in nature like financial details, social security number, etc. and send the data through secured email servers to protect from hackers. Especially if you have online store, it is mandatory to use SSL and enforce HTTPS protocol for financial transactions.
Don’t use robots.txt to hide important pages and directories from search engines. Anyone can view your robots.txt file on the browser and access hidden pages. Using “.htaccess” directives can help better controlling but discuss with plugin developer or an expert if you don’t understand how the data is stored and transferred.
Generally the data collected from forms are stored in custom tables in the database and used for different purposes. Hence, ensure no other person is having access to your hosting account and read database tables.
22. Prevent Spam
Though spamming is not hacking, hacker can be a spammer to check your site’s vulnerabilities through comment or form submissions.
- Ensure to use spam prevention plugins like Akismet to protect your site from spammers.
- If required, you can use captcha on comment, login, registration and contact forms.
- Block comments not originating from your domain to stop bots automatically generating comments from outside your site.
23. Have Periodic Site Backup
From outlook security and backup will look two different topics. But the truth is they are interrelated as two steps of single activity. When a site is hacked the first thing you need is to have a secured backup to restore the content.
- Ensure to have a periodical backup of site files and database.
- Store your backup outside the hosting server.
- Protect your backup from unauthorized access similar to protecting your live site.
- Test and confirm the backup is working and can be restored during emergency.
- Check with your host that the complete site content is backed up and they can help in restoring during disaster.
Backup your site regularly so that it can be restored during emergency situations. Also download the backup to your local computer and keep it away from your hosting server. The local backup will help you to restore your site when your server is infected.
You can create a local WordPress development environment using MAMP any other software and backup your live site to local computer periodically.
24. Scan for Malware
Malware or malicious software is a piece of code which hacker will insert on your regular code. It may be difficult for you to find malware on a site, as it is difficult to differentiate the malicious code. Periodically scan your site for malware using paid security services to ensure your site content is safe. Most of the hosting companies and security plugins offer malware scanning feature and send the scan status to your email.
When your site is infected with malicious software, the first thing you may notice is drop in traffic. As search engine bots like Googlebot are very intelligent, they can detect the malicious code and demote your search ranking to protect the users. You can use the security tools available in Google Search Console and confirm your site is safe to browse.
25. Monitoring 404 Errors
The automated bots will try to access non-existing pages on your site thus leading to 404 error. Monitoring 404 error will give you an idea of who is trying to access the old or non-existing URLs on your site.
For example, a bot or user tries to access a non-existing page “…/payment/” should be blocked. This indicates the bot or user is trying to guess the potential hidden pages on your site to get sensitive data.
26. Protect WP-config and .htaccess Files
“Wp-config.php” is the configuration file having important information like database name and password of your WordPress site. The file can be access through FTP or through hosting account using options like “File Manager”. Most of the security plugins add parameters in this configuration file to control the behavior. It is highly recommended to have the backup of your “wp-config.php” file before you make any settings on security related plugins.
Similarly, “.htaccess” file located in the root directory of your site is the key file used for security measures. Ensure to have a backup before modifying the file through security plugins.
27. Providing Secure Third Party Access
When you purchase a theme or plugin from third part website, it may be necessary to provide admin access to them for troubleshooting. Follow the below guidelines when dealing with third party developers:
- Check all aspects of troubleshooting and confirm the need of sharing admin access credentials.
- Never share your own admin access to any third party websites.
- Create a new username with admin access and provide to them.
- When you offer FTP access, ensure to limit the access only for the required folder or domain.
- When deleting FTP account, be careful to delete only the account and not the data associated with the FTP account. Wrongly deleting FTP account along the associated data will wipe out your content in matter of seconds.
Use WordPress Security Plugins
Implementing all the security measures discussed above will be a daunting task for site owners. Fortunately, there are many free and premium security plugins out there offering these features as a package. You can either use free plugins like All in One WP Security and Firewall or partially free plugins like iThemes security / Wordfence. Most of the above mentioned points are offered as a package in these security plugin and make your job easy.
Below are some of the popular security plugins and we strongly recommend you to test the one suitable for your need before installing on live site.
Security Package Plugins
These plugins offer most of the security features as a bundle.
- iThemes Security (formerly Better WP Security)
- Wordfence Security
- BulletProof Security
- All in One WordPress Security and Firewall
Password Protection Plugins
- Force Strong Passwords
- WordPress Password Expiry
- WP Mail SMTP
Brute Force Protection
- Login Security Solution
- Login LockDown
- Rename wp-login.php
- Jetpack Protect module.
- Lockdown WP Admin
- Clef—Two-factor authentication
- Google Authenticator
- WordPress HTTPS (SSL)
Download WordPress Security Guide in PDF Format