At present, WordPress is undoubtedly the most popular content management system on the web. WordPress powers around 58% of all sites using content management systems, which means over 30% of all websites use this platform.
Since WordPress holds such a large market share, it naturally increases the likelihood of hacking attempts. Security is not something to take lightly, and trust me, you don’t want to experience your website being hacked.
Securing your site is a one-time process, unlike ongoing maintenance, and it involves a series of steps. But before we dive into those actions, the question arises: is WordPress secure out of the box? Are we worrying for nothing?
Is WordPress Secure?
Due to the frequent attacks on WordPress sites, many wonder if it’s secure enough. To put it simply, WordPress itself, especially its core files, is well-built to make it difficult for hackers to exploit and break into your site.
Most successful hacks on WordPress sites result from human errors, incorrect configuration, or improper maintenance. The main reasons sites become vulnerable include outdated WordPress versions, outdated plugins, and the irresponsible use of plugins or themes from inexperienced developers.
So where is WordPress most vulnerable? WP-Scan reports that 52% of all successful hacks are caused by WordPress plugins. Core WordPress files account for 37%, and themes for 11% of hacks. This is corroborated by Wordfence, which reports that 55.9% of hacks originate from plugins.
In this guide, I’ll share several steps to strengthen your website’s security and make it harder for hackers to succeed.
15 Actions to Strengthen Security on WordPress Sites
While there’s always a chance your site could be hacked, and you can never prevent it entirely, there are several best practices and actions you can take to make hacking attempts more difficult.
1. Choose the Most Expensive Hosting You Can Afford
Even if you take all the security steps, if you don’t have reliable hosting, your efforts may not help much. A report by WP White Security shows that 41% of WordPress sites are hacked due to vulnerabilities in their hosting provider.
If you’re on shared hosting, make sure your host offers account isolation. This prevents a compromised site on the server from affecting your WordPress site.
A better idea is to use managed WordPress hosting, where there’s a higher likelihood of having a firewall tailored for WordPress, up-to-date PHP and MySQL versions, routine malware scans, a server optimized specifically for WordPress, and a support team that knows WordPress inside and out.
2. Use the Latest Version of PHP
PHP is the language WordPress is built on, so using the latest version on your server is crucial. Each major version of PHP is supported for about two years after its release. During this time, many minor versions with bug fixes and security patches are released.
Currently, anyone using PHP version 7.4 or older is more vulnerable to security issues, as shown in the following chart:
Make sure you’re using the latest PHP version that your hosting provider supports.
It’s worth noting that there’s also a performance difference between PHP versions, and using a newer PHP version can boost your WordPress site’s speed and performance.
3. Ensure WordPress and Plugins Are Up-to-Date
It’s crucial that your WordPress site runs the latest version of WordPress, as well as the latest versions of your plugins. Beyond that, only use plugins and themes from trusted sources. Install themes and plugins only from the WordPress repository, and choose those with many active installs and high ratings.
If your site is running outdated versions, you’re more exposed to hacks because attackers tend to target older versions. Hackers are aware of the security flaws in outdated versions, so it’s easier to exploit them compared to finding new vulnerabilities in updated versions.
Equally important – always back up your site! A backup allows you to quickly restore your site if it gets hacked.
4. Use Strong Passwords
Be smart when choosing your admin username and password. Don’t use “admin” as the username, and choose a complex password. This is probably one of the most important actions to prevent hacks, and ironically, it’s the simplest to implement.
However, many site owners still choose simple passwords like “1234567” for convenience. Don’t do that—choose a strong password and store it in a safe place.
5. Change the WordPress Admin Login URL
To prevent brute force attacks, it’s a good idea to change the login URL for your WordPress admin panel. Since we all know that the default login page is wp-admin, hackers try various combinations of usernames and passwords at this URL to attempt breaking into your site.
You can make it harder for them by changing the login URL. You can easily do this with a plugin like WPS Hide Login.
Check out my quick guide on how to change the WordPress admin login URL.
6. Limit Login Attempts
By default, WordPress allows unlimited login attempts, which leaves your site vulnerable to brute force attacks. There are several plugins that allow you to limit login attempts, one of the most recommended being Limit Login Attempts Reloaded.
7. Secure the wp-config.php File
The wp-config.php file contains all the information needed to access your site’s database. This is the most important file in your WordPress installation. Secure the file by preventing access with the following code in your .htaccess file:
<Files wp-config.php>
order allow,deny
deny from all
</Files>Editing the .htaccess file is recommended for advanced users only.
8. Disable XML-RPC
XML-RPC allows remote access to your WordPress site and enables trackbacks and pingbacks. Hackers can exploit this to perform DDoS attacks.
You can disable XML-RPC with a simple plugin like Disable XML-RPC or by adding the following lines to your .htaccess file:
## block any attempted XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>Editing the .htaccess file is recommended for advanced users only.
9. Hide Your WordPress Version
WordPress updates usually contain security fixes. If you check your site’s source code, you’ll find that your WordPress version is visible.
This information is available to hackers, giving them insights if they are looking to target sites using older WordPress versions with known vulnerabilities.
To hide the WordPress version, add the following code to your functions.php file:
function wpversion_remove_version() {
return '';
}
add_filter('the_generator', 'wpversion_remove_version');10. Use a Security Plugin
There are many WordPress security plugins available that handle several of the tasks mentioned in this guide and help prevent brute force attacks while strengthening your site’s security.
These plugins can block malicious networks, prevent security holes, enforce strong passwords, scan for changes in core WordPress files, set up a firewall, monitor DNS changes, and more…
Source: Wordfence Real-Time Traffic
Here are some recommended and popular security plugins you can check out:
11. Always Use a Secure Connection
No matter where you’re connecting from, always ensure that the connection to your server is secure. It’s recommended to use encrypted SFTP if your hosting provider allows it (or SSH) to access your site. Your hosting provider should always be secure, offering the safest tools for server access.
When I say secure, I mean using supported but up-to-date versions of PHP and MySQL, isolating accounts, and using firewalls. Avoid cheap shared hosting, as it can result in issues like overloaded servers and shared IP addresses.
12. Disable File Editing from the WordPress Dashboard
Users with admin privileges can edit the PHP files of themes and plugins directly from the WordPress dashboard. It’s recommended to disable this feature and only edit files via FTP.
To disable file editing, add the following line to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);13. Hide Login Error Hints
When trying to log into WordPress with an incorrect username or password, WordPress displays a message telling you which part is wrong (username or password).
This message gives hackers a clue as to which detail is incorrect. You can change these messages to a more generic one by adding the following function to your functions.php file:
function no_wordpress_errors(){
return 'Wrong Details - Try Again';
}
add_filter( 'login_errors', 'no_wordpress_errors' );14. Use an SSL Certificate to Encrypt Data
Implementing an SSL certificate is crucial for securing your WordPress dashboard. SSL ensures encrypted and secure communication between the user, the browser, and the server, making it harder for hackers to intercept and steal information like usernames or passwords.
In many cases, an SSL certificate is available for free with your hosting package, usually through Let’s Encrypt.
SSL certificates also affect your WordPress site’s ranking in Google, giving a higher ranking to sites with an SSL certificate than those without. Higher ranking = more traffic to your site. Here’s an article I wrote that explains SSL certificates and their importance for WordPress sites.
An SSL certificate is also a part of the important transition to the HTTPS protocol, which has benefits beyond securing communication, as mentioned earlier.
15. Add Security Headers
Security headers in WordPress are designed to protect applications from common attacks without requiring changes to your application’s code. Though it’s the last action chronologically in this post, it’s definitely one of the first and most important things to do.
Check out the post I wrote on adding security headers to WordPress sites.
Conclusion
As you can see, there are many actions you can take to strengthen the security of your WordPress site. Many of the recommendations take only a few minutes to implement, so do them to ensure you have better peace of mind about your site’s security.
I hope you found this guide helpful. Feel free to comment and share, and I’d love to hear any additional tips you have so we can all learn together 🙂
