WordPress content management system (CMS) tutorials focusing on security can help you find better ways to secure your website. Whether you’re a seasoned WordPress developer or new user learning how to customize WordPress, there’s always something that could better secure your website.
Below we cover 10 ways to secure the WordPress.
Use Strong Passwords, Update Often
Follow recommended password practices. Create passwords over 15 characters with special characters, lower and upper case letters, and numbers. This should apply not only to user logins but connected databases and salts set in the wp-config.php file.
Change passwords every 30-90 days and when someone leaves your team/organization. Consider password management tools such as KeyPass or Dashlane to manage and regularly update strong passwords.
Install a security plugin and regularly monitor its logs. Important security plugin features include:
- Activity reports
- Alerts of plugins abandoned (haven’t been updated in months)
- Blocks abusive bots
- Brute force protection against login attempts
- Firewall with IP address whitelist/blacklist based on IP Range, Hostname, and User Agent
- Multifactor authentication with email or SMS verification
- Spam comment filtering
- File integrity scans for WordPress core files
We recommend WordFence Security for securing WordPress sites from our list of security plugins.
Full account scans can catch malware in external directories – e.g. email accounts without strong authentication or subdomains using another CMS.
With an email ticket request, our Support department will scan your server space and send you the results. Although we’re not security professionals, we’ll do our best to provide resources to improve your security going forward.
VPS / Dedicated users can do this anytime with ClamAV.
Check out Sucuri for enhanced hands-off website protection. Or get a sneak peek with their free online scanner.
Create backups regularly using a backup plugin and cPanel. Security plugins don’t always catch issues before irreversible damage is done. Sometimes, the best course of action is complete hack recovery – restore from a backup and change all passwords.
Check out our Backup Manager in cPanel for automated backups.
Install an SSL Certificate
Use a free or paid SSL, then force redirects to HTTPS to assure visitors the website is secure. Websites with e-commerce functions should use a paid SSL while a free alternative such as AutoSSL, the free SSL that’s auto-enabled forever, suffices for others.
We recommend Really Simple SSL for fixing mixed content errors identified with online tools such as WhyNoPadlock.com.
Those looking for more security can configure HTTP Strict Transport Security (HSTS) to force SSL usage at the browser level.
Keep your theme and plugins up to date. Furthermore, update cPanel when prompted in WebHost Manager (WHM) (VPS/Dedicated only) and use the latest stable version of PHP.
You can use the WordPress Site Health feature for instant recommendations on improving your security and performance.
Remove Outdated/Unneeded Addons
If you don’t need a plugin, or the plugin has one purpose – create tables or add social media icons – find a plugin (or theme) capable of multiple functions such as Jetpack and Storefront theme for WooCommerce.
Remember, every addon is a potential vulnerability. This is why it’s generally recommended to only have an active theme and a fallback theme.
Inactive users and FTP account should be removed as well.
Don’t neglect the wp-config.php file when changing passwords throughout your website. But other than the salt and database password, there are many other ways to customize the wp-config.php file for better security. Edit the file to add any code below at the bottom.
define( 'FORCE_SSL_ADMIN', true ); forces users to login with an HTTPS connection.
define( 'DISALLOW_FILE_EDIT', true ); ensures no one can edit raw plugin and theme files even with login credentials for your WordPress dashboard.
define( 'EMPTY_TRASH_DAYS', 30 ); sets trashed attachments, comments, posts, and pages to permanently delete after a set number of days (30 is the default)
Warning: With EMPTY_TRASH_DAYS set, users will NOT be asked for confirmation when clicking “Delete Permanently”.
Protect User Input Fields
Contact forms, email subscription fields, and other text input fields should have input validation restrictions. For example, limit characters per field and disallow unnecessary special characters to prevent code injection.
For example, Contact Form 7 makes securing contact forms an easy task without needing to edit raw files.
Use Secure Connections
This is indirectly related to the WordPress website. When using Wi-Fi, ensure you’re using an authentic network instead of a rogue spoofed access point. Consider using a virtual private network (VPN) on Wi-Fi networks especially if they don’t require a password to connect – e.g. restaurants and hotels. This with an SSL helps fight man-in-the-middle attacks against potential hackers snooping for login credentials and other sensitive data.
Learn more about securing your website with our WordPress Education Channel.