How to make your WordPress site more secure

Date: February 8, 2019

In my previous post I talked about what to do to fix a hacked site. This post is about things you can do to make your WordPress site more secure so that something like that doesn’t happen again (or ever). The basic things were mentioned in the last post: change your passwords regularly, use strong passwords and always have the most current version of WP. Below are some other things you can do. I’ve started with the easiest options that anyone can do. The ones further down are for more experienced users who know how to use an FTP editor or file manager.

Install A Security Plugin

I mentioned this in my last post but I’m going to say it again because it’s probably the easiest and fastest way to secure your website. Wordfence is the easiest and best option I’ve found but there are plenty of other good ones to choose from. You can read my previous post for instructions to install and configure Wordfence.

Add 2-Factor Authentication

2-Factor Authentication is a great way to make your WordPress site more secure since it makes it much harder for anyone else but you to be able to log into your WordPress dashboard. Instead of just logging in with a single username and password, you’ll have to do that plus provide additional authentication to access your site. Usually something like receiving a text or email with a passcode.

To enable this, go to Plugins>Add New and search for 2-Factor Authentication (or Two-Factor Authentication). There are a ton of options in the plugin database. For plugins I’m unfamiliar with, I usually start with the one that has the best rating and most installs. If you hate it you can always delete that plugin and try another.

Don’t Forget to Update Your Plugins and Themes

Security vulnerabilities can be just as much of an issue with plugins and themes so they need to be kept up to date, too. WordPress makes updating super simple. Go to Dashboard>Updates and you’ll see a list of plugins and themes that need to be updated.

If you have old themes that you aren’t using anymore, delete them. To do this go to Appearance>Themes. Click on the theme. In the bottom right you’ll see a link to delete the old theme.

Backup, Backup…and Backup Again

Updraft Plus

You are backing up your website regularly…right? If not, you need to be. I’ve seen hacks that completely decimate websites and in those cases, the only way to restore the site was from a previous backup. Your website is very important to you and I’m sure you wouldn’t want to lose it, so back up early and often!

Most web hosts have a backup option in your control panel but there are plenty of options to back up your site right in your WP dashboard. My preferred plugin is Updraft Plus. It’s easy to use and you can configure it to send your backups to any number of storage options like Google, Dropbox, FTP, etc.

Make sure to always keep a backup of your files and database (especially your database, it stores all of your posts, comments, pages, etc.) on your computer, a separate hard drive, cloud storage, etc. It does you no good to have backups saved on your server if that server becomes inaccessible.

Don’t Use the Default Settings

Most of the time, when you install WordPress it automatically gives you the username ‘admin’. Hackers know this, so it can be unsafe because then all they have to do to get in is guess the password. Go to Users>Add New and add a new username for yourself. For the role, choose Administrator. Once you’ve added your new username, log out and log in as the new user. It’s better to have your nickname (what is displayed publicly on your blog) be different from your username, so you might want to edit your new user profile to change that. Then check the box next to the admin username and delete it. It will ask if you want to attribute all of admin’s posts to someone else; choose your new username. This will transfer all your posts over to the new username.

Don’t Advertise Your WordPress Version

This is very easy to find on any WordPress site and it can be a problem. Let’s say there’s a known vulnerability to a certain version of WP. They’ve released an update but you haven’t gotten a chance to upgrade your blog yet. Hackers can easily seek out blogs using this vulnerable version and exploit them.

Luckily, if you’re using a security plugin like Wordfence you can easily hide your version by going to Wordfence>All Options>General Wordfence Options and checking “Hide WordPress Version.” Most other security plugins should have a similar option.

If you want to make absolutely sure your version isn’t showing, you can put this code in the functions.php file of your theme:

// Return an empty string for the generator tag so the WordPress version is not printed
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

Add Secret Keys to your wp-config.php

Open up wp-config.php and find this line:

define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value

Under it add these:

define('AUTH_KEY',         'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');
define('SECURE_AUTH_KEY',  'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');
define('LOGGED_IN_KEY',    'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');
define('NONCE_KEY',        'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');
define('AUTH_SALT',        'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');
define('SECURE_AUTH_SALT', 'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');
define('LOGGED_IN_SALT',   'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');
define('NONCE_SALT',       'PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS');

You need to put a different random string of characters in each line. You will never have to remember these, so make them as long and as random as possible. This handy site will generate a random string for you every time you refresh the page.

Make it Impossible for Search Engines to Index Core WordPress Files

It’s not a good idea to let search engines like Google index every single part of your site, specifically your WordPress files. Say that a vulnerability is discovered in one of the files in the wp-admin folder. A hacker could just google that file name and the first site at the top of the list is the one he’s going to hack today. To prevent this, simply open up Notepad or an HTML/text editor and add this:

Header set X-Robots-Tag "noindex, nofollow"

Name it .htaccess and use an FTP program or the file manager through your web host’s control panel to upload the file to your wp-admin directory. If there’s already a file in there, then download the file and add the above rule to it. Then re-upload.

This not only disallows search engines from indexing private WP files, but also prevents them from indexing redundant files (which search engines can read as trying to spam them).

Thanks to Polemic Digital for this tip; you can read more about why this works over on their site.

Make Sure Your Database Password Is Not the Same As Any Others

Your wp-config.php is a very easy file to find. It has your database password sitting right inside it. You absolutely must make sure that your database password is completely different from any other password you use. If you are using the same password for all, a hacker can easily find this file and get in everywhere. If it is the same, then it’ll probably be simpler for you to change your other passwords. But changing your database password isn’t too hard through cPanel (click on MySQL and add a new user and password, then assign that user to your WP database, then go and update your wp-config.php file with the new user info).

Alternately, you can make your wp-config.php file inaccessible. Edit the .htaccess file from your main WordPress directory and put this at the top:

# Refuse all web requests for wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

For good measure, add this to protect the .htaccess file itself:

# Refuse all web requests for the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

Change the Database Prefix

This is really a recommendation for when you are setting up a new installation of WordPress. It’s not recommended for already installed blogs, especially for beginners as you can severely mess up your blog. But if you are setting up a new WP blog, it’s a simple thing you can do to help increase security. In the wp-config file, just look for the line that says:

// You can have multiple installations in one database if you give each a unique prefix
$table_prefix  = 'wp_';   // Only numbers, letters, and underscores please!

wp_ is the default prefix and hackers know this, so this is just another case of changing the default WP options. Change it to anything you want, though you’ll probably want to keep it short and random like kb_, cc_, ibc_, aba_, etc.
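The two wp-config.php changes described above (a different random secret in every key, and a table prefix other than wp_) can be checked offline with a short script. This is an added example, not part of the original post; the function names, the 40-character minimum and the sample text are assumptions made for illustration.

```python
import re
import secrets
import string

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# Characters that are safe inside a single-quoted PHP string (no ' and no \).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'([^']*)'\s*\)""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*'([^']*)'""", re.M)
MIN_LEN = 40  # assumption for this example, not a WordPress rule


def fresh_key_lines(length=64):
    """Build eight define() lines, each with its own random value."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return lines


def audit(config_text):
    """Return findings for the text of a wp-config.php file."""
    defined = dict(DEFINE_RE.findall(config_text))
    values = [defined[n] for n in KEY_NAMES if n in defined]
    findings = []
    for name in KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif len(value) < MIN_LEN:
            findings.append(f"{name}: shorter than {MIN_LEN} characters")
        elif values.count(value) > 1:
            findings.append(f"{name}: same value as another key")
    prefix = PREFIX_RE.search(config_text)
    if prefix and prefix.group(1) == "wp_":
        findings.append("$table_prefix: still the default wp_")
    return findings


# Constructed sample: the page's placeholder pasted unchanged into every key.
PLACEHOLDER = "PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS"
SAMPLE = "\n".join(f"define('{n}', '{PLACEHOLDER}');" for n in KEY_NAMES)
SAMPLE += "\n$table_prefix  = 'wp_';   // Only numbers, letters, and underscores please!\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run audit() on a local copy of your own wp-config.php; the output of fresh_key_lines() can be pasted in place of any keys it flags.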

Confused? Get Help!

A lot of this is very basic, logical stuff to make your WordPress site more secure but if you’re new to WordPress some of it may seem overwhelming. If that’s the case for you and you’d like help with your site, we are offering a new service called a Website Audit. For a small fee, we will look over your site and make all the security improvements mentioned above, plus many more. We will also provide help and recommendations to improve your SEO, site speed and design.

Find out More about our Website Audits »
