is the most popular (CMS) – that of all websites run on this software. Unfortunately, its popularity attracts all kinds of hackers who take advantage of security vulnerabilities in the platform.
This does not mean that WordPress has a bad security system, but that failures can also occur because users do not give enough importance to security. Therefore, it is better to apply preventive measures before someone tries to hack your website.
We will discuss 22 methods to improve WordPress security and protect your site from various cyber attacks. The article will include best practices and tips, with or without WordPress plugins. Some methods are also applicable to platforms other than WordPress.
Why is WordPress security important?
If your website is hacked, you risk losing important data, assets, and credibility. Additionally, the incident may jeopardize your customers’ personal data and billing information.
It is expected that by 2025 the damage caused by cybercrime may reach 10.5 trillion dollars a year. You certainly don’t want to be part of that statistic.
According to the Vulnerability Database, here are some of the most common types of WordPress security vulnerabilities:
- Cross Site Request Forgery (CSRF)– Forces the user to perform unwanted actions in a trusted web application.
- Distributed Denial of Service (DDoS) attack– Disables online services by filling them with unwanted connections, making a site inaccessible.
- Authentication Bypass: Allows hackers to access your website resources without having to verify their authenticity.
- SQL injection (SQLi)– Forces the system to execute malicious SQL queries and manipulates the data in the database.
- Cross-site scripting (XSS)– Injects malicious code that turns the site into a malware carrier.
- Local File Inclusion (LFI)– Forces the site to process malicious files placed on the server.
Best practices to improve security in WordPress
In this section, we’ll review six general WordPress tips that don’t require advanced technical knowledge or high-risk investments. Even a beginner will be able to perform these simple tasks like updating WordPress software and removing unused themes.
1. Regularly update the WordPress version
WordPress regularly releases software updates to improve performance and security. These updates also protect your site from cyber threats.
is one of the easiest ways to improve WordPress security. However, most WordPress sites run on an old version, which makes them more vulnerable.
To check if you have the latest version of WordPress, open your and go to Desktop -> Updates in the left menu panel. If it appears that your version is not up to date, we recommend that you update it as soon as possible.
You should keep an eye on them to make sure your site is not running on an outdated version of WordPress.
We also advise updating installed themes and plugins. Outdated themes and plugins can conflict with newly updated core WordPress software, causing bugs and being prone to threats.
Follow these steps to get rid of outdated themes and plugins:
- Log in to your WordPress admin panel, and go to Desktop -> Updates.
- Scroll down to sections plugins Y Topics, and check the list of those that need to be updated. Please note that they can be updated all at once or separately.
- click on Update plugin.
Expert Type
Enabling automatic updates makes work easier, but it can crash your website due to incompatibility with old plugins or themes. If you enable this option, make sure to back it up regularly so you can roll back to the previous version in case of an error.
2. Use secure WP-Admin login credentials
One of the most common mistakes people make is using easy-to-guess usernames like “admin”, “administrator” or “test”. This puts your site at a higher risk of suffering from . Additionally, attackers also target WordPress sites that do not have strong passwords.
Therefore, we recommend that the username and password be unique and more complex.
Follow these steps to create a new WordPress admin account with a new username:
- In the WordPress dashboard, go to Users -> Add new.
- Create a new user and assign the role of Administrator. Add a password and press the button Add new user once you’re done.
Include numbers, symbols, and uppercase and lowercase letters in your password. We also recommend using more than 12 characters, as longer passwords are much more difficult to crack.
Expert Type
The longer the password, the more secure it is. However, strong passwords don’t have to be long and complex: use special symbols and numbers instead of familiar letters. For example, 41@bAm@! instead of Alabama! it’s easy to remember and harder to figure out. Another option is to use a pattern on the keyboard instead of actual words, like qpzmwoxn. Mix these two elements together to create a stronger password.
If you need help generating a strong password, use online tools like and . You can also use their password management services to store secure passwords. That way, you won’t have to memorize them.
After creating a new WordPress admin username, you will need to delete the old one. Here are the steps to do it:
- Login with your newly created WordPress user credentials.
- Choose Users -> All users.
- Select the old administrator account you want to remove. Change the dropdown menu batch actions a Erase and click Apply.
To keep your site secure, it’s also important to check your network before connecting. If you unknowingly connect to a , a network operated by hackers, you risk leaking access credentials to operators.
Even public networks, like a school library’s WiFi, may not be as secure as it seems. Hackers can intercept your connection and steal unencrypted data, including login credentials.
That’s why we recommend using one when connecting to a public network. Provides a layer of encryption to the connection, making data interception difficult and protecting your online activities.
3. Set up a security list and a block list for the administration page
Enabling URL blocking protects your login page from unauthorized IP addresses and brute force attacks. To do this, you need a web application firewall (WAF) service like or .
Using Cloudflare, it is possible to set up a . It specifies the URLs that you want to block and the range of IPs that can access these URLs. Anyone outside the specified IP range will not be able to access them.
Sucuri has a similar function called url path blacklist. First, the URL of the login page is added to the blacklist so that no one can access it. Then, you make a safe list of IP addresses authorized to access.
You can also restrict access to this page by setting the file .htaccess of your site. Go to the root directory to access the file.
Important! Before making any changes, we advise you to make a backup copy of the old . If something goes wrong, you can easily restore your site.
Adding this rule to your .htaccess, you will limit access to your wp-login.php to a single IP. Thus, attackers will not be able to enter your home page from other locations.
# Block IPs for login Apache 2.2
This rule should be placed after # BEGIN WordPress and # END WordPress as it’s shown in the following
This rule applies even if you don’t have a static IP, as you can restrict logins to the common range of your ISP.
You can also use this rule to restrict other authenticated URLs, like /wp-admin.
Expert Type
Please note that block lists are only effective against known threats. Hackers can design malware specifically to evade detection by tools that use a block list system. While safelists offer stronger security, they can also be more complex to implement, especially if you want a third party to do it: they’ll need information about all the apps you use.
4. Use trusted WordPress themes
Nulled WordPress themes are unauthorized versions of the original premium themes. In most cases, these themes are sold at a lower price to attract users. However, they often have a lot of security flaws.
Oftentimes, the providers of nulled themes are usually hackers who modify the original premium theme and insert malicious code such as malware and spam links. Additionally, these themes may contain backdoors for other exploits that compromise your WordPress site.
Since the banned themes are illegally distributed, their users do not receive any kind of support from the developers. So if they cause any problems on the site, you will have to figure out how to fix it and secure your WordPress site on your own.
To avoid this, we recommend that you choose one from your or trusted developers. Look for options on official theme marketplaces as if you want to buy a premium theme.
5. Install an SSL certificate
(SSL) is a data transfer protocol that encrypts the data exchanged between the website and the users, which makes it much more difficult for attackers to steal important information.
Also, SSL certificates increase SEO, which helps you gain visitors and increase website traffic.
they will use HTTPS instead of HTTP, so it is easy to identify them.
Most hosting companies include SSL in their plans. For example, includes SSL certificates unlimited free from Let’s Encrypt on all .
Once you have an SSL certificate installed on your hosting account, you need to activate it on your WordPress website.
Plugins like or take care of the technical aspects and SSL activation in a few clicks. The version premium Really Simple SSL also has an option to enable HSTS headers (HTTP Strict Transport…
Facebook Comments
Disqus