Skip to content
Table Of Content
- Introduction
- Add Security Keys
- Theme and Plugin Editor
- Important Files from Access
- Restrict Access to PHP Files
- Prevent PHP Files from Being Executed
- Disable Script Injections
- Secure wp-includes
- Restrict Admin Access
- Prevent Directory Browsing
- File Permissions
- WordPress Version Number
- Move Your Site to SSL/HTTPS
- Update WordPress regularly
- 2 Factor Authentication
- Free WordPress Security Plugins
- Important Files IMMUTABLE
- Block Spammers on Contact US
- Block BadBots,Scanners,bad Crawlers on server
18 Tips to Secure your WordPress Site
Shraddha Shribas | 10 min read | April 10, 2020
Introduction
Having a website and driving business online seems to be a pretty simple but managing security of your WordPress website is tricky and essential.
As per sucuri 90% of CMS websites hacked in 2018 were WordPress sites. Security is like securing your property from thieves to get all stolen your sensitive data.
Securing WordPress site is not rocket science but it is a practical approach to secure your website. We will be discussing 18 tips to secure your WordPress website. We will be discussing all major security measures covering code to server environment.
1. Add Security Keys
WordPress security keys, also called SALTs, encrypt information stored in browser cookies. That way, they protect passwords and other sensitive information. The keys themselves are phrases used to randomize that information and stored inside wp-config.php where it says this:
https://api.wordpress.org/secret-key/1.1/salt/
2. Disable the Theme and Plugin Editor
To make changes to your site, WordPress contains an internal editor for theme and plugin files. While it can be useful in some situations, it’s also very risky.
The reason is that if somebody gains access to your site’s back end, they can use the editor to take out your website without even having to have access to your server.
To avoid this, disable the editor by adding this line to your trusty wp-config.php file:
define(‘DISALLOW_FILE_EDIT’, true);
3. Protect Important Files from Access
.htaccess is another important file that configures your server. Among other things, it holds the code that enables using pretty permalinks in WordPress. It can also set redirects and – you guessed it right – increase WordPress security.
For the latter, you first need to access the file, which is located on your server’s root directory and hidden by default. Therefore, to edit it, make sure to set your FTP client to display hidden files (Server > Force showing hidden files in FileZilla). After that, take the following measures.
The code below will prevent access to critical files like wp-config.php, php.ini, error logs and .htaccess itself.
Order deny,allow
Deny from all
4. Restrict Access to PHP Files
Additionally, you can keep others from accessing PHP files and injecting malware into them:
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ – [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ – [R=404,L]
5. Prevent PHP Files from Being Executed
A common place for hackers to upload malware is in wp-content/uploads. To prevent them from executing the bad codes in the event of a hack, use this piece of code:
Order Deny,Allow
Deny from All
6. Disable Script Injections
While you are at it, use this snippet to prevent outsiders from being able to inject malicious code into your existing PHP files:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
7. Secure wp-includes
The wp-includes folder houses WordPress core files that nobody should have the need to tamper with. To make absolutely sure it doesn’t happen, use the following code.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
8. Restrict Admin Access to Specific IP Address
With .htaccess you can also restrict access to your WordPress login page by IP address. That way, only you can get there. To achieve this, copy and paste the following code into it:
ErrorDocument 401 default
ErrorDocument 403 default
Order deny,allow
Deny from all
Allow from 198.101.159.98
9. Prevent Directory Browsing
By default, anyone can look at the directory structure of any WordPress site by simply including the full path to directories on their browser bar.
While that doesn’t enable hackers to make changes, the knowledge of your site structure will still help them. Since you want to make things as difficult as possible for them, switch off directory browsing inside .htaccess :
Options All -Indexes
10. Pay Attention to File Permissions
Using correct file permissions on your server is a way of keeping unauthorized parties from modifying your files.
As for what you should change them to, WordPress recommends the following settings:
755 or 750 for directories
644 or 640 for files
600 for wp-config.php
11. Remove WordPress Version Number
By default, WordPress contains a meta tag inside the source code that will display the version of your site and also add it to scripts loaded in yoursection.
Unfortunately, this information is very useful to anyone trying to hack your site, especially true if you are using an older version of WordPress that has a known security vulnerability. Thankfully, removing the version number is as easy as adding the following to the top of your theme’s function.php file:
function remove_wordpress_version_number() {
return ”;
}
add_filter(‘the_generator’, ‘remove_wordpress_version_number’);
function remove_version_from_scripts( $src ) {
if ( strpos( $src, ‘ver=’ . get_bloginfo( ‘version’ ) ) )
$src = remove_query_arg( ‘ver’, $src );
return $src;
}
add_filter( ‘style_loader_src’, ‘remove_version_from_scripts’);
add_filter( ‘script_loader_src’, ‘remove_version_from_scripts’);
12. Move Your WordPress Site to SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information.
13. Update WordPress regularly
With any new release, WordPress gets improved and its security is improved too. Lots of bugs and vulnerabilities are fixed every time a new version comes out. Also, if any particularly malicious bug gets discovered, the WordPress core guys will take care of it right away, and force a new safe version promptly. If you don’t update, you will be at risk.
To update WordPress, you first need to go to your dashboard. At the top of the page, you’ll see an announcement every time a new version is out. Click to update and then click on the blue “Update Now” button. It only takes a few seconds.
14. Activate 2 factor authentication
https://wordpress.org/plugins/google-authenticator/
15. Free WordPress Security Plugins
Here comes the time for WordPress security plugins reviews. There are thousands of security plugins available at wordpress.org. We have handpicked 15 of the most popular solutions that are trusted by millions of WordPress users and can safeguard different aspects of your online presence. Let’s get started.
https://wordpress.org/plugins/tags/security/
Wordfence Security – Firewall & Malware Scan
16. Make Important Files IMMUTABLE (Unchangeable)
chattr (Change Attribute) is a command line Linux utility that is used to set/unset certain attributes to a file in Linux system to secure accidental deletion or modification of important files and folders, even though you are logged in as a root user.
In Linux native file systems i.e. ext2, ext3, ext4, btrfs, etc. supports all the flags, though all the flags won’t support to all non-native FS. One cannot delete or modify file/folder once attributes are sets with chattr command, even though one have full permissions on it.
17. Block Spammers on Contact US
A contact us form is call to action for every website and it allows website owners to capture the leads. But in most cases contact us page leads to spamming on websites. It has been observed that in most cases website cross scripting and phishing attacks has been done through contact us form.
The spamming activities from contact us forms can be blocked in two ways:
Use Akismet
Akismet is tested and trusted solution for filtering spam comments from your website. If you use a contact form plugins like Contact Form 7 or others plugins still this can be integrated.
Use CAPTCHA
This is one of the best ways to block spammers, CAPTCHA/reCAPTCHA solutions can make it difficult to impossible to use a website contact form at all.
18. Block BadBots,Scanners,bad Crawlers on server
BadBoats, scanners, bad crawlers makes your website slow and they continuously looks for the loopholes in your website. It is too important to restrict all of them.
It can be done through placing some rules in robots.txt and .htaccess.
For Further Details or Additional Information
OR If you want to know more about our Services
