Want to improve your WordPress Security?
I am sharing all the tips and tricks I have learned from running many WordPress blogs and websites.
Just to let you know, in recent times WordPress has been a prime target of hackers.
Many users have asked: “Is WordPress safe?”
And here is my answer:
Yes, WordPress is secure by default.
However, the plugins, themes and sometimes the hosting we use often follow the worst security practices, and that makes our WordPress website vulnerable to various attacks and hacks.
Fact: WordPress powers almost 33% of the world’s websites, making it not only the most popular CMS platform but also the most frequently targeted one.
As an end-user, there are some things you can do to secure a WordPress website.
My site has been hacked 2 times in the past (they claimed it, at least): they infiltrated my site and left it open with an ugly black background and featured GIF images of a crow. This is what compelled me to explore how WordPress security can be strengthened.
Over the course of 10 years I have learned many strategies, which I am sharing with you today so that you don’t lose your WordPress website to hackers.
If WordPress is Safe, Why is WordPress Security Important?
As I mentioned above, WordPress is protected by default but when you host it on an unsafe server or add new code in the form of themes and plugins, you are increasing the chances of being hacked.
Hackers usually compromise a WordPress site for personal gain, which usually takes the form of adding a backlink to some spammy site or redirecting the WordPress site to another website. Sometimes it’s done so sophisticatedly that you don’t even know you were hacked or that a backdoor was installed on your website.
However, the owners start losing traffic over time (in SEO terms), and by the time they realize the real problem, things are out of their hands. What could be worse is being blacklisted by a prominent blacklist authority. It will cost you a significant amount of time and money to get your website removed from the blacklist.
According to security firm Sucuri,
Of all the CMS sites they cleaned in 2018, WordPress topped the list: 90% of the affected sites ran WordPress.
These are some scary numbers for any WordPress owner, and that is why it is extremely important for you to roll up your sleeves and follow these best practices to increase WordPress security.
Let’s see the 14 Proven Tips to Secure WordPress Website
1. Configure WordPress Backups
Although I’ve given plenty of proven tips below to secure your WordPress blog, you must make sure that you don’t lose anything if something happens.
Not setting up WordPress backups properly is one of the biggest mistakes you can make. If large sites like Sony or Dropbox can be hacked, it is relatively easy for your WordPress blog to be hacked too, however good your wp security is.
So the first step is to make sure that you are taking a daily backup of your blog.
You can use the backup system provided by your hosting company or use a third-party backup system such as VaultPress or UpDraftPlus.
If your hosting company gives you a backup, make sure they store the backup on another server.
2. Use A Secure & Reliable Hosting Company
Your WordPress installation is simply software installed on a server. The basis of a secure website is a server with sufficient security that ensures that your website is protected against hackers.
A secure WordPress Hosting usually includes:
- A server-level firewall to mitigate DDoS attacks.
- The latest hardware and a top-tier data center for physical protection.
- Regular operating system updates and the latest security patches applied.
- An intrusion detection system for malicious activity or policy violations.
I understand that it’s hard to know which hosting company is reliable against hackers and I made this list of secure WordPress hosting companies.
If your existing hosting company is not secure and offers no security assistance, moving to any of the hosts listed above will make a huge impact on your WordPress website security.
3. Use the Latest version of WordPress
Keeping your WordPress software up to date is one of the most basic security tips for any WordPress blogger. This is something you will never want to miss.
Whenever WordPress releases an update, it means they have fixed some bugs, added some features and, most importantly, applied security fixes.
When you see the message: ‘WordPress z.z.z is available!’
Update it.
Nowadays, it is very easy to upgrade your blog with one-click updates.
Make sure your themes and plugins are compatible with the latest version of WordPress. If an update rolls out and it is not a security update, I suggest you wait 5-6 days until other users have reported any bugs in the latest version.
4. Update WordPress Plugins
As I mentioned above, WordPress releases updates to fix bugs and security holes, and the same goes for plugins.
Often a weak plugin or third-party script can create a security hole in your WordPress website.
One of the things we have seen in the past is the TimThumb vulnerability. It was caused by a single script, and the many plugins that used this script became vulnerable too. This kind of zero-day vulnerability is tough to defend against, but you can further protect the WordPress site by limiting the number of plugins, scripts and themes you install.
Always use plugins that are constantly updated and have good support. If you’ve been using a plugin that hasn’t been updated for a while, look for an alternative.
5. Use Latest PHP version
PHP is the backbone of WordPress and, currently, 7.3 is the latest version of PHP. It’s important for your WordPress website security. According to the official PHP supported-versions page, security support for any stable version of PHP lasts only 2 years.
This means that if you are using something below PHP 7.1, you will not receive security updates.
Here is an interesting statistic from WordPress.org: about 71.8% of WordPress websites run an outdated PHP version.
Depending on the hosting environment you are using, you can quickly change your PHP version. I suggest you first create a staging environment and test the latest PHP version there, because outdated plugins and themes can cause problems on a newer PHP release.
You can check the PHP version of WordPress from the dashboard and ask your hosting support to update and test your PHP version.
6. Use a Web Application Firewall (WAF)
A firewall sits between incoming traffic and your hosting server. The role of a firewall is to filter out the most common threats before they reach the machine hosting your WordPress website.
There are three common types of firewall solutions you can use with WordPress:
- At the network level: This runs at the network or machine level and applies when you are hosting WordPress in a data center of your own. This is the most expensive option and is commonly used by enterprise-level websites that control the physical space where the server is installed.
- At the host level: This runs on the web server itself, in our case alongside WordPress. It is not recommended in the end, as your server has to do the heavy lifting of filtering traffic. It is certainly better than a network-based WAF for most sites, but it requires provisioning on your own server, so it is not the best option.
- Cloud-based WAF: A cloud-based WAF is usually implemented at the DNS level and filters out the most common types of threat before they hit your WordPress server. It is the easiest to implement and the most economical. The only disadvantage is that you need to change your DNS for this.
Some common types of threats detected and blocked by a WAF are cross-site scripting (XSS) attacks, SQL injection attacks, session hijacking, and buffer overflows. This is a layer 7 (application layer) defense in the OSI model.
- Cloudflare: Starts at $20/month
- Sucuri: Starts at $9.99/month
This is a highly recommended WordPress security feature for WooCommerce and other WordPress websites built for business.
7. Hide WordPress Version
Let’s say you don’t have 2 minutes to update your WordPress core files. The WP version number published in your page source gives a hacker a starting point. If you are running an old version of WP and everyone can see it, believe me, you are in trouble.
Most theme designers nowadays remove it for you, but open your theme’s functions.php to make sure and add this line:
<?php remove_action('wp_head', 'wp_generator'); ?>
8. Use A Complex Login Password
I don’t need to mention this, but I know a lot of people who use complicated and extremely crazy passwords:
- password
- ilovefood
- 123123
Please make your passwords complex, add a few special characters (% & * #) and change them every 5 or 6 months.
I would like to recommend a plugin called Login Lockdown. This plugin records the IP address and time stamp of every failed login attempt. After a certain number of failed attempts from a particular IP, that IP is blocked. It helps a lot to prevent brute-force attacks.
Finally, you should start using a password manager, which will help you improve your password protection.
9. Change WordPress Login URL
By changing the WordPress login URL you prevent a lot of automated attacks and hacking attempts.
In particular, if only you or a handful of people need to log in to the WordPress dashboard, changing the login page will help a lot.
10. Set alert for Google indexed pages
This is a lesser-known tactic you can use right now. Whenever Google indexes a new page under your domain name, you can have Google Alerts notify you. Many times, WordPress hackers add new pages and posts that do not appear in the backend or on the front end, but they do get noticed by Google.
When you set this alert, you will know when something is happening without your knowledge. Since it’s free and only takes 2-5 minutes to set up, it’s totally worth it.
Here is how you can do it:
- Head over to Google Alerts
- Enter site:domain.com in the “create an alert about” field
- Set “How often” to “as it happens”, “Language” to “any language”, and “How many” to “all results”
You will receive instant notifications when new pages under your domain are indexed by the search engine.
11. Check WordPress Folders File Permissions
Go to File Manager on your cPanel or log in to your FTP software and check the file properties of your WordPress folder.
If it’s 744 (read-only), that’s good; if it’s 777, consider yourself lucky that you haven’t been hacked yet.
When most bloggers change hosting, they may not understand how their file permissions also change. Make sure you have verified all file permissions after transferring your hosting.
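If you have shell access to the server, the check above can be scripted. This is an added example, not from the original post: it lists every world-writable file or directory under a WordPress root (any mode with the “other” write bit set, such as 777 or 666), reports the root folder’s own mode, and can reset the tree to the 644/755 modes WordPress itself documents. It assumes GNU find and stat (Linux); WP_ROOT and the path in the usage line are assumptions.

```shell
#!/bin/sh
# Constructed example: audit a WordPress install for world-writable (e.g. 777)
# files and directories, and optionally reset them. Assumes GNU find and stat
# (Linux); the 644/755 target modes are the ones WordPress itself documents.
set -u

# Print "<octal mode> <path>" for every file or directory under $1 whose
# "other" write bit is set. -perm -002 matches 777, 666, 757 ... not just 777.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec stat -c '%a %n' {} \; 2>/dev/null
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Octal mode of the WordPress root folder itself, the number the post refers to.
root_mode() {
    stat -c '%a' "$1"
}

# Reset every directory to 755 and every file to 644 under $1.
# Run this only after reviewing the audit output above.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Usage (path is an assumption): WP_ROOT=/var/www/html/wordpress sh wp_perm_audit.sh
if [ -n "${WP_ROOT:-}" ]; then
    echo "WordPress root mode: $(root_mode "$WP_ROOT")"
    audit_world_writable "$WP_ROOT"
    echo "world-writable entries: $(count_world_writable "$WP_ROOT")"
fi
```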
12. Delete Default Admin User
This is one of the most important tips for anyone who wants to run a secure WordPress blog. The default “admin” username is the target of brute-force attacks because most people never change it.
Make sure you use a custom username and do not use “admin” when you install WordPress.
If you already have one, create a new user with administrator rights and give this new administrator a nickname that will be displayed publicly when they write posts. Now log out, log back in with the newly created admin account and delete the old “admin” user.
When deleting the old user, be sure to attribute all of its posts and links to the new user you created.
13. Hide The Plugins Directory
Your plugins folder, /wp-content/plugins/, should not display the list of folders and files inside it.
Try visiting your plugin folder (replace domain.com with your domain name):
domain.com/wp-content/plugins/
If you see a list of files and folders, you need to hide them.
To hide these folders, create a new .htaccess file and place it in your plugins directory:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
# Hand requests for files that do not exist back to WordPress instead of Apache
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing: every entry is hidden from the index, so the folder appears empty
IndexIgnore *
# END WordPress
If you already have a well-written .htaccess file in your root directory, adding a separate .htaccess to this folder will not do any harm.
14. Turn Off Database Errors
In older versions of WordPress, if there was an error in the MySQL database connection, the exact error was shown in the browser, giving a hacker valuable information about your database.
To prevent this, update your WordPress version to the latest release, which displays only a simple message such as “Error establishing a database connection” instead of pointing out what’s wrong.
Go to your WP Dashboard and update your WordPress core files.
WordPress Security: It’s up to you
Okay, I hope this guide helped you understand the importance of WordPress security and helped you harden your site.
Again, it’s wise to take an automatic backup of your WordPress blog at regular intervals to ensure that you can always get your blog back in a healthy state.
Let us know what WordPress security tips you have for other bloggers to help keep your WordPress blog secure.
Howdy! This blog post couldn’t be written much better!
Reading through this post reminds me of my previous roommate!
He always kept talking about this. I will forward this article to him.
Pretty sure he’ll have a very good read. Thanks for sharing!
Way cool! Some very valid points! I appreciate you penning this write-up and the rest of the site is also
very good. Woah! I’m really enjoying the template/theme of this website.
It’s simple, yet effective. A lot of times it’s challenging to get
that “perfect balance” between superb usability and visual appeal.
I must say that you’ve done an amazing job with this.
Additionally, the blog loads extremely fast for me on Opera.
Outstanding Blog! http://alexa.com
my page – Kristen