How to Secure WordPress? 16 Steps to a Secure Website

secure WordPress

If you read our blog regularly, you know that website security and hosting security are the most critical issues. More important than performance, artwork, and other functionalities. When creating a website, you must make sure that it is safe. But secure hosting and server security aren’t enough if you don’t keep WordPress secure.

WordPress is vulnerable to attacks

The more popular the app, the more likely it is to be hacked by hackers. WordPress currently powers more than half of the websites around the world. Its success was determined primarily by the combination of simplicity and the possibility of development. The open structure allows for the development of websites by plugins.

Unfortunately, the number of WordPress installations also brings some disgraceful results. According to Wordfence, on December 9, 2021, over 1.5 million websites built on WordPress were attacked. Over 13 million attempts to take over access to site management panels were made during 36 hours.

Cybercriminals are not idle and are constantly looking for weaknesses in websites and applications, thanks to which they can obtain valuable data. Sucuri points to another crucial element of security. Over 50% of hacked pages on WordPress are related to an outdated version of the application. adds other statistics: almost 56% of threats and security vulnerabilities are caused by out-of-date plugins or themes.

How to maintain WordPress safe?

But even patching an application is not a guarantee of security. Take care of your website by yourself. Do it according to our guidelines. The more of them you use, the safer you will make your website. 

Some of the solutions require a basic knowledge of the phpMyAdmin panel, in which you can edit the database. Incorrect operation on tables may result in partial inaccessibility of the page or the entire website.

Another critical factor of hosting security is hosting it on a secure server. You have two solutions: VPS hosting or secure WordPress hosting. I recommend the second because it has built-in security measures to protect WordPress from attacks. Now let’s get to the list.

Update WordPress

Sounds cliche? Maybe so, but the key is to double-check that your WordPress does not get old. Since version 3.7, WordPress can update the CMS, themes, and plugins automatically. Postponing updates is very risky.

Change the default wp_ prefix for tables in the database

Thanks to ​​a prefix to tables in the MySQL database, the application can recognize which data belongs to it. After all, multiple applications can use one database. One of the weaknesses of WordPress is that it leaves the default wp_ prefix in the database; it makes things easier for hackers. Therefore, change this prefix to another, less distinctive one (e.g., xtmx4_). 

You can do it in two ways – when installing WordPress and after installation by logging into the MySQL database through the phpMyAdmin panel. Thanks to this change, a website based on WordPress will be less susceptible to SQL Injection attacks.

Changing the table prefix name requires modifying entries in two WordPress tables: xtmx4_options and xtmx4_usermeta. You can do this by one of the two SQL commands (it is necessary to indicate the prefixes proposed by yourself):

  • SELECT * FROM `xtmx4_options` WHERE` option_name` LIKE ‘% wp_%’;
  • SELECT * FROM `xtmx4_usermeta` WHERE` meta_key` LIKE ‘% wp_%’;

Remember to modify the line with the prefix in the wp-config.php file after this change.

Change login and administrator ID

The default login proposed by WordPress is “admin” – it is easy to guess by someone trying to log in to the Dashboard. During installation, it is worth changing it to another, less “logical” from the point of view of an external user. Remember that the login will not be displayed under blog articles, as the display name is configured individually in the WordPress panel.

Change the login after installation via phpMyAdmin in the table (your-prefix)_users. In the same place, you will also change the account ID. It is best to enter a high number with a random sequence of numbers (e.g., instead of 333333, enter 158062).

Restrict access to the WordPress dashboard with .htaccess

Restricting access to the login page is a very sensible solution. In the .htaccess file, it is enough to configure the allowed connections to the selected IP address. Below is the correct formula to include in the content:

  • AuthName “Example Access Control”
  • AuthType Basic
  • order deny, allow
  • deny from all
  • allow from IP_address

In place of “IP_address”, enter the address from which you want to access the panel.

Change your WordPress backend login address

Malicious scripts primarily attack subpages related to the content and its edition, i.e., “/ wp-admin”. Therefore, it is worth considering changing this address to another one that is more friendly and less obvious to cybercriminals. Install the WPS Hide Login plugin and configure it according to your needs. The new panel login address will be available immediately.

Another type of protection against “hijacking” the WordPress login page is the use of the .htaccess file on the hosting and reference to the .htpasswd file, in which you configure the access data to display the login page.

Change the login method to your email address

Changing how the application verifies the user increases the security of the WordPress dashboard. To do this, install the WP Email Login plugin and replace the login name with the email address assigned to the user. After saving the changes, change the standard login to a set of random characters (especially, if you used “admin”).

70 Best Free WordPress Themes in 2022

Enable Extra Application Protection on Hosting (WAF)

Secure WordPress Hosting protects you with an additional layer of security – a Web Application Firewall. If you use another provider, ask him about WAF. It protects you against attacks with the use of vulnerabilities related to MySQL databases or with the use of malicious headers.

Disable editing of plugin and theme files

Did you finish personalizing your theme and launching the plugins? Secure your files by preventing further code editing in the WordPress dashboard. To do this, add one line to the wp-config.php file:

  • define (‘DISALLOW_FILE_EDIT’, true);

Disable user registration

WordPress allows you to register users by default, but if you run a website that does not need this option (e.g., it is only reading-oriented), it is better to block it in the WordPress settings. It is another “window” to a potential attack attempt.

Enable two-factor authentication

The additional level of security when logging in has not hurt anyone yet. Use the Two Factor Authentication plugin to configure a double login to the panel. After entering a login and a password, you would have to enter a unique code sent to your smartphone. This solution requires the installation of the Google Authenticator application on your smartphone, available on Android and iOS.

Security plugins for WordPress – why is it NOT worth using them?

You will find several additional plugins on the market that contain several of the above functionalities and additionally protect WordPress against brute force and other attacks. So they save time (all you have to do is install one of them and set it up in a few minutes) and (in theory) take care of several security-related topics. 

But are you sure? Let’s not forget that it is just another plugin. Even security plugins can contain vulnerabilities that would make it easier for a potential hacker to access your WordPress dashboard.

Plugins such as Wordfence, Sucuri, or iThemes Security are trendy, offer various features, and look tempting, but the statistic from the WPwhiteSecurity study is worrying. Among the 10 most vulnerable WordPress plugins in 2019, Wordfence took 4th place.

Make additional copies of your data

On UltaHost servers, the backup is performed cyclically at night, in a point-like manner. All files and databases in the backup reflect the state of the server from a given hour. In any case, the user can restore such data from the last 16 days. It is one of the best deals on the market, but it should come as no surprise. UltaHost has a security-first policy.

If your website is dynamic and you publish a lot of content on it (e.g., in the form of an advertisement portal), install additional WordPress backup applications. One of them is Updraft, thanks to which you can program a backup even every 60 minutes. Remember to make backups when your traffic is low because each backup operation is a heavy load for the server.

Remove unnecessary plugins and themes

WordPress allows you to create a website for any purpose. No wonder you’ll be testing new themes and plugins on it. Remember to remove them if you won’t use them. Even deactivated but outdated plugins may be the reason for an attack on your website.

Download plugins only from a trusted source. It does not necessarily have to be an official WordPress repository because there are premium plugins you can download only from the author’s website. But avoid plugins from unreliable sources like email or free file services. They do not undergo any verification, nor are they subject to control.

Update the theme frequently

It is the third potential source of a problem that a website based on WordPress may encounter. Theme developers should release updates as often as possible to fix bugs and software vulnerabilities. They can be exploited by hackers and cannot be underestimated.

Use an SSL certificate

WordPress provides full support for encrypted HTTPS connection via the browser. As of 2017, the CMS application requires the server to support this protocol. SSL certificate is also essential because of SEO optimization. 

In addition, the most popular browsers (Google Chrome, Mozilla Firefox) mark websites without an SSL certificate as “unsecured”. From a psychological point of view, this is equivalent to discouraging the user from visiting the site in the future.

Use long passwords

The longer and more varied the password is, the better. WordPress automatically offers to save the password in the form of several characters without dictionary phrases. Usually, in this step, we want to propose our password, but in most cases, it will not be strong enough.

If you enjoyed this article, then you’ll love the safe UltaHost hosting platform. Get 24/7 support from our support team. Our powered infrastructure focuses on auto-scaling, performance, and security. Let us show you the difference! Check out our Secure WordPress Hosting plans!   

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post
Subscribers and newsletter

How to Get Subscribers to the Newsletter?

Next Post

Why is uptime so important?

Related Posts