The Complete WordPress Security Handbook: A Step-by-Step Guide (2024)


In the dynamic world of the internet, where WordPress allows you to fully use the strength and potential of your online presence, protecting your platform is not only important, but necessary for a successful online experience. Greetings and welcome to The Complete WordPress Security Handbook: A Step-by-Step Guide (2024), your indispensable guide through the intricate world of cybersecurity.

This tutorial is not just a list of security procedures; rather, it is a thorough manual that will take you step-by-step through the process of strengthening your WordPress website. Our goal is to simplify the complexities of cybersecurity for everyone, from seasoned developers to WordPress enthusiasts, by providing you with cutting-edge tactics and useful insights to strengthen your digital fortress.

Join us as we peel back the layers of WordPress security, giving you the tools you need to confidently handle the shifting obstacles of the digital world. The Complete WordPress Security Handbook is your go-to reference for information on new and emerging dangers, helping to make sure your WordPress website is safe, secure, and future-ready for the exciting year 2024 and beyond.

What Makes Website Security Important?

A WordPress website hack can seriously harm your company’s earnings and reputation. Hackers have the ability to send malware to your users, install harmful software, and steal passwords and personal information. Even worse, you might have to pay hackers who have ransomware to get back onto your website.

Google said in March 2016 that over 50 million users had received warnings that a website they were accessing might be infected with malware or steal personal data. Additionally, Google adds about 20,000 domains to its blacklist every week for malware and about 50,000 for phishing.

You should be especially concerned about WordPress security if your website is a business. As the owner of an online business, you have an obligation to safeguard your website, just as business owners are responsible for safeguarding their physical storefronts.

Keeping WordPress Updated

Open source software like WordPress is updated and maintained on a regular basis. WordPress installs minor updates automatically by default. For major releases, you must start the update manually.

You can also install dozens of plugins and themes on your website. Third-party developers are in charge of maintaining these themes and plugins, and they frequently provide updates.

The stability and security of your WordPress website depend on these updates. Verify that the WordPress core, your theme, and your plugins are all current.

Strong Passwords and User Permissions

The most popular method of hacking WordPress is the use of stolen passwords. You can make that harder by using strong passwords that are unique to your website: not only for the WordPress admin area, but also for the custom email addresses that use your website’s domain name, your FTP accounts, databases, and WordPress hosting accounts.

Many novices dislike strong passwords because they are hard to remember. The good news is that you no longer have to memorise them: you can use a password manager. Check out our guide on WordPress password management.

Another way to lower the risk is to give someone access to your WordPress admin account only when absolutely necessary. If you work with a large team or have guest writers, make sure you understand user roles and capabilities in WordPress before adding new user accounts and authors to your website.

The Role of WordPress Hosting

The most significant factor affecting the security of your WordPress website is your WordPress hosting provider. A reputable shared hosting company such as Hostinger, Bluehost, or SiteGround will go above and beyond to safeguard its servers from typical security risks.

This is how a reliable web hosting provider safeguards your data and websites in the background.


  • They keep a close eye on their network to spot any unusual activities.
  • Good hosting providers have mechanisms in place to stop massive denial-of-service attacks.
  • They maintain the most recent versions of their hardware, PHP scripts, and server software to stop hackers from taking advantage of a known security flaw in an outdated version.
  • They can safeguard your data in the event of a significant accident since they have disaster recovery and accident plans ready to be implemented.

When you subscribe to a shared hosting plan, you share server resources with many other users. This increases the possibility of cross-site contamination, in which a hacker uses a neighbouring website on the same server to attack yours.


A managed WordPress hosting service gives your website a more secure basis. Managed WordPress hosting providers offer more sophisticated security options, automatic backups, and WordPress updates to protect your website. As our top choice for managed WordPress hosting, we suggest WPEngine. They are also the most well-liked in the sector.

WordPress Security in Easy Steps 

We are aware that for novices, enhancing WordPress security might be a daunting idea, particularly if you’re not tech savvy. Rest assured, you are not alone. We have assisted thousands of WordPress users in fortifying the security of their websites. We’ll demonstrate how you can increase WordPress security with a few clicks and no coding knowledge. If you can point and click, you can accomplish this!

Install a WordPress Backup Solution

Your first line of defence against a WordPress attack is a backup. Remember that nothing is ever completely safe. If government websites can be hacked, so can yours. With backups, you can easily recover your WordPress website in the event of an emergency.

There are many commercial and free WordPress backup plugins you can use. The most crucial thing to know about backups is that you have to periodically save full-site backups to a remote location, not your hosting account. We advise keeping them on a private cloud like Stash or a cloud service like Dropbox or Amazon. Depending on how often you update your website, once-a-day or real-time backups may be the best option.

Fortunately, plugins like Duplicator, UpdraftPlus, or BlogVault make this simple to accomplish. They are trustworthy and, most importantly, simple to use.

Best WordPress Security Plugin

After creating backups, the next task is to set up an auditing and monitoring system that records every action made on your website. This covers malware detection, failed login attempts, file integrity monitoring, and so on. Fortunately, Sucuri Scanner, the greatest free WordPress security plugin, can handle all of this.

First, install and activate the free Sucuri Security plugin. Please refer to our detailed instructions on installing a WordPress plugin for more information. After activation, navigate to the Sucuri menu in your WordPress admin. You will be asked to generate a free API key right away. This enables email notifications, integrity checks, audit logging, and other crucial functions.

The next step is to click on the ‘Hardening’ tab in the menu. Go through each option and press the “Apply Hardening” button. These options secure the key locations that hackers frequently target. You may skip the Web Application Firewall for now, as it is the only hardening option that requires a paid upgrade; we will go over it in more detail in the following step.

For those who choose not to use a plugin, or who need further steps like “Changing the Admin Username” or “Database Prefix change,” we have also addressed several of these “Hardening” options later in this post.

After the hardening phase, the default plugin settings are sufficient for the majority of websites and don’t require modification. Our only recommendation is to customise “Email Alerts”. The default alert settings may flood your inbox with emails. We advise subscribing to alerts for important activities such as plugin updates, the registration of new users, etc. Go to Sucuri Settings » Alerts to configure the alerts.

Explore all the tabs and options of this robust WordPress security plugin to learn what it can do, including tracking failed login attempts, audit logs, and malware scanning.

Enable Web Application Firewall (WAF)

The simplest approach to safeguarding your website and feeling secure with WordPress is a web application firewall (WAF). A website firewall blocks dangerous traffic before it even reaches your website.

DNS Level Website Firewall: These firewalls route your website’s traffic through cloud proxy servers, so that only legitimate traffic is passed on to your web server.

Application Level Firewall: These firewall plugins check incoming and outgoing traffic once it reaches your server, but before most WordPress scripts load. This technique is not as effective as a DNS-level firewall at lowering server load.

See our ranking of the top WordPress firewall plugins for more information.

Sucuri is the best web application firewall for WordPress, and we use it ourselves. You can read about our experience using Sucuri to stop 450,000 WordPress attacks in only one month. The best feature of Sucuri’s firewall is that blacklist removal and malware cleanup are guaranteed. Basically, they promise to fix your website (no matter how many pages it has) if it is hacked while under their protection.

Given the high cost of fixing hacked websites, this warranty is quite valuable. Security experts typically bill $250 per hour. By comparison, the full Sucuri security stack is available for $199 annually.

Move Your WordPress Site to SSL/HTTPS

SSL (Secure Sockets Layer) encrypts the data transmitted between a user’s browser and your website. This encryption makes it harder for someone to sniff around and steal information. When you enable SSL, your website uses HTTPS instead of HTTP, and the browser address bar displays a padlock icon next to your website’s address.

Typically, SSL certificates are issued by certificate authorities, and their annual costs range from $80 to hundreds of dollars. Because of the cost, most website owners chose to keep using the insecure protocol. To address this, a nonprofit group named Let’s Encrypt decided to provide website owners with free SSL certificates. Numerous businesses, including Google Chrome, Facebook, Mozilla, and many more, support their effort.

Starting to use SSL for all of your WordPress websites is now simpler than ever. These days, many hosting providers offer a free SSL certificate for WordPress websites.

WordPress Security for DIY Users

You should be in good shape if you follow all of the advice we have given thus far. You can still take more steps to strengthen your WordPress security, though. Coding expertise may be needed for some of these steps.

Change the Default “admin” username

“admin” used to be the default WordPress admin username. Because the username makes up half of the login credentials, this made brute-force attacks easier for hackers. Fortunately, WordPress has since corrected this and requires you to choose a unique username when installing the software. Nevertheless, some one-click WordPress installers continue to use “admin” as the default admin username. If you discover that to be the case, it would be wise to move your website hosting.

WordPress doesn’t let you change a username by default, but there are three ways you can do it:

  • Create a new admin user and delete the previous admin username.
  • Use the Username Changer plugin.
  • Update your username from phpMyAdmin.

Disable File Editing

WordPress ships with a built-in code editor that lets you change theme and plugin files directly from the WordPress admin area. We advise disabling this function, since it poses a security risk in the wrong hands. You can easily do this by adding a line of code to your wp-config.php file. Alternatively, you can do it with one click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed, such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and pasting in the rules that block PHP execution.

The next step is to save this file as .htaccess and use an FTP program to upload it to the /wp-content/uploads/ directory on your website. See our tutorial on how to prevent PHP execution in specific WordPress directories for a more thorough explanation. As an alternative, you can accomplish this in just one click using the Hardening feature in the free Sucuri plugin mentioned above.

Limit Login Attempts

By default, WordPress permits users to attempt logins as often as they like. This makes brute-force attacks against your WordPress website possible: hackers attempt to break passwords by trying many different login combinations. An easy way to remedy this is to limit the number of unsuccessful login attempts a user can make. If you’re using the web application firewall described earlier, this is already taken care of. If you haven’t configured the firewall, follow the instructions below.

The first step is to install and activate the Login LockDown plugin. See our detailed instructions on installing a WordPress plugin for more information.

Upon activation, visit Settings » Login LockDown page to set up the plugin.

See our guide on how and why to limit WordPress login attempts for comprehensive information.
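As an added example that is not part of the original post, the following POSIX shell function does the same counting a login-limiting plugin does, but from the web server’s access log after the fact: it flags client IPs with too many POSTs to wp-login.php (and to xmlrpc.php, which the post covers below, weighted higher because one XML-RPC request can carry many guesses). The Apache combined log format, the constructed sample lines, the threshold and the weight are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): find client IPs that hammer
# the WordPress login endpoints. Assumes Apache "combined" access-log lines
# (field 1 = client IP, field 6 = method, field 7 = request path). The log
# lines below are constructed samples using RFC 5737 documentation addresses.
set -eu

# Write constructed sample log lines to file $1.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
EOF
}

# Print "ip score" for every client whose score reaches $2 in log $1.
# A POST to wp-login.php scores 1. A POST to xmlrpc.php scores $3 (default 10,
# an assumed heuristic) because a single system.multicall request can carry
# many password guesses that never show up as separate log lines.
login_bursts() {
  awk -v max="$2" -v w="${3:-10}" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1] += 1 }
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/   { n[$1] += w }
    END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' "$1" | sort
}

# Usage: login_bursts /var/log/apache2/access.log 20
```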

Add Two Factor Authentication

Two-factor authentication requires users to log in using a two-step process. The first step requires the username and password, and the second requires authentication with a separate device or app. Most well-known websites, including Twitter, Facebook, and Google, let you activate it for your account. You can add the same feature to your WordPress website.

The first step is to install and activate the Two Factor Authentication plugin. After activation, select the “Two Factor Auth” link in the WordPress admin sidebar.

Next, install and open an authenticator app on your phone. Many are available, including Authy, LastPass Authenticator, and Google Authenticator. We suggest Authy or LastPass Authenticator, since both let you back up your accounts to the cloud. This is incredibly helpful if your phone is lost or reset, or you buy a new phone: restoring all of your account logins will be simple.

For this tutorial, we’ll be using the LastPass Authenticator; all authenticator apps work similarly. Open your authenticator app and click the Add button. You will be prompted to either enter the site details manually or scan a barcode. Choose the scan barcode option and point the camera at the QR code shown on the plugin’s settings page.

That’s all; your authenticator app has now saved the site. The next time you log in to your website, you will be prompted for the two-factor auth code after entering your password. Simply open the authenticator app on your phone and enter the code it shows.

Change WordPress Database Prefix

WordPress prefixes all tables in your WordPress database with wp_ by default. Hackers will find it simpler to determine the table name on your WordPress website if you are using the default database prefix. For this reason, we advise modifying it.


By following our step-by-step guide on how to modify the WordPress database prefix for better security, you may alter your database prefix.

Password Protect WordPress Admin and Login Page

Hackers typically have unrestricted access to your WordPress admin folder and login page. This lets them try their hacking techniques and launch DDoS attacks against it. You can effectively stop those requests by adding another layer of password protection on the server side. To password protect your WordPress admin (wp-admin) directory, follow our detailed steps.

Disable Directory Indexing and Browsing

Hackers can use directory browsing to see if you have any files with known vulnerabilities, so they can use those files to gain access. Directory browsing also lets other people view your files, copy images, discover your directory structure, and access other information. It is therefore strongly advised that you disable directory browsing and indexing.

You must connect to your website using FTP or the file manager in cPanel. Next, look in the root directory of your website for the .htaccess file. If it’s not visible there, check out our guide on why WordPress won’t let you view the .htaccess file. Then add the following line to the end of the .htaccess file:

Options -Indexes

Remember to save and re-upload the .htaccess file to your website. See our post on disabling directory browsing in WordPress for more information on this subject.

Disable XML-RPC in WordPress

XML-RPC has been enabled by default since WordPress 3.5 because it facilitates the integration of your WordPress website with web and mobile applications. XML-RPC is quite powerful, however, and it can greatly amplify brute-force attacks. Traditionally, for instance, a hacker would have to attempt 500 different passwords on your website in order to be detected and blocked by the login lockdown plugin. With XML-RPC, however, a hacker can use the system.multicall method to try thousands of passwords with only 20 or 50 requests. For this reason, we advise turning off XML-RPC if you are not using it. There are three methods for disabling XML-RPC in WordPress, all of which are explained in our comprehensive guide on the subject.

Tip: The .htaccess method is the best one, as it is the least resource-intensive.

This can be handled by the web-application firewall if you’re using it, as previously noted.
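The four file-based hardening steps above (disabling the file editor in wp-config.php, blocking PHP in the uploads directory, turning off directory indexes, and blocking xmlrpc.php through .htaccess) can be applied and checked with one idempotent script. This is an added example, not code from the original post or from any plugin it names; the install root passed as the first argument, the standard file layout, and an Apache host that honours .htaccess are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): applies and audits four
# hardening steps from this guide on a WordPress install whose root directory
# is passed as $1. Assumed layout: wp-config.php and .htaccess in the root,
# uploads in wp-content/uploads, and an Apache host that honours .htaccess.
set -eu
# Append text $3 to file $1 unless grep pattern $2 is already present.
append_once() {
  [ -f "$1" ] && grep -q -- "$2" "$1" && return 0
  printf '%s\n' "$3" >> "$1"
}

# Print an Apache <Files> block denying requests for files matching $1 (2.4 syntax, 2.2 fallback).
deny_block() {
  printf '<Files "%s">\n  <IfModule mod_authz_core.c>\n    Require all denied\n  </IfModule>\n' "$1"
  printf '  <IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n  </IfModule>\n</Files>\n'
}

# 1. Disable the admin theme/plugin file editor. The constant goes above the
#    "stop editing" marker (before wp-settings.php loads); appended if missing.
wp_disable_file_edit() {
  cfg="$1/wp-config.php"
  line="define('DISALLOW_FILE_EDIT', true);"
  grep -q DISALLOW_FILE_EDIT "$cfg" && return 0
  if grep -q "stop editing" "$cfg"; then
    awk -v l="$line" '/stop editing/ && !d { print l; d = 1 } { print }' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
  else
    printf '%s\n' "$line" >> "$cfg"
  fi
}

# 2. Deny PHP execution in the uploads directory via its own .htaccess.
wp_block_uploads_php() {
  mkdir -p "$1/wp-content/uploads"
  append_once "$1/wp-content/uploads/.htaccess" 'Files "\*.php"' "$(deny_block '*.php')"
}

# 3. Turn off directory listings site-wide.
wp_disable_indexes() {
  append_once "$1/.htaccess" "Options -Indexes" "Options -Indexes"
}

# 4. Block xmlrpc.php at the web server (the least resource-intensive method).
wp_block_xmlrpc() {
  append_once "$1/.htaccess" 'Files "xmlrpc.php"' "$(deny_block xmlrpc.php)"
}

wp_harden() {
  wp_disable_file_edit "$1"; wp_block_uploads_php "$1"
  wp_disable_indexes "$1";   wp_block_xmlrpc "$1"
}

# Print PASS/FAIL per control; return 1 if any control is missing.
wp_audit() {
  rc=0
  for spec in "file-editor|DISALLOW_FILE_EDIT|wp-config.php" \
              "uploads-php|Files \"\\*.php\"|wp-content/uploads/.htaccess" \
              "dir-listing|Options -Indexes|.htaccess" \
              "xmlrpc|Files \"xmlrpc.php\"|.htaccess"; do
    name=${spec%%|*}; rest=${spec#*|}; pat=${rest%|*}; file=${rest#*|}
    if grep -qs -- "$pat" "$1/$file"; then echo "PASS $name"; else echo "FAIL $name"; rc=1; fi
  done
  return $rc
}

# Usage: sh wp-harden.sh /var/www/html
if [ $# -gt 0 ]; then wp_harden "$1" && wp_audit "$1"; fi
```

Run the audit alone on a site you did not harden with this script to see which of the four controls are already in place; the xmlrpc.php block should be left out if your site relies on XML-RPC clients.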

Automatically log out Idle Users in WordPress

Logged-in users occasionally walk away from the screen, which is a security risk: someone else could hijack the session, change passwords, or modify the account.

For this reason, a lot of financial and banking websites automatically log out inactive users. You can also add comparable features to your WordPress website.

Installing and activating the Inactive Logout plugin is required. To adjust plugin settings after activation, navigate to Settings » Inactive Logout.

Just enter the time period and include a message to log out. Remember to click the “Save Changes” button in order to save your configurations.

Add Security Questions to WordPress Login Screen

It is considerably more difficult for someone to get unauthorised access when you add a security question to your WordPress login screen. Installing the WP Security Questions plugin will allow you to add security questions. Upon activation, the plugin settings are configured through the Settings » Security Questions page. See our guide on adding security questions to the WordPress login screen for more specific information.

Scanning WordPress for Malware and Vulnerabilities

Once you install a WordPress security plugin, it will automatically scan your site for malware and indications of a breach. However, you might wish to run a scan manually if you see an abrupt decline in website traffic or search engine rankings. You can use your WordPress security plugin or one of the online malware and security scanners for this. Running these online scans is very simple: enter your website’s URL, and their crawlers will search it for known malware and harmful code.

Note that the majority of WordPress security scanners are limited to scanning your website. They cannot clean up a hacked WordPress website or remove the infection. This takes us to the following section, on cleaning up a compromised WordPress site.

Fixing a Hacked WordPress Site

Many WordPress users are unaware of the significance of backups and website security until their website gets hacked. Cleaning up a WordPress site can be an extremely challenging and time-consuming task, so our first suggestion is to leave it to the professionals. Hackers install backdoors on compromised websites; if these backdoors are not properly removed, your website is likely to be hacked again. Hiring a reputable security company like Sucuri to fix your website ensures it is safe to use again, and it will shield you from future attacks as well. For the daring do-it-yourself users, we have prepared a step-by-step tutorial on how to fix a hacked WordPress website.

How to Use Woo Commerce FAQ

– Businesses often encounter challenges such as adapting to new technology, managing logistics and fulfillment, maintaining cyber security, and competing with larger online retailers.

– eCommerce has transformed the consumer shopping experience by offering convenience, a wider selection of products, personalized recommendations, easy price comparison, and the ability to shop anytime and anywhere.

– eCommerce allows businesses to reach customers beyond their local markets, facilitating cross-border trade and expanding market reach. It enables consumers to access products and services from around the world, contributing to the globalization of markets.

– eCommerce has provided opportunities for small businesses to compete on a global scale, reach a broader audience, and reduce overhead costs associated with traditional brick-and-mortar stores. However, it has also intensified competition and required small businesses to invest in online marketing and technology.

– eCommerce has disrupted traditional retail models by shifting the focus from physical stores to online platforms. It has led to the rise of multichannel retailing, where businesses integrate their online and offline channels to provide a seamless shopping experience. Additionally, eCommerce has challenged the need for large physical retail spaces and transformed consumer behavior, with more people opting for online shopping.
