WordPress Security: Top WordPress Security Tips and Tricks

Today we’ll be discussing the best tips and tricks regarding WordPress Security, enabling you to secure your own website.

1. Regularly Update WordPress Security

Current versions of WordPress feature one-click updates. You can launch the update by clicking the link in the new version banner or by going to the Dashboard > Updates screen. Once you are on the “Update WordPress” page, click the button “Update Now” to start the process off. You shouldn’t need to do anything else and, once it’s finished, you will be up-to-date.

In general we would recommend the following steps when performing an update:

  1. Back your website up
  2. Turn off any caching plugins
  3. Update your plugins and theme framework
  4. Update WordPress
  5. Reactivate your caching plugin and clear your cache

2. Backup Your Website

Always rely on a strong backup and recovery protocol for your website. It’s not just hacking that may compromise your website but other factors like a faulty upgrade or plugin install.

If you are looking for an automated backup solution that runs inside your WordPress site then review the following plugins:

  • VaultPress “VaultPress provides realtime, continuous backup and synchronization of every post, comment, media file, revision and dashboard setting.”
  • DropBox for WordPress “WordPress Backup to Dropbox has been created to give you peace of mind that your blog is backed up on a regular basis.”
  • BackupBuddy (VMware Cloud VPS Required) “Backup your entire Single or Multisite WordPress install. Including the widgets, themes and plugins.”
  • BackWPUp “Do backups and more for your WordPress Blog.”

3. Manage Your Plugins

Third-party plugins are what make WordPress so popular, but at the same time they are a primary entry point for attacks on your website. Every plugin is another item that you have to ensure is updated or patched.

For this reason it’s important to install only those extensions that have a good reputation. Read the reviews at the WordPress Plugin Directory: many plugins contain vulnerable code which, once installed, makes it easy for hackers to compromise your website.

Also check whether there are any known exploits or vulnerabilities for the plugin you are about to install. This can be done at Secunia or ExploitDB.

4. Remove Unused Plugins

People often test different plugins or themes and forget to remove them once they finish working with them. Leaving these plugins or themes installed, even if they are disabled, can create a potential security risk so it’s advisable to remove these after any testing has been completed.

5. Use Strong Login Details

For almost every website that you build, there will be various user accounts that you have to create and manage. For each of these you should create a secure password. Choosing a password that other people won’t guess easily is a matter of creating unlikely letter and number combinations.

A strong password:

  • Is at least eight characters long
  • Does not contain your user name, real name, or company name
  • Does not contain a complete word
  • Is different from previously used passwords
  • Contains a mixture of uppercase, lowercase characters and numbers

You can use a free tool like the Norton Identity Safe Password Generator to create a complex password for your WordPress accounts.
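The five rules above, implemented as a checker plus a generator, as an added example that is not part of the original post. The word list is a constructed stand-in for a real dictionary, and previous passwords are compared by SHA-256 digest so the old passwords themselves never have to be stored; both are assumptions of this example.

```python
import hashlib
import re
import secrets
import string

# Constructed stand-in for a dictionary; a real checker would load a full word list.
COMMON_WORDS = ("admin", "letmein", "password", "summer", "welcome", "wordpress")


def password_hash(password):
    """SHA-256 hex digest used only to recognise a reused password."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, username="", real_name="", company="", previous_hashes=()):
    """Return the rules the password breaks (an empty list means it passes)."""
    problems = []
    lower = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for label, value in (("user name", username), ("real name", real_name), ("company name", company)):
        if value and value.lower() in lower:
            problems.append(f"contains your {label}")
    for word in COMMON_WORDS:
        if word in lower:
            problems.append(f"contains the word '{word}'")
    if password_hash(password) in previous_hashes:
        problems.append("reused from an earlier password")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs upper-case, lower-case letters and digits")
    return problems


def generate_password(length=16, **context):
    """Draw from the OS CSPRNG (secrets), retrying until the result passes check_password."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, **context):
            return candidate


if __name__ == "__main__":
    for pw in ("password123", "Bob2024xy", "Tr4vel-Kq9z"):
        print(pw, "->", check_password(pw, username="bob", real_name="Bob") or "ok")
    print("generated:", generate_password(20, username="bob"))
```

`secrets` rather than `random` matters here: the `random` module is seeded predictably and is not suitable for credentials.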

6. Block Unwanted Visitors

Bots are automated programs operated by hackers who use them to aggressively attack and gain access to your website. This can quickly rack up bandwidth and resource usage on your hosting account, and ultimately may lead to your WordPress site being compromised.

A simple but effective method of restricting bots can be implemented by creating, or modifying an existing, .htaccess file in your WordPress root directory with the following lines:

# An empty User-Agent, or one matching a known scraper or attack tool, sets keep_out
SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (pycurl|casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|planetwork) keep_out

# Apache 2.2-style access control; Apache 2.4 needs mod_access_compat for these directives
Order Allow,Deny
Allow from all
Deny from env=keep_out

A more comprehensive approach is to use the 5G Blacklist provided by Perishable Press.

The 5G Blacklist is a simple, flexible blacklist added to your current .htaccess file that checks all web page requests against a series of carefully constructed htaccess directives. This happens behind the scenes at the server level, saving resources for your WordPress site and protecting it from unwanted visitors.

7. Protect Your Administrative Page

You can significantly improve the security of your WordPress site if you restrict the access to your admin area.

First, you can password protect the /wp-admin folder of your site. To do this, follow the instructions in our tutorial on How to Password Protect a Directory using cPanel. Once you protect your /wp-admin folder, an additional password will be required before the standard WordPress login form is shown.

Next, you can restrict access to the /wp-admin directory to your IP address only.

Create a file called “.htaccess” in your /wp-admin directory, open it and add the following lines:

# Default-deny; only the listed addresses may reach /wp-admin
Order Deny,Allow
Deny from ALL
Allow from x.x.x.x

Note that you need to replace x.x.x.x with your actual public IP address. To find out your address, you can use the What Is My IP website. To add multiple IPs, repeat the Allow from x.x.x.x line once per address.

If your Internet service provider gives you a dynamic IP address, IP restriction might not be suitable for you, because you will have to edit the .htaccess file each time your IP changes.
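To see what the two policies in sections 6 and 7 would do before putting them live, the following added example (not part of the original post) re-implements them in Python and runs them over constructed access-log lines in Apache combined format. The allow-list addresses and log lines are made up from the documentation ranges; the `admin-ajax.php` exemption is an assumption explained in the code.

```python
import ipaddress
import re

# The User-Agent rules from the section 6 .htaccess snippet. SetEnvIfNoCase does a
# case-insensitive, unanchored regex search on the header value, which
# re.search with re.IGNORECASE reproduces.
BLOCKED_AGENT_PATTERNS = [
    r"^$",                                        # empty User-Agent
    r"(pycurl|casper|cmsworldmap|diavol|dotbot)",
    r"(flicky|ia_archiver|jakarta|kmccrew)",
    r"(purebot|comodo|feedfinder|planetwork)",
]
_BLOCKED_AGENTS = [re.compile(p, re.IGNORECASE) for p in BLOCKED_AGENT_PATTERNS]

# The "Allow from x.x.x.x" lines of section 7. Constructed example addresses;
# replace with your own. A network lets you allow a whole office range.
ADMIN_ALLOW = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")]

# Apache combined log format: we only need client IP, request path and User-Agent.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def agent_blocked(user_agent):
    return any(p.search(user_agent) for p in _BLOCKED_AGENTS)


def admin_allowed(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_ALLOW)


def decide(client_ip, path, user_agent):
    """Mirror the two .htaccess policies. Blocked agents are refused everywhere;
    /wp-admin/ is refused to addresses outside the allow-list. admin-ajax.php is
    exempted (our assumption) because front-end plugins call it for every visitor."""
    if agent_blocked(user_agent):
        return "deny: user-agent"
    if path.startswith("/wp-admin/") and not path.startswith("/wp-admin/admin-ajax.php"):
        if not admin_allowed(client_ip):
            return "deny: ip"
    return "allow"


def audit_log(lines):
    """Return (ip, path, decision) for every line that parses as combined format."""
    results = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess
        results.append((m["ip"], m["path"], decide(m["ip"], m["path"], m["agent"])))
    return results


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.45 - - [10/Oct/2023:13:55:38 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "PycURL/7.43.0"',
    '192.0.2.46 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 9000 "-" ""',
    '192.0.2.47 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '192.0.2.48 - - [10/Oct/2023:13:55:41 +0000] "GET /blog/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

if __name__ == "__main__":
    for ip, path, decision in audit_log(SAMPLE_LOG):
        print(f"{ip:15} {path:32} {decision}")
```

Two things this run makes visible: the second line shows that a legitimate administrator connecting from an address outside the list is locked out, which is the dynamic-IP problem described above, and the fifth line shows why the real /wp-admin/.htaccess needs a matching exception for admin-ajax.php (a `<Files admin-ajax.php>` section with `Allow from all`), otherwise front-end features of many plugins break for ordinary visitors.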

8. Change The Admin User

In WordPress the default user name for the Super Administrator is admin. Intruders usually rely on this during a brute-force attack, so simply changing the name protects you from attacks that try to guess the name of the Administrator (admin) account. Other attacks may instead try to guess the default ID of the Administrator account in order to gain access to the site.

To create a new Administrative account just:

  1. Login to your WordPress Admin area.
  2. Click on “Add new” in the “Users” menu.
  3. Type in the information for the new user account. You need to use a different email address than the one set up for your “admin” username. Make sure you select “Administrator” as the role. Choose a new user name that is not similar to the name you display publicly on your blog.
  4. Click on the “Add User” button.
  5. Logout of WordPress.
  6. Login to your WordPress again, using your new username.
  7. Click on “Users” in the “Users” menu.
  8. Move your mouse cursor over the “admin” row. You will see links for “Edit” and “Delete”. Click on “Delete”.
  9. Select “Attribute all posts and links to” and then select your new username from the drop-down list. Ensure that you select this option otherwise all your posts will be deleted!
  10. Click on the “Confirm Deletion” button.

Some people may prefer an alternative method using the iThemes Security plugin which allows you to do all of these tasks, and change the default ID at the same time.

9. Implement Two-Factor Authentication


Two-Factor Authentication is a login method whereby a person has to provide their user name, password and a randomly generated OTP (One Time Password).

An OTP is a six-digit numeric code generated by a cryptographic function for a short time interval. Even if a hacker were to guess your WordPress Administrator username and password correctly, they would still require the OTP to log in.

To implement Two-Factor Authentication on your WordPress site we can recommend using either:

  • Two Factor Auth
  • Duo Two-Factor Authentication

10. Use SSL Certification

Use SSL on your site and force WordPress into SSL mode for all logins. Just be aware that you must have a properly configured SSL certificate for your site’s domain, or you will not be able to enable this feature.

When you have an SSL certificate on your website, this setting will have the user’s browser encrypt their user name and password before it’s sent over the internet to your server.

To enable the SSL Login feature for your administrative section open up the wp-config.php found in your root WordPress folder and enter one of these:

Force only admin sessions to happen over SSL

define('FORCE_SSL_ADMIN', true);

Force all logins and all admin sessions to happen over SSL

define('FORCE_SSL_LOGIN', true);

11. Disable Access To The wp-content Folder

Uploaded images and other media are stored in the wp-content folder. To prevent unauthorised access to it, except for client-side media, create an .htaccess file within your /wp-content/ directory with the following statements:

# Deny everything under wp-content except the static asset types listed below
Order Allow,Deny
Deny from all
<Files ~ "\.(jpg|gif|png|js|css)$">
Allow from all
</Files>

12. Disable Directory Browsing in WordPress

To prevent visitors from traversing your site folders and viewing their contents, you can disable directory browsing for your website. Create or modify an existing .htaccess file in your root WordPress directory with the following contents:

Options -Indexes

13. Use Proper File Permissions & Ownership

File permissions are a method of controlling what you and other people can do with a file or folder. You will want to configure your permissions so that files and folders can only be accessed by your account, and that outside visitors can’t read important WordPress configuration files.

  • All files should be set with a CHMOD value of 644
  • All folders should be set with a CHMOD value of 755
  • Your wp-config.php file should be set with a CHMOD value of 640
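An audit script for the three rules above, as an added example that is not part of the original post: it walks a WordPress tree, reports every file or folder whose mode differs from 644/755/640, and can apply the expected modes. It assumes a POSIX host, skips symlinks (chmod on a link would change its target) and builds a constructed demo install in a temporary directory with two deliberate mistakes so it can be run anywhere.

```python
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_FILE = 0o644    # CHMOD 644: owner read/write, everyone else read
EXPECTED_DIR = 0o755     # CHMOD 755: owner full, everyone else read/traverse
EXPECTED_CONFIG = 0o640  # CHMOD 640: wp-config.php holds DB credentials, no world read


def expected_mode(path, root, is_dir):
    if is_dir:
        return EXPECTED_DIR
    if path.name == "wp-config.php" and path.parent == root:
        return EXPECTED_CONFIG
    return EXPECTED_FILE


def audit_permissions(root):
    """Return sorted (relative path, actual mode, expected mode) for every entry
    under root whose permission bits differ from the rules above."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        directory = Path(dirpath)
        entries = [(directory, True)] + [(directory / name, False) for name in filenames]
        for path, is_dir in entries:
            if path.is_symlink():
                continue
            actual = stat.S_IMODE(path.lstat().st_mode)
            expected = expected_mode(path, root, is_dir)
            if actual != expected:
                findings.append((str(path.relative_to(root)), actual, expected))
    return sorted(findings)


def fix_permissions(root, dry_run=True):
    """Apply the expected modes; returns how many entries would be (or were) changed."""
    findings = audit_permissions(root)
    if not dry_run:
        for rel, _actual, expected in findings:
            os.chmod(Path(root) / rel, expected)
    return len(findings)


def remediate(root):
    """Audit, fix, audit again; returns (findings_before, findings_after)."""
    before = audit_permissions(root)
    fix_permissions(root, dry_run=False)
    return before, audit_permissions(root)


def build_sample_tree():
    """Constructed demo install (not a real site) with two deliberate mistakes."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    os.chmod(root, 0o755)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "wp-content" / "uploads", 0o777)  # world-writable: any local user can drop files here
    for name in ("index.php", "wp-config.php"):
        (root / name).write_text("<?php\n")
        os.chmod(root / name, 0o644)  # wp-config.php should be 640
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    for rel, actual, expected in audit_permissions(demo):
        print(f"{rel}: {actual:o} (expected {expected:o})")
    print("fixed:", fix_permissions(demo, dry_run=False))
```

Run it with `dry_run=True` first on a real install: some hosts run PHP as the file owner and expect different modes on wp-content/uploads, and a tree that is already correct should produce no findings at all.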

14. Hide WordPress Reporting

When things go awry, only you should know about it. Displaying errors to your visitors can be an absolute disaster, especially if they have malicious intentions.

A common WordPress attack method is to crawl for sites running a particular version number that has a number of known security exploits and vulnerabilities associated with it.

In order to remove WordPress version reporting simply place the following line of code in your theme’s functions.php file:

remove_action('wp_head', 'wp_generator');

To hide WordPress login errors, place the following snippet of code in your theme’s functions.php file (create_function() was removed in PHP 8, so a plain callback is used instead):

add_filter('login_errors', '__return_empty_string');

15. Disable file editing via the dashboard

In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.

However, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

16. Monitor For Malware


Malware is malicious computer code that can harm your website, steal personal information and enable malicious individuals to cause you financial, electronic or any other kind of harm.

It’s imperative that you have some kind of system in place to constantly monitor your site for malware.

Sucuri – https://sucuri.net/ is a company that offers a security service that detects unauthorized changes to network assets, including WordPress web sites, DNS, Whois records, SSL certificates and others.

How you monitor is vitally important. Choose a method that can actually dive into your file structure and detect deep breaches, rather than one that just shows you where you’re vulnerable.

17. Use Security Plugins


WordPress security extensions provide a way to monitor, review and secure important files and components of your WordPress installation.

One of the most popular is the free Wordfence Security plugin, which can fix your file and directory permissions, protect your administrator directory, change your database prefix, set a secure Super Administrator ID and apply a whole host of other recommended security improvements.

Wordfence includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available.

