How to Secure Your WordPress Website in 2024 (Detailed Tutorial)

WordPress has become one of the world’s most popular content management systems (CMS), with over 44% of websites built on it. As with any online platform, security should be at the top of your list of concerns. In this post, we’ll examine WordPress security concerns and provide tips on how to keep your WordPress website safe and secure.

Let’s dive in.

Is WordPress Secure?

For the most part, yes. WordPress developers work hard to maintain the security of their platform through patches and updates occurring regularly. However, since WordPress is built on an open-source framework, hackers can analyze how it’s constructed and frequently develop new ways to gain control of WordPress websites. Because of this, WordPress security is crucial. Knowing the risks associated with using WordPress is important to understand better how to secure your website.

WordPress Security Concerns

When operating a WordPress website, there are several potential risks to be aware of. One of the biggest concerns is hackers. Because WordPress is so popular, it attracts the attention of nefarious actors who attempt to exploit vulnerabilities like outdated plugins or core files to gain unauthorized access to your site. They can employ methods such as backdoors, launching brute force attacks, pharma attacks, denial of service (DoS) attacks, or cross-site scripting (XSS).

If left unresolved, there can be serious consequences, such as malware (malicious code designed to steal your site’s visitor information), forwarding your website to a completely different one, adding content you’re unaware of, Google warnings that can hurt your position in the SERPs, or worse, being unable to log in to your website.

How to Secure Your WordPress Website

The following section will explore best practices to enhance WordPress security to protect your website against potential threats.

Subscribe To Our Youtube Channel

WordPress Security: Choose Good WordPress Hosting

The first step to take is partnering with a good WordPress hosting company. With so many choices available, it can be difficult to determine how to choose the right host. If you’re a beginner, it’s probably best to opt for a good managed hosting provider, such as SiteGround, that will provide all security updates for WordPress, while also maintaining the server it’s installed on. For those who are more tech-savvy, a cloud hosting provider, such as Cloudways, is an excellent choice.

Either option will give you all the tools you need to ensure your website is safe and secure, including:

• Free SSL certificate
• Web application firewall (WAF)
• SFTP access
• Distributed denial of service (DDoS) protection
• Malware protection

Keep Your WordPress Login Secure

Another easy thing you can do to boost your WordPress security is to lock down your login credentials. This can be done in several ways, including using a plugin to change the login URL from /wp-admin to something of your choosing. You can also add two-factor authentication (2FA) to your login and limit login attempts, which will help repel bots.

Another way to protect your login is by linking it to your Google account using the Google Apps Login for WordPress. Once your login is locked down, you should whitelist your users’ IP addresses. This ensures that only registered users can get in, even if they have managed to figure out your password.

Use a Suite of WordPress Security Plugins

Another very useful thing you can do is to install a good security plugin, such as iThemes Security. It will allow you to add 2FA, limit login attempts, schedule backups, and hide your WordPress login.

In addition to a WordPress security plugin, consider installing a good backup plugin, like UpdraftPlus, if your host doesn’t offer backups. A backup plugin protects you from losing your site’s files, helping you to avoid rebuilding WordPress from scratch. You can easily restore your site with little effort if something goes wrong. Finally, incorporating an activity log plugin like WP Activity Log will allow you to pinpoint what went wrong and when.

Keep PHP Updated

WordPress requires three things to work correctly: PHP, MySQL, and HTTPS support. PHP, or hypertext preprocessor, is a popular open-source scripting language used in web development and is the backbone of WP. Like WordPress, being open source leaves it open for malicious actors looking to take advantage. To avoid these potential issues, it’s best to keep PHP updated. Not only does it help with WordPress security, but it also keeps your site running optimally.

Choose Strong Passwords

One of the most important aspects of WordPress security is choosing strong passwords for login. Weak or easily guessable passwords leave your site vulnerable to unauthorized access and expose your site to botnets. Botnets are a collection of computers that have been infected by malware and come under the control of a hacker. They are the leading cause of DDoS attacks on the internet, but you can prevent your site from falling victim to them by taking the correct precautions.

For example, you can protect your site by ensuring all users adhere to a password policy. One great way to do this is by installing a plugin like Password Policy Maker.

WordPress Security: Keep Software Updated

Another simple step in WordPress security is keeping your WordPress core, plugins, and themes updated. Leaving software out of date can have negative consequences on your website, including security breaches, the WordPress white screen of death, or any number of common errors.

You can either keep up with updates on your own or enable automatic updates. What is right for you depends on several factors, including time, expertise, and the type of software your WordPress install runs. Regardless of whether you handle updates or choose to update automatically, you should always make a backup before performing any updates.

Install SSL Certificate

If you partner with a good hosting provider, one of the benefits that come with it is a free SSL certificate. However, there may be situations where you’ll need to install one yourself. Most providers, like SiteGround, offer a free SSL that installs in a few minutes. As you read this, you might ask , “Why do I need an SSL certificate?”. Let’s explain.

image courtesy of Valery Brozhinsky | Shutterstock.com

SSL, or secure socket layer, expands the hypertext transfer protocol (HTTP) to hypertext transfer protocol secure (HTTPS), adding encryption and an extra layer of security. For example, a consumer who makes a purchase over HTTP risks their credit card information being exploited. On the other hand, their information would be protected if they had made the same purchase over HTTPS. Your site and its visitors are exposed and vulnerable without that secure connection. That’s why installing an SSL certificate on any new website is crucial.

Conduct a Security Audit

Once you’ve taken steps to secure your site, it’s important to conduct a WordPress security audit occasionally. Just as technology changes daily, so does a hacker’s arsenal of tools. Malware and other tactics are developed regularly, so securing your WordPress website isn’t a one-and-done deal. Schedule regular security checks, and look for signs that your site may be in trouble. If you notice your site loading slowly, your traffic drops, you discover new links you didn’t add, or you experience excessive login attempts, it may be time to run a security scan to ensure your site remains safe and secure.

Advanced WordPress Security Techniques

In addition to the steps listed above, there are a few more advanced techniques to incorporate into your site to enhance WordPress security.

Harden the wp-config.php File

One common point of entry for hackers is your WordPress website’s wp-config.php file. It houses information about your database, including the name, host, username, and password. Leaving this important file open can prove detrimental, so hiding it is always a good idea.

Move Your wp-config.php File

To move wp-config, you can drag it into your site’s root folder (public HTML), and WordPress will look for it whenever the site is pinged. However, if your site’s file structure includes a htaccess file, you can further protect it by adding a directive to deny access to it by using the following code:

<FilesMatch "wp-config/.php">
Require all denied
</FilesMatch">

Note: Before doing this, ensure your hosting provider hasn’t already taken steps to move your wp-config file for you. Some hosts, such as Kinsta, do this automatically to keep your site safe.

Change WordPress Salt Keys

Another way to protect your wp-config file is by altering your site’s salt keys. These keys add an extra layer of protection while saving passwords to your database, signing in to cookies, and other important WordPress security aspects. If hackers can obtain your salt keys, they can access your site’s database and files, including stored credit card information, passwords, and other important information. Therefore, it’s recommended to change them periodically.

Change File Permissions

By default, files in your root directory are set to 644, which means they are both readable and writable, leaving them vulnerable to bad actors. According to WordPress, these should not be left at default permissions. Rather, they should be changed to 440 or 400 to prevent others on the same server from reading them. However, it’s important to check with your hosting provider before making any changes to your file permissions. They may have a unique system in place, so changing permissions could cause disruption to your site.

Disable XML-RPC

XML-RPC is a WordPress API that allows you to connect your website to third-party apps and tools. In recent years, it has been exploited by brute force attacks, allowing access to WordPress sites. It is primarily used for making Zapier connections or accessing your site remotely through an app. You should disable XML-RPC on your server if you aren’t using any of these connections.

There are several ways to do this, including disabling it through htaccess, using a code snippet, or with a plugin. The most advanced method, htaccess, can be tricky for beginners, so the most recommended approach is to use a code snippet.

For the htaccess method, use an FTP client to access your site’s files, then add the following code to your htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny, allow
 deny from all
allow from 123.123.123.123
</Files>

Note: Be sure to change the IP 123.123.123.123 with your own.

Alternatively, you can use the AIOSEO plugin’s tools htaccess tab to insert the code:

If you’d rather disable XML-PRC using a code snippet, you can easily accomplish it using the WPCode plugin. It has a built-in snippet that you can use to disable the API.

Hide WordPress Version

This is an often overlooked step when it comes to WordPress security, but an important one. By default, WordPress leaves a footprint in your site’s code that shows which version is installed. This might seem harmless, but by accessing the website’s source code, hackers can determine what version of WordPress you’re running. If it’s outdated, they can use that info to hack into your site by injecting malware or malicious scripts.

So, as an extra WordPress security measure, hide your site’s WordPress version to make it harder for hackers to take control of your site. There are good ways to do this. You can either implement a code snippet plugin that will remove the line in the source code or create a child theme and place it into your functions.php file.

function elegantthemes_remove_version() {
return '';
}
add_filter('the_generator', 'elegantthemes_remove_version');

Alternatively, if you’d like to remove the WP version in the meta tag, in database query strings, and in RSS feeds, use this code:

/* Hide WP version strings from scripts and styles
* @return {string} $src
* @filter script_loader_src
* @filter style_loader_src
*/
function elegantthemes_remove_wp_version_strings( $src ) {
global $wp_version;
parse_str(parse_url($src, PHP_URL_QUERY), $query);
if ( !empty($query['ver']) && $query['ver'] === $wp_version ) {
$src = remove_query_arg('ver', $src);
}
return $src;
}
add_filter( 'script_loader_src', 'elegantthemes_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'elegantthemes_remove_wp_version_strings' );
 
/* Hide WP version strings from generator meta tag */
function wordpress_remove_version() {
return '';
}
add_filter('the_generator', 'elegantthemes_remove_version');

What to Do if Your WordPress Website is Hacked

Even if you do everything right, you may find yourself in a situation where your website has been hacked. Thankfully, there are steps you can take, including putting your site into recovery mode, restoring from your most recent backup, or resetting your passwords. If all else fails, your hosting provider may be able to help.

Final Thoughts on WordPress Security

By taking the necessary steps to boost your WordPress security, you can ensure your site continues to operate normally while being safe for your visitors. While WordPress offers tremendous benefits and ease of use, it’s important to understand its shortcomings. Thankfully, there are a number of WordPress security plugins like iThemes that can help keep things on track.

Looking for more information on WordPress? Check out some of our in-depth articles that will transform you into a WordPress expert in no time:

• How to Install WordPress: The Definitive Guide
• 10 Best WordPress Hosting Options (Handpicked)
• 31 Best WordPress Plugins (Everything You Need)
• 10 Best WordPress Themes (Compared & Ranked)

Frequently Asked Questions (FAQs)

Before we wrap up, let’s answer some of your most common questions about securing your WordPress website. Did we miss one? Leave a question below and we will respond!

Featured Image via Pikovit / shutterstock.com