How to secure your WordPress site

    September 14, 2020

    While no security can claim perfection, these methods can mitigate many common threats to your site.

    Why bother?

    The popularity of WordPress makes it a high-priority target for hackers. The default WordPress settings are inadequate for protection, but it is a relatively simple matter to implement effective safeguards. 

    Though security can never be perfect, this guide can help prevent the most common vulnerabilities and exploits. Prevention is the most effective medicine: as your site rises in popularity, it will also become more visible to potential attackers.

    Essential security measures

    This section provides eight critical safeguards for any WordPress site. Ignore these at your own peril.

    Monitor patch releases and apply them immediately

    As with any Internet-facing software, you must run the latest version of WordPress to maintain a secure environment. Upgrades deliver new features, bug fixes, and critical security updates that address the latest exploits and attacks.

    If you ignore or postpone these patches, you compromise your security and endanger your data. Since version 3.7, WordPress applies minor and security updates automatically, but you still need to update manually for major feature releases. You can find more information on updating WordPress on their website.

    Remove unused plug-ins and themes

    Plug-ins and themes offer convenience and aesthetics in exchange for increased vulnerability. Every plug-in and theme on your site is another potential risk; therefore, removing unnecessary ones increases security. Even if inactive, a forgotten theme or plug-in can provide an attacker with another gateway to your site.

    Implement and maintain a strong password policy

    A password policy states requirements for passwords. A strong password follows the conventions outlined in our article, How to create a strong password.

    Consider using the Nexcess Secure Password Generator to help generate a secure custom password. For assistance, refer to How to use the Nexcess Secure Password Generator.

    Hide the wp-config.php file

    Your wp-config.php file contains extremely sensitive information, including your database credentials. WordPress allows you to move your wp-config.php file one directory above your webroot so that it is hidden from the public.

    Even if your permissions are set incorrectly or your version of WordPress suffers from an unpublished exploit, your wp-config.php file is not accessible in a browser and your database information is safe.

    For example, the path, / would become /

    Remove "admin" user

    Hackers use programs specifically designed to guess massive numbers of usernames and passwords until they successfully log in, otherwise known as a brute-force attack. These programs start with common login credentials, and "admin" is at the top of the username list. Remove the "admin" username and switch to a unique one to help prevent these types of attacks.

    Set proper file permissions

    Permissions can often lead to security concerns if set incorrectly. If a directory is set to 777, then anyone with any access to the server can read, write, and execute any file within that directory.

    This is hardly advisable. The proper and safest permissions for most environments are 755 for directories and 644 for files, which prevent anonymous users from making changes to your site. You can view a detailed breakdown of the numeric permission system here.
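    The following script is an added example, not code from the original article: it audits a WordPress document root for the problems described in the last two sections (directories that are not 755, files that are not 644, anything world-writable, and a wp-config.php still inside the webroot), then repairs them. The document root path it takes as its first argument is an assumption about your layout.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a WordPress
# document root for the problems described above (directories that are
# not 755, files that are not 644, anything world-writable, and a
# wp-config.php still sitting inside the webroot), then repair them.
# The document root path passed as $1 is an assumption about your layout.

# Print every offending path; return 0 if clean, 1 if anything was flagged.
audit_wp_perms() {
    docroot="$1"
    status=0
    bad_dirs=$(find "$docroot" -type d ! -perm 755)
    bad_files=$(find "$docroot" -type f ! -perm 644)
    world_w=$(find "$docroot" -perm -002)   # 777/666: anyone can write
    [ -n "$bad_dirs" ]  && { printf 'directories not 755:\n%s\n' "$bad_dirs"; status=1; }
    [ -n "$bad_files" ] && { printf 'files not 644:\n%s\n' "$bad_files"; status=1; }
    [ -n "$world_w" ]   && { printf 'world-writable:\n%s\n' "$world_w"; status=1; }
    if [ -f "$docroot/wp-config.php" ]; then
        echo "wp-config.php is inside the document root; move it one level up"
        status=1
    fi
    return $status
}

# Reset the whole tree to the 755/644 layout the article recommends.
fix_wp_perms() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
}

# Move wp-config.php one directory above the document root, where
# WordPress looks automatically when the file is absent from the root.
hide_wp_config() {
    docroot="$1"
    [ -f "$docroot/wp-config.php" ] || return 0
    mv "$docroot/wp-config.php" "$docroot/../wp-config.php"
}

# Usage: sh wp-perms.sh /var/www/html   (the path is a placeholder)
if [ -n "$1" ] && [ -d "$1" ]; then
    audit_wp_perms "$1" || { fix_wp_perms "$1"; hide_wp_config "$1"; audit_wp_perms "$1"; }
fi
```

    Run the audit on its own first; it only reports, while the repair step rewrites permissions across the whole tree, so review the list before applying it on a host that needs a different owner or group layout.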

    Perform regular malware scans on your PC

    Your PC can compromise your site if it is infected with malware. For example, attackers may gain access to your FTP account, infect the site files stored on your PC, and then wait for you to upload them to your site, giving them access. If you use a PC to work on your blog, then your other security measures are irrelevant if and when hackers infiltrate that PC.

    Perform regular backups

    Even if your hosting company already does so, create your own backups and update them on a regular schedule. Some "sleeper" malware will lie dormant for months or years in an attempt to "outlive" the available backups. Having a deep history of backups will allow you to return to a clean version of your site without relying on your host's backup policies.

    Additional security measures

    This section highlights three additional security measures for your WordPress site. If you have a popular site or just want more safeguards, consider applying any or all of these recommendations.

    Use two-factor authentication

    Two-factor authentication adds an extra layer of security to your administrator panel login. Many exploits aim to reach the administrator panel in order to gain full control of the site.

    This measure can alleviate any worries you have about password-related WordPress security risks. Duo Security offers a cloud-based option for applying two-factor authentication to your WordPress site, so there is no need to install additional server software.

    Prevent search engines from indexing your admin login page

    This is easy, effective, and prevents anyone from finding a direct link to your login page simply by searching for your site. A Disallow rule only takes effect inside a User-agent group, so add the following lines to your robots.txt file:

    User-agent: *
    Disallow: /wp-admin/

    Hide your wp-content/plugins directory

    Hackers have a multitude of ways to expose your site's list of installed plug-ins, which they then use to search for exploits. In addition to removing unused plug-ins, you can hide your wp-content/plugins directory to keep such information private.

    To do so, place a blank index.html file within your wp-content/plugins directory; anyone attempting to view that directory in a web browser will then see a blank page instead of a directory listing.
