WordPress security is the most important thing to consider if your website is how you earn your livelihood.
You may be wondering how to secure your WordPress site from hacking. Don’t worry: here WPressBlog provides more than 14 ways to secure your WordPress website.
For the record, WordPress is a more secure platform for creating a website than other platforms, but you can still improve your WordPress security using the techniques given below.
Go through all of the following and implement them on your WordPress website to harden its security.
In this article, you will learn:
- Ways To Secure Your WordPress Website
- 1. Keep your computer safe from virus
- 2. Use a quality hosting provider
- 3. Don’t use “Admin” as your administrator username
- 4. Keep your WordPress and its components updated
- 5. Download WordPress Themes and Plugins only from known sources
- 6. Limit WordPress login attempts
- 7. Disable pingbacks and trackbacks
- 8. Use two-factor authentication for login
- 9. Disable the theme and plugin editor
- 10. Disable PHP Error Reporting
- 11. Prevent PHP files from being executed
- 12. Disable directory indexing and browsing
- 13. Disable XML-RPC
- 14. Take Backup Regularly
Ways To Secure Your WordPress Website
1. Keep your computer safe from virus
Before securing your WordPress website, clean your own computer, and keep it safe in the future by installing antivirus software on it.
Don’t use public Wi-Fi. On public Wi-Fi there is a good chance that your credentials will be tracked, so never use it.
Always use FTPS to access your server instead of FTP.
2. Use a quality hosting provider
Most attacks come through hosting, so always choose a quality hosting provider for your website. A quality hosting provider comes with a firewall, CDN, malware scanning, and the latest PHP and MySQL technologies.
You can use hosting providers like Bluehost and SiteGround, which protect your website from common malware.
3. Don’t use “Admin” as your administrator username
“Admin” is the common username for the administrator account created at WordPress installation time, so a hacker can easily try to hack your website using admin as the username.
To change the username, create a new user with a unique username, then give it full administrator rights. See the complete guide on how to change the admin username (3 different ways to change the username).
If your blog posts were published using the old admin account, assign all of them to the new admin account.
After assigning all the blog posts to the new admin user, delete the old admin account.
This technique makes it a little harder for hackers to hack your website.
Also, use a strong password for your admin account. You can use a service like Password Generator to create a strong password.
4. Keep your WordPress and its components updated
Always keep your WordPress updated. Whenever a bug or issue appears, WordPress releases a new version, so whenever you see that a new WordPress version is available, update to it.
The same thing happens with plugins and themes. Keep all these components updated to keep your WordPress website safe.
5. Download WordPress Themes and Plugins only from known sources
All WordPress users are using plugins to manage their websites. Plugins are available to download from many places online. Don’t download any plugin from external sources. You can download required plugins from the WordPress directory and only from known sources.
A plugin from external sources can damage your website without letting you know about it.
Also, keep only the plugins you need and remove the rest, because extra plugins affect the speed of your website.
6. Limit WordPress login attempts
Given enough tries at logging in to your WordPress, a hacker can get into your website. To avoid this, limit the number of login attempts.
You can do this by installing the Login LockDown plugin. It lets you set how many times a user may try to log in. After all of those attempts fail, that user’s IP is blocked automatically, either temporarily or permanently.
7. Disable pingbacks and trackbacks
Using pingbacks and trackbacks, hackers can cause DDoS attacks on your website. To avoid this, disable pingbacks and trackbacks: go to WordPress Settings > Discussion and uncheck the option for trackbacks.
8. Use two-factor authentication for login
Two-factor authentication helps you to increase your website security. By using two-factor authentication, whenever anyone wants to log in to your WordPress, a passcode will be sent to your mobile number.
So without your permission, no one can enter your WordPress dashboard.
You can implement this technique by using the following plugins:
9. Disable the theme and plugin editor
WordPress has a built-in theme and plugin editor, through which a user with access to your WordPress dashboard can damage your website without accessing the server.
You can disable these editors from the wp-config.php file. Find the following line in the wp-config.php file and change “false” to “true”. If you can’t find the following line then you can add it in the file.
10. Disable PHP Error Reporting
Whenever a theme or plugin fails to work properly, an error message appears at the top of the website where any user can see it. This message contains the path of the error, and a hacker can take advantage of this.
To stop these error messages from being shown on your website, add the following two lines to the wp-config.php file.
If the error is still visible on your website, contact your hosting provider.
11. Prevent PHP files from being executed
A hacker can use directories like “/wp-content/uploads” and “/wp-includes/” to upload malware. To prevent any code in those directories from being executed, create a text file named “.htaccess” and add the following code to it.
<Files *.php>
deny from all
</Files>
Save the file, then copy it to both of the directories above. That’s it.
12. Disable directory indexing and browsing
With directory browsing, a hacker can find out where he can get access easily. Any user can also learn the structure of your website through directory browsing. It is therefore recommended to disable directory browsing and indexing.
To do this, add the following line at the end of the .htaccess file.
13. Disable XML-RPC
Using XML-RPC, a hacker can try thousands of passwords in just around 40 requests. I therefore recommend disabling XML-RPC if you are not using it. To disable XML-RPC, copy the following code and paste it into your .htaccess file.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
deny from all
# Address that keeps access to xmlrpc.php
allow from 188.8.131.52
</Files>
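The settings from sections 9, 11, 12 and 13 can be checked after the fact. The following is an added example, not code from the original article: a shell audit that reports whether a WordPress tree carries them. It assumes Apache .htaccess files, the standard WordPress constant DISALLOW_FILE_EDIT for section 9 and the Apache directive Options -Indexes for section 12; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the settings in sections 9, 11, 12 and 13.

# has <file> <regex>: true if some line of the file matches (extended, case-insensitive).
has() { [ -f "$1" ] && grep -Eiq "$2" "$1"; }

# php_blocked <dir>: the directory's .htaccess has a <Files *.php> block and a deny rule.
php_blocked() {
    has "$1/.htaccess" '^[[:space:]]*<Files[[:space:]]+"?\*\.php"?>' &&
    has "$1/.htaccess" '^[[:space:]]*(deny from all|Require all denied)'
}

# editor_off <root>: wp-config.php sets DISALLOW_FILE_EDIT to true. The pattern is
# anchored at line start, so a commented-out define() does not count.
editor_off() {
    has "$1/wp-config.php" \
        "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# report <label> <check> <args...>: run the check, print PASS or FAIL, count failures.
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# audit_wp <root>: one line per check; exit status 0 only if every check passes.
audit_wp() {
    root=$1; fails=0
    report "9 theme/plugin editor disabled" editor_off "$root"
    report "11 no PHP in wp-content/uploads" php_blocked "$root/wp-content/uploads"
    report "11 no PHP in wp-includes" php_blocked "$root/wp-includes"
    report "12 directory indexing off" has "$root/.htaccess" '^[[:space:]]*Options[[:space:]].*-Indexes'
    report "13 xmlrpc.php restricted" has "$root/.htaccess" '^[[:space:]]*<Files[[:space:]]+"?xmlrpc\.php"?>'
    [ "$fails" -eq 0 ]
}

# make_sample <dir>: build a constructed, hardened tree (not a real site) to audit.
make_sample() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$1/wp-config.php"
    printf '<Files *.php>\ndeny from all\n</Files>\n' > "$1/wp-content/uploads/.htaccess"
    cp "$1/wp-content/uploads/.htaccess" "$1/wp-includes/.htaccess"
    printf 'Options -Indexes\n<Files xmlrpc.php>\ndeny from all\n</Files>\n' > "$1/.htaccess"
}

demo=$(mktemp -d); make_sample "$demo"; audit_wp "$demo"; rm -rf "$demo"
```

Run `audit_wp /path/to/wordpress` against your own installation; a non-zero exit status means at least one check printed FAIL.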
14. Take Backup Regularly
Even after you have secured your website using all of the above steps, hackers may still find a mistake in your setup and hack your website.
In this situation, only a good backup will help you to restore your website. So always take a backup of your website regularly.
To take a backup of your site, you can use the following plugins:
You can also install one of these best WordPress security plugins to protect your website.
You can use all the techniques mentioned above to secure your WordPress site. It will take only a few minutes to implement on your site and you can make your website secure.
If you are using any other ways to secure your website that are not listed above, please let us know in the comment section.