WordPress developers work hard to provide a secure, powerful system for creating websites. The system is robust, but there is always more you can do to secure WordPress.
In this tutorial, I’m going to show you some of the best WordPress security tips. Implementing them raises the cost of attacking your site. There’s no guarantee that your site will never be attacked, but these practices will help defend it.
Without further ado, here are several ways to secure WordPress beyond login credentials.
Method 1: Change Database Table Prefix Before Installation
WordPress uses a database table prefix of “wp_” by default, and every attacker and automated tool knows it. During the install process you can change the prefix to something unique.
Be clear about what this buys you. A custom prefix only breaks SQL injection payloads that hard-code the “wp_” table names. An attacker who can already run arbitrary SQL can read the real names from information_schema, so treat the prefix as a cheap speed bump, not as protection against injection itself.
If you use an installer such as Softaculous, it generates a random prefix for each installation by default (one site might get “wpts_” and another “wpep_”), so you get this hardening without changing any settings. If you prefer to pick your own, such as “gt76x_”, you can set it under “Advanced Options.”
You can also set the prefix by hand in wp-config.php, using an FTP/SFTP client such as FileZilla or cPanel’s File Manager. Before installation, edit the wp-config-sample.php file and change the “wp_” part of the $table_prefix line.
Do not simply edit that line on a site that is already running. The existing tables would have to be renamed as well, along with the prefixed option and meta keys WordPress stores inside them (wp_user_roles in the options table, wp_capabilities and wp_user_level in user meta); otherwise the site loses its tables and your account loses its role. On a live site, use a migration plugin or make the change deliberately in the database.
For example:
```php
$table_prefix = 'ffd4_';
```
That would change the prefix of your tables in WordPress during the installation. Rename the wp-config-sample.php file to wp-config.php and then run the WordPress installation normally.
Method 2: Use a Unique Username to Secure WordPress
Some people never change the default administrator username, “admin.” That hands an attacker half of the credentials; now all they need is the password. Always pick a non-obvious username when installing WordPress, but don’t count on it staying secret: WordPress exposes usernames through author archive URLs and the REST API, so the real strength still has to come from a long password (and two-factor authentication if you can add it).
But what if you already installed WordPress and are using “admin”? That’s easy to change, and I would advise you to do so immediately.
From the WordPress dashboard, click the User section.
The dashboard does not let you edit an existing username, so you need to create a new account. Click the “Add New” button at the top.
Create a new administrator account for yourself with a unique username. WordPress will not accept the same email address on two users, so you have two options:
- Edit the “admin” account first and change its address to a throwaway address. It doesn’t have to be a real mailbox, since you’ll be deleting the account in a moment. That frees your original address for the new account.
- Use a different email address for the new account.
Click the “Add New User” button on the bottom.
Log in to WordPress using your new admin credentials and check that you have administrative access to the entire site.
From the Users screen, hover your mouse over the old “admin” account and click the “Delete” link.
On the next screen, WordPress asks what to do with the content owned by that account. Choose “Attribute all content to” and select your new user; otherwise the old account’s posts and pages are deleted along with it. Then click the “Confirm Deletion” button.
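Two places where WordPress hands usernames to anonymous visitors undercut this method: a request for /?author=1 redirects to the author archive, whose URL slug is the user’s nicename (derived from the login name by default), and the REST API lists users who have published content at /wp-json/wp/v2/users. The snippet below is an added example written for this article, not code from the original page, from WordPress core or from any plugin. It assumes you place it in a must-use plugin (the file name hide-usernames.php is made up) or in the active theme’s functions.php, and the redirect destination, the home page, is an arbitrary choice.

```php
<?php
/**
 * Added example (not part of the original article or of WordPress itself):
 * stop WordPress from handing usernames to anonymous visitors. Drop this into
 * wp-content/mu-plugins/hide-usernames.php (the file name is an assumption)
 * or into the active theme's functions.php.
 */

// Leak 1: /?author=N redirects to /author/<nicename>/, and the nicename defaults
// to the login name. redirect_canonical() performs that redirect on the
// template_redirect action at priority 10, so hook in at priority 1 and send
// logged-out visitors to the home page instead (the destination is an
// arbitrary choice for this example).
add_action( 'template_redirect', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );

// Leak 2: the REST API lists users who have published content at
// /wp-json/wp/v2/users. Remove every route under /wp/v2/users from the
// route table unless the request is authenticated (a login cookie plus a
// valid REST nonce, or an application password), so the block editor and
// other logged-in tooling keep working.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

After adding it, check from a logged-out browser or with curl that /?author=1 no longer redirects to an author archive and that /wp-json/wp/v2/users returns a 404. The nicename still appears in byline links and in the author archive URL itself if your theme links to it, so give the account a nicename that differs from its login (for example with WP-CLI: wp user update <user> --user_nicename=<slug>).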
Method 3: Secure WordPress by Securing Your Local Computers
Local security, meaning the security of the computers you use to connect to your website, is a critical part of website security. We see a lot of website compromises that aren’t technically website “hacks” at all: the attacker simply logged in with valid FTP credentials.
They get those credentials from a keylogger or from the saved-password files of an FTP client on a computer infected with malware, or by capturing them in transit, since plain FTP sends the username and password unencrypted. Use SFTP or FTPS instead wherever your host offers it.
So one thing you can do to keep WordPress secure is to make sure the computers and devices you use to manage it are kept patched and malware-free as well.
Method 4: Perform Regular Backups
Keeping regular backups means a hack or a hardware failure costs you a restore rather than the whole site. It’s one of the most essential parts of maintaining any site, whether it’s an online store or a personal blog. Keep at least one copy somewhere other than the web server itself, because an attacker who controls the server can delete any backups stored on it, and test a restore occasionally so you know the copies are actually usable.
UpdraftPlus WordPress Backup Plugin
UpdraftPlus is an excellent option for creating backups. Not only does this plugin create copies of your files and database, it also integrates with cloud storage services. For instance, you can have UpdraftPlus save your backup copies directly to Dropbox or Google Drive as well as other services.
Method 5: Secure WordPress by Keeping Plugins, Themes and WordPress Updated
WordPress security best practices include keeping core, plugins and themes up to date, because a large share of WordPress compromises go through known, already-patched vulnerabilities in outdated plugins. WordPress applies minor core (security) releases automatically by default, and the dashboard lets you switch on automatic updates for individual plugins and themes; installers such as Softaculous can also manage updates for you. Otherwise, updating from the admin dashboard is nearly as easy.
Click the Update function when one becomes available and install it.
Method 6: Change the WordPress Login Error
When a login fails, WordPress tells you which part was wrong: it reports an unknown username differently from a wrong password for an existing user. That tells someone probing your site which usernames exist.
If you replace both messages with one generic error, a brute-force attacker can no longer confirm usernames through the login form. They may still discover them elsewhere (author archive URLs, for example), and a generic message does nothing to slow down password guessing itself, so pair it with a login-attempt limiter or two-factor authentication.
To change the login error, add this to the functions.php file of the theme you’re using. The original snippet used create_function(), which was deprecated in PHP 7.2 and removed in PHP 8, so a closure is used here instead:
```php
add_filter( 'login_errors', function () {
    return 'Error: Incorrect login';
} );
```
You can change the ‘Error: Incorrect login’ text to whatever message you’d like.
Method 7: Remove the WordPress Version Information
When attackers know which version of WordPress you’re running, they can go straight to the vulnerabilities published for that version.
It’s also easy to search for sites running a particular version with a known vulnerability. Removing the version number takes your site out of those cheap, search-driven sweeps. It does not make the version unknowable: anyone who looks can still fingerprint an install from the readme.html file in the site root or from the hashes of static files under wp-includes, which change between releases. So keep updating (Method 5) and treat this as denying the easy clue only.
The version number appears in the page source (the generator meta tag), in the RSS feed, and in the “?ver=” query string on core CSS and JavaScript files. It can be removed from all of those places with code in functions.php, but that is a bit more involved than changing the login error.
For that reason, many people use a plugin to remove the version information. Many general security plugins do this, and there are also standalone plugins such as WP Hide & Security Enhancer.
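If you would rather do it in functions.php than install a plugin, the following is an added example written for this article, not code from the original page, from WordPress core or from any plugin. It assumes a must-use plugin or the active theme’s functions.php, and the function name example_hide_asset_version is made up. It goes beyond the page’s description in one respect: rather than deleting the “?ver=” argument, which would also defeat browser cache busting, it swaps the version for an opaque, salted hash that still changes on every core update.

```php
<?php
/**
 * Added example (not part of the original article or of WordPress itself):
 * remove the WordPress version from the generator tag, from feeds and from
 * the ?ver= query string that core appends to its scripts and styles.
 * Drop into a must-use plugin or the active theme's functions.php.
 */

// The <meta name="generator"> tag in the page head and the <generator>
// element in RSS/Atom feeds both come from wp_generator() / the_generator().
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Replace ?ver=<core version> on enqueued assets. Deleting the argument
 * outright would also delete cache busting, so substitute an opaque value
 * that still changes whenever core is updated. Salting with one of the
 * site's own secrets keeps someone from recovering the version by hashing
 * the small set of possible version strings. (Function name is made up.)
 */
function example_hide_asset_version( $src, $handle ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    // Leave plugin and theme assets that carry their own version alone;
    // only assets stamped with the core version are rewritten.
    if ( ! isset( $args['ver'] ) || $args['ver'] !== get_bloginfo( 'version' ) ) {
        return $src;
    }
    $opaque = substr(
        hash( 'sha256', $handle . '|' . $args['ver'] . '|' . wp_salt( 'nonce' ) ),
        0,
        12
    );
    return add_query_arg( 'ver', $opaque, $src );
}
add_filter( 'style_loader_src', 'example_hide_asset_version', 10, 2 );
add_filter( 'script_loader_src', 'example_hide_asset_version', 10, 2 );
```

After activating it, view the page source of the home page: the generator meta tag should be gone and core assets such as wp-includes/js/jquery/jquery.min.js should carry a 12-character hex “ver=” value instead of the version number. Because the hash includes the handle, two assets with the same version get different values, which removes one more correlation an attacker could use.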
Method 8: Disable Theme and Plugin Editing
Many WordPress sites end up with a backdoor planted through the built-in theme and plugin editors. Once an attacker has an administrator session, whether from a stolen cookie or a guessed password, the editor lets them write arbitrary PHP into a theme file from the dashboard. We can disable the editors by adding a line to wp-config.php (located in the root directory of your WordPress installation).
Drop this in right before the “Stop Editing” line near the bottom of the file:
```php
define( 'DISALLOW_FILE_EDIT', true );
```
If you want to go further, setting DISALLOW_FILE_MODS to true as well also blocks installing, updating and deleting plugins and themes from the dashboard, which closes the “upload a malicious plugin zip” route too. The trade-off is that updates then have to be applied another way, for example with WP-CLI or your host’s tooling.
Method 9: Password Protect the wp-admin Folder
One good way to keep unwanted people from accessing your admin files is to password protect the folder. This is easy to do from the cPanel dashboard.
Click the “Directory Privacy” link or icon in the Files section.
Don’t password-protect the document root itself, or any folder that serves the public site. If you do, no one can visit the website without the password.
Click the “Settings” button on the far right.
Click the “Document Root for:” radio button and select your domain from the drop-down box.
Click the “wp-admin” link to open its settings.
Check the “Password protect this directory” box.
Create a username and password for accessing the admin folder. It will be separate from the WordPress login. Click the “Save” button to commit your changes.
Now anyone who tries to reach anything under wp-admin, including you, must first enter the directory’s username and password before WordPress’s own login applies. Two caveats: only use this over HTTPS, because HTTP basic authentication sends the credentials with every request, and be aware that front-end plugins often call wp-admin/admin-ajax.php on behalf of logged-out visitors, so those features will break unless your host lets you exempt that file.
Method 10: Set .htaccess Rules on wp-admin Folder
Another way to secure WordPress is to restrict access to the wp-admin folder by IP address with an .htaccess file. The only downside is that you may have to update the address periodically.
Unless your Internet service provider gives you a static IP, one that never changes, you will have to edit the .htaccess file whenever your address changes before you can reach the wp-admin folder again. Note that wp-login.php sits outside wp-admin, so this rule does not stop login attempts; it only protects the dashboard itself.
To create the .htaccess file, go to the “wp-admin” folder of your website through File Manager in cPanel.
Click the “+ File” function from the top toolbar.
Name the new file, “.htaccess” and click “Create New File.”
Add the following lines to the .htaccess file:
```apache
Order Deny,Allow
Deny from all
Allow from 203.0.113.5
```
Replace “203.0.113.5” with your own public IP address, the one your Internet service provider assigns to you. It is shown as the WAN or Internet address on your router’s status page, or you can ask your ISP’s customer support. A private address such as 192.168.x.x is only valid inside your home network and will never match at the server.
Click the “Save Changes” button on the editing screen in File Manager.
That is one of many ways you can restrict a folder with .htaccess. Remember that your address has to match the one in the file if you want direct access to the wp-admin folder. Two practical notes: on Apache 2.4 the Deny/Allow directives only work if the mod_access_compat module is loaded, and the native 2.4 form is a single “Require ip 203.0.113.5” line; and plugins that call admin-ajax.php for logged-out visitors will break unless you add a “<Files admin-ajax.php>” section containing “Allow from all” (or “Require all granted” on 2.4).
You can also place an .htaccess file in other folders throughout your website if you want to keep those sections locked down as well. However, editing every copy each time your IP changes can become time-consuming.
Method 11: Install Security Plugins
Perhaps one of the easiest ways to protect your website is to install one of the better WordPress security plugins. There are many to choose from; the good ones combine a web application firewall, a malware scanner for your files, and login protection such as attempt limiting and two-factor authentication.
Wordfence Security
One of the best WordPress security plugins you can install is Wordfence Security. This free tool comes with a range of functions, from file scanning to protecting the login screen of your website. It shields you from more than 44,000 threats and prevents known backdoor security holes. It’s free, so you’ve got nothing to lose by giving it a try.
A Secure WordPress Is a Happy WordPress
There’s no such thing as too much website security. It’s the nature of the Internet: we don’t ask if a website will be the target of an attack, but when.
Do your part to keep your files and content safe. Even some of the smallest additions can help secure WordPress.
What kind of plugins do you enjoy when it comes to protecting WordPress? How often do you create backups of your website?