Since WordPress is today’s leading CMS and blogging platform, hackers often target WordPress website security. Although getting a WP website up and running is fairly easy, you should also take all the necessary security precautions. Otherwise, all your website’s information – your company’s as well as your visitors’ – will be at risk. So today, let’s talk about the best security practices.
1. Enhance WordPress website security with regular updates
The most important thing you need to do is regularly update all your files and WordPress plugins. New security patches for WP and all the different plugins come out quite regularly. And having the latest version makes it much more difficult for cybercriminals to gain access to your site.
It doesn’t matter if these vulnerabilities are small and seemingly insignificant. Perform a thorough security overview and make sure you install all the latest updates. Any WordPress vulnerability is a liability. So don’t take any chances and do whatever you can on your part.
2. Secure your Admin Panel
The WordPress admin panel is the area where you can make all the changes on your site and perform actions. It’s important that you restrict admin panel access only to the people who need it. If your site has no user registration, website visitors don’t need access to /wp-login/ or /wp-admin/.
The next action is to look up your home IP address, which you can see on many sites such as “whatismyip.com”, and add the following lines to the /.htaccess/ file of your WordPress installation, replacing the placeholder address with your home IP address:
<Files wp-login.php>
    # Deny everyone first, then allow only the listed address.
    # Note: no space after the comma; on Apache 2.4 these directives need mod_access_compat.
    order deny,allow
    Deny from all
    Allow from xx.xxx.xxx.xxx
</Files>
To allow logins from several locations or computers, just add another “Allow from” line for each additional address. Do you switch locations constantly and use Wi-Fi networks? Then you want access to your admin panel regardless of IP address, so instead you should only allow a small number of login attempts.
This way you’re safe against anyone trying to guess your password by trying out as many variations as possible. Here’s how you do it. First, install the “WP Limit Login Attempts” plugin. Then choose how many times someone is able to enter the wrong password; if they exceed this, they’re locked out. By doing this, you’ll make your WP website far less vulnerable to hackers.
3. Avoid using an Admin Username
It may seem like an obvious thing to do, but a lot of people never change the default WP username, which gives hackers the opportunity to try and log in as “admin”. All they need to do is use software that guesses the password over and over again. This method is quite often successful, so avoid this rookie mistake and set a different username.
4. Strengthen your passwords
The same rule applies to passwords. Many people use simple phrases and insert the first thing that pops into their mind. No matter how unique you think your password is, a lot of people use similar passwords, and a hacker can easily figure this out. So give yours a little more thought.
Think about it this way: owners don’t think much about their passwords, but hackers think about what people use the most and manage to get their way. Make sure you use a sentence that’s characteristic to you and that you can remember easily. Take the first letter of each word, and then add numbers and symbols intermittently to increase its complexity.
5. Clean up malware and viruses
If your computer isn’t safe, then using it to log into your WordPress website will make the site vulnerable too. If you have malware or a virus on your computer, a hacker can quickly acquire your login details when you access your site, and they will then be able to access it just as easily, bypassing all of the security measures you set up.
Maybe you think that the biggest threats are online, direct attacks. But a lot of hackers create smart malware that sits on your computer for ages, stealing important info such as login details. This is why you need to make sure you install good anti-virus software, update it often and scan your computer regularly to ensure that your system is clean.
6. Perform a security check with Plesk’s WP Toolkit
Plesk’s WP Toolkit is a management dashboard through which you can easily install, configure and manage your WordPress with Plesk. It is available once you install the Plesk panel on your system. Here’s how you can use the Toolkit to perform a WordPress website security check.
WordPress content folder
There are many unsecured PHP files in the /wp-content/ folder that can damage a WordPress site if someone misuses them. After installing WordPress, PHP files can be executed directly from this directory. This security check verifies whether PHP file execution is forbidden there or not.
Bear in mind that any custom directives in /web.config/ or /.htaccess/ files can override this security measure. Additionally, be aware that some WordPress plugins can stop working when you secure the /wp-content/ folder.
There’s a lot of sensitive information, including database access credentials, within the wp-config.php file. After installing WordPress, the web server can execute the wp-config.php file; if PHP file processing is switched off on the web server, any competent hacker can obtain the contents of your wp-config.php file instead.
By using the security check, you’ll be able to block any unwanted access to this file. Moreover, you should know that either /web.config/ or /.htaccess/ can override this security measure too.
Directory browsing permissions
If directory browsing is on, it gives hackers the opportunity to acquire important website information, including how it’s built, which plugins it has, and so on. In Plesk, directory browsing is off by default, and by running a security check you also confirm that directory browsing is off.
Each WordPress installation uses identical nomenclature for database tables. If you only use the standard /wp_/ prefix for your database table names, the database structure won’t be secret, meaning everyone will be able to acquire information from it.
Therefore, the security check changes all the database table prefixes from the default /wp_/. It first deactivates plugins and turns on maintenance mode, then changes the prefixes within the configuration file and the database, re-activates the plugins and refreshes the permalink structure before it finally switches off maintenance mode.
Permissions for files and directories
If your permissions aren’t compliant with security policies, then all the files that fail to comply will be vulnerable. After the installation is finished, your directories and files may have differing permissions. By using a WordPress website security check, you can confirm that the permissions are properly set: 755 for directories, 600 for wp-config.php and 644 for all the other files.
Each WordPress version has its own security vulnerabilities. This is why you should avoid displaying which version you’re using, as hackers might know its weaknesses. Hackers can find your WordPress version in the /readme.html/ files and in the metadata of a page.
By performing a WordPress website security check, you can verify that all /readme.html/ files are empty. Plus, you can verify that all your themes have a /functions.php/ file that contains the line: remove_action('wp_head', 'wp_generator');
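As an added example, not code from this article or from the Plesk WP Toolkit, the following POSIX shell script performs the two file-level checks described above: the permission policy (755 for directories, 600 for wp-config.php, 644 for all other files, with a function that applies it) and the version-disclosure check (non-empty readme.html files, and theme functions.php files that do not remove the generator tag). The function names, the constructed sample tree with deliberate problems, and the reliance on GNU "stat -c" (with a BSD "stat -f" fallback) are all assumptions of this example, not anything from the Toolkit.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Plesk WP Toolkit code): audit a
# WordPress tree for the permission policy and version-disclosure items above.

# Octal permission bits of a path, e.g. "644" (GNU stat, BSD stat fallback).
wp_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Policy from the text: 755 for directories, 600 for wp-config.php, 644 otherwise.
wp_expected_mode() {
  if [ -d "$1" ]; then echo 755
  elif [ "$(basename "$1")" = "wp-config.php" ]; then echo 600
  else echo 644
  fi
}

# Prints "<actual> <expected> <path>" for every non-compliant entry below $1.
# The path comes last so that 'read' keeps paths containing spaces intact.
wp_check_perms() {
  find "$1" -mindepth 1 \( -type f -o -type d \) | while read -r p; do
    actual=$(wp_mode "$p"); expected=$(wp_expected_mode "$p")
    [ "$actual" = "$expected" ] || printf '%s %s %s\n' "$actual" "$expected" "$p"
  done
}

# Applies the policy to every entry wp_check_perms reports.
wp_fix_perms() {
  wp_check_perms "$1" | while read -r actual expected p; do chmod "$expected" "$p"; done
}

# Prints one line per version-disclosure finding:
#   readme <path>      a readme.html that is not empty
#   generator <path>   a theme functions.php that does not remove the generator tag
wp_check_version_leaks() {
  find "$1" -name readme.html -size +0c | while read -r p; do printf 'readme %s\n' "$p"; done
  for f in "$1"/wp-content/themes/*/functions.php; do
    [ -f "$f" ] || continue
    grep -Eq "remove_action\([[:space:]]*['\"]wp_head['\"][[:space:]]*,[[:space:]]*['\"]wp_generator['\"]" "$f" \
      || printf 'generator %s\n' "$f"
  done
}

# Constructed sample installation with deliberate problems (not a real site).
wp_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/good" "$d/wp-content/themes/bad"
  printf '<?php\n' > "$d/wp-config.php"
  printf '<?php\n' > "$d/index.php"
  printf 'WordPress readme\n' > "$d/readme.html"     # should be emptied
  printf "<?php remove_action('wp_head', 'wp_generator');\n" > "$d/wp-content/themes/good/functions.php"
  printf '<?php // generator tag still printed\n' > "$d/wp-content/themes/bad/functions.php"
  find "$d" -type d -exec chmod 755 {} +
  find "$d" -type f -exec chmod 644 {} +
  chmod 777 "$d/wp-content/uploads"   # too permissive
  chmod 644 "$d/wp-config.php"        # should be 600
  echo "$d"
}

# Usage on the sample tree: report, fix, and report again.
demo=$(wp_demo_tree)
echo "Permission findings:"; wp_check_perms "$demo"
wp_fix_perms "$demo"
echo "After fix:"; wp_check_perms "$demo"
echo "Version disclosure findings:"; wp_check_version_leaks "$demo"
rm -rf "$demo"
```

Run it against a real installation by calling wp_check_perms and wp_check_version_leaks with the WordPress root directory instead of the sample tree; the fix function only touches entries the check reports, so review its output before applying it on a site whose plugins need non-standard permissions.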
If you want, you can change security settings and see your security status. First, go to the S column located in Websites & Domains > WordPress and perform the following steps:
- Click on “Check Security” to see the security status of all your WordPress installations.
- If you want to secure a single installation, find the S column and click the icon next to that installation.
- If you want to check multiple installations, select their checkboxes on the side and click on the “Check Security” button.
- Finally, select the checkboxes for the security improvements you want to perform, and then click the “Secure” button.
These are the steps you need to adopt in order to ensure the highest level of WordPress website security. Bear in mind that these measures will still not make your site 100% secure, as there’s no such thing online. However, you’ll drastically reduce the chances of someone breaking into your site to steal your data and misuse it online.
Thank you for such a wonderful article. I am using Plesk Onyx for managing my Cloud Server and I have 4 WordPress websites installed on it. I have followed your article step by step and secured my WordPress websites. Thanks
Thank you for such a wonderful article. I will follow the provided steps.
If using the Plesk WordPress security is WordFence or Ithemes Security necessary?
Max, WordPress security as part of Plesk WordPress Toolkit was designed as an all-inclusive solution, negating the need for other third party products. We have an updated full featured article on WordPress Security right here: https://www.plesk.com/blog/various/wordpress-security-guide/ as of a month ago 🙂
Hi Javi, that article has a whole section on using the Sucuri plugin… which is a third party product. I’m not knocking Sucuri but surely Wordfence or Ithemes are viable alternatives and have features not currently part of the Plesk WP Toolkit (which I’m definitely a fan of)?