WordPress is one of the most popular content management systems (CMS) and powers millions of websites. But like any other system, it’s vulnerable to cyberattacks. In fact, according to Wordfence’s report from 2021, WordPress websites suffer more than 2,800 attacks per second.

The good news is that these attacks can be prevented. They’re often a result of neglecting to follow basic security best practices. We’ll show you 12 tips you can use to lock down your WordPress website and make it more secure.

adi goldstein eusvweosble unsplash
[Source: Unsplash]

1.    Make secure server hosting your priority.

Hosting a WordPress website on your own VPS is expensive and requires a great deal of technical knowledge. You’ll either need to become a sysadmin yourself or hire someone else to do it for you, which just doesn’t pay off.

It’s better to find a host that you can trust with your business and data. Here’s what you should look for:

  • Web application firewall (WAF). A web application firewall is basically a set of rules that are made to prevent malicious attacks before they happen. These rules are an essential part of WordPress security, as they act as a shield between the internet and your WordPress site. A WAF can help you prevent various types of attacks like SQL injections, distributed denial-of-service (DDoS) attacks, file inclusion and cross-site scripting (XSS).
  • Malware scanning. This is the second line of defense against malicious attacks. If WAF fails to prevent malware from reaching your website, a daily malware scan should be able to notice it quickly and prevent it from causing any further damage.
  • Account isolation. If you keep your website completely separate from other websites, no one will be able to hack your website just because someone else’s site got hacked. This means you should avoid shared hosting if possible.
  • Automatic updates. Having to think about updates is tiring and you’re bound to forget about it at some point. A secured WordPress host will allow you to enable automatic updates for your software and ensure a higher level of safety. This is something we’ll talk about more in the next few sections.

These plans offer more than just a secure server to host your website. They also include access to a personal support team and 24/7 site security monitoring, so you never have to worry about hackers or other cybercriminals attacking your site.

2.    Create backups.

Just as your computer and phone need a backup, so does your WordPress website. It’s kind of like insurance for your website. You could not only accidentally lose or delete important data, but hackers could also completely destroy the website and leave you with nothing to work with.

To avoid that, you need to regularly backup your website. Not once a month or once a week – ideally, you should create a new backup every single day. There are multiple ways for you to ensure this is done properly:

  • Using WordPress backup services. You can easily store your files using WordPress services. The monthly fee they charge is usually pretty low, so this is a pretty good option.
  • Using backup plugins. Backup plugins allow you to integrate with an external storage source like Amazon S3, Google Cloud Storage, Google Drive, or Dropbox.

Of course, you shouldn’t only backup your database, but also WordPress core files, media library, and plugin and theme files. Make sure this is done automatically so that you don’t forget about it.

3.    Update the PHP version.

The WordPress platform is written using PHP, which is both a programming and a scripting language. It’s a server-side language, which means that it runs on the server, not the user’s browser. Just like every other programming language, there are several versions of PHP you can use.

Just because you can use an older version doesn’t mean you should. Using a 7.1 version (or older) isn’t advised because it no longer receives active support. Typically, each major release of PHP is supported for two years, which means that bugs and security issues are fixed and patched regularly. Since this is no longer the case with versions like 7.1, 7.0, and 5.5, we advise you to update it to version 7.2, 7.3, or 7.4.

If you’re not sure which PHP version you’re currently on, you can go to the header request on your website, as most hosts include this information in that section. Some of them (such as Kinsta) remove this header for safety reasons, but you can always ask them. Of course, if you’re working with some of the top WordPress development companies, they will ensure you have the latest version of PHP and help you keep your website secure.

4.    Avoid simple passwords.

Unsurprisingly, most people are still using simple and obvious credentials. You should make sure your password is strong and unique. So, stay away from the following passwords:

  • 1234567890
  • qwerty
  • password
  • qwerty123
  • 1q2w3e
  • 111111

These and similar passwords (as well as those that contain your pet’s name, swear words, or your birthdate) are frequently used and will make the hacker’s job a piece of cake.

WordPress recommends using a combination of uppercase and lowercase letters, numbers, and symbols.

Your password should be more than eight characters long. Using a passphrase like “IWantToEatLasagnaTonight” along with a significant date is even better. You can also use an online password generator, but make sure to write it down as they include random letters and numbers that you’ll have trouble remembering on your own.

In fact, it’s best to change your WordPress password every few months to further reduce the risk of any breaches.

Also, avoid using the same passwords on multiple sites or services. If you reuse a password that has already been compromised, attackers could use it to access your website.

5.    Include two-factor authentication.

Sadly, no matter how complex and smart you are when setting your password, there is always a risk someone will discover it. To avoid that, we advise you to enable two-factor authentication.

Two-factor authentication means the user not only has to provide the right password but also insert a one-time passcode received in a text message, phone call or app. As the hacker is unlikely to have both your password and your phone, two-factor authentication is great for preventing brute force attacks. You can also combine it with changing the login page URL, as this will protect your website even better.

To enable two-factor authentication, you’ll need a plugin such as Duo Two-Factor Authentication or Google Authenticator. They also have apps for Android and iPhone you can install. Now all you have to do is set it up and you’re ready to go.

6.    Lock down your WordPress login.

Another great way to protect your website is to hide the entrance into the WordPress admin area.

Each WordPress website has a default login URL set to domain.com/wp-admin. Hackers know this as well, which means all they need to do is find out what your credentials are or use malicious redirecting, et voilà– they’re in.

To make it more difficult, all you need to do is download a plugin that allows you to change the login URL, such as the WPS Hide or Perfmatters plugin. Just like with your password, this is the time to be creative.

An additional step you can take is to limit login attempts. To do that, install a plugin such as Cerber Limit Login Attempts and use it to set up login attempts, lockout durations, and IP whitelists and blacklists. You can combine multiple options to secure your WordPress website even more effectively.

7.    Manage permission levels.

Permission levels are basically a set of permissions each user has in terms of managing your website and its data. If you want to maximize your website security, make sure not all users have the same permissions.

When it comes to WordPress, there are two types of permissions: file permissions and folder permission. There are also three levels for each type: read, write, and execute.

File permissions

  • Users with read permission are authorized to read the file.
  • Users with write permission are authorized to modify or write the file.
  • Users with execute permission are authorized to run or execute the file.

Folder permissions

  • Users with read permission are authorized to access the content of the folder.
  • Users with write permission are authorized to add or delete the files in the folder.
  • Users with execute permission are authorized to perform functions and commands, as well as delete the data within the folder.

To minimize the chances of any breaches, we advise you to set all file permissions to 644 or 640, except for the wp-config.php file which should be set to 440 or 400. As for folders, make sure to set all folder permissions to 755 or 750.

8.    Protect your wp-config.php file.

The file called wp-config.php is the heart of your WordPress website in terms of security. It contains your credentials and security keys which handle the encryption of information in cookies. As you can see, you need to protect this file at all costs. Here’s what you can do:

  • Change its location. By default, this file is stored in the web root directory of the WordPress installation. While some believe hackers must circumvent your server PHP interpreter to see that file, it can also happen as a result of misconfiguration on behalf of the admin.
  • Update security keys. Security keys represent a set of random variables used to improve the encryption of what’s stored in the users’ cookies. They are generated randomly when you install WordPress, but you should update them if you’ve purchased a website from someone else or have performed multiple migrations.
  • Limit permissions. If you don’t want other users to access this file, WordPress suggests that you set the permissions of the file to 440 or 400. This way, you’ll be the only one able to see it. If this doesn’t work, contact your hosting providers, as some of them have different permissions.

9.    Hide the WordPress version number.

The WordPress version number is a part of your WordPress site configuration. For this reason, other people shouldn’t be able to see it.

Basically, each update of WordPress consists of a list of changes and fixed bugs it includes. Everyone can see this list because it’s open to the public, which means hackers can see it too. This information will allow them to tweak their attack method in a way that allows them to use the weaknesses of each WordPress version.

If your coding skills are a bit rusty, you can simply install a plugin that will allow you to hide the WordPress version number. Download the WP Security Safe plugin, go to its settings and choose the privacy tab. Check the box that says Hide WordPress Version Publicly and save it.

That wasn’t so difficult, was it?

10.    Install a security plugin.

Installing a WordPress security plugin is yet another great extra step you can take to protect your website from cyber-attacks. These plugins are programmed to harden the website security while also blocking brute force attacks.

There are many WordPress security plugins you can choose from. Here are some features you should look for when choosing a plugin:

  • generate strong passwords
  • setup passwords to expire so that you need to reset them regularly
  • logging users’ activity
  • simple updates of WordPress security keys
  • two-factor authentication
  • IP whitelisting and blacklisting
  • option to monitor DNS changes
  • ability to view WHOIS information on visitors
  • malware scanning
  • security firewall
  • checksum utility.

Some well-known security plugins are Sucuri Security, iThemes Security, WordFence Security and WP Security Audit Log plugin. They have a large user base and are very reliable because the developers constantly push out new updates to keep up with the hackers and prevent them from successfully breaching WordPress websites.

11.    Disable file editing.

As you now know, if your website has multiple users the first thing you should do is limit the access other users have through permissions. No one should have administrator rights except for you. But, mistakes happen all the time.

For that reason, we also advise you to disable the “Appearance Editor” in the WordPress dashboard.

First things first, making direct edits in the Appearance Editor is a bad idea because even some small changes can leave you with a white screen of death. Performing all edits locally and uploading the file via FTP is a much better idea, so you don’t really need the Appearance Editor.

Also, the first thing hackers will do if they successfully hack your website is edit a PHP file or your theme using the Appearance Editor.

All that can be avoided if you simply disable this option. Just go to your wp-config.php file and place the following snippet: define(‘DISALLOW_FILE_EDIT’, true);

This will remove the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ abilities for all users.

12.    Keep your plugins and themes up to date.

Using the latest version of WordPress core, plugins, and themes helps you harden your WordPress security.

These updates are done for a reason. They often include security enhancements and bug fixes. According to the latest stats on AV-test, more than 17 million new pieces of malware are detected each month. Many people fail to remember to update their websites or believe that their site will break if they do it, but it’s quite the opposite.

Websites typically break because of bugs in older WordPress versions, not because of the new security patches included in the update. Many cyber-attacks are successfully performed simply because website admins fail to update their theme and plugins.

This is why setting the WordPress automatic updates option is the smartest choice you can make. This will help protect your website from security vulnerabilities, improve the usability of your website and help your business grow, without having to actively think about it.

To sum it up

Locking down your WordPress website doesn’t have to be difficult. Many of these methods will allow you to secure your website using just a couple of plugins. You can even combine them for extra safety.

So, which one of these did you like best – and are you going to use it on your website?


Zahid Aramai, Malaysia Freelance Website Designer

Zahid Aramai do help more than 500+ business owner's WordPress Website and currently he's doing an experiment with React Framework for headless WordPress. He rentlessly develop, design and manage client's website as well as fixing WordPress bugs. His #1 goal will always be to meet clients needs and business objective.

Latest Post

Ready to upgrade your website?

I build custom WordPress websites that look great, easy to manage and most importantly impactful design to your business.

.. Let’s talk