Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to build and maintain. What security is about is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, so that you improve your overall posture and reduce the odds of making yourself a target and subsequently getting hacked.

Website security is often a top concern for WordPress site owners and prospects. While 28 percent of all websites on the internet are powered by WordPress, because of its popularity the CMS is often targeted by hackers. However, that doesn’t mean your site has to fall victim to malicious behavior.

While no system is 100 percent hack-proof, there are certain measures you can take to prevent a hacked WordPress site. To reduce your chances of being affected by a disastrous brute-force or DDoS attack, read on for some of the most important WordPress security tasks you should implement right away to become more proactive against potential threats. To help you, we have put together a step-by-step guide made up of 15 useful pieces of advice.

15 WordPress Security Tips

Keep WordPress core, themes, and plugins up to date

The most common cause of a hacked WordPress website is an outdated component. Outdated plugins, themes, and core open the door to a compromise. When left un-updated, these outdated files are easy to fingerprint and make your site a target for outside intruders.

In fact, in one study 54 percent of reported WordPress security vulnerabilities belonged to outdated WordPress plugins (outdated WordPress core accounted for 37 percent and outdated WordPress themes accounted for 11 percent of vulnerabilities).

Ensuring your WordPress site is up to date is simple. When you see an orange notification in your WordPress dashboard next to plugins or themes, or a notification to upgrade WordPress, update immediately.

If your website is maintained by Media PRO Web Design Galway, we’ll automatically run these WordPress core updates for you, although you will need to be attentive with themes and plugins to update them accordingly to protect your website from malware. Consistently updating your plugins is key to any successful and secure WordPress site.

To help you manage your plugins with confidence, we advise you to install the WP Engine-created plugin called “Smart Plugin Manager”. Smart Plugin Manager is an automated solution that checks your plugins for updates nightly and ensures that when updates happen, your site doesn’t break.

How to configure automatic updates

If you’d rather not do it manually, you can configure automatic updates. To auto-upgrade WordPress core, insert this code into your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, add this filter to your theme’s functions.php file or to a plugin (add_filter() is not yet available when wp-config.php runs):

add_filter( 'auto_update_plugin', '__return_true' );

For themes, add this filter alongside it:

add_filter( 'auto_update_theme', '__return_true' );
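As an added example (my own code, not from the original post or from WP Engine), the same two filters can instead opt in only a vetted list of plugins and themes, and the updater’s results can be logged for review; the plugin and theme slugs are placeholders and the mpro_ function names are assumptions:

```php
<?php
// Added example, not part of the original post: auto-update only the plugins and themes
// you have vetted rather than all of them, and log what the background updater did.
// The slugs are constructed placeholders; replace them with what your site runs.
// Use from a must-use plugin or functions.php.

const MPRO_TRUSTED_PLUGINS = array(
    'akismet/akismet.php',                   // plugin basename: folder/main-file.php
    'example-security/example-security.php', // hypothetical plugin
);
const MPRO_TRUSTED_THEMES = array( 'twentytwentyfour' ); // theme directory name

/**
 * Called for each available plugin update. Returning true opts the plugin in;
 * returning $update keeps whatever WordPress decided by default.
 *
 * @param bool   $update Default decision.
 * @param object $item   Update offer; $item->plugin is the plugin basename.
 */
function mpro_auto_update_trusted_plugin( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, MPRO_TRUSTED_PLUGINS, true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'mpro_auto_update_trusted_plugin', 10, 2 );

/** Same for themes; here $item->theme is the theme directory name. */
function mpro_auto_update_trusted_theme( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, MPRO_TRUSTED_THEMES, true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_theme', 'mpro_auto_update_trusted_theme', 10, 2 );

/** After a background run, log one line per item so a silent failure is visible on review. */
function mpro_log_auto_updates( $results ) {
    foreach ( array( 'core', 'plugin', 'theme' ) as $type ) {
        if ( empty( $results[ $type ] ) ) {
            continue;
        }
        foreach ( $results[ $type ] as $result ) {
            $failed = is_wp_error( $result->result ) || ! $result->result;
            error_log( sprintf( '[auto-update] %s "%s": %s', $type, $result->name, $failed ? 'FAILED' : 'ok' ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'mpro_log_auto_updates' );
```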

To detect if a theme or plugin can be trusted or not, first, read its ratings. There you can find clues to whether there have been security breaches or issues in the past, like buggy updates.

You’ll also want to check when a plugin/theme was last updated. If a plugin or theme hasn’t received an update in some time (say, years), that inactivity is a sign you should look elsewhere.

In addition, analyzing a plugin or theme’s popularity is another way to better ensure you aren’t installing malicious code into your WordPress site.

A plugin/theme that’s widely popular isn’t necessarily less likely to be targeted by hackers, but it is more likely to receive security patches regularly because of its wide use.

Remove Unused Plugins and Themes

Over time, your WordPress site will require some housekeeping.

As you start to accumulate themes and plugins, you should go through and dispose of the ones you no longer use. Getting rid of unnecessary clutter is likely to make your site run faster, as well as remove security vulnerabilities from stagnant or outdated add-ons.

If using WordPress multisite, try using a plugin like Plugin Activation Status to perform a plugin audit and detect unused plugins across all sites in the multisite network.

See the codex on WordPress housekeeping for more information on how to remove unused plugins and themes.

Install a WordPress security plugin

Installing a WordPress security plugin is a no-brainer when it comes to enhancing the security of your site. To become more proactive against security threats, try installing one of these plugins to minimize any security vulnerabilities:

• Sucuri Security
• iThemes Security
• Bulletproof Security

Regularly backup your WordPress site

Even if you take the above security precautions (and the ones listed after) you should always backup your WordPress site.

Backing up your WordPress site is fairly easy to do by following the instructions WordPress provides. Or you can try a plugin like BackupBuddy, or any other backup plugin that you know works. You can also back up your site manually.

If it’s something you’d rather not have to worry about, WP Engine conducts automatic backups for you every day. That way you can roll back to your original site *should* you ever lose your site due to an outside invasion.

Enforce Strong Passwords and Usernames

We’re all guilty of using a password that’s simple to remember. But using an easy password, say one that contains your birth year, makes it easier for hackers to crack the code using brute force automated scripts, which continuously try to guess your password and username over and over.

To ensure your password is strong and secure enough, use a tool like Strong Password Generator or Strong Random Password Generator.

You should also force other users on your site to use a strong password. You can use a WordPress plugin like Force Strong Passwords to enforce strong passwords.
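An added example of enforcing such a policy without a plugin (my own code, not from the post or from the Force Strong Passwords plugin), hooking both the profile screen and the password-reset form; the length and character-class thresholds and the mpro_ names are assumptions:

```php
<?php
// Added example, not part of the original post: reject weak passwords when a user changes
// one on the profile screen or through the password-reset form (what the Force Strong
// Passwords plugin does). Policy values are assumptions; use from a must-use plugin.

const MPRO_MIN_PASSWORD_LENGTH = 12;

/** Return a reason the password fails the policy, or '' if it passes. */
function mpro_password_problem( $password, $username = '' ) {
    if ( strlen( $password ) < MPRO_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', MPRO_MIN_PASSWORD_LENGTH );
    }
    $classes = 0; // count the character classes used
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $pattern ) {
        $classes += preg_match( $pattern, $password ) ? 1 : 0;
    }
    if ( $classes < 3 ) {
        return 'Use at least three of: lowercase letters, uppercase letters, digits, symbols.';
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        return 'The password must not contain your username.';
    }
    return '';
}

/** Profile screen: $user->user_pass is only set when a new password was typed. */
function mpro_check_profile_password( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $why = mpro_password_problem( $user->user_pass, isset( $user->user_login ) ? $user->user_login : '' );
    if ( '' !== $why ) {
        $errors->add( 'weak_password', esc_html( $why ) );
    }
}
add_action( 'user_profile_update_errors', 'mpro_check_profile_password', 10, 3 );

/** Password-reset form: the new password arrives in $_POST['pass1']. */
function mpro_check_reset_password( $errors, $user ) {
    if ( ! isset( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return;
    }
    $why = mpro_password_problem( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( '' !== $why ) {
        $errors->add( 'weak_password', esc_html( $why ) );
    }
}
add_action( 'validate_password_reset', 'mpro_check_reset_password', 10, 2 );
```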

Use two-factor authentication

Enabling 2FA adds an extra layer of security to your login credentials. 2FA works by requiring a second factor of information that only you can give, like a code sent to your phone to verify your activity on a specific computer.

That way it’s harder for an intruder to steal your information if they log in through a different device.

Here are some WordPress plugins you can use for 2FA:

Change or omit the “admin” username

By default, WordPress gives the primary administrator account the username “admin”. Leaving the username as “admin” is an instant security threat to your site. If an attacker wants to crack the code, half of the puzzle is already solved and all that’s left to guess is your password.

Removing or changing the “admin” username is the next step to improving site security. To do this, simply go to the “users” section of the WordPress admin panel and rename or delete the “admin” account or username.

WP Engine does not allow the use of the “admin” username and will automatically remove it for you, replacing it with a “wpengine” account. This account is used by our support team. We implement special configurations to prevent attacks on the “wpengine” user account specifically.

Limit Login Attempts

WordPress doesn’t limit how many times someone can guess a password to log in. This presents a problem because determined hackers won’t give up: for example, a hacker could use a script to try different password combinations (a brute-force attack) until they’ve cracked the code.

To resolve this issue, you should limit login attempts. Here are some plugins built for limiting logins:

• Login Lockdown
• Limit Login Attempts
• Jetpack Protect

To prevent forgetful customers or employees from getting locked out, you can also whitelist certain IP addresses (Jetpack Protect is great for this).
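An added example of the same idea in code (my own, not from the post or from any of the plugins above): a transient-based lockout per username and client address, with the kind of IP allowlist mentioned for forgetful staff; the thresholds, the allowlisted address and the mpro_ names are assumptions:

```php
<?php
// Added example, not part of the original post: a small login rate limit built on
// WordPress transients. After MPRO_MAX_ATTEMPTS failures for one username from one
// address, logins for that pair are refused for MPRO_LOCKOUT_SECONDS, even with the
// right password. Allowlisted addresses are never locked out. Values are placeholders.

const MPRO_MAX_ATTEMPTS    = 5;
const MPRO_LOCKOUT_SECONDS = 900; // 15 minutes
const MPRO_ALLOWLIST       = array( '203.0.113.10' ); // e.g. your office address

/** Client address. REMOTE_ADDR only: forwarded headers can be forged unless a trusted proxy sets them. */
function mpro_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key for one (username, address) pair; hashed to keep it short and safe. */
function mpro_attempt_key( $username ) {
    return 'mpro_login_' . md5( strtolower( $username ) . '|' . mpro_client_ip() );
}

/** Count a failure. wp_authenticate() fires this on every bad login, XML-RPC included. */
function mpro_record_failed_login( $username ) {
    $key   = mpro_attempt_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, MPRO_LOCKOUT_SECONDS ); // each failure restarts the window
    if ( MPRO_MAX_ATTEMPTS === $count ) {
        error_log( sprintf( '[login] lockout user=%s ip=%s', $username, mpro_client_ip() ) );
    }
}
add_action( 'wp_login_failed', 'mpro_record_failed_login' );

/** Priority 40 runs after WordPress's own password check (20), so a locked pair is refused even with valid credentials. */
function mpro_refuse_locked_login( $user, $username ) {
    if ( '' === $username || in_array( mpro_client_ip(), MPRO_ALLOWLIST, true ) ) {
        return $user;
    }
    if ( (int) get_transient( mpro_attempt_key( $username ) ) >= MPRO_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again in 15 minutes.' );
    }
    return $user;
}
add_filter( 'authenticate', 'mpro_refuse_locked_login', 40, 2 );

/** A successful login clears the counter; the e-mail key covers users who sign in by e-mail. */
function mpro_clear_failed_logins( $user_login, $user ) {
    delete_transient( mpro_attempt_key( $user_login ) );
    delete_transient( mpro_attempt_key( $user->user_email ) );
}
add_action( 'wp_login', 'mpro_clear_failed_logins', 10, 2 );
```

Use it from a must-use plugin or functions.php; behind a reverse proxy, replace mpro_client_ip() with the address your proxy is configured to pass through, or every visitor will share one counter.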

Use SSL for data security

Enabling SSL is the next crucial step to a more secure site. SSL (Secure Sockets Layer; its successor TLS has long replaced it, but the name SSL has stuck) encrypts all information sent to and from your site. That way the private data visitors share with your site stays private.

Using SSL ensures that hackers can’t read or tamper with the data your users exchange with your site while it is in transit. The encrypted tunnel SSL creates is especially important for sensitive information, like credit card numbers, usernames, and passwords.

Identifying whether or not a site uses SSL is simple. A site with SSL will start with HTTPS in the URL address, while a site without it will begin with HTTP.

An SSL certificate helps a user’s browser verify that they are not only accessing a secure website, but the certificate is also genuine and linked to the domain/website that was requested by the user.

With Media PRO, all customers are encouraged to obtain a free SSL certificate with Let’s Encrypt.

Hide Your WordPress Version

If you defer WordPress updates, you should consider hiding your WordPress version, because it leaves footprints that tell an attacker useful information about your site (which version, and therefore which known bugs, it is running).

There are three areas where your WordPress version number is exposed:

1. The generator meta tag in the header:

<meta name="generator" content="WordPress 4.0" />

2. Query strings on scripts and styles:

subscriptions.css?ver=4.0

3. Generator tag in RSS feeds:

http://wordpress.org/?v=4.0

To get rid of your WordPress version number in all three areas, add this code to your functions.php file:

/**
 * Hide the WP version string from script and style URLs.
 *
 * @param string $src Asset URL as built by WordPress.
 * @return string URL with the ?ver= argument removed when it equals the core version.
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when there is no query string; cast so parse_str() accepts it.
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/* Hide the WP version from the generator meta tag and the RSS generator tag */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );

In addition, you should also make sure your readme.html file is removed from your install, as this exposes your version number.

At Media PRO Website Design, we prevent access to this file on our platform to make fingerprinting WordPress versions more difficult.

Relocate or rename login page

To make your site more bulletproof, relocating your login page is worth the effort. Not only does it help hide the fact that you’re on WordPress, it also cuts down the automated brute-force attempts aimed at the default login page.

If someone were trying to hack your WordPress site and came across a 404 error upon requesting the default login page, say www.mysite.com/wp-login.php, they’d likely be deterred from breaking in.

Try using a plugin like Rename wp-login.php or Move Login to assist in moving or renaming your login page. But before you take this action, do be sure to talk to your web host or developer to ensure the steps you are taking are correct.

Secure the wp-config file

The wp-config.php file contains your website’s base configuration details, like database connection information. To protect wp-config.php from being fetched over the web, add the following block to the .htaccess file in your WordPress root; it denies access to anyone requesting the file directly:

<files wp-config.php>
order allow,deny
deny from all
</files>

On Apache 2.4 without mod_access_compat, the two order/deny lines are replaced by a single Require all denied directive inside the same block.

For more information on moving the wp-config file, see the WordPress codex.

Use A Secure Hosting Environment

You can follow all of the security measures above; however, if you don’t invest in a secure hosting provider, these efforts can all be for nothing.

Secure hosting with WP Engine addresses many of the above tasks (daily backups, 2FA, etc.) with its proprietary security technology.

Here are just some of the security benefits Irish-Hosting’s enterprise-grade infrastructure provides:

Automatic updates to new versions of WordPress

As soon as a new version of WordPress rolls out, we automatically upgrade your site for you so it contains the latest security patches.

Blocks potential hacks as they occur

Our platform contains real-time security threat detection. We have the technology to block even the most sophisticated hacks, like JavaScript/SQL injection and XML-RPC attacks, along with garden-variety DDoS and brute-force attacks.

This technology also blocks IP addresses identified as belonging to spammers or hackers.

Periodic security audits and code reviews

WP Engine conducts periodic code reviews and security audits of our infrastructure. We also partner with outside security businesses to ensure we offer the best possible security measures in the industry.

High-performance, secure technology stacks

Securing your web environment requires proper server configuration. Our software stack includes provisions to ensure optimal WordPress performance, including disk write limitations and protection against scripts known to contain vulnerabilities. We also implement PHP tuning to disallow dangerous or insecure commands.