A Beginner's Guide to Hardening WordPress Security

13 Ways to Harden a WordPress Site · 1. Install an SSL certificate · 2. Use strong passwords · 3. Use Two Factor Authentication (2FA) · 4. Limit ... Wordpress ABeginner’sGuidetoHardeningWordPressSecurity By PasqualeMellone NoComments 24Jun TherearemultiplereasonswhywebsiteownersandmanagersloveWordPress.Butthereisonebigreasonwhyevenhackersloveit:itspopularity. HackersareconstantlylookingforwaystobreakintoWordPresswebsites.Thankfully,therearesomestepsyoucantaketoprotectyourwebsitefromsuchthreats.WordPresshardeningisaprovenwaytomakeitharderforhackerstoattackyourwebsite. So,whatisWordPresshardening?HowcanyouhardenWordPresssites?Howhardisittodo? ThiscompleteWordPresshardeningguidewillhelpyouunderstandallthisandmore. Contents hide 13WaystoHardenaWordPressSite 1.InstallanSSLcertificate 2.Usestrongpasswords 3.UseTwoFactorAuthentication(2FA) 4.Limitloginattempts 5.SetupaWPfirewall 6.UseaWPsecurityplugin 7.BlockPHPexecutioninuntrustedfolders 8.Disablethefileeditor 9.Changesecuritykeys 10.SecureWP-Admin 11.Securewp-config.phpfile 12.Assignuserrolesandpermissionscarefully 13.Changethedefaultusernamefrom‘admin’ Overtoyou Don’tmissourweeklyposts! 13WaystoHardenaWordPressSite Beforewedivein,whatisWordPresshardening?Simplyput,itisasetofstepsthatfortifyaWordPresswebsitetoprotectitfrommalwareandattacks. HowtohardenyourWordPresssite Inthisarticleare13provenwaystohardenyourWordPresswebsite. Soundsoverwhelming? Let’sstartwithsixeasywaysofsitehardeningthatdonotneeddeeptechnicalorWordPressknow-how. 1.InstallanSSLcertificate ShortforSecureSocketLayer,anSSLcertificatemovesitfromthepreviousHTTPnotationtothemoresecureHTTPSnotation(withthesecurepadlock).Thisensuresthatallthedatabetweenyouruser’sbrowserandyourwebsiteisencrypted,andtherefore,safe.EvenGooglerecommendsthateverywebsitehasanSSLcertificateforthesecurityofitsusers.   HowcanyoumoveyoursitetoHTTPS? AllyouneedtodoisinstallanSSLpluginlikeLet’sEncryptonyourWordPresssite,andyouareallset. 2.Usestrongpasswords ThisisprobablytheeasiestandmosteffectivewayofhardeningWordPresswebsites.EnsurethatallyourusersincludingyourWordPressadministratorsconfigureloginpasswordsthatareatleasteightcharacterslongandhaveacombinationofupper-&lower-casealphabets,numbers,andspecialcharacters.  YoucanalsoinstallapasswordmanagementtoollikeLastPasstoautomaticallygenerateandstorestrongpasswords.Additionally,makesuretoregularlychangealluserpasswords,sayeverythreemonths. Seealso HowtoSupportUkrainewithYourWordpressWebsite3.UseTwoFactorAuthentication(2FA) WPhardeningisnotcompletewithoutprotectingyourloginpagefrombruteforceattacks.Two-FactorAuthenticationisaprovenmethodforsecuringanyWordPressloginpage.With2FA,userssigningintotheiraccounthavetogothrougha2-stepverificationprocessof: First,enteringthecorrectuserusernameandpassword Enteringauniqueverificationcodethatissenttotheirmobiledevice. Howdoyouenable2FA?ForWordPresssites,installa2FApluginlikeGoogleAuthenticator.  4.Limitloginattempts Bydefault,WordPressallowsanunlimitednumberofloginattempts,whichiswhatbruteforceattackstakeadvantageof.YoucanhardenWordPressloginpagesbylimitingthenumberoffailedattempts. Toenablethis,youcaneitherusetheLimitLoginAttemptsReloadedWordPresspluginorusesecuritypluginslikeMalCarethathavein-builtloginpageprotection.  YoucanevenlimitattacksbyhidingyourWordPressloginpage. 5.SetupaWPfirewall WordPressfirewallsblockanyhackerbeforetheycangainforcedentryintoyourwebsite.AfirewallcantrackmaliciousIPaddressesorthoseusedbyhackersacrosstheglobeandblockanyIPrequestsentfromtheseaddresses. WanttoknowhowtohardenWordPresssiteswithfirewalls?PopularWordPresssecurityplugins,likeMalCare,haveanin-builtwebapplicationfirewallthatcaneasilybeenabledforyoursite. 6.UseaWPsecurityplugin SecuritypluginsarethebestwaytodetectandfixcurrentissuesaswellaspreventfutureattacksonyourWordPresssite.SincetheyaredevelopedexclusivelyforWordPress,theydetectsecurityissuesthatareadvanced,lesser-known,oreasyforyoutomiss.  WordPresshardeningpluginslikeMalCareorSucuricombinemultiplesecuritypracticesso youcanhardenyourwebsiteinjustafewclicks.Forinstance,MalCare,inadditiontomalwarescanningandautomatedmalwareremoval,alsohasanin-built2FAfeature,firewallprotection,andaneasywaytoupdateyourWordPressplugins,themes,andcoreacrossmultiplewebsites.   Installingasecuritypluginisthebestwaytotakechargeofyourwebsitesecuritywithouthavingtodependontechnicalexperts. ThiscompletesourlistofthesixeasywaystorunWordPresshardening.  Now,let’stakealookatsevenslightlyadvancedwaystohardenWordPresssecuritythatwillbolsteryourwebsitesecurity. 7.BlockPHPexecutioninuntrustedfolders Whilethisisslightlytechnical,itisfairlysimple.Hackers,aftergainingcontrolofyourwebsite,ofteninserttheirmaliciousPHPfunctionstodamageyourbackendfiles.WhatyouneedtodoisblocktheexecutionofanyPHPfilesfromanyunknownfoldersofyourWordPressinstallation.  Seealso HowtoRecoverWordpressAdditionalCSSin2022Howcanyoudothis?Locatethe.htaccessfileinyourWordPressinstallationandpastethefollowingcodewiththehelpofatexteditortool: denyfromall 8.Disablethefileeditor ApartfrominsertingtheirPHPfunctions,hackerscaneasilymodifybackendfilesandplugins/themesoncetheygaincontrolofyourwebsite.Then,theylaunchattackslikeSQLinjectionsandspamhacksbyinsertingtheirmaliciouscodeorscriptsusingyourFileEditortool.Theseattacksloweryourwebsite’scredibility,driveyourusersaway,andevendamageyourSEOrankings.  Thebestguardagainstsuchattacksistodisableyourfileeditortool.Toperformthisstep,openthewp-config.phpfileinyourWordPressinstallationandinsertthefollowingcode: define(‘DISALLOW_FILE_EDIT’,true); 9.Changesecuritykeys WordPresssitesoftenstoreusercredentialssothatregisteredusersdon’thavetokeepenteringtheirusernameandpasswordeachtimetheyaccesstheirloginaccounts.Tosecurethesecredentials,WordPressstorestheminencryptedforminsteadofplaintext.  Securitykeysarerandomvariablesthatareusedtoencryptthesecredentials.Hackerstrytogaincontrolofthesesecuritykeystodecrypttheusercredentialsandgainillegalaccesstoaccounts. AsaneffectiveWordPresshardeningmeasure,itisagoodpracticetochangethesesecuritykeysregularly.Todothis,youcanusetheSecretKeylinktogenerateyoursecuritykeysandtheninsertthemintothesecret-keysectionofyourwp-config.phpfile. 10.SecureWP-Admin HackersoftenusebotstotargetattacksontheWordPressAdminpage(/wp-admin).Thisiswhyyouradminpanelhastohaveanextralayerofsecurity.   Thebestwayofsecuringyourwp-adminpanelistoinstalltheSSLcertificatefirstandthenaddthefollowingcodetothewp-config.phpfileofyourWordPressinstallation: define(‘FORCE_SSL_ADMIN’,true); Whilethisstepmaylooksimple,itcanleadtoplugin-relatedcomplicationslater;werecommendthatyoudothiswiththesupportofaWordPresstechnicalexpert. 11.Securewp-config.phpfile Aswehaveseeninsomeoftheprevioussteps,hackersoftentrytocontrolwebsitesthroughthecrucialwp-config.phpfile.TohardenWordPress,youmustprotectthewp-configPHPfileatallcosts. Seealso WeeklyRoundup,March21-252022  Herearesomewaysbywhichyoucansecurethewp-config.phpfileinyourWordPressinstallation: Hidethefilebymovingitfromitscurrentinstallationfoldertoonelevelupsothathackerscannotlocateitatthedefaultlocation.  Denyaccesstothewp-config.phpfilebyaddingthefollowingcodetothe.htaccessfile: orderallow,deny denyfromall   12.Assignuserrolesandpermissionscarefully  Typically,hackerstrytobreakintoaccountsofWordPressadministratorsastheyhavethehighestlevelsofpermissions.Oncetheygaincontrolofanadminaccount,hackerscaninflictmaximumdamagecomparedtobreakingintouseraccountswithlesserprivileges. ApartfromSuperAdminandAdministratorroles,WordPresssupportsfourotheruserroles—includingEditor,Author,Contributor,andSubscriber—thathavelowerprivileges. Toimplementleastprivilegepermissions,limitthenumberofadministrators,andassignlowerrolestootherusers.Bylimitingthenumberofadminusers,youcanminimizethedamagecausedbyhackerseveniftheymanageasuccessfulhack. 13.Changethedefaultusernamefrom‘admin’ MostWordPresswebsitescontinuetousethedefaultusername,suchas‘admin’or‘webmaster’,foradministrators.Thismakesiteasierforhackerstoguesstheadministratorcredentialsandlaunchattacksontheadminaccounts. YoucanhardenWordPressadminaccountsbychangingthedefaultadministratoraccountnamethatishardertoguess.Youcanperformthistask: ThroughthephpMyAdminSQLtool. OrbyrunningthefollowingcommandonanyMySQLclient: UPDATEwp_usersSETuser_login=‘newuser’WHEREuser_login=‘admin’; Overtoyou It’simportanttorememberthatwebsitesecurityisanongoingprocessashackersarealwaysthinkingupnewwaystoattackanddamagesites.Ifyou’relookingforasimplewaytohandleWordPresssecurity,securitypluginslikeMalCaredoagreatjobofcombiningmostoftheWordPresshardeningstepsfromthisarticlewithwaystodetectevenlesser-knownmalwareortypesofattacks.  WehopethisWordPresshardeningguidemakesimplementing WordPresssecurityeasierandsimplerforyou.Letusknowyourfeedbackinthecommentsbelow.   FeatureimagebyAndrasVasonUnsplash Pleaseleavethisfieldempty Don’tmissourweeklyposts! Wedon’tspam!Readourprivacypolicyformoreinfo. Checkyourinboxorspamfoldertoconfirmyoursubscription. share: NoComments TAGS:maintenancemalcaresecuritysslwebsitewordpress PasqualeMellone PasqualeisFounderatIncreasily.com,aH2HmarketingagencybasedinDublin,Ireland;andCo-FounderatluxuryecommercemarketplaceThesidebe.com.PasqualehasworkedinDigitalMarketingandAccountManagementsince2004.HecurrentlylivesinDublinwithhiswife,stepdaughterandcat. RelatedPost 28Jan HowtoHidetheWordPressLoginPage(3EasySteps 08Jul MostImportantWordPressPluginsin2021 06Jan HowtoDowngradeaWordPressPlugin(EasyTutorial LeaveaCommentCancelreply Savemyname,email,andwebsiteinthisbrowserforthenexttimeIcomment.  Yes,addmetoyourmailinglist. Δ FollowUsOn SearchOurBlog WeeklyNewsletter PleaseleavethisfieldemptySign-upforfreeweeklyarticles Checkyourinboxorspamfoldertoconfirmyoursubscription. BrowsebyCategory CaseStudy(1) Client(17) Community(7) Facebook(6) FAQs(2) Fonts(1) Gallery(1) GraphicDesign(2) Guides(16) H2H(7) Instagram(8) Lists(1) Marketing(28) News(114) Quotes(2) Security(1) SEO(20) Services(7) Shopify(21) SocialMedia(6) Stories(7) TikTok(1) Tutorial(15) Uncategorised(22) WebDesign(2) WebMaintenance(3) Whatsapp(1) Wordpress(14) RecentPosts AYearfromNowYouWillWishYouHadStartedToday[QUOTE] 31March2022 Downsyndromecentre.ie[NEWWEBSITELAUNCHED] 30March2022 HowtoSolveElementor3.6FatalError(EasyStep-by-Step) 29March2022 H1TagandSEO:EasyandCompleteGuidefor2022 28March2022 WeeklyRoundup,March21-252022 25March2022 RecentComments HowtoAccessFacebookBusinessSuite(Revisedfor2022) PasqualeMellone HowtoAccessFacebookBusinessSuite(Revisedfor2022) Stephen SEONewsWeeklyRoundup7-11June2021 Kshitij SEONewsWeeklyRoundup7-11June2021 PasqualeMellone SEONewsWeeklyRoundup7-11June2021 Kshitij