WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.
If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.
Choosing Hosting Wisely = More WordPress Security:
The very first thing you need to do is choose a good, reliable host for your blog.
I recommend going with InMotion Hosting, one of the best companies I have used so far, with all the features you need, like support, cPanel, and so on.
If you are a new customer, they will migrate your site to InMotion free of cost.
If you have a bigger budget, you can try Kinsta, a managed WordPress host powered by Google Cloud and LXD-orchestrated Linux containers. They handle all the server-side work for you, such as caching, security, and updates.
Just choose whatever is best for your blog.
Keep Your WordPress Updated:
It is highly recommended that you keep your WordPress version updated. Old versions contain known bugs and vulnerabilities, so hackers mostly target blogs running outdated WordPress.
New updates contain many improvements and security fixes, so test and apply them as soon as possible, before it's too late.
Choosing Themes and Plugins:
Think 100 times before installing a theme or plugin on your blog. I recommend buying a premium theme instead of using a free one.
There is a high chance that a free theme contains a virus or a backdoor. The Internet is full of nulled themes and plugins available for free download.
Choose a premium theme, because it comes with support and optimized code.
Note: a single line of malicious code can fully compromise your blog.
Use a Strong Password:
I know that for newbies remembering passwords is a difficult task, but nowadays hackers are smart and try to guess your passwords with software and bots.
Let me give you a tip for whenever you set a password. Suppose your password is (newbie555). That is easy to crack, so add some extra characters, like ($$newbie555$$##); that is a strong password. It would take an almost unlimited number of years to guess.
Change the Default Username:
Thanks to hosting companies and WordPress, this has now changed. In the old days, when you installed WordPress, your username and password were both admin, so it was easy for a hacker to break into your blog with brute-force attacks.
Install the WordPress software on your hosting carefully: set a custom username and password for your blog, and change them if you see that your username and password are still admin.
You can also change your username from the database.
- Open phpMyAdmin from your hosting panel and open the users table.
- Edit the row for your account and change the username.
- Save, and you are done.
This is one of the most important things for your WordPress security.
Disable File Editing:
WordPress comes with a built-in file editor, so you can edit your plugin and theme files from the WordPress admin section.
But this is not good: anyone who gets into your admin area can edit your files and themes and add malicious code to them, so for safety disable it as shown below.
Go to your hosting panel, open the wp-config.php file in your blog's root folder, and add the code below.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Done: file editing is disabled, and no one can change the code of your files from the WordPress dashboard.
Secure Your wp-config.php File:
wp-config.php is the most important file on your WordPress blog. It contains all the information a hacker needs to access your database.
To secure this file, add this code to your .htaccess file so that only requests for wp-config.php are denied, not your whole site:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Note that "order allow,deny" and "deny from all" are the Apache 2.2 directives; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is "Require all denied".
Disable Includes Browsing and File Editing:
Many bloggers don't know that leaving http://www.domain.com/wp-includes/ open for browsing is very dangerous. A hacker can easily find potential exploits by sniffing through those files.
If you secure this directory correctly, requests to it should return a 403 Forbidden error.
How to Block Browsing And File Editing:
Simply add this code to your .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Change the WordPress Database Table Prefix:
By default, WordPress adds the (wp_) prefix to your database tables, so hackers can easily guess your table names. I recommend changing it to something like (wp_54444_). See below for how.
- Go to your WordPress dashboard, click Plugins, and add a new plugin.
- Install and activate the (DB Prefix) plugin.
- Go to the plugin settings.
- Enter your existing prefix, then enter your new prefix.
- Done: your database table names have been changed successfully.
- You can delete this plugin afterwards.
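The four hardening steps above (disabling the file editor, protecting wp-config.php, blocking direct requests to wp-includes, and changing the table prefix) are easy to forget to verify after a migration or a plugin update. The following shell script is an added example, not code from the original post or from WordPress: it audits a wp-config.php and a .htaccess for those settings. The file paths and the sample files it writes are constructed for the demonstration, and the prefix check assumes the usual single-quoted `$table_prefix = '...';` form.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install for the
# hardening settings discussed above. Paths and sample files are constructed.

# 0 if wp-config.php has an active (uncommented) DISALLOW_FILE_EDIT set to true.
check_file_edit_disabled() {
  grep -Eq "^[[:space:]]*define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Print the configured $table_prefix (assumes the single-quoted form).
get_table_prefix() {
  grep '^[[:space:]]*\$table_prefix[[:space:]]*=' "$1" | head -n 1 | cut -d"'" -f2
}

# 0 if a prefix is set and it is not the guessable default "wp_".
check_table_prefix_changed() {
  prefix=$(get_table_prefix "$1")
  [ -n "$prefix" ] && [ "$prefix" != "wp_" ]
}

# 0 if .htaccess denies wp-config.php inside a <Files> block (not site-wide).
check_wpconfig_blocked() {
  grep -iq '<files wp-config.php>' "$1" && grep -iq 'deny from all' "$1"
}

# 0 if .htaccess carries the wp-includes PHP rule from the snippet above.
check_includes_blocked() {
  grep -Fq 'RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]' "$1"
}

# Run one check, print its result, and count failures in the global $failures.
run_check() {
  desc=$1; shift
  if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; failures=$((failures + 1)); fi
}

# Audit a config/htaccess pair; returns the number of failed checks (0 = hardened).
audit_wordpress() {
  failures=0
  run_check "DISALLOW_FILE_EDIT is set in wp-config.php" check_file_edit_disabled "$1"
  run_check "table prefix is not the default wp_" check_table_prefix_changed "$1"
  run_check ".htaccess denies access to wp-config.php" check_wpconfig_blocked "$2"
  run_check ".htaccess blocks direct requests to wp-includes PHP files" check_includes_blocked "$2"
  return "$failures"
}

# Constructed hardened wp-config.php for the demo.
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_x7k2_';
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
EOF
}

# Constructed wp-config.php with the defaults left in place.
write_default_config() {
  cat > "$1" <<'EOF'
<?php
$table_prefix = 'wp_';
EOF
}

# Constructed hardened .htaccess combining both snippets from the post.
write_sample_htaccess() {
  cat > "$1" <<'EOF'
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
EOF
}

# Demo: the hardened pair passes every check; the default config fails two.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/wp-config.php"
write_default_config "$demo_dir/default-config.php"
write_sample_htaccess "$demo_dir/.htaccess"
if audit_wordpress "$demo_dir/wp-config.php" "$demo_dir/.htaccess"; then
  echo "hardened sample: all checks passed"
fi
if ! audit_wordpress "$demo_dir/default-config.php" "$demo_dir/.htaccess"; then
  echo "default sample: $failures check(s) failed"
fi
rm -rf "$demo_dir"
```

To audit a real install, point `audit_wordpress` at the site's own wp-config.php and .htaccess instead of the constructed samples; the functions only read the files and never modify them.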
Move From HTTP to HTTPS:
Everyone knows that Google loves HTTPS, and HTTPS also increases your blog's security, because all data exchanged with your blog is encrypted, which makes it difficult for hackers to intercept.
Read my guide on moving to HTTPS for the details.
Add a Security Question to Your Admin Login Page:
Adding a security question to your admin login page makes your WordPress blog more secure with an extra layer: bots cannot get into your admin area, and only authorized members can log in to your blog.
To add a security question, see below.
First, install and activate the (WP Security Questions) plugin.
After activation, just visit its settings and configure it as you require. Done.
Take Regular Backups:
I see many newbies who don't care about backups, but what happens when your site gets hacked or deleted? I recommend backing up your blog every month or two.
There are many plugins out there, like BackupBuddy and VaultPress, and nowadays hosting companies offer free backup options, so you can easily make backups.
More Security Tips:
- Remove inactive users from your blog.
- Install a security plugin like (All In One Security).
- Scan your blog every week.
- Remove unused FTP accounts.
- Remove unused database tables with the (Plugins Garbage Collector) plugin.
That's it. I hope you like this post and that it helps you improve your WordPress security. Once again, I recommend checking your blog every week or month for suspicious activity.
This will help you keep your blog secure.
Don't forget to share this post with your friends and help them secure their blogs too.