15 Tips to Improve WordPress Security

Published: August 12, 2019 / Article by: Siarhei Kulich

When it comes to content management systems, WordPress is hard to beat. However, it’s popularity brings with it a load of unwanted attention from the not-so-nice folks. As website owners, WordPress security is not something you should take lightly.

That’s not to say that WordPress is not secure. On the contrary, the WordPress core is rather secure and updated regularly. Even so, there are a number of small and big things that ordinary folks like you and me can do to secure our websites, even with zero technical skills.

The recent WordPress update 5.2 allows you to measure your site health score, so you know how you fare with site security.

WordPress security - Site Health score
Site health score

Let’s start with some easy-to-do pointers:

Tips to Improve WordPress Security

The best place to start working on WordPress security is the login page.

Protect the login page in WordPress

Protecting Your Login Page

Here’s what you can do:

1. Customize the login page URL: Commonly, WordPress login pages are found at yourwebsite/wp-login.php or yourwebsite/wp-admin, often with ‘Admin’ as username. Easy for hackers to guess, right? Simply changing this to something like XYZ_my_login or XYZ_admin, and using an email id as username can make unauthorized entry more difficult.

Commonly, WordPress login pages are found at yourwebsite/wp-login.php or yourwebsite/wp-admin, often with ‘Admin’ as username. Easy for hackers to guess, right? Simply changing this to something like XYZ_my_login or XYZ_admin, and using an email id as username can make unauthorized entry more difficult.

2. Use strong passwords: No doubt, it’s best to stop malware even before it enters your website. And what better way to achieve this than using strong passwords? Sound passwords use uppercase and lowercase alphabets, digits and characters. If you have difficulty in making up / remembering them, use password generators and password managers.

3. Limit login attempts: Often, hackers use bots to randomly bombard your website at high frequency with various combinations to guess your password. This is called brute force attacks. By limiting the number of login attempts, you can drastically reduce the chances of forced entry. 

Login lockdown WordPress plugin

4. Add security questions to login: Ask users to answer a question or enter a captcha before allowing them access. The nuisance value is a small price to pay to keep out bots and boost WordPress security.

5. Logout idle users automatically: Users who leave their screens unattended for a period of time are a risk to WordPress security. Other people can gain access using the unattended screen. Thankfully, the inactive logout plugin can automatically logout idle users after a specific time period of inactivity.

Logout idle users

6. Enable two factor authentication: A surefire way to restrict unauthorized entry on your login page is two factor authentication. It adds another step to the usual login process of username/ password.

For instance, install the Google authenticator app on your smartphone and enter the code generated by the app on your login page. This ensures that only the person possessing the smartphone can access the website.

Google Authenticator app

There are many more ways to add two way authentication like using a secret key on a USB.

7. Activate a web application firewall: A web application firewall catches all malicious traffic even before it reaches your website, allowing only genuine traffic to your website. It affords protection at the DNS level, in contrast to most other WordPress security measures which act at the application level. Many WordPress plugins like Sucuri, Wordfence and  Cloudflare include firewalls in their functions.

Wordfence firewall

Other Things You Can Do to Improve WordPress Security

8. Enforce need-based user permissions: If you run a multi-user website, you’ll be granting access to multiple users to your WordPress back panel.

Various user roles in WordPress

However, not all users need to have access to every area of your WordPress – you can restrict their access to different areas on a need-only basis. Now, don’t stop there, go on to ensure that all users use strong passwords .

9. Add SSL certificate to your website: Have you noticed the padlock sign on the address bar of this website? This indicates that HRank has obtained an SSL certificate. It conveys that the communication between the users’ browser and your server is encrypted, making it difficult for any unwanted third party to listen in. This trust signal makes users more comfortable in dealing with your website.

Best of all, SSL certificate gives a boost to WordPress security as well as SEO.

Nowadays, getting an SSL certificate is easy. Most hosting services provide this as an add-on, and Lets’ Encrypt provides it for free. 

10. Update WordPress core, themes and plugins: As I mentioned before, WordPress is updated regularly, and minor updates happen automatically. That’s not the case with major updates, where you’ll receive notifications on your dashboard that you need to act upon.

Updating WordPress

Likewise, the themes and plugins that you install should also be updated regularly, and unused plugins can be deleted. It’s also a good idea to purchase / download themes and plugins from trusted sources like the WordPress repository or Themeforest / Codecanyon

11. Disable file editing: If any user manages to reach your dashboard, it’s rather easy for them to alter files that make up your WordPress install. You can prevent this with a simple code fix – add 

define(‘DISALLOW_FILE_EDIT’, true);

to the very end of the wp-config.php file.

12. Install a security plugin: Plugins like Wordfence, and  Sucuri are actually all-in-one solutions for WordPress security. They scan your website for malware, monitor traffic, protect your login page and do much more. Activating these plugins (many of them are free) can minimize vulnerabilities to a large extent. 

13. Choose reliable hosting: Reliable hosting is the biggest favor you can do for yourself when it comes to WordPress security, particularly if you’re on a shared server. A good host protects the servers against common threats, monitors traffic for suspicious activity and protects against DDoS attacks. They also keep software and hardware up to date. 

14. Security audit: A periodic scrutiny of logs can detect unwanted activity.

15. Backup: One security measure that should definitely be on everybody’s list is backing up your WordPress. Backing up WordPress can greatly limit the damage from compromised WordPress security. To help you with backup, there are many quality backup /restore plugins like Backup Buddy. They can carry out a regular, scheduled and automatic backup of your website. 

Backup Buddy

Beyond backing up your website, you should also maintain multiple copies of backup at different locations, including off-site locations. Cloud services are an excellent option here.  

Final words

Compromised WordPress security can cause your website to be blacklisted by Google. It may also cause loss of access to your website, damage your reputation and disrupt your revenues. Not only that, you’ll lose sensitive information and may be forced to pay a ransom to regain access. The pointers above can do wonders for WordPress security, so be smart about it and stay proactive to keep your website safe.


About the Author:
Priya is learning WordPress and likes to share what she learns. She can be reached at [email protected]

About Siarhei Kulich
Co-founder and CTO of HRank.com - a hosting uptime monitoring website. Siarhei has more than 20 years experience in web developing and web hosting.
Connect: Website, LinkedIn
Leave a Reply