Improve WordPress Security with 9 Advanced Tips
Improving your WordPress security with the advanced techniques below will make your website or blog as hard to break into as a WordPress site can reasonably be.
Some 30,000 websites are estimated to be hacked every day, and WordPress sites make up a large share of them, so website owners must be cautious and remember that you can never have too much prevention.
This page contains affiliate links. If you purchase through our links, we get a commission at no cost to you. Read the full disclosure here.
Table of Contents
- Does WordPress Have Good Security?
- Can WordPress Websites Be Hacked?
- 9 Advanced Hacks To Improve WordPress Security
- 1. Replace the default WP-Admin user
- 2. Create an Editor Account and use the Admin account only when necessary
- 3. Hide the author’s slugs
- 4. Add the recommended HTTP Security Headers
- 5. Disable Directory Listing / Directory Browsing
- 6. Disable File Editing
- 7. Prevent PHP direct execution on sensitive directories
- 8. Limit Password Guessing
- 9. Moderate Comments
- How Do I Give Someone A Secure Access to My WordPress Site?
- How Do I Check If My WordPress Site Is Secure?
Does WordPress Have Good Security?
A fresh WordPress install is not insecure by design, but its defaults favor convenience over caution: usernames are easy to discover, administrators can edit code from the Dashboard, nothing limits login attempts, and every feature is switched on. Left that way, a site is an easy target. Most real-world break-ins come through outdated or abandoned plugins and themes, weak or reused passwords, and sloppy hosting configuration rather than through WordPress core, and all of those are in the site owner's hands. So WordPress sites can be made very secure, as long as the owner actually hardens them.
Among the best practices are keeping WordPress, plugins and themes up to date, using strong unique passwords, installing only trusted and maintained plugins and themes, and running a security plugin that watches for suspicious logins and file changes.
Can WordPress Websites Be Hacked?
Yes, WordPress sites get hacked, and it happens often. WordPress is the most popular CMS, powering over 445 million sites, and many of those site owners don’t take security seriously, which makes WordPress easy prey for hackers who can automate the same attack against millions of sites.
Industry reports put WordPress at roughly 90% of the infected CMS sites that clean-up services see. That share largely mirrors its market dominance, and the infections usually trace back to outdated plugins and weak credentials rather than to WordPress itself, but it does mean your site is being probed constantly.
To prevent your WordPress blogs and websites from being hacked, it is of paramount importance to take the security of your websites seriously. You should also always improve your WordPress security as much and whenever you can.
How Can I Improve My WordPress Security?
In this article, you will learn the most advanced ways to secure your WordPress website. Although some of the following practices to improve WordPress security require some skill with websites, don’t let them scare you!
As long as you have patience and calm, these advanced WordPress security practices are actually easy to implement. And even if you run away from anything related to coding as if it were The Plague, remember that there’s always a handy plugin to do the boring stuff for you! So you’ve run out of excuses for not protecting your hard work and efforts! 😉
Here Are 9 Advanced Hacks To Improve Your WordPress Security
IMPORTANT: Back up your site before implementing any of the security recommendations below! It’s not uncommon for something to go wrong for whatever reason, whether it’s a system or human error. So make sure you can recover your site exactly as it was before any changes were made.
If you don’t have a reliable backup plugin yet, you should definitely check Solid Backups / Solid WP (former BackupBuddy).
Solid Backups / Solid WP, in case you don’t know, is a complete, 4-in-1 backup plugin, that has been protecting over 1 million WordPress sites since 2010, so be sure to check it out!
1. Replace The Default WP-Admin User To Improve WordPress Security
Generally, when your web hosting service pre-installs WordPress for you, it creates an Admin user account for you to log into your site’s Dashboard. That account often has a predictable username, such as “admin” or your blog’s name, and a predictable username is the first thing an attacker tries when guessing login credentials.
It’s even riskier if you don’t have a strong password.
So, to make it harder for a hacker to break into your site, create a new user account with an unpredictable username, assign it the Administrator role, and delete the predictable one.
Do not use your name, a pen name or your domain as the username. Use something long that you won’t share with anyone, or a combination of words and digits that doesn’t make sense. One caveat: WordPress does not treat usernames as secrets. Author archive URLs and the REST API expose the author slug, which by default is derived from the username (tip #3 fixes that), and the login form’s error messages confirm whether a username exists. An obscure username buys you time against automated guessing, but it is no substitute for a strong, unique password and, ideally, two-factor authentication.
How to create a new Admin account and replace the default one:
- Log into your WordPress site as an Administrator.
- From the Dashboard, select Users > Add New.
- Fill in all the information (remembering that you will need a different email) and set the Role to Administrator. Save.
- Log out of your website and then log in again using the new Admin account credentials.
- From the Dashboard, select Users > All Users.
- Hover your mouse over the username of the other Admin user and select Delete.
- When WordPress asks what to do with the content owned by that user, choose “Attribute all content to” and pick the new account. If you skip this, the old account’s posts are deleted along with it.
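The same rotation from the command line, as an added example that is not part of the original article: if you have shell access and WP-CLI on your host, this script creates the new administrator, moves the old account’s content to it and deletes the old account in one go, and it refuses usernames that are easy to guess (the “admin” family, anything containing your blog’s name, anything short). WP-CLI and its `wp user` subcommands are real; the script, the helper names, the example host name and the usernames are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: the same admin rotation
# done with WP-CLI from the server, plus a check that the new username is
# not one of the guessable ones. Assumes WP-CLI ("wp") is installed and
# the script runs from the WordPress root; all names are hypothetical.

# username_is_weak LOGIN SITE_HOST
# True (exit 0) when LOGIN is something an attacker would try first:
# the "admin" family, the site's own name, or anything short.
username_is_weak() {
  login=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  label=${host%%.*}            # "myblog" from "myblog.example"
  case "$login" in
    admin|administrator|root|test|user|webmaster|wordpress|wp|wpadmin|wp-admin)
      return 0 ;;
  esac
  [ "$login" = "$host" ] && return 0
  if [ ${#label} -ge 4 ]; then  # blog name embedded anywhere, e.g. myblog-owner
    case "$login" in *"$label"*) return 0 ;; esac
  fi
  [ ${#login} -lt 8 ] && return 0
  return 1
}

# rotate_admin OLD_LOGIN NEW_LOGIN NEW_EMAIL SITE_HOST
# Creates NEW_LOGIN as administrator, reassigns everything OLD_LOGIN owns
# to it, deletes OLD_LOGIN and lists who is left with the Administrator role.
rotate_admin() {
  old=$1; new=$2; email=$3; host=$4
  if username_is_weak "$new" "$host"; then
    echo "refusing: '$new' is a guessable username" >&2
    return 1
  fi
  # 24 random alphanumerics; printed once so you can store it in a password manager
  pass=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
  # --porcelain makes wp print only the new user's ID
  new_id=$(wp user create "$new" "$email" --role=administrator \
             --user_pass="$pass" --porcelain) || return 1
  echo "created user $new_id ($new), password: $pass"
  # --reassign is the WP-CLI form of "Attribute all content to": the old
  # account's posts, pages and media move to the new ID instead of being deleted
  wp user delete "$old" --reassign="$new_id" --yes || return 1
  echo "remaining administrators:"
  wp user list --role=administrator --field=user_login
}

# Runs only when called with all four arguments, e.g.
#   sh rotate-admin.sh admin quiet-harbour-4417 you@example.org myblog.example
if [ $# -eq 4 ]; then
  rotate_admin "$@"
fi
```

The username check is the part worth keeping even if you do the rotation by hand: a username that contains your domain’s first label is as guessable as “admin”. Store the printed password in a password manager; the script shows it only once.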
2. Create An Editor User Account For Your WordPress Website & Use The Admin User Account Only When Necessary
Your Admin account can do everything on your site: install plugins, edit code, create users. That is exactly what you don’t want an attacker to get hold of if your session is hijacked (a stolen login cookie, for instance) or your browser is compromised, so avoid staying logged into the Admin account when you don’t need it.
After all the must-have settings have been made, you won’t need to log in to your Admin account very often. And when you need it, usually it is just to update plugins.
Most of your time will be dedicated to posting and editing articles, which you can do with an Editor user account.
Again, use strong passwords, and don’t use your name or nickname/pen name as a username.
How to add an Editor account to your website:
- Log into your WordPress site as an Administrator.
- From the Dashboard, select Users > Add New.
- Fill in all the information (remembering that you will need a different email) and set Role to Editor. Save. It’s done.
3. To Improve WordPress Security, Hide The Author Usernames By Changing The Author Slug / user_nicename
The user_nicename is simply the author slug. By default WordPress derives it from the login username (lower-cased, with spaces and punctuation turned into hyphens). It is never used for logging in, so you can change it freely.
When you read an article on a blog, at the beginning or end of the post there is the name of the author of the article. If you click on the author’s name you will go to the page containing all the articles by that author, whose URL will be “websitename.com/author/authorusername/”. That “authorusername” part is the author’s slug.
This slug is, by default, derived from the login username of that author. That is, if an article was written by “Christy Anne”, and Christy Anne’s login username is “christylovescatsandtea”, the author slug will be “websitename.com/author/christylovescatsandtea/”.
As a result, this WordPress default exposes your login username, which is worse still if you publish articles with your Admin account (which you should NOT do).
To improve your WordPress security, you should hide your real username by changing the user_nicename inside your WordPress website database.
WordPress stores its data in a MySQL (or MariaDB) database. Most hosts let you manage that database through phpMyAdmin, a web-based tool, from your browser.
How to access phpMyAdmin and change the user_nicename, step-by-step:
Note: Keep in mind that every web host’s panel is a little different. The steps below are for the DreamHost control panel.
- Log into your web hosting control panel.
- Find the “MySQL Databases” tab or “Databases” tab.
- Head to “Manage Database”. If your web hosting asks for your credentials, go to “Show Credentials” and copy the username and password.
- Inside phpMyAdmin, click your database name in the left bar (something like “yourwebsite_com”).
- Find the table called something like “wp_xxxxx_users” (the prefix varies from site to site).
- In the data that appears on the right, find the column titled “user_nicename”.
- Double-click the cell containing the user_nicename you want to change, type the new slug (lower-case letters, digits and hyphens only, so it works in a URL) and press Enter to save. Then close phpMyAdmin.
- Check that the new user_nicename has been applied by going to your website, opening any article you have written, and clicking on the author’s name to see the new author slug. The old author URL now returns a 404, so update any links you had to it. Note that this does not change your login username; it only stops the slug from revealing it.
- Congratulations! It’s done.
IMPORTANT: Inside phpMyAdmin, do not make any other changes unless you know very well what you are doing!
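Most of that phpMyAdmin work can be done more safely with WP-CLI, and it is worth auditing every account, not just your own. The script below is an added example, not from the original article: it re-creates WordPress’s rule for the default slug (the login, lower-cased, with runs of punctuation turned into hyphens), flags any user whose slug still follows it, and changes the slug with `wp user update`. The CSV inside it is constructed sample data in the format `wp user list` prints; the user names are invented.

```shell
#!/bin/sh
# Added example, not from the original article: audit every account for an
# author slug (user_nicename) that still equals the WordPress default, and
# change it with WP-CLI rather than editing the row in phpMyAdmin. The CSV
# below is a constructed sample in the shape "wp user list" prints; on a
# live site the real command is piped in (see audit_live). Assumes WP-CLI
# is installed; user names are hypothetical.

# WordPress sets user_nicename = sanitize_title(user_login) when a user is
# created: lower-case, any run of non-alphanumerics becomes a hyphen.
# Simplified re-implementation, sufficient for ASCII logins.
default_nicename() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed -e 's/[^a-z0-9]\{1,\}/-/g' -e 's/^-//' -e 's/-$//'
}

# audit_nicenames < CSV   (header: ID,user_login,user_nicename)
# Prints "ID login" for each user whose public slug reveals the login name.
audit_nicenames() {
  read -r _header                      # skip the CSV header row
  while IFS=, read -r id login nicename; do
    [ -z "$id" ] && continue
    if [ "$nicename" = "$(default_nicename "$login")" ]; then
      printf '%s %s\n' "$id" "$login"
    fi
  done
}

# fix_nicename ID NEW_SLUG: the WP-CLI equivalent of the phpMyAdmin edit.
# The old /author/<slug>/ URL returns 404 afterwards, so choose it once.
fix_nicename() {
  wp user update "$1" --user_nicename="$2" \
    && wp user get "$1" --field=user_nicename     # prints the slug now stored
}

# Same audit against the live user table
audit_live() {
  wp user list --fields=ID,user_login,user_nicename --format=csv | audit_nicenames
}

# Constructed sample: user 1 uses the default slug, user 2's slug is the
# sanitized form of a login containing a space, user 3 was already fixed.
SAMPLE_USERS='ID,user_login,user_nicename
1,christylovescatsandtea,christylovescatsandtea
2,Christy Anne,christy-anne
3,editor_9f2k,writing-desk'

sample_leaks() { printf '%s\n' "$SAMPLE_USERS" | audit_nicenames; }
```

On the sample, sample_leaks reports users 1 and 2 and not user 3. On a live site, audit_live pipes the real `wp user list` output through the same check; after fix_nicename the author archive moves to the new /author/<slug>/ URL, so do this before you share author links widely.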
4. Add The Recommended HTTP Security Headers For Advanced WordPress Security
HTTP (HyperText Transfer Protocol) security headers are instructions your server sends along with every response, telling the visitor’s browser how to behave.
From forcing the browser to always use HTTPS for your domain to telling it not to guess what kind of data it has received, these headers protect your visitors’ connection and session rather than the server itself, which is why they matter even on a site that has nothing to steal.
There are many HTTP security headers, but you don’t actually need to add them all to your website.
Some of them are obsolete, while others (a full Content-Security-Policy in particular) take careful tuning; get them wrong and you can break your own site.
There are, however, four HTTP security headers that you SHOULD add to your website as soon as possible (the snippet below also adds a minimal Content-Security-Policy that upgrades leftover http:// links on your pages):
1. HSTS Strict-Transport-Security
The Strict-Transport-Security header tells the browser to remember, for max-age seconds, that your site must only be reached over HTTPS.
Once a browser has seen the header, it will refuse plain-HTTP connections to your domain and will not let the user click past a certificate warning. That defeats SSL-stripping attacks, where someone on the network path (a rogue Wi-Fi hotspot, say) downgrades or intercepts the connection and serves a look-alike page. Two caveats: your whole site (and, with includeSubDomains, every subdomain) must already work over HTTPS, and only add preload if you intend to submit the domain to the browsers’ preload list, because that commitment is hard to undo.
2. X-Content-Type-Options
Browsers historically “sniffed” the content of a response to guess its real type whenever the Content-Type header looked wrong or was missing.
The X-Content-Type-Options header, with the value nosniff, tells the browser to trust the declared Content-Type and not guess.
Without it, an attacker who can get a file onto your site (an avatar, a comment attachment, a “PDF” freebie uploaded through a sloppy plugin) can hide HTML or JavaScript inside something your server serves as an image or document; a sniffing browser may then run it in your site’s origin, which is a cross-site scripting hole. With nosniff, such a file is treated as the inert type your server says it is. This protects your users and your blog’s reputation alike.
3. X-XSS-Protection
Cross-site scripting (XSS) attacks often aim to steal the session cookie from the victim’s (in this case, your site’s user) web browser. Cookies don’t hold passwords or card numbers, but the session cookie lets the attacker act as the logged-in user, which is just as dangerous.
The X-XSS-Protection header controlled a built-in reflected-XSS filter in older browsers. It is now deprecated: Chrome and Edge removed their filters in 2019 and Firefox never had one, so current browsers ignore it, and the filter itself turned out to leak information. It is harmless to keep the line for old browsers, but don’t count on it; the modern defence against XSS is a Content-Security-Policy, and the nosniff and frame headers above and below do more in practice.
4. X-Frame-Options
This header prevents clickjacking.
When X-Frame-Options is set on your domain, your site cannot be secretly embedded in another site inside an iframe, where an attacker could lay invisible buttons over your pages and trick logged-in users into clicking them. The value SAMEORIGIN still lets your own pages frame each other. Newer browsers also understand the frame-ancestors directive of Content-Security-Policy, which takes precedence where both are present.
According to WhatIs.com
An IFrame (Inline Frame) is an HTML document embedded inside another HTML document on a website. The IFrame HTML element is often used to insert content from another source, such as an advertisement, into a Web page.
How to add the recommended Security Headers to your website manually:
IMPORTANT: I must say it again: remember to take a FULL BACKUP of your website before executing this procedure. The .htaccess file is delicate. Changing a single character wrongly can break your website or take it down! Don’t modify any line you don’t understand.
- Log into your web hosting cPanel.
- Select Websites > FTP Users & Files (the name might be a little different depending on your web hosting).
- Select Manage Files.
- Select “yourwebsite.com” > .htaccess.
- Scroll down to the bottom of the file, skip a line, and add the following lines of code:
# Security Headers
<IfModule mod_headers.c>
# HSTS, only on HTTPS responses (env=HTTPS); drop "preload" unless you will submit the domain to the preload list
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# Upgrades any remaining http:// sub-resources on your pages to https://
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
# Legacy header, ignored by current browsers; kept only for old ones
Header always set X-XSS-Protection "1; mode=block"
# "set", not "append": appending on top of a host-level config yields "SAMEORIGIN, SAMEORIGIN", which browsers reject
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
# End Security Headers
Save the changes and close the file, then confirm the headers are actually being sent with the Security Headers scanner mentioned at the end of this article. Two things can make the block silently do nothing: mod_headers not being enabled (the IfModule wrapper then skips the whole block rather than breaking the site), and TLS being terminated on a proxy in front of your server, in which case the HTTPS variable is never set and the HSTS line never fires. Also note that .htaccess is an Apache (and LiteSpeed) feature; on nginx the equivalent add_header directives belong in the server block. Use straight quotes (") in the file; the curly quotes a word processor produces will break it.
5. Disable Directory Listing / Directory Browsing To Improve WordPress Security
Directory listing (or directory browsing) is a web-server feature that, when a folder has no index file, shows visitors an index of everything in it. Nothing about WordPress turns it on; it is an Apache configuration default that some hosts leave enabled.
Test it on your site by opening the following URL in your browser: yourwebsite.com/wp-includes/css/
Scary, right? I know.
Attackers use listings to inventory your site: the plugin and theme folders under wp-content reveal exactly which plugins you run (and often their versions), which they match against lists of known-vulnerable releases, and the uploads folder can expose files you never meant to be browsable.
To disable directory listing, you need to add a single line at the bottom of your site’s .htaccess file.
How to Disable Directory Listing / Directory Browsing MANUALLY (the scary way if coding is not your thing):
IMPORTANT: Once more, ALWAYS FULL BACKUP your website before modifying absolutely anything within the .htaccess file! Changing a single character wrongly can break your website or take it down!
In case you really, really run away from the .htaccess file of your site like a vampire runs away from the sunlight, check the following section to learn how to disable Directory Browsing easily and safely through a plugin, but backup your site anyway (“just in case” is a rule of thumb when it comes to backing up WordPress).
- Log into your web hosting cPanel.
- Select Websites > FTP Users & Files (the title might be a little different depending on your web hosting).
- Select Manage Files.
- Select “yourwebsite.com” > .htaccess.
- Scroll down to the bottom of the file, skip a line, and add the following single line of code:
Options -Indexes
Save the changes and close the file. Then verify by visiting yourwebsite.com/wp-includes/css/ again.
If all goes well, the listing is gone and Apache answers with a 403 Forbidden page instead (not a 404; a 404 means you typed the path wrong). You can double-check with a folder you know exists, such as wp-content/uploads/.
How to Disable Directory Listing/Directory Browsing via the Solid Security / SolidWP (formerly iThemes Security) plugin (the easiest and safest way):
- Log into your WordPress site as an Administrator.
- From the Dashboard, select Security. Select Advanced (in the bottom left).
- Under System Tweaks, check all the File Access checkboxes: Protect System Files and Directory Browsing. Save. It’s done.
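Rather than trusting that the .htaccess edits in tips 4 and 5 took effect, check them. The script below is an added example, not code from the original article: it audits a captured set of response headers for the four recommended headers (and the upgrade-insecure-requests line in the snippet), catches two common mistakes (a duplicated X-Frame-Options value and HSTS without max-age), and recognizes an Apache or nginx directory listing by its page title. The “before” and “after” headers and the two page bodies are constructed samples; example.org is a placeholder host, and live_check shows the curl commands to run for real.

```shell
#!/bin/sh
# Added example, not code from the original article: check a site's
# response headers and its directory-listing behaviour from the shell,
# before and after the .htaccess edits in tips 4 and 5. The header and
# body samples are constructed in the shape "curl -sI" and "curl -s"
# return; live_check shows the real commands. example.org is a placeholder.

# The four headers the article recommends, plus the CSP line its snippet sets
REQUIRED_HEADERS='strict-transport-security content-security-policy x-content-type-options x-frame-options'

# audit_headers < RAW_RESPONSE_HEADERS
# Prints one finding per line; no output means every check passed.
audit_headers() {
  # normalise to lower-case "name=value" lines, dropping CRs and the status line
  got=$(tr -d '\r' | tr 'A-Z' 'a-z' | sed -n 's/^\([a-z0-9-]*\):[[:space:]]*/\1=/p')
  for h in $REQUIRED_HEADERS; do
    printf '%s\n' "$got" | grep -q "^$h=" || echo "missing: $h"
  done
  # nosniff is the only valid value
  if printf '%s\n' "$got" | grep -q '^x-content-type-options=' &&
     ! printf '%s\n' "$got" | grep -q '^x-content-type-options=nosniff$'; then
    echo "x-content-type-options must be exactly nosniff"
  fi
  # "Header append" on two layers yields "SAMEORIGIN, SAMEORIGIN", which
  # browsers treat as invalid and ignore, so the protection is silently lost
  if printf '%s\n' "$got" | grep -q '^x-frame-options=.*,'; then
    echo "x-frame-options has several values; use Header set, not append"
  fi
  # HSTS without max-age does nothing
  if printf '%s\n' "$got" | grep -q '^strict-transport-security=' &&
     ! printf '%s\n' "$got" | grep -q '^strict-transport-security=.*max-age=[0-9]'; then
    echo "strict-transport-security has no max-age"
  fi
}

# is_directory_listing < BODY
# Apache mod_autoindex and nginx autoindex both title the page "Index of /..."
is_directory_listing() {
  grep -qi '<title>index of /'
}

# --- constructed samples --------------------------------------------------
BEFORE_HEADERS='HTTP/1.1 200 OK
Date: Thu, 15 Feb 2024 10:00:00 GMT
Server: Apache
Link: <https://example.org/wp-json/>; rel="https://api.w.org/"
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

AFTER_HEADERS='HTTP/1.1 200 OK
Date: Thu, 15 Feb 2024 10:05:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: upgrade-insecure-requests
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

LISTING_BODY='<html><head><title>Index of /wp-includes/css</title></head>
<body><h1>Index of /wp-includes/css</h1>
<ul><li><a href="admin-bar.css"> admin-bar.css</a></li></ul></body></html>'

FORBIDDEN_BODY='<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1><p>You do not have permission to access this resource.</p></body></html>'

header_findings() { printf '%s\n' "$1" | audit_headers; }
body_is_listing() { printf '%s\n' "$1" | is_directory_listing; }

# The live version (not run here): the same checks against a real host
live_check() {
  curl -sI "https://$1/" | audit_headers
  if curl -s "https://$1/wp-includes/css/" | is_directory_listing; then
    echo "directory listing is enabled on $1"
  fi
}
```

Running header_findings on the “before” sample prints four findings (three missing headers and the duplicated X-Frame-Options); on the “after” sample it prints nothing. The duplicate check matters because Header append, rather than set, produces “SAMEORIGIN, SAMEORIGIN” when a host-level config already sets the header, and browsers then ignore the header entirely.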
6. Improve WordPress Security by Disabling File Editing
Anyone with an Administrator account can edit the PHP code of plugins and themes straight from the Dashboard, under Appearance > Theme File Editor and Plugins > Plugin File Editor.
That is risky even without an attacker: an Admin with no coding skills can take the site down with one curious edit.
But the biggest danger is that the built-in editor turns a stolen Administrator login into code execution on your server. An attacker who gets in can paste a backdoor into any theme file and, from there, read the database credentials in wp-config.php, plant malware in your pages, or move on to the rest of the hosting account. Disabling the editor (the plugin below does it by setting the DISALLOW_FILE_EDIT constant in wp-config.php) removes that shortcut. An admin-level attacker still has other routes, so treat this as one layer, not a cure.
The easiest way (and more practical, in case you need to enable file editing for a few minutes to do some quick editing) to disallow file editing is via Solid Security / SolidWP (formerly iThemes Security) Settings.
If you still don’t have the Solid Security / SolidWP plugin (which specializes in WordPress Security and protects 1+ million websites) installed on your website, click here to get it.
How to Disable File Editing via Solid Security / SolidWP:
- Log into your WordPress site as an Administrator.
- From the Dashboard, select Security. Select Advanced (in the bottom left).
- Under System Tweaks, head to WordPress Tweaks. Then select the button Configure Settings.
- Check the Disable File Editor checkbox.
- You can uncheck the checkbox anytime if you realize you need to edit plugin or theme code from the Dashboard (which you rarely should; editing over SFTP or from version control is safer).
7. Prevent PHP Direct Execution On Sensitive Directories
The classic WordPress compromise doesn’t start with a stolen password but with a writable directory. A vulnerable plugin or theme lets an attacker upload a file into wp-content/uploads (or into a plugin or theme folder); if that file is PHP and the web server is willing to execute it, a single request to its URL gives the attacker a web shell on your server.
Blocking PHP execution in those directories breaks that chain: the upload may still land, but requesting it returns 403 instead of running it. Two caveats: this stops direct requests only, not the file being included by other vulnerable PHP code, and “Disable PHP in Plugins/Themes” can break the few plugins that serve .php files directly, so test your site afterwards.
How to prevent PHP direct execution on sensitive directories via Solid Security / SolidWP:
Note: Check out the Solid Security / SolidWP plugin here if you don’t have it yet.
- Log into your WordPress site as an Administrator.
- From the Dashboard, select Security. Select Advanced (in the bottom left).
- Under System Tweaks, check all the PHP Execution checkboxes: Disable PHP in Uploads, Disable PHP in Plugins, and Disable PHP in Themes. Save.
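If you prefer to do tips 6 and 7 without the plugin, here is the manual equivalent for an Apache host, as an added example that is not code from the article or from Solid Security. It sets the DISALLOW_FILE_EDIT constant with WP-CLI, which is what removes the theme and plugin editors, and drops an .htaccess into wp-content/uploads that refuses to serve any PHP file from there. The function is written so that re-running it does not append the rule twice. WP_ROOT is a hypothetical path; WP-CLI and Apache 2.4 with AllowOverride permitting FilesMatch are assumed.

```shell
#!/bin/sh
# Added example, not from the original article or from Solid Security:
# the manual equivalents of tips 6 and 7 for an Apache host, done
# idempotently so the script can be re-run. Assumes WP-CLI is installed
# for the first step; WP_ROOT is a hypothetical path.

# disable_file_editor WP_ROOT
# Sets DISALLOW_FILE_EDIT in wp-config.php, which removes Appearance >
# Theme File Editor and Plugins > Plugin File Editor for every role.
disable_file_editor() {
  wp --path="$1" config set DISALLOW_FILE_EDIT true --raw --type=constant
  wp --path="$1" config get DISALLOW_FILE_EDIT   # verify the constant is defined
}

# deny_php_in_uploads WP_ROOT
# Writes (once) an .htaccess that refuses to serve any PHP file from
# wp-content/uploads, so an uploaded web shell cannot be executed even
# when a plugin lets it through. Apache 2.4 syntax.
deny_php_in_uploads() {
  dir="$1/wp-content/uploads"
  file="$dir/.htaccess"
  mkdir -p "$dir"
  if [ -f "$file" ] && grep -q 'Require all denied' "$file"; then
    echo "already hardened: $file"
    return 0
  fi
  # also covers the alternative extensions PHP handlers are often mapped to
  cat >>"$file" <<'EOF'
# Block direct execution of PHP in the uploads tree
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
  echo "wrote deny rule to $file"
}

# Self-check on a throwaway tree (no WordPress needed for this part):
# runs the uploads rule twice and prints how many copies ended up in the file.
demo_uploads_rule() {
  tmp=$(mktemp -d)
  deny_php_in_uploads "$tmp" >/dev/null
  deny_php_in_uploads "$tmp" >/dev/null   # second run must not duplicate the rule
  grep -c 'Require all denied' "$tmp/wp-content/uploads/.htaccess"
  rm -rf "$tmp"
}

# Apply to a real site only when WP_ROOT is set, e.g.
#   WP_ROOT=/var/www/html sh harden-files.sh
if [ -n "${WP_ROOT:-}" ]; then
  disable_file_editor "$WP_ROOT"
  deny_php_in_uploads "$WP_ROOT"
fi
```

demo_uploads_rule prints 1: the rule is written on the first run and recognized on the second. The uploads rule only stops direct requests; a PHP file there can still be included by other vulnerable code, which is why keeping plugins updated remains the first line of defence. On nginx the same effect comes from a location block returning 403 for .php under uploads, which this script does not write.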
8. Limit Password Guessing To Intensify WordPress Security
Password guessing is a brute-force attack on the login form: an attacker, or far more often a bot, simply tries username and password combinations until one works, starting with lists of leaked and common passwords.
A single bot is limited by your server’s response time, so it manages dozens to a few thousand attempts per minute rather than millions per second (that figure applies to cracking stolen password hashes offline). But botnets spread attempts across hundreds of IP addresses, and xmlrpc.php’s system.multicall lets one request test hundreds of passwords at once.
Limiting login attempts, so that a host or a username is locked out after a handful of failures, makes that kind of guessing impractical, provided your password isn’t one of the first few a bot would try.
How to limit password guessing/login attempts via Solid Security / SolidWP:
- Get the plugin here (if you still don’t have it).
- Log into your WordPress site as an Administrator.
- From the Dashboard, select Security.
- Under Configure, select Lockouts.
- Under Local Brute Force, enter the maximum number of your choice in Max Login Attempts Per Host and Max Login Attempts Per User.
- Finally, enter the period of your choice in Minutes To Remember Bad Login (check period).
- Save.
IMPORTANT: Don’t set the limit extremely low, as you might get your own password wrong once or twice. Two more caveats: per-host limits do little against a botnet rotating through IP addresses, which is why the per-user limit matters too, and if your site sits behind a CDN or proxy, make sure the plugin sees the real visitor IP rather than the proxy’s, or one lockout could affect every visitor. Lockouts are a rate limit, not authentication; pair them with a long, unique password and two-factor authentication on every Administrator account.
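Login limiting is easier to trust when you can see what it is up against. The script below is an added example, not from the article or the plugin: it reads a web server access log in combined format and reports any client that POSTed to wp-login.php or xmlrpc.php more than a chosen number of times, which is the server-side signature of password guessing. The log lines are constructed samples using documentation IP addresses; on a real host you would feed it /var/log/apache2/access.log or the nginx equivalent.

```shell
#!/bin/sh
# Added example, not from the article or the Solid Security plugin: spot
# password-guessing bursts in an Apache/nginx access log, the server-side
# view of what a login limiter blocks. The log lines are constructed
# samples in combined log format; IPs and timestamps are made up.

# login_bursts THRESHOLD < ACCESS_LOG
# Counts per client IP the POSTs to wp-login.php that came back 200 (a
# failed login re-renders the form; a success redirects with 302) and all
# POSTs to xmlrpc.php (system.multicall answers 200 whether or not any
# password matched), then prints "COUNT IP PATH" for counts >= THRESHOLD.
login_bursts() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1 " " $7]++ }
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                  { n[$1 " " $7]++ }
    END { for (k in n) if (n[k] >= limit) print n[k], k }
  ' | sort -rn
}

# Constructed sample: a scripted guesser on wp-login.php, a real visitor who
# mistyped once and then logged in (302), and an xmlrpc.php multicall bot.
SAMPLE_LOG='203.0.113.7 - - [15/Feb/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Feb/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.9 - - [15/Feb/2024:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Feb/2024:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "https://example.org/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [15/Feb/2024:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.org/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [15/Feb/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible)"
192.0.2.44 - - [15/Feb/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible)"
192.0.2.44 - - [15/Feb/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible)"
192.0.2.44 - - [15/Feb/2024:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible)"
192.0.2.44 - - [15/Feb/2024:10:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (compatible)"'

# sample_bursts THRESHOLD: the detector run over the constructed log
sample_bursts() { printf '%s\n' "$SAMPLE_LOG" | login_bursts "$1"; }

# Live usage (not run here):
#   login_bursts 10 < /var/log/apache2/access.log
```

With a threshold of 5, sample_bursts reports the wp-login.php guesser (6 failures) and the xmlrpc.php bot (5 calls); the visitor with one failed and one successful login is not listed. Treat the output as input to a firewall block or a fail2ban jail, and remember it counts per IP: a distributed attack shows up as many small counts, which is exactly what per-user lockouts are for.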
9. Moderate Comments For Advanced WordPress Security
Do not let comments on your blog posts be approved automatically. Unfortunately, the more your traffic grows, the more spam you will see in your comment area.
Spam comments typically carry links to phishing, malware or scam pages. Approving them harms your visitors, who may click such a link by accident or because the comment tricked them, and it harms your site’s reputation with search engines, which penalize pages that link to known-bad destinations.
How to set comments to enter moderation mode automatically:
- Log into your WordPress site as an Administrator.
- Head to Settings (in the left menu) > Discussion
- Scroll down to the bottom of the page and tick the following checkboxes: “Comment must be manually approved” and “Comment author must have a previously approved comment”.
- You can define other specifications as well, i.e. to deny or allow link notifications from other blogs and which email notifications you want to receive.
- Save changes.
Tips for knowing which comments to approve and which to reject:
Tip #1: Get the Hide My WP plugin for anti-spam protection (and more!).
The more pageviews you get, the more time you have to spend reviewing comments and selecting those that should go to the trash because they are spam.
This is time-consuming, and you don’t have time for it!
Your precious time is to keep your site healthy, create quality content for your real readers, and constantly improve your traffic gain strategy. That’s why having a plugin to get the spam-filtering boring work done for you is so important.
Hide My WP not only gives you more WordPress security by hiding your WordPress from spammers, but also hides your website from attackers and theme detectors.
Tip #2: Sometimes you’ll get comments that seem real, mentioning something like “this article is the most detailed and complete I’ve read in the field, congratulations on the quality”. Beware of these comments! Realize that this “in the field” is something completely vague.
That is, if a comment doesn’t seem to be specific about what you write about, it’s probably spam.
How Do I Give Someone a Secure Access to My WordPress Site?
Fortunately, WordPress lets you create as many users as you want. Best of all, however, you can define how much access each user can have.
As an example, anyone with Editor access can publish, edit and delete posts and pages (including other people’s) and moderate comments, but cannot install plugins, change themes or settings, or manage users. Those with Contributor access can only write and edit their own posts and cannot publish them.
Here are the roles you can assign your site users to improve WordPress security:
- Administrator: A user who has full access to all the administration features and can manage the site’s backend.
- Editor: A user who can write, publish, and edit posts and pages, including the ones created by other users.
- Author: A user who can write, publish, and edit only their own posts.
- Contributor: A user who can write and edit their own posts but cannot publish them.
- Subscriber: A user who can manage their profile.
Remember that there is no reason to grant any access to your site that is not absolutely necessary. Therefore it is essential to know what the new user will actually do so you can assign the least powerful role that covers it. Give each person their own account rather than sharing one, so you can revoke access individually and see who did what. And to maintain your WordPress security, remove access promptly by deleting the accounts of those who no longer have a role within your blog or website.
To create new user accounts, follow the exact instructions of item #2 of this article.
How Do I Check If My WordPress Site Is Secure?
To check your website for malware, blacklisting status, website errors, out-of-date software and injected code, try Sucuri’s free tool, Sucuri SiteCheck. Keep in mind it is a remote scan: it only sees what a visitor sees and cannot inspect the files on your server, so it won’t catch everything a server-side scanner or your security plugin’s file-change monitor would.
Now, if you want to check whether your website sends the recommended security headers, use Security Headers, a free scanner created by information security consultant Scott Helme.
Improve WordPress Security — Final Thoughts
Improving your WordPress security isn’t something to put off until tomorrow: not a day goes by without hackers and bots trying to break into your site.
Whether you’re just getting started or have been blogging for a while (or a lot longer), the sooner you improve your WordPress security, the better.
Always stay one step ahead and don’t let hackers destroy what you have worked so hard for daily!
Originally posted on November 13, 2021. Last updated on February 15, 2024.