Harden WordPress Security – 12 Actionable Tips for Your Website

You’re probably thinking that you are running a secure and safe WordPress website. The short story – you’re not!

We’re living with the status-quo that our websites are secure enough to not bother with the dirty job of hardening them as best as we can. But the reality is different. While supporting my customers, I personally face every day with shared web hosting servers, outdated(sometimes, ancient) technologies; people are still using the “admin” username, they don’t have a security plugin installed, even if it takes less than 5 minutes.

It’s not your fault. We assume that WordPress is pretty safe to run a website on it. And it is, but threads are everywhere and it’s best to avoid them if possible. And it is possible.

Let me show you 12 quick and actionable tips and tricks which will harden WordPress security and make your website safer.

1. Harden WordPress Security by updating WordPress, themes and plugins

It’s obvious why I’m starting the list with this tip. Even if it’s a no-brainer for many, the reality is different.

W3tech.com and WordPress.org stats show that 8,6% of all WordPress websites are still running on WP version 3, and only 45% are either running the latest version, 4.7+, or making the transition from older versions. This means that more than half of the WordPress websites are not updated when they should.

WordPress versions usage - January 2017
WordPress versions usage – January 2017

This is very serious. WordPress is a community but it seems that the same community is working against WordPress, at least from a security point of view. I could mention that the largest journalist data breach, known as Panama Papers(you heard about it already, I know) started from an outdated version of Slider Revolution WordPress plugin.

These numbers are too big to be true, but they are. WordPress is any hacker’s playground. I’m thinking that a hacker’s “career” starts by exploiting WordPress websites. They usually take a very targeted and automated approach to exploiting outdated websites in a massive scale, so having an old installation with known vulnerabilities is sure to make your site a target.

WordPress can be set to instantly perform minor update, just to ensure that you’re safe from vulnerabilities. On the other hand, it’s your job to enable automatic major updates, either via a plugin or by editing your functions.php file. In case you’re comfortable enough editing WordPress files directly, there are plenty of plugins to assist you with this. If you want to go down the simple route, try the Easy Updates Manager plugin. It will take care of everything described in this section.
Furthermore, if you would still want or need to enable updates by yourself, you can always configure your theme’s wp-config.php file or even create a child theme to hold your custom functionality. Put this code in your wp-config.php file to enable automatic major updates:

define('WP_AUTO_UPDATE_CORE', true);

You can also enable automatic updates for your themes and plugins, but this is only possible with the items available in the WordPress.org directory. No such thing for 3rd party themes or plugins – they’re doing it their own way. So, to auto update themes, the next piece of code added this time inside the functions.php file of your theme should do the trick:

add_filter( 'auto_update_theme', '__return_true' );

For plugins, use this code:

add_filter( 'auto_update_plugin', '__return_true' );


2.Keep an eye on the web hosting server infrastructure

Most of the WordPress websites are exposed to vulnerabilities by also running outdated versions of PHP. WordPress.org statistics show that only 5% of websites are running PHP v7 – the latest version, while only 27,7% of them are running on older but still supported versions. Around 44,3% of the WordPress websites are using other versions, and 68.3% are running versions older than 5.6. A similar scenario is true for MySQL versions 5.6 and 10.1, where only 1% of the WordPress websites rely on the latest version.

PHP versions run by WordPress websites - January 2017
PHP versions run by WordPress websites – January 2017

Updating your plugins and themes may be a relatively easy task, but when it comes to keeping up with latest versions of PHP, MySQL, Apache, Nginx, etc, you have to ask your hosting provider for some help. And guess what? Many people didn’t hear about Apache or Nginx. You can’t blame them. They just want to have a website. They don’t know or care if the site can run better, faster, as long as it’s working as is.

However, this does not mean that your WordPress website will be immediately compromised if these technologies are not kept up to date, but if your current web hosting provider is unable to help you out with updates, it’s best to shake hands and move on. I highly recommend Siteground – the no 1 web hosting provider for WordPress websites. So does WordPress. We’ve also put together a fair comparison between Siteground and Inmotion Hosting. Check it out.


3. Reinforce and obscure all passwords by enabling WordPress Secret Authentication Keys

WordPress gives you the option to set authentication keys that you can incorporate in the encryption process of various pieces of information that it uses, on a daily basis. These keys add an extra layer of unpredictability and security to your passwords.

So, you can quickly generate a list of authentication keys to implementing on your site with a handy tool. This page will automatically create a code snippet with a set of highly randomized and long keys, ready to be copied and implemented. So generate a new set at Wp Auth keys.

Now you just need to copy and paste these keys in the right place and make sure they remain a secret to everyone but yourself (this is their purpose). Look for something like this inside your wp-config.php file and use the new keys inside:

harden wordpress security with salt keys in wp-config.php

4. Plan ahead and make use of a backup solution

Having a robust, automatic backup process for your WordPress installation can save you from invaluable business damage and a whole range of stress related issues. A backup solution should be one of the top concerns if you are a WordPress website owner or administrator. If your site is ever hacked in spite of all the carefully thought measures you have taken, this could be the only thing that prevents you from suffering a complete loss of your business efforts, very likely, forever.

There are many backup plugins which can give you piece of mind, at least in this matter. Backups can be stored locally, on the server or directly in the cloud, or even sent to your Dropbox account. There is no reason not to use one. Here`s a list for you: BackWPUp, UpdraftPlus WordPress Backup, VaultPress(made by the guys behind WordPress).


5. Install a security plugin to harden your website`s weakest spots.

A security WordPress plugin monitors your website 24/7 and ensures that you have all the data to properly harden the website`s open doors. This should be the no 1 tool in your arsenal against threads. There are a handful of great plugins that can protect your websites, like WordFence, iThemes Security, Shield Wp Security or Wp Defender. Here’s a nice list of WordPress security plugins prepared by our friends from Kinsta.

Check out this list of plugins which can scan your WordPress website for hidden malware

Hence, they can do things like analyzing site security, hardening, resolving issues, locking out IPs, scanning core files for changes, plugins and themes vulnerability scans, backups and even sending reports to email. So, wait no more and get one of these plugins up and running. You can thank me later.



6. Use a WAF (Website Application Firewall)

Paying for a Web Application Firewall is like hiring military protection, surveillance and intelligence for your WordPress site. This layer of security will defend the website against massive attacks, such as the dreaded Distributed Denial of Service Attack (DDoS) – big websites went down because of a DDoS attack (i.e. Twitter, SoundCloud, Spotify, Shopify and many others).

What options do you have? Well, you can either use a cloud-based service and I mention here Sucuri Firewall and Cloudflare. But you could also combine this tip with the previous one and use a security WordPress plugin with a Firewall feature. Two of the plugins which come with a firewall are WordFence and Shield WordPress Security. Hard to pick one? Just flip a coin! (just kidding)

Sucury Firewall Process of Protecting a Website


7. Disable direct browser access to directories and files

If someone manages to figure out the path to one of your website’s directories, then the Pandora box can be opened. In other words, a hacker may be able to access the folder via the browser and gain access to information such as folder structure, file contents, images, videos, etc – clearing the path to possible vulnerabilities.

My recommendation is to disallow direct file access. All you have to do is to add inside the .htaccess file the “Options -Indexes” (no quotations) statement. Simple like that!

This is acceptable on a local environment, but not on a live staging website!


8. Isolate the wp-config.php file

I consider wp-config.php to be the most important file of a WordPress site because it stores so many sensitive information(i.e. database name, user, and password, authentication keys, hashes, salts) and sets rules that WordPress uses for its core functionalities. It makes perfect sense to lock it under some sort of protection mechanism. Luckily, you can isolate it, making it impossible to be remotely executed, thus making it even harder to access. To achieve this, simply go to your WordPress installation folder and add this line inside the .htaccess file:

<files wp-config.php>
order allow,deny
deny from all

9. Set up Security Questions for the WordPress login screen

Just like banking and bank account related websites do, you too can add security questions to the WordPress login screen. You can do this very easily with the WP Security Question plugin. Once installed you will need to setup your security questions and secret answers by going to Settings > Security Questions. Don’t forget to enable security questions for your login, registration and password recovery screens. Neat!



10. Logout Inactive/Idle WordPress Users

You might want to restrict the amount of logged in idle time on the platform. I know you know those apps that warn you about inactivity before disconnecting you. You could do this with your website too. This prevents other people from hijacking your sessions while you are away from your computer. It`s easy to set it up by installing a plugin called Login Security Solution. Afterwards, go to Settings > Login Security Solution to configure it for your needs.


11. Disable XML-RPC if it’s not being used

XML-RPC is the core functionality that allows you to log into your website from the WordPress mobile app or other remote/cloud apps. It is also integrated into plugins like Jetpack, BuddyPress, and LibSyn. The XML-RPC implementation in WordPress is thoroughly tested and considered pretty secure, but it could still be part of a cracker`s checklist. In fact, there is an ongoing trend of increased attacks and methods that aim to abuse the XML-RPC feature.

Yet, if you are not using any kind software, other than WordPress itself, to log into your admin panel and none of the plugins that you need makes use of this functionality, then you are better off disabling XML-RPC for good.  There are different ways to disable XML-RPC, so here are three methods for you:

Disable XML-RPC Pingback plugin

This plugin will only remove the “pingback” feature in XML-RPC, making this form of attack ineffective. This is the most compatible solution if one of your plugins requires XML-RPC to work properly, but the security benefits are much less compared to the other methods.


Disable XML-RPC plugin

This plugin will completely disable XML-RCP, removing all of its vulnerable spots.

Via wp-config.php file

Dropping this line on your wp-config.php file will do the same as the plugin above, but will give you the option to implement conditional ways to enable or disable XML-RCP. Here is the line you will need to add:

add_filter('xmlrpc_enabled', '__return_false');

after the line:

require_once(ABSPATH . 'wp-settings.php');


12. Change or delete the “admin” username

Last but not least, make sure to change the “admin” username.

Maybe it’s not your case. WordPress figured out how to fix this. But there are still cases where the “admin” username is still in use or at least, still present in the database. You could use the Username Changer plugin. Simple and effective.


Summing Up

Hardening the security of your WordPress website should be one of your top priorities, especially if you’re already running a well-established site. It shouldn’t be that hard, as you already saw, some tips require a bit of code added there, some plugins installed. So added to your to-do list or get to work right now. “Plans are nothing; planning is everything.” – Dwight D. Eisenhower

Click to rate this post!
[Total: 1 Average: 5]

Madalin Tudose

A web developer with a crush on SEO. Having my skin in the game of website development and digital marketing for more than 10 years already, you might consider me an expert. At least this is what people call me. Honestly, I HATE that term. I prefer to describe myself as a person who takes action and risks. I test every hypothesis, document every step of the process, and implement what works.