Md Obydullah Follow I'm Md Obydullah. I build open-source projects and write about Laravel, Linux server, modern JavaScript and web development.

The Powerful WordPress Security Guideline – Simple Tricks

Last modified on March 9, 2019 5 min read

Every website owner has the main headache about the security of their website. We can easily build a website but security is the main issue. To protect our website from the hackers we need to pay attention to this matter. Do you know how many websites are blacklisted for malware and phishing in a week? It’s around 20K for malware and 50K for phishing.

Notice: if you didn’t read this article yet, please read this article first: The Powerful Professional Blog Guideline For Beginners.

List of Security Methods

Basic Methods
Choose Good Hosting
Install Security Plugin
Backup Your Website
Keep Your WordPress Up-to-Date

Advanced Methods
Forbid Execution of PHP Files
Limit Login Attempts
Prevent from Directory Indexing and Browsing
Disable File Editing
Use Strong Username & Password
Disable XML-RPC
Use Custom Database Prefix
Use 2-Factor Authentication
Change Your Login URL
Remove WordPress Version Number
Add Captcha or Security Question to Login

Now, Let’s start.

Choose Good Hosting

The initial task is to choose best web hosting. You can use shared web hosting or managed WordPress hosting. I would like to suggest you not to use managed WordPress hosting. There are some problems. Initially, you can buy shared hosting. Then you can upgrade it to VPS or Dedicated. The best shared hosting providers are BlueHost, HostGator and SiteGround.

[ Jump to List ↑ ]

Install Security Plugin

By installing security plugin you can secure your WordPress website. To keep secure there are many plugins are available. Have a look at some plugins:

1. Wordfence Security

Wordfence Security
Wordfence Security is the best among all security plugins.It sends the security alert to your email if found any unusual activities on your website. It won’t slow your website. If your website has been hacked, you can easily clean your site. You can read this article clean your hacked WordPress website. It has also two version. One is free another is premium.

Active installs: 2+ million
Average Rating: 4.8 out of 5 stars

Download Free Get Premium

2. iThemes Security

iThemes Security
To protect any site iThemes Security (formerly Better WP Security) provides 30+ ways. Some features are: Two-Factor Authentication, WordPress Salts & Security Keys, Malware Scan Scheduling, Online File Comparison, Google reCAPTCHA, wp-cli Integration, Temporary Privilege Escalation, Password Expiration etc.

Active installs: 800,000+
Average Rating: 4.7 out of 5 stars

Download Free Get Premium

3. All In One WP Security & Firewall

All In One WP Security & Firewall
This plugin is also provides some great features. Some of them: User Login & Registration security, Database security, Blacklist, wp-config.php and .htaccess backup, firewall, Brute force security, Security scanner etc.

Active installs: 500,000+
Average Rating: 4.8 out of 5 stars

Download Free

4. Sucuri Security

Sucuri Security
Sucuri provides seven key features:

* Blacklist Monitoring
* Effective Security Hardening
* Post-Hack Security Actions
* Security Notifications
* Security Activity Audit Logging
* File Integrity Monitoring
* Remote Malware Scanning

Active installs: 300,000+
Average Rating: 4.6 out of 5 stars

Download Free

5. BulletProof Security

BulletProof Security
BulletProof Security provides Firewall Security, Login Security, Database Security & Backup. Pro version provides
more security.

Active installs: 100,000+
Average Rating: 4.7 out of 5 stars

Download Free [ Jump to List ↑ ]

Backup Your Website

This is very important to take backup of your website. You can backup of your website in many ways. You can take backup via CPanel or using backup plugins. To take backup quickly and easily, you can use backup plugins.

Now, I want to introduce with the best free backup plugin. The plugin name is UpdraftPlus WordPress Backup Plugin. This plugin provides two version. One is free, another is premium.

UpdraftPlus WordPress Backup Plugin
It’s an amazing plugin. You can backup into the cloud server using this. Supported cloud servers are Dropbox, Google Drive, Amazon S3 (or compatible), Rackspace Cloud, DreamObjects, FTP, Openstack Swift, UpdraftPlus Vault and email. Premium version backup into Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, SFTP, SCP, and WebDAV.

Active installs: 1+ million
Average Rating: 4.8 out of 5 stars

Download Free Get Premium [ Jump to List ↑ ]

Keep Your WordPress Up-to-Date

Always try to use updated version. In eash new version they enhance existing features and improve performance. Before updating any plugin or WordPress version, don’t forget to take full backup.

Why should I use updated version?
– You should use updated version because of:
1. Security
2. Bug Fixes
3. Speed up
4. Compatibility
5. Awesome New Features

If you want you can also enable auto updates. To enable WordPress core update, add the following code to your wp-config.php file.

define('WP_AUTO_UPDATE_CORE', true);

To enable themes and plugins auto updates, add the following code to your theme’s functions.php file.

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
[ Jump to List ↑ ]

Forbid Execution of PHP Files

First create a .htaccess file. Write this 4 lines of code to your .htaccess file to disable PHP execution. Then upload this file to three directory of your WordPress site.

1. /wp-includes
2. /wp-content/uploads
3. /wp-content

You can use File Manager or FTP to upload the .htaccess file.

<Files *.php>
Order allow,deny
Deny from all
</Files>
Read More: How To Disable Execution of PHP Files in Specific WordPress Directory

[ Jump to List ↑ ]

Limit Login Attempts

By default, WordPress enabled unlimited logins. If a user enters wrong the password, the user can try to login as many times. Hackers may take this facility to hack your website. To protect your website from brute force attacks, you need to limit the login attempts.

You can easily set up this security. Just download and active Login LockDown plugin. After activating, go to Settings » Login LockDown and setup.

LockDown Settings

Read More: Why You Should Enable Limit Login Attempts In Your WordPress

[ Jump to List ↑ ]

Prevent from Directory Indexing and Browsing

Easily we can disable this. We are going to disable this via .htaccess file. Okay just follow this steps.

First, login to your CPanel. Open file manager. Or, you can use FTP client. You can use FileZilla – The free FTP solution.

Once you connected with FTP, go to the root of your website’s directory. If there is a .htaccess file, edit the file. Or if there is no .htaccess file, just create a file named .htaccess. Then edit the file.

Now at the end of your .htaccess file, add this line.

Options -Indexes

Don’t forget to save the .htaccess file before closing.

Read More: Why and How to Prevent Directory Browsing in WordPress

[ Jump to List ↑ ]

Disable File Editing

Normally using WordPress’s editor, we can easily edit the theme and plugin’s files. To keep secure our website we need to desible this tool. To hide this, go to file manager and open wp-config.php and write the following code.

define( 'DISALLOW_FILE_EDIT', true );

Before closing, don’t forget to save the wp-config.php file.

Read More: How To Disable File Editing In WordPress And Secure Your Website

[ Jump to List ↑ ]

Use Strong Username & Password

Yes, it’s another fact. Use of unique and strong password is one of the most necessary thing.To gain access to your website hackers run scripts trying random username and password. It’s brute-force type of attack.

Never use the default “admin” or similar username. Always change it to something that is random and/or difficult to guess.

[ Jump to List ↑ ]

Disable XML-RPC

In WordPress 3.5 version, just paste this code in a specific plugin.

add_filter('xmlrpc_enabled', '__return_false');

You can also intall a plugin called FileZilla to disable XML-RPC.

You can also write this folowing code in .htaccess file to disable XML-RPC. Just copy-paste this code in your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
[ Jump to List ↑ ]

I hope this article will help you. You can also read this article Must-Have Powerful Plugins for Every WordPress Websites.

You're welcome to suggest any article to write!

Md Obydullah Follow I'm Md Obydullah. I build open-source projects and write about Laravel, Linux server, modern JavaScript and web development.

Leave a Reply

Your email address will not be published. Required fields are marked *