WordPress is a popular CMS, but its widespread use makes it a common target for cyber attacks. To keep your WordPress site secure, follow these specific guidelines:
- Use HTTPS
- Regular Updates
- Use Strong Passwords and Different Default Username
- Use Two-Factor Authentication
- Protect wp- config and includes
- Regular Backups
- Monitor Activity
Use HTTPS
Make sure your website uses HTTPS in its URL and not just HTTP. It can appesr as a padlock before the URL in some browsers. HTTPS encrypts the data exchanged between your website and its visitors, safeguarding sensitive information like login credentials and payment details. You can get an SSL certificate from your web host or a trusted certificate authority to enable HTTPS.
You can also use HTTPS and verify its usage with the Really Simple SSL plugin for WordPress.
You can install it with our How to Install a WordPress Plugin article, manually or from your dashboard. After installing and activating the plugin, it automatically detects your SSL certificate and configures your website to use secure connections, handling the necessary changes to your site’s URLs and settings and ensuring that all content is served securely without requiring manual adjustments. This not only protects your visitors’ data but also boosts your site’s credibility and search engine ranking.
Update Regularly
Ensure that your WordPress core, themes, and plugins are always up-to-date. Updates often include security fixes that address known vulnerabilities.
Use Strong Passwords and Change Default Usernames
Set strong, unique passwords for all user accounts, including your website’s admin panel and email, and change the default “admin” username to something less predictable.
Enable Two-Factor Authentication (2FA)
Add an extra layer of security by enabling two-factor authentication (2FA). This requires you to enter a code sent to your phone or generated by an app, in addition to your password, making it harder for unauthorized users to gain access.
Protect wp-config.php and wp-includes
The official doc on wordpress.org (https://developer.wordpress.org/advanced-administration/security/hardening/) recommends protecting wp-config and wp-includes:
Protect wp-config.php:
<Files “wp-config.php”> Require all denied </Files>
Protect wp-includes by including before BEGIN WordPress:
Block the include-only files.
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ – [F,L] RewriteRule !^wp-includes/ – [S=3] RewriteRule ^wp-includes/[^/]+\.php$ – [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L] RewriteRule ^wp-includes/theme-compat/ – [F,L] </IfModule>
This prevents unauthorized users from accessing critical WordPress files.
Correct File Permissions
Ensure directories have 755 permissions and files have 644 permissions. Many FTP clients and web hosts allow you to check and modify this within the File Manager tools. This limits write access to essential files and directories only.
Regular Backups
Implement a reliable backup solution that includes regular backups of your WordPress files and database in the event of any issue or hack. Store copies of backups in a secure, offsite location.
Monitor Activity
Use security plugins and tools in your web host to monitor login attempts, detect malware, and track changes to your site. Regularly review logs for any attacks or unusual activity.