How to Secure Wordpress: Effective and Advanced Techniques

Wordpress is the most popular platform in the world for websites and is also one of the most hacked platforms.

Sadly, I have experienced multiple hacked and malware-injected sites, and the headaches of dealing with them are still lingering. It's not only difficult to restore your site and plug the security holes; the website and business also grind to a halt with no traffic, as Google had identified the hacks and malware and the site received no traffic from Google Ads (see our article) and lost ALL organic traffic, because a full-screen warning was displayed before anybody could visit our site from Google.

We wanted to share with you the most effective and advanced methods for securing your Wordpress site better.

Advanced Security Tips

Lock Server File & Folder Permissions

One of the most common outcomes of a hack is that the attacker finds a security hole (usually in a plugin) and writes to files on the server to inject code or redirects. If the web-server user cannot write to the WordPress files and directories, a successful exploit cannot change your code. Lock the permissions (files read-only, directories traverse-only, wp-config.php readable only by its owner), and since the uploads folder is the one place that legitimately needs writing, consider locking it too and keeping a small unlock step that you run only after you have verified who you are and that you actually need it. Also make sure PHP is never executed from inside uploads, because a web shell uploaded as an "image" is the classic next step after any upload bug.
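The lock/unlock routine described above, as an added example (not code from the original article). It assumes the WordPress tree is owned by a deploy user that runs the script, that the web server runs as a different user needing only read access, and that Apache 2.4 honours .htaccess (nginx needs an equivalent location deny rule for PHP under uploads):

```sh
#!/bin/sh
# Added example: lock a WordPress tree read-only, unlock it for maintenance,
# and report which state it is in. Paths and the user layout are assumptions.
set -eu

# Deny PHP execution under wp-content/uploads in both states: a web shell
# uploaded as "image.php" is the classic follow-up to any upload bug.
# Written before the directories are made read-only.
uploads_no_php() {
  up="$1/wp-content/uploads"
  [ -d "$up" ] || return 0
  chmod u+w "$up"   # a previous wp_lock may have left it 555
  printf '%s\n' '<FilesMatch "\.(php|phtml|phar)$">' '  Require all denied' '</FilesMatch>' > "$up/.htaccess"
}

# wp_lock ROOT: files 444, wp-config.php 400 (it holds the database password),
# directories 555 (uploads included). A compromised plugin can then not modify
# core, theme or plugin files; media uploads and auto-updates also stop until wp_unlock.
wp_lock() {
  uploads_no_php "$1"
  find "$1" -type f -exec chmod 444 {} +
  if [ -f "$1/wp-config.php" ]; then chmod 400 "$1/wp-config.php"; fi
  find "$1" -type d -exec chmod 555 {} +
}

# wp_unlock ROOT: the usual 755/644 layout for maintenance (updates, uploads);
# wp-config.php stays owner-only at 600. Run wp_lock again when you are done.
wp_unlock() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# wp_state ROOT: prints "locked" when no file under ROOT carries the owner-write
# bit. Useful as a cron check so a forgotten unlock does not stay open for weeks.
wp_state() {
  if [ "$(find "$1" -type f -perm -200 | wc -l)" -eq 0 ]; then echo locked; else echo unlocked; fi
}

# Usage: ./wp-perms.sh lock|unlock|status /var/www/example.com  (path is an assumption)
if [ "$#" -eq 2 ]; then
  case "$1" in
    lock)   wp_lock "$2" ;;
    unlock) wp_unlock "$2" ;;
    status) wp_state "$2" ;;
    *) echo "usage: $0 lock|unlock|status ROOT" >&2; exit 2 ;;
  esac
fi
```

Ownership matters as much as mode bits: if the PHP process owns the files, it can chmod them back, so keep the files owned by the deploy user and give the web-server user read access only. Lock again straight after every update or upload session.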

Lock Database Tables

The same idea applies to the database. At minimum, give the WordPress database user only the grants it needs (SELECT, INSERT, UPDATE and DELETE on the site's own database, nothing global such as FILE or SUPER) so an injection cannot read other databases or write files. For a locked period you can go further and swap in a read-only database user, which stops hacks that insert redirects into posts or create new admin users. Be aware that WordPress writes to the database on almost every request (options and transients, cron, comments, sessions), so a fully read-only database breaks the admin area and most plugins; treat it as a short emergency measure rather than a normal state.

Firewall

  • Block access to the site from countries you do not do business with (this cuts noise, but it is not a real control: attackers use proxies and botnets everywhere).
  • Restrict wp-login.php and /wp-admin/ to office IPs, a VPN range, or a cookie or header that identifies employees; leave wp-admin/admin-ajax.php reachable, since front-end plugins call it for anonymous visitors.
  • Put a web application firewall in front of the plugins and pages that accept user input (forms, logins, search, comments).
  • Block requests carrying obvious payloads in user input: script tags, SQL fragments, path-traversal sequences, and URLs in fields that should never contain them.
  • Enable managed rules for known WordPress attacks (for example Cloudflare's WordPress firewall rule set) and keep them updated.

Disable XML-RPC and APIs

If you do not use XML-RPC (the older remote API used by the mobile apps, Jetpack and some publishing tools) or the REST API from outside the site, which most sites do not, restrict them. XML-RPC is worth blocking outright at the web server (a 403 on /xmlrpc.php): its system.multicall method lets one request bundle many login attempts, which brute-force tools have abused, and its pingback method has been used for reflected denial-of-service attacks. Note that the WordPress xmlrpc_enabled filter only switches off the methods that require authentication, not the endpoint itself, so a plugin or filter alone may leave it answering. The REST API cannot be switched off completely without breaking the block editor and the admin area; instead require authentication for it (the rest_authentication_errors filter) or at least close the /wp-json/wp/v2/users endpoint, which otherwise lists your usernames to anyone and feeds brute-force attacks.

Base Security Tips

2FA Admin Login

Require a second, one-time code (two-factor authentication) after the username and password when logging in to the backend, as an extra form of login security. An authenticator app or hardware key is preferable to SMS codes, which can be intercepted or SIM-swapped, and 2FA should be mandatory for every Administrator and Editor account, not optional.

Block Brute Forcing

Monitor WordPress, server SSH and FTP logins for repeated failed attempts from the same address and block that address once a threshold is passed (fail2ban does this from the logs; a plugin or the firewall can do the same for wp-login.php). Prefer SFTP or SSH keys over plain FTP, which sends passwords in clear text.
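Detection logic for the monitoring step above, as an added example that is not part of the original article: it counts failed logins per source address in a web-server access log (Apache/nginx combined format) and in the stock OpenSSH auth log, then emits block rules. The log lines are constructed for the demo and the iptables command is an assumption about the host firewall:

```sh
#!/bin/sh
# Added example: brute-force detection over sample log lines. Not code from the
# original article; the sample logs below are constructed.
set -eu

SAMPLE_ACCESS_LOG=$(cat <<'EOF'
198.51.100.23 - - [10/May/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [10/May/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
192.0.2.5 - - [10/May/2024:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:10:05:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.50 - - [10/May/2024:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
EOF
)

SAMPLE_AUTH_LOG=$(cat <<'EOF'
May 10 10:02:11 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 10 10:02:13 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 10 10:02:15 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 10 10:02:17 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May 10 10:03:40 web1 sshd[2230]: Failed password for deploy from 198.51.100.8 port 40022 ssh2
May 10 10:03:45 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.8 port 40022 ssh2: ED25519 SHA256:abc
EOF
)

# wp_login_failures LOGFILE MIN: a failed WordPress login re-displays the form with
# HTTP 200, a successful one redirects with 302, so "POST /wp-login.php ... 200" is
# a failure. POSTs to xmlrpc.php are counted too, since one request can bundle many
# guesses via system.multicall. Prints "IP COUNT" for addresses at or above MIN.
wp_login_failures() {
  awk -v min="$2" '
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" | sort
}

# ssh_failures LOGFILE MIN: count sshd "Failed password" lines per source address.
ssh_failures() {
  awk -v min="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" | sort
}

# drop_rules: turn "IP COUNT" lines on stdin into firewall commands. They are
# printed, not executed, so they can be reviewed; pipe into sh to apply.
drop_rules() {
  awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $1 }'
}

# Demo on the constructed samples.
demo() {
  a=$(mktemp); s=$(mktemp)
  printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$a"
  printf '%s\n' "$SAMPLE_AUTH_LOG" > "$s"
  echo "WordPress login brute force (>= 5 failures):"
  wp_login_failures "$a" 5 | drop_rules
  echo "SSH brute force (>= 3 failures):"
  ssh_failures "$s" 3 | drop_rules
  rm -f "$a" "$s"
}
demo
```

In production the same thresholds belong in a fail2ban jail with a time window and an automatic unban, so a customer who mistypes a password a few times is not locked out for good; this script shows the decision logic those jails encode.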

Captcha

Add a CAPTCHA to login, registration, password-reset and contact forms. It slows automated password guessing and form spam; it does not stop a targeted attacker, so keep 2FA and rate limiting in place as well.

Change Database Prefix

Don't keep the defaults when you set up WordPress: choose a non-default table prefix (the table_prefix setting in wp-config.php) instead of wp_. This only defeats unsophisticated injection scripts that hard-code names such as wp_users and wp_options, so treat it as a minor extra rather than a real control.

Daily Backups

Back up your files and database daily (or at least regularly), keep copies off the server so an attacker with shell access cannot delete them, and test a restore before you need one. A clean backup also lets you diff the hacked site against a known-good copy to see exactly which files or database rows were changed.

Don't Use "admin"

Never use admin as your login username; it is the first name every brute-force tool tries. Bear in mind that author pages and the REST API can reveal real usernames, so the login name is not a secret on its own.

Education & Security Policies

Make sure employees who log in to WordPress are taught the best practices: unique passwords kept in a password manager, 2FA, recognising phishing pages that imitate the login form, and not installing plugins without review.

Force HTTPS

Serve every page over HTTPS with a redirect from HTTP, enable HSTS, and set FORCE_SSL_ADMIN in wp-config.php so login cookies are never sent in clear text; this reduces man-in-the-middle attacks such as session-cookie theft on public Wi-Fi.

Hide Admin Login

Change your wp-admin login URL to a non-guessable one, for example site.com/try47hfjrueiejfhry. This is obscurity only: it cuts automated noise, but the real login still exists and can leak through redirects and plugins, so combine it with the IP allowlist and 2FA above.

Hide Wordpress Version

Hide the WordPress version so attackers cannot immediately pick exploits for it. Removing the generator meta tag is not enough: /readme.html and the ?ver= query strings on enqueued scripts and styles reveal the version too, and scanners also fingerprint core files, so this buys little time. Staying updated is what actually matters.

Implement CSP

Implement a Content Security Policy at the server level (a Content-Security-Policy response header) as an extra layer that detects and reduces cross-site scripting (XSS) and data injection by restricting where scripts, styles and frames may load from. Roll it out as Content-Security-Policy-Report-Only first: WordPress themes and plugins commonly rely on inline scripts, and a strict policy applied blindly will break the admin area.
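An external check for the XML-RPC/API, version-hiding and CSP points above, as an added example that is not part of the original article. The classify_* functions read raw "curl -si" output from a file so they can run offline on saved responses; audit_site fetches the responses live. The hostname and the exact reply formats (which are the stock WordPress ones) are assumptions:

```sh
#!/bin/sh
# Added example: audit a site for XML-RPC exposure, REST user enumeration,
# the generator version leak and the CSP header. Not code from the original article.
set -eu

http_status() { head -n 1 "$1" | awk '{ print $2 }'; }

# classify_xmlrpc FILE: response to POST /xmlrpc.php with a system.listMethods call.
# "exposed" = 200 with a non-fault methodResponse; a 403/404 from the web server,
# or a fault returned by a blocking plugin, counts as "blocked".
classify_xmlrpc() {
  if [ "$(http_status "$1")" = 200 ] && grep -q '<methodResponse>' "$1" && ! grep -q '<fault>' "$1"; then
    echo exposed
  else
    echo blocked
  fi
}

# classify_users FILE: GET /wp-json/wp/v2/users. A 200 listing "slug" values hands an
# attacker the login names to brute-force; expect 401/403 or an empty list instead.
classify_users() {
  if [ "$(http_status "$1")" = 200 ] && grep -q '"slug":' "$1"; then echo enumerable; else echo protected; fi
}

# classify_generator FILE: GET /. The generator meta tag is the most obvious version
# leak (readme.html and ?ver= on assets are the others).
classify_generator() {
  if grep -q 'name="generator" content="WordPress' "$1"; then echo leaks-version; else echo hidden; fi
}

# classify_csp FILE: which CSP header, if any, the home page sends.
classify_csp() {
  if grep -qi '^content-security-policy-report-only:' "$1"; then echo report-only
  elif grep -qi '^content-security-policy:' "$1"; then echo present
  else echo missing
  fi
}

# audit_site BASE_URL: fetch the responses and classify them (needs network access).
audit_site() {
  base=${1%/}; d=$(mktemp -d)
  curl -s -i -X POST -H 'Content-Type: text/xml' \
    --data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' \
    "$base/xmlrpc.php" > "$d/xmlrpc"
  curl -s -i "$base/wp-json/wp/v2/users" > "$d/users"
  curl -s -i "$base/" > "$d/home"
  echo "xmlrpc.php:         $(classify_xmlrpc "$d/xmlrpc")"
  echo "wp/v2/users:        $(classify_users "$d/users")"
  echo "generator meta tag: $(classify_generator "$d/home")"
  echo "CSP header:         $(classify_csp "$d/home")"
  rm -rf "$d"
}

# Usage: ./wp-audit.sh https://example.com   (example.com is an assumption)
if [ "$#" -eq 1 ]; then audit_site "$1"; fi
```

Run it from outside your own network so that IP allowlists at the firewall do not mask what an attacker sees, and re-run it after every plugin change: a plugin update can quietly re-enable XML-RPC or drop the header you configured.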

Limit User Input

Limit what users can submit to the server: maximum lengths (for example, at most 20 characters for a name in a contact form), expected formats, and allowed file types and sizes for uploads. Validate and sanitize everything again on the server side, because client-side limits are trivially bypassed.

Limit User Roles

Give each staff account the least role it needs when logging in to the backend (Subscriber, Contributor, Author or Editor), and reserve Administrator for the few people who must install plugins or change settings.

Limit Access in Company

Limit access to only the specific staff who need it, and remove accounts promptly when people leave or change role.

Log Everything

Log every page view and admin action on the site and server (web-server access logs, PHP errors, an activity-log plugin for backend changes) and ship the logs off the server, so an intruder cannot erase the evidence and you can reconstruct what happened and improve your defences. Never log passwords or session tokens.

Regularly Change Logins & Review Access

Regularly rotate admin credentials and API keys, and review which employees still need access.

Remove Unneeded Plugins

Schedule a regular review of plugins and remove what is not needed. Delete them rather than merely deactivating: a deactivated plugin's files still sit on disk and can be reached directly. In short, the less third-party code you run, the smaller the attack surface.

Secure Host & Server Updates

Keep the host software (PHP, the web server, the database and the operating system) patched and on supported versions; an unpatched PHP or an exposed database port undermines everything you do inside WordPress.

Update Wordpress and Plugins

Regularly update WordPress core, plugins and themes; most WordPress compromises come through known, already-patched plugin vulnerabilities. Enable automatic updates at least for minor core releases, and test major updates on a staging copy first.

Use Secure Passwords

Use very long, unique passwords for every login (WordPress, hosting panel, SSH, database, FTP): upper and lower case letters, digits and symbols, at least 15 characters, generated and stored in a password manager. Never reuse a password between sites, because credential-stuffing attacks replay leaked passwords against WordPress logins.

Use Security Plugins

Install reputable third-party security plugins (malware scanning, file-integrity checks, activity logging) to help you monitor your site and code. They run inside the same PHP process as everything else, so treat them as a detection aid, not a substitute for the server-level controls above.

Wordpress Security Slide

Here's our slide - View Here
