How to Improve the Security of your WordPress Site

by Sunny Hoi

This article seeks to inform you on how to improve the security of your WordPress site and does so by offering several security tips and measures.

According to a recent investigation, 73% of most popular WordPress websites are at risk of vulnerabilities which may be detected easily using automated programs. This should come as a no surprise since WordPress is the most popular blogging and Content Management System (CMS) on the internet today. Hence, it is crucial for a WordPress site owner to properly improve the security of their site.

Make sure your WordPress website and installed plugins, themes are currently up-to-date.

Many updates to the WordPress core and plugin, theme updates contain important security patches. The vulnerabilities in plugins and themes tend to be from older versions that have already been patched in newer versions. Individuals interested in hacking your website are able to use automated scanners and crawlers to find your WordPress core, plugin, and theme versions. Also, intruders would use those obtained versions of your website software, search in various online web vulnerabilities databases, and may be able to identify one or more vulnerabilities to your site. Sites like,, and list software version and vulnerabilities associated. People often put too much emphasis on trying to hide their software versions. No matter what, intruders are always capable of finding anything of interest to them security-wise if they put in the effort to. We don’t see Facebook or Google trying to hide crucial website infrastructures. Thus, put more effort into checking for updates to your website infrastructures. By not updating to the latest patches, you are putting your website and reputation at risk.

Again: Make sure to check for theme updates, VERY IMPORTANT.

People often overlook the fact that updates to your WordPress theme are extremely significant. Even the United States Federal Bureau of Investigation fails to notice and mention this in one of their recent public service announcements regarding ISIL taking advantage of WordPress vulnerabilities. Therefore, the attack vendor is not merely isolated to WordPress plugin vulnerabilities, but also vulnerabilities exploited in themes and brute force attacks directed at your WordPress admin login panel.

Disable plugins or themes that you don’t currently use.

Since you are not using the plugins or themes, you are mostly not going to place priority on whether you update them or not.

Limit the number of plugins you are using.

We already stated this in the previous bold sentence. However, even if you update all of your plugins you use no matter whether you use them or not, you are still placing your site at greater risk. Having installed too many plugins does not only open up more opportunities for the attacker, but can also slow site performance as well. Patched plugins may still be vulnerable. The attackers may be able to manage to exploit them through their own discovery or shared zero-day exploit among those in the hacker community. So stay vigilant.

Protect your website’s most crucial files using .htaccess.

You don’t have to make too many hardening changes to WordPress. But one that is recommended is to hide your wp-config PHP file since it contains many details regarding security. You can hide it by adding the code below here to your .htaccess:

<files wp-config.php>
 order allow,deny
 deny from all

Limit access to your wp-admin directory.
You can create a new .htaccess file in your wp-admin folder and then add the code below:

order deny,allow
allow from your IP address
 deny from all

Replace “your IP address” with your own IP. Additionally, you may allow other IP addresses access to the wp-admin login-in panel by adding another allow from IP address on a new line.

Audit your plugins and themes.

Check for the reviews of the plugins and themes you are using or interested in using. See what comments are written. If a theme or plugin has dozens of one-star reviews and rarely any four or five-star reviews, then it is probably best to not install it. Also, check to see if these plugins and themes are being regularly updated. A plugin or theme which is not being updated or continually supported by it’s developer is clearly a “no install”.

Enable two-factor authentication for all users.

A great way to prevent brute force attacks and thus, successful infiltration is to enable two-factor authentication. When this is enabled, you will be required to enter an authentication code in addition to your password. Use Clef or Google Authenticator to achieve this.

Enable HTTPS on login and admin access pages.

Force enable HTTPS on your login and admin access pages to reduce the chances of man-in-the-middle attacks.

Download only from official sources.

Download your plugin and patches from the official WordPress website onlyThe same goes for themes. Download only from the official developers and repositories. Any pirated theme or patch can potentially jeopardize the security of your site. They tend to come with backdoors, unwanted advertisements, and malware. By downloading “nulled” plugins and themes, you are permitting criminals to compromise your site, and it’s visitors. Support the developers and buy the software directly from them.

Don’t only retain the “update” mentality.

In this age of the internet, we should not only be concerned with keeping things up-to-date. We have to check server logs, dashboard logs, and firewall logs. This means there should be constant monitoring of not only the web application but also the server in which the website is hosted on. Even the most secure website can still be compromised successfully without diligently checking the logs on a regular basis.

Use strong passwords and change them frequently.

A combination of symbols, letters, and numbers in your password will make it much difficult for the intruder to brute force or guess. Free password generators like LastPass and Norton Password Generator can help accomplish this task.

Make sure you are using anti-virus software on your computer and confirm that your operating system and applications are running the latest versions.

Use anti-virus software and scan your computer on a regular basis. Nowadays, free anti-virus like FortiClient, Sophos Home, and AVG offer enterprise-grade protection or consumer-grade protection. Additionally, ensure that your operating system and applications are using the most recent versions.

Go to WordPress’s official Hardening WordPress guide to check for additional hardening methods that you are interested in.

While the security advice given here is enough to protect your WordPress site, you may be interested in hardening your WordPress security even further. If this is the case, then refer to here.



Related Posts