Have you ever been hacked? Whether that’s a yes or a no, falling victim to a malicious hacker is one of the worst experiences you’ll ever have. I’ve been hacked before, and you don’t want to know how frustrating it is. How I wish I knew what I’m about to share with you today.

And what’s that? In today’s post, you and I cover a couple of security measures to protect your WordPress site from the bad guys. On top of that, we pepper the post with a couple of excellent WordPress security tools, so be on the lookout for that.

How to Secure Your WordPress Site

Before we go on, it’s important to keep in mind that securing your WordPress site is not a single process. Instead, WordPress security involves repeatedly doing many things right. And contrary to popular belief, protecting your WordPress site is simple.

Read on to learn how you can secure your WordPress site without breaking a sweat.

Update, Update & Update

I can’t emphasize this enough but running an out of date website makes it all too easy for attackers. Why do you think I was hacked? That’s right; I forgot to update one of my test sites. Now I know better; I use ManageWP to update all my sites in one fell swoop.

That being said, always use the latest version of WordPress to avoid attackers who exploit known vulnerabilities in older versions. Besides, a newer version of WordPress means new features, so you don’t have an excuse not to update.

Additionally, always remember to update your themes and plugins. I say this because all an attacker needs to wreak havoc on your site is a faulty theme or plugin. Updating your themes and plugins is as easy as clicking a button, and takes care of known security bugs among other things.

Aside: Never download premium plugins and themes from illegal download sites to save a quick buck. Only obtain WordPress products from where they are officially on sale or the respective WordPress repositories.

At the same time, updating WordPress, themes, and plugins isn’t enough. Go the extra mile and update your operating system, antivirus, and all programs on your computer. If a hacker installs a keylogger on your computer, they can steal your website login information at will. The best and only way to stop this kind of attack is to ensure your computer is up to date.

Keep Full and Regular Off-Site Backups

Creating backups will not necessarily keep the bad guys away, but should the worst happen, you won’t be forced to build your site from scratch. Keeping backups is a fallback security measure since you can restore your site immediately saving a lot of time and money.

It’s disappointing when I’m hired for some web design tasks and find out the client doesn’t keep backups. It’s a sad state of affair considering there are many backup plugins and services out there. Premium backup solutions include BlogVault, Sucuri, and VaultPress among others.

To be on the safe side, create full off-site backups regularly. If it’s your first time, a full off-site backup involves saving your WordPress files and databases on an external service, e.g., Dropbox, Google Drive, etc. Create backups regularly, say daily, weekly or monthly depending on how busy your site is.

Having backups running is great, but they are useless if they don’t actually work. Test your backups regularly, ensure your site can be restored from them in a test environment. There’s nothing more frustrating than needing the backup to find the process has broken down somewhere, and the backup is unusable.

Protect Your WordPress Login Page

Brute force attack is one of the most wicked ways attackers use to break into your site. The hacker bombards your login form with millions of username and password combinations until something gives.

To keep this kind of attack at bay, you can use a plugin such as iThemes Security or Loginizer. Both plugins have a unique feature that blocks or bans any user who uses wrong login credentials a specific number of times.

On top of that, you must create a strong and unique password that is hard to guess. And by the way, creating strong passwords goes beyond your website. You need to create strong and varying passwords for your hosting, email, FTP and all other online accounts.

One other way of making life miserable for brute force attackers is to change the URL of your login page. By default, you can access your admin area by pointing your browser to example.com/wp-admin or example.com/wp-login.php. Brute force attackers know this already, so customize your login URL using the iThemes Security plugin and throw them off.

And since brute force attackers rely on guessing usernames, you can force all users to log into your website using their email address instead of a username. This usually works because email IDs are harder to guess than usernames. For this, use a plugin such as Force Email Login. Also, never use admin as your username no matter what.

To harden your security even further, you can add a security question or reCAPTCHA to your login form. Enabling these features is easy since you need plugins such as WP Security Question and Invisible reCaptcha for WordPress. On top of that, allow 2-factor authentication (2FA) using the Google Authenticator plugin.

More WordPress Security Measures

Don’t click away yet, here comes more security measures to secure your WordPress site.

Install SSL

SSL (Secure Sockets Layer) encrypts the information sent between your website and the user’s browser. The technology makes it hard for hackers to steal or manipulate data submitted on your site.

Installing SSL is relatively easy and cheap, with most hosts offering free SSL certificates. The installation process varies depending on your server environment, so contact your host for help. At the end of the day, SSL certificates protect your data and boost customer confidence.

Secure Your WordPress Database

The database is an integral part of any WordPress site. If a hacker compromises your databases, they can cause a lot of damage. Well, there are two main ways to secure your WordPress database, but create a backup before you edit anything.

For starters, create a strong and unique password for your database. The secret is to use a combination of characters, but feel free to use an online password generator such as Secure Password Generator or LastPass.

Secondly, change your database prefix from the default wp- to something unique. Doing so protects your website from SQL injection attacks. You can change your database prefix easily with plugins such as iThemes Security and WP-DBManager.

Disable Directory Listing

Let’s try something together. In your browser, add wp-content/uploads to the end of your site URL, i.e., example.com/wp-content/uploads and hit the ENTER key. If you see a list of folders and files as shown in the screenshot above, you must disable directory listing.

Hackers exploit directory listing to find if you have any vulnerable files they can use to launch a tailor-made attack on your site. Also, anybody with an internet connection can view/steal your data, hotlink images, see your directory structure and so on.

Disabling directory listing is as easy as A, B, C. Find the .htaccess file in your WordPress root directory (the folder where your site lives) using FTP or via File Manager in your cPanel. Next, add the following code at the very bottom of your .htaccess file:

Options -Indexes

Save the file. Now, nobody can list your directories in a browser.

Move The wp-config.php File

The wp-config.php file lives within the WordPress root directory, and allows WordPress to store and retrieve data from the database among other things. As such, it’s an important file – the kind of file you want to hide from the bad guys.

But how do you hide wp-config.php without breaking your WordPress site? Luckily for you, the process is easy and does not involve coding. Just move the file to a higher level than your WordPress root directory.

Doing so makes the wp-config.php file inaccessible to attackers, and please don’t worry, WordPress will still see the file.

Disable File Editing in WordPress Admin

As an admin user, you can edit a lot of files right from within the WordPress admin dashboard. This includes your theme and plugin files. Now, if a hacker gets a hold of your login details, you’re roast goose since they can do whatever they want.

Unless, of course, you disallow file editing within the WordPress admin. To achieve this, add the following piece of code at the end of your wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

Set Proper Directory Permissions

As a beginner, directory permissions might sound all alien to you, but setting the proper permissions to protect your site needn’t be challenging. Setting the appropriate directory permissions is essential especially if you use shared hosting – where many users share the same server.

On shared hosting, an attacker can compromise your site even if it wasn’t the initial point of entry. But you can make things harder for them by setting the proper directory permissions. To protect your whole file system set the permissions as follows:

  • Set permissions to 755 for the root directory and,
  • 644 for files

You can set permissions using FTP or via File Manager in your cPanel. To learn more about WordPress directory permissions, check out this changing file permissions article on the Codex.

Final Words

WordPress security needn’t be challenging. If you need pointing in the right direction, create a checklist from this post and start from there. I recommend installing the iThemes Security plugin even though WordPress security goes beyond adding a security plugin.

How do you secure your WordPress site? Please share your favorite methods, suggestions, and thoughts in the comment section below.

What to hear about our latest deals and new posts? Subscribe below 👍


Posted by Freddy Muriuki

Experienced in WordPress, Freddy is a prolific blogger offering you exactly what you need to boost engagement on your WordPress-based business.