D5 Creation Blog

20 Ways to Harden The Security of Your WordPress Site

Are you at risk while using WordPress for your business?

This blog will help you adopt the best ways to harden the security of your reputed sites. Additionally, it is essential to take appropriate measures and ensure high-end security or else, it can cost you a huge loss of visibility and revenue too.

As the WordPress owns a valuable market share, it brings additional security concerns.

Follow the complete guide below to know what you can do to boost the security of your WordPress sites and prevent them from getting hacked or become the next victim of malware attack.


WordPress Risk and Security issues

WordPress is used nearly by 75 million websites all around the world. So we can say that it powers 27% of the top 10 million websites, holding 58% of the market share of all the sites using CMS.

Looking at these stats, security has become the most critical part of WordPress project as a whole.

It becomes difficult to enable 100% security. But yes, what you can achieve is reduction that applies a good balance between risk and security issues.

WP Security

Top 20 ways to harden WordPress Security


Use WordPress Security Plugins

Have you missed the favorite security plugins? Let’s discuss.

Sucuri and Wordfence are the best WordPress security plugins that come 100% free to all the WordPress users.

Wordfence Security comes with the wide range of features Scheduled Scans, Two-factor authentication, Country Blocking, Checking website IP address is not spam and much more.

Sucuri Security handles issues such as File Integrity Monitoring, Security Notifications and Website Firewall.

These plugins play a remarkable role in hardening security of your sites. So, if your hosting provider doesn’t have comprehensive security solutions, installing one of these plugins can offer a helping hand to reduce attacks risks.


Use Smart Usernames and Passwords

It is always recommended to use smart passwords and usernames which are not easily recognizable by the brute-force attacker.

WordPress has a plugin namely Force Strong Passwords which forces one to use passwords that are extremely difficult to be guessed.

Weak passwords are the easiest ways to get into the WordPress installation and exploit the valuable content of your site.

So, in case if the hacker reaches your login page and tries to get control over your site such passwords can alert you from next big attack!


Check File Permissions

Every file has different permissions to read, write and modify. Out of these permissions, be careful enough to allow readable permission and restrict the writable permission to the admin user.

Any intruder can get into your files and modify them by writing into certain WordPress directories.

Access to your site by appropriate file permissions will not only save you from vulnerable attacks but also allows you an opportunity to keep an eye on the content security too.

You can go through the WordPress Codex which is a complete guide for changing file permissions and detailed settings to perform it?


Block bad BOTs

WP Bots

Bad bots are a single automated system that goes against the rules. They are malicious patterns which originate from a single IP address in a short span of time stealing maximum bandwidth.

It is necessary to block such bad bots otherwise may result in decreasing the bandwidth and can affect the Google rankings of your WordPress website.

There have been instances who have stolen content outranking the originals on Google search pages such as product reviews, product catalog, and trending news.


Always Backup your site

This is the most recommended and trusted method to restore your site. Above all, it is a prerequisite to backup your site so that you may not regret later in case of a malicious attack.

WordPress plugins like BackWPup and VaultPress provide the site and database backup on regular basis.

BackWPup saves the complete installation including /wp-content/ and pushes them to Dropbox creating a backup.zip file.

VaultPress is another such plugin that backs up every post comment dashboard setting on the servers.

Imagine a situation when you come to know that the entire database is affected by malware, but you can immediately roll back to the site using your daily backups.


Ensure Database Security

To protect your database you need to change the table prefix.

The default table prefix for any WordPress is wp_. You can make any changes and keep the name of your choice so that no hacker can get into your site and access personal details.

You can change the table prefix at the time of WordPress installation making it harder to guess. Use WordPress plugins like Sucuri Security to change the table name prefix or can also change via phpMyAdmin.


Disable File Editing

By default, anyone can see the editor theme in the WordPress dashboard.

But have you ever thought to disable the edit option so that no one can see it?

A hacker who enters your website through brute force attack can make unwanted changes in files or themes putting the extra code.

So, disable file editing can be safe step to avoid such problems and harden your WordPress site security. You can add the following line of code in wp-config.php to disable file edit.


Lockdown phpMyAdmin

phpMyAdmin is a PHP script giving the ability to interact with MySQL databases which are used by WordPress to handle like posts, comments, categories etc. with the site.

There will be a bunch of crucial information stored in your website database, therefore make sure you use the current version of phpMyAdmin to avoid malicious attacks which can harm the performance of your site.

Please note, if the tool phpMyAdmin is an older version of your WordPress site there are more chances that a hacker might exploit the database and steal personal content.


Secure HTTP headers

This method is all about adding another layer of security to the make the site more robust. It needs a minor change in the web server configuration which adds a security layer while transferring information on the web.

The WordPress plugins like HTTP Headers offer the various policies which can be implemented to enable secure headers over the web.

These headers are used to transfer technical information like how the browser should cache content, what type of content it is, the software running on the server and much more. It offers various policy such as

  • Content –Security
  • X-XSS- Protection
  • Strict-Transport-Security

For example, by using the strict-transport-security policy you can force the browser to communicate solely over HTTPS.


Use SSL certificates

SSL stands for secure socket layer. It works by encrypting the information which is passed between the server and the browser rather than having it as just plain-text.

There are Free SSL Certificate Providers like Let’s Encrypt. DirectAdmin, cPanel Hosting Panels also offer Free SSL. You may also get Free SSL from CloudFlare Free Plan. If your site accommodates sensitive data such as name, address, credit card details and passwords, you may want to adopt SSL protection. Without it, your user’s information can be easily compromised.


Secure Login screen with CAPTCHA & reCAPTCHA

Adding CAPTCHA & reCAPTCHA  gives added protection against spam registration and brute force login attempts.

Moreover, you can avoid automated bots by adopting CAPTCHA & reCAPTCHA for your login screens.

You need to add the Better WordPress reCAPTCHA plugin to enable secure login page for the users.

Consider a scenario, if the attacker tries to invade the site by guessing multiple passwords, this feature will immediately block the spam users.


Enable Secured connections

Secure File Transfer Protocol (SFTP) is a network protocol used for transfers. It is highly secure in compare to Standard FTP. It provides an encrypted layer over the important credentials before transferring it to the network.

To use SFTP you need to configure the WordPress account with the FTP client installed. If you are using an FTP client, the default port number for SFTP is 22.

For example, if you surf your website from a different PC the web host does not enable a secure FTP connection; which automatically increases the chances where a third party can steal your secret data across networks.

Use WordPress plugin SSH SFTP Updater Support plugin for problem free SFTP connections in your website.

This will make your client server connection secure no matter wherever you host your site.


Lockdown WordPress Login page

The most efficient way to handle brute force attack is to protect the login page itself. This feature helps to prevent the attacker from reaching the login page.

Locking down the /wp-admin login page is the easiest way to implement. There are a number of plugins available that are used to Limit Login Attempts by a user and thereby keep a track record of failed attempts.

You can use WPS Hide Login to hide login URL from brute force attackers.

In case, if a site cracker tries series of passwords or gets into the site, it will block the IP address of that particular site.


Put WordPress Version number out of sight

By default, WordPress version number leaves its footprints for the sake of hacking. Hiding the WordPress version is the easiest way to enable site security.

Using an older version of WordPress is a bit threatening as any malware attacker can get into your site without any efforts.

An updated version of a proper security solution is always preferable.

If you do not hide the version number, by default you are telling the hacker about the older version running on your WordPress site.

Add the following code snippet in function.php file to completely hide the version number in head files and RSS feeds.


Change WordPress Login url

Be careful!

The WordPress login URL is easy to guess as it is /wp-admin or /wp-login by default. Anybody can make a quick guess to get through your site modifying vulnerable changes.

The shortest way to change the URL is using Custom Login URL. It customizes the default login URL making it simple.
In case, if the intruder tries to exploit your site by simply knowing the URL, you can handle it upon activation of a simple plugin.

Good luck!


Always use Updated Themes and Plugins

You should always keep your WordPress themes as well as plugins up to date. Adding to this, it is always suggested to update or download plugins and themes from reputed sites such as wordpress.org, d5creation.com. D5 Creation is one of the leading WordPress Themes providers. All of the Free Versions of D5 Creation Themes are approved by WordPress.org.

This can make a great difference to the security of your site by avoiding major malware attacks that enter and corrupt vital information.

For instance, get your plugins and themes from WordPress repository or from well-known companies.


Use Two-factor Authentication service

This feature enables one-time password (OTP) security by two-factor authentication to prevent someone getting access to your site.

Whenever the user logins, a unique code is generated that ensures user’s authentication over login credentials.

We highly recommend Google Authenticator plugin by WordPress who provides this service. You can then set up two-factor authentication by creating a new secret key or by scanning a QR code.

The login page will have an additional option for your Google Authenticator Code.


Disable XML-RPC features

The XML-RPC helps connecting a number of blogging clients on the web using Trackbacks and Pingbacks.

Unfortunately, you may become the victim of next Distributed Denial of Service (DDoS) attack. In this attack, the site is affected by automated bots that lead to denial of service.

You can use WordPress plugin Disable XML-RPC from WordPress repository to disable XML_RPC.

You can also add the following line of code to disable the XML-RPC features.


Secure and Move wp-config.php file

This is the most important file in your entire installation. It consists of all the necessary information for any attacker to get into your website database.

Move the wp-config.php file in a different location such that it is not accessible to anyone except the admin account user. By doing this, it becomes difficult for someone to crack the database and exploit vital information.

You can simply move the file by copying everything into a different file and paste following code into the wp-config.php file.

To secure the wp-config.php file you can add the single line code in .htaccess as under


Choose Secure hosting provider

Choosing a web host provider for hosting your website on the safe platform is the most crucial decision in the entire site building procedure.

Invest some time to think about who you should pay to host the website? What are the qualities you need in a hosting company?

A secure host provider comes with the facilities such as upgraded security solutions, reliability and customer support.


Closing Note

So, here you have the basic and most effective tips to harden your WordPress security.

Go through each of these methods carefully and feel free to practice the ones you haven’t!

Cause it’s better to be safe than to be sorry, isn’t it?

Wish you luck! 


[ Note: This is a Guest Post and D5 Creation may not recommend all these 20 tips for WordPress Sites. Some of them  may create addition problems for WordPress Sites ]

Author : Anil Parmar

Anil Parmar is the co-founder of Glorywebs, a full-service digital marketing agency aiming to help clients with services like web design, web development, digital marketing and graphic design

Comments are Closed