With over 33% of all websites on the internet running WordPress, it’s no wonder that WordPress is a prime target for hackers.
Here are 10 actionable WordPress security tips that you can implement today in order to make your WordPress website more secure.
- Choose your Plugins Carefully
- Keep Everything Up to Date
- Hide your WordPress Version
- Hide the Login URL
- Change the Default “admin” Username
- Choose a Strong Password
- Limit Login Attempts
- Change Permissions
- Disable Theme Editing
- Install an SSL Certificate
1. Choose your Plugins Carefully
It’s been suggested that 98% of WordPress vulnerabilities are related to plugins. These vulnerabilities include leaking sensitive information, database injection, and remote code execution.
So you’ll want to avoid plugins that transmit data, especially sensitive data, to or from your website. In general, safe plugins don’t process any user input. You want to make sure you only use plugins from WordPress.org, and keep the number of plugins you install to a minimum, which also helps with the performance of your website.
2. Keep Everything Up to Date
This includes your theme, plugins, and WordPress itself. Many times updates include security patches that fix vulnerabilities, and these should never be overlooked.
3. Hide your WordPress Version
This is a security through obscurity technique that limits the amount of information you make public about your website.
You can hide your WordPress version by adding this code snippet to your functions.php file:
```php
function wp_version_remove_version() {
    return '';
}
add_filter('the_generator', 'wp_version_remove_version');
```
Or you can use Perfmatters, one of my favorite plugins, to hide your WordPress version with the click of a button.
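The `the_generator` filter only clears the generator meta tag and the feed `<generator>` element; WordPress also appends `?ver=X.Y.Z` with the core version to its own scripts and stylesheets. The following is an added example, not code from the original post, that covers both places (the `example_` names are hypothetical; it goes in functions.php or a file under wp-content/mu-plugins/):

```php
<?php
/**
 * Added example: hide the core WordPress version in the generator tag and in
 * the ?ver= query string of enqueued core scripts and styles.
 */

// 1. Generator meta tag in the page head and <generator> in feeds.
add_filter('the_generator', '__return_empty_string');

// 2. Core assets are enqueued with ?ver=<core version>. Strip that argument
//    only when it equals the core version, so plugins and themes keep their
//    own ver= values for cache busting (those do not reveal the core version).
function example_strip_core_version_query($src) {
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version_query', 9999);
add_filter('style_loader_src',  'example_strip_core_version_query', 9999);
```

Neither filter touches readme.html in the web root, which states the version in plain text, so check that it is removed or blocked at the web server as well.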
4. Hide the Login URL
Another similar security through obscurity technique is to hide your login URL. By default, anyone can reach your login screen by appending one of these paths to your domain name:
- /wp-admin
- /admin
- /login
- /wp-login.php
I have an entire video on this topic that also uses the Perfmatters plugin to disable this WordPress login screen with the click of a button.
5. Change the Default “admin” Username
If your WordPress username is admin, that’s a potential security risk. The first guess of any hacker will be admin, so you’ll want to change this.
Unfortunately, WordPress doesn’t allow you to change a username, but you can get around this by creating a new user with administrator privileges and then subsequently deleting the original admin user.
If you’re comfortable with executing MySQL commands, you can also rename the admin user with this code snippet.
```sql
-- Assumes the default wp_ table prefix; adjust it if your site uses a custom prefix.
UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';
```
6. Choose a Strong Password
I know, you hear it all the time, but if you’re using one of these common passwords, it’s just a matter of time before your website gets hacked.
- 123456
- 123456789
- picture1
- password
- 12345678
- 111111
- 123123
- 12345
- 1234567890
- senha
- 1234567
- qwerty
- abc123
- Million2
- 000000
- 1234
- iloveyou
- aaron431
- password1
- qqww1122
A strong password of at least 16 random characters that include letters, numbers, and symbols will prevent your website from falling victim to a brute-force attack. And keep in mind, in addition to your WordPress administrator password, you’ll also want your FTP, database, and server passwords to be just as secure.
7. Limit Login Attempts
On that note, it’s also a good idea to limit the number of login attempts for your WordPress website.
You can do this with a free plugin, but the official WordPress documentation suggests adding server-side password protection, which is essentially another layer of security. If you’re interested, I have videos on how to do this on Apache and Nginx web servers.
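To show what a login limiter actually does inside WordPress, here is an added example (not code from the original post or from any plugin) written as a must-use plugin, for instance wp-content/mu-plugins/limit-logins.php. It assumes PHP sees the real client address in `REMOTE_ADDR`; behind a reverse proxy that value is the proxy, and the trusted forwarded-for header must be used instead. All `example_ll_` names are hypothetical.

```php
<?php
/**
 * Added example: per-IP login-attempt limiter. Failed logins are counted in a
 * transient; once the limit is reached, the password check is skipped and a
 * WP_Error is returned until the window expires.
 */

const EXAMPLE_LL_MAX_ATTEMPTS = 5;                      // failures allowed per window
const EXAMPLE_LL_WINDOW       = 15 * MINUTE_IN_SECONDS; // counting / lockout window

function example_ll_transient_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_ll_' . md5($ip);
}

// wp_login_failed fires only for real attempts (empty username/password are
// ignored by core), so plain GET requests to wp-login.php do not count.
// Every further failure re-sets the expiry, so the window slides while an
// attacker keeps trying.
function example_ll_record_failure($username, $error) {
    $key      = example_ll_transient_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, EXAMPLE_LL_WINDOW);
    error_log(sprintf('login failure %d/%d for "%s" from %s',
        $attempts, EXAMPLE_LL_MAX_ATTEMPTS, $username, $_SERVER['REMOTE_ADDR'] ?? '?'));
}
add_action('wp_login_failed', 'example_ll_record_failure', 10, 2);

// wp_authenticate_user runs after the user lookup but before the password is
// compared; returning a WP_Error here stops the comparison entirely.
function example_ll_check_limit($user, $password) {
    if ((int) get_transient(example_ll_transient_key()) >= EXAMPLE_LL_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_ll_too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}
add_filter('wp_authenticate_user', 'example_ll_check_limit', 99999, 2);

// A successful login clears the counter for that address.
function example_ll_reset($user_login, $user) {
    delete_transient(example_ll_transient_key());
}
add_action('wp_login', 'example_ll_reset', 10, 2);
```

Because it hooks the authentication pipeline rather than the login form, the limit also applies to password logins made through xmlrpc.php, which is worth verifying on your own site since that endpoint is a common place for guessing attempts to show up in logs.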
8. Change Permission of wp-config.php and the WordPress Install
Also according to the official WordPress documentation, permissions for your WordPress installation should be as follows:
| Resource | Permission |
|---|---|
| wp-config.php | 440 |
| All other files | 644 |
| All directories | 755 |
If you have SSH access to your server, you can apply these permissions with the following three commands.
```shell
# Directories: 755 (owner rwx, everyone else rx)
find /var/www/html/ -type d -exec chmod 755 {} \;
# Files: 644 (owner rw, everyone else r)
find /var/www/html/ -type f -exec chmod 644 {} \;
# wp-config.php last, so the previous command does not overwrite it: 440
# (owner and group read-only; the web server must run as the owner or group)
chmod 440 /var/www/html/wp-config.php
```
And some FTP clients even allow you to change these permissions as well without going on the command line.
9. Disable Theme Editing
By default, WordPress administrators can edit core PHP files directly from within the WordPress dashboard. To turn off this capability, simply add this line of configuration to your wp-config.php file which will disable the Theme Editor option under Appearance.
```php
define('DISALLOW_FILE_EDIT', true);
```
10. Install an SSL Certificate for Encrypted HTTPS
Not only will an SSL certificate provide an encrypted connection between your server and your visitors, but it will also give your website a boost in organic search results.
Having your WordPress website running under HTTPS is especially critical when working with sensitive information such as usernames, passwords, and personal information.