WordPress Security Guide: 20 Steps to Protect Your Site

WordPress holds almost all the Content Management System (CMS) market share and powers over 400 million websites. There is little query that it covers a improbable variety of websites, from personal blogs to big eCommerce web sites.

With such an essential operate, it’s no shock that WordPress attracts cybercriminals.

WordPress builders do their best to cowl all vulnerabilities by regularly updating the core software program program. However, it’s up to the web page householders to implement additional security measures to further defend their WordPress websites.

This WordPress security data will concentrate on 20 methods that you could be merely implement to keep your web page secure.

Types of WordPress Security Vulnerabilities

Table of Contents

WordPress is so in type that it has change right into a objective for lots of cyberattacks. Furthermore, it is going to seemingly be powerful to implement WordPress security measures with out first understanding its vulnerabilities.

Here are among the many most common WordPress security vulnerabilities you need to understand sooner than implementing any WordPress security measures.

  • SQL injection – malicious code injection directed to the WordPress database to entry the web page’s data and content material materials.
  • Distributed Denial of Service (DDoS) assault – an assault carried out by a group of laptop methods. This creates a surge of fake guests that takes up the web page’s sources, overwhelming it and making it inaccessible to most people.
  • Brute-force assault – makes an try to break the login by guessing a serious amount of usernames and passwords.
  • Cross-site scripting (XSS) – a malicious code injection into a web based utility. This assault will then ship the malicious script to the end-user using the online utility to steal delicate information saved in cookies or session tokens.
  • Backdoors – a malware assault that allows an attacker to bypass WordPress security measures. Backdoors can lead to situations the place attackers place a redirection code to a malicious web site.
  • Phishing – if an attacker constructive points entry to your web page, they’ll place a phishing hyperlink to a pretend web page that asks for the individual’s credentials and completely different delicate information.
  • Hotlinking – carried out by one different web page that embeds your content material materials instantly out of your server with out permission. Not solely is that this thought-about stealing, nonetheless it moreover takes up your sources.

How to Secure WordPress Website: The Basic Steps

There isn’t any single web page security comply with which will block all threats alone – you’ve got to implement quite a lot of methods to improve WordPress security. The following WordPress security options are essential and are comparatively easy to implement out of your dashboard with the help of WordPress plugins.

1. Use Strong Credentials 

While login credentials are the first line of safety to secure a WordPress web site, many WordPress web page householders don’t benefit from the precise practices for his or her credentials.

An ordinary mistake is to use generic usernames and passwords, paying homage to admin or administrators, and personal information like a full establish or begin date. This locations the web page at a greater hazard of brute drive assaults.

The first essential tip for strong credentials simply is not using the an identical username and password combination twice on fully completely different platforms. In completely different phrases, your WordPress credentials should not be the an identical as a result of the credentials for, let’s say, your Twitter account.

Using the an identical credentials for quite a lot of logins implies that as quickly as attackers uncover out the username and password for one platform, they get entry to all your accounts, along with the WordPress web page.

The second tip is to use a strong password that mixes quite a few characters. Various password generator devices may be discovered to enable you to create strong passwords. Remember that longer passwords are extra sturdy to crack, so we recommend using a minimum of 12 characters.

Password managers like 1Password or LastPass enable you to to retailer your strong passwords. Avoid using an utilized password supervisor on a web based browser like Google Chrome as they’ve an inclination to be a lot much less secure than devoted password managers.

If you’ve got already organize your WordPress account and want to change the username and password, you could add a model new administrator account. Follow these steps:

  • Log in to your WordPress dashboard and navigate to Users -> Add New.
  • Enter the credentials. Select Administrator for the operate, then click on on Add New User.

WordPress Security Guide 20 Steps to Protect Your Site

2. Enable 2FA (Two Factor Authentication)

Two-Factor Authentication or 2FA gives one different layer of security by authenticating login makes an try using a novel code. The code is continually regenerated and would possibly solely be accessed from a separate system or textual content material message.

To enable 2FA on a WordPress web page, you’ll need a WordPress plugin and a third-party authentication app in your mobile system, like Google Authenticator.

While quite a few WordPress security plugins enable 2FA, essentially the most well-liked one is Wordfence. Install this plugin and observe these steps to enable 2FA:

  • Navigate to the Wordfence -> Login Security menu on the left panel.
  • Open the Two-Factor Authentication tab.

1649377284 772 WordPress Security Guide 20 Steps to Protect Your Site

  • Scan the QR code using the authentication app in your mobile system or enter the activation key.
  • Enter the code generated on the mobile authentication app.
  • Click the Activate button to finish the tactic.

Every time you log in to your WordPress account, you’ve got to enter the code generated by the app in your mobile system.

3. Regularly Update Your WordPress Version

Updating to the latest mannequin of WordPress is the most effective however most crucial step to secure your WordPress web site. The exchange to the WordPress core software program program patches any vulnerabilities to defend you from attackers.

Remember to exchange the themes and plugins, too. In addition to patching security weaknesses, WordPress theme and plugin updates be sure that they work correctly with the latest mannequin of WordPress.

Keep in ideas that when updating the WordPress core software program program, it’s best to check whether or not or not the put in themes and plugins already assist the latest WordPress mannequin. If not, there’s a hazard that they obtained’t work precisely.

To check for any obtainable updates, log in to the WordPress dashboard and go to Dashboard -> Updates. There, you’ll have the chance to see whether or not or not updates for the core WordPress software program program, themes, or plugins may be discovered. If so, it’s best to exchange them immediately.

1649377284 130 WordPress Security Guide 20 Steps to Protect Your Site

4. Upgrade to the Latest PHP Version

WordPress is dependent upon PHP as its principal scripting language, due to this reality, having the latest mannequin of it is essential every for retaining the web page working precisely and guaranteeing it’s secure.

Each most important launch of PHP will get full support for two years after its safe launch. During this period, builders and contributors restore bugs and security vulnerabilities using the widespread stage releases. After two years, each mannequin will get one different 12 months of assist for important security factors solely.

However, observe that the builders will restore factors primarily based totally on experiences solely. This means the much less the number of prospects, the much less experiences of security factors.

Currently, PHP mannequin 7.3 has reached the tip of its lifespan, ceasing any further assist for it. As for PHP 7.4, it might solely receive patches for important security factors. If you’re nonetheless working PHP 7.3 or PHP 7.4, enhance your PHP mannequin as rapidly as potential.

PHP 8.0 and PHP 8.1 are in the mean time the advisable variations to run your WordPress web site on.

Depending in your web host, you want to be able to see the energetic PHP mannequin using the administration panel. If your web site runs on PHP 7.4 or lower, enhance it to PHP 8.0 or PHP 8.1 immediately – doing so have to be easy to configure it from the administration panel.

For occasion, in hPanel, merely navigate to Advanced -> PHP Configuration. Select the PHP mannequin you want to use and click on on Update to save the change.

1649377284 254 WordPress Security Guide 20 Steps to Protect Your Site

5. Get Secure WordPress Hosting

A web internet hosting provider will grant you space to retailer your web page data and make it accessible on the Internet. Therefore, it’s best to choose a bunch that gives a secured web internet hosting environment.

Many WordPress websites run on shared infrastructure, which signifies that quite a lot of consumers use the an identical managed server. This will enhance the security hazard as a breach in a single web page can affect one different.

Hosting companies ought to implement security measures and devices to cut back the hazard, paying homage to 24/7 monitoring in direction of vulnerabilities, firewalls, and DDoS security. Some suppliers even droop hacked WordPress web sites as they’ll affect completely different websites on the an identical server.

When choosing a WordPress web internet hosting plan, we recommend checking for these choices:

  • Firewall – server security ought to block any malicious guests and cease DDoS assaults.
  • Auto backup – an web website backup is the precept mitigation plan to forestall eternal data loss inside the event of cyber-attacks. Auto backup choices from the provider ought to reduce any hassle you could in every other case experience.
  • Credible managed service – for individuals who use a managed service, make sure that the provider generally updates the server software program program and {{hardware}} to cut back vulnerabilities.
  • Support – an exquisite 24/7 assist employees will enable you to with technical assist to resolve any security factors that come up.

Hostinger is an excellent occasion of a secure WordPress web internet hosting provider. Their suppliers embody a 24/7 security monitoring system and a Cloudflare DNS firewall that stops DDoS assaults. Hostinger’s tech employees may even notify you and even perform force-updates if in case you have got vulnerable WordPress plugins put in in your web site.

Another risk for secure WordPress web internet hosting is NameHero. Its AI-based security identifies threats and malicious guests to your web page. Some plans even embody this AI experience to decide malicious WordPress admin logins.

6. Install an SSL Certificate on the WordPress web site

SSL (Secure Sockets Layer) gives a security layer that enforces a secure protocol for data swap between the online server and friends. This is especially essential in case your web page collects loads of data.

Without SSL certificates, the information alternate between prospects and the online server will use plain textual content material. This makes it easier for attackers or middlemen to steal information, notably when using unsecured group connections.

In distinction, websites with SSL certificates encrypt all data exchanged. When prospects want to be part of to an web website, the browser will ship a request, and the server will ship the certificates with most people key. The browser then checks the certificates validity and encrypts the information using most people key. This data can solely be decrypted using the personal key inside the server.

Other benefits of SSL certificates embody greater web site positioning rankings as Google components in SSL for his or her SERPs. SSL certificates moreover enable you to assemble perception and credibility, as friends will actually really feel safe submitting their data to a secured web page.

Many web internet hosting plans already embody a free Let’s Encrypt SSL Certificate. If that is not the case in your plan, you’ll get one freed from cost on the Let’s Encrypt web page or purchase a premium Comodo SSL certificates.

1649377284 149 WordPress Security Guide 20 Steps to Protect Your Site

After the certificates is put in in your web internet hosting account, you proceed to have to activate it in your WordPress web site. You’ll need a plugin like Really Simple SSL to activate the certificates in just some clicks out of your WordPress dashboard.

7. Install Trusted Plugins and Themes

Plugins and themes is perhaps an entry stage for attackers to obtain entry to your web page. This is the case when a WordPress theme or plugin is compromised or outdated. To forestall this from going down, solely arrange trusted plugins and themes.

When it comes to free themes and plugins, guarantee to arrange solely these already obtainable on official WordPress directories. These themes and plugins are examined to modify to safe coding necessities. In addition, we recommend choosing themes and plugins that are incessantly up to date, as they’re additional in all probability to incessantly patch security vulnerabilities.

1649377284 175 WordPress Security Guide 20 Steps to Protect Your Site

Make sure to solely choose from revered builders and marketplaces when purchasing premium plugins and themes. Check for the number of energetic installations and skim individual evaluations as they level out their credibility and robustness. Themeforest is an excellent occasion of a good marketplace for premium themes.

1649377284 321 WordPress Security Guide 20 Steps to Protect Your Site

Avoid placing in nulled WordPress themes and plugins. These are hacked premium themes and plugins that attackers may have injected with malicious code after which provided at lower prices and even freed from cost. The intention is to lure victims into placing on this software program program that could be a backdoor to their WordPress websites.

Another essential tip is to take away unused themes or plugins. If you proceed to have them put in in your WordPress web site and depart them outdated, they’ll pose important WordPress security risks.

8. Lockdown WordPress Login Page

Locking down your WordPress web site is an efficient means to strengthen the situation’s security by making it extra sturdy to entry the login. There are 3 methods to do this – altering the WordPress login URL, organising an IP cope with safelist for the WordPress login net web page, and limiting login makes an try.

Changing the WordPress Login URL

By default, the WordPress login net web page might have the URL of yourdomain.com/wp-admin. This makes it easier for various people to entry the login net web page and conduct login makes an try, inserting your web site susceptible to brute-force assaults.

The All In One WP Security and Firewall plugin has a attribute to rename login URLs. Once you’ve put in and activated the plugin, observe these steps:

  • Go to WP Security -> Brute Force.
  • Go to the Rename Login Page tab.
  • Check the Enable Rename Login Page Feature and insert your custom-made URL inside the Login Page URL space.

1649377284 560 WordPress Security Guide 20 Steps to Protect Your Site

  • Click Save Settings.

Create an IP Address Whitelist

This approach protects the login net web page from being accessed by unauthorized IP addresses. The easiest method to do that’s by means of using the All In One WP Security and Firewall plugin or a web based utility firewall (WAF) service like Cloudflare.

Follow these steps to create an IP Address Whitelist using the All In One WP Security and Firewall plugin:

  • Go to  WP Security -> User Login.
  • Open the Login Lockdown tab and scroll down to the Login Lockdown IP Whitelist Settings.
  • Check the Enable Login Lockdown IP Whitelist discipline and enter the permitted IP cope with or IP ranges inside the Enter Whitelisted IP Address space.

1649377284 116 WordPress Security Guide 20 Steps to Protect Your Site

  • Click Save Settings.

If you make the most of the Cloudflare firewall as an alternative, it has a Zone Lockdown attribute to specify the URLs to lock down and the IP addresses allowed to entry these URLs. Any request from IP addresses open air the permitted range will in all probability be mechanically blocked.

Limit Login Attempts

The closing safety measure to lock down the login net web page is limiting login makes an try. There’s no limit to login makes an try by default, making your web site inclined to brute drive assaults. By distinction, licensed prospects may solely need just some tries to log in.

You can regulate the login makes an try by means of using the Wordfence plugin. It has a attribute to sign off any IP addresses that exceed the failed attempt to level out these addresses as malicious. There’s moreover an risk to set a lockout time sooner than the IP cope with can attempt to log in as soon as extra.

Here’s how to do it using Wordfence:

  • Go to Wordfence -> All Options.
  • Scroll down to the Brute Force Protection.
  • Switch on the Enable brute drive security risk and select the login lockout selections.

1649377284 965 WordPress Security Guide 20 Steps to Protect Your Site

  • Click Save Changes on the very best navigation bar.  

9. Turn Off PHP Error Reporting

PHP error reporting is a useful attribute for finding any points related to PHP recordsdata. However, unauthorized prospects can exploit this attribute, as PHP error experiences present flaws in your WordPress back-end in good factor, along with the form of error, PHP file path, and code line.

The easiest method to restore that’s from the administration panel. If there’s an risk to configure the PHP error logging on the PHP configuration, disable the attribute.

For occasion, in Hostinger’s hPanel, you could flip off PHP error reporting by navigating to the Advanced -> PHP Configurations. Then, open the PHP selections tab and uncheck the logErrors and presentErrors bins. Scroll down and click on on Save.

1649377285 479 WordPress Security Guide 20 Steps to Protect Your Site

10. Install WordPress Security Plugins

Among all the plugins you’ve already put in to have your web page functioning as meant, it is best to moreover bear in mind to embody security plugins.

Choose one plugin with many security options, paying homage to 2FA, a login limiter, and firewall security. This means, you don’t need to arrange quite a lot of plugins to cowl quite a few vulnerabilities.

Also, don’t forget that the free mannequin couldn’t current full security. We recommend discovering revered plugins and investing in premium variations if needed.

While there are actually 1000’s of good plugins, listed beneath are our options:

  • Wordfence Security – the primary plugin for WordPress security. It gives a web based utility firewall, two-factor authentication, and IP cope with blocking to improve your security.
  • Sucuri – gives web page firewall security and WordPress file integrity check. Its dashboard and interface are among the many many finest to use.
  • iThemes Security – an entire security plugin that gives individual lockouts and a database prefix change.
  • All In One WP Security – gives a improbable range of security options, along with firewall, spam prevention, and hotlinks security.

11. Disable the XML-RPC Function

XML-RPC is a WordPress attribute that enables data swap between WordPress and completely different devices. This attribute has been enabled by default since WordPress 3.5 and makes use of HTTP for the information swap mechanism and XML encoding protocol.

This attribute permits content material materials administration using mobile devices by the use of the WordPress mobile app. However, XML-RPC is perhaps harmful for a WordPress web page as a result of it has a attribute to use the system.multicall function.

This function executes quite a lot of directions in a single HTTP request. Attackers can exploit this to perform brute drive assaults by attempting lots of of passwords in decrease than 100 requests.

While XML-RPC has some benefits like managing content material materials using mobile devices and activating certain plugins like Jetpack, we recommend disabling this attribute for individuals who don’t use it the least bit.

The simplest way is thru using a plugin. While there are a selection of plugins for disabling XML-RPC, we recommend using the Wordfence security plugin as a result of it’s an entire bundle for WordPress security.

After you set in and activate the plugin, observe these steps:

  • Navigate to Wordfence -> Login Security from the dashboard.
  • Select the Settings tab.
  • Scroll down to the Settings half and check the Disable XML-RPC authentication discipline.

1649377285 560 WordPress Security Guide 20 Steps to Protect Your Site

  • Click Save to save the settings.

12. Scan for Malware

Malware is software program program or a small code string that compromises the web page’s security. There are quite a few types of malware which will harm your web page in quite a few strategies, paying homage to stealing information, luring your friends to a deceptive web page, and even incomes cash illegally. Another consequence of malware is getting your web site blocklisted by serps.

Malware can reside in your web site undetected until it lastly causes harm. Some malware might even avoid security detection by modifying themselves.

This is why generally scanning your web page for malware is crucial.

Various security plugins are in a position to conducting this. Moreover, plugins like Wordfence embody a real-time signatures exchange to defend your WordPress web site from even the latest of threats.

Some plugins moreover conduct a file integrity check. In essence, they study your WordPress arrange recordsdata with the default ones and see if any malicious code has been injected. Ultimately, these plugins will trade contaminated recordsdata with the distinctive ones from the WordPress repository.

13. Back Up WordPress

Creating a WordPress backup obtained’t forestall any assaults or web page security factors in your web site. However, it might enable you to get effectively the information quickly if any such events happen. The backup data ought to embody all the WordPress core recordsdata and the database.

There are two methods of backing up WordPress – using the administration panel and using a WordPress plugin.

Using Control Panel

Most administration panels have a backup instrument to create and acquire backups merely. For occasion, using the Hostinger’s hPanel, go to Files -> Backups. Then click on on on Generate New Backup to create a model new backup data. After that, you could receive the backup recordsdata and database to your native laptop computer.

1649377285 330 WordPress Security Guide 20 Steps to Protect Your Site

Using WordPress Plugin

If you prefer to deal with your backup by the use of WordPress dashboard, it is best to use plugins like UpdraftPlus and observe these steps:

  • Navigate to Settings -> UpdraftPlus Backups.
  • Click Backup Now.

1649377285 218 WordPress Security Guide 20 Steps to Protect Your Site

  • A pop-up show display will appear, select Include your database inside the backup and Include your recordsdata inside the backup, then click on on Backup Now.

1649377285 606 WordPress Security Guide 20 Steps to Protect Your Site

  • Download the backup from the Existing backups half on the bottom of the online web page.

1649377285 742 WordPress Security Guide 20 Steps to Protect Your Site

An essential tip when storing your backup data is to use a few location. For occasion, you could keep the information in your native laptop computer, a USB flash drive, and cloud storage like Google Drive. This means, if one storage location is damaged, your backup data will in all probability be very good.

14. Block Hotlinking

Hotlinking refers to the comply with of an web website using one different web site’s content material materials, paying homage to an image, by linking the provision. For occasion, web page A makes use of a picture from web page B. Instead of downloading the image and reuploading it. Website A makes use of the image URL from web page B to present the image.

This comply with has certain disadvantages for the provision web page. If the guests is extreme, this takes up the distinctive web site’s sources, inflicting the situation to decelerate and even experience downtime if the helpful useful resource simply is not enough.

There are three methods to block hotlinking – by means of using a content material materials provide group (CDN), a WordPress security plugin, or an FTP shopper.

Content Delivery Network (CDN)

The principal intention of a CDN is a sooner content material materials provide velocity. That talked about, some CDNs even have asset administration choices, along with hotlink security. The steps to enable hotlink security may vary counting on the CDN. In this tutorial, we’ll use Cloudflare as a result of it’s one of many essential in type CDNs. Here are the steps for it:

  • Log in to the Cloudflare account.
  • Select the web page to configure.

1649377285 544 WordPress Security Guide 20 Steps to Protect Your Site

  • Select the Scrape Shield app from the left sidebar.
  • Switch the Hotlinking Protection toggle button on.

1649377285 809 WordPress Security Guide 20 Steps to Protect Your Site

WordPress Security Plugin

Several WordPress plugins have a attribute to modify your .htaccess file to forestall hotlinking. We recommend using the All In One WP Security and Firewall plugin, and listed beneath are the steps:

  • Install and activate the plugin.
  • From the sidebar, navigate to WP Security -> Firewall.
  • Go to the Prevent Hotlinks tab and Check the Prevent Image Hotlinking discipline.

1649377285 823 WordPress Security Guide 20 Steps to Protect Your Site

  • Click Save Settings.

FTP Client

If you select to do this manually, it is best to use an FTP shopper to entry the WordPress arrange folder and modify the .htaccess file. Connect the FTP shopper and open the public_html itemizing. Then, uncover and open the .htaccess file using a textual content material editor.

All you’ve got to do is insert this code snippet into the file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yahoo.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ – [NC,F,L]

Replace yourdomain.com alongside along with your exact space establish and save the file. Now, your WordPress web site ought to block hotlinks on .jpg, .jpeg, .png, and .gif media recordsdata.

15. Use a Secure Connection at All Times 

One of the required security practices is to use a trusted and secure net connection, notably when accessing your admin net web page and completely different web sites that require credentials.

This is to avoid a hotspot honeypot – a malicious WiFi entry stage that appears to be a legit connection nonetheless is managed by attackers to launch man-in-the-middle assaults. This hotspot honeypot permits attackers to doc your net train and steal essential information using a spoofed web page.

Avoid using public WiFi everytime you need to use the online for essential actions like accessing the WordPress admin panel. Even school, library, or cafe networks that look legit is perhaps compromised and exploited by attackers.

If you’ve got to use a public group, we recommend using a VPN. This will add security inside the kind of encryption to the connection. Therefore, your data and on-line actions have to be safe.

Another tip is to use the Secure File Transfer Protocol as an alternative of an on a regular basis FTP shopper. Doing so you may use an SSH file swap protocol to encrypt the information you turn out of your laptop computer to the online server, making it extra sturdy for attackers to steal and intercept your data.

16. Review Permissions

The web page recordsdata and folders have permission settings that define who can be taught, write, and execute them. You can forestall attackers from accessing the WordPress admin account by configuring the precise permissions.

The default permissions vary counting on the recordsdata and folders. However, it’s best to check the permissions for the wp-admin folder, wp-config.php, and .htaccess recordsdata. We recommend altering these permissions so that solely the Owner can write them.

There are quite a lot of methods to change the permissions. The finest one is using the web internet hosting file supervisor. Here’s an occasion of doing it using Hostinger’s hPanel file supervisor. The course of have to be associated on another administration panel.

  • Click File Manager beneath the Files half.


  • Open the public_html itemizing.
  • Right-click on the file you want to configure, then select Permissions.


  • Uncheck Write bins for Group and Others individual courses.

1649377285 495 WordPress Security Guide 20 Steps to Protect Your Site

  • Click Change to save the modifications.
  • Repeat on completely different recordsdata and folders you want to configure.

The second approach is using an FTP shopper. We’ll use FileZilla for this occasion.

  • Connect FileZilla to your WordPress web site.
  • Open the public_html itemizing.
  • Right-click on the file you want to configure, then select File permissions.

1649377285 242 WordPress Security Guide 20 Steps to Protect Your Site

  • Uncheck Write bins for Group and Others individual courses.

1649377285 111 WordPress Security Guide 20 Steps to Protect Your Site

  • Click OK to save the modifications.
  • Repeat on completely different recordsdata and folders you want to configure.

17. Change the Database Prefix 

The WordPress database outlets essential information that makes your web site work, paying homage to submit content material materials, metadata, and individual information. This is why attackers often objective the database for SQL injection assaults, as they’ll bypass WordPress security measures and steal the database content material materials.

The database consists of quite a lot of tables which have the default prefix of wp_. Many prospects overlook to change this prefix, thus making it easier for attackers to launch SQL injection assaults.

Use a plugin like iThemes Security that has a attribute to change the database prefix merely. Follow these steps to obtain this:

  • Navigate to Security -> Settings.
  • Click Tools on the left banner.
  • Open the Change Database Table Prefix drop-down and click on on Run.

1649377285 450 WordPress Security Guide 20 Steps to Protect Your Site

The plugin will mechanically change all desk prefixes with a random and secure prefix.

You can also change the default desk prefix when placing in a WordPress manually by altering the desk prefix to your hottest establish on the WordPress setup wizard.

18. Monitor User Activity

We recommend monitoring prospects’ actions using an train log plugin for a WordPress web page with quite a lot of prospects.

This is because of prospects may change essential web page configurations, paying homage to plugins and themes. Having train logs permits you to monitor and revert the modifications.

It’s moreover useful in order to uncover out who’s accountable for any modifications and decide hacked prospects. As an occasion, individual A may have modified your web site’s security primarily based totally on the train log, nonetheless the rightful proprietor of individual A was not accountable for it. In this case, attackers may have hacked individual A.

We recommend using the User Activity Log plugin to monitor individual train as a result of it’s easy to use. Once you’ve put within the plugin, navigate to User Activity Log from the sidebar, and likewise you’ll see all train particulars, along with the individual, associated IP cope with, and the involved object.

1649377286 85 WordPress Security Guide 20 Steps to Protect Your Site

19. Manage WordPress User Roles 

If you’ve got quite a lot of prospects in your WordPress web page, deal with the individual roles and limit entry accordingly.

By default, there are six roles for WordPress prospects, starting with Super Admin, who has the power to all group administration choices, to Subscriber who can solely deal with their profiles.

Chances are, not all prospects need the Super Admin or Administrator privileges. Therefore, limit the number of Administrators and assign roles to completely different prospects in accordance to their contribution to the web page.

There are quite a few causes to obtain this.

First, if any individual accounts get hacked, not all might have entry to the web page administration, thus limiting the hurt an attacker can do sooner than you lock down the account.

Second, this may increasingly cut back the hazard of errors made by prospects. For occasion, someone may unintentionally flip off a security plugin and put your WordPress web site at risk.

Follow these steps to change individual roles:

  • Go to your WordPress admin dashboard and navigate to Users -> All Users.
  • Click Edit on the individual you want to deal with.
  • You’ll uncover the Role space on the individual administration net web page and open the drop-down menu to choose the proper individual operate.

1649377286 569 WordPress Security Guide 20 Steps to Protect Your Site

  • Click Update User if you’ve accomplished.

20. Hide WordPress Version

You may think that displaying the mannequin of WordPress in your web page obtained’t give away any essential information. However, attackers can exploit vulnerabilities within the occasion that they know which WordPress mannequin your web page is working, notably if it’s an older mannequin.

By default, the Sucuri plugin removes the WordPress mannequin information from the HTML meta-tag. Install and activate the plugin, and it ought to cowl your mannequin of WordPress.

To verify this, go to Sucuri Security -> Settings out of your dashboard. On the Hardening tab, it’s best to see the Remove WordPress Version risk. It ought to have a inexperienced background if it’s already activated.

1649377286 263 WordPress Security Guide 20 Steps to Protect Your Site


WordPress security measures are essential to defend one’s web site from quite a few cyberattacks. While the builders are endlessly updating the software program program to patch quite a few vulnerabilities, it’s up to you to keep updating your WordPress web site with quite a lot of layers of security.

Remember that cyberattacks keep evolving and additional vulnerabilities is also discovered over time. Keep your self up to date with any associated information and reinforce your WordPress web site with urged security measures if needed.

For occasion, a specific vulnerability is also discovered on a plugin that’s put in in your web site. In that case, you’ve got to act sooner than attackers exploit this and compromise your web site quickly.

Lastly, WordPress security is a gentle job. As your web site grows, reassess your security measures and keep in mind investing in further sturdy choices like premium plugins or hiring an knowledgeable WordPress security service.