15 security steps for a WordPress website

29 July 2020, by

WordPress Ασφάλεια

WordPress is now being used by around 30% of all the websites that exist online! That’s why it is being targeted by hackers which results in many cases of violations. However, this does not mean that your WordPress site is vulnerable and that there is nothing you can do! ere are no ways to increase its security.

Although there is no system that can be completely secure and there is always the possibility of breach through a vulnerable point, below you can find some ways to make your installation more secure.

Starting from the basics

Find some basic steps you can take, no coding required.

1. Upgrade WordPress, plugins and theme to their latest version

One of the most common reasons for a WordPress website to be compromised is a non-upgraded installation. Keeping your installations in older versions, you leave it vulnerable to hackers who are aware of but the community has fixed (in future releases). Your WordPress plugins and theme should always be upgraded to the latest version.

If you want to activate automatic upgrades for WordPress you can add in the wp-config.php file the line below:

define( ‘WP_AUTO_UPDATE_CORE’, true );

If your website is hosted on Top.Host and you’ve got a Plesk your control panel, you can enable automatic upgrades for the entire installation through Plesk’s WordPress Toolkit.

You should always remember to upgrade plugins or themes that you have purchased and do not support automatic upgrades or the upgrade process through the WordPress Dashboard.

2. Remove plugins and themes that you don’t use

Your installation needs cleaning up from time to time. As themes and plugins accumulate, you need to delete the ones you no longer use. Getting rid of unnecessary plugins is likely to make your site run faster as well as remove vulnerabilities from static or obsolete add-ons.

3. Replace plugins that have stopped being upgraded

A designer may have stopped upgrading a theme or plugin for months or even years. You should seriously consider replacing it because it can cause compatibility issues and security vulnerabilities. You can check if you have plugins or themes with known security vulnerabilities by using a tool such as WPScan.

4. Use only strong passwords

We often set passwords that are simple enough so we can easily remember. Often, they are based on dates of birth, our username or even our name. This makes it easier for hackers to find out our passwords with an automated script by trying alternatives. Below, you can see how much time a malicious automated script needs to break a password based only on characters in relation to the number of characters.

7 characters – 0.3 ms
8 characters – 5 h
9 characters – 5 d
10 characters – 5 months
11 characters – 1 decade
12 characters – 2 centuries

These times increase to a great extend when you also add special characters to your codes. Try a password generator and manager tool such as 1Password. This way, you won’t need to create and recall easy passwords. Also, an additional security measure  you can use to prevent your admin’s compromise is a two-factor authentication (2FA). Activate it by using a plugin such as Google Authenticator.

5. Change or remove the default admin username

By default, WordPress creates the initial admin account and gives an admin username. By maintaining this username you have a significant security gap, since hackers already know half the information and have to find out just the password. Choose your own username and make it harder to find.

So you can either create a new user with administrator privileges and delete the one with the admin username or modify the existing user by changing the username.

In case your website is hosted on Top.Host and you’ve got a Plesk control panel you can set the above through WP Toolkit.

6. Limit Login Attempts

If many failed login attempts are made from an IP, WordPress does not have a mechanism to temporarily or permanently block the IP. Thus, persistent hackers can endlessly try combinations until they find the right password and gain access.

Use a plugin such as Login LockDown that can do that and protect your website by blocking insecure IPs.

Top.Host servers this restriction already exists at server level by the Web Application Firewall, so an additional plugin is not necessary.

7. Change the login URL

Take an extreme step against breach attempts by changing the default login URL in the admin. Anyone who visits domain.com/wp-login.php will receive an error 404 and not the login form.

You can achieve that with a plugin such as WPS Hide Login.

8. Disable Trackbacks and Pingbacks

There are at least two serious reasons why you should consider disabling trackbacks and pingbacks: they can lead to unwanted comments but they can also be used in a coordinated DDoS attack. If you do not use trackbacks and pingbacks on your website, turn them off: go on Settings> Chat.

9. Use an SSL certificate

Enabling an SSL certificate is critical for a more secure website. SSL (Secure Sockets Layer) encrypts all information exchanged in your website. This way the visitors’ shared data remain private.

Using SSL ensures that hackers can not see or obstruct the data that your users share on your website. The secure tunnel created by an SSL is especially important when sensitive information is exchanged, such as credit card numbers, usernames and passwords.

It is really simple to check whether a website is SSL certified. An SSL-certified website has an HTTPS address in the URL, while a non-SSL-certified one will have an HTTP.

Going a bit deeper into WordPress security

The following steps should be done by someone who has coding experience. If you are a simple user go on but be really careful.

10. Hide the WordPress version

Once your WordPress version is visible in the code, a hacker can easily spot possible security vulnerabilities of the version -in case it is not upgraded. The installation’s version is visible in three different points. You can remove them by adding the following code to your theme’s functions.php:

/* Hide WP version strings from scripts and styles
* @return {string} $src
* @filter script_loader_src
* @filter style_loader_src
function remove_wp_version_strings( $src ) {
global $wp_version;
parse_str(parse_url($src, PHP_URL_QUERY), $query);
if ( !empty($query[‘ver’]) && $query[‘ver’] === $wp_version ) {
$src = remove_query_arg(‘ver’, $src);
return $src;
add_filter( ‘script_loader_src’, ‘remove_wp_version_strings’ );
add_filter( ‘style_loader_src’, ‘remove_wp_version_strings’ );

/* Hide WP version strings from generator meta tag */
function remove_metatag_version() {
return ”;
add_filter(‘the_generator’, ‘remove_metatag_version’);

You should also check that you have removed the readme.html file from your installation master folder, as it also contains the WordPress version.

11. Protect your wp-config.php

The wp-config.php file contains sensitive information about the installation settings. To protect it even better add the following rule to the .htaccess file.

<files wp-config.php>
order allow,deny
deny from all

In case your website is hosted on Top.Host and you’ve got a Plesk control panel you can set the above through WP Toolkit.

12. Use a unique database prefix

When installing WordPress, you have the right to set the database prefix; the default one is wp_. One more way to protect your base is to change the default prefix with something unique. And in this case, if your website is hosted on Top.Host you can set the above through your control panel by using WP Toolkit.

13. Disable PHP execution

Themes and plugins allow you to upload files. Ιf there is a security vulnerability hackers can upload a PHP file, execute it and make changes to your code or database.

To limit this, you can disable the execution of PHP files in the wp-content / cache and wp-content / uploads folders by creating a .htaccess file with the rule:

<Files * .php> deny from all </Files>

If your website is hosted on Top.Host and you’ve got a Plesk control panel you can set the above through WP Toolkit.

14. Disable directory browsing

If the directory browsing is enabled on server level hackers can view a browser’s folder contents. They can detect any files with vulnerabilities and then exploit it. You can disable directory browsing by adding the following rule to the central .htaccess of your installation:

Options -Indexes

This security setting exists in all of our servers so in case you’ve got your hosting with us there is no need to do anything else.

15. Disable PHP file processing

In case someone has access to the installation manager it is very easy to modify the plugins and themes files based on a feature provided by WordPress. If you want to disable this feature you can add the following to your installation’s file wp-config.php:

define (‘DISALLOW_FILE_EDIT’, true);

In case your website is hosted on Top.Host and you’ve got a Plesk control panel you can easily make the above setting through WP Toolkit.

Good luck!

Did you enjoy this post?

Then you will definitely love the ones coming up next! Subscribe so that you don't miss a thing.

By providing your email, you will get notified for the new blog posts of Top.Host. You can unsubscribe at any time. Learn more on our Privacy Policy.

Join the Discussion

Leave your comment