17 Ways to Protect Your Website on WordPress

mario and mushrooms banner Security

To date, WordPress is one of the most popular and widespread content management systems in the world. Based on this convenient and simple engine, many blogs, websites, portals are built.

But such simplicity and prevalence attract attention not only of honest users, but also of intruders. Any student can create a website now, but to protect it correctly, knowledge and at least a small experience will be required.

Read also : How to protect WordPress website from hacking?

That’s why the security of WordPress is one of the most important aspects of working on your website. Protecting WordPress from hacking involves many ways that it’s important to apply to everyone who does not want their site to suffer.

Site protection on wordpress

Today we will consider a number of the simplest, but at the same time very important ways to protect the site on WordPress.
From the article you will learn:
1. Use a good login.
2. Use a complex and unique password.
3. Update the version of WordPress.
4. Hide the version of WordPress.
5. Download themes and plugins from reliable resources.
6. Do not store unnecessary files.
7. Regularly check your local computer for viruses.
8. Make backup copies of the site.
9. Use a secure connection.
10. Create a .htaccess file.
11. Change the prefix of the database tables.
12. Limit the number of access attempts.
13. Remove readme.html and license.txt.
14. Use the SSL certificate.
15. Change the wp-config.php file.
16. Use two-factor authentication of accounts.
17. Use plugins that provide security.

The protection of the site on WordPress begins with the elementary – the creation of a good login. When installing WordPress, users often use the login, which the installer offers by default, namely – admin. This is what bots are looking for, looking for holes in the security of your site, first.

Using this login, you already provide half of the necessary information for hackers, and they can only choose a password.
If you have already installed a platform and are working on your site, it’s unlikely that you will want to delete the installation and start everything from scratch to use a more reliable login. There is an exit:

Step 1 – Create a new user
Log into the WordPress administrative panel and create a new account with a more complex login, which has full access to all site functions, that is, administrator rights.
In the main menu on the left, select Users >> Add new.

Enter all the necessary information for the new user by defining his role as Administrator and click Add New User.
The role of administrator in wordpress

Step 2 – Removing the admin user
After that, log out of the control system, log in with a new account and delete the admin user from the system in one of the ways:
Method 1 – From the main menu on the left, select Users >> All Users. Hover over to the username admin, and you’ll see the “Delete” function.

Removing a user from wordpress
Method 2 – From the main menu on the left, select Users >> All Users. Find the user admin, tick the box and select “Delete” from the “Actions” drop-down menu. After that, click on the “Apply” option below the list of users. This option is useful if you need to delete several users at once.

You can also change the username admin via the database query:
UPDATE wp_users SET user_login = ‘new_login’ WHERE user_login = ‘admin’;
This method has a minus: the author for posts written by the user admin, will not be changed. In order to fix this, you need to make one more query to the database:
UPDATE wp_posts SET post_author = ‘new_login’ WHERE post_author = ‘admin’;

2. Use a complex and unique password.

Read also : 9 WordPress Plugins For Malware Detection

The protection of the WordPress admin area is, of course, impossible without a complex good password. It is important that it is unique and includes numbers, letters of different registers, punctuation marks, symbols, and so on. Passwords of type: pass, 1q2w3e4r5t6y, 87654321, qwerty, abc123, 111111, 1234, your date of birth, etc. – are not reliable, but many users continue to use them.

Example of a good password: pcVaOF8r39. Of course, it will be hard for you to remember such a password, but for this there are a number of programs that store and generate passwords, and can also be integrated into the interface of your browser (for example, Password Agent, KeyPass, Roboform, etc.)
If you still want to remember your passwords by heart, we recommend creating a combined password from a well-known name / word with several large letters / numbers in random places and several special characters at the beginning or end. Such a password will also be difficult to select, but it will be easy to remember.

Do not forget to regularly update your passwords.

3. Update the version of WordPress.

WordPress takes care of its users, and so in the administrative control panel you can find notifications about the release of the new version. We recommend that you perform the update as soon as you see it, because one of the most common vulnerabilities in the security of your site is the use of an outdated version of the platform.

4. Hide the version of WordPress.

Read also : How to search for malicious code in WordPress

WordPress by default adds the current version number to the source code of its files and pages. And since it’s often not always possible to update the WordPress version in time, it can become a weak point of your website. Knowing which version of WordPress you have, a hacker can do a lot of harm.

Using the functions.php file, you can prevent the display of information about the version of your platform. To do this, you need to open the functions.php file located in the root folder of the current theme of your website (wp-content / themes / current_name_wordpress), and add the following code:
Remove_action (‘wp_head’, ‘wp_generator’);
Or you can add the following code to the functions.php file:
/ * Hide WP version strings from scripts and styles
* @return {string} $ src
* @filter script_loader_src
* @filter style_loader_src
* /
Function fjarrett_remove_wp_version_strings ($ src) {
Global $ wp_version;
Parse_str (parse_url ($ src, PHP_URL_QUERY), $ query);
If (! Empty ($ query [‘ver’]) && $ query [‘ver’] === $ wp_version) {
$ Src = remove_query_arg (‘ver’, $ src);
Return $ src;
Add_filter (‘script_loader_src’, ‘fjarrett_remove_wp_version_strings’);
Add_filter (‘style_loader_src’, ‘fjarrett_remove_wp_version_strings’);
/ * Hide WP version strings from generator meta tag * /
Function wpmudev_remove_version () {
Return “;
Add_filter (‘the_generator’, ‘wpmudev_remove_version’);

In addition to the above, in the folder of any WordPress theme, you will find the header.php file. It also indicates the version of your installation, which for a hacker is very interesting, as mentioned earlier. Removing the following line from the file, you get rid of this extra information:
<Meta name = “generator” content = “WordPress <? Php bloginfo (‘version’); ?> “/>

5. Download themes and plugins from reliable resources.

WordPress is so common that more and more developers create ready-made themes and plug-ins for it. While most of them will make it easier to work with your site and expand its functionality, some can hide very unpleasant consequences in the form of viruses and open doors for hackers.

Use only proven resources for downloading themes and plug-ins, for example, wordpress.org, and also pay attention to all the emerging warnings about the severity of files. As in the case with WordPress itself, it is important to update plug-ins in time to the latest versions.

6. Do not store unnecessary files.

Read also : How to remove a virus or malicious code from WordPress?

Inactive extensions can pose a serious threat to the security of your site. Therefore, safely remove all unused plug-ins and themes. For example, you installed woocommerce plug-ins to test and select the one that you will use. After choosing, do not forget to delete all unnecessary.

7. Regularly check your local computer for viruses.

The implementation of various steps to ensure the security of the site on WordPress is good, but it is necessary to follow the computer. You must have a constantly updated antivirus. Otherwise, you risk infecting your website by downloading virus files on it.

8. Make backup copies of the site.

Not all attacks of attackers can be prevented, but only one successful attack can destroy all efforts to work on your site. We recommend that you make regular backup copies of the website. Many hosting companies provide the option of server backups and in which case, you can restore the site from a copy that is available on the server.

But we recommend not to be limited to such server backups, since it’s important to take care of backups and on your part. You can manually create copies of your site at certain intervals or before important updates, but there are also a number of plug-ins that will automatically create copies of WordPress.

You can see the various options here: wordpress.org/plugins/tags/backup

By installing the plug-in WordPress Database Backup, you will additionally be able to secure the database of your site. Settings plug-in allow you to set the option to send a daily backup of the database to your contact mailbox.

9. Use a secure connection.

If you prefer to download your files using an FTP client, use the secure connection protocol to the SFTP server.

10. Create a .htaccess file.

.htaccess file is the main configuration file of the web server, which is located in the root folder of your website. If you do not have this file, just create it with a text editor. There is no extension to the file, so you just need to name the new .htaccess file.
This is the kind of standard WordPress file .htaccess:

Important: All changes to .htaccess must be made after #END WordPress.
By adding various variations of code to this file, you can significantly secure your site:

A code that blocks access to your wp-config.php file, which contains important information necessary to connect to the MySQL server and database:
<Files wp-config.php>
Order allow, deny
Deny from all
</ Files>

A code that restricts access to the .htaccess file itself:
<Files .htaccess>
Order allow, deny
Deny from all
</ Files>

In the same way, you can protect any other file by simply replacing the “.htaccess” in the code with the name of the required file.
A code that restricts the access of users with a specific IP address to your site:
Order allow, deny
Allow from all
Deny from X.X.X.X

So you can deny access to suspicious users, spammers and bots, because their IP addresses are often repeated. This will also reduce the load on the server.
Code that gives access to your site only to users with a specific IP address:
Order deny, allow
Deny from all
Allow from X.X.X.X

The code that restricts access to the admin panel of your site (this is convenient if you have a static IP address, and you can set access only for yourself):
AuthUserFile / dev / null
AuthGroupFile / dev / null
AuthName “Access Control”
AuthType Basic
Order deny, allow
Deny from all
Allow from X.X.X.X

Code that prohibits the tracking of HTTP headers:
RewriteEngine On
RewriteRule. * – [F]

The code that protects against SQL injections is the most common type of attack on WordPress sites:
RewriteCond% {QUERY_STRING} (\ <|% 3C). * Script. * (\> |% 3E) [NC, OR]
RewriteCond% {QUERY_STRING} GLOBALS (= | \ [| \% [0 – 9A-Z] {0, 2}) [OR]
RewriteCond% {QUERY_STRING} _REQUEST (= | \ [| \% [0 – 9A-Z] {0,2})
RewriteRule ^ (. *) $ Index.php [F.L]

Code that does not allow you to view the folders on your server by typing their full path:
Options -Indexes

For example, typing in the browser http://yourdomain.com/wp-includes, you will see the entire contents of the folder “wp-includes”, which, of course, is not secure. With this code, users will see a response from the server – 403 Forbidden.

An alternative method of hiding subfolders is to create an empty index.php file in each directory. Thus, when you open http://yourdomain.com/wp-includes, the browser displays a blank page.

A code that protects against the use of XSS injections and attempts to modify the variables GLOBALS and _REQUEST:
Options + FollowSymLinks
RewriteEngine On
RewriteCond% {QUERY_STRING} (\ <|% 3C). * Script. * (\> |% 3E) [NC, OR]
RewriteCond% {QUERY_STRING} GLOBALS (= | \ [| \% [0-9A-Z] {0,2}) [OR]
RewriteCond% {QUERY_STRING} _REQUEST (= | \ [| \% [0-9A-Z] {0,2})
RewriteRule ^ (. *) $ Index.php [F, L]

For the same purpose, you can use a number of WordPress plugins, which you can find here: wordpress.org/plugins/tags/xss
A code that blocks access to the / wp-content directory:
Order deny, allow
Deny from all
<Files ~ «. (Xml | css | jpe? G | png | gif | js) $»>
Allow from all
</ Files>

This folder is one of the most important because it contains themes, plug-ins, images and other content.
The code that protects against hotlinking:
RewriteEngine On
RewriteCond% {HTTP_REFERER}! ^ Http: // (. + \.)? Yourdomain \ .com / [NC]
RewriteCond% {HTTP_REFERER}! ^ $
RewriteRule. * \. (Jpe? G | gif | bmp | png) $ /images/nohotlink.jpg [L]

Hotlinking is inserting an image from your server into someone else’s site \ blog. The traffic goes directly to your server.
Using the code above, you can force the server to check where the request came from: if from the pages of your website, the server gives the image to the user without problems; If the same from someone else’s website – it shows an image with an error.

11. Change the prefix of the database tables.

Read also : How to remove a virus from the WordPress site

Protecting WordPress from hackers will also increase if you remove the original prefix wp_ – this will complicate the search for intruders. Let’s consider several ways:

Method 1 – Suitable for new installations via Softaculous
If your hosting provider allows you to use the Softaculous script to install WordPress, you can change the prefix during the initial installation: in the Advanced Options section you will need to make the required changes.

Method 2 – For existing sites and fresh installations of WordPress

If your WordPress has been installed for a long time and the site is working, then you can change the database prefix using phpMyAdmin.

Select the required database from the list and make the following query to the database:
RENAME table `wp_commentmeta` TO` newprefix_commentmeta`;
RENAME table `wp_comments` TO` newprefix_comments`;
RENAME table `wp_links` TO` newprefix_links`;
RENAME table `wp_options` TO` newprefix_options`;
RENAME table `wp_postmeta` TO` newprefix_postmeta`;
RENAME table `wp_posts` TO` newprefix_posts`;
RENAME table `wp_terms` TO` newprefix_terms`;
RENAME table `wp_term_relationships` TO` newprefix_term_relationships`;
RENAME table `wp_term_taxonomy` TO` newprefix_term_taxonomy`;
RENAME table `wp_usermeta` TO` newprefix_usermeta`;
RENAME table `wp_users` TO` newprefix_users`;
Where “newprefix_” must be replaced with the new prefix that you want to use instead of the “wp_” prefix.

After that, you will see a new prefix in the database tables:

To make sure that all the changes were successful and the prefix wp_ is no longer used in the _options and _usermeta table, you will need to make another query to the database:
SELECT * FROM `newprefix_options` WHERE` option_name` LIKE ‘% wp_%’

Query to the database wordpress
SELECT * FROM `newprefix_usermeta` WHERE` meta_key` LIKE ‘% wp_%’

Querying the WordPress database
As a result, you can find a number of prefixes that you will need to rename manually using the Edit button:

Manually rename database prefixes
The number of changes you need to make may vary. But all the prefixes wp_ you must change to your new prefix for the normal functioning of the website.
After that, do not forget to also make changes to the prefix in the wp-config.php file:

Rename the prefix in the wp-config file
You can also use special plugins to change the database prefix: Change DB prefix or Change table prefix.

12. Limit the number of access attempts.

Most often, attackers make a huge number of attempts to enter your site by selecting a password. You can configure the system so that the IP address is locked for several hours after a certain number of failed login attempts.

To do this, you can use additional plug-ins, for example, Login LockDown or Limit Login Attempts. In the settings of these plugins, you can independently set the number of login attempts and the time of blocking.

In addition, it is possible to hide the message that the entered login and password are incorrect. This is also information that can help an attacker.

To remove the output of this message, you need to open the functions.php file located in the current theme folder of your website (wp-content / themes / current_WordPress) and add the following code:
Add_filter (‘login_errors’, create_function (‘$ a’, “return null;”));

13. Remove readme.html and license.txt.

Files readme.html and license.txt are present in the root folder of any WordPress installation. You do not need these files, and hackers can cure their atrocities. For example, to find out the current version of your WordPress and much more useful for hacking a website. We recommend that you uninstall them immediately after installing WordPress.

14. Use the SSL certificate.

To transfer protected information and confidential data exchange, we recommend using the SSL protocol. This is especially true for online stores, if you do not want personal information about your customers to be transmitted unprotected.

First of all, you will need to purchase an SSL certificate and install it for your domain name.
After that, you can set the mandatory use of SSL-protocol when you enter the control panel of your site. To do this, open the wp-config.php file located in the root folder of your website, and add the following line:
Define (‘FORCE_SSL_ADMIN’, true);

15. Change the wp-config.php file.

By adding such code to the wp-config.php file, you can also strengthen the protection of your website:

Restriction on the theme and plugin changes:
Define (‘DISALLOW_FILE_EDIT’, true);

Disabling the installation and removal of plug-ins:
Define (‘DISALLOW_FILE_MODS’, true);

Adding salt-keys or so-called security keys: you will first need to find such lines in the wp-config.php file:

How to add salt keys

You will see that the keys are already installed and can be changed. Or you will see lines of this type: ‘put your unique phrase here’, which indicates that the keys are not yet installed:
/ ** # @ +
* Authentication Unique Keys and Salts.
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
* @since 2.6.0
* /
Define (‘AUTH_KEY’, ‘put your unique phrase here’);
Define (‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
Define (‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
Define (‘NONCE_KEY’, ‘put your unique phrase here’);
Define (‘AUTH_SALT’, ‘put your unique phrase here’);
Define (‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
Define (‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
Define (‘NONCE_SALT’, ‘put your unique phrase here’);

Just go to api.wordpress.org/secret-key/1.1/salt/, where new keys will be generated. Copy them and paste into the wp-config.php file.
Such salt keys are used to enhance the security of information stored in user cookie. They complicate the process of hacking user passwords.

16. Use two-factor authentication of accounts.

To increase the security of your passwords, the method of several types of authentication is increasingly used. After you enter the password on the site, you are sent a request for a new one-time password, which you receive on the contact phone number or e-mail (you can go to a specific link from the letter).

Therefore, even if your primary password was compromised, the hacker will not be able to log in to the account without access to your phone or email.
One of the most popular WordPress two-factor verification plug-ins is Google Authenticator and Clef Two-Factor Authentication.

17. Use plugins that provide security.

In addition to all the listed ways to secure your website, there is also a large number of special plug-ins developed for WordPress. You can find them here: wordpress.org/plugins/tags/security
Some plug-ins I want to mention separately:

Wordfence Security

Plugin for WordPress Wordfence Security
This is a WordPress security plugin that allows you to crawl your website in order to search for malicious code, gaps and loopholes left by hackers, showing website analytics and real-time traffic. It is also possible to configure automatic scanning and much more.

Acunetix WP Security

Plugin for wordpress Acunetix WP Security
This plugin checks your website for various vulnerabilities in security and offers a number of methods for their elimination. For example, passwords, different access rights to files, database protection, protection of information about the version of WordPress, administrator protection and so on.

All In One WordPress Security

Plugin for wordpress All In One WordPress Security
This plugin allows you to secure user accounts and logins, databases and file system, prevent attack brute force (attacks related to password recovery), scan the site and so on.

We also recommend the plugin for the protection of the admin on WordPress LoginLockDown, which protects against the choice of password and login.


However how sad it may sound, WordPress protection is a complicated thing, and the ways described in this article do not guarantee 100% that your site will be completely protected from any actions of scammers. However, they should not be neglected, as they will significantly reduce the possibility of hacking the site by intruders.


Share with friends
Add a comment