You are currently viewing WordPress Security – Keeping your website safe

WordPress Security – Keeping your website safe

Today, WordPress security is more important than ever. The sole reason for this fact is the astounding popularity of WordPress globally. Did you know that WordPress powers an astonishing 39.5% of websites in the world? If we only count websites that run a CMS, WordPress powers a staggering 64%! If you’re an e-commerce portal, nearly 28% of all e-commerce traffic goes through WooCommerce!

What does this mean for me as a website owner?

These numbers mean that WordPress impacts nearly everyone’s web presence. If you are a business, even more so. Unfortunately, this also means that WordPress is the target for malicious entities such as hackers who try to find vulnerabilities and exploits in your WordPress configuration. Luckily, you can quickly secure your WordPress website to keep it safe from malware attacks, DDoS attacks and other phishing attacks.

Why should I be concerned about WordPress security?

Google regularly blacklists more than 10,000 websites every day for malware and around 50,000 for phishing each week. This means that if your website is on this list, you can forget about ranking, and if your business depends on this website, you are in trouble! Additionally, a hacked or compromised website can cause lasting damage to your business, revenue and reputation. Hackers can easily steal confidential user information and passwords, install malicious software, and even distribute malware to your users. You may also find yourself paying ransomware to hackers just to regain access to your website.

How can I secure my website from such attacks?

We’ve put together this guide to help users like you secure your WordPress website. Here’s what you can do:

Step 1: Securing WordPress Software

Keeping WordPress updated

This is the most important activity that you can do. Updating WordPress is essential and ensures that you have the latest and greatest version with all the security patches. WordPress has automatic updates turned on by default and will automatically update your website to the latest version available.

There are four different categories of WordPress automatic updates:

  • Core updates
  • Plugin updates
  • Theme updates
  • Translation files updates

Core updates further have three sub-categories

  • Core development (only for dev installations)
  • Minor core updates (these are enabled by default for maintenance and security in stable installations)
  • Major core updates

Here’s how you can update your WordPress installation from your WordPress Dashboard:

By default, you will see the following text whenever an update is available:

WordPress 5.7.2 is available! Please update now.

You can either choose to update right away or click on Dashboard > Updates. This opens the WordPress Updates screen. If an update is available, you will see the following text:

Current version: 5.6

Last checked on June 27, 2021 at 2:19 pm. Check again.

Automatic update scheduled in 12 hours.

This site is automatically kept up to date with each new version of WordPress.
Switch to automatic updates for maintenance and security releases only.

If you do not want to update your WordPress installation to the latest version, click Switch to automatic updates for maintenance and security releases only.

Once you click the link, the text will revert to:

This site is automatically kept up to date with maintenance and security releases of WordPress only.
Enable automatic updates for all new versions of WordPress.

You can also make these update preference changes manually. Here’s how you can do this:

  1. Log into your server via SSH or SFTP
  2. Edit the wp-config.php file from the public_html folder
  3. Make the following changes to the file
# This disables all core WordPress updates:
define( 'WP_AUTO_UPDATE_CORE', false );
# This enables all core WordPress updates, including minor and major updates:
define( 'WP_AUTO_UPDATE_CORE', true );
# This enables minor WordPress updates:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

Keeping themes and plugins updated

It is essential to keep your themes and plugins updated to their latest versions. Often, hackers can find ways to manipulate out-of-date plugins and themes by exploiting loopholes that users might not have patched yet.

Themes and plugins are easily updated in WordPress. You can set both themes and plugins to update automatically, but there’s a catch—you must ensure that your themes and plugins are compatible with the WordPress version installed on your system. Although most major plugins and themes are compatible with the latest and greatest WordPress versions, some might have legacy version requirements and need careful monitoring.

Updating plugins automatically

  1. Log on to your WordPress dashboard
  2. Navigate to Dashboard> Plugins> Installed Plugins and choose the plugins that you wish to update
  3. Click the Enable Auto Updates button to update the plugin

Updating Themes automatically

  1. Log on to your WordPress dashboard
  2. Click on Appearance > Themes
  3. Click on the theme you wish to update automatically and click Enable Auto Updates to update the theme automatically

Removing unused themes

Unused plugins and themes can take up unwanted space, and as these themes and plugins are often not updated in time, they can open backdoors for hackers to inject malicious code on your website. Remove all unwanted plugins and themes. If you think you might need them later? Download and save them to your PC, or just get the latest version of these themes and plugins when you need them!

Step 2: Limiting access to your website

Most attackers target websites with weak passwords or with little to no security infrastructure to gain access to them. Therefore, it is essential to lock down your WordPress admin access to those who need them and restrict access to all others through strong passwords, roles, multi-factor or two-step authentication and limiting user session duration.

Managing WordPress accounts

Most attacks on WordPress-based websites target wp-admin, wp-login.php and xmlrpc.php access points. These attacks use common usernames and passwords to log on to your website. Here’s what you can do to keep your WordPress admin account safe:

Remove the default WP-admin account

Removing the default admin account and having a unique username and password makes it difficult for hackers to guess their way into your website.

Here’s how you can replace the default admin account:

  1. Log into your website as an administrator
  2. Go to the Dashboard and click on Users > Add New
  3. Use a new email address and password to create a new account
  4. Set the role to administrator and save the user
  5. Log out of the WP-admin account and log in with the newly created account
  6. Select the default admin account and click Delete

If you have any old posts made by the default account, you can also attribute all these posts to the new admin account.

Limiting privileges

Most security experts recommend using the principle of least privilege to reduce the chances of intrusion. This means:

  • Using the least amount of privilege that is necessary to perform an action.
  • Only grant privileges when necessary and revoke them when the task is complete

WordPress includes roles for Administrators, Authors, Editors, Contributors, and Subscribers by default. These roles define access control. For example, administrators have full access, and subscribers only have read-only access.

Here’s how you can control access to your WordPress website:

  1. Create new accounts with the least required permission levels
  2. Only grant higher privileges temporarily and revoke access when not required
  3. Delete all unused accounts
  4. Ensure that all default roles are set to “Subscriber”. To do this, log in to WordPress as an administrator and from the Dashboard, select Settings > General. Set the new user role to subscriber by default.

Using strong passwords

Strong passwords are the mainstay of security. When you use a strong password, it is difficult for hackers to guess your password and log into your website using brute-force. Strong passwords should include the following

  • One upper case character
  • One lowercase character
  • One digiOne
  • One special character
  • A minimum of 8 characters, with no more than two identical characters in a row

Using a password generator can go a long way in ensuring a strong password. Password generators generate a randomised string of letters and numbers to make passwords challenging to break.

Using Two-factor authentication or Multi-factor authentication

Two-factor authentication and Multi-factor authentication add a second layer of security to your account. Using this feature adds another step in the login process and requires users to approve their login via an app. This ensures that even if your password is guessed, the second layer of authentication can keep your WordPress website secure.

Individuals and businesses are increasingly using two factor and Multi-factor authentication to ensure the safety and security of their networks, emails and websites. 2FA and MFA are easy to implement in WordPress.

How can I add two-factor authentication or multi-factor authentication to my WordPress website?

You need a two-factor authentication plugin such as miniOrange 2FA, Wordfence, Duio, Authy or Keyy. Additionally, you need to install Google Authenticator on your phone for added security.

  • Install and activate a 2FA plugin such as miniOrange
  • Follow the instructions of the plugin provider to set it up
  • Generate a QR code through the plugin
  • Install Google Authenticator on your mobile phone
  • Open Google Authenticator and click the Add button
  • Scan the QR code displayed by the plugin
  • Verify the code on the plugin page

Limiting the number of login attempts to WordPress

You can also limit the number of times someone can log in without the proper credentials for a particular account. Additionally, you can also use a web application firewall or WAF. Popular plugins include Limit Login Attempts, WP Limit Login Attempts, Loginizer and many others.


CAPTCHA or Completely Automated Public Turing test to tell Computers and Humans Apart is a critical feature that stops bots from accessing your Dashboard and reduces spam. Popular plugins for CAPTCHAs include reCaptcha and Really Simple Captcha. You can easily enable captchas in login and registration pages through plugins such as WordFence.

Creating URL Allow Lists

URL allow lists can limit access to your login page through authorised IPs. Most WAF or Web Application Firewall plugins can help you implement this feature. Using WAFs for allow lists will not allow anyone to access login pages except those in your allow list.

For example, if your organization has a page that must only be accessed from a particular network, you can revoke access to all IP addresses except those that originate from the allowed network. This is particularly useful for dashboards and restricted login pages. Those attempting to access your website from outside the IP range will get a 403(forbidden) error. You can create a whitelist through your .htaccess file or through the interface in WAF plugins such as Sucuri, Cloudflare, WordFence and others. Here’s an example using the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^$
RewriteCond %{REMOTE_ADDR} !^$
RewriteCond %{REMOTE_ADDR} !^$
RewriteRule ^(.*)$ - [R=403,L]

Step 3: Hardening your website

A lot of WordPress installations use Apache server. The .htaccess file is a critical configuration file for Apache web servers. Even if you’re running a LAMP (Linux, Apache, MySQL and PHP) stack, you must harden your website by creating rules within your .htaccess file.

Securing .htaccess

Securing .htaccess will offer you peace of mind as you will be able to set the basics right. Once you have the basic security mechanisms in place, you can then work on the extras to harden your site further. Here’s what is included in rules that help you in hardening and securing your .htaccess file:

Rewrite rule for mod_rewrite

WordPress generates this rule if write access is enabled for your server to fix issues with permalinks. If this rule is not at the top of the .htaccess file, do that now. Remember that all rules must start after #BEGIN WordPress and end before #END WordPress.

# BEGIN WordPress
# Rewrite rule
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Restricting IP ranges for login

This is an allow list for IP addresses that can access the wp-login file. IP addresses of devices that are not in the list cannot access wp-login.

# Block IPs for login Apache 2.2
<files /wp-login.php>
order deny, allow
allow from MYIP
allow from MYIP2
deny from all
# Block IPS for login Apache 2.4
<Files "wp-login.php">
Require all denied
allow from MYIP2

Protecting wp-config

Wp-config.php is a critical configuration file. This file contains critical information about your database name, host, usernames and passwords. This file is also used to make advanced settings, add security keys and for developer options.

# Protect wp-config Apache 2.2
<files wp-config.php>
order allow, deny
deny from all
#Protect wp-config Apache 2.4
<Files "wp-config.php">
Require all denied
Require ip

Preventing directory browsing

Most hackers check the directory structure of a website to determine if it is easily “hackable”. Disabling directory listings will make it difficult for hackers to get the information they need to run these exploits and hacks.

# Prevent directory browsing
Options All -Indexes

Preventing image hotlinking

Image hotlinking can rake up your bandwidth usage and use up server resources. This rule will not allow other websites to use images hosted on your site.

# Prevent image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} \
!^http://(www\.)*$ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|png)$ – [NC,F,L]

Protecting .htaccess

This rule protects all files that begin with hta. This will also ensure that hackers cannot access your .htaccess files in any folder on your server. This is done using a “regular expression” that looks for files that begin with hta and denies access to them.

# Protect htaccess Apache 2.2
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow, deny
deny from all
satisfy all
# Protect htaccess Apache 2.4
<FilesMatch "^.*\.([Hh][Tt][Aa])">
Require all denied

Blocking includes

The primary folder used for “includes” are the main target of hackers. Blocking these folders can help you harden your WordPress installation further. These folders include:

  • /wp-admin/includes/
  • /wp-includes
  • /wp-includes/js/tinymce/langs/
  • /wp-includes/theme-compat/

You can secure these folders with the following rule, however, note that if you are using a multi-site instance of WordPress, these directives can cause problems.

# Block Includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php \
– [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

Preventing PHP backdoors

Hackers often inject backdoors in PHP scripts located in /wp-includes and /wp-content-uploads. This rule can help you avoid these backdoors:

# Backdoor Protection Apache 2.2
<Files *.php>
deny from all
# Backdoor Protection Apache 2.4
<FilesMatch ".+\.php$">
Require all denied

WordPress application security

Securing WordPress at the application level is essential. Most of the critical information about WordPress is located in wp-config.

Moving WP-config outside root

WP-config file exists in the root directly. Moving wp-config out of the root folder will prevent it from being accessed over the internet. Here’s what you need to do to move your wp-config file outside the root folder:

  1. Login to your website via Cpanel or Sftp
  2. Create a new folder outside the public_html folder
  3. Move the wp-config file from the root directory into this folder
  4. Create a new file called wp-config.php
  5. Add the following code to the wp-config.php file that you have just created:
//Ensure that you replace 'usr' with your server username

A good tip is to rename your config file to further obfuscate the configuration and the called file name.

Note: Open_basedir errors

There are chances that you may receive a PHP “open_basedir” error. If you do, add your new config folder name to the PHP configuration file.

If you do not have access to your PHP configuration, you will need to check with your hosting provider to do this change. If you do, add the full server path name to your new configuration folder.

Here’s an example of the full path: “/var/www/usr/wp-confidential”.

If you’re doing this yourself, open php.ini in a text editor. Find the open_basedir directive and append your new folder pathname to the line within the quotes using a semicolon as a separator.

Here’s an example:

open_basedir = "/var/www/usr/httpdocs/;/ var/www/usr/wp-confidential/;/tmp"

Setting up Salt Keys

WordPress uses salt keys to protect your passwords. With these keys, hackers cannot use your passwords even if they access your database as they are encrypted by the Salt keys cryptographic elements. These keys are also used to sign your website cookies, preventing hackers from gaining control even if they take over cookies.

Salt keys can easily be set by including or editing these lines at the end of the define statements in your wp-config.php file:

define('AUTH_KEY', 'include salt here');
define('SECURE_AUTH_KEY', 'include salt here');
define('LOGGED_IN_KEY', 'include salt here');
define('NONCE_KEY', 'include salt here');

Disabling file edits

Files can often be edited through the online editor in WordPress from Appearance > Editor. Disabling file editing will prevent attackers from gaining access to your files through WP-admin.

To disable file editing, add the following code at the end of your wp-config file:

## Disable Editing in Dashboard
define(‘DISALLOW_FILE_EDIT’, true);

Disabling XML-RPC

XML-RPC is one of the top targets for brute-forcing. This is because you can easily use the system.multicall method to execute multiple methods inside a single request. For most users, XML-RPC has no use and can easily be disabled. To disable XML-RPC, use a plugin such as Disable XML-RPC. Note: disabling XML-RPC can cause Jetpack to stop working.

Hiding your WordPress version

Your WordPress version is an important bit of information for hackers. Knowing that you have an older version can help them open up a pandora box of exploits that work only on old, unpatched installations. To hide your WordPress version, add the following code snippet to the functions.php file of your active WordPress theme:

function wp_version_remove_version() {
return '';
add_filter('the_generator', 'wp_version_remove_version');

Note: the WordPress ReadMe file also has your WordPress version. You can safely delete this file. It is located in the root directly and is called readme.html.

Step 4: Using a WAF or Web Application Firewall to protect WordPress

A Web Application Firewall can be the best and the easiest way to protect your website from hackers. Solutions such as Cloudflare, Prophase, WordFence, AWS WAF, Akamai and many others can identify, filter and block malicious traffic before it reaches your site. These firewalls inspect all HTTP/HTTPS traffic. If a hacking tool attempts an attack, these website firewalls block it immediately to protect your website and server.

Web Application Firewalls are differentiated by application. WAFs are either Internal or External. Popular examples of Internal WAFs include WordFence and External WAFs include CloudFlare.

Internal WAFs are installed on your hosting server and act as intermediaries between web apps (including websites) and external users. This ensures that the firewall analyzes all request-response communication before it reaches the web apps or users. WordFence plugin is a prime example of an internal firewall. Also modsecurity, if installed on web server, acts as an internal WAF.

External Web Application Firewalls such as CloudFlare are cloud-based WAF services that can stop malicious traffic before it reaches your origin web server. This ensures that your hosting stays safe from all threats.

If your web host provides these services, ensure that you research their offerings thoroughly to know what they have on offer

Step 5: Using SSL and HTTPS

No one can deny the importance of SSL and HTTPS. The biggest testament to the importance of SSL today is that Google regularly flags non-secure websites that transmit credit card and password data. Additionally, implementing SSL on your website is now easy with the help of plugins such as Really Simple SSL and EasySSL.

As the prices of certificates go down due to widespread use, it is easy to find certificates for as low as $10 from providers such as Comodo. Many hosting providers also provide free SSL certificates with hosting plans. Additionally, you can also take advantage of AutoSSL, which is offered for free with every cPanel hosting. This certificate is renewed quarterly. SSL certificates are also an important SEO ranking factor as Google prefers secure sites over non-secure ones.

Step 6: Backups, monitoring and detection

No website can be secure without regular backups, monitoring of website security and intrusion detection.

Backing up WordPress

WordPress backups are essential as they can help you to get back to a known good configuration in the case of an attack. Here’s what you must ensure while creating a backup:

  1. Keep your backups at a different location (also called offsite backups) from your server. Backups on your server can contain old unpatched software and make them vulnerable to exploits. Also, if your server drive fails, you will lose all your data
  2. Ask your web hoster if automatic backups can be provisioned or arranged. You can easily forget to back up your website, but a script will not. Remember—a skipped backup can make the difference between getting all your data back versus getting some or none of it instead. We at Pack Web Hosting can surely offer you the right advice.
  3. Backups must be redundant. Always keep another copy of your data backup at a different location.
  4. Test your backups periodically. Untested backups can result in you having a backup that cannot be restored.

There are hundreds of WordPress security plugins which can help you in the above tasks. The most highly recommended by us is WordFence. Amongst its several hundred features, the most prominent are Web Application Firewall (WAF) and 2FA (Two-Factor Authentication). To get a complete detail of this plugin, just checkout this link –


Your hosting type plays a significant role in the security of your website. A good hosting provider such as Pack Web Hosting will take measures to ensure that their servers are protected against common threats. Additionally, most quality hosts will perform the following:

  • Monitor networks for malicious activity
  • Deploy tools to prevent DDoS attacks
  • Keep VPS/Server software and services updated
  • Have disaster recovery and incident plans in place

It is best to invest in a hosting provider that you can trust with your business. WordPress security is much more than locking down and hardening a website. The security and safety net provided by your host also plays a major role in ensuring the safety and reliability of your website. Remember—in the end, it is the reputation of your business that is at stake. Making the right hosting decision and ensuring that you harden your website well will ensure that your site stays up and runs safely for years to come. Pack Web Hosting’s VPS hosting plans offer more than just agility and customisation—our experienced systems administrators have ensured that our networks and systems are ready to take the hit—if it passes through our detection systems!

Make the wiser choice—switch to Pack Web Hosting’s VPS hosting solutions today!