10 Essential Steps to Secure any WordPress Website
Securing, or ‘hardening’, WordPress means applying the controls already available to you so that attacks against your website fail or become too costly, which in turn makes it a less attractive target.
WordPress is the most widely used CMS, which makes it a favourite target: an exploit for a common plugin or a weak default setting works against a very large number of sites. And a fresh WordPress install is not hardened out of the box.
Attackers have many motives: stealing your data, using your server to send spam, and so on.
When it comes to security, it is better to be safe than sorry. In this post we summarise the 10 essential steps you need to go through to raise the security standard of your WordPress website.
0- Hosting
When 41% of hacked WordPress sites were compromised through a security vulnerability on their hosting platform, the choice of a secure hosting provider is the first decision to get right: nothing you do inside WordPress protects you from a neighbouring account on a badly isolated shared server.
1- Admin Username
Use an unpredictable username for the admin account; ‘admin’ is the first name every brute-force script tries. If you already have an easy one, change it. Keep in mind that a username is not a secret: WordPress still exposes it through author archive URLs (for example ?author=1), so the rename removes the easy guess but a strong password and two-factor authentication (steps 2 and 3) do the real work.
How to Change the Admin Username
You can change your admin username from within your WordPress dashboard by editing the database through the Adminer plugin:
- Download the Adminer plugin from GitHub.
- Upload it like any other plugin from Plugins -> Add New -> Upload Plugin.
- Activate the plugin and go to Tools -> Adminer.
- Click ‘Start Adminer in a new tab’; this opens your website database.
- Select your _users table (wp_users with the default table prefix), select the admin account, and change these three values: user_login, user_nicename, and display_name. user_nicename is the slug shown in author URLs, so leaving it unchanged would keep advertising the old name.
You will then be able to log in again with your new admin username. Once you are done, deactivate and delete Adminer: while it is installed, anyone who gets into your dashboard has raw access to the whole database.
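The same change as a script, so it can be reviewed before it is run through Adminer, the mysql client or `wp db query`. This is an added example, not code from the original post; the default table prefix wp_, the current login ‘admin’ and the character whitelist are assumptions, and the nicename derivation is a simplified version of what WordPress does.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: build the SQL that renames the
# WordPress admin account, for running through Adminer, the mysql client or
# `wp db query`. Assumes the default table prefix wp_ and that the account to
# rename is currently called "admin"; both are parameters.

# Accept only the conservative character set [A-Za-z0-9_.@-] and the varchar(60)
# limit of the user_login column. This is a deliberately strict subset of what
# WordPress itself allows, so nothing that needs SQL escaping can get through.
valid_login() {
  case "$1" in
    ''|*[!A-Za-z0-9_.@-]*) return 1 ;;
  esac
  [ "${#1}" -le 60 ]
}

# Derive the URL-safe slug WordPress stores in user_nicename and uses in author
# archive URLs (/author/<nicename>/): lowercase, runs of anything outside
# [a-z0-9] collapsed to one hyphen, cut to the column's varchar(50).
# A simplified stand-in for WordPress's sanitize_title().
nicename_for() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed -e 's/[^a-z0-9]\{1,\}/-/g' -e 's/^-//' -e 's/-$//' | cut -c1-50
}

sql_escape() { printf '%s' "$1" | sed "s/'/''/g"; }

# Print the UPDATE statement for the three columns the post says to change.
# $1 = current login, $2 = new login, $3 = table prefix (default wp_).
rename_admin_sql() {
  old=$1 new=$2 prefix=${3:-wp_}
  valid_login "$new" || { echo "rejected new login: $new" >&2; return 1; }
  nice=$(nicename_for "$new")
  printf "UPDATE %susers SET user_login='%s', user_nicename='%s', display_name='%s' WHERE user_login='%s';\n" \
    "$prefix" "$new" "$nice" "$new" "$(sql_escape "$old")"
}

# Print the query to confirm the change and see what author URLs now expose.
verify_sql() {
  prefix=${1:-wp_}
  printf "SELECT ID, user_login, user_nicename, display_name FROM %susers ORDER BY ID;\n" "$prefix"
}

# Usage: ./rename-admin.sh admin new-login [prefix]
if [ "$#" -ge 2 ]; then
  rename_admin_sql "$@"
  verify_sql "${3:-wp_}"
fi
```

WordPress refuses to change user_login through its own wp_update_user() function, which is why the post goes to the database directly; the script only prints SQL, so run it, read the statement, and then paste it into Adminer or pipe it into `wp db query`. Log out and back in with the new name afterwards, and check the author archive URL to confirm the old slug is gone.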
2- Passwords
Since WordPress 4.3, you can generate a strong password for your account directly from your profile page. Consider changing it regularly.
Force Strong Passwords
Despite the built-in strong password generator, users can still type in weak passwords of their own, which matters most on a multi-author website. To make sure everyone on your site uses a strong password, install the ‘Force Strong Passwords’ plugin: it rejects weak passwords at the moment a user sets or changes one.
3- Implement 2-Factor Authentication
Two-factor authentication adds an extra layer of security by requiring a one-time code in addition to the standard credentials, so a stolen or guessed password alone is not enough to log in. Users supply the second factor through whichever method the site admin has configured.
Some great examples for 2FA plugins:
4- Secure wp-config.php
Add a rule to the .htaccess file in your site root that denies web requests for wp-config.php. The file holds your database credentials and the keys and salts from step 7, and although PHP normally executes it rather than serving it, a misconfiguration or a stray backup copy (wp-config.php.bak, wp-config.php~) can expose its contents.
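The rule itself, wrapped in a script that appends it once and verifies it is present. This is an added example, not the snippet from the original post; it assumes Apache with AllowOverride enabled for the document root, which WordPress already relies on for its permalink rules.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: append an Apache rule that denies
# every HTTP request for wp-config.php, and a check that the rule is in place.
# Assumes Apache with AllowOverride enabled for the document root (WordPress
# already relies on this for its permalink rules).

wp_config_deny_rule() {
  cat <<'EOF'
# BEGIN protect wp-config.php
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
# END protect wp-config.php
EOF
}

# Append the rule to $1/.htaccess unless it is already there. It lands after the
# "# BEGIN WordPress ... # END WordPress" block, which WordPress rewrites on its
# own, so the rule survives permalink changes.
protect_wp_config() {
  ht="$1/.htaccess"
  if [ -f "$ht" ] && grep -q '^# BEGIN protect wp-config.php' "$ht"; then
    return 0
  fi
  wp_config_deny_rule >> "$ht"
}

# Return 0 when $1/.htaccess has a <Files wp-config.php> block containing a deny
# directive, whether written for Apache 2.2 or 2.4; 1 otherwise.
wp_config_is_protected() {
  ht="$1/.htaccess"
  [ -f "$ht" ] || return 1
  awk '
    { line = tolower($0) }
    line ~ /<files[ \t]+["]?wp-config\.php["]?[ \t]*>/ { inblk = 1 }
    inblk && (line ~ /require[ \t]+all[ \t]+denied/ || line ~ /deny[ \t]+from[ \t]+all/) { ok = 1 }
    line ~ /<\/files>/ { inblk = 0 }
    END { exit ok ? 0 : 1 }
  ' "$ht"
}

# Usage: ./protect-wp-config.sh /var/www/html
if [ "$#" -ge 1 ]; then
  protect_wp_config "$1"
  wp_config_is_protected "$1" && echo "wp-config.php is denied in $1/.htaccess"
fi
```

After adding the rule, request https://yoursite/wp-config.php in a browser and expect a 403. nginx ignores .htaccess entirely; there the equivalent is a `location = /wp-config.php { deny all; }` block in the server configuration.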
5- Disable Plugin and Theme Editor
Any user with the administrator role can edit theme and plugin files directly from the WordPress dashboard, which means an attacker who gets hold of one admin account, or an inexperienced admin, can drop PHP into your site with a few clicks. To disable the file editor, add the following line to your wp-config.php file. Note that this only removes the editor; an admin can still upload a new plugin or theme, and the stricter DISALLOW_FILE_MODS constant blocks that as well (along with dashboard updates, so plan updates accordingly).
define('DISALLOW_FILE_EDIT', true);
6- Disable WordPress Debug
There are legitimate reasons to set the WordPress debugging options to true for a while, for example at the request of a theme or plugin’s support staff, or when you need to find out what is wrong with your website. Always set them back to false afterwards, because debug output leaks file paths, database errors and other details that help an attacker. Make sure your wp-config.php contains the following lines:
define('WP_DEBUG', false);
define( 'WP_DEBUG_DISPLAY', false);
7- Change Security Keys and Salts
When you open your wp-config.php file, just after the database credentials you will find a set of eight security keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values).
These keys and salts are mixed into the authentication cookies and nonces WordPress issues, so they must be long, random and unique to your site; a fresh install still carrying the ‘put your unique phrase here’ placeholders has none of that protection. Consider changing them regularly to keep login sessions and admin credentials safe: rotating them immediately invalidates every existing login cookie, which is also the quickest way to kick out an attacker who has stolen a session. You can change them manually by getting a new set from the WordPress online generator, or use the Salt Shaker plugin, which lets you change them on demand or automatically on a daily, weekly or monthly schedule. Read more about Salt Shaker plugin.
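Steps 5, 6 and 7 all live in wp-config.php, so one script can check them together and rotate the salts without relying on a remote generator. This is an added example and not code from the original post or from the Salt Shaker plugin; it assumes the stock one-define-per-line layout of wp-config.php and that /dev/urandom and base64 exist on the host. The sample configuration at the bottom is constructed for the demonstration, not taken from a real site.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: audit a wp-config.php against
# steps 5, 6 and 7 and rotate the keys and salts offline. Assumes the stock
# wp-config.php layout (one define() per line) and that /dev/urandom and base64
# exist on the host.

SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# Print the raw value from define('NAME', value); in $1 (quotes kept, trailing
# whitespace dropped), or nothing when NAME is not defined.
wp_config_setting() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*\))[[:space:]]*;.*/\1/p" "$1" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one line per finding; the return value is the number of findings (0 = clean).
audit_wp_config() {
  f=$1; bad=0
  [ "$(lower "$(wp_config_setting "$f" DISALLOW_FILE_EDIT)")" = true ] \
    || { echo "DISALLOW_FILE_EDIT is not true (step 5)"; bad=$((bad + 1)); }
  # WP_DEBUG defaults to false when absent, and WP_DEBUG_DISPLAY only matters
  # while WP_DEBUG is on, so an undefined constant passes for both.
  for c in WP_DEBUG WP_DEBUG_DISPLAY; do
    v=$(wp_config_setting "$f" "$c")
    case "$(lower "$v")" in
      ''|false) ;;
      *) echo "$c is $v, should be false (step 6)"; bad=$((bad + 1)) ;;
    esac
  done
  for k in $SALT_KEYS; do
    v=$(wp_config_setting "$f" "$k" | sed "s/^['\"]//; s/['\"]\$//")
    case "$v" in
      ''|*'put your unique phrase here'*)
        echo "$k is missing or still the placeholder (step 7)"; bad=$((bad + 1)) ;;
      *) [ "${#v}" -ge 32 ] || { echo "$k is shorter than 32 characters (step 7)"; bad=$((bad + 1)); } ;;
    esac
  done
  return "$bad"
}

# 64 base64 characters from 48 random bytes: no quotes, backslashes or '&',
# so the value is safe inside PHP single quotes and in the sed replacement below.
new_salt() { head -c 48 /dev/urandom | base64 | tr -d '\n'; }

# Give every key and salt in $1 a fresh random value, in place. This invalidates
# every login cookie, so all users (including you) are signed out.
rotate_salts() {
  f=$1; tmp=$(mktemp)
  cp "$f" "$tmp"
  for k in $SALT_KEYS; do
    s=$(new_salt)
    sed "s#^\([[:space:]]*define[[:space:]]*([[:space:]]*['\"]$k['\"][[:space:]]*,[[:space:]]*\).*#\1'$s');#" "$tmp" > "$tmp.new" \
      && mv "$tmp.new" "$tmp"
  done
  mv "$tmp" "$f"
}

# Constructed sample wp-config.php (not a real site's file) with every problem
# the audit looks for: debug on, no DISALLOW_FILE_EDIT, placeholder salts.
sample_wp_config() {
  cat <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-only');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
define('WP_DEBUG', true);
define( 'WP_DEBUG_DISPLAY', true );
$table_prefix = 'wp_';
EOF
}

# Usage: ./wp-config-audit.sh /var/www/html/wp-config.php [--rotate-salts]
if [ "$#" -ge 1 ]; then
  [ "${2:-}" = "--rotate-salts" ] && rotate_salts "$1"
  audit_wp_config "$1"
fi
```

Run the audit against the sample to see the eleven findings it produces, then against your own file; a clean file returns 0, which makes the script usable as a check in a deployment pipeline. rotate_salts only rewrites defines that already exist, so a key the audit reports as missing has to be added by hand first.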
8- Security Plugin
Security plugins can scan your files for malware and provide several protections in one package, such as brute-force login protection, anti-spam, two-factor authentication and so forth. There are many security plugins to choose from; we have reviewed SecuPress and it’s really awesome. Other examples of security plugins (pick only one, since two of them will fight over the same hooks and settings):
9- Backup Solution
No matter how well your website is secured, you must have a backup plan. A working backup solution is a must if you care about your website, and not only for security: it is also your way back from a bad update or a hosting failure. Keep copies off the web server, and restore one from time to time to prove the backups actually work.
Examples of great backup solutions for WordPress:
10- Update, Update, and Update!
Keep everything in your website updated: WordPress core, themes, and plugins. Developers improve the security of their code as well as adding features and fixing bugs, and once a fix is public the vulnerability it closes is public too, so an unpatched site is an easy target.
Hope you find these steps useful. If you have any questions or feedback, please post them in the comments section below.