WordPress core developers work hard to keep the WordPress CMS safe, yet its increasingly under attack by hackers. Though, WordPress platform is strictly audited for security, it’s easy to make mistakes in your own WordPress installation and its your responsibility to keep your website from being compromised.

WordPress Security Best Practices

The most common attacks against a WordPress blog usually fall under two categories.

  • Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.
  • Attempting to gain access to your blog by using “brute-force” password guessing.

We have  compiled a list of tips that can greatly improve the security of your WordPress website.

How to Secure WordPress

1) Always update to the latest version of WordPress.

2) Always use the latest version of plugins/widgets and themes. Visit your WordPress dashboard, hover over the Dashboard menu item, and click Updates — if you see any plugin updates, download and install them. Furthermore, Check plugin’s ratings and popularity before installing it.

3) Always use strong passwords. If you have an admin account, create a new administration account and delete admin.

4) Keep your computer virus free, and keep your anti-virus software updated.

5) Do regular backups or you may lose all of your work if being hacked. Furthermore, remember to back up every time you make changes. You can do that through the use of a backup plugin or manually.

6)  Monitor your WordPress core files for changes using a security plugin.

7)  Ensure your WordPress core files have the correct file permissions.

8) Make sure you’re not using the default `wp_` table prefix in your database. If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user.

Secure wp-includes

Use below code and paste in your WordPress .htaccess file.  Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress

This code won’t work well on WordPress Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ – [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

Secure wp-config.php

wp-config.php can be stored one directory level above the WordPress (where wp-includes resides) installation. However, moving wp-config.php have minimal security benefits and if not done carefully, may actually introduce serious vulnerabilities. Furthermore, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).

You can also add the given code in your .htaccess file to make it secure.

<files wp-config.php>
order allow,deny
deny from all
</files>

Disable File Editing

A hacker will try to do edit your PHP files through the Dashboard interface, since The WordPress Dashboard by default allows administrators to edit PHP files. Add the following line of code to your to your wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

Placing the above line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users. Although, this will not prevent an attacker from uploading malicious files to your site, but it does stop some form of attacks.

Use WordPress Security Plugins and Services

iThemes Security: iThemes Security hides common WordPress security vulnerabilities, preventing attackers from learning too much about your site and away from sensitive areas like your site’s login, admin, etc. It also monitors your site and reports changes to the filesystem and database that might indicate a compromise. iThemes Security also works to detect bots and other attempts to search vulnerabilities.

All In One WP Security & Firewall: A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site. This plugin helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.

Wordfence Security: Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.

A firewall can also be added between your hosting company and the Internet by modifying your DNS records to pass-through the firewall. That causes all traffic to be filtered by the firewall before reaching your site. A few companies offer such service, like CloudFlare, Sucuri and Incapsula.