How to Secure a WordPress Site? The Ultimate Guide

WordPress is one of the most used open source software in the world. Therefore it is important to be vigilant and protect it as best as possible.

A hacker can use data however he wants! Know that WordPress is one of the most popular content management systems in the world! It has been installed over 76.5 million times.

ESSENTIAL SECURITY SOLUTIONS FOR YOUR WORDPRESS SITE

1. Keep your WordPress updated

This will allow you to secure WordPress effectively, believe me! And yes, it seems simple, but only 22% of WordPress sites use the latest version! Between us, who has never been lazy not to update their site? If you want to have a clean and virus-free website, it’s a must!

WordPress incorporated auto-update in version 3.7, however, it only works for small security updates. So, major updates must be done manually to secure WordPress!

2. Use Less Common Login Information

Are you using  admin  as your WordPress admin username? If your answer is yes, know that it will be easier to hack you. So now change the username!  You can also create a new Administrator account with a different username and delete the old one. If you prefer this method, follow these simple steps:

1. Access the WordPress Dashboard
2. Go to the Users section and tap  Add .

1. Create a new user and assign them an Administrator role.

1. Re-login to WordPress with your new username.
2. Return to the Users section and delete the Admin user.

A good password is the key to effectively securing WordPress. It is much more difficult to force a password that consists of numbers, upper and lower case letters, and special characters. Tools like  LastPass  and  1Password  can help you create and, above all, manage complex passwords!

3. Enabling two-step authentication

Two-step verification allows you to keep WordPress as secure as possible. As the name suggests, it adds another step that you will need to complete to log in. It is very likely that you already use it to access your emails, your bank or any other account containing sensitive information. So why not use it on WordPress?

Although it may seem complicated, today there are simple solutions to use this two-step verification. All you need to do is install a 2-step authentication app (on your phone for example) and set up WordPress. You will find a detailed guide on enabling WordPress two-step authentication here -in English-.

4. Disabling PHP Error Reporting

PHP error reporting can be useful if you’re a web developer and want to make sure everything is working correctly. However, showing errors publicly is a major security breach!

You need to fix this ASAP! Rest assured, you don’t need to be a coder to disable PHP error reporting for WordPress! Many hosting providers will offer you the option to disable error reporting in the control panel. If it doesn’t offer this, simply add the following lines to your wp-config.php file. You can use your FTP client or File Manager to edit  wp-config.php .

error_reporting(0);
@ini_set('display_errors', 0);

That’s all ! Error reporting is now disabled

5. Don’t use cracked WordPress plugins

“If it’s free, you are the product” The same goes for a majority of pirated software! If you want to secure WordPress and use it especially for professional purposes, use what you pay for!

There are thousands of pirate plugins and themes on the Internet. Users can download them for free from various Warez or torrent sites. Unfortunately, most of them are infected with malicious links or blackhat SEO.

If you want a healthy site, stop downloading cracked plugins because you will end up paying more for a seasoned developer to clean up your website!

6. Scan WordPress with anti-virus

Hackers often use vulnerabilities in themes or plugins to infect WordPress with malware. Therefore, it is crucial to scan your blog frequently to secure WordPress! There are many extremely well-coded plugins for this use! WordFence  is the plugin that stands out. It is easy to use and complete! It offers manual and automatic scanning options as well as many different settings. You can even restore modified/infected files in just a few clicks. And on top of that, it’s free and open source. So, hurry up and install this plugin!

Other popular WordPress security plugins:

• BulletProof Security  – unlike WordFence, which we described earlier, BulletProof will not scan your files, but it will mainly provide you with a firewall and additional database security. The good thing about this plugin is that it will be configured and installed in just a few clicks!
• Sucuri Security  – this plugin will protect you from DDoS attacks, it will keep a blacklist, scan your website and control your firewall. If it detects something, it will notify you by email. Google, Norton, McAfee – all these engines are included in this plugin to give you maximum security.

7. Migrate your WordPress site to more secure hosting

This may seem like strange advice, but statistics show that over 40% of WordPress sites have been hacked due to security vulnerabilities in the hosting accounts themselves! This is also very important advice if you want to secure WordPress! This statistic should make you reconsider your current hosting choice and migrate your WordPress site to more secure hosting. There are a few key facts to consider when looking for new accommodation:

• If it is shared hosting, make sure that your account is isolated from other users and that there is no risk of just one of the websites infecting all the others on the server.
• It should make automatic backups.
• It must have a server side firewall and antivirus.

8. Back up as often as possible

Even the biggest websites are hacked every day despite their owners spending thousands to secure WordPress.

Even if you have good habits and complete the other tips in this article, it is still crucial to back up your site regularly.

There are several ways to create a backup. For example, you can manually upload WordPress files and export the database or use your host’s backup tool. But you can also use backup plugins. The most popular WordPress backup plugins are:

• VaultPress
• BackUpWordPress
• BackupGuard

You can even automate the backup process and store your WordPress backups in Dropbox.

9. Disabling File Editing

As you may know, WordPress has a built-in file editor that allows editing PHP files. Although this feature is very useful for developers, it can also be fatal! If the attacker gains access to your admin board, the first thing he will look for is this same editor. It will trash all your files and it will be the end of your site. Some people (like us) disable this feature completely to secure WordPress. It can be  disabled  by editing the  wp-config.php file  and including the following line of code:

define( 'DISALLOW_FILE_EDIT', true )

Yes, as you see, with just a few lines of code, we can better secure WordPress!

IMPORTANT If you want to re-enable this functionality, use your FTP client or your host’s file manager and remove this same code from the wp-config.php file.

10. Remove unused themes and plugins

To have better security on WordPress, clean up your WordPress site and remove all unused plugins and themes. Hackers often look for disabled and outdated themes and plugins (even official ones!) and use them to access your dashboard or send malicious files to your server. By removing plugins and themes that you have stopped using (and may have forgotten to update), you will reduce the risk of WordPress hacking.

11. Use htaccess to its full potential

The .htaccess file is necessary for WordPress links to work correctly. Without correct rules in that same .htaccess file, you would get a lot of 404 errors. This may seem complicated, I admit. But rest assured, everything has been done for you!

Few users know that .htaccess can be used to secure WordPress. For example, with .htaccess you can block PHP access to specific folders. The examples below show how to use .htaccess to secure WordPress

IMPORTANT Before making any changes, it is strongly recommended to backup the .htaccess file and keep a copy of it, just in case. You can use your FTP client or File Manager for this.
Prohibit access to the WordPress Administrator area

The code below will allow access to the administration area to certain IP addresses only (yours?).

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx
</LIMIT>

You need to edit XX.XX.XX.XXX and replace it with your IP address. You can use  this website  to find out your current IP. If you use more than one connection to manage your WordPress site, be sure to include any other IPs you use (feel free to add as many lines as you like). However, do not use this code if you have a dynamic IP address.

Disabling PHP execution in certain folders

Hackers like to upload backdoor scripts to the WordPress download folder. By default, this folder is used to download media files only. So it should not contain PHP files. You can easily disable PHP execution by creating a new .htaccess file in  /wp-content/uploads/  with these rules:

<files *.php>
deny from all
</files>

Protect the wp-config.php file

The wp-config.php file contains basic WordPress settings and MySQL database details. So it is the most important WordPress file. This is why it is the main target of all WordPress hackers. However, you can easily protect this file using .htaccess rules:

<wp-config.php files>
order allow,deny
deny from all
</files>

With these few lines you have just significantly improved the security of WordPress!

12. Change the Default WordPress Database Prefix to Avoid SQL Injections

The SQL database contains and stores all the information your site needs to function. As a result, it becomes a prime target for hackers and spammers who then execute automated code and perform SQL injections. When installing WordPress, most people don’t bother to change the default database prefix which is  wp_  . According to  WordFence  , 1 in 5 WordPress hacking cases are due to SQL injections. Since  wp_  is the   default  setting , attackers will choose  to target this value first. In this step, we will briefly explain how you can secure WordPress against such attacks.

Changing the table prefix for an existing WordPress site

IMPORTANT! Since we’re talking about WordPress security, make sure to back up your MySQL database before continuing.

Part 1 – Changing prefix using wp-config.php

Using your FTP client or File Manager – in English – open your  wp-config.php  and look for the $table_prefix value.

You can add numbers, letters or hyphens. Save your changes and move on to the next step. In this tutorial, we will use wp_1securite2_ as our new table prefix.

In your  wp-config.php file  , also look for your database name, so you know which database you need to modify. define(‘DB_NAME’

Part 2 – Updating all database tables

Now you will need to update all entries in your database to secure WordPress. To do this we will use phpMyAdmin!

Navigate this to the database you searched for in Part 1.

A typical WordPress installation has 12 tables. Each must be updated. Please note that you can do this quickly in the  SQL section  of phpMyadmin.

We will use SQL queries to speed up the process. Indeed, you like me don’t want to spend hours updating the tables manually! Use the following syntax to update all tables in your database.

RENAME table `wp_commentmeta` TO `wp_1securite2_commentmeta`;
RENAME table `wp_comments` TO `wp_1securite2_comments`;
RENAME table `wp_links` TO `wp_1securite2_links`;
RENAME table `wp_options` TO `wp_1securite2_options`;
RENAME table `wp_postmeta` TO `wp_1securite2_postmeta`;
RENAME table `wp_posts` TO `wp_1securite2_posts`;
RENAME table `wp_terms` TO `wp_1securite2_terms`;
RENAME table `wp_termmeta` TO `wp_1securite2_termmeta`;
RENAME table `wp_term_relationships` TO `wp_1securite2_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_1securite2_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_1securite2_usermeta`;
RENAME table `wp_users` TO `wp_1securite2_users`;

Some WordPress themes or plugins may create additional tables in the database. In case you have more than 12 tables in your MySQL database, add the rest to the SQL queries manually and run them.

For example :

RENAME table `wp_tabledevotreplugin` TO `wp_1securite2_tabledevotreplugin`;

Where you will replace table of your plugin with… the table created by it!

Part 3 – Verification options and usermeta tables

Depending on the number and type of plugins installed, some values ​​in your database will need to be updated manually. To do this you will need to  execute  SQL queries  to look for these values ​​in the wp_1securite2_ options  table  and the wp_1securite2_ usermeta table  .

For the options table   , you will need to run:

SELECT * FROM `wp_1securite2_options` WHERE `option_name` LIKE '%wp_%';

For the  usermeta table  , you will need to run:

SELECT * FROM `wp_1securite2_usermeta` WHERE `meta_key` LIKE '%wp_%'

When you have obtained the results of the SQL query, you simply need to update all the values ​​from  wp_  to  wp_1securite2_  (in our example) and you will be done. In the  usermeta table  you will need to modify the  meta_key value  , while in  options the option_name  value   will need to be modified.

Changing the table prefix for a new WordPress site

If you plan to install new sites under WordPress, there will be no need to carry out this tedious process. You can simply change your table prefix to secure WordPress during installation:

Congratulations ! You have successfully increased WordPress database security!