10 Ways to Secure & Hardening Your WordPress Sites

To begin with, I would like to give you a figure which would highlight the reason I’m writing this thread, “10 Ways to Secure Your WordPress Website” and the reason for your presence here, and please, don’t be shocked!

In case you didn’t know, in 2013, 73% of the popular WordPress-based sites were regarded as “vulnerable”. By “vulnerable”, it means that your WordPress sites are likely to be attacked by hackers, stolen information from, or just simply hacked for fun!

Now, are you thinking about the security system protecting your beloved WordPress websites yet? I suggest you should because the hackers can get there anytime.

Take my case, for example, I once got hacked by a humorous hacker, who did nothing to my website but pointing out how “vulnerable” it was.

I’ve asked my friends and colleagues who had the same problems for suggestions, and here I am, having a collection of tips to protect WordPress website, and they have all proved to be really efficient.

Protecting your WordPress sites from threats is no hard task as long as you put your mind to it. Down here, I will cover 10 ways of doing it, ranging from the easiest steps to the more complex, respectively:

  • Set Complicated Passwords
  • Do Not Set “Admin” as Your User Name
  • Keep Up with WordPress Updates
  • Back Up Your Site
  • Reduce Plugin Use
  • WordPress Keys in wp-config.php
  • Blocking Search Engine Spiders from Indexing the Admin Section
  • Terminate PHP Error Reporting
  • Protect WordPress Admin Files
  • Protect Files with .htaccess

Now, let’s go!

Set Complicated Passwords

Secure & Hardening Your WordPress Sites

Don’t ever underestimate the importance of your passwords! They act as the gate and the first thing any hacker comes to if they want to hack your site.

Most attacks are based on dictionary, which can be simply understood that if you use simple letters to make up your password, it will likely be figured out by using elimination. Therefore, at least, your password should consist of 8-10 characters and remember not letters only, but a complicated combination of numbers, letters, and special characters (for example: ^, #, %.*). Setting complicated passwords can put attackers in a much more difficult situation, hence, protecting your website more effectively.

Moreover, remind yourself to change the passwords often to prevent any leak of previous passwords. The new passwords should also be a chain of random letters, numbers and special characters.

Do Not Set “admin” as Your User Name

Secure & Hardening Your WordPress Sites

Everyone knows that the default WordPress login is “admin”, and so do hackers! Thus, it’s advisable you change this into something else only you know and no one else can guess when you first set up your website. You could do this by deleting the default admin and create a new custom login. Needless to say, this is a nice security method to help protect your website from the global WordPress wp-login.php brute force attack.

Keep Up with WordPress Updates

Secure & Hardening Your WordPress Sites

Keeping up with WordPress updates is no trivial thing! In fact, it plays an important role in securing your website.

Whenever you see “Update available” banner on your dashboard, do not hesitate to click it and update your site, and do it regularly. It is common knowledge that if you aren’t using the latest version of WordPress, then it seems like you will encounter plentiful vulnerabilities – bugs that can be utilized by hackers to get access to your database.

WordPress’s new software update is always excelled at fixing security vulnerabilities, so it’s wise to keep your WordPress updated. In addition, the same thing should be done with any plugin, theme or widget already installed on your website, as each plugin plays the part of a backdoor into your site’s admin.

One more tip you should bear in mind is only to download plugins and themes from well-known sources, such as WordPress.org, Themeforest or a well-respected developer’s website.

Back Up Your Site

Secure & Hardening Your WordPress Sites

Backing up your website is an essential step that shouldn’t be missed.

You can back up the entire database manually or by using available plugins. This is the first step and the most vital one. What’s more, remember to schedule backups regularly so that your website can be easily restored to the previous version in the event of unexpected damage. There are many plugins to recommend, I personally believe Backup Buddy is a good choice as it exports the whole database with images, files and everything else you have. Other recommendations include VaultPress, BlogVault, or WordPress Backup.

Reduce Plugin Use

Secure & Hardening Your WordPress Sites

This measure includes two essential points that should be followed strictly in order to maintain a healthy website, which are:

  1. Be critical when selecting plugins to install and limit the total number;
  2. Delete plugins and themes that are not used anymore.

The truth here is this method does not just help guarantee your website’s security, it’s also to ensure the website’s loading speed and performance. The loading time of a site can be affected badly if it contains too many plugins, especially the unnecessary ones. Therefore, make up your mind and get rid of those you believe your website can function well enough without. Remember one golden rule: The fewer plugins you install, the fewer opportunities granted to hackers to approach your information.

WordPress Keys in wp-config.php

If considering your WordPress as a plate of food, WordPress keys will act as seasoning, which means it guarantee better encryption of user data. To be honest, I don’t have much knowledge about these keys but I can ensure you that it is another vital security measure. You may use the WordPress Key Generator to generate these keys.

After the keys are generated, open up your wp-config.php and look for the lines similar to those below and substitute them with the generated ones:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

Don’t forget to click ‘save’. Tada! Mission completed!

Blocking Search Engine Spiders from Indexing the Admin Section

Secure & Hardening Your WordPress Sites

It’s a matter of fact that search engine spiders will crawl the entire blog and index every possible content along the way if there’s nothing holding them back. However, as an admin of a website, we all understand that there’s information in the admin section which we do not want to be indexed. What to do then?

The easiest and fastest way to prohibit the spiders from indexing information placed in the admin directory is to create a robots.txt file in the root directory. After that, simply place the following code in the file you’ve created:

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

And done!

8. Terminate PHP Error Reporting

You might have known that if a plugin or theme malfunctions, it may generate an error message. Needless to say, an error message is really helpful to detect and troubleshoot the problem, but have you ever thought about the fact that these error messages do include your server path? Chances are that many hackers would think of this way to gain access to your website.

Therefore, the idea here is to disable PHP Error Reporting so as to shut the door at hackers’ face!

Add this code snippet to wp-config.php, and the problem is solved:

@ini_set(‘display_errors’, 0);

9. Protect WordPress Admin Files

The right to gain access to Wp-admin should only be granted to you and your editors in case you have any. In order to limit access and allow only intended IP addresses to approach this directory, you could use .htaccess.

However, there are two cases emerging here.

  • If your IP address is static and you always access your blogs from the same computer, then .htaccess is the best choice.
  • If you have more than one bloggers working for your blog, then you can choose between this or allowing access from a range of IPs. To get full instruction on setting this up, you can go to Apache’s documentation on mod_access for help.

To block browser access to any file, simply copy and paste the code below to the .htaccess in wp-admin folder (not root folder)

# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx # This is your static IP
deny from all

10. Protect Files with .htaccess

You may have figured out why I put this as the last measure to talk about. Yes, because it is the most complicated!

For those who have yet to know what .htaccess file is, well, .htaccess (hypertext access) is the default name of directory-level configuration files which allow for decentralized management of configuration when put inside the web tree. .htaccess file is more important than you might think. It has a huge influence on the entire security system of your website and on how your website structures permalink.

For beginners, you’d better conceal your wp-config.php because it contains your personal information and especially many details that can wreck your security. Here’s how to hide it: add this code to .htaccess:

<files wp-config.php>
order allow,deny
deny from all

Another way is to limit admin access by following these steps:

  • Build a new .htaccess file and upload it to the wp-admindirectory.
  • Insert the following code:
order deny,allow
allow from
deny from all
  • Insert your IP address in the appropriate place. If you intend to allow access from multiple IP addresses, just list each of them out on a new line.

In order to limit access to wp-login.php, the steps are alike.  Just add the following code into .htaccess and everything’s done:

order deny,allow
Deny from all
# allow access from my IP address
allow from

In case you just want to block some specific IP addresses, use this code:

order allow,deny
deny from 456.123.8.9
allow from all

Furthermore, if you simply want to prohibit someone from viewing your site’s directories, just make them non-browsable by utilizing this code:

Options All -Indexes

Asides from these tricks, there are loads of others to modify .htaccess with the aim of enhancing your site’s security. But I personally think these are the most basic and also the easiest to carry out.

So, these are all I’ve got to offer. Last words, be alert with threats, and have fun with your beloved websites!