Top 15 Ways to Increase WordPress Security

WordPress Security is the most important issue for WordPress webmasters. Each week, Google releases a list of about 20,000 malware-infected websites and about 50,000 phishing websites.

If you care about the security of your website, you need to know the latest WordPress security techniques.

At Cyber, we aim to share the best ways to increase WordPress security to protect your website from hackers and malware attacks.

WordPress has a team of hundreds of developers who are constantly updating and developing WordPress. That is why the WordPress core has stable security.

WordPress security is not just about managing risk but about reducing it, and as a webmaster you should apply these 15 important ways to secure WordPress.

Why is WordPress Security Important?

When a site is hacked, it can seriously damage your reputation. Hackers can steal user information and passwords and install malware on the site to spread it among your users; a prominent example is the spread of ransomware.

Worst of all, a hacker may demand that you pay to regain access to your site.

So if your website is your business, you need to pay even more attention to your WordPress security.

1. Keep WordPress up to date

WordPress is constantly updating and fixing security bugs, and you need to pay close attention to updating WordPress plugins and templates in addition to WordPress updates. These updates are essential to the security and stability of the site.

For WordPress security, you need to download WordPress plugins and templates from reputable sources. Many external websites release plugins and templates for free, and some of their administrators add malicious code snippets to what they release, so they can hack your site once you install it.

2. Use strong passwords and pay attention to user permissions

The most common way to hack WordPress is to get a WordPress admin password. Make it difficult for hackers by choosing a strong and complex password, and not just for WordPress management, but also for your FTP accounts, databases, WordPress hosting accounts, and email accounts.

So log in to this site, create strong, random passwords, and use them.

You don’t have to remember your password at all; pick a strong one and keep it out of the reach of others.

Another way to reduce the risk of site hacking is to be careful about choosing WordPress user roles and not giving excessive access to regular users.

3. The Role of WordPress Web Hosting

Your WordPress Hosting Service plays an important role in the security of your WordPress site.

If you use shared hosting, the server shares its resources with many other clients.

This increases the risk of your site being hacked: a hacker can break into one of the vulnerable sites on the server and then easily attack your site and the other sites on the server. So be careful in choosing your server.

4. Install WordPress Backup Plugin

Backing up your site is your first defense against hacker attacks. Remember, nothing is 100% safe. When government websites can be hacked, then it is not difficult to hack your site.

There are many backup plugins for WordPress.

The recommended plugins are BackupBuddy and Duplicator. The ideal backup schedule is two days a week for the database and once a week for the entire site.

A backup lets you quickly recover your WordPress site if something unpleasant happens.

So you should back up your site regularly and store the backups somewhere outside your host, such as Dropbox or other cloud storage. The plugins mentioned above do this easily.

5. Install the best WordPress security plugin

A good WordPress security plugin should include a web application firewall (WAF), full file integrity monitoring, monitoring of unsuccessful login attempts, malware scanning, changing the database table prefix, changing the admin username, email alerts to the administrator, and more.

The easiest way to protect a website and ensure WordPress security is to use a web application firewall (WAF). The firewall blocks malicious traffic before it reaches your site.

After thoroughly reviewing and comparing the best WordPress security plugins against cyberattacks and everything that a site should have for its security, Cyber recommends the Shield Security for WordPress plugin.

You can also use a CDN, which can speed up site loading, save site bandwidth, and filter out malicious traffic. Cloudflare is the best free CDN.

6. Change the default “admin” username

Many WordPress sites use the default “admin” username, which gives hackers an easy way in, because they then only need to get the password.

There are three ways to change the default username in your WordPress admin panel.

Use usernames

Update the username via phpMyAdmin
Create a new administrator username and delete the old one.

7. Hide the admin username

The first author of the site is its administrator, so adding ?author=1 after your site link easily displays the site admin username.

The best way to prevent a site admin username from appearing is to redirect the site author’s page to the site homepage.

To do this, open the .htaccess file in your public_html folder for editing, paste the following code at the end of this file, and save it. The rule below answers any request whose query string contains author= followed by a number with 403 Forbidden instead of a redirect.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

8. Disable editing plugin files and WordPress templates

WordPress comes with a built-in code editor that lets you edit your template and plugin files from your WordPress admin section.

This feature can be a big security risk, because the PHP code of your templates and plugins can be edited through the panel.

An intruder who has logged in to the site's admin panel can create a backdoor simply by adding malicious code through this editor.

To disable the editor, open the WordPress wp-config.php file and add the following code.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

9. Disable PHP file execution

Disable PHP execution in directories where it is not needed, such as /wp-content/uploads/.

Save the following code in a file called .htaccess and upload it to the uploads folder.

# Refuse direct requests for PHP files in this directory
<Files *.php>
deny from all
</Files>

10. Limit the number of login attempts

By default, WordPress allows users to try passwords without restriction.

This makes your WordPress site vulnerable, because hackers can try many different passwords in repeated attempts, which is a brute-force attack.

There are three ways to prevent these attacks.

Limit the number of times you are allowed to enter a password
Two-step entry
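
One way to implement the first option above without a plugin, as an added example that is not part of the original article: it counts failed logins per client IP in WordPress transients and refuses further attempts once the limit is reached. The limit of 5 attempts, the 15-minute lockout and the cyberex_ names are assumptions chosen for illustration.

```php
// Added example, not from the original article. Place in the theme's
// functions.php or a small plugin. The limits and the cyberex_* names are
// assumptions chosen for illustration.
const CYBEREX_MAX_ATTEMPTS = 5;   // failed logins allowed per client
const CYBEREX_LOCK_SECONDS = 900; // lockout length: 15 minutes

// One counter per client IP. Behind a CDN or reverse proxy REMOTE_ADDR is
// the proxy's address, so the real client address must be restored first.
function cyberex_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'cyberex_fail_' . md5( $ip );
}

// Count each failed login, whether it came from wp-login.php or XML-RPC.
// Counting stops at the limit so the lockout expires CYBEREX_LOCK_SECONDS
// after the last counted failure instead of being extended forever.
add_action( 'wp_login_failed', function () {
    $key   = cyberex_attempt_key();
    $count = (int) get_transient( $key );
    if ( $count < CYBEREX_MAX_ATTEMPTS ) {
        set_transient( $key, $count + 1, CYBEREX_LOCK_SECONDS );
    }
} );

// Priority 30 runs after core's password check (priority 20), so a locked-out
// client is refused even when it finally submits the correct password.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( cyberex_attempt_key() ) >= CYBEREX_MAX_ATTEMPTS ) {
        return new WP_Error(
            'cyberex_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( cyberex_attempt_key() );
} );
```

The lockout message is the same whether or not the username exists, so it does not reveal which part of the credentials was wrong.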

11. Delete the error message on the WordPress login page

When you enter an incorrect username or password on the login page, a message will appear (incorrect xxx username or invalid ID).

From the message displayed, a hacker can tell which part was entered correctly, which guides the attack.

To delete the message, add the following code to the functions.php file of your WordPress theme.

// Remove error message on login screen
// (create_function() no longer exists in PHP 8; __return_null is a WordPress helper)
add_filter( 'login_errors', '__return_null' );

12. Change the prefix of the WordPress database tables

By default, WordPress uses wp_ as the prefix for all tables in the WordPress database.

If your WordPress site uses the default prefix, hackers can easily guess it.

For this reason, we recommend that you change the table prefix using the db prefix change plugin for WordPress security.

13. Protect the wp-admin folder

Typically, hackers can visit the site administration login page and launch brute-force or DDoS attacks.

Put a password on the wp-admin folder through your host's cPanel, or do it manually, to prevent these attacks.

14. Prevent indexing of directories

The biggest security risk to the site is directory browsing being enabled by default.

An intruder can then access the files on your host by browsing the site's directories.

To prevent directory browsing, paste the following code into a .htaccess file.

Options -Indexes

15. Disable XML-RPC in WordPress

XML-RPC is enabled by default as of WordPress 3.5 and helps you connect to and manage your WordPress site from mobile and web applications.

The problem is that with XML-RPC enabled, a hacker can use the system.multicall function to test thousands of passwords by sending 20 requests and, worse, perform DDoS attacks.

That’s why if you don’t use XML-RPC, we recommend disabling it.

Add the following PHP code to your template's functions.php file.

add_filter( 'xmlrpc_enabled', '__return_false' );

What to do when WordPress is hacked?

Many WordPress users do not understand the importance of website backup and security until their website is hacked.

Cleaning a hacked WordPress site can be very difficult and time-consuming. By making sure B can take action to remove any vulnerabilities and hacking your site and also protect your site from future attacks.
