27 Ways to Improve Your WordPress Website Security

As a business owner, you quickly come to realize the value of security, especially as it relates to your office, retail stores, or any other business facilities. Yet all too often, business owners seem to forget that it’s equally important to secure their website and internet presence with the same amount of vigilance they apply to their physical security.

A staggering 40% of the web has been built using a content management system called WordPress, and if you’re a small business owner, there’s a good chance you’re using WordPress too. WordPress is the most popular content management system in the world, it’s a fantastic tool to grow your business on, and it can be a very secure platform in the right environment. The problem we see is that many people who own a WordPress website do not understand how to secure it properly.

And with WordPress, a little bit of security know-how goes a long way. In a bid to help you stay on top of your game when it comes to the digital realm, we’ve shared our best website security techniques, from quick security tricks you can implement today to some that will require a bit more planning.

27 Ways to Improve Your WordPress Website Security

1. Select a Trustworthy and Secure Web Hosting Company

Not all hosts are created equal, and in today’s world, picking the wrong host can lead to data breaches. Your website can only be as secure as the hosting it resides on. We can help you pick the best hosting for your business.

2. Set up a Firewall or a Web Application Firewall to Protect Your WordPress Website

Just like a computer, your website can benefit from the security of a firewall. Firewalls can keep bad actors off your website, preventing them from trying to breach your website’s admin panels, customer databases, or other sensitive information. For this, you can use a security plugin or a third-party service, like Cloudflare’s Web Application Firewall.

3. Restrict Access to Sensitive Files

Any website running a content management or e-commerce system likely has files containing sensitive information like logins or access to your site database. Keeping access to these files as limited as possible is highly recommended.

For WordPress websites, securing your WP-config file with permissions set to 400 is ideal but may break some sites. If this breaks your website, you can set your WP-config file permission to 644.

4. Move Your WP-config.php File 

WordPress powers millions of websites. Over 35% of the Internet runs on WordPress, and by default, the wp-config.php file for every one of these websites is in the website’s main (root) directory. This makes it easy for hackers to find and attempt to target/access your wp-config.php file. You can move this file to a sub-directory, making it harder for hackers to locate and manipulate your wp-config.php file.

5. Keep Your Server PHP Version Up to Date

Keeping your PHP version up to date is an important step to safeguarding your website from attacks, and it can also positively impact your website loading times. PHP doesn’t update as often as WordPress plugins do, but that doesn’t mean you should ignore it. Most modern-day web hosting providers make it easy to upgrade or downgrade your PHP version.

If upgrading your PHP version happens to crash your website, you can downgrade your PHP version, and everything should return to normal.

6. Don’t Allow Easy-to-Guess Admin Usernames

Don’t use easy-to-guess usernames for accounts with elevated privilege or access to sensitive information on your website. Usernames to avoid include, but are not limited to, admin, administrator, webadmin, webmaster, websitemanager, or anything similar.

7. Enable 2FA for All Privileged Users

2FA, or two-factor authentication, is a way to safeguard your login. You may have already set up a 2FA login for accounts on other websites, like your social media profiles, banks or retirement accounts, etc. WordPress makes it easy for you to add this extra layer of security, just in case your username and password get compromised.

8. Make Your WordPress Admin Login URL Unique

Changing the default page for logging into your site admin area is another way to mitigate certain types of attacks, as it will make it harder for the attacker to find your WP admin login screen.

9. Use Reputable WordPress Plugins from Official Sources

It can be tempting to find nulled or cracked WordPress plugins to save a few bucks, but this not only hurts developers (you’re stealing from them) but can also be a back door for attackers. Poorly developed plugins can also be a threat to your WordPress website if they don’t follow best practices for coding WordPress plugins.

Only use the best WordPress plugins for your websites created by highly rated developers.

10. Keep Your WordPress Software Up to Date

One of the main ways WordPress websites get hacked is due to an out-of-date WordPress plugin with a security flaw. Keeping your WordPress plugins and themes up to date is a must. It’s surprisingly easy to manage WordPress websites if your site is built professionally.

11. Use an SSL Certificate and Force HTTPS Protocol

Having an SSL certificate for your website is a must. There was a time when it was acceptable for your website to only include an SSL connection (HTTPS://) on sites that process sensitive data, but that has changed.

Google and other search engines have decided to favor websites using secure (HTTPS://) protocols. SSL certificates protect data being sent from the client (the website visitor’s browser, such as Firefox, Chrome, or Safari) and the web server (your website and web hosting server). Data sent over HTTPS connections will be encrypted end to end, keeping the message contents private. If your website is a web store like Shopify or Woocommerce, then an SSL is absolutely necessary to keep your customer’s data safe.

12. Scan Your Website for Malware and Malicious Code

Scanning your website directories for malware regularly is important to keeping your website secure. Even if your website is basic, that doesn’t mean you are safe from malware. Your web server can still house malware if a hacker is able to breach your site and upload malicious code to the server.

Using a WordPress plugin like Wordfence to scan your website for malware or suspicious file edits will let you automate the process and receive notifications when security issues are found. Professional malware scanning services will keep a close eye on your website security, scan your web pages regularly, and look for malicious code or threats. Cloudflare or Sucuri are great options for website malware scanning services.

13. Limit Failed Login Attempts

Bruteforce attacks occur when a hacker or group of hackers try guessing your username and password using rapid, automated login attempts. You can make bruteforce attacks difficult by blocking an IP address if it fails to log in too many times or if it requests too many password resets.

14. Require Strong Passwords for Users

For years we’ve been told to use strong passwords. And for years, people have continued to ignore one of the easiest ways to increase security while online. USE A STRONG PASSWORD and a unique password for every website.

15. Use a Password Manager for Saving and Sharing Passwords

It’s not going to be easy to remember your strong passwords for every website you visit, so a password manager is absolutely essential. We won’t go into the details of what a password manager is, but in short, it’ll let you access all of your passwords once you’ve entered a master password. This is a far better way to store and share passwords.

Using a password manager is just as easy as using a Google Spreadsheet or a card on Trello but far more secure.

16. Automate Recurring Website Backups 

A backup of your website is one of the most important parts of good website security practice. Should something happen to your website, from malicious intent or simply by accident, a website backup can save the day. Great web hosting companies take daily backups of your website and provide easy access to restoring site backups.

You can also add an automated, offsite backup for your WordPress website using a plugin like UpdraftPlus.

17. Hire a Trustworthy WordPress/Woocommerce Security Expert

If your website plays a major role in your business’s growth or revenue, it is best to leave website security to professionals. If you run a Woocommerce web store, an experienced e-commerce designer will provide not only a better shopping experience for your customers but also a more secure checkout and payment gateway.

It’s important to protect your web stores’ checkout from hackers or people attempting to commit credit card fraud through your website. Yes, it most absolutely happens, even to tiny Woocommerce web stores. This is why you must employ anti-bot and anti-fraud monitoring tools on your checkout page if your website handles credit card transactions.

18. Update Security Keys, WordPress Salt, and API Keys

If you feel your site may have been breached, clearing any API keys or salt/hash keys will allow you to harden your security if someone was able to access your server data. You may need to reconnect third-party services or applications afterward, but the inconvenience is worth the added security benefit it brings.

19. Do Not Store Customer Credit Card Information on Your Server

Reducing risk and liability from data breaches should always be at the forefront of your cybersecurity planning. A simple way to reduce your risk if you are attacked is to avoid housing sensitive customer data that you don’t really need.

Don’t store your customer’s credit card information on your web server.

You can still store your customer’s name, email address, phone number, mailing address, and billing address in your database, but avoid saving any credit card information.

This way, a repeat customer doesn’t have to re-enter all their personal information, just their credit card information. Many online shoppers have their credit cards saved in their browsers or security tools like password managers, making it easy for them to check out.

Using companies like Stripe and PayPal is more effective, more trustworthy, and helps the store owner avoid any responsibility if there is a breach. 

20. Configure WordPress User Roles for Limiting Access

WordPress makes it easy for you to set user roles based on necessary access. Whenever you hire somebody to work on your website, ensure you understand what type of access they need.

If you’re hiring somebody to develop a new area of your side, and they need to install plugins, they probably need to be an administrator. However, if you’re hiring somebody to write blog posts, help you manage the shop, or set up your SEO plugin settings, you should not create an administrator account for them. You can create an author account, an SEO manager account, or a shop manager account based on the necessary access.

In addition to limiting access to newly created accounts, it’s important to audit old accounts. Every few months, take a look at every user with elevated access and verify whether this still applies to your business. If you hire somebody who wants to do a job, you should restrict their access back to a standard subscriber or customer once the job is done.

You can always upgrade them if you hire them again in the future. Don’t leave the door unlocked for contractors you are not actively working with.

21. Monitor Your Website Response Time and for Unexpected Downtime

Website response time and downtime monitoring can help you catch problems before they occur.

When somebody is trying to gain access to your admin area, they might bruteforce attack your login pages. This generally makes your website slow; sometimes, you can even knock your website offline briefly. If you see this happening on a recurring basis, you should contact your web host for more assistance.

22. Log User Activity

Web servers do a great job at logging activity on them, but they’re not accessible to most people. If you use a WordPress website and work with a team, including an activity monitor plugin can help you understand which users are performing which actions in WordPress. You can see who’s been editing which pages, who’s been publishing content, and at what time somebody might have logged in and deleted something. You get the idea.

User activity logs can help you understand what happened before an issue occurred, what steps led up to your website breaking, or even what wasn’t done, resulting in your website breaking.

23. Restrict FTP / SFTP / SSH Account Directory Access

Anytime you create an FTP account for your web server, it’s important to make sure you’ve limited that account’s access to the necessary directory or directories. 

24. Enable Geoblocking for Your WordPress Admin Dashboard

If you only access your website admin from your office or a few locations, geoblocking can add another layer of security to your website. Geoblocking your admin login page, for example, will make it so anyone who’s not from your region will be redirected away from the login page if they try to visit it. 

25. Restrict WordPress Admin Dashboard Access During Out-of-Office Hours

Restricting access to your website’s login panels while you’re asleep makes it nearly impossible for attackers to breach your WP admin dashboard. There are plugins that make it so you can lock out the login page between certain hours; just be careful because it will lock you out during those hours too.

26. Prevent Theme or Plugin File Editing in the WordPress Admin Dashboard

You can use security tools to adjust file permissions, disallowing the editing of plugin or theme files from within the WordPress dashboard. This makes it harder for an automated or novice attacker to infect your files, but a persistent hacker will be successful. This is just one of many security steps we use when securing WordPress. By itself, it’s not that great, but combined with everything else on this list, it enhances your web security.

27. Prevent Snooping Eyes from Scanning Directories on Your Web Server

Adding a blank index.html file to every directory on your web server can make it difficult for hackers or scrapers to scan your folders for files. This can make it a little harder to attack your website, more difficult to copy your website, and more difficult to steal pictures or sensitive files from folders on your server.

If you use WordPress, most of this is done for you, and a good WordPress security plugin will handle the rest.

Top WordPress Hosts for Security 

We can debate forever on which WordPress web hosts are the best for security, but hosting is just one of many parts of a strong security plan. Here are five different WordPress website hosts, listed in no particular order, that will provide an excellent base for keeping your website protected.

  1. WP Engine
  2. WordPress.com
  3. SiteGround
  4. Kinsta
  5. Green Geeks

Top WordPress Security Plugins 

There are several top WordPress security plugins available on the market today, some free, some paid. Our recommended WordPress plugins are Wordfence and All In One Security.

Both plugins can protect your website from automated attacks, make it harder for persistent hackers to be successful, and they can scan your website for malware or suspicious files.

Wordfence offers a $99/yr. premium service that extends its website protection services even further.

All In One Security offers a visual pie chart of “how secure your website is” on a 515-point scale. Activating different security settings on the plugin will improve your security score between 5 and 20 points.

  1. Wordfence Security – used on over 4,000,000 websites
  2. All In One Security – used on over 1,000,000 websites

5-Step WordPress Security Plan for Beginners

Now that we’ve explained how to secure your website, it’s time to put that knowledge to the test. There are many quick and easy ways to drastically improve your website security without needing to be overly technical.

  1. Audit who has access to your WordPress admin dashboard. You can do this by logging into WordPress and visiting the user list. This will let you see all user accounts and their access level. Remove or downgrade any accounts that aren’t actively admins for your website.
  2. Make sure all administrators have strong passwords.
  3. Install UpdraftPlus and set up the automatic backup tool on a daily, weekly, or monthly basis, whichever makes the most sense for your needs. 
  4. Have someone manage your WordPress website plugins and updates. There are professional WordPress management services to keep your site up to date, but with an hour or two each month, you can do this yourself for the most part.
  5. Install Wordfence or All In One Security and run through the options, enabling security settings. This might be a little more complicated than some people might feel comfortable doing, but there are many great YouTube videos that can show you how to configure your WordPress security plugin of choice.

Don’t Let Your Guard Down: No Website Is Truly 100% Secure

Even by completing the steps above, your website could still be the target of an attack, but it will be much harder for the attacker to succeed. The goal of today’s post was to share with you just how easy WordPress security can be if taken seriously and if you put a little bit of effort into it.

The tips we’ve shared above will make your website more secure than most WordPress websites on the internet and, therefore, less of a target of automated attacks. 

Bocain Designs
Bocain Designs

Dan is a founding partner of Bocain Designs, a web design company that specializes in WordPress web design and WordPress management. We've earned over 2,000 five-star reviews for our work with 2,500+ clients from over 80 countries. Let's talk about how we can make your business awesome online!