How to increase WordPress security is probably the most widely discussed topic in WordPress-related forums. There are certainly many good security plugins to choose from; however, there is also a handful of measures that need no third-party tools and still noticeably improve the security of a WordPress site.
Some of these best practices can be performed from the WordPress admin, while others are done from the cPanel of your hosting account or by editing two configuration files: wp-config.php (for the WordPress configuration) and .htaccess (for the Apache server configuration). Both files are found in the public_html folder of your WordPress install.
In this article, I’ll show you 15 WordPress security tips that don’t require the installation of a plugin.
1. Perform Regular Updates
Where: WordPress admin
The WordPress core team monitors security issues and patches new vulnerabilities as they are found. Bug fixes and security patches are delivered as updates from the Dashboard > Updates menu in the WordPress admin.
Make a habit of updating your site regularly: not just WordPress core, but also your plugins and themes, since plugin and theme authors also release security updates when necessary.
2. Use the Principle of Least Privilege
Where: WordPress admin
Site owners granting users more privileges than they need is a common WordPress security issue. According to the Principle of Least Privilege (PoLP), users should have only the permissions they need to do their job on the site. WordPress has a solid user management system with five distinct user roles:
- Subscriber
- Contributor
- Author
- Editor
- Administrator
Only grant admin privileges to users who really perform admin tasks such as updating plugins, modifying settings, or installing themes. When you add a new user, you select their role from a dropdown list, and you can just as easily change the role of an existing user on the Users admin page.
To make your site more secure, review the “Roles and Capabilities” table in the WordPress Codex and decide what permissions each of your users actually needs. If someone has more privileges than they need, consider changing their role: not only might they abuse those permissions, but if their account is compromised, an attacker can do far less damage with a lower-privileged account.
3. Change the Default admin Username
Where: WordPress admin
The default admin username can cause serious problems for WordPress security. Automated brute-force attacks frequently target admin accounts in bulk. These are low-effort attacks that are not aimed at a particular site; they simply look for sites that never changed the default admin username.
Changing the admin username is not trivial, as WordPress does not allow users to change their usernames from the admin area. You can change it in the database, but the easiest solution is to create a new administrator account with a different username, log in with the new account, and delete the old one.
4. Use Strong Passwords for High-Level Users
Where: WordPress admin
Using strong passwords for high-level users is crucial to good WordPress security. When a new user registers, WordPress generates a strong password by default, but users can change it to a weaker one. Make sure that your high-level users (admins and editors) always use strong passwords. If they are afraid they won’t remember complicated passwords, recommend a password manager application.
5. Regularly Export Your Content
Where: WordPress admin
If you run a successful WordPress blog, your content is your most important asset. Certain types of attacks can damage your posts, pages, images, and other content, so never forget to save copies to your local machine or to cloud storage.
You can easily export all your content from the Tools > Export menu in the WordPress admin. When you hit the “Download Export File” button, WordPress creates an XML file you can download. Whenever necessary, you can restore your content by uploading the same XML file on the Tools > Import admin page.
6. Remove Plugins and Themes You Don’t Need
Where: WordPress admin
Site owners tend to overuse plugins and don’t delete themes they don’t use, which can seriously compromise WordPress security. Every extra plugin or theme adds code that may contain vulnerabilities, so each one increases the risk of being hacked.
Therefore, only use plugins that are strictly necessary, and don’t just deactivate but also delete the ones you don’t need. And, as a WordPress site can use only one theme at a time, there is little reason to keep unused themes installed. For better WordPress security, delete the inactive ones; if you need them in the future you can quickly reinstall them.
7. Regularly Back Up Your Database
Where: cPanel
Besides exporting your content via the WordPress admin, it can also be helpful to create database backups. You can back up your database via the cPanel of your hosting account: choose the File > Backups menu in your cPanel and download your SQL backup file. If anything goes wrong you can quickly restore your full database from the backup file.
Some hosting plans include an automated database backup option as well. If you want to secure your database consider choosing a hosting plan in which your hosting provider takes care of the backup.
8. Change Your Database Table Prefix
Where: wp-config.php
By default, WordPress uses the wp_ prefix for database table names. To make your site more secure, you can use a less predictable table prefix by changing the value of the $table_prefix variable in your wp-config file. Keep in mind that only letters, numbers, and underscores are allowed in the table prefix; any other character, such as a special character, results in an invalid prefix.
9. Force Secure Login
Where: wp-config.php
Forcing users to log in to the admin area over HTTPS (SSL/TLS) can greatly improve WordPress security. However, you can only do that if you have an SSL certificate installed on your site. You can buy an SSL certificate from your hosting provider, but these days many hosting plans come with a free Let’s Encrypt certificate.
With the SSL certificate in place, you can use HTTPS either for the admin area only or for the whole site. You can force users to log in via the secure https:// address by adding the following line to the top of your wp-config file:
define( 'FORCE_SSL_ADMIN', true );
10. Disable Plugin and Theme Modifications
Where: wp-config.php
By default, admin users can edit plugin and theme files from the WordPress admin. Convenient as it is, this feature becomes dangerous if an attacker gets hold of an administrator account, because the built-in editor lets them change the code that runs on your server.
You can disable the plugin and theme editors for administrators by adding the following line to your wp-config file:
define( 'DISALLOW_FILE_EDIT', true );
If you want not only to disable the plugin and theme editors but also to prevent administrators from updating plugins and themes from the WordPress admin, use the following constant instead:
define( 'DISALLOW_FILE_MODS', true );
Don’t use both constants at the same time. If you want to keep updating plugins and themes as a WordPress admin, use DISALLOW_FILE_EDIT. If you don’t mind performing the updates in the background (via SFTP), use DISALLOW_FILE_MODS instead.
11. Disallow Unfiltered HTML
Where: wp-config.php
WordPress allows admins and editors to post HTML markup and JavaScript code (inside a <script> tag) in pages, posts, widgets, and comments. However, this can be dangerous if their account gets compromised. You can filter the HTML they post by adding the following rule to your wp-config file:
define( 'DISALLOW_UNFILTERED_HTML', true );
This way the HTML and JavaScript they post won’t be executed; instead, it appears on the website as plain text.
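To check that the wp-config.php settings from tips 8 to 11 are actually in effect, here is an added audit script (my own example, not code from the article or from WordPress) that parses the define() constants and $table_prefix out of a wp-config file and reports what is missing; the SAMPLE_WP_CONFIG fragment is constructed for the demonstration.

```python
import re

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)""", re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

# Constructed sample wp-config.php fragment; it is not taken from any real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'wp_';
define( 'FORCE_SSL_ADMIN', true );
// define( 'DISALLOW_UNFILTERED_HTML', true );   <- commented out, so inactive
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
"""

def parse_wp_config(text):
    """Return (constants, table_prefix); PHP comment lines are skipped."""
    constants, prefix = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # a commented-out define() is not an active one
        for name, raw in DEFINE_RE.findall(line):
            low = raw.lower()
            constants[name] = True if low == "true" else False if low == "false" else raw[1:-1]
        match = PREFIX_RE.search(line)
        if match:
            prefix = match.group(1)
    return constants, prefix

def audit_wp_config(text):
    """Return a list of findings; an empty list means every check passed."""
    constants, prefix = parse_wp_config(text)
    findings = []
    for name in ("FORCE_SSL_ADMIN", "DISALLOW_UNFILTERED_HTML"):
        if constants.get(name) is not True:
            findings.append(f"{name} is not set to true")
    edit, mods = constants.get("DISALLOW_FILE_EDIT"), constants.get("DISALLOW_FILE_MODS")
    if edit is True and mods is True:
        findings.append("DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are both set; use one")
    elif edit is not True and mods is not True:
        findings.append("plugin/theme editor still enabled: no DISALLOW_FILE_* constant")
    if prefix is None:
        findings.append("$table_prefix not found")
    elif prefix == "wp_":
        findings.append("$table_prefix is still the default wp_")
    elif not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        findings.append(f"invalid $table_prefix {prefix!r}: only letters, digits, underscores")
    return findings
```

Run it against the real file with `audit_wp_config(open("wp-config.php").read())`; the sample above yields three findings (unfiltered HTML still allowed, both DISALLOW_FILE_* constants set, default table prefix).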
12. Deny Access to Your wp-config File
Where: .htaccess
By default, anyone can request your wp-config file, which contains your entire configuration: the database name, username and password, the security keys and salts, and other highly sensitive data. You can deny access to the wp-config file by adding the following snippet to your .htaccess file:
# Apache 2.2 syntax (on Apache 2.4 it needs mod_access_compat; "Require all denied" is the 2.4 equivalent)
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>
Place the above snippet below the Rewrite rules in the default WordPress .htaccess file, but above the closing </IfModule> tag.
13. Deny Access to All Your .htaccess Files
Where: .htaccess
It’s also possible to deny unauthorized access to all the .htaccess files in your WordPress install. Your .htaccess files contain your Apache server configuration, yet they may be publicly retrievable through the browser.
If you type http://yoursite.com/.htaccess into your browser’s URL bar you can check whether your main .htaccess file can be accessed by anyone on the internet. Use the following .htaccess rule to protect your .htaccess files:
<Files ~ "^.*\.([Hh][Tt][Aa])">
    Order Allow,Deny
    Deny from all
    Satisfy all
</Files>
14. Disable Access to XML-RPC
Where: .htaccess
WordPress ships the XML-RPC protocol, which can be used for remote publishing or by third-party apps to connect to your site. However, it also enlarges your attack surface, as attackers frequently abuse the endpoint. If you don’t use any third-party apps, consider disabling XML-RPC by adding the following snippet to your .htaccess file:
<FilesMatch "^(xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
</FilesMatch>
Note that some popular WordPress plugins such as Jetpack also use the XML-RPC API. If you want to use Jetpack don’t disable access to XML-RPC.
15. Disable Directory Browsing
Where: .htaccess
Although many WordPress users don’t know it, some of the WordPress directories can be listed in the browser in the following way:
Public access to your directory tree is harmful to WordPress security, as anyone can learn a lot about your install from it. You can disable the feature by adding the following line to your .htaccess file:
Options -Indexes
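After applying the .htaccess rules from tips 12 to 15, verify them from the outside. The following checker is an added example of my own (not from the article) that requests the protected paths and reports whether each one is still reachable; the hostname in the usage line is a placeholder and the status-to-verdict mapping is an assumption explained in the comments.

```python
import urllib.error
import urllib.request

# Paths that tips 12 to 15 lock down, and what "locked down" looks like.
# "blocked": a 403 (or 404) proves the Deny rule is active; a 2xx or 405 means
# the request still reaches the file.  "no-listing": Options -Indexes in place.
CHECKS = {
    "/wp-config.php": "blocked",
    "/.htaccess": "blocked",
    "/xmlrpc.php": "blocked",
    "/wp-content/uploads/": "no-listing",
}

def classify(path, status, body):
    """Return 'protected' or 'EXPOSED' for one (status, body) response."""
    if CHECKS[path] == "blocked":
        # A 200 on wp-config.php is usually a blank page because PHP executes
        # the file, but it still shows that the <Files> rule is not active.
        return "protected" if status in (403, 404) else "EXPOSED"
    # Directory listing: only a 200 page that looks like an index is a problem.
    listing = status == 200 and "index of" in body.lower()
    return "EXPOSED" if listing else "protected"

def fetch(url):
    """GET url; return (status, first 4 KiB of body). HTTP errors are returned."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")

def check_site(base_url, fetch=fetch):
    """Return {path: verdict} for every path in CHECKS; fetch is injectable."""
    base = base_url.rstrip("/")
    return {path: classify(path, *fetch(base + path)) for path in CHECKS}

if __name__ == "__main__":
    import sys  # usage: python check_wp_exposure.py https://yoursite.example
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{verdict:10} {path}")
```

Note that WordPress answers a GET to xmlrpc.php with a 405 when XML-RPC is enabled, so the checker treats anything other than 403/404 on that path as still reachable.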
Learn More about WordPress Security
Putting security best practices into use is a crucial part of WordPress site management, but there are many other security-related tasks you may want to do. To learn more about WordPress security, check out our articles on the best two-factor authentication and backup plugins, or read our guide on how to identify WordPress vulnerabilities.
To stay updated with the latest web development news or to get some cool WordPress tips, don’t forget to follow OnExtraPixel on Twitter or Facebook—we have great online communities.