A Comprehensive WordPress Security Guide (2022)

Why is WordPress Security so Important?

WordPress powers over 32% of all websites on the internet, and it is becoming a huge target for hackers, DDOS and other malicious attacks. With thousands of themes and plugins out there, it’s not surprising that vulnerabilities exist and are being discovered on a daily basis. As a WordPress website owner, it is your responsibility to make sure that your website does not have any security flaws which could be exploited.

Below is a side by side comparison of the most popular Content Management Systems.

Infected Website Platforms

As you can see WordPress is by far the number one infected platform. This does not mean that WordPress is not secure. In fact, the core WordPress files are extremely secure. Most of these Infections are due to poorly coded plugins and themes.

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal information, passwords, install malicious software, and can even distribute malware to your visitors. When it comes to security, there are a lot of things you can do. So in this guide, we are going to be sharing our best tips, strategies, and techniques that you can use to secure your WordPress website.

Table of Contents

  1. Find Good WordPress Hosting
  2. Get a Secure WordPress Theme
  3. Remove Unused Plugins & Themes
  4. Keep WordPress Up to Date
  5. Backup, Backup, Backup!
  6. Disable File Editing
  7. Remove WordPress Version
  8. Disable Directory Browsing
  9. Protect Sensitive Files
  10. Limit Login Access
  11. Limit Admin Panel Access
  12. Protect Against SQL Injection
  13. Change the Default Database Prefix
  14. Disable XML-RPC
  15. Our Recommended Security Plugins
  16. My Final Thoughts

Find Good WordPress Hosting

When it comes to WordPress security, there is much more than just locking down your website. There is also web server security for which your WordPress host is responsible.

Using WordPress hosting provides a more secure platform for your website. Unlike normal shared hosting, WordPress hosting is a hosting environment that’s specifically designed to cater to WordPress websites. Every aspect of the server is set up with WordPress reliability, speed, security and ease-of-use in mind.

Three important things to look for in a good WordPress host are:

  • Automatic WordPress Updates
  • Automatic WordPress Backups
  • WordPress Specific Security

Here at Zuziko, we used Hostgator WordPress Cloud Hosting for years. We recently switched over to Rocket.net hosting to get a speed edge but also like Kinsta WordPress hosting. All are good options.

Related: Read our Rocket.net Review.

Get a Secure WordPress Theme

A secure WordPress theme is one that doesn’t include any known security vulnerabilities, is consistently updated, follows proper code standards, and is compatible with both your version of WordPress and your site’s other elements such as plugins.

Having a theme that meets all these criteria will help you avoid unnecessary bugs, compatibility errors, and similar issues. You’ll also make it a lot harder for hackers, malware, and other undesirable influences to impact your website because there will be fewer security holes for them to exploit.

We use GeneratePress as our theme and have for years. It is secure, lightweight, constantly updated and has excellent support.

You can always check if your theme is secure using the tools we’ll discuss in a moment. However, the best way to find a safe theme is to get it from a reputable source. Below are a few themes that I use myself and highly recommend:

If you already have a WordPress theme you can use a plugin such as Theme Check. The theme check plugin is an easy way to test your theme and make sure it’s up to spec with the latest WordPress theme standards. A passing score doesn’t necessarily mean your theme is perfect, but it is an indicator of solid coding practices.

Remove Unused Plugins and Themes

When you are creating your WordPress website you will most likely be testing out several plugins and themes before you decide on your final ones. Make sure to remove any that you are not going to be using on the live website.

Even though a theme or plugin is not enabled and active it can still open up security holes for hackers to get in. This is because the plugin or theme files that could potentially be a security risk are still located in your /wp-content/ directory.

Keep WordPress Up to Date

Almost every WordPress website that is not kept up to date will be hacked sooner or later. Hackers use scripts that search the internet specifically for outdated and vulnerable WordPress plugins and themes.

For this reason, it’s extremely important to keep your plugins, themes, and core WordPress files up to date. In fact, this might be one of the most important things you can do in this whole guide.

Most of the time you can do WordPress updates from the Dashboard > Updates. However, if you have purchased premium plugins or themes you may have to go directly to their website to download the latest version.

Make sure to get a backup of your website files and database before you update. Sometimes updating to a newer version of WordPress can break your website especially if you are using plugins and themes that are outdated.

Backup, Backup, Backup!

Keeping a current backup of your website is crucial. This is not only important for security reasons but is just a good idea in general. Having a backup of your website allows you to quickly restore your WordPress site in case anything were to happen.

Depending on how often you edit your website, you may want to update weekly or even daily. I personally get a backup anytime I make changes big or small. You can manually backup your WordPress website (this is what I do) or you can use one of the many backup plugins available. UpdraftPlus is our WordPress backup plugin of choice.

Related: Our pick for Best WordPress Backup Plugin

Disable File Editing in the Dashboard

By default, WordPress allows admins to edit the theme and plugin code through the dashboard. While it is a great feature, it can be a security risk especially if you have multiple users.

If you have multiple users that login to your WordPress dashboard, it’s important to assign the correct role to each user. Only allowing access to the things that are necessary. If you happen to forget or make a mistake when assigning roles it could give someone access to your file editor.

A single typo in one of these files can completely break your website. The file editor is also an easy way for a hacker to run malicious code. For these reasons, I recommend that you disable it completely.

You can disable this feature completely by adding the following code to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Remove WordPress Version

By default, WordPress displays its version info in your source code. This is used for tracking purposes and can be a big security risk. Hackers can use this information to exploit known vulnerabilities on a particular version. For this reason, it’s a good idea to remove the version number from all areas of your website.

Remove WordPress Version

To remove the WordPress version number from all areas of your website, add the code below to your theme’s functions.php:

// remove version from head
remove_action('wp_head', 'wp_generator');

// remove version from RSS
add_filter('the_generator', '__return_empty_string');

// remove version from scripts and styles
function shapeSpace_remove_version_scripts_styles($src) {
if (strpos($src, 'ver=')) {
$src = remove_query_arg('ver', $src);
}
return $src;
}
add_filter('style_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);

If you always use the latest version of WordPress this is not as big of a deal. However, I still remove my WordPress version because I want to give out as little information as possible to a potential hacker.

Disable Directory Browsing

Have you ever visited a webpage and noticed a listing of files instead of the actual HTML similar to the picture below? Servers will display the directory listing in the absence of an index page. What this means is that if a visitor types the path of a certain directory such as https://zuziko.com/wp-includes/ and there is no index.php file, the server will display everything inside this folder. This can be dangerous, as it gives a hacker the ability to explore the inner workings of your website.

Disable Directory Browsing

The good news is that this can easily be prevented by adding a single line of code to your .htaccess file. To disable directory browsing open your .htaccess file and paste the following code inside:

# Disable directory browsing
Options All -Indexes

Protect Sensitive Files with .htaccess

A WordPress installation contains sensitive files, such as the wp-config.php, license.txt, and readme.html files. It’s best to keep these files hidden from outside access as they contain sensitive information.

Some of these files can be deleted. However, they will be back again when you update to a newer version of WordPress. For this reason, it’s best to just hide them using your .htaccess file. That way you don’t have to worry about it anymore.

Copy and paste the code below into your .htaccess file located in the root directory:

# Protect .htaccess
<files .htaccess>
Order allow,deny
Deny from all
</files>

# Protect readme.html
<files readme.html>
Order allow,deny
Deny from all
</files>

# Protect license.txt
<files license.txt>
Order allow,deny
Deny from all
</files>

# Protect wo-config.php
<files wp-config.php>
Order allow,deny
Deny from all
</files>
 
# Protect error_log
<files error_log>
Order allow,deny
Deny from all
</files>

Limit Login Access

A Brute Force Attack is one of the more common ways to gain access to a website. By default, WordPress will allow users to enter usernames and passwords as many times as they want. Hackers use programs that try usernames and passwords, over and over again, until they get in or the server dies. A common attack point on WordPress is the wp-login.php.

There is an easy way you can fix this problem. Open your .htaccess file and paste the code below inside. Replace xx.xx.xx.xx with your external IP and anyone else’s IP that will need access to login. You can find your IP at https://www.whatismyip.com.

# Limit Login Attempts
<Files wp-login.php>
order deny,allow
Deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
</Files>

This will prevent everyone (except the IP’s you specify) from accessing the wp-login.php page.

Limit Access to WordPress Admin Panel

The same way we blocked wp-login.php above we can also block the Dashboard area of WordPress. If you are the only person who needs to login to your Admin area, you can deny wp-admin access to everyone but yourself using an .htaccess file. For this, we will need to create a new .htaccess file inside of your wp-admin folder.

Create a new file inside your wp-admin folder named .htaccess and add the following code:

# Block access to wp-admin
order deny,allow
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
deny from all

Replace xx.xx.xx.xx with your external IP address and anyone else’s IP that will need access to the WordPress Dashboard.

If your theme or plugins use AJAX, you will most likely need to add an additional group of settings to your .htaccess so that functionality continues to work:

# Allow access to admin-ajax.php
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

This will prevent everyone (except the IP’s you specify) from accessing the WordPress dashboard.

Protect against SQL Injection

SQL Injection is the most commonly used hacking technique to manipulate WordPress databases. SQL injection attacks occur when a web application does not validate values received from a web form, cookie, input parameter, etc.

An attacker can easily abuse the input fields by inserting malicious code that can execute SQL commands. These commands can create, retrieve, update, and even delete the data in your WordPress database.

Below I have shared some code that can be inserted into your website’s .htaccess file. This code will lay down a strong set of rules to help protect you from many serious SQL injection attacks.

# Protect Against SQL Injection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>

Change the WordPress Database Prefix

Your WordPress database contains sensitive information such as usernames, passwords, emails etc. This is why it’s a popular target for hackers. Hackers develop SQL injections, automated scripts, and other malicious code to attack your database and break into your website. For this reason, it’s very important that you protect your database.

Although there is no security measure that is guaranteed to be foolproof, you can still protect your website’s database from novice attackers simply by changing its default table prefix. Changing the default table prefix of wp_ to something else will make it much harder for an attacker to guess.

You can change the default database prefix by following our tutorial: How to Change the Default WordPress Database Prefix.

Disable XML-RPC in WordPress

XML-RPC is a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, this was created to handle that job.

The biggest issues with XML-RPC are the security concerns that arise. The issues aren’t with XML-RPC directly, but instead how the file can be used to enable a brute force attack on your site. Hackers can effectively use a single command to test hundreds of different passwords. This allows them to bypass security tools that typically detect and block brute force attacks.

Sure, you can protect yourself with incredibly strong passwords, and WordPress security plugins. But, the best way to protect yourself is to simply disable it.

Copy and paste the code below into your .htaccess file located in the root directory:

# Block WordPress xmlrpc.php
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Our Recommended Security Plugins

Investing in a solid security plugin like the ones listed below will let you scan your website for vulnerabilities, monitor actions, provide a WAF or “Web Application Firewall”, and alert you through email when something is not right. This will help harden your WordPress website even more.

Not to mention, all of these plugins will do everything I have written about in this guide (and much more) in just a few clicks.

Sucuri Security

Securi Security

iThemes Security (Better WP Security)

iThemes Security

All In One WP Security & Firewall

All In One WP Security and Firewall

Wordfence Security

WordFence Security

My Final Thoughts

Hopefully, this guide has helped you learn a little bit about WordPress Security and has given you some ideas about how you can better protect your Website. If you have any questions or see anything that I can add, let me know in the comments below.

David Green

My name is David and I am the founder and author of Zuziko. I love WordPress and have built sites, themes and plugins. I am passionate about web development and have created Zuziko as a way to share my knowledge and experience with the world. My WordPress user profile.

Leave a Comment

Share via
Copy link
Powered by Social Snap