WordPress Security and Securing Your WordPress Website
If you have a WordPress site and do not secure it with at least some basic security practices, you are setting yourself up for a major pain in the ass. Once your WordPress website is live on the internet, there will be people trying to hack it. Hackers may be attempting to do anything from completely destroying your site to inconspicuously injecting affiliate/spam links. While the less severe end of this spectrum may not seem like a huge deal, it is, because Google will tank your site’s rankings if it is riddled with spam. Bottom line: you want to protect your WordPress website from ALL types of hacks. To do this, you need to implement some security measures. Here’s an overview of some of the best suggestions for securing your WordPress website.
Plugins for Securing WordPress
iThemes Security (formerly Better WP Security)
iThemes Security is a free plugin that has actually been around for a while but was known as “Better WP Security” until iThemes assumed ownership. It is a comprehensive security plugin that includes dozens of security options. It’s a great all-in-one solution for securing your WordPress websites. Visit its WordPress page for a detailed list of how it secures your site.
Sucuri Security Scanner
The Security Scanner from Sucuri is a free malware scanner from the security experts at Sucuri. It checks for:
- Obfuscated JavaScript injections
- Cross Site Scripting (XSS)
- Website Defacements
- Hidden & Malicious iFrames
- PHP Mailers
- Phishing Attempts
- Malicious Redirects
- Anomalies
- Drive-by-Downloads
- IP Cloaking
- Social Engineering Attacks
It also features a few lightweight security measures:
- Verify WordPress Version
- Protect Uploads Directory
- Restrict wp-content Access
- Restrict wp-includes Access
- Verify PHP Version
- Disable the theme and plugin editors
Wordfence
Another amazing option (and free) is Wordfence. According to its plugin page:
Wordfence starts by checking if your site is already infected. We do a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.
I’ve used Wordfence on a few sites and I really like it. Like iThemes Security, it is a pretty comprehensive security solution.
Limit Login Attempts
This plugin is a simple solution for limiting the number of attempted logins per IP. It does one thing and does it well. It’s so good at what it does, some WordPress hosting companies like SiteGround automatically include it in all of their Managed WordPress Hosting installations. Limit Login Attempts can be downloaded from the WP plugin repository. You will not need this plugin if you are using Wordfence or iThemes Security.
Rename wp-login.php
Rename wp-login.php is a simple plugin that renames your WordPress login page to whatever you want to call it. For example, you can name it “custom-login” and the login page will be yoursite.com/custom-login rather than yoursite.com/wp-login.php. The wp-login.php page is a very common way for hackers to get into your admin area via brute force attacks, in which they repeatedly submit username/password combinations until one works. This feature is included in the iThemes Security plugin, so you do not need this plugin if you’re using that one.
Stealth Login Page
I really like the Stealth Login Page plugin because it adds a login authorization code that is required when logging into your site, which adds a new layer of protection.
Security with .htaccess
For more .htaccess security awesome-ness, check out WordPress .htaccess Tips and Tricks on Elegant Themes.
Protect .htaccess
Add this to your root .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
Protect wp-config.php
Add this to your root .htaccess
<files wp-config.php>
order allow,deny
deny from all
</files>
Protect /wp-content
Create a .htaccess file in your /wp-content directory and add this code:
# Deny direct access to everything in wp-content except the static asset types browsers need.
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Protect /wp-includes
Add this to your root’s .htaccess
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Restrict /wp-admin to IP
Create a .htaccess file in your /wp-admin directory and add this code:
# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>
Use this one only if the front-end of your site does not use any AJAX. If it does, the AJAX calls are processed by admin-ajax.php, which is now limited to the IPs you specified. This means that only those IPs will see the AJAX functionality and everyone else will see the request fail (e.g. an endless loading spinner).
You can look up your IP by using the What Is My IP tool. Also, if you need to include multiple IPs, just separate them with a comma (e.g. 12.34.56.78, 12.34.56.78, 12.34.56.78).
Disable Directory Browsing
Add this to your root’s .htaccess
# directory browsing
Options All -Indexes
Other Security Practices
- Change the default database prefix.
- No admin with ID = 1. Create a new admin account and delete the administrator with the ID of 1.
- No admin with the username of “admin”.
- Use strong passwords.
- Post and comment under an Author account, not an administrator account.
- Always run updates. I do a lot of client work where the client has a ton of outdated plugins and just never runs updates. Please, run your updates.
- Take regular backups. If you publish a lot of content, back up on a schedule that matches your content schedule (e.g. daily or weekly). It’s best to use a plugin to automate this process at regular intervals.
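Several of these items, along with the wp-config.php and directory-browsing rules from the .htaccess section above, can be checked against a local copy of a site. The Python script below is an added example, not from this post or any of the plugins it mentions; the files it writes are constructed stand-ins for a WordPress root that has none of the hardening applied.

```python
import os
import re
import tempfile

# Constructed stand-in for a WordPress root with none of the hardening applied.
SAMPLE_SITE = {
    "wp-config.php": "<?php\n$table_prefix = 'wp_';\ndefine('DB_NAME', 'example');\n",
    ".htaccess": "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n",
    "wp-content/index.php": "<?php // Silence is golden.\n",
}

def write_sample_site(files):
    """Write the constructed files into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

def read_file(root, rel):
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return ""
    with open(path) as fh:
        return fh.read()

def audit_wordpress_root(root):
    """Return a list of findings for the hardening items covered in this post."""
    findings = []
    config = read_file(root, "wp-config.php")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("database prefix is the default 'wp_'")
    htaccess = read_file(root, ".htaccess")
    # Apache directives are case-insensitive, so match them that way too.
    if not re.search(r"<files\s+wp-config\.php>", htaccess, re.I):
        findings.append("root .htaccess has no <files wp-config.php> deny block")
    if not re.search(r"^\s*Options\b.*-Indexes", htaccess, re.I | re.M):
        findings.append("directory browsing is not disabled (no 'Options -Indexes')")
    if not os.path.isfile(os.path.join(root, "wp-content", ".htaccess")):
        findings.append("wp-content has no .htaccess restricting direct access")
    return findings

if __name__ == "__main__":
    for finding in audit_wordpress_root(write_sample_site(SAMPLE_SITE)):
        print("FINDING:", finding)
```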
Conclusion
Although this may seem like a long list, it’s not even all-inclusive. If any WordPress security pros have other suggestions, feel free to drop them in the comments below.
Has your WordPress site been hacked?
For quick, professional, reliable help with a hacked or infected WordPress site, contact Sucuri.