WordPress is very beginner-friendly and easy to learn, but many users often forget one factor – Security.

Creating your WordPress site is both exciting and overwhelming.

There’s a lot you need to do to set everything up, from picking out a theme to writing your first blog post. Yet, one factor many people neglect is security.

WordPress is very beginner-friendly and easy to learn, but that comes with some caveats.

Hackers like to take advantage of relatively inexperienced users and breach new websites.

They do so to get access to sensitive information or use the site to spread malware to unsuspecting visitors.

After all, WordPress powers almost 35% of the web.

That means more than a third of all sites share similar vulnerabilities, making it a lucrative target for hackers.

So is WordPress still really worth using? Aren’t we just opening ourselves up to being hijacked?

The truth is, with the right knowledge, using WordPress is arguably just as safe, if not safer, than making your own website.

It’s impossible to develop an impregnable website that will never ever be breached.

Even if you’re trying to create your own site from scratch, remember that you’re on your own.

WordPress users have access to hundreds of resources, like this one, that can help patch security holes, making it all but impenetrable.

Let’s go over the pros and cons of WordPress security in detail, and give some tips for making your website safer.

Is an Open Source Product Really Secure?

WordPress is open-source, which means that the code that runs your website is free to be examined by anyone who wants to.

This includes hackers searching for vulnerabilities to exploit.

With that in mind, is it safe to use open-source platforms?

As it happens, using open source platforms can be much safer than making your own site, especially if you have no idea what you’re doing.

Many programmers will have an understanding of how to make a secure system, but you’ll often need to hire a security engineer to be fully protected.

And even then, you’ll have to maintain your own code and keep it updated, and that’s expensive.

WordPress’ code isn’t only scoured by hackers.

It’s also maintained by the WordPress security team, volunteer developers, ethical white hat hackers, and other interested parties with good intentions.

So even if something slips through, there’s a good chance it’ll be caught fast.

Most security breaches aren’t even caused by a vulnerability in an up-to-date WordPress installation.

They happen because people don’t keep WordPress and its plugins up to date, install malicious software accidentally, or use insecure passwords.

If you follow good practices, chances are you’ll be perfectly safe.

That said, let’s dive into some of the things you can do to protect your WordPress site.

Why Website Security is Important

A hacked WordPress site can cause serious damage to your business revenue and reputation.

Hackers can steal user information and passwords, install malicious software, and even distribute malware to your visitors.

Worse, you may find yourself paying a ransom to hackers just to regain access to your website.

In March 2016, Google reported that more than 50 million website users had been warned that a website they were visiting might contain malware or steal information.

Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.

If your website is a business, then you need to pay extra attention to your WordPress security.

Similar to how it’s the business owner’s responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.

WordPress Root Directory

When you buy a web domain, your host asks you which operating system to install. WordPress is generally installed in a directory such as /HTTP/”wikicat.net” or /WWW/”wikicat.net”.

It is absolutely important to make sure that write permissions on the root (“/”) directory are disabled for the public; the public should only have read and execute permissions.

Fortunately, by default, all the files are configured in the right way, but you always have to be careful.

When a file or folder is world-writable, any person on the server can edit it at will.

This likely isn’t the issue, but it’s still worth checking.

In your WordPress directory, folders should have permissions of 755 and files 644.

Setting permissions to anything else may cause problems, including 500 internal server errors.

Open your root directory in an FTP client. Many clients, including FileZilla, have a Permissions tab you can use to quickly check the permissions for each file and folder in your root directory.

Make sure these are not set to anything other than 755 or 644.
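If you have shell access to the server, the same check can be scripted instead of clicking through an FTP client. The script below is an added example (not code from the original article): it walks a WordPress root, reports anything that is not 755 (folders) or 644 (files), and calls out world-writable entries separately, since those are the dangerous ones. It changes nothing; the only input is the path.

```php
<?php
// Added example: audit a WordPress root for permissions that differ from the
// 644 (files) / 755 (folders) recommended above, and flag world-writable items.
// Run from the command line:  php check-wp-perms.php /path/to/wordpress

const WP_DIR_MODE  = 0755;
const WP_FILE_MODE = 0644;

/**
 * Walk everything below $root and return a list of findings.
 * Each finding is [path, actual mode as an octal string, reason].
 */
function audit_wp_permissions( string $root ): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ( $iterator as $path => $info ) {
        // Keep only the permission bits; drop file type and setuid/setgid/sticky.
        $mode     = fileperms( $path ) & 0777;
        $expected = $info->isDir() ? WP_DIR_MODE : WP_FILE_MODE;

        if ( $mode & 0002 ) {
            // World-writable: anyone on the server can modify this entry.
            $findings[] = [ $path, sprintf( '%04o', $mode ), 'world-writable' ];
        } elseif ( $mode !== $expected ) {
            $findings[] = [ $path, sprintf( '%04o', $mode ),
                sprintf( 'expected %04o', $expected ) ];
        }
    }
    return $findings;
}

// Command-line entry point.
$root = $argv[1] ?? getcwd();
if ( ! is_dir( $root ) ) {
    fwrite( STDERR, "Not a directory: $root\n" );
    exit( 2 );
}

// Check the root directory itself first, then everything below it.
$findings  = [];
$root_mode = fileperms( $root ) & 0777;
if ( $root_mode !== WP_DIR_MODE ) {
    $findings[] = [ $root, sprintf( '%04o', $root_mode ), 'expected 0755' ];
}
$findings = array_merge( $findings, audit_wp_permissions( $root ) );

if ( $findings === [] ) {
    echo "All files are 644 and all folders are 755.\n";
    exit( 0 );
}
foreach ( $findings as [ $path, $mode, $reason ] ) {
    printf( "%s  %s  (%s)\n", $mode, $path, $reason );
}
exit( 1 );
```

A non-zero exit status when anything is reported makes the script usable from a cron job or deployment check.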

Choose Secure Hosting

One major factor behind these security vulnerabilities is low-quality hosting. 

Invest in a host that places a high value on security.

You aren’t doing yourself any favors if you feel that cheaper hosting costs outweigh security.

Part of your market research must include looking into the hosting company’s security record.

Are they security-conscious?

Do they rely on the latest technology and standards? 

This is also true for shared hosting.

While it is a cheaper option, it also means that you’re sharing server space with other customers.

Unfortunately, all it takes is one infected website for the malware to spread across every site on the network.

This is why we should consider upgrading to the cloud, VPS, or dedicated hosting when we can afford it.

In addition, we should be looking for a host that offers the following services:

  • Monitoring – They continuously monitor their network for suspicious activity.
  • Up to date server software – They keep their server software and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version. Too many hosts still run on PHP 5, which has long lost support. At this point in time, servers should at least use PHP 7.0+. The same goes for other software like cPanel, MySQL or other database programs, and the operating system.
  • Malware monitoring and removal – Pick a host that actively makes an effort to detect and prevent malware infections, and possibly offers malware scanning and removal for when you do get breached. Not all web hosts have a policy for removing malware from an infected site, and among those that do, some will charge extra for this service.
  • Firewalls and other security measures – All good hosting companies have tools in place to prevent large-scale DDoS attacks. There are many ways that hosting providers can increase their server security. Possibly the most effective among them is to rely on a firewall, as it prevents unauthorized outside access to the server. It might be a good idea to check whether a provider has this and other means of prevention in place before making a choice.
  • Data Protection – They have ready-to-deploy disaster recovery and accident plans, which allow them to protect your data in case of a major accident.

On a shared hosting plan, you share the server resources with many other customers.

This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.

Using a managed WordPress hosting service provides a more secure platform for your website.

Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.

We recommend WPEngine as our preferred managed WordPress hosting provider.

They’re also the most popular ones in the industry.

Install an SSL Certificate

A Secure Sockets Layer (SSL) certificate encrypts the data served between the user and your website.

This is crucial for sites where users exchange payment info, and less relevant to informational blogs.

SSL grants you an HTTPS URL and a certificate to go with it, without which users will receive a red “Not secured” notification in the address bar when visiting our site.

Tech-savvy visitors will know that this does not pose a risk if they’re merely browsing, but it will definitely scare off many others.

Over the years SSL certificates have built trust among users, and effectively tell them that our identity is verified and authenticated by a trusted provider.

It won’t directly prevent us from getting hacked, but it’s still good to have.

If your website does collect info through forms, for payments, etc, you absolutely must get one.

IdenTrust and Comodo are currently the most popular providers of SSL certification.

Plugins like Really Simple SSL can help you set up the certificate and get HTTPS running.

Back-Up Your Website

Before you even begin making changes to your site, before updating WordPress or installing a plugin, the very first thing you should do is set up your backups.

This way, no matter what the worst-case scenario is, an accidental change to the code, a WordPress glitch or a corrupted database, we have a solution.

Even if our site gets hacked, and the damage is irreparable, we won’t have to build it all over again from scratch.

Manual backups, copying files and transferring them manually to hard-drive or cloud, are free but time-consuming.

True, we can do this as often (once a day) or as rarely as we want, although a backup done once every six months might be a little risky.

Check to see if your host offers weekly, monthly, or daily automated backups.

This service is usually commercial, but occasionally free. If this is the case, and your host backs up both your files and database, you don’t need to do anything else.

Though it may be a good idea to keep a few manual backups just in case.

If our host doesn’t offer website backups, or if the backup provided by our host excludes files or our database, we can also rely on plugins.

It’s a good idea to have at least one solid solution for each website you own or administer, and WordPress backup plugins can provide that extra layer of protection.

iThemes is one good example.

This security plugin offers free database backups, along with its suite of tools and patches.

Their related plugin BackupBuddy allows you to do a full site backup as well.

Free or freemium plugins like UpdraftPlus, BackUpWordPress, and VaultPress also do the job efficiently and are worth checking out. 

Remember that even if you decide to rely on a backup plugin, you will still need a security plugin, such as WordFence, if you want to stay safe.

Don’t wait till it’s too late.

Setting up your security at the last minute is as effective as fixing the holes in your roof during a rainstorm. 

Spending an hour or so to set up your backups and security will save you months, perhaps even years of work.

Keep Your Plugins and Theme Secure

If you’ve chosen a good host, and your backups are set up, you have a fairly good security infrastructure in place.

But there are still a few more things that you should do to fully secure your site. 

An outdated plugin or an insecure theme is a huge gateway for infiltrating your website.

Keeping them updated helps to patch up potential holes, preventing this from happening.

Updating your site components is as simple as going to your WP admin dashboard and checking for update notifications under Dashboard > Updates.

Mark any themes or plugins you want to update by ticking the boxes, then click the button at the top/bottom to start updating them.

If you have a habit of ignoring these alerts, it’s time to stop. 

As you know, plugins and themes can be updated through the Plugins and the Themes tabs.

Also, not all premium third-party themes push automatic updates, so you might want to check their websites every now and then.

More important than updating your plugins and themes is keeping WordPress itself up to date.

39% of hacked WordPress sites were outdated. Sometimes you may need to push off an update because it may interfere with a plugin you’re using, but eventually, you may have to lose the plugin to save your site.

Leaving WordPress outdated for months is possibly the worst thing you can do.

(Pro tip: Always back-up your site before introducing updates. Just in case there is a hiccup.)

While you’re at it, you should remove the version number from your source code.

By default, WordPress websites carry a meta tag containing the WordPress version number that the site is using.

We have to agree with security specialists that this just makes life too easy for hackers. 

You can manually remove WordPress’ version number by placing some simple code into your functions.php file.

If, as we’ve suggested, you are using a WordPress security plugin, many of them hide your WP version automatically.

If you’re considering using a performance plugin, the Perfmatters plugin also includes an option to hide the WP version.
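For readers who prefer the functions.php route mentioned above, here is an added example (not code from the original article or from any of the plugins it names) that removes the version from the three places WordPress normally prints it. The function name wp_version_strip_query_arg is chosen for this example.

```php
<?php
// Added example: remove the WordPress version from the places it normally
// shows. Add to your theme's functions.php or a small plugin.

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element WordPress writes into RSS and Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y query string appended to core scripts and stylesheets.
//    Only strip it when it equals the core version, so the cache-busting
//    version numbers of plugins and themes keep working.
function wp_version_strip_query_arg( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'wp_version_strip_query_arg', 9999 );
add_filter( 'script_loader_src', 'wp_version_strip_query_arg', 9999 );
```

This only hides information; the version can still be inferred from other files, so treat it as a complement to keeping WordPress updated, not a substitute.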

Install Plugins and Themes From Reliable Sources

Another big mistake WordPress users make is getting their plugins and themes from unreliable vendors.

A bad theme or plugin can corrupt, deface, or inject malware into your pages. 

Third-party websites and developers are not endorsed by WordPress, and as such, you never know what you’re getting.

It would be best to avoid anything coming from unknown websites. If the plugin in question has many positive reviews and seems to be popular, it should be safe enough to install. 

Bad plugins can slip through the cracks.

Even if a plugin is in the official directory, it is not guaranteed to be safe.

Before downloading anything from the repository, take a look at the stats listed in the sidebar on the right of the page.

Avoid downloading plugins that haven’t been updated over the last year or more, have less than a few hundred installations, or receive low ratings. 

The same is true for themes. WordPress offers some themes in the theme repository.

If, like many users, you’re looking for more variety, be sure to only purchase your themes from vendors and creators who are trusted and well-known in the community.

You should avoid “nulled” WordPress plugins and themes.

Nulled software is a term used for premium plugins distributed for free and without permission.

Besides being questionable and possibly illegal, nulled themes and plugins are a huge security risk.

Relying on a developer who is already acting unethically not to include malware in the code is about as sensible as asking a mouse to guard your cheese.

Some nulled distributors include code that causes excessive ads to appear on your site, distribute malware, or outright corrupt your database.

Plus, you won’t have access to any updates, and that can leave you vulnerable to attack when the software becomes outdated.

Disable File Editing

WordPress comes with a set of easy-to-reach theme and plugin editors.

You can find them under Appearance > Theme Editor and Plugins > Plugin Editor. These allow direct access to your site’s code.

While these tools are useful to some, many WordPress users aren’t programmers and will never need to touch anything here.

Playing around with this code without knowing what you’re doing is a sure way to break things.

If you are such a user, it’s best to just disable file editing, as hackers can use the file editor to quickly execute malicious code or delete entire parts of your website.

Disabling this slows them down.

You could also turn off the theme and plugin editors with one line of code in “wp-config.php”.

If you end up needing to edit your site or plugins, just temporarily turn them back on.

Alternatively, you can edit them via an FTP client.

Disabling file editing won’t necessarily prevent attackers from doing damage, but it can confuse less experienced hackers and stop them in their tracks.

At the very least, it’ll make it a little more difficult for them and give us more time to realize something is wrong.

You can easily do this by adding the following code in your “wp-config.php” file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin.

Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and pasting this code:

<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Disable Directory Indexing and Browsing

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information.

This is why it is highly recommended that you turn off directory indexing and browsing.

You need to connect to your website using FTP or cPanel’s file manager.

Next, locate the “.htaccess” file in your website’s root directory.

After that, you need to add the following line at the end of the “.htaccess” file:

Options -Indexes

Don’t forget to save the .htaccess file and upload it back to your site.

Disable XML-RPC in WordPress

XML-RPC was enabled by default in WordPress 3.5 because it helps to connect your WordPress site with web and mobile apps.

Because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.

But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with say 20 or 50 requests.

This is why if you’re not using XML-RPC, then we recommend that you disable it.

There are 3 ways to disable XML-RPC in WordPress.

Tip: The .htaccess method is the best one because it’s the least resource-intensive.

If you’re using a web application firewall like Sucuri or WordFence, the firewall can take care of this for you.
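As an added example (not code from the original article or from any plugin it names), the small must-use plugin below disables XML-RPC through WordPress’ own filters, either entirely or by removing only the system.multicall method that makes the amplification described above possible. WP_XMLRPC_MODE is a hypothetical constant introduced for this example.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example)
 *
 * Added example, not from the original article or any named plugin. Save as
 * wp-content/mu-plugins/restrict-xmlrpc.php so it is always active.
 * WP_XMLRPC_MODE is a hypothetical constant for this example: define it in
 * wp-config.php as 'off' (the default here) or 'no-multicall'.
 */

if ( ! defined( 'WP_XMLRPC_MODE' ) ) {
    define( 'WP_XMLRPC_MODE', 'off' );
}

if ( 'off' === WP_XMLRPC_MODE ) {
    // Full shutdown: the core xmlrpc_enabled filter makes every authenticated
    // XML-RPC method fail, so password guessing through xmlrpc.php stops.
    add_filter( 'xmlrpc_enabled', '__return_false' );
} else {
    // Selective: keep XML-RPC for apps that need it, but remove system.multicall,
    // the method that lets a single request carry hundreds of login attempts.
    add_filter( 'xmlrpc_methods', function ( array $methods ) {
        unset( $methods['system.multicall'] );
        return $methods;
    } );
}

// Stop advertising the endpoint through the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Either mode leaves xmlrpc.php reachable, so a failed login attempt against it still appears in your web server logs, which is useful for spotting who is trying.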

Strengthen Your Login Process

When someone figures out your password without resorting to exploiting the site’s code, it’s most likely a result of brute force attacks. This involves forcibly trying various combinations of letters and numbers until they get the password right.

Sometimes a potential attacker will try common combinations before moving on to programs that run an automated process trying several random password combinations per second.

If you’re beginning to feel as though you might as well give up all hope of keeping your sites secure, don’t. There are tons of ways to slow down hackers, deter, and even prevent attackers from doing things like brute force attacks.

WordPress’ default installation uses the same login path every time, making it a prime and easy target for hackers trying common or easily guessable passwords.

The reason that so many people continue to use WordPress is that many of these issues are easily fixed.

Create a Strong Login Combination

The most common WordPress hacking attempts use stolen passwords.

You can make that difficult by using stronger passwords that are unique for your website.

Not just for the WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your custom email addresses which use your site’s domain name.

Many beginners don’t like using strong passwords because they’re hard to remember.

The good thing is that you don’t need to remember passwords anymore.

You can use a password manager.

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to.

If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.

The first and most important step is to choose a proper username and password.

We could hide the login page under a different URL, but if your login is something as mundane as admin/password, it wouldn’t make any difference once hackers find it. 

Here’s a list of usernames you should definitely avoid.

  • Admin – This used to be the default username for WordPress and is, therefore, one that will definitely be tried in a brute force attack.
  • Your real name or nickname – This is both public information and as easy to guess as “admin”. In addition, it can make sense to create a separate profile without administrator rights to publish content. That way, the username of the main login does not appear on the website.
  • Any personal information – Including birthday, etc. Only use a personal detail if it’s something no one could ever know.
  • The title of your site, or something obviously related to it – “Kittens” for a cat adoption agency, etc.

You also need to choose a secure password.

The general gist of this is the same: avoid personal info, obvious choices like “password”, or anything clearly related to your website.

A good password is 10+ characters, uses a variety of characters, and avoids common words and phrases.

The best passwords are a long series of completely random letters, numbers, and symbols that no one could ever possibly guess.

Services like Secure Password Generator can help you create them.

If you have a hard time remembering your login information, consider using a service like LastPass, 1Password, RoboForm, or Dashlane.

Lock Down Your Login Page

By default, anyone can log into your website by going to yoursite.com/wp-admin.

You can stop them in their tracks by changing the URL entirely.

WPS Hide Login allows you to switch it to whatever you want. Just install it and go to the plugin settings to change it.

You should use a login path that isn’t obvious. It might deter them a little if you change it to something like /login or /new-login, but if they’re determined, they’ll figure that out pretty quickly.

Therefore, it’s better to choose something very hard to guess like /jacksparrowshideout.

Next, install a plugin to limit login attempts.

Any person can spam your server with hundreds of requests until they guess it right.

A plugin that limits login attempts will give them only a few chances before they’re locked out.

It can also detect and redirect bots away from your login page.

Alternatively, you could activate a CAPTCHA to slow them down even further.

At this point, most hackers will search for easier targets.

They can keep trying once their lockout expires, but by then we can check our audit logs, notice their attempts to get in, and issue an IP ban.

You could also try Cloudflare Rate Limiting.

This automatically detects brute force as well as DDoS attacks and blocks the offending IP address.

Add Two Factor Authentication

The two-factor authentication technique requires users to log in by using a two-step authentication method.

The first one is the username and password, and the second step requires you to authenticate using a separate device or app.

We strongly recommend setting up two-step authentication using a plugin.

Besides requiring a username and password to get in, it asks the visitor for an additional authenticator.

The most common is a verification code sent to your phone by text message.

A hacker might be able to gain access to your email, but it’s very unlikely they could steal your phone.

Most major websites, like Google, Facebook, and Twitter, allow you to enable it for your accounts.

You can also add the same functionality to your WordPress site.

First, you need to install and activate the Two Factor Authentication plugin.

Upon activation, you need to click on the ‘Two Factor Auth’ link in the WordPress admin sidebar.

Next, you need to install and open an authenticator app on your phone.

There are several of them available like Google Authenticator, Authy, and LastPass Authenticator.

We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud.

This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.

We will be using the LastPass Authenticator for the tutorial.

However, instructions are similar for all auth apps. Open your authenticator app, and then click on the Add button.

You will be asked if you’d like to scan a site manually or scan the bar code.

Select the scan bar code option and then point your phone’s camera at the QR code shown on the plugin’s Settings page.

That’s all, your authentication app will now save it.

Next time you log in to your website, you will be asked for the two-factor auth code after you enter your password.

Simply open the authenticator app on your phone and enter the code you see on it.

Add Security Questions to WordPress Login Screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the WP Security Questions plugin.

Upon activation, you need to visit the Settings > Security Questions page to configure the plugin settings.

Limit Login Attempts

By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks, where hackers try to crack passwords by logging in with different combinations.

This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.

However, if you don’t have the firewall setup, then proceed with the steps below.

First, you need to install and activate the Login LockDown plugin.

Upon activation, visit the Settings » Login LockDown page to set up the plugin.

Automatically log out Idle Users in WordPress

Logged in users can sometimes wander away from the screen, and this poses a security risk.

Someone can hijack their session, change passwords, or make changes to their account.

This is why many banking and financial sites automatically log out inactive users.

You can implement similar functionality on your WordPress site as well.

You will need to install and activate the Inactive Logout plugin.

Upon activation, visit Settings » Inactive Logout page to configure plugin settings.

Simply set the time duration and add a logout message.

Don’t forget to click on the save changes button to store your settings.

Keep WordPress Safe

An untouched installation of WordPress is open to attackers.

Neglecting security leaves you vulnerable to hackers looking to deface or delete your site, or inject it with malware.

However, a day spent installing and setting up the right security plugins and filling in all those little holes could make all the difference.

By following the advice we’ve provided, your site will be far safer from attackers.

The great part is, many of these methods are “set-it-and-forget-it” actions.

Change one setting and you won’t need to think about it for a long time.

In summary:

Pick a trustworthy host with secure servers, install an SSL certificate if you’re collecting user data, keep your website backed up and your installation and themes up to date, and make sure you have a secure login.

Do all this and hackers, especially amateur hackers, will be stopped at the gate.

Keeping WordPress Updated

WordPress is open-source software which is regularly maintained and updated.

By default, WordPress automatically installs minor updates.

For major releases, you need to manually initiate the update.

WordPress also comes with thousands of plugins and themes that you can install on your website.

These plugins and themes are maintained by third-party developers who regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site.

You need to make sure that your WordPress core, plugins, and theme are up to date.

Change the Default “admin” username

In the old days, the default WordPress admin username was “admin”.

Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.

However, some 1-click WordPress installers still set the default admin username to “admin”.

If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username:

  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin.
  3. Update the username from phpMyAdmin.

Note: We’re talking about the username called “admin”, not the administrator role.

Scanning WordPress for Malware and Vulnerabilities

If you have a WordPress security plugin installed, then those plugins will routinely check for malware and signs of security breaches.

However, if you see a sudden drop in website traffic or search rankings, then you may want to manually run a scan.

You can use your WordPress security plugin, or use one of these malware and security scanners.

Running these online scans is quite straightforward: you just enter your website URL and their crawlers go through your website looking for known malware and malicious code.

Now keep in mind that most WordPress security scanners can just scan your website.

They cannot remove the malware or clean a hacked WordPress site.

This brings us to the next section, cleaning up malware and hacked WordPress sites.

By using CloudFlare

Cloudflare is one of the best WordPress CDN and firewall services on the market.

They offer a free CDN that speeds up your website along with a suite of powerful security features for small business websites.

The challenge is that many entry-level users are not able to utilize Cloudflare because they think it is hard to set up.

In this guide, we will walk you through a complete Cloudflare setup in WordPress to help you improve your website speed.

CloudFlare automatically blocks man-in-the-middle and similar attacks.

In most cases, it automatically lists the IP address of the attacker.

Tor Browser & Tor Proxy

We have detected visitors using Tor Browser or a Tor Proxy.

Ninja Firewall has blocked some IP addresses trying to enter the root folder (“/”) of our hosting.

We have no idea what they wanted to do, but certainly not a good thing.

Hackers can use Tor as a proxy to execute their attacks; CloudFlare has a very tight policy towards Tor users.

Browser Integrity Check

CloudFlare automatically checks the browser used for hacking tools and various other things.

When CloudFlare finds an “anomaly”, a “script” or a “tool” that is not allowed, it will not let you enter the website.

Usually, CloudFlare does not take long to check the integrity of the browser, but it can take a while.

WAF & Security Plug-ins

WordPress security plugins also do their job. A plug-in can help you automate and facilitate the procedure.

Not all plug-ins really do what they say. Many “security plug-ins” don’t really protect your WordPress but slow it down and damage it.

These are security plug-ins that protect WordPress without slowing it down or damaging it.

Sucuri (Free and Paid)

Sucuri is a veteran computer security company.

Recommended by Yoast SEO, WPBeginner, WP Engine, and GoDaddy.

Sucuri is an all-in-one solution able to fully protect WordPress. We use the free version of Sucuri since we use WordPress.

We don’t use the Sucuri Firewall (also called WAF), because we use the Ninja Firewall.

Sucuri is essential to protect PHP files and the WordPress root folder.

This is part of our configuration of Sucuri Security for WordPress.

These are the results.

WordFence is one of the best anti-malware tools for WordPress, as well as one of the most used.

WordFence is an all-in-one.

We use it to fully scan WordPress for malware, infected or suspected PHP files, and so on.

The WordFence scanner checks whether the website has been blacklisted by Google, VirusTotal and others.

The WordFence scanner is also able to block unauthorized changes from plug-ins installed on WordPress, much like Android permissions.

HTTP Security Headers

HTTP security headers are response headers now used across almost the entire web.

Some of the most important ones are X-Frame-Options, X-XSS-Protection, and Referrer-Policy.

You can test your website for free on securityheaders.com.

Configuring HTTP security headers on WordPress is very easy; you simply have to install the HTTP Headers plug-in.

This is our configuration:
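The same headers can also be set without a plugin. The snippet below is an added example (not the author’s plug-in configuration) that sends them from functions.php or a small plugin using WordPress’ send_headers action. X-XSS-Protection, also named above, is left out: current browsers ignore it and it can be omitted.

```php
<?php
// Added example, not the author's configuration: send security headers on
// front-end responses. WordPress fires send_headers just before output starts.
add_action( 'send_headers', function () {
    $wanted = [
        // Refuse to be framed by other origins (clickjacking defence).
        'X-Frame-Options'        => 'SAMEORIGIN',
        // Send only the origin to other sites; the full URL stays within
        // your own origin and is never sent over a downgrade to HTTP.
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        // Stop browsers from guessing a content type other than the one declared.
        'X-Content-Type-Options' => 'nosniff',
    ];

    // Skip names already set earlier in this PHP response (for example by
    // another plugin) so the client does not get duplicate headers.
    // Headers added by Apache or nginx are not visible to headers_list().
    $present = [];
    foreach ( headers_list() as $line ) {
        $present[ strtolower( strstr( $line, ':', true ) ) ] = true;
    }

    foreach ( $wanted as $name => $value ) {
        if ( ! isset( $present[ strtolower( $name ) ] ) ) {
            header( "$name: $value" );
        }
    }
} );
```

Verify the result with the securityheaders.com test mentioned above after deploying, since a server-level rule may still add a conflicting copy.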

Changing WordPress Security Keys

What are WordPress Salt Security Keys

When a user logs in to a WordPress site, a number of cookies are created on their computer. These are used to verify the identity of logged-in users. If a hacker gets into your database or obtains your cookies, they may be able to read your password, thereby making your site vulnerable to attacks.

WordPress uses security keys and salts to give you a cryptic output that’s stored in the database or cookie, adding a layer of security to your website.

Two of these cookies are:

  • wordpress_[hash] – used only on the admin pages of the WordPress dashboard.
  • wordpress_logged_in_[hash] – used throughout WordPress to determine whether or not you are logged in.

The authentication details stored in these cookies are hashed (turned into cryptic values) using the random strings specified in the WordPress security keys. Find out more by reading: Ultimate Guide to WordPress Security Keys.

WordPress Security Tips

These are some tips to secure WordPress:

  • Hide the WordPress version

By hiding the WordPress version, you keep hackers from knowing which vulnerabilities apply to the version you run.

  • Hide the PHP and Apache version

By hiding the PHP and Apache versions, you keep hackers from knowing which vulnerabilities apply to those versions.

  • Keep WordPress and all plug-ins updated

Keeping everything up to date improves security.

  • Do not leave disabled plugins installed

Remove plug-ins you have disabled rather than leaving them installed; doing so improves your WordPress security.


Jonathan Terreo

Jonathan is a Software/Web Developer that loves blogging in the free time. He loves to upload quality content to his websites. He is a WordPress/SEO expert due to his experience.