How to Secure WordPress: Advanced Guide

WordPress simplifies the creation, customization, and content management of sites, but it's also a growing target for malicious attackers. Bots crawl search results for WordPress sites, automatically discover the login page, and try default email and password combinations. As a result, it's very important to secure WordPress even if you're just a small fish in the ocean of web content.

The WordPress development team takes a lot of the burden from users when it comes to WordPress security, publishing regular patches and running a responsible disclosure program. However, with thousands of themes, plugins, and custom setups out there, it's impossible for them to account for every configuration.

As a result, it's worth doing what you can to secure WordPress on a personal level, whether it's basic tips like minimizing the number of plugins you install or the more advanced ones we'll cover below. By the end of this guide, you should have a better understanding of how to secure a WordPress site from hackers to prevent data or customer loss.

Protect Against Brute Force Attacks

As mentioned earlier, automated attacks on websites are becoming increasingly common. A 2017 study at the University of Maryland estimated a new attack occurs every 39 seconds on average. On WordPress sites, attackers tend to try what is referred to as a brute force attack – trying hundreds or thousands of username and password combinations on your WordPress login page until they find one that works.

Brute force attacks usually draw on default username and password combinations, credential lists leaked from other services, and dictionaries. A unique, strong password therefore protects you a great deal on its own, and limiting the number of times someone can attempt a login makes the attack near-impossible in combination.

The good news is that this functionality is available via several popular WordPress security plugins. Limit Login Attempts Reloaded has over a million downloads and is a particularly strong candidate due to its customizability and compliance with GDPR.

You should also consider changing the wp-login page to make it more difficult to find. WPS Hide Login is one popular option for this, but our recommendation is Loginizer security, which offers the functionality of the above plugins, plus password-less login, reCAPTCHA protection, two-factor authentication, and more.

Before you install any plugin, it's worth making a backup of your site in case of compatibility issues and searching the plugin vulnerability database to make sure it's safe.
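To show what these plugins do under the hood, here is a minimal must-use plugin that counts failed logins per client IP with WordPress transients and refuses authentication once a limit is reached. This is example code written for this guide, not code from Limit Login Attempts Reloaded or Loginizer; the limit of five failures per fifteen minutes, the sll_ prefix and the file name are assumptions. Drop the file into wp-content/mu-plugins/ and it is active immediately.

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (example)
 * Description: Locks a client IP out of the login form after repeated failures.
 *
 * Example code written for this guide; not a published plugin.
 * Save as wp-content/mu-plugins/simple-login-limiter.php (assumed file name).
 */

defined( 'ABSPATH' ) || exit;

// Assumed tunables: five failures within fifteen minutes triggers a lockout
// that lasts until the fifteen-minute transient expires.
define( 'SLL_MAX_ATTEMPTS', 5 );
define( 'SLL_WINDOW_SECONDS', 15 * 60 );

/**
 * Transient key for the requesting client, derived from its IP address.
 * Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; in that
 * case read the forwarded-for header instead, but only from a proxy you trust.
 */
function sll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_failures_' . md5( $ip );
}

/** Number of failed attempts recorded for this client in the current window. */
function sll_failure_count() {
    return (int) get_transient( sll_client_key() );
}

// Record each failed login. WordPress does not fire this hook for empty
// submissions, so merely loading the login page does not count. The transient
// expiry is reset on every failure, so the window runs from the latest failure.
add_action( 'wp_login_failed', function ( $username ) {
    set_transient( sll_client_key(), sll_failure_count() + 1, SLL_WINDOW_SECONDS );
} );

// Refuse authentication while the client is locked out. Priority 30 runs after
// WordPress's own username/password checks (priority 20), so returning a
// WP_Error here overrides a successful password match. The same filter covers
// XML-RPC logins, which go through the same wp_authenticate() path.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // nothing submitted yet; leave the page load alone
    }
    if ( sll_failure_count() >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'sll_locked_out',
            'Too many failed login attempts from your address. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter, so a legitimate user who mistyped
// their password a couple of times is not penalised on the next visit.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( sll_client_key() );
}, 10, 2 );
```

Two caveats worth knowing before relying on something like this: counting by IP locks out everyone behind a shared office or carrier NAT, which is why the published plugins also count per username and let you whitelist addresses, and transients stored in the database are only as persistent as your object cache, so a site behind a flushing cache may forget the count early.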

Enable HTTP Authentication for WP-Admin

If you want to secure WordPress even further, you can add HTTP authentication that triggers before you even reach the login page. In most cases, this will entirely cut out automated brute force attacks.

Doing so requires the creation of a .htpasswd file, but the folks at Htaccess Tools have thankfully made that easy. Simply enter the username and password you desire (this should be different to your WordPress login), select a mode, and press Create .htpasswd file. Save it as ".htpasswd".

You can then log in to your server and create a new folder in wp-admin named "htpasswd" and upload the file you made earlier in ASCII mode. You'll then need to create a new file in your wp-admin folder with the following:

# Password-protect everything under wp-admin (this is wp-admin/.htaccess)
AuthName "Admins Only"
AuthType Basic
AuthUserFile /home/public_html/wp-admin/htpasswd/.htpasswd
Require user Secur3UserName

# Themes and plugins call admin-ajax.php for logged-out visitors too, so it is
# exempted from the password prompt (Apache 2.2 syntax; on Apache 2.4 a single
# "Require all granted" inside the block does the same)
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Make sure to change the path after AuthUserFile to the full server path of your .htpasswd file, as this will differ depending on your configuration. You'll also want to change "Secur3UserName" to the username you chose earlier. You can now save the file as .htaccess.
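If you would rather not type the password into a web form, the .htpasswd entry can be generated on your own machine. The script below is example code written for this guide (not from Htaccess Tools or the Apache project); it produces the same bcrypt "$2y$" format as Apache's own htpasswd -B tool and replaces any existing line for that user. The file name, the command-line usage and the 12-character minimum are assumptions.

```php
<?php
/**
 * make-htpasswd.php: create or update an Apache .htpasswd entry locally.
 *
 * Example code written for this guide. Assumed usage:
 *   php make-htpasswd.php <username> <password> [path/to/.htpasswd]
 * Apache 2.4 with APR-util 1.5 or newer verifies bcrypt entries; older
 * servers only understand the MD5 ("$apr1$") and crypt formats.
 */

/** Build one htpasswd line ("user:hash") using bcrypt at cost 10. */
function htpasswd_entry( $username, $password ) {
    // A colon separates user from hash, so it cannot appear in the username.
    if ( $username === '' || strpos( $username, ':' ) !== false ) {
        throw new InvalidArgumentException( 'username must be non-empty and contain no ":"' );
    }
    if ( strlen( $password ) < 12 ) {
        throw new InvalidArgumentException( 'use a password of at least 12 characters' );
    }
    // bcrypt silently truncates input at 72 bytes, so refuse longer passwords
    // rather than storing something weaker than the user thinks they chose.
    if ( strlen( $password ) > 72 ) {
        throw new InvalidArgumentException( 'bcrypt passwords are limited to 72 bytes' );
    }
    $hash = password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => 10 ) );
    return $username . ':' . $hash;
}

/**
 * Write the entry, dropping any existing line for the same user, and keep the
 * file unreadable to other local accounts. The web server must still be able
 * to read it, so run this as the same account Apache reads files as.
 */
function write_htpasswd( $path, $entry ) {
    $username = strstr( $entry, ':', true );
    $lines    = file_exists( $path )
        ? file( $path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES )
        : array();
    $lines    = array_filter( $lines, function ( $line ) use ( $username ) {
        return strstr( $line, ':', true ) !== $username;
    } );
    $lines[]  = $entry;
    file_put_contents( $path, implode( "\n", $lines ) . "\n", LOCK_EX );
    chmod( $path, 0640 );
}

/** Check a candidate password against a stored entry, as Apache does per request. */
function htpasswd_verify( $entry, $password ) {
    $hash = substr( strstr( $entry, ':' ), 1 );
    return password_verify( $password, $hash );
}

if ( PHP_SAPI === 'cli' && isset( $argv[2] ) ) {
    $path  = isset( $argv[3] ) ? $argv[3] : '.htpasswd';
    $entry = htpasswd_entry( $argv[1], $argv[2] );
    write_htpasswd( $path, $entry );
    echo "Wrote entry for {$argv[1]} to {$path}\n";
}
```

Upload the resulting file exactly as the guide describes; the hash is already salted, so nothing secret leaves your machine except the file itself. Whichever way you create the entry, a quick sanity check is to open the wp-admin URL in a private browser window and confirm you are prompted for the HTTP credentials before the WordPress login form ever appears.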

Use SFTP for File Transfers

The use of FTP to transfer files to a remote site is still surprisingly common, despite its low security. Data sent over FTP isn't encrypted, which means it can be intercepted and stolen easily; the protocol is simply outdated.

Instead, you should consider using the SSH File Transfer Protocol, or SFTP. Though it functions very similarly to FTP, it ensures your password and files are encrypted between your PC and the server. You can still use popular applications like FileZilla to do so, which we'll have a guide on very soon.

Secure the wp-includes Folder

Protecting your file transfers is a smart move, but so is securing the folders that genuine users rarely have a reason to access. There are scripts in the wp-includes folder that aren't intended to be requested directly, and if a vulnerability is found in one of them, this can offer hackers a way into your site.

Thankfully, it's quite easy to lock these folders down via your host's .htaccess file, which is usually found in the root of your WordPress site. Add the following code outside the # BEGIN WordPress and # END WordPress markers, for example at the start of the document:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Block direct requests to the admin include scripts
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes skip the three rules that follow
RewriteRule !^wp-includes/ - [S=3]
# Block direct requests to PHP files at the top level of wp-includes
# (omit this one rule on a Multisite install, where it would block ms-files.php)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress

With the rules in place, requesting /wp-includes/version.php on your site directly should return a 403 Forbidden response, while the rest of the site loads as before.

Turn Off File Editing

In a similar vein, you can secure WordPress by disabling file editing from the dashboard more generally. Rather than editing PHP, theme, or plugin files via the web interface, it's recommended to use a text editor on your local PC and upload the changes via SFTP.

The result is that an attacker will find it more difficult to discover a point of access and will have a slightly harder time causing serious damage if they do get in. You can disable file editing in WordPress quite easily by editing your wp-config.php file to include the following line:

define('DISALLOW_FILE_EDIT', true);

Closing Tips

Though many attackers say they aren't too fazed by firewalls these days, a firewall can still be a great way to secure WordPress further. It restricts access at the Apache level, before WordPress processes the request.

Once again, the strength of WordPress here is that you can get a plugin to do it all for you. Wordfence is very popular and provides other security options, but Defender Security and All In One WP Security are also good options.

Finally, a reminder to back up your WordPress site regularly. This protects you from data loss, and also ensures you can purge your entire server and restore a secure WordPress version from scratch.

Alternatively, sign up for BitLaunch for secure WordPress hosting and automated backup functionality.