Locked door

How Do I Harden WordPress Security?

Worried about the level of WordPress security on your site? You should be.
While at its core, WordPress is no more vulnerable than any other site, the nature of the platform means everyone should take the time to harden WordPress security.

Why is WordPress Security so Important?

As mentioned, the nature of WordPress makes it attractive to hackers. So site publishers want to do all they can to protect it.

For example, any smart person who expects a mob of thieves and bullies to show up at their house will do everything in their power to make sure their home is secure. They might have a checklist that looks something like this:

  • GSDs and Dobermans guarding the perimeter
  • Motion sensors and cameras
  • State-of-the-art locks on the doors and windows

You get the idea, right?

Your website is like the homeowner trying to protect their property. With layers of security. The problem with your WP website is that hackers know they’re likely to find sites that have no protection.

According to W3Techs, WordPress is used by 64% of the sites online that use a content management system (CMS) — and that W3T monitors. And by 43% of all websites. If even a fraction of these site admins doesn’t know how to harden WordPress security, there are a lot of easy targets.

Let’s make sure you’re not one of them!

How to Harden WordPress Security – The Basics

If you have a good foundation to build on, the rest is so much easier. So let’s start with some basics first.

A Reputable Web Host

Choosing a web host can be daunting. There are a ton of companies virtually waving their arms at you saying, “Pick me!” But a good web host can be your first line of defense because they’ll be doing all they can to stop threats at the server level, not even letting them get as far as your site.

Keeping WordPress Updated

This includes your WordPress core files and all themes and plugins.

The WordPress community maintains a database of all vulnerabilities — a database available to everyone, including hackers. An exposed and published vulnerability is like advertising to thieves that you don’t lock your doors, ever.

So if you’re not keeping everything up to date, you are a prime target for hackers.

Even if you have a plugin that’s providing a necessary function, if it’s out of date and no longer maintained, find a replacement. Plugins and themes that have passed their life cycles are dangerous. They’re not just unlocked doors, they may be doors left wide open.

Usernames and Passwords

Don’t use admin as your username. Change it to something unique.

Always use strong passwords. Sure, they’re harder to remember (password managers help!), but they’re also harder to crack. And just like your username should be unique, make sure your password is, too. So only use that password on your WordPress site, and not for any other website or service.

You might also want to force administrators to regularly change their passwords.

User Permissions

It’s understood that there may be more than one person—yourself—who is updating and or maintaining your site. That means you need to trust others with an admin account and password. The good news is you can create an event log and monitor user activities that could impact security.

Going back to the homeowner analogy again, monitoring your users would be the equivalent of motion sensors and cameras on your property.

Take Action: Harden Your WordPress Security

The above details several things you should do during your initial setup. The following will share additional steps you can take after the fact.

Update PHP

If your site is running on an outdated version of PHP, it’s vulnerable. Versions older than 7.2 have a number of security issues.

Log into your control panel. Note this screenshot is from cPanel, so yours may be different.

Scroll down and find Select PHP Version and then follow the prompts to select and update to a newer version if necessary.

cPanel screenshot
Example of a cPanel screen

Install a Firewall or Security Plugin

Even if your host is doing a good job at protecting your server, it’s good practice you have your own firewall as well. Think of it as an extra layer of perimeter defense.

Again using the homeowner analogy above, your firewall would be the guard dogs at the gate.

You have a few options here.

If you’re using a WordPress security plugin, it may have a firewall as part of the package. If so, make sure you have it turned on.

WordPress security plugins that have integrated firewalls include:

  • All-In-One Security
  • BulletProof Security
  • Sucuri
  • Wordfence

If you want a standalone firewall, a few options are:

  • BBQ Firewall
  • NinjaFirewall
  • Web Application Firewall

Simple Steps to Harden WordPress

If you’re using a security plugin that doesn’t do the following, here are some further steps to take.

1. Protect Your wp-admin Directory

You can make it difficult for hackers to access your site by locking down your wp-admin folder. Regardless of what control panel your host uses, you’ll be able to access and password-protect the directory.

For specific steps, follow the guidelines of your host’s control panel.

2. Change the Default wp_ Database Table Prefix

By default, every table in your WordPress database will begin with wp_
For example:

  • wp_comments
  • wp_users

Instead, change it to something random like:

  • dkdhsf_comments
  • dkdhsf_users

The easiest way to change this is using your wp-config.php file. This is the same file you used when you initially set up WordPress. It’s found in the root of your domain, and you can access it either via FTP or your host’s file manager.

Scroll down until you see the following:

wp-config.php File in the text editor
The wp-config.php file

Now change the wp_ at the end to something else and save the file.

3. Monitor Activity and Changes

Any activity on your site that you didn’t initiate yourself could be potentially dangerous. Fortunately, there’s a plugin that will monitor activity for you.

WP Admin Audit logs an audit trail, allowing you to keep track of any and all changes on your site. Better yet, it provides you with a threat level so you know if you should take immediate action.

WordPress Security with WP Admin Audit
WP Admin Audit – Event Log

Keep Your WordPress Site Secure

Ultimately, you may prefer to use some of the plugins mentioned above to keep your site secure. Especially if you’re uncomfortable when it comes to making changes to code.

And if anyone other than yourself has access to your site, be sure to have an activity log plugin like WP Admin Audit. Why not take it for a test drive? You can find a free version on WordPress.org.