This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
WordPress is not inherently insecure and the developers work hard to ensure breaches are patched quickly. Unfortunately, WordPress’s success has made it a target: if you can break just one WordPress installation, many millions of sites may be open to you. Even if WordPress is secure, not all themes and plugins are developed with the same level of care.
Some will attack WordPress for the challenge or to cause malicious damage. Those are easy to spot. The worst culprits sneak links into your content, place phishing sites deep within your folder structure, or use your server to send spam. Once your installation is cracked, it may be necessary to delete everything and reinstall from scratch.
Fortunately, there is a range of simple options to improve security. None of the following security fixes should take longer than a few minutes.
1. Switch to HTTPS
HTTPS prevents man-in-the-middle attacks where a third party listens in or modifies the communication between the client and the server. Ideally, you should activate HTTPS before installing WordPress but it’s possible to update WordPress settings if you add it later.
HTTPS can also boost your Google PageRank. Hosts such as SiteGround offer free SSL certificates and you can receive up to 65% off their hosting plans.
2. Limit MySQL Connection Addresses
Ensure your MySQL databases rejects connections from people and systems outside to your local server. Most managed web hosts do this by default but those using a dedicated server can add the following line to the
[mysqld] section of the MySQL my.cnf configuration file:
bind-address = 127.0.0.1
3. Use Strong Database Credentials
Use a strong, randomly-generated database user ID and password when you create your MySQL database prior to a WordPress installation. The credentials are used once during WordPress installation to connect to the database — you don’t need to remember them. You should also enter a table prefix different to the default of wp_.
The user ID and password can be changed after installation but remember to update the WordPress wp-config.php configuration file accordingly.
4. Use Strong Administrator Account Credentials
Similarly, use a strong ID and password for the administrator account created during installation. Anyone using the ID admin and password password deserves to be hacked. Consider creating another account with fewer privileges for daily editing tasks.
5. Move or Secure wp-config.php
wp-config.php contains your database access credentials and other useful information for someone intent on breaking into your system. Most people keep it in the main WordPress folder but it can be moved to the folder above. In many cases, that folder will be outside the web server root and inaccessible to HTTP requests.
Alternatively, you can secure it by configuring your web server such as an Apache .htaccess file:
order allow,deny deny from all
6. Grant Users the Lowest Role Possible
Users are the weakest point of any system — especially when they can choose their own weak passwords and happily pass credentials to anyone who asks! Few need administrative access. WordPress offers a range of roles and capabilities. In most cases, users should either be:
- an Editor: someone who can publish and manage their own and other people’s posts
- an Author: someone who can publish and manage their own posts, or
- a Contributor: someone who can write and manage their own posts but cannot publish them.
None of these roles can configure WordPress or install plugins.
7. Restrict Access by IP Address
If you have a few editors with static IP addresses, you can restrict access by adding another .htaccess file to the wp-admin folder:
order deny, allow allow from 22.214.171.124 # user 1 IP allow from 126.96.36.199 # user 2 IP, etc deny from all
8. Hide the WordPress Version Number
Some versions of WordPress have known vulnerabilities. It’s easy for anyone to discover which edition you’re using because it’s shown in the HTML
<head> of every page. Remove that information by adding the following line to your theme’s functions.php file:
9. Choose Third-Party Plugins and Themes Wisely
WordPress plugins and themes have power users can only dream of! A poor plugin can affect performance, leak private data or grant another method of access. Avoid installing code unless it’s absolutely essential. Verify a plugin’s authenticity and test on a local server before proceeding with live installation.
10. Regularly Update WordPress and Plugins
WordPress will update itself but major releases require a one-click activation process. Do it … after backing up your database and files, of course. Similarly, check for updates to themes and plugins on a regular basis.
The risk adverse should check updates on a duplicate test server before updating the live system. That said, the WordPress update process and backward compatibility rarely cause issues.
Do you have any other quick and easy WordPress security tips?
Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
Jump Start Git, 2nd Edition
Visual Studio Code: End-to-End Editing and Debugging Tools for Web Developers
Form Design Patterns