Hardening WordPress: Step-by-Step Guide + WordPress Security Checklist

A 2021 report found that nearly 50% of businesses lack a formal plan to respond to a cyber-attack.

Do you have a plan in place?

The benefits of improving your website security include safeguarding your website from hackers, preventing SEO penalties or serious legal issues, and gaining trust from your website visitors.

If your website is powered by WordPress, we’re going to walk you through our top 20 tips for hardening WordPress security.

We’ll also provide you with a WordPress security checklist and detail our web developers’ maintenance services for your WordPress website.

What Is WordPress Hardening?

WordPress hardening is the process of securing a WordPress website by implementing various measures to prevent data breaches or cyber-attacks.

The security measures involved in WordPress hardening are a combination of technical configurations and best practices, to reduce the risks of vulnerabilities that can compromise your website’s integrity, confidentiality, and availability.

How To Secure Your WordPress Website

According to a recent survey by WordPress, just 61% of websites on the platform are up to date with the latest version, meaning that the remaining 39% are at risk of security vulnerabilities.

Your website’s security is not only important when it comes to keeping your business data safe — it’s also a vital part of building trust and credibility with your website visitors. This is one of the main questions businesses ask when evaluating WordPress.

Here are our top 20 tips for hardening WordPress security:

1. Use Strong Passwords

According to a recent “Worst Passwords” report, commonly used passwords such as “123456” and “password” are still prevalent among internet users.

One of the simplest things you can do to improve security on your website is to use unique, complex passwords for all user accounts, including your WordPress admin account.

To create a strong password:

• Use uppercase and lowercase letters, numbers and symbols
• Avoid using personal information, such as your name, address or birthdate
• Use a password that’s at least 8 characters long

2. Enable Two-Factor Authentication

Two-factor authentication adds an extra layer of security to your WordPress login by requiring a second form of authentication, such as a code sent to your phone or an authentication app.

Using a plugin such as Wordfence can enhance your login security levels.

3. Limit Login Attempts

Limiting login attempts can prevent brute force attacks, where hackers try to guess your password by repeatedly attempting to log in.

Use a plugin such as Limit Login Attempts Reloaded that limits the number of login attempts, or a web application firewall that can block suspicious login attempts.

4. Set Alerts For Suspicious WordPress Logins

Monitoring your website for suspicious logins can help you detect and prevent attacks.

Use a plugin such as Login SMS Alert that sends you alerts when a user logs in from an unfamiliar location or IP address.

5. Auto Logout Inactive Users

Automatically logging out inactive users can help prevent unauthorized access to your account. Use a plugin such as Inactive Logout that logs users out after a specified period of inactivity.

6. Keep WordPress Plugins Updated

It’s important to make sure you are always running the latest version of WordPress and all plugins installed on your website, as outdated software can be vulnerable to security threats.

In addition to security patches and bug fixes, updates can also include new features and functionality.

To identify outdated plugins:

• Log in to your WordPress dashboard
• In the left-hand menu, click on “Plugins”
• Check for an update notification next to the plugin list
• Click on “Update Now” next to the plugin to update to the latest version

7. Remove Unnecessary Plugins

Remove any unused or outdated plugins and themes from your website, as they can pose a security risk if they contain vulnerabilities or backdoors.

To check for unnecessary plugins:

• Identify which WordPress plugins are necessary for your website’s functionality
• Evaluate plugin performance and check compatibility with your WordPress version and theme
• Remove unused plugins that serve no purpose or duplicate other plugins’ functionality

Having too many plugins can also slow down your WordPress site.

8. Install Security Plugins

Install security plugins such as Sucuri, or iThemes Security to detect and prevent brute-force attacks, malware infections, and other security threats.

9. Install An SSL Certificate

SSL (Secure Sockets Layer) is a security protocol that encrypts data transmitted between a web server and a user’s browser.

By installing an SSL certificate, you can ensure that all data exchanged between your website and its visitors is secure and protected from interception by third parties.

When a website has an SSL certificate, a padlock icon appears in the browser’s address bar, indicating that the website is secure. Check out the lock icon on our website’s homepage, below:

10. Disable File Editing

Disable file editing in WordPress to prevent attackers from modifying critical files on your website.

You can do this by adding the following code to your wp-config.php file:

define(‘DISALLOW_FILE_EDIT’, true);

11. Disable User Registration

To prevent public users from registering on your WordPress website, registration is typically disabled by default.

However, to confirm that user registration is disabled, go to the Settings > General page in your WordPress dashboard area, navigate to the Membership section and make sure that the checkbox next to “Anyone can register” is not selected.

12. Set File Permissions

Set file permissions to restrict access to critical files on your website. Set permissions to the minimum required for each file and folder, and ensure that sensitive files are not publicly accessible.

The recommended file permissions for WordPress are:

• Directories: 755
• Files: 644
• wp-config.php: 400

13. Backup Your Website Regularly

Backup your website regularly to ensure that you can restore it in case of a security breach or other unexpected event.

One of the easiest ways to back up your data on WordPress is to install a backup plugin, such as BlogVault or Updraft Plus.

If you prefer to perform a manual backup, access your website’s files through an FTP client, and copy all the files to a safe location. You can also use phpMyAdmin to export your database.

14. Change Security Keys

WordPress uses security keys to encrypt data stored in cookies.

These keys add an additional layer of security to your website and help prevent attackers from gaining access to sensitive data.

WordPress generates these keys automatically during installation, but it’s important to change them regularly to ensure maximum security.

To generate new security keys, you can use the WordPress API or generate them manually. To generate them manually, add the following lines of code to your wp-config.php file:

• define(‘AUTH_KEY’, ‘put your unique phrase here’);
• define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
• define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
• define(‘NONCE_KEY’, ‘put your unique phrase here’);
• define(‘AUTH_SALT’, ‘put your unique phrase here’);
• define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
• define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
• define(‘NONCE_SALT’, ‘put your unique phrase here’);

Be sure to replace “put your unique phrase here” with new WordPress keys and if you decide to use the codes here you can generate WordPress keys.

15. Secure Wp-Admin

The wp-admin folder is the most sensitive area of your WordPress installation, as it contains your dashboard and administrative functions.

Protect this folder by using strong passwords, limiting login attempts, using two-factor authentication, and restricting access to certain IP addresses — only those associated with approved users, like you and your team members.

16. Limit Access To Your WordPress Files

Limiting access to your WordPress files is an important step in hardening your WordPress site’s security.

This involves restricting access to sensitive files such as wp-config.php, .htaccess, and the wp-content folder.

These files contain important information about your site’s configuration, login credentials, and sensitive data such as user data and payment information.

One way to limit access to these files is by modifying the file permissions on your server.

By default, WordPress files are set to readable by anyone on the server. However, you can change the file permissions to restrict access to these files to specific users or groups.

17. Change The Default WordPress Login URL

By default, the WordPress login page is located at /wp-admin.

This makes it an easy target for cyber-attacks.

The easiest way to change your WordPress Login URL is by using a plugin.

You can install and activate the WPS Hide Login plugin from the WordPress repository.

Once you have activated the plugin, go to Settings > WPS Hide Login in your WordPress dashboard.

In the WPS Hide Login settings, look for the “Login URL” field. Enter a new URL that you want to use as your login page. This can be anything you like, such as yourdomain.com/mylogin or yourdomain.com/customlogin.

18. Delete The Default WordPress Admin Account

The default admin account in WordPress has a predictable username and is a common target for attacks.

Delete this account or change the username to something more unique, to increase your website’s security.

Before you delete the default admin account, make a duplicate administrator account with the new username so you’re able to gain access to the website from the new account.

19. Log User Activity

Logging user activity can help you track changes made to your website so you can identify suspicious activity.

A plugin for logging activity can send you alerts and notify you of any unusual website behavior.

20. Limit WordPress User Permissions

Limiting user permissions can help prevent both accidental and intentional changes to your website.  

Only give users the permissions they need to perform their specific tasks and avoid giving anyone full administrative access unless necessary. 

Why Harden Your WordPress Website?

There are several reasons why you should harden your WordPress website:

1. Protect Your Website From Security Threats

Websites are regularly targeted by hackers and malware, and without proper security measures in place, your website can become vulnerable to attacks.

By implementing security measures such as firewalls, anti-virus software, and strong passwords, you can safeguard your website from security threats and prevent unauthorized access.

These security measures can also help you detect and respond to security breaches quickly and efficiently, minimizing potential damage.

2. Ensure Data Privacy

If your website collects sensitive user data, such as login credentials or payment information, hardening your WordPress site is crucial to ensuring that this data remains secure and private.

Data breaches can cause significant harm to your business, customers and brand reputation, leading to loss of trust and credibility.

By implementing security measures such as encryption, access controls, and secure hosting, you can protect user data from unauthorized access and theft.

Ensuring data privacy can also help you comply with data protection regulations such as GDPR and CCPA, so you can avoid legal penalties and reputational damage.

3. Boost Website Performance

Implementing security measures can also improve the performance of your website. Resource-intensive attacks, such as Distributed Denial of Service (DDoS) attacks, can slow down your website and cause it to crash.

By preventing these attacks through security measures, such as Content Delivery Networks (CDNs) and caching, you can ensure that your website runs smoothly and provides a positive user experience.

Additionally, a secure website can improve your search engine ranking, as search engines prioritize secure websites in their search results. This can lead to increased traffic and improved business outcomes.

Hardening WordPress Security Checklist

With the steps we mentioned above, we conducted a final checklist for you to go through if you’re planning on hardening your WordPress site.

• Use Strong Passwords
• Enable Two-Factor Authentication
• Limit Login Attempts
• Set Alerts For Suspicious WordPress Logins
• Auto Logout Inactive Users
• Keep WordPress Plugins Updated
• Remove Unnecessary Plugins
• Install Security Plugins
• Install An SSL Certificate
• Disable File Editing
• Disable User Registration
• Set File Permissions
• Backup Your Website Regularly
• Change Security Keys
• Secure wp-admin
• Limit Access To Your WordPress Files
• Change The Default WordPress Login URL
• Delete The Default WordPress Admin Account
• Log User Activity
• Limit WordPress User Permissions

Explore Our WordPress Hardening Services

As a full-service agency specializing in WordPress web design and web development, we also offer comprehensive WordPress hardening and maintenance services to help keep your website secure and updated around the clock.

Our services include WordPress software updates and backups, security plugin installation and configuration, server hardening, and regular website maintenance.

If you’re not comfortable with the technical aspects of securing your WordPress website, outsourcing to a professional agency for WordPress maintenance and hardening services is the ideal solution.

Partnering with us will ensure that your website is properly secured and maintained 24/7, so you can focus on running your business.

Gary Kuznetsov

Head of Development

With experience in expanding technical expertise, Gary spearheads the adoption of modern software development standards and technologies at Digital Silk. He is a Certified Laravel Developer, specializing in developing complex B2B and B2C platforms, and focuses on identifying and implementing technology trends that support the future success of businesses.