How To Apply WordPress Security Hardening Settings to your site

Nobody wants to be included in the long list of famous data breaches all over the world due to poor security. However, as more business is moved online and the world's digital revolution continues, hacking is becoming more lucrative. So as these attacks continue to increase and change, it is important to beef up your website's armour now.

WordPress websites are a good target for hackers and malware because it is such a popular platform and so many WordPress websites are neglected and insecure. Because of this, there are more attacks targeted to WP, making security a vital part of WordPress maintenance.

What Are WordPress Security Hardening Settings?

There are a bunch of default settings and capabilities built into WordPress which make the platform more flexible and adaptable but are not necessary or if kept default are more easily targetted by attacks.

  1. Delete the default WordPress readme text file

    The WordPress root directory has a readme.txt file which can sometimes reveal sensitive information and is not necessary for the website to function. This is usually generated when new versions of WordPress are installed. It is safer to delete this.

  1. Change the primary user from the name 'admin'

    The default primary user on the site will be called ‘admin’ it is a lot easier to brute-force attack a website is you know the username. Change this to something unique.

  1. Block php files and changes from wp-includes

    This folder contains the core files and folders that are used for WordPress, this generally should not be edited, and no additional php should be added, so blocking this prevents malware from messing with your website’s core. In some cases, however, plugins or functions may need this access so don’t do this without knowing if it will stop your website from functioning properly.

  1. Secure your wp-config.php file by blocking access in htaccess

    This file stores the keys and rules for connecting to the website database, so this is a prime target for attacks. You can deny access to the file in your htaccess file.

  1. Disable XMLRPC

    XMLRPC is used to allow third-party apps to interact with your website, if you are not actively using this function, it is better to disable it as it is a common target for attacks.

  1. Change the WordPress login page address

    By default, WordPress uses a predictable URL for login (/wp-login.php), making it easy for hackers to find and target your login page. By changing the address to something unique, you throw them off the trail.

Other essential security tips for WordPress websites

  1. Keep your software up-to-date:

    Make sure that your WordPress core, theme & plugins are always updated with the latest security patches and bug fixes. Outdated software can make your site more vulnerable to attacks.

  1. Use strong passwords and two-factor authentication:

    Passwords are the first line of defence for your website. Make sure that you and your users are using strong passwords that are long and include a combination of uppercase and lowercase letters, numbers, and special characters. Consider using a password manager like LastPass to generate and store strong passwords. It is also best you set up two-factor authentication to prevent unwanted logins.

  1. Add Security Headers:

    Security headers control interaction between the user's browser and your website, making it more difficult for malware to spread. Learn more about Security Headers here.

  1. Limit user access and only give permissions to trusted individuals.

    Limiting users means choosing only trusted people to access your website. This will reduce risk exposure, protecting your business and your customers.

  1. Use security plugins to detect and prevent threats.

    The earlier you spot the threat, the quicker you can stop the attack. Initially, you should have a web application firewall (WAF) that acts as a shield protecting your website from common attacks. Further, security plugins can limit and block malicious IP addresses especially when they exceed the threshold. Security plugins also provide complete security reports for your site.

  1. Backup regularly:

    Regular backups ensure that you can restore your website quickly in case of a security breach or other disaster. Choose a safe location, like Dropbox, to store these backups.

By implementing stronger website security, you can eliminate brute force attacks and reduce the success of hackers and fraudsters, safeguarding your site and continuing to focus on growing your business.

If you need help with your WordPress website's security, you can get our Security Hardening service HERE (discount available for existing clients) or check out our monthly Security Management plan.