An Ultimate Guide of 27 WordPress Security Steps for FREE

Why do I have to worry about securing my WordPress website?

WordPress is a wonderful platform, and in general it is pretty secure from the everyday average Joe. We use WordPress daily for our clients, and it would be absent-minded of us not to consider our clients’ website safety beyond what WordPress already offers. What you have to be aware of are the inevitable WordPress “vulnerabilities” that are likely to arise from time to time. These vulnerabilities are what need to be addressed to keep your data, and your customers’ and visitors’ data, safe. Statistically, 30,000 new websites are hacked each day, so it isn’t a question of IF you will get hacked but WHEN, if you don’t secure your website now. I’m giving you 25 steps on how you can secure WordPress for FREE, right here. You’ve got no excuses now!!

All of these steps are tried and true, too. We do all of the below and more for our current clients that have managed services with us. We know they work; we’ve tested them and found ourselves very satisfied.

Why do hackers want to hack my website anyway?

There are ALWAYS going to be people out there that want what you got. It’s sad but it’s the truth. Your little space on the web is no different. In fact, there are so many things that someone can do with your website, that I could write another post (or two) on it as well. For now, I’ll just link this great article instead.

Why is my website being targeted?

Unless you have someone with a vendetta against you, someone is probably NOT going to target you specifically. Typically a hacker doesn’t just sit around looking for the weakest link on the web either. Instead, they attack a hosting company and try to hack their servers. For instance, if the server you are hosted on is a shared server, there are a lot of websites on that server with you and a lot of potential suckers for those hackers to hack. What’s that old saying again? Kill two birds with one stone? Yeah, it’s that same concept.

Attacking a server lets a hacker go after multiple sites at once, and if they get into yours, that’s a win for them. Luckily your website host usually offers a few things to help keep your site secure. WordPress itself is also under constant development in response to security risks that are found daily. Even this, though, is not enough to keep the bad guys out. Ultimately there is a bit more you need to do to secure and harden your website against attackers.

We personally use SiteGround for all of our customers’ websites. They take extra care to help secure your site. SiteGround tested WordPress and Joomla related vulnerabilities that had been announced publicly more than one month before the test: on all 12 tested hosts, both vulnerabilities were still exploitable with no problem, while at SiteGround both were patched at the server level within 48 hours of their public announcement (the WPTouch vulnerability patch and the VirtueMart vulnerability patch). SiteGround also has site isolation for their shared hosting environment, free SSL, and a free Cloudflare account. If you upgrade your Cloudflare plan you can take advantage of its firewall. Check out our affiliate link if you’re looking for a good host for WordPress.

What causes WordPress security risks?

Let’s start out with a few quick things you can do to help safeguard yourself from hackers. These are maintenance items that should be done anyway. If you don’t have someone helping with your website’s MONTHLY maintenance, then you had better be doing these yourself. Otherwise, it isn’t a question of IF you are going to be hacked, it’s when.


1. Keep your WordPress version up to date

If you are hosted on SiteGround, this is something you can turn on in your SiteGround account so that it will automatically update the WordPress version for you. If you’re a managed service client of ours, we will always turn it on for you.

2. Keep your WordPress backed up

It’s always a very good thing to have a backup of your website, especially if you’ve been compromised and need to clean your hacked site. You’re looking at close to $200 to $300 to clean a simple website, more if you have an e-commerce website. It takes a lot of man-hours checking all your files for malicious code to get it clean again. Restoring a clean backup, however, is MUCH easier. SiteGround can turn this on for you automatically. Depending on your plan, you will have anywhere from one backup to 30 days’ worth of backups at your disposal.

3. Keep your Plugins up to date, all the time

Plugins are one of the items that really should be checked daily. You need to keep them up to date to fix vulnerabilities as they arise. Plugin developers push out new versions each time they need to take care of a known WordPress vulnerability.

4. Have secure usernames and passwords

Make sure you and your site users all have secure passwords. Don’t allow them to use their names, their emails or anything similarly guessable as their passwords. Don’t allow simple usernames like “admin” to be used either. An easy way to enforce this is to use a plugin called Force Strong Passwords. There are a lot of plugins out there that do the same exact thing. Pick your favorite and feel more secure knowing that’s one thing down.

5. Install a security plugin

Wow, there are so many of these out there! We will give you our suggestions on our favorites and then move on. These security plugins all do different things. For simple security (before a hack) we recommend using iThemes Security. iThemes Security will do a Security Check, ensuring your site is using the recommended features and settings; configure some global settings; block snoopers trying to look at pages they shouldn’t; ban IPs that are attacking your site; create backups of your site; monitor for file changes; enforce strong passwords (so you don’t need a separate plugin for it); and so much more.

6. Limit login attempts

Limiting login attempts to your website can help stop brute force attacks on your site. We recommend installing the plugin Cerber Security for this. It does a lot more than just limit login attempts as well!

7. Kick out users that leave themselves logged in.

This can be a big security risk, so it is best to log out forgetful users. For this, we recommend the plugin Idle User Logout.

8. Add some login security questions for a 2-factor security measure

For some added peace of mind, you can also add some custom questions for the login page. Try out WP security questions.

9. Use SSL to encrypt data

This should be a given today, but you really should have an SSL certificate for your site. It not only helps with security but also helps your Google rankings for your SEO! So implementing an SSL (Secure Sockets Layer) certificate is a must. SSL ensures encrypted data transfer between user browsers and the server, making it difficult for attackers to eavesdrop on the connection or spoof your info. SiteGround users get this for free, by the way…

10. Change Login URL address

Keeping the default /wp-admin or /wp-login.php for logging in makes it easy for others to reach the login screen and test out whatever usernames or passwords they want. When hackers know the direct URL of your login page, they can try to brute force their way in. They have these really cute databases full of commonly used usernames and passwords like “admin” or “administrator” or “my login”, etc., and will hit your site with some code to try them all. Changing the direct URL can help prevent this. The Cerber Security plugin mentioned above can help you make these changes. DON’T forget that new URL though. If you do, there is NO getting back into that site!

More advanced methods of securing your WordPress site, but STILL FREE.

For the following, you may need access to your host’s files. You can do this by logging into your host to get access to cPanel, or by using a simple FTP connection. We recommend FileZilla as your free FTP software (use SFTP or FTPS rather than plain FTP where your host supports it, since plain FTP sends your password in the clear).

11. Clean up and harden the wp-config.php file.

Add this to the BOTTOM of the wp-config.php file:

## Disable editing of theme and plugin files in the dashboard
define('DISALLOW_FILE_EDIT', true);
## Allow automatic core updates
define( 'WP_AUTO_UPDATE_CORE', true );

12. Cleaning up and hardening the .htaccess

I have a template that I use for this because there are multiple things that you can do here. I paste it in each time I do a site and it goes live. I’m going to break down what each of these accomplishes, but here is the template to start out with. Keep in mind that ALL of the following code goes in your site’s root .htaccess file.

The following block isn’t for security, but I put it here so you don’t just copy all your code and replace it with what’s below. When working with WordPress, that snippet is the only .htaccess code that is actually required by WordPress, and even then it’s only necessary if you are using so-called “pretty permalinks” on your site. If you see something else in there that you can’t figure out the origin of, that could be something you don’t want.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

13. Protecting the include-only files from being accessed

There are some files in WordPress that nobody has any business accessing directly, including you. Luckily we can simply block access to those files with this bit of code. Make sure the code below is not overwritten by WordPress by placing it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file; WordPress can overwrite anything between those tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

14. Protect yourself against XSS attacks

Here we are going to add an X-Security Header to help protect against XSS attacks. X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the “XSS Filter” of IE8, which prevents some categories of XSS attacks.

# X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

15. Protect against page-framing and click-jacking

Here we are adding another header, X-Frame-Options, to your server responses to help protect against page-framing and clickjacking. It tells browsers not to render your pages inside a frame on another site, which is how clickjacking tricks visitors into clicking things on your site without realizing it.

# X-Frame-Options
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>

16. Do away with the ability to do content-sniffing

Here we add the X-Content-Type-Options header to your server responses to disable content-sniffing. Most modern web browsers understand this header and will use it to enforce the declared MIME types for all loaded resources (e.g., CSS, JavaScript, fonts, images, video, etc.) rather than guessing a type from the content.

# X-Content-Type nosniff
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>

Steps 14-16 can be combined to look like the following.

I separated them to give a clear example of what each one does. For these three steps we have to give credit to for putting it out there; you can check out their website for the details.

# Extra Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>
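To confirm that steps 14-16 actually took effect, here is an added check (my own example code, not from the original post or any plugin) that takes a response’s headers as (name, value) pairs and reports each of the three headers as ok, missing, duplicated or carrying an unexpected value. It also flags a repeated X-Frame-Options value, which `Header append` can produce on pages where WordPress already sends that header itself (the login and admin screens); the sample responses below are constructed, and the header names and values are the ones this guide sets.

```python
# The three headers steps 14-16 add, with the values this guide sets.
EXPECTED = {
    "x-xss-protection": "1; mode=block",   # legacy header: only older browsers act on it
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

def check_security_headers(headers):
    """Map each expected header to "ok", "missing", "duplicated: ..." or
    "unexpected value: ...". `headers` is a list of (name, value) pairs as read
    off the wire, so a header sent twice stays visible; names match case-insensitively."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value.strip())
    findings = {}
    for name, want in EXPECTED.items():
        values = seen.get(name)
        if not values:
            findings[name] = "missing"
        elif len(values) > 1 or "," in values[0]:
            # A repeated or comma-joined value is not handled consistently across
            # browsers (older ones treated it as invalid and ignored the header
            # entirely), so anything but a single clean value is reported.
            findings[name] = "duplicated: " + "; ".join(values)
        else:
            got = values[0]
            if name == "x-frame-options":
                ok = got.upper() in ("SAMEORIGIN", "DENY")
            else:
                ok = got.replace(" ", "").lower() == want.replace(" ", "").lower()
            findings[name] = "ok" if ok else "unexpected value: " + got
    return findings

def all_ok(findings):
    """True when every expected header is present exactly once with a good value."""
    return all(v == "ok" for v in findings.values())

# Constructed sample responses (not captured from any real site).
HARDENED = [
    ("Server", "Apache"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
]
BROKEN = [
    ("Server", "Apache"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "SAMEORIGIN"),   # sent twice, e.g. WordPress plus Header append
    ("X-Content-Type-Options", "NoSniff"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("broken", BROKEN)):
        print(label, check_security_headers(hdrs))
```

Run it against the headers of both your home page and /wp-login.php, since the second is where WordPress adds its own X-Frame-Options and a duplicate would show up.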

17. Disable Access to XML-RPC File Using .htaccess

WordPress comes with a file called xmlrpc.php. This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third-party apps, you should disable this feature. If you are using one, however, blocking it could break your site. Test your site before, to make sure it works. Add the code, then test it again. If all works well you are good to go. If it crashes, go back in and remove this code. To safeguard yourself, at the end put your own IP address where it says “YOUR-IP-ADDRESS-HERE” to keep it from affecting you, and repeat the same allow from YOUR-IP-ADDRESS-HERE line if you have to add a second or third IP address too.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from YOUR-IP-ADDRESS-HERE
</Files>

18. Protect your wp-config.php file

In WordPress, wp-config.php is the file where your hosting, database and other important credentials are saved, so it is also important to restrict unauthorized access to this file. This can help with that. Again, to safeguard yourself, at the end put your own IP address where it says “YOUR-IP-ADDRESS-HERE”, adding a new allow line for a second or third IP address to whitelist.

# Protect wp-config.php
<Files wp-config.php>
order deny,allow
deny from all
allow from YOUR-IP-ADDRESS-HERE
</Files>

19. Block any and all Author Scans in WordPress

This is yet another form of brute force attack. The attacker first runs author scans on a WordPress site (requests like ?author=1, ?author=2 and so on, which WordPress redirects to that author’s archive page and thereby reveals the username), then attempts to crack passwords for those usernames. Use the following code to stop that in its tracks.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans
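Steps 17 and 19 both block traffic that you can also spot in your access logs, before and after the rules go in. As an added example (my own code, not part of the original guide or any plugin), this Python script parses Apache combined-format log lines, applies the same case-insensitive author=\d+ test to the query string that the rewrite rule applies, and counts POSTs to xmlrpc.php per client IP; the log lines and the threshold of five POSTs are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Apache "combined" log format; we only need the client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Same test the .htaccess rule applies to %{QUERY_STRING} with the [NC] flag.
AUTHOR_RE = re.compile(r'author=\d+', re.IGNORECASE)

def parse_line(line):
    """Return the matched fields as a dict, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_probes(lines, xmlrpc_threshold=5):
    """Return {ip: {"author_enum": n, "xmlrpc_posts": n}} for client IPs whose
    requests look like author enumeration or repeated xmlrpc.php login attempts."""
    counts = defaultdict(lambda: {"author_enum": 0, "xmlrpc_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["path"].partition("?")
        if AUTHOR_RE.search(query):
            counts[rec["ip"]]["author_enum"] += 1
        elif rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            counts[rec["ip"]]["xmlrpc_posts"] += 1
    return {
        ip: c for ip, c in counts.items()
        if c["author_enum"] > 0 or c["xmlrpc_posts"] >= xmlrpc_threshold
    }

# Constructed sample log lines (not from a real server); the addresses come from
# the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"',
] + [
    '198.51.100.42 - - [10/Oct/2023:14:%02d:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"' % i
    for i in range(6)
]

if __name__ == "__main__":
    for ip, c in find_probes(SAMPLE_LOG).items():
        print(ip, c)
```

A single legitimate xmlrpc.php call (the Jetpack-style line) stays below the threshold, which is the point of counting per IP rather than alerting on every hit.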

20. Disable Directory Browsing

It’s best to disable directory browsing. With directory browsing enabled, hackers can look through your site’s directory and file structure to find a vulnerable file. This is also the last bit of code we recommend adding to the .htaccess file. Simply put the following line at the very end of the file:

Options All -Indexes

Remember to add all of the .htaccess code tips above separately, testing after each step, as some might break your site. It all depends on the theme and plugins you’re using.

21. Review and reset the default file permissions

To strengthen security on some of your WordPress files, we need to change their permissions. You can do this in your website’s cPanel on your host. We recommend the following:

- All folders should be set to 755
- Files should be set to 644
- wp-config.php to 444
- .htaccess to 444
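To audit the permissions listed above rather than eyeballing them in cPanel, here is an added Python script (my own example, not from the original post) that walks a site directory, reports every file or folder whose mode differs from 755/644 (444 for the wp-config.php and .htaccess in the site root), and can apply the expected modes; build_demo_tree() creates a constructed mini site in a temporary directory with two deliberately wrong modes so you can see the output.

```python
import os
import stat
import tempfile

# Target modes from step 21 of this guide.
DIR_MODE = 0o755
FILE_MODE = 0o644
SPECIAL = {"wp-config.php": 0o444, ".htaccess": 0o444}  # the copies in the site root

def expected_mode(root, path, is_dir):
    if is_dir:
        return DIR_MODE
    name = os.path.basename(path)
    if name in SPECIAL and os.path.dirname(path) == root:
        return SPECIAL[name]
    return FILE_MODE

def audit_permissions(root):
    """Walk `root` and return [(relative_path, actual_mode, expected_mode)] for
    every file or directory whose mode differs from the guide's values."""
    root = os.path.abspath(root)
    deviations = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue  # a symlink carries no meaningful mode of its own
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(root, path, is_dir)
            if actual != want:
                deviations.append((os.path.relpath(path, root), actual, want))
    return deviations

def fix_permissions(root):
    """Apply the guide's modes to every deviating entry; returns how many changed."""
    devs = audit_permissions(root)
    for rel, _actual, want in devs:
        os.chmod(os.path.join(root, rel), want)
    return len(devs)

def build_demo_tree():
    """Constructed mini site in a temp dir with two deliberately wrong modes."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("index.php", "wp-config.php", ".htaccess", "wp-content/uploads/a.jpg"):
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), FILE_MODE)
    for rel in ("", "wp-content", "wp-content/uploads"):
        os.chmod(os.path.join(root, rel), DIR_MODE)
    # .htaccess gets its correct 444; wp-config.php and uploads/ are left world-writable
    for rel, mode in ((".htaccess", 0o444), ("wp-config.php", 0o666), ("wp-content/uploads", 0o777)):
        os.chmod(os.path.join(root, rel), mode)
    return root
```

Point audit_permissions() at your real document root first and read the list before calling fix_permissions(), since a host that runs PHP as a different user may need other modes on the uploads folder.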

22. Remove unnecessary files

The following files should just be removed, to keep attackers from using or altering them:

- readme.html
- install.php (in wp-admin)
- license.txt

23. Add blank index.php files where needed

Adding a blank index.php can help keep directories from being listed or hit with malicious file uploads. We recommend adding the file in each of the following directories:

- wp-includes
- wp-content
- wp-content/plugins
- wp-content/themes
- wp-content/uploads

24. Password protect your admin area

This is a very good thing to do. It adds an extra password for anyone who wants to access the admin area of the website. If you have done all the steps above, this gives your site a 3-step verification process. This step has to be done inside your host’s cPanel. How to do this is up to your host, so you will probably need to Google how to do it for the host you’re currently using.

25. Change your database prefix from wp_ to something new.

Your WordPress database is going to get targeted as well. Attackers target various database tables with automated scripts, SQL injection, and other malicious code, so it is critical to protect your database and keep recent backups (as said before). You can change your site’s default database table prefix to something obscure and difficult to guess. You can either do this before the install, using the WordPress installer tool your website host provides (most give this option these days), or you can get into your wp-config.php file and do it there. If you do it AFTER WordPress is already installed, you’ve got to rename all the current database tables too. I’m not getting into that, but here is a great blog post on it!

26. Monitor your files constantly

If something does get changed in a file on your website, you aren’t going to know it unless you are monitoring. You can EASILY monitor changes to the website’s files via plugins. iThemes Security, for instance, does this. I also find that Wordfence and Sucuri do a great job of this too.

27. Remove your WordPress version number

I have one final EXTRA security tip for you, and that is to remove your WordPress version number. It can be found very easily and is basically sitting right there for hackers to learn which version of WordPress you use. This makes it easier for them to know which vulnerabilities you have, which they can exploit to pull off the perfect attack. You can easily hide your WordPress version number with almost every security plugin I mentioned above.

Some final thoughts

Well, wow, right? There is a LOT you can do to help secure your sites better. All of this information is free and out there on the web; we just put it in ONE spot for you. You’re welcome! This is most of what we do for every client once a site is launched, with a few extra things here and there that change with the times.

Oh, What if you are already hacked??

Check out this link here for a GREAT short-and-to-the-point-guide on what to do if you are already hacked.

Leave us some love below and let us know if we left anything out we should have added! Thanks for the read!