Hardening your WordPress site is one of the most effective ways to protect it from the common, largely automated attacks that target WordPress installations. There are several approaches, and some of them are not compatible with particular plugins, themes, or hosting services, so always test the site after each change. Below are several strategies to harden your WordPress website.
- Security improvement performed through the Sucuri Security plug-in.
- Security improvement performed without the Sucuri Security plug-in.
Security improvement performed through the Sucuri Security plug-in
The plugin's Hardening tab offers the following options:
1. Verify WordPress is up-to-date
- You should always back up your site before making any changes.
- Log in to WordPress.
- Go to Sucuri Security > Settings.
- Click on the Hardening tab.
- Find the section labeled Verify WordPress Version.
- If the section is red, click on the Apply Hardening button.
If the section turns green, the plugin will keep your site on the current WordPress release. If it stays red, this option is not compatible with your hosting environment, usually because the host already applies WordPress updates on its own.
2. Make the WordPress version private
Anyone who learns which WordPress version you run can look up the vulnerabilities known to affect that exact version and attack them directly. Hiding the version removes that shortcut, which matters most if you do not upgrade immediately when a new release is published. It is not a substitute for updating: the fix for a known vulnerability only arrives with the update.
- You should always back up your site before making any changes.
- Log in to WordPress.
- Go to Sucuri Security > Settings.
- Click on the Hardening tab.
- Find the section labeled Remove WordPress Version.
- If the section is red, click on the Apply Hardening button.
Your WordPress version is no longer published in the page source (the generator meta tag) or in feeds.
3. Block PHP in directories
One common way a site is compromised is an attacker uploading a PHP file into a writable WordPress directory (typically wp-content/uploads) and then requesting it so that the web server executes it. The steps below tell the web server to refuse requests for PHP files in those folders. Test your site afterwards, because some themes and plugins place PHP files in wp-content that legitimately need to be requested directly, and the wp-content rule will break them.
- You should always back up your site before making any changes.
- Log in to WordPress.
- Go to Sucuri Security > Settings.
- Click on the Hardening tab.
- Find the section labeled Block PHP Files in Uploads Directory.
- If the section is red, click on the Apply Hardening button.
- Repeat the previous two steps for Block PHP Files in WP-CONTENT Directory and Block PHP Files in WP-INCLUDES Directory.
If the section turns green, the plugin has written the blocking rules successfully. If it stays red, the plugin could not write them, for example because the directory is not writable by the web server user or the host does not honour .htaccess rules.
4. Remove WordPress readme file
Every WordPress installation ships with a readme.html file in the site root that states the installed version. To stop attackers from reading your version there, delete this file (and remember that an update can restore it).
- You should always back up your site before making any changes.
- Log in to WordPress.
- Go to Sucuri Security > Settings.
- Click on the Hardening tab.
- Find the section labeled Information Leakage.
- If the section is red, click on the Apply Hardening button.
The readme file is removed, so detailed version information about your WordPress site is no longer exposed at that URL.
5. Enable DISALLOW_FILE_EDIT in WordPress
WordPress includes a built-in theme and plugin file editor in the dashboard. An attacker who obtains an administrator login can use it to write a backdoor into a theme or plugin file without ever touching the server. This option sets the DISALLOW_FILE_EDIT constant in wp-config.php, which removes that editor.
- You should always back up your site before making any changes.
- Log in to WordPress.
- Go to Sucuri Security > Settings.
- Click on the Hardening tab.
- Find the section labeled Plugin and Theme Editor.
- If the section is red, click on the Apply Hardening button.
The dashboard file editor is now disabled, so a compromised administrator account can no longer be used to modify your plugin and theme files from inside WordPress.
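An added example, not code from this page or from the Sucuri plugin: a short shell script that checks from the outside whether the hardening above actually took effect (hidden version, removed readme.html, no PHP execution in uploads), and also covers the directory-listing and XML-RPC items handled later on this page. It assumes curl is installed and the site is reachable. The probe file name wp-content/uploads/hc-probe.php and its marker string are this example's own convention: you upload that one-line PHP file yourself, run the audit, and delete it afterwards.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page or of the Sucuri plugin.
# Checks from the outside whether the hardening took effect.
# Assumes: curl installed, site reachable over HTTP(S).
# Usage: ./wp-hardening-audit.sh https://example.com

# Assumed convention: you upload a one-line file at this path containing
#   <?php echo 'HC-' . 'EXECUTED';
# and remove it when done. The joined marker only appears if PHP actually ran;
# a server that merely serves the source returns the two separate halves.
PROBE_PATH='wp-content/uploads/hc-probe.php'
PROBE_MARKER='HC-EXECUTED'

# Version leaked by <meta name="generator" content="WordPress x.y.z">, or empty.
generator_version() {
  printf '%s' "$1" | grep -oiE 'content="WordPress [0-9.]+"' \
    | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
  return 0
}

# Version printed in readme.html ("Version x.y.z"), or empty.
readme_version() {
  printf '%s' "$1" | grep -oE 'Version [0-9]+(\.[0-9]+)+' \
    | grep -oE '[0-9.]+' | head -n 1
  return 0
}

# True when a response body is an Apache or IIS directory listing.
is_directory_listing() {
  printf '%s' "$1" | grep -qiE '<title>Index of |<h1>Index of |\[To Parent Directory\]'
}

# Classify the uploads probe response: blocked (403), missing (404, probe not
# uploaded), executed (marker came back) or served (file returned without running).
php_probe_result() {  # $1 = HTTP status, $2 = body
  case "$1" in
    403) echo blocked ;;
    404) echo missing ;;
    200) case "$2" in
           *"$PROBE_MARKER"*) echo executed ;;
           *)                 echo served ;;
         esac ;;
    *)   echo "status-$1" ;;
  esac
}

# Fetch a URL into the globals STATUS and BODY.
fetch() {
  local tmp; tmp=$(mktemp)
  STATUS=$(curl -sS -o "$tmp" -w '%{http_code}' -A 'hc-audit' "$1") || STATUS=000
  BODY=$(cat "$tmp"); rm -f "$tmp"
}

# Run every check; returns the number of failed checks.
audit() {  # $1 = site URL
  local site="${1%/}" v r fails=0
  fetch "$site/"
  v=$(generator_version "$BODY")
  if [ -z "$v" ]; then echo "ok   generator tag hidden"
  else echo "FAIL generator tag leaks WordPress $v"; fails=$((fails+1)); fi

  fetch "$site/readme.html"
  v=$(readme_version "$BODY")
  if [ "$STATUS" != 200 ]; then echo "ok   readme.html not served ($STATUS)"
  else echo "FAIL readme.html served${v:+, version $v}"; fails=$((fails+1)); fi

  fetch "$site/wp-content/"
  if is_directory_listing "$BODY"; then echo "FAIL wp-content/ lists its files"; fails=$((fails+1))
  else echo "ok   wp-content/ has no listing ($STATUS)"; fi

  fetch "$site/$PROBE_PATH"
  r=$(php_probe_result "$STATUS" "$BODY")
  if [ "$r" = executed ]; then echo "FAIL PHP executes in uploads"; fails=$((fails+1))
  else echo "ok   uploads probe: $r"; fi

  fetch "$site/xmlrpc.php"
  if [ "$STATUS" = 403 ]; then echo "ok   xmlrpc.php denied"
  else echo "warn xmlrpc.php returned $STATUS (403 expected once it is blocked)"; fi
  return "$fails"
}

if [ $# -eq 1 ]; then audit "$1"; fi
```

The script exits with the number of failed checks, so it can be dropped into a cron job or a deployment pipeline that fails when a host update silently reverts one of the hardening rules.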
Security improvement performed without the Sucuri Security plug-in
1. Limit Login Attempts
Follow the video article How to Limit Login Attempts in WordPress.
2. Disable Directory Browsing
Directory browsing (an index listing) lets anyone request a folder URL and see the name of every file in it. That reveals installed plugins, backups, and other files an attacker can then fetch directly. The steps below disable it by editing the web server's configuration file through your hosting provider's file manager.
- You should always back up your site before making any changes.
- Navigate to the different folders of your website (ex. http://myonlinefurniture.com/wp-content) in your browser to see if a list of files is displayed instead of a web page.
- If you don’t find any folders that are displaying file lists, there are no further steps for you to follow.
- Access the File Manager for your hosting plan.
- Navigate to the folder that displayed a directory listing.
- Edit the .htaccess (Linux/Apache) or web.config (Windows/IIS) file.
- Linux: at the top of the .htaccess file, insert the following line:
  Options -Indexes
- Windows: in the web.config file, find the directoryBrowse element, for example <directoryBrowse enabled="true" />, and set enabled="false" (or remove the element so the server default applies).
- Save the changes to your file.
Directory browsing is now turned off. Reload the folder URL: you should get a 403 Forbidden (or the site's normal 404 page) instead of a file list. If the list still appears, clear your browser cache or try a different browser, then go through the steps again. If the whole site returns a 500 error instead, your host does not allow the Options directive in .htaccess; remove the line and ask your provider to disable directory listings for you.
3. Disable XML-RPC
XML-RPC is the interface that the WordPress mobile app, Jetpack, and other remote publishing tools use to post to WordPress. It is also a favourite target for attackers: it accepts username and password, and its system.multicall method lets one request carry hundreds of login attempts, so it bypasses login-attempt limits on wp-login.php. If you do not rely on remote posting, follow the instructions below to disable it.
- You should always back up your site before making any changes.
- Access the File Manager for your hosting plan.
- Navigate to the folder in which WordPress is installed.
- Edit the .htaccess file.
- At the bottom of the .htaccess file, insert the following lines:
  <Files xmlrpc.php>
  Order Allow,Deny
  Deny from all
  </Files>
- Save the changes to your file.
Requests for xmlrpc.php now receive a 403 Forbidden, which removes one of the most commonly abused entry points to your site. The Order and Deny directives are the Apache 2.2 syntax; on an Apache 2.4 host that does not load mod_access_compat they cause a 500 error, in which case replace the two lines with Require all denied.
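An added example, not from the original page: a shell script that writes the .htaccess rules from this section (directory listing off, xmlrpc.php denied) plus the uploads PHP block from the plugin section into the right files, once, keeping a backup of any existing file. It assumes an Apache host where .htaccess overrides are permitted; the marker comments, file names, and script name are this example's own. The deny block carries both the Apache 2.4 Require form and the older Order/Deny form so it works on either release.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): install the hardening rules
# described in this tutorial into .htaccess files, idempotently.
# Assumes an Apache host that permits .htaccess overrides for Options and
# access control. Marker comments below are this example's own convention.
# Usage: ./wp-htaccess-harden.sh /path/to/wordpress
set -e

MARK_BEGIN='# BEGIN hc-hardening'
MARK_END='# END hc-hardening'

# Deny block that works on Apache 2.4 (mod_authz_core) and 2.2 (mod_access_compat).
deny_block() {
  cat <<'EOF'
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
EOF
}

# Rules for the WordPress root: no directory listings, no xmlrpc.php.
root_rules() {
  printf '%s\n' "$MARK_BEGIN" 'Options -Indexes' '<Files xmlrpc.php>'
  deny_block
  printf '%s\n' '</Files>' "$MARK_END"
}

# Rules for wp-content/uploads: refuse every PHP-like file name there.
uploads_rules() {
  printf '%s\n' "$MARK_BEGIN" '<FilesMatch "\.(php|phtml|php[0-9]|phar)$">'
  deny_block
  printf '%s\n' '</FilesMatch>' "$MARK_END"
}

# Append a rule set once; keep a timestamped backup of an existing file.
install_rules() {  # $1 = directory, $2 = function that prints the rules
  local file="$1/.htaccess"
  if [ -f "$file" ] && grep -qF "$MARK_BEGIN" "$file"; then
    echo "already hardened: $file"; return 0
  fi
  [ -f "$file" ] && cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  "$2" >> "$file"
  echo "updated: $file"
}

# Harden a WordPress installation rooted at $1.
harden() {
  [ -f "$1/wp-config.php" ] || { echo "not a WordPress root: $1" >&2; return 1; }
  install_rules "$1" root_rules
  mkdir -p "$1/wp-content/uploads"
  install_rules "$1/wp-content/uploads" uploads_rules
}

if [ $# -eq 1 ]; then harden "$1"; fi
```

Run it once, then request a folder URL, xmlrpc.php, and a test .php file under uploads to confirm each returns 403; running it a second time is a no-op because of the marker comments, so it is safe to include in a deployment script. The wp-content and wp-includes rules from the plugin section are deliberately left out here, since they are the ones most likely to break a theme or plugin.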
Thanks for visiting. For queries and suggestions, emails are welcome at learnweb@hostingcolumn.com.