WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000 websites every day for malware and around 50,000 every week for phishing.
If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.
1. Integrate Google’s V3 Captcha on login & forms
First and foremost, integrate Google's reCAPTCHA on your website's forms and login areas. I personally prefer the V3 captcha. You can integrate it without any coding skills by using a plugin called Advanced noCaptcha & invisible Captcha.
2. Customize your default WordPress Login URL
The next step to secure your WordPress website is to change your default login URL (the login endpoint) to something else. You can do this by installing and configuring a security plugin called WPS Hide Login. Again, no programming knowledge is required for this setup; it is plug and play.
3. Activate Loginizer Alerts & Limit Login Attempts
Loginizer is a security plugin that sends an alert after every 3 failed login attempts, including the user's IP address, and blocks that IP from logging in for about 15 minutes. This way you can find the attacker's IP and block it from cPanel or any other hosting management panel.
4. Change your default login credentials to complex
No plugin is required for this step. Simply go to Settings > Users, select your profile, and change the default username from "admin" to something else and the password to one of at least 8 characters that mixes letters, numbers and special characters.
5. Add SSL to your WordPress website
SSL (today TLS) encrypts the traffic between your visitors and your server and protects against man-in-the-middle attacks. It is a must-have for any website. Certificates are available both paid and free; you can start by getting a free one from Let's Encrypt.
6. Disable File Editing & PHP Execution
For this step you will need to open the wp-config.php file from your hosting file manager and add the following line:
define( 'DISALLOW_FILE_EDIT', true );
This constant disables the built-in theme and plugin code editor in the WordPress admin panel. You will also need to disable PHP execution in the uploads folder by adding the following lines to a .htaccess file inside the /wp-content/uploads/ folder (the Files wrapper limits the rule to .php files, so images and other uploads are still served):
<Files *.php>
deny from all
</Files>
If the file does not exist, create it from the file manager in your hosting management panel.
7. Disable XML-RPC in WordPress
XML-RPC has been enabled by default since WordPress 3.5 so that mobile apps and other clients can connect to your website and exchange data over its API, and attackers abuse it. Logins through this endpoint are not blocked by Loginizer, and with the system.multicall function an attacker can try thousands of passwords with just 30 to 40 simultaneous requests. All you have to do is paste the following code into your .htaccess file, replacing the IP address with your own so that you keep access:
<Files xmlrpc.php>
deny from all
allow from 220.127.116.11
</Files>
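The login throttling of step 3 (3 failures, 15-minute block, alert with the IP) and the XML-RPC shutdown of step 7 can also be done in WordPress's own PHP hooks instead of with plugins or .htaccess. This is an added example written for this page, not code from the article or from Loginizer; the hx_ prefix, the transient names and the error-log alert are my own choices, and the hooks used (xmlrpc_enabled, xmlrpc_methods, wp_login_failed, authenticate) are standard WordPress APIs.

```php
<?php
// Added example (not from the article or Loginizer). Save as
// wp-content/mu-plugins/hx-hardening.php; must-use plugins load automatically.

// Values the article quotes for Loginizer: 3 failures, then a 15-minute block.
const HX_MAX_FAILURES = 3;
const HX_LOCKOUT      = 15 * MINUTE_IN_SECONDS;

// Step 7: disable XML-RPC, and drop system.multicall as defence in depth in case
// another plugin re-enables the endpoint.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
	unset( $methods['system.multicall'] );
	return $methods;
} );

// Caveat: REMOTE_ADDR is the real client only when no proxy or CDN sits in front.
function hx_client_ip(): string {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : '';
	return sanitize_text_field( $ip );
}

// Step 3: count failures per IP. wp_login_failed fires for wp-login.php and
// xmlrpc.php alike, since both paths go through wp_authenticate().
add_action( 'wp_login_failed', function ( $username ): void {
	$ip = hx_client_ip();
	if ( get_transient( 'hx_lock_' . $ip ) ) {
		return; // already locked; the lockout error below re-fires this hook
	}
	$fails = (int) get_transient( 'hx_fail_' . $ip ) + 1;
	set_transient( 'hx_fail_' . $ip, $fails, HX_LOCKOUT );
	if ( $fails >= HX_MAX_FAILURES ) {
		set_transient( 'hx_lock_' . $ip, time(), HX_LOCKOUT );
		delete_transient( 'hx_fail_' . $ip );
		// Alert goes to the PHP error log; swap in wp_mail() for e-mail alerts.
		error_log( sprintf( 'wp-login lockout: %s after %d failures (last username "%s")',
			$ip, $fails, $username ) );
	}
} );

// Priority 99 runs after the built-in password check (priority 20), so a correct
// guess made during a lockout is still refused.
add_filter( 'authenticate', function ( $user ) {
	if ( get_transient( 'hx_lock_' . hx_client_ip() ) ) {
		return new WP_Error( 'hx_locked', 'Too many failed logins. Try again in 15 minutes.' );
	}
	return $user;
}, 99 );
```

Transients live in the options table (or the object cache), so the counters survive across requests without any extra storage; on a site behind a proxy, derive the client IP from the header your proxy sets instead of REMOTE_ADDR.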