How to Improve WordPress Website Security

Making your WordPress site secure is one of the best ways to ensure it’s safe from common malicious attacks. There are multiple ways to secure your site, and some options may not work with certain plugins, themes, or hosting accounts. Here are the options to improve the security of your WordPress website:

  • Security improvement performed through the Sucuri Security plug-in.
  • Security improvement performed without the Sucuri Security plug-in.

Security improvement performed through the Sucuri Security plug-in

Managing your WordPress security with this plugin has these different options:

1. Verify WordPress is up-to-date

  1. You should always backup your site before making any changes.
  2. Log in to WordPress.
  3. Go to Sucuri Security > Settings.
  4. Click on the Hardening tab.
  5. Find the section labeled Verify WordPress Version.
  6. If the section is red, click on the Apply Hardening button.

If the section turns green, the plugin will now keep your site running the latest version of WordPress. If the section is still red, this feature is not compatible with your hosting as it may already do automatic updates.

2. Make the WordPress version private

If someone knows what version of WordPress you are running, they may know exactly what vulnerabilities your site has. It is important to keep your version private in the event you do not update to the latest version right when it comes out.

  1. You should always backup your site before making any changes.
  2. Log in to WordPress.
  3. Go to Sucuri Security > Settings.
  4. Click on the Hardening tab.
  5. Find the section labeled Remove WordPress Version.
  6. If the section is red, click on the Apply Hardening button.

You have now prevented your WordPress version from being viewed publicly.

3. Block PHP in directories

One of the ways a site can be compromised is by PHP files being injected into your WordPress folders and executed from there. The following steps will help you block PHP files in those directories, but you will want to test your site functionality to ensure these settings are not interfering with your theme and plugins.

  1. You should always backup your site before making any changes.
  2. Log in to WordPress.
  3. Go to Sucuri Security > Settings.
  4. Click on the Hardening tab.
  5. Find the section labeled Block PHP Files in Uploads Directory.
  6. If the section is red, click on the Apply Hardening button.
  7. Repeat the previous two steps for Block PHP Files in WP-CONTENT Directory and Block PHP Files in WP-INCLUDES Directory.

If the section turns green, the plugin was able to enable this feature. If the section is still red, the plugin does not have permission to make this change.

4. Remove WordPress readme file

A readme file containing your WordPress version is bundled with every install. To help prevent malicious visitors from knowing which version you are running, it’s important that you remove this file.

  1. You should always backup your site before making any changes.
  2. Log in to WordPress.
  3. Go to Sucuri Security > Settings.
  4. Click on the Hardening tab.
  5. Find the section labeled Information Leakage.
  6. If the section is red, click on the Apply Hardening button.

You have now prevented detailed information about your WordPress site being exposed.

5. Enable DISALLOW_FILE_EDIT in WordPress

To further harden your WordPress site against unwanted changes, it is worth enabling a setting that helps prevent modification of your plugin and theme files.

  1. You should always backup your site before making any changes.
  2. Log in to WordPress.
  3. Go to Sucuri Security > Settings.
  4. Click on the Hardening tab.
  5. Find the section labeled Plugin and Theme Editor.
  6. If the section is red, click on the Apply Hardening button.

You have now prevented your WordPress plugin and theme files from being edited as easily by malicious code.

Security improvement performed without the Sucuri Security plug-in

1. Limit Login Attempts

Follow the video article How to Limit Login Attempts in WordPress.

2. Disable Directory Browsing

Directory browsing allows anyone to see all the files in a folder and their contents. To help secure your site, you’ll want to use your hosting’s file manager to edit the files.

  1. You should always backup your site before making any changes.
  2. Navigate to the different folders of your website (ex. http://myonlinefurniture.com/wp-content) in your browser to see if a list of files is displayed instead of a web page.
  3. If you don’t find any folders that are displaying file lists, there are no further steps for you to follow.
  4. Access the File Manager for your hosting plan.
  5. Navigate to the folder that displayed a directory listing.
  6. Edit the .htaccess (Linux) or web.config (Windows) file.
    • Linux: at the top of the .htaccess file, insert the following line:

      Options -Indexes

    • Windows: in the web.config file, find and remove the following line:

      <directoryBrowse enabled="true" />

  7. Save the changes to your file.

You have now disabled directory browsing. If you are still able to browse the directory in your browser, you will want to consider clearing your browser cache, trying another browser, or reviewing the steps again for accuracy.

3. Disable XML-RPC

XML-RPC allows mobile apps and remote connections to publish to WordPress. If you don’t want to be able to post remotely to your site, follow the steps below to improve your site security.

  1. You should always backup your site before making any changes.
  2. Access the File Manager for your hosting plan.
  3. Navigate to the folder in which WordPress is installed.
  4. Edit the .htaccess file.
  5. At the bottom of the .htaccess file, insert the following lines:

      <Files xmlrpc.php>
      Order Allow,Deny
      Deny from all
      </Files>

  6. Save the changes to your file.

You’ve now disabled access to the XML-RPC function and reduced the number of ways your site can be attacked.
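To confirm that the version-hiding, readme removal, directory-browsing and XML-RPC steps above actually took effect, here is an added verification script; it is not part of this article or of the Sucuri plugin. It uses only the Python 3 standard library, the base URL passed to audit_site is assumed to be a site you administer, and SAMPLE_UNHARDENED is a constructed set of responses rather than captured traffic.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Tag WordPress emits in the page head unless "Remove WordPress Version" hides it.
GENERATOR_RE = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress', re.I)

def version_leaked(status, body):
    return status == 200 and GENERATOR_RE.search(body) is not None

def readme_exposed(status, body):
    # readme.html names the installed version; a 403/404 means it is gone.
    return status == 200 and "wordpress" in body.lower()

def listing_enabled(status, body):
    # Apache's mod_autoindex titles its listing page "Index of /<path>".
    return status == 200 and re.search(r"<title>\s*Index of\s", body, re.I) is not None

def xmlrpc_reachable(status, body):
    # WordPress answers a plain GET with 405; the Deny-from-all rule yields 403.
    return status in (200, 405)

CHECKS = {"/": version_leaked, "/readme.html": readme_exposed,
          "/wp-content/uploads/": listing_enabled, "/xmlrpc.php": xmlrpc_reachable}

def audit(pages):
    """pages maps a path to (status, body); returns the paths that still fail."""
    return sorted(p for p, check in CHECKS.items() if p in pages and check(*pages[p]))

def fetch(url):
    """(status, body) for a URL; HTTP error codes are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def audit_site(base):
    """Live run against your own site; base is an assumed URL such as https://example.com."""
    return audit({p: fetch(base.rstrip("/") + p) for p in CHECKS})

# Constructed responses (not captured from a real site) for an unhardened install.
SAMPLE_UNHARDENED = {
    "/": (200, '<head><meta name="generator" content="WordPress 6.4" /></head>'),
    "/readme.html": (200, "<title>WordPress &rsaquo; ReadMe</title>"),
    "/wp-content/uploads/": (200, "<title>Index of /wp-content/uploads</title>"),
    "/xmlrpc.php": (405, "XML-RPC server accepts POST requests only."),
}
```

An empty list from audit_site means all four items are in place; each path returned points at the step above to revisit.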
