WordPress powers nearly 60% of all websites that use a content management system, so there is a good chance that you are using it for your business right now.

How to Safeguard Your WordPress Website in 2018 Using These Essential Security Measures

Knowing how to safeguard your WordPress website in 2018 is not only beneficial for you but also mandatory. Having a strong password just isn’t enough today. You need to do more.

Security is a big concern for WordPress sites. Since it is the most widely used CMS, it attracts the most attacks. Protecting your site is your responsibility, and more often than not it is poor maintenance that leaves a website vulnerable.

As prevention is better than cure, you need to be proactive. Here are some essential security measures to safeguard your website from attacks:

Customize Login URL & Username

WordPress’s login URL is common knowledge. By default it is either wp-login.php or wp-admin. This is an open invitation to hackers.

Knowing your login URL, they can try to brute-force their way in. Customizing the login URL increases the effort needed to get at your site and makes it harder to break into. There are many plugins available to change the URL.

The same goes for the username. Older WordPress installers set the first username to ‘admin’ by default. Keeping that username is one of the biggest mistakes you can make.

Newer versions of WordPress allow users to select a custom username when installing. If that is not possible, there are three ways you can change the username:

  • Create a new admin user and remove the other one
  • Use plugins
  • Use phpMyAdmin to make changes

Two-factor Authentication

Two-factor authentication is the best way to further strengthen the security of your WordPress website. It is very effective against brute-force attacks, where a hacker tries an unlimited number of password combinations to get into your site.

In addition to the custom URL and username, an authorization code is required to log in to the admin panel. This code is usually sent to your phone. That means that unless the hackers have both your password and the code, they cannot get in.

Plugins such as Google Authenticator provide this functionality.
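To show what such a plugin does on the server side, here is an added example (not code from the article, from Google Authenticator or from any other plugin): a must-use plugin that adds a one-time-code field to the login form and verifies a time-based code (RFC 6238 TOTP) the way an authenticator app generates it. The example_ prefix, the user-meta key example_totp_secret used to store the enrolled base32 secret, and the assumption that enrolment is handled elsewhere are all mine.

```php
<?php
/**
 * Plugin Name: Example TOTP Second Factor (added example, not from the article)
 *
 * Adds a one-time-code field to wp-login.php and, for users who have a TOTP
 * secret stored in user meta 'example_totp_secret' (assumed key, base32 as
 * shown by authenticator apps), refuses the login unless the code matches
 * the current 30-second step or one of its immediate neighbours.
 */

/** Decode the base32 secret that authenticator apps display or scan. */
function example_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( str_replace( [ ' ', '=' ], '', $b32 ) );
    if ( $b32 === '' ) {
        throw new InvalidArgumentException( 'empty secret' );
    }
    $bits = '';
    foreach ( str_split( $b32 ) as $ch ) {
        $pos = strpos( $alphabet, $ch );
        if ( $pos === false ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $bits .= str_pad( decbin( $pos ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( strlen( $chunk ) === 8 ) {          // drop trailing padding bits
            $bytes .= chr( bindec( $chunk ) );
        }
    }
    return $bytes;
}

/** RFC 6238: HMAC-SHA1 over the 64-bit big-endian time step, then dynamic truncation. */
function example_totp_code( string $secret, int $timestamp, int $step = 30, int $digits = 6 ): string {
    $counter = intdiv( $timestamp, $step );
    $message = pack( 'N2', 0, $counter );      // high 32 bits are zero for any realistic time
    $hash    = hash_hmac( 'sha1', $message, $secret, true );
    $offset  = ord( $hash[19] ) & 0x0f;
    $binary  = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
             | ( ord( $hash[ $offset + 1 ] ) << 16 )
             | ( ord( $hash[ $offset + 2 ] ) << 8 )
             | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/** Accept the current step and one step either side to absorb clock drift. */
function example_totp_verify( string $base32_secret, string $code, int $now ): bool {
    $secret = example_base32_decode( $base32_secret );
    $ok     = false;
    foreach ( [ -1, 0, 1 ] as $drift ) {
        $expected = example_totp_code( $secret, $now + 30 * $drift );
        // Constant-time comparison; every step is checked so timing reveals nothing.
        $ok = hash_equals( $expected, $code ) || $ok;
    }
    return $ok;
}

/** Add the code field to the login form. */
add_action( 'login_form', function (): void {
    echo '<p><label>One-time code<br><input type="text" name="example_totp" autocomplete="one-time-code"></label></p>';
} );

/** Priority 40 runs after core has already checked the password (priority 20). */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user;                          // password already failed; nothing to add
    }
    $secret = get_user_meta( $user->ID, 'example_totp_secret', true );
    if ( $secret === '' ) {
        return $user;                          // user not enrolled (assumption: enrolment handled elsewhere)
    }
    $code = isset( $_POST['example_totp'] ) ? preg_replace( '/\D/', '', (string) $_POST['example_totp'] ) : '';
    if ( strlen( $code ) !== 6 || ! example_totp_verify( $secret, $code, time() ) ) {
        return new WP_Error( 'invalid_totp', 'The one-time code is missing or incorrect.' );
    }
    return $user;
}, 40, 3 );
```

The code is only checked after the password has been verified, so a wrong password never leaks whether a user has enrolled. Two caveats a deployment would have to address: the secret is stored in plain user meta here, and the authenticate filter also fires for XML-RPC logins, which have no form field and would therefore be refused for enrolled users.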

Limit Number of Login Attempts

WordPress overlooks an important aspect of security: the number of login attempts that can be made without any consequence. By default, users can attempt to log in as many times as they want.

This is good if you are having trouble remembering your password, but terrible for safeguarding your WordPress website. It leaves an opening that is easily exploitable by hackers.

Hackers use the aforementioned brute-force technique to crack your password. The good news is that it is quickly fixable thanks to WordPress’s vast reservoir of plugins.

Setting a limit on how many login attempts can be made before the user is locked out for a rest period both protects your site and discourages hackers.
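Here is how such a limit can be built with WordPress’s own hooks, as an added example that is not code from the article or from any plugin: a must-use plugin (drop it into wp-content/mu-plugins/) that counts failures per client address in a transient and, once the limit is reached, rejects every further attempt from that address until the lockout expires. The numbers, the elal_ prefix and the use of REMOTE_ADDR as the client address are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (added example, not from the article)
 *
 * Place in wp-content/mu-plugins/. After ELAL_MAX_ATTEMPTS failed logins from
 * one client address inside ELAL_WINDOW seconds, every further login attempt
 * from that address is refused until ELAL_LOCKOUT seconds have passed.
 * Only core hooks and transients are used; the numbers are assumptions to tune.
 */

define( 'ELAL_MAX_ATTEMPTS', 5 );
define( 'ELAL_WINDOW',  15 * MINUTE_IN_SECONDS );   // period over which failures are counted
define( 'ELAL_LOCKOUT', 30 * MINUTE_IN_SECONDS );   // how long the address stays locked

/** Transient key for the current client address. */
function elal_key( string $suffix ): string {
    // REMOTE_ADDR is the address the web server saw. Behind a reverse proxy or
    // CDN you must use the address the proxy forwards instead (assumption about
    // your deployment), otherwise every visitor shares one counter.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'elal_' . $suffix . '_' . md5( $ip );
}

/** Count a failed login; start the lockout once the limit is reached. */
function elal_record_failure( $username ): void {
    if ( (int) get_transient( elal_key( 'locked' ) ) > time() ) {
        return;                                   // already locked; let it expire on its own
    }
    $attempts = (int) get_transient( elal_key( 'attempts' ) ) + 1;
    set_transient( elal_key( 'attempts' ), $attempts, ELAL_WINDOW );

    if ( $attempts >= ELAL_MAX_ATTEMPTS ) {
        set_transient( elal_key( 'locked' ), time() + ELAL_LOCKOUT, ELAL_LOCKOUT );
        // Leave a trace in the server error log for monitoring (never log the password).
        error_log( sprintf( 'wp-login lockout for %s after %d failures (username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $attempts, (string) $username ) );
    }
}
add_action( 'wp_login_failed', 'elal_record_failure' );

/** Refuse authentication while the client is locked out. */
function elal_check_lock( $user, $username, $password ) {
    $locked_until = (int) get_transient( elal_key( 'locked' ) );
    if ( $locked_until > time() ) {
        $minutes = (int) ceil( ( $locked_until - time() ) / 60 );
        return new WP_Error( 'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minute(s).', $minutes ) );
    }
    return $user;
}
// Priority 30 runs after core's username/password checks (priority 20), so the
// lockout verdict replaces whatever they returned, including a valid WP_User.
add_filter( 'authenticate', 'elal_check_lock', 30, 3 );

/** A successful login resets the counter for this client. */
function elal_clear_counter( string $user_login, WP_User $user ): void {
    delete_transient( elal_key( 'attempts' ) );
}
add_action( 'wp_login', 'elal_clear_counter', 10, 2 );
```

Counting per address is the simplest design, and it has two known limits: an attacker spread across many addresses stays under the threshold on each one (a per-username counter closes that gap), and users behind a shared office NAT can be locked out by a single colleague’s typos. The error_log line exists so that lockouts can be picked up by whatever log monitoring you run.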

Implement TLS/SSL Encryption

Secure Sockets Layer, or SSL, encryption establishes an encrypted link between the web server and the browser. It has long been the industry standard for a secure connection.

However, SSL itself is vastly outdated. What most people refer to as SSL today is actually TLS, or Transport Layer Security, the current technology that secures privacy and data integrity in transit.

As a WordPress website owner, getting an SSL/TLS certificate is the smartest move you can make. Many hosting packages come with SSL certificates; if yours does not, you can easily purchase one from an authorized source.

The certificate and the encryption it enables make it difficult for a hacker to intercept or tamper with the traffic between your visitors and your server. It takes far more time and effort to create an opening, which makes the attack too costly to be worthwhile.

If you are looking for SSL certificates, eknowledgetree offers cheap wildcard SSL certificates.

Hide WordPress References & Version Number

Knowledge is power. The less hackers know about your website and CMS, the better. You can restrict this knowledge in two ways:

  • Removing any WordPress reference, including URL structure; and
  • Hiding the version number of WordPress

Since WordPress is the most widely used CMS, its directory structure and the way the site works are familiar to attackers. Combined with knowledge of the exact version number, hackers can tailor their attacks to the weaknesses that version is known to have.

By hiding these two pieces of information, those with malicious intent have to work twice as hard just to gather intelligence.

Hiding the version number of your CMS is as easy as inserting a single line. Open your theme’s functions.php file and add the statement remove_action( 'wp_head', 'wp_generator' ); inside its PHP code (the file already starts with <?php, so no new opening tag is needed).
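That one line removes the generator meta tag from the page head, but core prints the version in a few more places. The following is an added example (not code from the article) that goes a little further than the text: it also clears the generator string from feeds and strips the core version from the ?ver= query string on core script and style URLs. It can live in functions.php or a must-use plugin; the example_ prefix is an assumption.

```php
<?php
// Added example (not code from the article). Goes in your theme's
// functions.php or a mu-plugin. Strips the WordPress version from the
// places where core still reveals it even after wp_generator is removed.
// The example_ prefix is an assumption.

// 1. The <meta name="generator"> tag in <head> (the line the article gives).
remove_action( 'wp_head', 'wp_generator' );

// 2. The generator string in RSS/Atom feeds, which is produced through the
//    the_generator filter rather than the wp_head action.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=<core version> query string that core appends to the URLs of
//    its own scripts and stylesheets.
function example_strip_core_version_query( $src ) {
    // Only strip when the value is the core version, so plugin and theme
    // assets with their own version numbers keep their cache-busting.
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version_query' );
add_filter( 'style_loader_src',  'example_strip_core_version_query' );
```

Two things this cannot do: the readme.html that ships in the site root still states the version unless you delete it after each update or block it at the web server, and hiding the number is only obscurity. It buys time against automated scanners; keeping core updated is what actually closes the vulnerabilities.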

Limit Access to Users

This point is vital for anyone who has to grant several people access to the admin panel, such as employees within the organization or multiple authors on a blog.

The admin panel is the core of your website and you need to restrict these other users to safeguard your WordPress website. You don’t want them to fiddle around and disrupt important functionality.

A particular user should be given access to only those functionalities that are required for the task.

Furthermore, disallowing the editing of any file that is part of the WordPress installation, even for your own account, limits the damage if an account is hacked.
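Both points above can be enforced in code. The following must-use plugin is an added example (not code from the article): it disables the built-in theme and plugin file editor for every account, removes the unfiltered_html capability from the Editor role so that editors cannot publish raw script tags, and registers a reduced role for outside contributors. The constant is conventionally placed in wp-config.php; the guest_author role name and the example_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Example Least-Privilege Settings (added example, not from the article)
 *
 * 1. Turns off the built-in theme/plugin file editor for every account, so a
 *    hijacked admin session cannot drop PHP into a theme file from the dashboard.
 *    The constant conventionally lives in wp-config.php; it is defined here as a
 *    fallback so that the mu-plugin also works on its own.
 * 2. Removes the unfiltered_html capability from the Editor role, so an editor
 *    account (or whoever steals its session) cannot publish raw <script> tags.
 * 3. Registers a 'guest_author' role (assumed name) that is limited to drafting.
 */

if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
// Stricter still: also stop plugin/theme installs and updates from the
// dashboard so they happen only through your deployment process.
// define( 'DISALLOW_FILE_MODS', true );

function example_apply_least_privilege(): void {
    // Roles and capabilities are stored in the options table, so only write
    // when something actually needs to change.
    $editor = get_role( 'editor' );
    if ( $editor !== null && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }

    if ( get_role( 'guest_author' ) === null ) {
        add_role( 'guest_author', 'Guest Author', [
            'read'         => true,
            'edit_posts'   => true,  // write and edit their own drafts
            'delete_posts' => true,  // delete their own unpublished drafts
            // deliberately absent: publish_posts, upload_files, edit_others_posts,
            // edit_published_posts, manage_options, edit_theme_options ...
        ] );
    }
}
add_action( 'init', 'example_apply_least_privilege' );
```

Assign the guest_author role to contributors who only need to submit drafts, and keep the number of administrator accounts to the minimum that can be audited. Because the role changes are persisted in the database, removing this file later does not restore the Editor role’s unfiltered_html capability by itself.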

Plugin Management

WordPress plugins, although a blessing, are the most susceptible aspect of the content management system. To safeguard your WordPress website, you need to focus on three aspects of plugin management:

  • Remove unnecessary or unused plugins

If a theme or plugin is unused or unnecessary, it is best to remove it outright. Such extras are both cumbersome and leave your website open to attack: hackers can use them to find a backdoor into your site and gain access.

  • Always update your plugins

Every plugin can become exploitable given enough time. That is why plugins are regularly updated with new security fixes and features. Failing to keep your plugins up to date leaves known vulnerabilities open.

  • Avoid downloading premium plugins for free

Getting a premium plugin from an unreliable source is a sure way to open a can of worms. These sources prey on the naivety of users, and once installed, the plugins infect the WordPress site with malware.
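The first two aspects can be checked automatically. This added example (not code from the article) is a must-use plugin that shows administrators a dashboard notice listing plugins that are installed but inactive, which are candidates for removal, and plugins for which core’s update check has found a newer version. It uses only core functions; the example_ prefix is an assumption.

```php
<?php
/**
 * Plugin Name: Example Plugin Hygiene Notice (added example, not from the article)
 *
 * Shows administrators a dashboard notice listing plugins that are installed
 * but inactive (candidates for removal) and plugins with an update pending.
 * Uses only core functions; the example_ prefix is an assumption.
 */

/** Build the report from core's plugin registry and its update cache. */
function example_plugin_hygiene_report(): array {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $report  = [ 'inactive' => [], 'outdated' => [] ];
    $updates = get_site_transient( 'update_plugins' );   // filled by core's periodic update check

    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $report['inactive'][] = $data['Name'];
        }
        if ( isset( $updates->response[ $file ] ) ) {
            $report['outdated'][] = sprintf(
                '%s (%s -> %s)', $data['Name'], $data['Version'], $updates->response[ $file ]->new_version
            );
        }
    }
    return $report;
}

/** Render the notice for users who are allowed to manage plugins. */
function example_plugin_hygiene_notice(): void {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    $report = example_plugin_hygiene_report();
    $labels = [
        'inactive' => 'Installed but inactive (remove if not needed)',
        'outdated' => 'Updates pending',
    ];
    foreach ( $labels as $key => $label ) {
        if ( $report[ $key ] === [] ) {
            continue;
        }
        printf(
            '<div class="notice notice-warning"><p><strong>%s:</strong> %s</p></div>',
            esc_html( $label ),
            esc_html( implode( ', ', $report[ $key ] ) )
        );
    }
}
add_action( 'admin_notices', 'example_plugin_hygiene_notice' );
```

The update list only covers plugins whose update channel core knows about; a plugin obtained from an unofficial source usually has no update channel at all, which is one more reason the third point above matters.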

Block Directory Browsing

Preventing directory browsing is in the upper echelon of essential security measures to safeguard your WordPress website. If directory browsing is enabled, you are giving hackers an opportunity to see the blueprint of your website.

It can be used to view your files and copy images, and it reveals your directory structure. If directory listing is not explicitly blocked, visitors can see everything in the directory, and no password is required for access.

There are two ways to prevent this security threat:

  • Upload an empty index.html or index.php to every directory and subdirectory, but not to the root directory
  • Create a .htaccess file in the root directory and add Options -Indexes at the top
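The first option is tedious by hand, so here is an added example (not code from the article) that automates it: a command-line PHP script that walks every directory below a given path, typically wp-content/uploads, and writes a blank index.php into each one that has no index file yet. The stub it writes is the same "Silence is golden" file WordPress itself ships in wp-content; the script name and the example_ prefix are assumptions.

```php
<?php
/**
 * add-index-files.php: added example, not from the article.
 * Usage: php add-index-files.php /var/www/html/wp-content/uploads
 *
 * Walks every directory below the given path and drops an index.php that
 * outputs nothing into each one that has neither index.php nor index.html,
 * so a request for the directory returns a blank page instead of a listing.
 * WordPress ships the same "Silence is golden" stub in wp-content itself.
 */

const INDEX_STUB = "<?php\n// Silence is golden.\n";

/** Returns the list of directories that received a new index.php. */
function example_add_index_files( string $root ): array {
    if ( ! is_dir( $root ) ) {
        throw new InvalidArgumentException( "not a directory: $root" );
    }
    $created  = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    $dirs = [ $root ];
    foreach ( $iterator as $entry ) {
        if ( $entry->isDir() ) {
            $dirs[] = $entry->getPathname();
        }
    }
    foreach ( $dirs as $dir ) {
        if ( file_exists( "$dir/index.php" ) || file_exists( "$dir/index.html" ) ) {
            continue;                          // already covered; never overwrite
        }
        if ( file_put_contents( "$dir/index.php", INDEX_STUB, LOCK_EX ) !== false ) {
            chmod( "$dir/index.php", 0644 );
            $created[] = $dir;
        }
    }
    return $created;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( example_add_index_files( $argv[1] ) as $dir ) {
        echo "created $dir/index.php\n";
    }
}
```

Run it as the same user that owns the upload directory so the new files get sensible ownership. Index stubs only cover directories that exist at the time the script runs, so the web-server setting (Options -Indexes in Apache’s .htaccess) remains the more robust fix; the stubs are a belt-and-braces addition for hosts where that directive is not honoured.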

Protect wp-config.php File

The wp-config.php file is the most valuable file in your WordPress directory. It contains key information such as the database name, security keys, table prefix, etc. Protecting it from a security breach is of utmost importance.

By default, the file is placed in the root directory, where the server can access it. However, what a lot of people don’t know is that you can move it one directory above the web root and WordPress will still find and load it, because the core loader looks in that location as well.

Another way to protect wp-config.php is to add a few lines to the .htaccess file in the root directory. They are:

  <Files wp-config.php>
    order allow,deny
    deny from all
  </Files>

The closing </Files> line is required, or Apache will refuse to load the file. The order/deny pair is Apache 2.2 syntax; on Apache 2.4 the equivalent line inside the block is Require all denied.


Regular Backup

Last but not least, backing up your website regularly is vital. If anything goes wrong, it works like an insurance policy: you can clean up and restore everything to the last stable setup.

Even if you feel like everything is in order, it is best to keep backups. The best practice is to upload a backup to a separate cloud location on a daily basis. Services like Dropbox, Amazon or any other off-site server are more than capable of holding it.

Luckily, there is no need to update your backups manually. Plenty of plugins automate the process.

Wrapping Up

Whether you use WordPress or a custom CMS for your business, security is always an issue, especially if you build a WordPress site yourself.

But the security measures mentioned here will be at the forefront to safeguard your WordPress website in 2018 so that you can reap its benefits.

About Author:

Maruf Iftekhar is a content writer for WebAlive, a digital agency renowned for innovative digital marketing strategy and web design in Melbourne and across Australia. A web design, development and digital marketing enthusiast, he aims to tell stories that will bring fortune to his readers.