WordPress Security Best Practices

upqode | Mar 5th, 2018

Hacks are common in the development field. There is always someone out there who might find hacking your site beneficial: a dishonest competitor, or simply an amateur developer who has nothing better to do. That's why our WordPress development company's knowledge of how to improve WordPress security can save you a lot of headaches in the long run.

Before we delve into the actual steps to improve security, here is a breakdown of reasons why WordPress security is so important:

Why is WordPress security so important?

A WordPress site is like your office or retail store. Your business relies on it to make revenue. If your website gets hacked, it's not only you who is affected but your customers' data as well. Loss of customer information is the biggest danger for a business: it undermines customer trust and can lead to the total destruction of the business.

From a financial standpoint, you might find yourself in a tricky situation of having to pay ransom to a hacker in order to regain access to your site.

Here are some other consequences of security breaches: malware distribution to your users, Google blacklisting, and problems with logging in and passwords.

As you can see, it’s important for each WordPress site owner to know how to protect themselves. Here are some simple steps to better WordPress security:

WordPress security best practices

1. Passwords and User Permissions

The easiest way for hackers to attack your site is to use your password. Password protection isn't a complex science: make every password unique to your site and make it a strong one.

Most novice users choose extremely weak passwords because they're easier to remember. In fact, you can use a password manager and stop worrying about forgetting your password. Password managers securely store all your passwords and notify you when a hacking attempt takes place.

Another mistake that WordPress site owners make is that they set up strong passwords for the admin area but totally forget about other passwords, such as FTP accounts, the hosting account, the database, and email addresses.

Be careful not to give admin access to everyone. Even if the person is a team member, there are numerous ways to invite them to the WordPress dashboard other than disclosing the admin password.

2. Two-factor Authentication

While most users have got used to Google's 2-factor authentication, many remain unaware that the same option is available in WordPress. Two-factor authentication is basically a process of verifying identity with two independent factors: something you know (a password) and something you have (a device).

In WordPress, you can set up 2-factor authentication that will use your mobile device as an additional security check. You can easily set up two-factor authentication with iThemes Security Pro plugin.

3. Regularly Change WordPress Salts

WordPress salts and keys are additional secrets for your site. They are stored in the wp-config.php file and are used to secure the authentication cookies that identify each logged-in user or commenter.

For better protection, you can try changing WordPress salts and keys using iThemes Security Pro or another similar plugin.

4. Keeping WordPress Updated

WordPress updates are crucial to the security of your site. There are two ways to install updates in WordPress: manually and automatically. Usually, minor updates are handled by WordPress itself. For major updates, you'll have to start them manually.

Since WordPress isn't only a website platform but also a repository of plugins and themes, you need to make sure that these components are updated on a regular basis as well. Updates are released by the plugin and theme developers, and the dashboard will ask you whether you want to install them.

5. Use Secure File Permissions

If your website files can be read and modified by any user on the server, then your site isn't protected properly. How can you adjust file and directory permissions? Keep your files between 400 and 444 and your directories between 700 and 744.

Again, you can use security plugins to make the necessary changes. But if you keep using permission mode 777, you're basically allowing any user on the server to read, modify and execute your files and folders.
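A report-only audit of a WordPress tree against the ranges given above, added here as an example (it is not code from the original post or from any plugin). It assumes GNU find, as found on Linux hosts, and takes the WordPress root directory as its argument:

```shell
#!/bin/sh
# Added example, not code from the original post: a report-only audit of a
# WordPress tree against the ranges quoted above (files 400-444, directories
# 700-744). Assumes GNU find for -perm /MODE and -printf (standard on Linux hosts).

# Files: any write or execute bit for anyone puts the mode outside 444.
wp_audit_files() {
    find "$1" -type f -perm /0333 -printf '%m %p\n' | sort
}

# Directories: any group/other write or execute bit puts the mode outside 744.
wp_audit_dirs() {
    find "$1" -type d -perm /0033 -printf '%m %p\n' | sort
}

# Summary for scripts and monitoring: prints "files=N dirs=M" on stdout and the
# offending paths on stderr. Always exits 0 so it is safe under 'set -e';
# act on the counts rather than on the exit status.
wp_perm_audit() {
    root=$1
    nfiles=$(wp_audit_files "$root" | wc -l | tr -d ' ')
    ndirs=$(wp_audit_dirs "$root" | wc -l | tr -d ' ')
    wp_audit_files "$root" | sed 's/^/file /' >&2
    wp_audit_dirs "$root" | sed 's/^/dir  /' >&2
    printf 'files=%s dirs=%s\n' "$nfiles" "$ndirs"
}

# Usage: wp_perm_audit /var/www/html
```

The script only reports. Directories that WordPress itself must write to (uploads, upgrades) will appear in the list, so review it before running chmod rather than tightening everything blindly.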

6. Disable directory indexing and browsing

Directory browsing is the web server listing the contents of a directory, including information about your plugins and themes, to anyone who requests it. It happens when the server doesn't find an index.php or index.html file in that directory.

You can check whether directory browsing is enabled. Simply create a text file in a directory and then visit that directory in a web browser. If you can see a link to the text file, directory browsing is enabled. If you see a "Page not found" message (or a 403 Forbidden response) instead, directory browsing is disabled.

So how do you disable directory browsing? Add "Options All -Indexes" to your .htaccess file, and also add blank index.php files to the wp-content/themes and wp-content/plugins folders.
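Both fixes above as an idempotent shell script, added here as an example (not code from the original post or from WordPress itself). It assumes an Apache host that honours .htaccess (AllowOverride Options), takes the WordPress root as its argument, and also covers wp-content and wp-content/uploads, which list just as readily as themes and plugins:

```shell
#!/bin/sh
# Added example, not code from the original post: apply both fixes above to the
# WordPress root passed as $1, and verify them. Idempotent, so it can be re-run
# after every update. Assumes an Apache host that honours .htaccess.

WP_INDEX_DIRS="wp-content wp-content/themes wp-content/plugins wp-content/uploads"

# Add "Options All -Indexes" to .htaccess unless a -Indexes directive is already there.
wp_disable_indexes() {
    htaccess="$1/.htaccess"
    [ -f "$htaccess" ] || : > "$htaccess"
    if ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$htaccess"; then
        # Start on a fresh line even if the existing file lacks a trailing newline.
        if [ -s "$htaccess" ] && [ -n "$(tail -c 1 "$htaccess")" ]; then
            echo >> "$htaccess"
        fi
        printf '%s\n' 'Options All -Indexes' >> "$htaccess"
    fi
}

# Drop a placeholder index.php into each listed directory that exists, so a
# server that ignores .htaccess still serves an empty page instead of a listing.
wp_add_index_files() {
    for d in $WP_INDEX_DIRS; do
        [ -d "$1/$d" ] || continue
        [ -f "$1/$d/index.php" ] || printf '<?php\n// Silence is golden.\n' > "$1/$d/index.php"
    done
}

# Report-only check: prints the number of missing protections (0 means all in place).
wp_check_indexes() {
    missing=0
    grep -Eqs '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" || missing=$((missing + 1))
    for d in $WP_INDEX_DIRS; do
        [ ! -d "$1/$d" ] || [ -f "$1/$d/index.php" ] || missing=$((missing + 1))
    done
    echo "$missing"
}

# Usage: wp_disable_indexes /var/www/html && wp_add_index_files /var/www/html
```

On nginx or a host that ignores .htaccess, only the index.php files take effect; there the equivalent is the server's own autoindex setting.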

7. Enable Web Firewall

You can also raise the security level of your site by enabling a web firewall. The firewall helps you block malicious traffic before it reaches your site. A Web Application Firewall (WAF) inspects HTTP/S traffic to and from a web application to protect against attempts to compromise the system or exfiltrate data.

8. Backup regularly

As with everything in life, prevention is the best medicine. Backups allow you to quickly restore your site when it gets hacked. Backups are easy to manage and can be scheduled to run automatically, so you don't really have to worry about anything. Save all backups to a remote location, not your WordPress hosting account, so that if the host is compromised you still have access to a backup.

You can easily backup your site using free or paid plugins. The most popular ones include VaultPress and BackupBuddy.

Final Word

All the aforementioned methods help raise the security level of your site, but no one can be completely certain when it comes to WordPress security. If a hack does happen, it's best to consult professionals. The major problem with a hacked website is that it remains very vulnerable to subsequent attacks if you don't close all the backdoors the hackers installed.

Additionally, remember that keeping your site secure is a never-ending process. You should always stay aware of the best practices and latest updates. But once you make WordPress security a priority, you'll have peace of mind.

Filed under: WordPress Development
