WordPress is the most used CMS in the world. Currently, around 40% of all websites run on WordPress. Unfortunately, due to its popularity, it is also very popular with hackers. That's why we recommend that you add some extra security to your WordPress website to minimise the risk of getting hacked.
Below we have compiled a list of recommendations you can implement to guarantee a more secure WordPress site:
- Always update
- Remove plugins and themes you don't use
- Monitor the status of your website
- Protect the wp-admin directory with a password
- Create a custom administrative username
- Disable PHP execution in your uploads directory
Part of WordPress updates fix security issues that hackers could exploit, so it is essential to update as soon as possible. You can easily update your WordPress version, plugins and themes from your WP Admin. If you don't have access to your WP Admin, you can also update your core installation manually.
Besides your core WordPress installation, it is also essential to regularly check if updates are available for your installed plugins and themes.
Tip: If you don't want the hassle of updating manually, read more about one.com's Managed WordPress and its integrated Update Manager.
Remove plugins and themes you don't use
Every plugin and theme you have installed can pose a security risk, so the fewer you have, the better.
We recommend removing all themes you don't use, except the default WordPress themes (Twenty Nineteen, Twenty Twenty, etc.). The same goes for plugins that you no longer need. You can remove them directly via your WP Admin or delete them from your webspace.
This also applies to any old WordPress installations you might have on your web space, maybe for testing purposes or as a backup. These are also vulnerable to hacks.
Tip: Only install plugins and themes from trusted sources. If you find a free version of a theme you normally need to pay for, there is a big risk that it comes with "free" malware.
Monitor the status of your website
Make sure you have the free one.com parent plugin installed to benefit from its helpful website-analysing features like Health Monitor.
Health Monitor runs basic checks of the website, for example, if you are using the latest WordPress version. This tool allows you to keep an eye on essential security and performance checkpoints and informs you about issues that need to be fixed. Depending on whether everything is okay, you'll get either "All Good" or a list of recommendations regarding what needs to be taken care of.
Tip: With Health Monitor Pro, included in the Managed WordPress add-on, you can fix such issues with just one mouseclick.
Protect the wp-admin directory with a password
Block hackers and protect your wp-admin folder with a password, adding an extra security layer to your WordPress administration.
You can follow our guide to protect your website with .htaccess. Make sure to protect only the wp-admin directory and not the whole site. Otherwise, your website will not be reachable. Place the files inside the wp-admin folder.
Note: If there already is an .htaccess file in the wp-admin directory, add the generated code to the existing file. Don't replace it.
Another way of preventing hackers from exploiting your WordPress site is by redirecting your WordPress login page through your control panel with Advanced Login Protection.
Create a custom administrative username
Hackers often try to access your WP Admin with a Brute Force Attack, where robots try millions of different password and username combinations to log in. We recommend creating a unique username to make it more difficult to guess your login details.
You can change the administrative username in phpMyAdmin, in the wp_users table. Check out our guide on how to access your database.
Once you are logged in:
- Locate the table called wp_users (can also be called 0_users).
- Find the admin username and click Edit.
- Under user_login, enter a new username in the Value field.
- Click Go to save.
Disable PHP execution in your uploads directory
If you have done a manual installation of WordPress, we recommend disabling PHP execution in your uploads folder. If you have used the 1-click installer, you can skip this section. For 1-click WordPress installations, PHP execution is disabled by default.
It is common for a PHP backdoor to be located in the uploads directory. From there on, malware is spread to other locations on your site. You cannot prevent the backdoor from being uploaded, but you can block it from spreading anywhere else by disabling PHP execution.
You can disable PHP execution by adding these lines of code to your .htaccess file located inside the uploads folder (wp-content/uploads).
# Block executables <FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$"> deny from all </FilesMatch>
Check out our guide on creating a .htaccess file and disable file execution for all necessary steps.
Note: If you already have an existing .htaccess file in your uploads directory, you don't need to create a new file. Instead, you can add the code to the existing file.