Improve the security of your WordPress site
WordPress is the most used CMS in the world: currently, around 40% of all websites run on WordPress. Unfortunately, due to its popularity, it is also a very popular target for hackers. That's why we recommend that you take care of the security of your WordPress website to protect it against hackers.
In this article we have compiled a list of recommendations you can implement to guarantee a more secure WordPress site.
- Always update
- Remove plugins and themes you don't use
- Monitor the status of your website
- Protect the wp-admin directory with a password
- Create a custom username for WP Admin
- Disable PHP execution in your uploads directory
Keep WordPress updated
WordPress releases may include fixes to security issues, which is why you should always update WordPress as soon as a new release is available.
The release notes make this urgent: each WordPress release describes what it fixed, including security issues, so anyone who reads them knows exactly what to try against sites that have not been updated yet.
You can easily update your WordPress version, plugins and themes in your WP Admin. If you don't have access to WP Admin, you can also update your WordPress installation manually.
In addition to the WordPress installation, it's also important to regularly check if updates are available for your installed plugins and themes.
Did you know?
If you don't want the hassle of updating manually, read more about one.com's Managed WP and its integrated Update Manager.
Remove plugins and themes you don't use
Every plugin and theme you have installed can pose a security risk, so the fewer you have, the better.
We recommend removing all themes you don't use, but keep one default WordPress theme (Twenty Nineteen, Twenty Twenty, etc.) as a fallback: WordPress switches to it if your active theme breaks. The same goes for plugins that you no longer need. You can remove them directly via your WP Admin or delete them from your webspace.
This also applies to unnecessary WordPress installations you may have on your web space, which could have been created for testing purposes or as a backup. These can also be vulnerable to hackers.
Tip: Only install plugins and themes from trusted sources. If you find a free version of a theme you normally need to pay for, there is a big risk that it comes with "free" malware.
Monitor the status of your website
Make sure you have the free one.com parent plugin installed to benefit from its helpful website-analysing features like Health Monitor.
Health Monitor runs basic checks on your website: for example, it checks if you are using the latest WordPress version. This tool allows you to keep an eye on essential security and performance checkpoints and informs you about issues that need to be fixed. Depending on whether everything is okay, you'll get either "All Good" or a list of recommendations regarding what needs to be taken care of.
Tip: With Health Monitor Pro, included in the Managed WP add-on, you can fix issues with just one click.
Protect the wp-admin directory with a password
Protect your wp-admin folder with a password to block hackers and add an extra security layer in front of WP Admin.
You can follow our guide to protect your website with .htaccess. Make sure to protect only the wp-admin directory and not the whole site; otherwise your website will not be reachable by visitors. Place the files inside the wp-admin folder. Two things to check afterwards: wp-admin/admin-ajax.php is also called by the public front end (themes and plugins use it for visitors), so exclude it from the password rule or those features stop working; and keep the .htpasswd file where the web server cannot serve it (Apache refuses requests for files beginning with .ht by default, but a location outside the web root is safer).
Note: If there already is an .htaccess file in the wp-admin directory, add the generated code to the existing file instead of replacing it.
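The following is an added example, not code from this article or from one.com. It generates the two files the guide describes: a .htpasswd entry in the APR1-MD5 format that Apache's htpasswd writes by default (re-implemented here so it runs without the htpasswd binary; prefer `htpasswd -B` bcrypt entries when your host supports them), and the .htaccess rules, appended to an existing .htaccess rather than replacing it, with admin-ajax.php and admin-post.php left reachable. The directory names, the user name and the password are assumptions for the demo.

```python
"""Password-protect wp-admin with HTTP Basic auth (added example)."""
import hashlib
import secrets
from pathlib import Path

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Apache's to64(): 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """apr_md5_encode(): returns $apr1$<salt>$<22 chars>.
    Check it against `htpasswd -nbm user pass` on a machine that has Apache."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in the alternate sum, 16 bytes per round
        ctx.update(alt[: min(16, n)])
        n -= 16
    i = len(pw)
    while i:                          # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching loop, exactly as in APR
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def htpasswd_entry(username: str, password: str) -> str:
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_md5(password, salt)}"


def check_entry(entry: str, username: str, password: str) -> bool:
    """What Apache does per request: recompute with the stored salt and compare."""
    user, _, stored = entry.partition(":")
    parts = stored.split("$")
    if user != username or len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_md5(password, parts[2]), stored)


HTACCESS_RULES = """\
# --- wp-admin password protection (added by this example) ---
AuthType Basic
AuthName "Restricted area"
AuthUserFile {htpasswd}
Require valid-user

# The public front end calls these two files; keep them reachable or
# visitor-facing features of themes and plugins break.
# Apache 2.2 equivalent: Order allow,deny / Allow from all / Satisfy any
<FilesMatch "^(admin-ajax|admin-post)\\.php$">
    Require all granted
</FilesMatch>
"""


def protect_wp_admin(wp_admin_dir: Path, htpasswd_path: Path, username: str, password: str) -> str:
    """Write .htpasswd and append the rules to wp-admin/.htaccess, never overwriting it."""
    htpasswd_path.write_text(htpasswd_entry(username, password) + "\n")
    htaccess = wp_admin_dir / ".htaccess"
    existing = htaccess.read_text() if htaccess.exists() else ""
    rules = HTACCESS_RULES.format(htpasswd=htpasswd_path.resolve())
    if rules not in existing:
        sep = "\n" if existing and not existing.endswith("\n") else ""
        htaccess.write_text(existing + sep + rules)
    return htaccess.read_text()


def demo() -> dict:
    """Run everything in a scratch directory (constructed sample, not a real site)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        wp_admin = Path(tmp) / "wp-admin"
        wp_admin.mkdir()
        (wp_admin / ".htaccess").write_text("# pre-existing rule\nOptions -Indexes\n")
        htpasswd = Path(tmp) / ".htpasswd"   # assumed location outside the web root
        htaccess = protect_wp_admin(wp_admin, htpasswd, "siteowner", "correct horse battery")
        entry = htpasswd.read_text().strip()
        return {"htaccess": htaccess, "entry": entry,
                "ok": check_entry(entry, "siteowner", "correct horse battery"),
                "wrong_pw": check_entry(entry, "siteowner", "password123")}


if __name__ == "__main__":
    print(demo()["htaccess"])
```

The `Require all granted` block relies on Apache 2.4 authorization merging: a section that sets its own `Require` replaces the directory-level `Require valid-user` for the files it matches. Point `AuthUserFile` at an absolute path, and remember that Basic auth sends the password in every request, so this only adds protection on a site served over HTTPS.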
Another way to prevent hackers from exploiting your WordPress site is to redirect your WordPress login page through your Control Panel with Advanced Login Protection.
Create a custom administrative username
Hackers often try to access WP Admin with a Brute Force Attack, where bots try millions of different passwords and usernames to find the right combination for logging in. We recommend creating a unique username instead of "admin" to make it more difficult to guess your login details. Keep in mind that WordPress shows usernames in public places (for example in author archive URLs), so a custom username only raises the bar a little; a long, unique password remains the main defence.
You can change your administrative username in phpMyAdmin, in the wp_users table. Check out our guide on how to access the database:
Once you are logged in:
- Locate the table called wp_users (the table prefix depends on your installation, so it may be called something like 0_users).
- Find the admin username and click Edit.
- Under user_login, enter a new username in the Value field.
- Click Go to save.
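The same change expressed as SQL, as an added example that is not part of this article: the UPDATE below is what phpMyAdmin runs when you save the edited row. It is demonstrated against a constructed in-memory SQLite copy of the relevant wp_users columns (the real table is MySQL, and your prefix may differ). It also updates user_nicename, which phpMyAdmin's row editor does not do for you: that column is the author slug WordPress puts in author archive URLs, so leaving it as "admin" would still reveal the old name. The sample row and the new user name are assumptions.

```python
"""Rename the WordPress admin user in the users table (added example)."""
import re
import sqlite3


def open_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a wp_users table with the columns that matter here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE, "
        "user_nicename TEXT, display_name TEXT, user_email TEXT)"
    )
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', 'admin', 'admin', 'admin@example.com')")
    conn.commit()
    return conn


def slug(name: str) -> str:
    """Approximation of WordPress' sanitize_title(): lower case, spaces to dashes."""
    return re.sub(r"[^a-z0-9_-]+", "-", name.strip().lower()).strip("-")


def rename_user(conn: sqlite3.Connection, old_login: str, new_login: str) -> tuple:
    """The UPDATE you would run in phpMyAdmin's SQL tab, parameterised so a quote in
    the new name cannot break the statement. Returns the row after the change."""
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ?, user_nicename = ? WHERE user_login = ?",
        (new_login, slug(new_login), old_login),
    )
    if cur.rowcount != 1:
        raise LookupError(f"expected exactly one row named {old_login!r}, got {cur.rowcount}")
    conn.commit()
    return conn.execute(
        "SELECT user_login, user_nicename, display_name FROM wp_users WHERE user_login = ?",
        (new_login,),
    ).fetchone()


def login_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT user_login FROM wp_users ORDER BY ID")]


if __name__ == "__main__":
    db = open_sample_db()
    print(rename_user(db, "admin", "Site Owner 42"))   # display_name is still 'admin'
```

Note that display_name is untouched: it is what bylines show to visitors, and you change it in WP Admin under Users, Profile, rather than in the database.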
Disable PHP execution in your uploads directory
If you have done a manual installation of WordPress, we recommend disabling PHP execution in your uploads folder. If you have used the 1-click installer, you can skip this section. For 1-click WordPress installations, PHP execution is disabled by default.
It is common for a PHP backdoor to be dropped into the uploads directory, because it is the one place the web server must be allowed to write to. From there, malware spreads to other locations on your site. You cannot always prevent the backdoor from being written, but you can stop the web server from executing it when it is requested, which turns it into an inert file. One limit to keep in mind: the rule only covers direct requests, so a backdoor that another vulnerable PHP script on the site includes will still run.
You can disable PHP execution by adding these lines of code to your .htaccess file located inside the uploads folder (wp-content/uploads).
# Block executables
# "deny from all" is Apache 2.2 syntax; on Apache 2.4 it only works with
# mod_access_compat loaded, the native 2.4 form is "Require all denied".
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
deny from all
</FilesMatch>
Check out our guide on creating a .htaccess file and disable file execution for all necessary steps.
Note: If you already have an existing .htaccess file in your uploads directory, you don't need to create a new file. Instead, you can add the code to the existing file.
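An added check, not part of this article: the snippet below runs the FilesMatch pattern from above against a constructed list of file names the way Apache does (a regex search over the base name) and compares it with a hardened pattern. The point it makes is that the original pattern is anchored at the end of the name and is case-sensitive, so it misses shell.php.jpg (which mod_mime's AddHandler treats as PHP because every extension counts) and shell.PHP (extensions are matched case-insensitively by mod_mime), as well as .phar. Whether those names actually execute depends on how PHP is hooked into your Apache, so the hardened pattern is written to be safe either way. The sample file names are constructed.

```python
"""Audit the uploads-directory FilesMatch rule against sample file names (added example)."""
import re

# The pattern from the article, verbatim.
ORIGINAL_PATTERN = r"\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$"

# Hardened: case-insensitive, covers php3..php7/phar/phps, and matches the
# extension anywhere in the name (followed by another dot or the end).
HARDENED_PATTERN = r"(?i)\.(ph(p[3-7]?|tml|ar|ps)|pl|py|jsp|asp|s?html?|sh|cgi|suspected)(\.|$)"

# Constructed sample: what a scanner might find in wp-content/uploads.
SAMPLE_FILES = [
    "image.jpg",            # legitimate upload
    "report.phase1.pdf",    # legitimate, ".ph" must not trigger a false positive
    "shell.php",            # plain backdoor
    "shell.PHP",            # case trick
    "shell.php.jpg",        # double extension trick
    "backdoor.phar",        # PHP archive
    "evil.php.suspected",   # already renamed by a malware scanner
]


def blocked(pattern: str, filename: str) -> bool:
    """Apache applies FilesMatch to the base name, unanchored unless the regex anchors itself."""
    return re.search(pattern, filename) is not None


def audit(filenames) -> dict:
    """Map each name to (blocked by original rule, blocked by hardened rule)."""
    return {f: (blocked(ORIGINAL_PATTERN, f), blocked(HARDENED_PATTERN, f)) for f in filenames}


def hardened_htaccess() -> str:
    """Drop-in for wp-content/uploads/.htaccess on Apache 2.4 (assumed syntax target)."""
    return (
        "# Block direct requests for anything executable (hardened example)\n"
        f'<FilesMatch "{HARDENED_PATTERN}">\n'
        "    Require all denied\n"
        "</FilesMatch>\n"
    )


if __name__ == "__main__":
    for name, (orig, hard) in audit(SAMPLE_FILES).items():
        print(f"{name:22} original={'BLOCK' if orig else 'allow':5} hardened={'BLOCK' if hard else 'allow'}")
    print(hardened_htaccess())
```

After changing the rule, request a harmless test file such as uploads/test.php.jpg (containing only text) and confirm you get 403 rather than the file contents; that is the quickest way to check the rule is actually being read on your host.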