Keeping your WordPress site secure is easier with the right plan in place. This WordPress security checklist covers essential steps like installing firewalls, scanning for vulnerabilities, and protecting your backend and database. Whether you’re managing an eCommerce platform or a personal blog, following this guide ensures safety for visitors and shields your site from hackers. From encryption to plugin efficiency, every aspect of your site can benefit from these proven strategies.
For those looking to dig deeper, this guide also serves as a WordPress pentest checklist, helping you test and strengthen your website’s defenses. Learn how to maintain safe browsing, safeguard your themes, and ensure regular updates with automatic sync and patches. By following these steps, you’ll create a robust security framework that keeps your site running smoothly and securely.
1.) Protect Your WordPress Admin Area
Ensuring the safety of your WordPress admin area is crucial for maintaining your site’s protection. In this WordPress hardening checklist, we’ll walk you through key steps to safeguard your wp-admin area from unauthorized access and potential attacks. These practices focus on strengthening your site’s defense, from using strong login credentials to adding firewalls for extra shielding. By following this security protocols, you can enhance your WP site’s security and ensure your admin area remains safe and protected. This WordPress pentest checklist will help you implement the best defense strategies for your site or blog.
1.1 :- Use a Strong Username and Password
Start with a unique username and a strong password. Avoid using common names like “admin”. A good password should be a mix of letters, numbers, and symbols. This simple step can make a big difference in keeping your site secure.
1.2 :- Turn on Two-Factor Authentication (2FA)
Two-factor authentication (2FA) adds extra security. After entering your password, you’ll also need to confirm your identity, usually by entering a code sent to your phone. It’s an easy step that makes it much harder for hackers to access your admin area.
1.3 :- Limit Failed Login Attempts
To protect against brute-force attacks, set a limit on the number of failed login attempts. This way, if someone tries to guess your password, they’ll get locked out after too many incorrect tries.
1.4 :- Change the Login URL
WordPress has a default login URL, which makes it easy for hackers to find. Changing the URL to something unique will make it harder for attackers to target your admin area.
1.5 :-Restrict Login Access by IP
If possible, limit login access to specific IP addresses. This means only trusted devices or locations can log in to the admin area, adding another layer of protection.
Here’s a code you can add to your theme’s functions.php file:
function do_anything_administrator() { if (current_user_can('administrator')) { $ip = $_SERVER['REMOTE_ADDR']; $dataArray = json_decode(file_get_contents("http://www.geoplugin.net/json.gp?ip=" . $ip)); if (!empty($dataArray->geoplugin_request) && $dataArray->geoplugin_request != 'Your IP Add') { wp_logout(); exit; } } } add_action('admin_init', 'do_anything_administrator');
Or you can use .htaccess to limit IP access:
order deny,allow
Deny from all
# Allow your IP address
allow from xx.xxx.xx.xx
# Add additional IP addresses
allow from yy.yyy.yy.yy
2.) Enable HTTPS encryption by installing an SSL certificate.
In this WordPress website security checklist, HTTPS is critical for protecting your site from cyber threats. It encrypts data, making sure sensitive information like passwords and credit card numbers are safely transmitted. HTTPS also ensures that the data hasn’t been tampered with, providing both privacy and safety. With encryption and authentication, HTTPS helps shield your website from unauthorized access and potential attacks.
Additionally, HTTPS offers SEO benefits, as search engines favor secure sites. It also builds trust with users, who are more likely to stay on a secure website. For beginners, the free Let’s Encrypt version is a great way to get started with HTTPS. Always combine HTTPS with other security measures like firewalls, antivirus software, and two-factor authentication to ensure comprehensive protection and effective defense against cyber threats. To further enhance security, add the following code to your functions.php to force SSL for all actions.
define( 'FORCE_SSL_LOGIN', true ); // Only secrue the registration/login process define( 'FORCE_SSL_ADMIN', true ); // Force SSL for the whole WordPress admin
3.) Remove Readme File
One quick step to improve your WordPress website security is to remove the readme.html file. This file can give hackers useful information about your site, like which version of WordPress you’re using. By getting rid of it, you prevent unnecessary exposure of your server details.
It’s a simple but effective way to reduce your site’s vulnerability. Along with other steps like setting up a strong firewall, removing the readme.html file helps lower the chances of an attack, making it a smart addition to your security checklist.
4.) Stop Malicious Scripts
To enhance security and prevent malicious scripts from exploiting your site, you can add the following code to your wp-config.php file. This code blocks external HTTP requests by default, reducing the risk of unauthorized connections:
define( 'WP_HTTP_BLOCK_EXTERNAL', true ); // Block all external HTTP requests
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' ); // Only allow particular hosts
The first line blocks all external HTTP requests, while the second line whitelists specific trusted domains (like api.wordpress.org and *.github.com) that WordPress needs to access for updates and other features. This helps stop malicious scripts from connecting to your site while still ensuring essential functionality.
5.) Modifying Files
To improve the security of your WordPress site by restricting file modifications, you can add the following lines to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true ); // Disable the WordPress file editor in the admin panel define( 'DISALLOW_FILE_MODS', true ); // Prevent users from updating core, themes, or plugins define( 'IMAGE_EDIT_OVERWRITE', true ); // Allow image editing to overwrite the original files
6.) Remove WordPress Version
To enhance security and hide your WordPress version from potential attackers, you can add the following code to your functions.php file:
remove_action( 'wp_head', 'wp_generator' ); // Remove WordPress version from the HTML source
7.) Disable PHP Error Reporting
To boost your WordPress security, it’s essential to disable PHP error reporting. Displaying error messages can reveal details about your site’s structure, making it easier for attackers to exploit weaknesses. You can disable error reporting by adding the following code to your wp-config.php file:
define( 'WP_DEBUG', false ); // Disable WordPress debug mode define( 'WP_DEBUG_LOG', false ); // Disable logging errors to a file define( 'WP_DEBUG_DISPLAY', false ); // Prevent errors from showing on the site @ini_set( 'display_errors', 0 ); // Turn off PHP error display
8.) Change the Database Prefix
Changing the WP database prefix is a simple yet effective step to improve your site’s security. By default, WordPress uses the wp_ prefix, which is well-known to attackers. Changing it to a custom prefix makes it harder for hackers to guess your database tables. Additionally, to prevent SQL injection attacks, always use prepared statements and parameterized queries when interacting with the database. Regular WordPress security checks can help identify vulnerabilities and strengthen your site’s defense against common threats like SQL injection.
Note: When updating the database prefix, it’s not recommended to manually change the prefix in the wp-config.php file for any live website, blog, or eCommerce application. It’s safer to use a plugin specifically designed for this task, as it will ensure all necessary changes are made without causing any issues.
9.) Proper Permissions and Ownership
Setting the correct file and folder permissions is essential for WordPress security. For most files, use permissions of 644 and for directories, 755. Special attention should be given to the wp-config.php file, which holds sensitive information. Set its permissions to 440 or 400 to prevent unauthorized access. Regularly performing a WordPress security check to review file ownership and permissions helps safeguard your site from potential threats.
10.) Tuning .htaccess for WordPress Security
If you’re using a Linux hosting server, the .htaccess file is a powerful tool to enhance WP security. Properly configuring it can prevent unauthorized access to sensitive files and protect your site.
10.1 :- Protect .htaccess
Add the following code to your domain’s root .htaccess file to block external access:
# STRONG HTACCESS PROTECTION order allow,deny deny from all satisfy all
10.2 :- Disable Directory Browsing
Hackers can exploit directory browsing to find vulnerabilities. Prevent this by adding the following lines to your .htaccess file:
# Disable directory browsing Options All -Indexes
10.3 :- Protect wp-config.php
The wp-config.php file is critical for your WordPress site. Secure it by adding this code:
# Protect wp-config.php order allow,deny deny from all
10.4 :- Prevent SQL Injection
To protect your WordPress site from SQL injection attacks, add the following code to the end of your .htaccess file in the root directory:
# Protect from SQL injection Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L]
This code helps block malicious queries that target vulnerabilities in your database. Regularly reviewing such configurations as part of a WordPress security check is essential for keeping your site safe.
11.) Disable XML-RPC via PHP Code
Disabling XML-RPC via PHP is a simple way to improve WP security. Add the following code to your theme’s functions.php file:
// Disable XML-RPC add_filter( 'xmlrpc_enabled', '__return_false' );
This disables XML-RPC functionality, reducing the risk of brute-force and DDoS attacks. Including this step in your WordPress security tips helps safeguard your website from potential threats.
12.) Block Hotlinking
Blocking hotlinking prevents other websites from stealing your media files and overloading your server. For Apache servers, add this code to your .htaccess file:
# Block Hotlinking RewriteEngine On RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com/ [NC] RewriteRule \.(jpg|jpeg|png|gif|mp4)$ - [F,NC,L]
For Nginx, include this snippet in your configuration:
# Block Hotlinking location ~ .*\.(jpg|jpeg|png|gif|mp4)$ { valid_referers none blocked yourdomain.com *.yourdomain.com; if ($invalid_referer) { return 403; } }
Adding these rules to your WordPress pentest checklist helps secure your media and save server resources.
13.) Update SALT Security Keys
SALT security keys encrypt sensitive information, such as user sessions and login cookies. Regularly updating them strengthens your WordPress security. Follow these steps to update your SALT keys:
12.1 :- Generate New Keys
Visit the WordPress SALT Key Generator to get fresh keys.
12.2 :- Edit the wp-config.php File
Open your site’s wp-config.php file and locate the section with the following lines:
define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
12.3 :- Replace the Keys
Paste the newly generated keys over the existing ones and save the file.
14.) Use Some Good Security Plugins
Once you’ve set up the basics of your site’s security, it’s a good idea to take things further with trusted WordPress security plugins. Extentions like Wordfence, WPScan, All-in-One WP Security, and Jetpack offer key features such as firewalls, malware scanning, and access controls. These tools help protect your site from cyberattacks, phishing attempts, and vulnerabilities, making sure your users stay safe.
Additionally, using these plugins can save you the extra costs of relying on hosting security services like Kinsta Security, WP Engine Global Edge Security, or SiteGround Security. These services cover everything from network security to data encryption and risk assessments. By integrating security plugins, you boost your site’s defenses while staying on top of best IT security practices.
Conclusion
To wrap things up, following a solid WordPress security checklist is crucial for safeguarding your site against potential threats. Regularly assessing vulnerabilities, conducting threat analysis, and focusing on hardening your site are essential practices to ensure ongoing protection. By selecting good themes and plugins and promoting safe browsing habits, you can greatly reduce the risk of fraud and breaches.
Also, using a virtual assistant to monitor security or carrying out periodic penetration tests helps spot weaknesses early on. Staying updated with the latest code snippets and security methods can reinforce your defenses. By implementing these strategies, you’ll strengthen your site’s security and create a safer environment for both you and your users.