WordPress security

The Ultimate WordPress security guide for 2024



The Ultimate WordPress Security Checklist is an indispensable resource for website owners seeking to fortify their online presence. In an era where cyber threats loom large, ensuring a secure WordPress environment is paramount. This checklist offers a comprehensive array of strategies and best practices to secure WordPress websites effectively. From keeping WordPress, themes, and plugins updated to implementing robust password policies and enabling two-factor authentication, every aspect of securing a WordPress site is covered. By diligently following these guidelines, website owners can confidently navigate the digital landscape with a secure WordPress foundation, safeguarding their online assets against potential threats. With the Ultimate WordPress Security Checklist, achieving a truly secure WordPress environment has never been more attainable.


Update WordPress

  • Go to your web hosting provider's website
  • Log in and go to the dashboard
  • Click on the Updates screen, then scroll down
Updates WordPress
  • After you scroll down you will see the currently installed WordPress version, with the option to check again for the latest version or to re-install it.
  • If there is a new version of WordPress, click the Update Now button to install it.
  • You shouldn't need to do anything else; once it's finished, you will be up to date.

Choose reputable WordPress theme

Every WordPress website needs a theme, and when choosing one you should look for the following criteria:

  • Reviews: check recent reviews and make sure the theme has good reviews overall. In this example we are looking at the Astra WordPress theme.
Astra WordPress theme
  • Maintenance: make sure the developer keeps the theme updated.

For instance, let's say you want to install Astra as the theme for your WordPress website; all you have to do is:

  • Navigate to WordPress themes
  • Search for Astra in the search box
  • Select the theme
  • Look for Last Updated
Astra WordPress theme last updated
  • Responsiveness: make sure the theme you select is responsive and designed mobile first (for smaller screens). With more than half of traffic coming from smartphones and tablets, you will be designing for the majority of your audience.
  • Performance: choose a theme that offers only the features you need so that your website loads fast. A theme loaded with features you don't need makes your website slower, which hurts your ranking in search engines, and visitors leave a slow website quickly.

Update WordPress themes and plugins

Updating WordPress plugins comes with many benefits: enhanced security, bug fixes, better performance, new features and continued compatibility.

To update WordPress plugins:

  • Go to your web hosting provider's website
  • Click Login
  • Go to the dashboard
  • Click on Plugins; once you are in, scroll down and you will see the list of installed plugins.
WordPress plugins settings

To find out which plugins have updates, use the filter at the top of the list shown in the image below, which lets you show only plugins with Update Available. Click on Update Available.

WordPress plugins updates

Now you should see a page listing all plugins that have updates.

List of WordPress plugins needs to be updated

There are two ways to update plugins in WordPress:

1- You can update plugins individually: select the plugin(s) and then click Update.

Update WordPress plugin step 1

2- Or update all plugins at once.

Update all WordPress plugins step 2

Use stronger unique username and password

Having a unique username and a strong password makes it harder for attackers to guess your web hosting account credentials.

If you need information about how to create a stronger password, check out this FREE guide created by HostPapa. Click here for more details.

Enable two-step authentication

This feature double-checks that the person logging in is really you: after the password, a second proof of identity is required.

Enabling this feature helps to keep your account information safe and secure.

Below is a list of providers offering FREE tutorials on how to enable the feature

Backup your WordPress

Making regular backups of your WordPress website lets you restore the site if the database gets erased or corrupted.

Having a backup enables you to quickly restore your website and get your site back to normal.

There are many options/tools you can use to back up your website; we recommend UpdraftPlus.

UpdraftPlus is one of the most popular WordPress backup plugins, with over 3 million installations. It allows you to back up and restore your site, and you have the option to back up to a cloud service of your choice such as Dropbox, Google Drive, Amazon S3 and Rackspace; with the premium version you can also back up to Microsoft OneDrive, Microsoft Azure, SFTP and WebDAV.

With UpdraftPlus you can use the FREE version or get the premium version, which offers more features, for example incremental backups, dedicated support and more.

The UpdraftPlus subscription comes with different plans such as Enterprise, Agency, Business, Personal or Gold, each with different pricing and features. Click here to view/Buy now.

To back up your site with UpdraftPlus, all you have to do is install > activate > set up the plugin to start backing up your website to your chosen cloud platform.

Remove unused plugins and themes

Keeping unused WordPress plugins and themes installed can have an impact on your website:

  • Security: unused plugins and themes become a security risk if they are not regularly updated. Attackers can exploit vulnerabilities in outdated plugins and themes to gain access to your site and cause harm, even if the plugin or theme is inactive.
  • Performance: having too many plugins and themes installed can slow down your website. Each one adds code and resources that need to be loaded, which affects your site's performance and load times, and this in turn affects your ranking in search engines, since Google penalises slow websites.
  • Clutter: unused plugins and themes clutter your WordPress dashboard, making it harder to find and manage the ones you actually use. Removing them helps streamline your workflow and improves productivity.
  • Resource usage: even when not active, plugins and themes can consume server resources. Removing them frees up resources for other essential tasks, improving overall server performance.

Limit login attempts

By default WordPress doesn't limit the number of times you can attempt to log in. Attackers take advantage of this by trying passwords over and over (a brute-force attack) to take control of your website.

There are many plugins you can use to limit the number of login attempts.

Limit Login Attempts Reloaded is a WordPress plugin with free and paid options.

Click here to download the plugin
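The mechanism such a plugin implements can be seen in the following minimal version, written here as an added example rather than the code of Limit Login Attempts Reloaded. It uses only WordPress core hooks (wp_login_failed, wp_login, authenticate) and transients; the file name, the EXAMPLE_LT_* constants and the five-attempts / fifteen-minute limits are assumptions you can change.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example of per-IP login rate limiting using WordPress
 * transients. Not the Limit Login Attempts Reloaded plugin. Save as
 * wp-content/mu-plugins/example-login-throttle.php (assumed file name).
 */

define( 'EXAMPLE_LT_MAX_ATTEMPTS', 5 );                  // failures allowed per window (assumed value)
define( 'EXAMPLE_LT_WINDOW', 15 * MINUTE_IN_SECONDS );  // counting / lock-out window (assumed value)

/**
 * Transient key for the requesting client. REMOTE_ADDR is assumed to be the
 * real client address: behind a reverse proxy or CDN every visitor would share
 * the proxy's address and one counter, so have the web server map the
 * forwarded-for header to REMOTE_ADDR first instead of trusting it here.
 */
function example_lt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lt_' . md5( $ip );
}

// Count every failed login. Re-setting the transient also restarts its expiry,
// so a client that keeps trying stays locked out until it stops for a full window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = example_lt_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, EXAMPLE_LT_WINDOW );
} );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( example_lt_key() );
} );

// Refuse authentication while the client is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20), so a locked-out client
// receives the lock-out error even when it finally supplies the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_lt_key() ) >= EXAMPLE_LT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Please try again in %d minutes.',
                     EXAMPLE_LT_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );
```

Per-IP throttling slows down a single source but not an attack spread over many addresses, and it can lock out colleagues who share one office address, so it complements the strong unique password and two-step authentication steps above rather than replacing them.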

Install SSL certificate

Installing an SSL certificate establishes an encrypted connection between the website and its users, so data in transit cannot be read or tampered with.

To install an SSL certificate you can read our FREE tutorial on how to fix "site not secure", which covers many areas including how to install an SSL certificate on your WordPress website.

Hide WordPress version

Hiding the WordPress version makes it harder for attackers to identify your site as running a version with known vulnerabilities.

To hide the WordPress version, follow the steps below.

Using Plugin

For users of the Really Simple SSL plugin:

1- Log in to WordPress
2- Dashboard
3- Plugins
4- Search for the Really Simple SSL plugin
5- Click Settings and you will be taken to its dashboard

Really Simple SSL gives a list of recommendations and, as you can see, one of them is the option to hide the WordPress version; simply click on View.

really simple ssl dashboard

Next, enable Hide your WordPress version and click Save and Continue.

really simple ssl settings

Using Code

1- Log in to WordPress
2- Dashboard
3- Appearance
4- Theme File Editor
5- Select Theme Functions (functions.php)

Theme function file

6- Paste this code, as shown in the image below:

remove_action( 'wp_head', 'wp_generator' );

remove WordPress version code

Once you have pasted the code, scroll down and click Update File.
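That single remove_action line only removes the generator tag from the HTML head; WordPress also prints the version in RSS/Atom feeds and appends it as ?ver= to every core script and stylesheet. The following is an added example (not code from the guide, and not WordPress's own) that covers those places too; the function name example_strip_core_version_query is an assumption, while every hook and helper it calls is a WordPress core API.

```php
<?php
/**
 * Added example: hide the WordPress version number everywhere it is normally
 * exposed, not only in the <head> generator tag. Put this in your child
 * theme's functions.php or, better, in a file under wp-content/mu-plugins/
 * so it survives a theme switch.
 */

// 1. Remove <meta name="generator" content="WordPress x.y"> from the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// 2. The version is also printed in RSS/Atom feeds by the_generator();
//    returning an empty string blanks it there as well.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * 3. Core scripts and styles are enqueued as e.g. style.css?ver=6.5.2, which
 *    repeats the version in every page source. Strip the ?ver= argument only
 *    when it equals the core version, so plugin and theme assets keep their
 *    own version strings for cache busting.
 *
 * Function name is an assumption of this example.
 */
function example_strip_core_version_query( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version_query', 10, 1 );
add_filter( 'script_loader_src', 'example_strip_core_version_query', 10, 1 );
```

Hiding the number removes the easy fingerprint but does not change what is actually installed, so it only adds value on top of the Update WordPress step at the start of this guide.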

Use a secure web host

Using a secure web host is crucial for maintaining a safe and reliable website. A secure web host implements robust security measures, such as firewalls, malware scanning and regular updates, to protect your site from cyber threats. By choosing a reputable web host, you can ensure that your website remains secure and accessible to your visitors.

Below is a list of reputable web host providers you can choose from

Disable theme editor and plugin editor

Disabling the theme and plugin editors in WordPress is a security best practice that helps prevent unauthorized access to your site’s code. By removing the ability to edit themes and plugins from the WordPress dashboard, you reduce the risk of malicious users injecting harmful code into your site. It’s a simple yet effective way to enhance the security of your WordPress website.

To disable both the theme and plugin editor:

1- Log in to WordPress
2- Select Settings as shown in the image below (the way to find the settings might be different in your case, since your web host provider might have a different layout; in this example we are using Bluehost)

Edit WordPress website

3- Click on File Manager

file manager

Search for wp-config.php, then right-click and select Edit

file manager dashboard

Paste the following code after the opening <?php tag:

define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );

Once complete, click Save Changes.

Change WordPress Login Page URL


Changing the WordPress login page URL is a security measure that can help protect your website from unauthorized access.

By default, the login page of every WordPress website is at yourdomain.com/wp-admin.

Using the default URL makes it easy for attackers to find and target your login page.

Plugins like WPS Hide Login let you set a custom login URL for your WordPress website.

Scan your WordPress site for malware

According to the AV-TEST Institute, it registers over 450,000 new malicious programs (malware) and potentially unwanted applications (PUA) every day.

total malware

Regular malware scans are crucial for maintaining the security of your WordPress site, as attackers continually evolve their tactics to develop new threats.

We recommend installing one of these security plugins on your site:

  • Wordfence Security – Firewall, Malware Scan, and Login Security: a security plugin that protects against commonly exploited vulnerabilities; it also blocks attacks against vulnerabilities specific to WordPress plugins, attempts to upload malicious files, and brute-force login attempts.
  • Really Simple SSL: helps you configure your website to use SSL, adds extra security features to protect your website, and also improves your SEO rankings.
  • Shield Security: a security plugin for WordPress that provides protection and intrusion prevention rather than repair after the fact. With Shield, your site starts to block visitors as they probe it looking for vulnerabilities, before they can do any damage.
  • BulletProof Security: malware scanner, firewall, login security, DB backup, anti-spam; click here to view the features (scroll down to BulletProof Security Feature Highlights).
  • WordPress security: includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more.

Disable error reporting

PHP error messages can disclose internals such as file paths, database details and plugin names to visitors, which is a security risk and also hurts the user experience.

Follow the steps below to turn off PHP error reporting.

1- Log in to WordPress
2- Select Settings as shown in the image below (the way to find the settings might be different in your case, since your web host provider might have a different layout; in this example we are using Bluehost)

Edit WordPress website

3- Click on File Manager

file manager

Search for wp-config.php, then right-click and select Edit

file manager disabled

Inside your wp-config.php file, look for the following line:

define( 'WP_DEBUG', true );

If the setting is already present in the file with debugging turned off, it will look like this:

define( 'WP_DEBUG', false );

Next, replace this line with the code shown in the image below:

Code to turn off PHP errors inside wp-config.php file

Once complete, click Save Changes.
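The following is an added example, not the screenshot from the guide, of the wp-config.php lines that cover both the "Disable theme editor and plugin editor" section above and this section. Every constant is a WordPress core constant; the choice of values and the comments are this example's suggestions.

```php
<?php
// Added example: wp-config.php hardening lines for the two sections above.
// Place them after the opening <?php tag and before the line that reads
// /* That's all, stop editing! Happy publishing. */

// --- Disable the in-dashboard theme and plugin file editors ----------------
define( 'DISALLOW_FILE_EDIT', true );   // removes Appearance > Theme File Editor and Plugins > Plugin File Editor
define( 'DISALLOW_FILE_MODS', true );   // also blocks installing and updating plugins, themes and core from the
                                        // dashboard (and automatic updates); only keep this if you update by
                                        // another route, otherwise the Update WordPress steps above stop working

// --- Stop PHP errors from being shown to visitors --------------------------
define( 'WP_DEBUG',         false );    // master switch: no debug notices are generated
define( 'WP_DEBUG_DISPLAY', false );    // never print errors into the HTML, even if WP_DEBUG is switched on later
define( 'WP_DEBUG_LOG',     false );    // set to true (or to a file path) to write errors to wp-content/debug.log instead
@ini_set( 'display_errors', '0' );      // covers errors raised before WordPress applies the constants above
```

Setting WP_DEBUG_DISPLAY to false alongside WP_DEBUG is what makes the change safe: when someone later turns debugging on to investigate a problem, the messages go to the log file rather than to every visitor's browser.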

Disabling Directory Browsing in WordPress


Disabling directory browsing in WordPress is an essential security measure to protect your website from potential vulnerabilities. By default, WordPress allows users to see the contents of directories on your server if there is no index file present.

The problem is that attackers can exploit this feature to gain access to sensitive information or exploit vulnerabilities in your site. Disabling directory browsing ensures that visitors cannot view the contents of directories, enhancing the security of your WordPress site.

How to check whether directory browsing is enabled in WordPress

The easiest way to find out is to visit yourwebsite.com/wp-includes/

If you get 403 Forbidden, directory browsing is already disabled on your WordPress website.

Forbidden

But if you see a list of files instead of Forbidden, directory browsing is enabled on your website.

How to disable directory browsing in WordPress

To turn off the feature in WordPress you need to add a line to your .htaccess file.

To make the change to the .htaccess file:

1- Log in to WordPress
2- Select Settings as shown in the image below (the way to find the settings might be different in your case, since your web host provider might have a different layout; in this example we are using Bluehost)

Edit WordPress website

3- Click on File Manager

file manager

Search for .htaccess, then right-click and select Edit

Add this line to the file, like this:

Options -Indexes

edit-htaccess-file

Once complete, click Save Changes.

Now if you visit yourwebsite.com/wp-includes/ you get 403 Forbidden.

Forbidden error
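The manual check above can be repeated for the other directories WordPress leaves without an index file, and after every hosting or .htaccess change. The following is an added example, not part of the guide, of a small command-line PHP script that performs that check against your own site; example.com is a placeholder for your domain, and the EXAMPLE_PATHS list and function names are assumptions.

```php
<?php
/**
 * Added example: check your own site for directory listings.
 * Usage:  php check-listing.php https://example.com
 * (example.com is a placeholder; use your own domain.)
 */

// Directories a stock WordPress install ships without an index file (assumed list).
const EXAMPLE_PATHS = array( '/wp-includes/', '/wp-content/uploads/' );

/** Fetch a URL without following redirects; returns array(status_code, body). */
function example_fetch( $url ) {
    $ctx = stream_context_create( array( 'http' => array(
        'method'          => 'GET',
        'ignore_errors'   => true,   // still return the body on 403/404
        'follow_location' => 0,
        'timeout'         => 10,
        'user_agent'      => 'dir-listing-check/1.0',
    ) ) );
    $body   = @file_get_contents( $url, false, $ctx );
    $status = 0;
    // PHP fills $http_response_header in this scope after the request.
    if ( isset( $http_response_header[0] )
         && preg_match( '#HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m ) ) {
        $status = (int) $m[1];
    }
    return array( $status, (string) $body );
}

/** Classify one response as 'blocked' (the 403 from Options -Indexes), 'listing' or 'other'. */
function example_classify( $status, $body ) {
    if ( $status === 403 ) {
        return 'blocked';
    }
    // Apache and nginx autoindex pages carry this title and a parent-directory link.
    if ( $status === 200
         && ( stripos( $body, '<title>Index of' ) !== false
              || stripos( $body, 'Parent Directory' ) !== false ) ) {
        return 'listing';
    }
    return 'other';   // e.g. 404, a redirect, or a directory that has its own index
}

$base = isset( $argv[1] ) ? rtrim( $argv[1], '/' ) : 'https://example.com';
foreach ( EXAMPLE_PATHS as $path ) {
    list( $status, $body ) = example_fetch( $base . $path );
    printf( "%-24s HTTP %3d  %s\n", $path, $status, example_classify( $status, $body ) );
}
```

A result of 'listing' for any path means the Options -Indexes line has not taken effect (for example because the host runs nginx, which ignores .htaccess, or because AllowOverride is off), so the fix has to be applied in the server configuration instead.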

Install security protection plugins

Security plugins protect a WordPress website from threats such as malware, hacking and unauthorized access, and strengthen its overall security against potential threats.

You can install one of the following plugins; they offer many security features such as

  • Malware scanner
  • Firewall
  • Login security
  • DB backup
  • Anti-spam
  • Managing the security of multiple sites in one place
  • Live traffic
  • Monitoring visits and hack attempts
  • Blocking attackers by IP or building advanced rules based on IP range

Plugins to consider:

  • BulletProof Security: malware scanner, firewall, login security, DB backup, anti-spam; click here to view the features (scroll down to BulletProof Security Feature Highlights).
  • WordPress security: includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more.