My immunity is strong.

WordPress Security Tips

Updated Jul 27, 2020
Tips to make you WordPress site secure from hackers.
Tips to make you WordPress site secure

WordPress Security can be hardened, simply by increasing the degree of difficulty to hack.

WordPress Security Tips

  • Host your blog with a reputed host.
  • Always Keep WordPress Updated.
  • Use secure themes, and make sure you regularly update them.
  • Delete unused WordPress themes.
  • If not required disable new user registration.
  • Make your nickname different than WordPress login username.
  • Change WordPress “Display name publicly as” to something different than login username.
  • Use long complex password for WordPress login.
  • Create new WordPress administrator with login username other than “admin”.
  • To avoid brute force attack, create new WordPress login page.
  • Disable WordPress login hints in login error messages.
  • Remove lost password link from WordPress login, if not required.
  • Redirect failed WordPress login to homepage.
  • Redirect lost password link to homepage.
  • Disable XML-RPC completely if you do not connect to external service.
  • Plugins are the biggest reason WordPress sites get hacked.
  • Make minimum use of WordPress plugins.
  • Delete unused WordPress plugins.
  • Always keep plugins updated.
  • Create WordPress Blog Specific Plugin for code snippets specific to your site.
  • Change WordPress database table prefix from the default wp_ to avoid SQL injection attack.
  • Change WordPress user ID to hide login username from your-site.com/?author=1 which redirects to author url [your-site.com/author/username/].
  • Change WordPress Author URL Base, and Slug (user_nicename).
  • Keep a log of WordPress Database and PHP errors.
  • Enable HTTPS.
  • Remove unnecessary server response headers like Server, X-Powered-By, X-backend, etc…
  • Enable HTTP Strict Transport Security (HSTS) header.
  • Enable Content Security Policy.
  • Enable XSS protection.
  • Enable referrer policy.
  • Only allow authorized applications to access WordPress Rest API.
  • Block global access to readme, license, quickstart, and changelog file.
  • Activate web application firewall to filter traffic.
  • Always use SFTP or SSH to connect to server.
  • Disable directory listing for WordPress files and folders.
  • Disable PHP execution in WordPress uploads directory.
  • Enable TLS 1.3.
  • Disable direct access to your server IP.
  • Always keep your server OS and other software’s updated.

Tips for Optimal WordPress Security

Aim of the above guide is to minimize loopholes, and secure WordPress website from hackers.

Moral of the Story

Prevention is better than cure.

Email Newsletter

Be first to receive notifications of new articles.

Thank you my dear friend for coming here.