WordPress is one of the most popular content management systems (CMS) in the world. It runs 18.9% of all websites and has been downloaded over 76.5 million times. Unfortunately, popularity also has downsides: according to a hacked-website report by Sucuri, a company specializing in website security, WordPress is the most hacked CMS in the world. But there is no need to panic. You can make a big difference to your WordPress security by following the general guidelines in this guide and applying the techniques it describes.

1. Keep WordPress Updated

This is the first and most important reminder. If you want a clean and malware-free website, you must keep WordPress up to date. While this may seem like an obvious recommendation, only 22% of WordPress installations run the latest version. WordPress added auto-update functionality in version 3.7, but it only applies to minor security releases. Major core updates must therefore be done manually.

2. Using Strong Passwords

Still using admin as your WordPress username? If so, an attacker already knows half of your login and only has to guess the password. If you don't know how to rename the admin user, create a different admin account and delete the old one. If you choose the second option, follow the steps below:

  1. Log in to the WordPress admin panel
  2. Click on the Users section in the menu
  3. Click on Add New user
  4. Enter a username and password that no one can guess
  5. Log in to the panel with the account you just created and delete the old admin account.

A good password plays an important role in WordPress security. Passwords that contain numbers, uppercase and lowercase letters and special characters are much harder to brute-force. Password managers such as LastPass and 1Password help you manage complex passwords. Also, if you need to log in to the WordPress dashboard while connected to an untrusted network (e.g. a cafe or public library), remember to use a secure VPN to protect your login information.


3. Two-Step Verification

Two-step verification adds a strong extra layer of security to your login page. As the name suggests, it adds a second step to the sign-in process. You may already be using this feature for email, online banking or other accounts that contain sensitive information, so why not use it for WordPress? While it may sound complicated, enabling two-step verification in WordPress is simple: install a two-step verification plugin and configure it for your site.


4. Disabling PHP Error Reporting

If you are developing a website and want to make sure everything is working, PHP error reporting can be helpful. But displaying error messages to every visitor is a serious weakness, because they can reveal file paths and other internal details. You should fix this as soon as possible. Don't worry, you don't need any coding knowledge to turn off PHP error reporting in WordPress. Most hosting providers offer an option to turn off error reporting from the control panel. If this option is not available, add the following lines to your wp-config.php file. You can use an FTP client or file manager to edit it:

error_reporting(0);
@ini_set('display_errors', 0);

5. Not Using Nulled Plugins and Themes

There are thousands of nulled (pirated) plugins and themes on the internet. Users can download them for free from various warez or torrent sites. What they don't realize is that most of them are laced with malware and black-hat SEO links. Do not use nulled plugins and themes. Not only is it unethical, it is also very damaging to the security of your WordPress site, and you may end up paying developers far more to repair the site afterwards.


6. Scanning WordPress for Malware

Attackers often use vulnerabilities in plugins or themes to infect WordPress sites with malware. That is why it is important to scan your site frequently. Many well-designed plugins are available for this purpose. WordFence is one of the highlights right now. It offers manual and automatic scanning as well as a variety of settings, and you can even restore modified or malicious files with a few clicks. It is free and open source. These reasons alone are enough to install the plugin right away.

BulletProof Security: Unlike WordFence, BulletProof does not scan your files, but it provides firewall, database and other protections. One of its biggest advantages is that it can be installed and configured in just a few clicks.

Sucuri Security: This plugin scans your website for malware, protects you from DoS attacks, monitors blacklists and manages your firewall. If it detects something, it notifies you by email. The Google, Norton and McAfee blacklist engines are all included in this plugin.

7. Host Your WordPress Site on a Safer Server

This may seem like a strange suggestion, but statistics show that 40% of hacked WordPress sites were compromised through vulnerabilities in their hosting accounts. That figure should make you question your current hosting and consider moving your WordPress site to a more secure hosting service. Here are some guidelines to keep in mind when looking for a new host:
  • If it is shared hosting, make sure your account is isolated from other users and that there is no chance of one site harming the other sites on the server.
  • Make sure it has an automatic backup function.
  • Make sure it has a server-side firewall and virus scanning tool.


8. Always Have a Backup

Even the biggest websites, whose owners spend thousands of dollars on security, get hacked every day. So even if you follow best practices and the tips in this guide, it is important to back up your WordPress site frequently. There are several ways to create a backup. For example, you can manually download the WordPress files, export the database, or use your hosting company's backup tool. Another way is to use a WordPress plugin. The most popular WordPress backup plugins are:
  • VaultPress
  • BackUp WordPress 
  • BackupGuard

9. Turning Off File Editing

As you may know, you can modify PHP files with WordPress' built-in file editor. While this feature is useful, it also has a downside: if an attacker gets into your WordPress admin panel, the first thing they will look for is the file editor, because it lets them write arbitrary PHP to your server. Many WordPress users therefore disable this feature entirely. You can turn it off by editing the wp-config.php file and adding the following line:

define( 'DISALLOW_FILE_EDIT', true );

10. Remove Unused Themes and Plugins

Clean up your WordPress site and delete all unused plugins and themes. Attackers routinely scan for disabled and outdated themes and plugins (including official WordPress ones) and use their vulnerabilities to try to reach the administration panel or upload malicious files to your server. A deactivated plugin is still code on disk, so deleting the plugins and themes you no longer use further reduces your attack surface.

11. Using .htaccess for WordPress Security

WordPress permalinks require an .htaccess file to work properly; you will get lots of 404 errors when the .htaccess file does not contain the correct rules. Most users do not know that .htaccess files can also be used to increase WordPress security. For example, you can disable PHP execution in certain folders and block access to sensitive files. The following examples show how to use .htaccess files to harden WordPress.

With the rules below, placed in the .htaccess file of your wp-admin folder, you can restrict access to your WordPress admin panel to specific IP addresses:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx
</LIMIT>

Replace xx.xx.xx.xxx with your own IP address (an IP lookup website will show it to you). If you manage your WordPress site from several connections, add the other IP addresses here as well (you can add as many as you want). These rules are not recommended if you have a dynamic IP address. Note also that the <LIMIT GET> block only restricts GET requests; to apply the restriction to every request method, remove the <LIMIT> wrapper and keep the order/deny/allow lines.
Blocking PHP execution in certain folders

Attackers like to drop backdoor scripts into the WordPress uploads folder. By default, this folder is only used for media files, so it should never contain any PHP. You can disable PHP execution there by creating a new .htaccess file in /wp-content/uploads/ with the following rules:
<Files *.php>
deny from all
</Files>

Protecting the Wp-config.php File

The wp-config.php file contains the WordPress settings and the MySQL database credentials, which makes it the most important WordPress file and the main target of every WordPress attacker. You can easily protect it with the following .htaccess rules:

<files wp-config.php>
order allow,deny
deny from all
</files>

Tightening the wp-config.php file

The most important file in the WordPress infrastructure is wp-config.php, and you can increase system security by adjusting its contents. First, verify that the file itself is protected: on an Apache server, the .htaccess rules shown above ensure that the contents of wp-config.php cannot be read through external requests.

Moving wp-config.php out of the public html folder, either manually or with a plugin, also adds security; WordPress will still find the file if it is placed one directory above the web root. This file is the most important file in the WordPress installation, because it contains the information needed to connect to the database.
Encrypting the wp-config.php File

Another way to restrict access to wp-config.php is to encrypt (obfuscate) its contents. For this you can use ionCube, Zend Guard or the simple free tool from phpr.org. Anyone who gains access to the wp-config.php file will then only see encoded data, and your database connection details remain confidential.

You can also change the name or location of the file in which wp-config.php lives. To do this, open the wp-load.php file in the root directory of your site and change the wp-config.php reference to point to your own path. Note: these changes are overwritten by every WordPress update, so use a plugin that makes them permanent.
Blocking Access to the wp-load.php File

Another step in protecting WordPress is to block direct access to the wp-load.php file. Just as with wp-config.php, the .htaccess file lets us prevent external requests from reaching wp-load.php and so restrict possible unauthorized use of it:

<files wp-load.php>
order allow,deny
deny from all
</files>

Protecting the Plugins Directory

The plugins you use in WordPress may also have weaknesses, and attackers can exploit vulnerabilities in them to gain unauthorized access to your system. We should therefore also harden the plugin folder, wp-content/plugins. Under normal circumstances, the contents of a directory should not be listed when it is requested. However, in some configurations, or due to user error, directory listing can be enabled, and an attacker can then see exactly which plugins (and versions) are installed. If you want to prevent the plugin list from being exposed in external requests, create an empty file called index.html in this folder so the directory is no longer listed.
Protecting the .htaccess File

The .htaccess file is very important on a WordPress Apache server. It usually contains the standard WordPress rewrite rules, and as we have seen above, it can also be used to prevent unauthorized access. By adding the rules below to our .htaccess file, we also protect the .htaccess file itself from being read:

<files .htaccess>
order allow,deny
deny from all
</files>
Turning off Debug Mode

You can close a potential information leak by turning off WordPress error messages. Debug mode is used to view possible WordPress errors; developers often enable it to check the system for errors, but it should be off on a live site. You can turn off debug mode by adding the following line to wp-config.php. The false value disables it, and changing it to true re-enables error output.

define( 'WP_DEBUG', false );

12. Prevent SQL Injection Attacks by Changing the WordPress Database Table Prefix

The WordPress database records and stores all the information your website needs to run. As such, it is an attractive target for attackers and spammers who run automated SQL injection attacks. Most people do not bother to change the default wp_ table prefix during WordPress installation. According to WordFence, one in five WordPress sites has been hacked through SQL attacks. Since the default prefix is wp_, automated attacks mainly target that value. In this step we focus on how to make your WordPress site more resistant to such attacks.

Open the wp-config.php file with an FTP client or file manager and press Ctrl+F to search for $table_prefix.

You can use numbers, letters and underscores in the new prefix. Save the changes and go to the next step. In this guide we will use wp_1secure1_ as the new table prefix. In wp-config.php you can also find the database name, so you know which database you need to edit (look for the DB_NAME line).
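As an added example (not code from the original guide), here is a small POSIX shell audit script that checks a WordPress root directory for the settings from sections 4, 9, 11 and 12: display_errors off, DISALLOW_FILE_EDIT, WP_DEBUG off, PHP execution blocked in the uploads folder, and a non-default table prefix. The directory layout and the sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original guide: audit a WordPress install
# for the wp-config.php and uploads/.htaccess settings recommended above.
# The directory layout and the sample files below are constructed for the demo.

audit_wp() {                      # $1 = WordPress root directory
    cfg="$1/wp-config.php"
    up="$1/wp-content/uploads/.htaccess"
    q="['\"]"; s="[[:space:]]*"   # regex fragments: a PHP quote, optional space
    # Section 9: the dashboard file editor should be disabled
    grep -Eq "define\($s${q}DISALLOW_FILE_EDIT$q$s,${s}true$s\)" "$cfg" \
        || echo "DISALLOW_FILE_EDIT is not set to true"
    # Section 11: debug mode must be off on a live site
    grep -Eq "define\($s${q}WP_DEBUG$q$s,${s}true$s\)" "$cfg" \
        && echo "WP_DEBUG is true"
    # Section 4: PHP error display should be switched off
    grep -Eq "ini_set\($s${q}display_errors$q$s,${s}0$s\)" "$cfg" \
        || echo "display_errors is not turned off"
    # Section 12: the table prefix should not be the default wp_
    grep -Eq "^$s[\$]table_prefix$s=$s${q}wp_$q" "$cfg" \
        && echo "table prefix is the default wp_"
    # Section 11: PHP execution blocked in the uploads folder
    { [ -f "$up" ] && grep -Eq "<Files$s\*\.php>" "$up" \
        && grep -Eiq "deny${s}from${s}all|Require${s}all${s}denied" "$up"; } \
        || echo "PHP execution is not blocked in wp-content/uploads"
    return 0
}

count_findings() { audit_wp "$1" | wc -l | tr -d ' '; }   # number of findings

make_sample() {                   # $1 = directory, $2 = weak | hardened
    mkdir -p "$1/wp-content/uploads"
    if [ "$2" = hardened ]; then
        printf '%s\n' "<?php" "\$table_prefix = 'wp_1secure1_';" \
            "define( 'DISALLOW_FILE_EDIT', true );" "define( 'WP_DEBUG', false );" \
            "error_reporting(0);" "@ini_set('display_errors', 0);" > "$1/wp-config.php"
        printf '%s\n' "<Files *.php>" "deny from all" "</Files>" \
            > "$1/wp-content/uploads/.htaccess"
    else   # default prefix, debug on, no hardening at all
        printf '%s\n' "<?php" "\$table_prefix = 'wp_';" \
            "define( 'WP_DEBUG', true );" > "$1/wp-config.php"
    fi
}

demo() {                          # weak install: 5 findings, hardened: 0
    d=$(mktemp -d); make_sample "$d/weak" weak; make_sample "$d/hard" hardened
    echo "weak install: $(count_findings "$d/weak") findings"; audit_wp "$d/weak"
    echo "hardened install: $(count_findings "$d/hard") findings"
    rm -rf "$d"
}
```

Run `demo` to see both samples audited, or point `audit_wp` at a real WordPress root; each printed line is one setting still to fix.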