Pro Tips for Securing Your WordPress Site

Forrest Pykes Mar 18, 2025


Want to improve the security of your WordPress website?

Here I will share all the tips and strategies I have learned while running this WordPress blog for over 10 years.

Just so you know: WordPress has recently become a popular target for hackers, and many users ask, "Is WordPress safe?"

Here are my answers:

Yes, WordPress is secure.

However, the plugins, themes, and sometimes the hosting we add on top of it often follow poor security practices, and that is what leaves a WordPress website open to different types of attacks and hacks.

Fact: WordPress powers about 33% of the world's websites, which not only makes it the most popular CMS platform, but also a more attractive target for hacker attacks. If this is your first time here, check out the beginner's guide to WordPress.

As an end user, there are steps you can take to keep your WordPress blog secure.

Also Read: Best WordPress Security Plugins

My website has been hacked about two times in the past by some Arab and Turkish hackers (at least that's what they claimed). They hacked into my website and left an ugly black background with a GIF of a skull and a crow. This made me discover how to strengthen the security of WordPress.

Over the past 10 years, I’ve learned a lot of tricks that I’m going to share with you today so that you don’t have to deal with the hassle of your WordPress site falling into the hands of hackers.

If WordPress is secure, then why is WordPress security important?

As I mentioned above, WordPress is secure by default, but when you host it on an insecure server or add new code in the form of themes and plugins, the chances of getting hacked increase.

The WordPress hardening help page puts it this way:

"The vulnerabilities that have the greatest impact on WordPress site owners stem from the extensible parts of the platform, specifically plugins and themes. These are the primary attack vectors used by cybercriminals to compromise and abuse WordPress sites.

These vulnerabilities are usually not introduced intentionally, but rather are caused by mistakes and oversights during the development process. Many plugin and theme developers are not very familiar with security, so it is easy for them to inadvertently write vulnerable code. When vulnerabilities are discovered, developers usually address them by releasing updates."

Hackers often hack into WordPress sites for personal gain, usually in the form of adding backlinks to some spam site or redirecting the WordPress site to some other site. Sometimes, hackers do it so cleverly that you don’t even know that you’ve been hacked or that a backdoor has been installed on your site.

However, over time the owner starts losing traffic (an SEO penalty), and by the time they realize the actual problem, things are out of their control. An even worse scenario is getting blacklisted by a well-known blacklisting agency; getting your site removed from such a blacklist costs a lot of time and money.

According to security firm Sucuri:

Of all the CMS installations cleaned in 2018, WordPress topped the list with a 90% infection rate.


Those are some scary numbers for any WordPress owner, which is why it’s crucial that you roll up your sleeves and follow these best practices to enhance your WordPress security.

14 Proven WordPress Blog Security Tips

1. Configure WordPress Backup

Even though I’ve given you many proven tips below for keeping your WordPress blog secure, you need to make sure that you don’t lose anything if something were to happen.

Not having a proper WordPress backup solution is the biggest mistake you can make. If even large websites like Sony or Dropbox can get hacked, your WordPress blog is a far easier target.

So, the first thing to do is to make sure you back up your blog every day.

You can use the backup system provided by your hosting company, or you can use a third-party backup system such as Blogvault, VaultPress, or Teamupdraft. You can find a list of WordPress backup plugins here.

If your hosting company offers backups, make sure they store the backups on different servers.

2. Use a reliable and secure hosting company


Your WordPress installation is just software installed on a server. The foundation of a secure website is a server with adequate protections in place to keep your website safe from hacker attacks.

Secure WordPress hosting usually has:

  • Server-level firewalls that mitigate DDoS attacks
  • Physical security, with up-to-date hardware in best-in-class data centers
  • Regular operating system updates with the latest security patches applied
  • An intrusion detection system that watches for malicious activity or policy violations

I know it’s hard to tell which hosting company is safe from hackers, which is why I created this list of secure WordPress hosting companies:

  1. SiteGround: An award-winning hosting provider that uses an anti-bot AI system to prevent some well-known attacks.
  2. Bluehost: One of the highest rated hosting providers that offers excellent security.
  3. WPEngine: A managed WordPress hosting company recommended for commercial WordPress websites. They offer multiple levels of backup and security protection.
  4. Kinsta: This host is perfect for WordPress blogs with a lot of traffic. ShoutMeLoud.com is also hosted on Kinsta.

If your existing hosting company is not secure and does not provide security related support, then migrating to any of the hosting companies listed above can have a huge impact.

3. Use the latest version of WordPress

Keeping your WordPress software updated is the most basic security tip for any WordPress blogger. It’s something you can’t afford to miss.

Whenever WordPress sends out an update, it means they fix some bugs, add some features, and most importantly, add some security features and fixes.


When you see the message: “WordPress xxx is available!”

Update it.

Now it is very easy to upgrade your blog with just one click.

Make sure your theme and plugins are compatible with the latest version of WordPress. If an update is rolled out and it is not a security update, I recommend waiting 5-6 days until other users stop reporting bugs in the latest version.

4. Update WordPress plugins


As I mentioned above, WordPress releases updates to fix bugs and security vulnerabilities, and the same goes for plugins.

Many times, vulnerable plugins or third-party scripts can create security holes in your WordPress website.

One issue we’ve seen in the past is the TimThumb vulnerability. It came from a single script, and every plugin that bundled that script was vulnerable too. This type of zero-day vulnerability is hard to avoid, but by limiting the number of plugins, scripts, and themes you install, you shrink the surface an attacker can reach and make your WordPress site more secure.

Always use plugins that are consistently updated and well-supported. If you use a plugin that hasn’t been updated in a while, look for an alternative.

5. Use the latest PHP version

PHP is the backbone of WordPress, and the latest version of PHP is 7.4. According to the official PHP statistics page, they only provide 2 years of security support for any stable version of PHP.


This means that if you use any version below PHP 7.1, you will not get security updates.

Here’s an interesting statistic from WordPress.org: approximately 71.8% of WordPress sites are running an outdated PHP version.

Depending on the hosting environment you use, you can quickly change PHP versions. I highly recommend that you create a staging environment first and test the latest PHP version. This is to ensure compatibility, as sometimes outdated plugins and themes can cause issues.

You can check the PHP version of WordPress from your dashboard and ask your hosting support to test and update your PHP version. Bluehost users can follow this tutorial to update the PHP version in cPanel.

6. Use a Web Application Firewall (WAF)

A firewall sits between your hosting server and incoming network traffic. Its job is to filter out the most common threats before they reach the machine hosting your WordPress website.

The three most common firewall options you can use with WordPress are:

  1. At the network level: This is deployed at the network or machine level and is an option when you host WordPress in your own data center. It is the most expensive choice and is usually used by enterprise-level websites that control the physical space where the server is installed.
  2. At the host level : This is hosted at the web application level, in our case WordPress. This is not recommended because ultimately your host has to take on the heavy lifting of filtering your traffic. This is certainly better than a network-based WAF, but it requires local server resources, which isn’t the best option.
  3. Cloud-based WAF: A cloud-based WAF is usually implemented at the DNS level, filtering out the most common threats before they reach your WordPress server. This is the easiest and most economical type to implement. The only downside is that it may require you to change your DNS.

Some common threats a WAF can detect and block include cross-site scripting (XSS), SQL injection, session hijacking, and buffer overflows. A WAF is a layer 7 (application layer) defense in the OSI model.

There are two recommended services for implementing a WAF:

This is a highly recommended WordPress security feature for WooCommerce and other WordPress sites designed for business.

7. Hide WordPress version

Suppose you haven't found the two minutes it takes to update the WordPress core files. The version number WordPress prints in your page source can give hackers ideas: if you are running an old version of WP and everyone can see it, trust me, you are doomed.

Most theme designers these days will remove this for you, but just to be sure, go to your functions.php and add the following line:

remove_action( 'wp_head', 'wp_generator' ); // stops WordPress printing its version in the <meta name="generator"> tag
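The single remove_action line only covers the page head. As an added example (not the article's code), the must-use plugin below also blanks the version in RSS/Atom feeds and strips WordPress's own ?ver= parameter from the scripts and styles core enqueues. The plugin name and the example_ prefixed function are my own; wp_head, the_generator, style_loader_src and script_loader_src are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example: hide WordPress version
 * Description: Added example, not from the article. Save as wp-content/mu-plugins/hide-wp-version.php.
 */

// 1. The <meta name="generator"> tag in the page head (the line the article adds).
remove_action( 'wp_head', 'wp_generator' );

// 2. The same version string is printed in RSS/Atom feeds; return an empty generator there.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core appends ?ver=<WordPress version> to the scripts and styles it enqueues.
//    Strip the parameter only when it equals the running WordPress version, so a
//    plugin's own asset version (used for cache busting) is left untouched.
function example_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );
```

To check it, view the source of your home page and of your /feed/ URL and confirm no generator line remains and core assets no longer carry ?ver=. Keep in mind this only removes the easy fingerprint; the readme.html shipped with WordPress still states the version, and the real protection is the update itself.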

8. Use complex login passwords

I shouldn't have to mention this, but I know too many people who use clever and extremely complex passwords like:

  • password
  • I Love Jesus
  • 123123

Outstanding.

Make sure your password is complex, add a few special characters (%&*#), and change it every 5 or 6 months.

I would also like to recommend a plugin called "Limit Login Attempts". This plugin logs the IP and timestamp of every failed login attempt. After a certain number of failed attempts from a specific IP, that IP is blacklisted. This goes a long way toward preventing brute force attacks.

On your end, you should also start using a password manager like Dashlane, which will help you improve your password security even further.
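To show what the lockout mechanism described above actually does, here is an added example, written for this page and not the code of the Limit Login Attempts plugin. It is a must-use plugin that counts failed logins per client IP in a transient and refuses authentication once the limit is hit. The thresholds, the EXAMPLE_ constants and the example_login_key function are my own choices; wp_login_failed, authenticate, wp_login and the transient functions are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Example: throttle failed logins
 * Description: Added example, not the Limit Login Attempts plugin. Save as wp-content/mu-plugins/login-throttle.php.
 */

// Tunables (my choices, not from the article): 5 failures from one IP within 15 minutes
// lock that IP out until the window expires.
define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

// One transient key per client IP. Assumes the web server sees the real client address;
// behind a reverse proxy or CDN, derive the IP from the proxy's trusted header instead.
function example_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Record each failure (IP and timestamp go to the PHP error log) and bump the per-IP counter.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_login_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOGIN_WINDOW );
    error_log( sprintf(
        '[%s] login failed for "%s" from %s (failure %d of %d)',
        gmdate( 'c' ),
        $username,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        $count,
        EXAMPLE_LOGIN_MAX_FAILURES
    ) );
} );

// Refuse to authenticate while the IP is over the limit. Priority 30 runs after core's own
// username/password checks (priority 20), so a correct password cannot bypass the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_login_key() ) >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'example_too_many_attempts',
            'Too many failed login attempts from your address. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( example_login_key() );
} );
```

Because the authenticate filter is also applied to XML-RPC logins, the same limit covers that entry point. The counter is keyed by IP, so this complements, rather than replaces, strong passwords and a password manager.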


9. Change WordPress Login URL

By changing the WordPress login URL, you can prevent many attacks and hacking attempts. This helps most if you are the only person, or one of just a few, who needs to log in to the WordPress dashboard. In my previous tutorial on how to change the WordPress admin login URL, you can find some additional benefits.

10. Set up Google alerts for indexed pages

This is one of those lesser-known tricks that you can use right away. Google Alerts will send you an alert every time Google indexes a new page for your domain. Many times, WordPress hackers add new pages and posts that don’t show up on the backend or frontend but do get indexed in Google.

When you set up alerts like this, you'll know if something is happening without your knowledge. Since it's free and only takes 2-3 minutes to set up, it's well worth it.

Here are the specific steps:

  • Go to Google Alerts
  • In the Create Alert field, enter site:domain.com (using your own domain)
  • Change Frequency to "When it occurs", Language to "Any language", and Quantity to "All results"

Now you will be notified instantly when search engines index new pages.

11. Check WordPress folder file permissions


Go to the File Manager in cPanel, or log in with your FTP software, and check the file properties of the WordPress folder.

If it is 744 (read-only), you are good. If you find it is 777, you are lucky not to have been hacked yet.

Most bloggers don’t realize that file permissions change when they switch hosts. Make sure to verify all file permissions after migrating hosts.
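Checking one folder by hand in cPanel is fine for a spot check, but after a migration you want the whole tree audited. The script below is an added example, not from the article: run with the PHP CLI, it walks a WordPress install and reports anything writable by everyone (the 777 case above) plus a wp-config.php that other users on the server can read. The expected values it quotes, 755 for directories and 644 for files with 600 or 640 for wp-config.php, are the ones the WordPress hardening guide recommends; the function name and output format are my own.

```php
<?php
// Added example, not from the article.
// Usage: php audit-perms.php /path/to/wordpress
// Exit status 0 when nothing is found, 1 when findings were printed (so it can gate a cron check).

function example_audit_permissions( string $root ): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iterator as $path => $info ) {
        $mode = fileperms( $path ) & 0777;   // keep only the rwx bits

        // Bit 0002 = "other" may write: any user or process on the box can alter the file.
        if ( $mode & 0002 ) {
            $findings[] = sprintf(
                '%04o  %s  (world-writable; expected %s)',
                $mode, $path, $info->isDir() ? '755' : '644'
            );
        }

        // wp-config.php holds the database password; it must not be world-readable.
        if ( $info->getFilename() === 'wp-config.php' && ( $mode & 0004 ) ) {
            $findings[] = sprintf(
                '%04o  %s  (readable by everyone; expected 600 or 640)',
                $mode, $path
            );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = example_audit_permissions( $argv[1] );
    if ( ! $findings ) {
        echo "No world-writable files or directories found.\n";
        exit( 0 );
    }
    echo implode( "\n", $findings ), "\n";
    exit( 1 );
}
```

Run it once before and once after a host migration and compare the two outputs; a clean run before and findings after is exactly the permission drift this tip warns about.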

12. Delete the default administrator user

This is one of the most important tips for anyone who wants to create a secure WordPress blog. The default "admin" username is vulnerable to brute force attacks because most people never change it.

When installing WordPress, make sure to use a custom username and do not use "admin".

You can create a new user with "Administrator" privileges and give this new admin a nickname, which is what will be displayed publicly on his/her posts. Now log out, log back in to the newly created admin account, and delete the old "admin" user.

When WordPress asks what to do with the deleted user's content, make sure to attribute all of the old user's posts and links to the new user you created.


13. Hide plugin directory

The plugins folder /wp-content/plugins/ should not show a list of folders and files inside it.

Try accessing your plugin folder (replace domain.com with your domain name):

  • domain.com/wp-content/plugins/

If you see a list of folders and files, you need to hide them.

To hide these folders, you need to create a new .htaccess file and place it in your plugin directory.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Only rewrite requests that do not match a real file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# Prevent directory listing
IndexIgnore *
# END WordPress

If you already have a well-written .htaccess file in your root directory, adding separate .htaccess to individual folders won't do any harm.

Also, check out this article to better understand how to edit .htaccess files.

14. Hide database errors

In older versions of WordPress, if an error occurs in the MySQL database, it will display the exact error on the browser itself and provide valuable information about the database to the hacker.

To prevent this, you need to update WordPress to the latest version so that it will only show a generic error message like "Database connection error" instead of showing exactly what the error is.

Login to your WP dashboard and update your WordPress core files.
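Updating core gives you the generic "Error establishing a database connection" page, but a broken plugin or a PHP warning can still print details into a visitor's browser. As an added example (not from the article), the wp-config.php fragment below keeps both WordPress debug output and PHP's own error messages out of the response; the constants and the two ini_set calls are standard WordPress/PHP settings, and the placement above the "That's all, stop editing!" line is the usual spot.

```php
// Added example: wp-config.php fragment, not from the article.
// Place these lines above "/* That's all, stop editing! Happy publishing. */".

// Weak setting to avoid on a live site: define( 'WP_DEBUG', true ) with WP_DEBUG_DISPLAY left on,
// which prints notices, warnings and file paths into every page.
define( 'WP_DEBUG', false );          // no debug mode in production
define( 'WP_DEBUG_DISPLAY', false );  // never echo WordPress notices/warnings into pages
define( 'WP_DEBUG_LOG', false );      // while debugging, set WP_DEBUG and this to true: output goes to wp-content/debug.log

// PHP-level errors (for example from a broken plugin) stay out of the response and go to the server log.
@ini_set( 'display_errors', 0 );
@ini_set( 'log_errors', 1 );
```

After saving, load a page while deliberately pointing a staging copy at a wrong database name: you should see only the generic message, and the real error text should appear in the PHP error log instead.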

WordPress Security: Over to You

Well, I hope this guide helped you understand the importance of WordPress security and helped you strengthen it.

Again, it’s a smart idea to automatically back up your WordPress blog on a regular basis to ensure that you can always restore your blog to a healthy state.

Let us know what other security tips you’d like to offer other bloggers to keep their WordPress blogs secure. Share your tips in the comments below!

Don’t forget to bookmark and share this article!
