The Ultimate Guide to WordPress Security-2021

The Ultimate Guide to WordPress Security

Introduction to wordpress security

WordPress Security is one of the hot subjects in the IT business world.
WordPress is the world’s most popular website building software which powers
nearly 27% of all websites.
With so many hacking attempts made to infiltrate sites based on WordPress, one
might begin to wonder if WordPress is secure or not. The security team behind
WordPress works tirelessly to fix any vulnerabilities that surface within the
WordPress core.
They also release Security patches from time to time. It comes with many bug
fixes that are released consistently and on a regular basis.
Bookmark this article and return to it whenever you want to check whether your
WordPress site has all the WordPress security measures in place.

Why WordPress Software?

Content Management System (CMS) is popularly used by many online
businesses to create their own official websites. A popular CMS platform is
WordPress. WordPress is proven to be one of the founding platforms in terms of
the content management system (CMS). Instead of relaying to a website
developer, WordPress allowed users freedom to design their own websites in an
easier way.

Why WordPress Security is Important?

If your WordPress site gets hacked, it can cause serious damage to your
business and brand. Cybercriminals who were responsible for the attack can steal
confidential user information, passwords, inject malicious codes on your site, and
can even distribute malware to the visitors of your site.
If your site gets infected by ransomware, you may have to pay ransom to hackers
for regaining access to your website. All these highlights the importance of
WordPress security.

How do I secure my WordPress site?

The WordPress company is doing its best to secure their users. After all, they’re a
business benefiting from their own customers. They’ll do their best from assisting
to protecting their customers from online attacks. Though, there are factors that
may still lead to website security failure such human error.
Is your website based on WordPress? If it is then, that’s an excellent choice.
WordPress is the world’s leading Content Management System (CMS) with loads
of useful features.
But with that immense popularity, comes a risk of cyber-attacks. As with any
popular software, hackers tend to target WordPress CMS and exploit your
Here is the step by step Instructions for ensuring security of WordPress Sites,

WordPress Security Optimization Guide

  1. Less Add-Ons – Always run plugins that are required for your site and
    dismiss all unused, testing, or debugging plugin.
  2. Less Scripts – Tracking pixel affects the overall performance of a website
    by the increasing the browser load.
  3. Caching Headers – Set proper caching headers on the site to minimize the
    number of requests.
  4. Compression – The compressed files enable a web server to reply with a
    much smaller file, this helps in presenting a better experience for the user.
  5. Optimize Images – Compressing and optimizing images for the web retains
    the quality and never bites the load time.
  6. Enable Keep Alive – By enabling Keep Alive, the browser will do the
    handshake once and reuse the same session to download all others files.
  7. Disable DNS Lookups – It is vital to reduce the DNS lookups and speed
    them up for your WordPress site.

Step by Step Instructions for Security of
WordPress Sites

We’re very concerned about the security of many WordPress users. That’s why
we dedicate our time to educating many of you to secure your WordPress website
properly. Remember, WordPress gives you the freedom to maneuver your own
security controls. Your own security is also in your own hands.

Step by step instructions to secure WordPress sites
  1. Setup Website Lockdown and ban users
  2. The 2-Factor Authentication
  3. Use email as login
  4. Rename your login URL
  5. Play Around Your Passwords

Update Your Website Software and CMS

You might be using a content management system (CMS) like WordPress,
Joomla or Drupal, etc. A CMS is easy to use, and it is an excellent platform for
managing your site, but if it is not updated from time to time, it can lead to
CMS providers regularly release latest updates and patches for their CMS
products to provide a higher level of security and patch are known vulnerabilities.
Hence, it is important to make sure that your CMS, plugins, themes, extensions
are up-to-date. This is one of the essential tips for website protection.

Use Web Application Firewalls

Web Application Firewalls serve as the shield for your website protecting it from
malicious traffic and hackers. A web application firewall examines your website
traffic on a regular basis.
It also analyses the source of the website traffic and the type of information
requested by the source.
Based on all those factors, the Web Application Firewall allows the legitimate
traffic and blocks the malicious ones like hackers and spambots.

Set Strong Passwords

Using a strong and complicated password that is hard to guess, for admin access,
can serve as an extra layer of protection to your site. If you haven’t set a strong
password, head to your CMS portal and change it right away.
A strong password is the one that contains more than eight alpha-numeric
characters, i.e., with a mix of uppercase and lowercase letters, numbers, and
special characters.

Cehpoint web security solution can
Strengthen Your WordPress Site Security

Websites offer businesses massive potential for sales, marketing, and customer
service. Thus, it is critical for businesses to address any security vulnerabilities in
their sites as soon as possible.
You can secure your websites and prevent hacking attempts by Wordfence
Plugin, its an excellent site security plugin that will provide complete protection to
all your websites.

wordpress security

WordPress Firewall

Wordfence includes a Web Application Firewall (WAF) that identifies and blocks malicious
traffic. It runs at the endpoint, enabling deep integration with WordPress. Unlike cloud
alternatives it does not break encryption, cannot be bypassed and cannot leak data. An
integrated malware scanner blocks requests that include malicious code or content.
Defends against brute force attacks by limiting login attempts, enforcing strong passwords
and other login security measures. Upgrading to Premium enables real-time firewall rule and
malware signature updates as well as the Real-time IP Blacklist, which blocks all requests
from the most malicious IPs, protecting your site while reducing load.

WordPress Security Scanner

The Wordfence scanner checks core files, themes and plugins for malware, bad URLs,
backdoors, SEO spam, malicious redirects and code injections. It also compares your files
with what is in the repository, checking their integrity and reporting any
changes to you. Repair files that have changed by overwriting them with a pristine, original

version and easily delete any files that don’t belong. It also checks your site for known
security vulnerabilities, abandoned and closed plugins. Content safety checks ensure that
your files, posts and comments don’t contain dangerous URLs or suspicious content.
Upgrading to Premium enables real-time malware signature updates, reputation checks and
better control over scan timing and frequency.

Steps for securing wordpress website

Set users and their roles

Understanding roles and properly assigning them to users is essential in the process of
segregation of duties. By default, WordPress has a set of six pre-defined roles: Super Admin,
Administrator, Editor, Author, Contributor, and Subscriber.
Further, each of these roles can perform a set of tasks called ‘Capabilities’. Now, the
capabilities include the power to “publish_posts“, “moderate_comments“, and “edit_users“,
Assigning predefined roles to users
Now, only the admin can assign roles. If you have powers of the admin then, assign roles to
users as:
Step 1 – Log in to your dashboard
Step 2 – Go to users section
Step 3 – Assign proper roles to users

Assigning custom roles by the use of a plugin for defining custom roles for each user, you
can do this by following these steps:
Step 1 – Install a plugin ‘User role editor”
Step 2 – Go to ‘Users’>Other roles
Step 3 – Define/add custom roles for a particular user.

You can better control and monitor who does what on your website with these roles. This is
a simple but great measure to secure your website.

Modify Wp-Config File outside the
root folder

wp-config.php is that one file that can literally make or break your website.
This special file contains the WordPress configuration details and is one of the
most vital files on your website.
It holds confidential information on your WordPress database among other
necessary information required to access the database. This makes it crucial
to secure it.
Here are some ways to Secure wp-config.php file:

  1. Protection through .htaccess file
    Step 1 – Connect your WordPress website using an FTP Client.
    Step 2 – Navigate to the public_html directory and download the .htaccess
    Step 3 – Edit and include the following lines of code at the end of the
    .htaccess file:
#protect wpconfig.php

order allow, deny from all
Once you’re done editing save and upload it back to the server.
These lines will resist internal access and code modifications to your

2.Protect by Moving wp-config.php

Usually, the wp-config.php file is located in the root directory. Changing its
default location can reduce the risk of it getting hacked.
You can do this by following a few steps:

  1. Step 1 – Connect your website using an FTP client.
  2. Step 2 – Select the wp-config.php file and cut its content and place it in
    a file outside to public_html as shown in the video.
  3. Step 3 – Few steps here are a little tricky, hence you’d need to follow
    video rigorously.

3.Setting up the correct file permissions for wp-config.php

The wp-config is one of the most sensitive files in the entire directory since it
contains all the information about base configuration and also the database
connection information. The appropriate file permission for this file will be 400.
This means that the user has permission to only read and others will not be
able to access the file.

Restrict Access To Wp-Admin

wp-admin is the cockpit of your WordPress. You can control your whole
website from the wp-admin area. This is one central area of your website that
holds supreme powers. And, hence the desired target.
Now, restricting access and disabling user registration can help secure your
wp-admin from hackers. Learn the step-by-step process here.
Restrict Access To wp-admin
Allowing only a select IP can resist a hacker’s IP from reaching your website.
Here is how you can restrict others from accessing your website.
Step 1 – Connect to your website through an FTP client
Step 2 – Navigate to public_html directory>wp-admin
Step 3 – Create a .htaccess file there
Step 4 – Paste the following code there and save it

Order, Deny, Allow
Deny from all
Allow from xx.xx.xx.xx

Edit the “Allow from” line to allow your IP address. For multiple IP whitelisting,
repeat the “Allow from” in the next line and so on.

Disable User Registration
Usually, there is a Register link on your WordPress login page. You can
disable this Registration form to discourage access to wp-admin.
This will redirect visitors to the standard login form if they try to access the
registration form after being shown an error message.

To disable user registration on your WordPress, follow the next steps:
Step 1 – Go to your WP dash>general>settings
Step 2 – Uncheck ‘Anyone can register’ option from there.
Step 3 – Save the changes.

Understand And Fix WordPress
File Permissions In 5 Minutes

WordPress file permissions: Various components and files and their
appropriate permissions

file permission

Correct file permissions for wp-content

wp-content stores all the themes, plugins and uploads to your WordPress
account. Allowing random modifications to these files may cause errors to
your site. Hence, set proper permissions to restrict editing by users in this
folder. The correct WordPress file permission for this folder would be
755, and all the files within the folder must have 644. This will ensure your
website’s safety as no one can write anything within the folder except the

Correct file permissions for wp-includes

wp-includes is where all the core files reside. In addition to core files, it also
includes all the other important files that are necessary for the proper
functioning of the WordPress admin and API. Protect this folder by allowing
editing permission to the owner only, i.e, the permission of 755.

Correct file permission for wp-content/uploads:

The wp-content/uploads file contains all your uploads to the website.
Generally, only the owner should have editing access to files. However,
wp-content is an exception. It needs to be writable by www-data too. That is,
we need to allow the server writing access. Set 755 permission and add the
user to the www-data group. Or, use ‘su’ temporarily to change the user to
www-data. The appropriate permission for this file can be 755

Correct file permissions for all the files

The appropriate permission for all files in WordPress should be 644. This
means that the users have read and write permissions and groups and others
can only read the files. This will ensure that no one accessing the files can
alter them, apart from the owner.

Correct file permissions for all folders

The safe permission of all the folders is 755. This means permission to read,
write and execute for the user; only read & execute access to the group and
none at all to others.

Correct file permissions for wp-config

The wp-config is the configuration file of your WordPress and is one of the
most sensitive files in the entire directory. Protect this with permission of 400.
This means even the user and the server has no right to edit, whereas others
can not even read.

Correct file permission for the PHP file in the wp-root

PHP file in the wp-root is a blank file that hides the entire directory. Without
this, the entire file directory will be bare for all to see. The suggested file
permission for this PHP file is 444. It is permission to read-only for all,
including the user and the group.

Files/Folders Permissions
wp-content 755
wp-includes 755
All .php files 644
All folders 755

wp-config.php (public_html folder) 400
index.php (public_html folder) 444

This is precisely how file & folder permissions should be set in your