How to improve WordPress website security

1. Introduction

Nowadays we face a lot of security issues with different content management systems (CMS) and web applications. WordPress is not an exception as it`s one of the most popular and powerful blogging content management systems.

There are several reasons for it:

• CMS uses typical files for passwords and settings located in the same directories for each account (wp-config.php, wp-admin/ directory etc) so they are very easy to locate, modify after gaining partial access.
• The admin panel (wp-admin) runs under the same domain and uses the same codebase/permission as the rest of the application.
• Admin users can install a plugin/theme, which can then modify any file or change anything in the database (this is related to corrupted, non-official, non-updated, self-modified or fraudulent themes or plugins).

This article provides you with a list of tips and instructions that can improve a security level of your WordPress installation.

2. Making backups regularly

Making regular backups of your WordPress site is the first and the most important step. Before you apply any changes, make sure to backup your entire WordPress installation or databases.

It is recommended to create regular backups for your entire cPanel account using cPanel > Backups tool and creating Full cPanel Backup.

Also, you can backup your WordPress site using CodeGuard.

3. Updating WordPress, themes and plugins to the latest version

The latest version of WordPress is always available on official WordPress site. Official release is not available from other websites or resources, thus, NEVER update WordPress from third party resources. Also, you can easily update WordPress from Admin Dashboard directly or via Softaculous.

Make sure that your blog’s version is up to date. WordPress team works on creating patches for fixing security ‘holes’ and backdoors on a constant basis. That`s why it is very important to have the latest version of WordPress.

It is strongly recommended to update your plugins and themes to the latest versions too, as a bug in one of these can affect your whole installation. You can update both plugins and themes via Admin Dashboard > choose Plugins or Themes menu and click ‘Update now’ near the necessary plugin or theme:

NOTE: it is recommended to create backups of your WordPress files and database before applying any changes.

4. Using trusted sources

Many custom ‘free’ WordPress themes included base64 encoding, which is often used to hide malicious code. So, with such themes or plugins you can easily upload malware into your account. This is how most of the ‘hackers’ get access to your files and site.

We recommend using content only from official resource like http://wordpress.org/ as it`s the safest place to get themes and plugins.

5. Using secure username and password

The default WordPress login is ‘admin’ and most hackers know that. It should be changed to custom one with a strong password which include upper/lower keys, numbers and symbols.

Assuming you use Softaculous, you specify the username on the install screen:

Also, it is not recommended to use passwords or email addresses similar to your accounts from other web-resources.

You can change your Admin username or Password via the database, you can find the corresponding instructions here.

6.1 Changing database prefix

It is highly recommended to change the database prefix as the default table prefix for WordPress is wp_ . SQL Injection attacks are easier with the default table prefix because it is easier to guess. We recommend to change the database prefix to something more secure than wp_.

NOTE: create backup of your database before applying any changes.

If you install WordPress from Softaculous, you can set custom table prefix and database name at installation screen:

If you have already installed WordPress you can still change database prefix in two ways: either manually or using a special plugin.

For manual database prefix change, go to cPanel > phpMyAdmin menu > choose the necessary database from the left side > click on SQL option above.

Here you need to run RENAME SQL queries on tables in your WordPress database:

*where newprefix_ should be replaced with new database prefix you wish to have instead of wp_, then click Go:

Once done, you will see the new database prefix has been applied to your WordPress database:

After that you will need to search the options table for any other fields that is using wp_ as a prefix in order to replace them. It is necessary to run the following query in the same way:

Then click Go and you will get the result as on the screenshot below:

Here you will need to go one by one to change these lines and replace the old database prefix with the new one. Once done, we need to search the usermeta for all fields that is using wp_ as a prefix with the help of this SQL query:

After that click Go and the following results will appear:

Number of entries may vary on how many plugins you are using and such. Here you need to change everything that has wp_ to the new prefix as well.

Once done, make sure to update your wp-config.php file with new database prefix:

Also, you can change database prefix using special plugins, like Change DB prefix or Change table prefix.

6.2 Changing database username and password

In order to change the database username or password, log into cPanel >> and click on MySQL Databasesmenu in Databases section:

Under Current users you will see all created database users in your account. Here you can Set new password orRename the necessary database user by choosing the corresponding option:

For changing password, click on Set password. In the new window insert your new password two times and click Change password:

To change the database username, click Rename. In the new window you need to specify the new username you wish to have (this will be the part after cPanelusername_ ) and click Proceed in order to save changes:

Once the database username or password are changed, you need to update your wp-config.php file with the corresponding details:

7. Setting password protection for important files and folders

In order to prevent your WordPress site from being hacked we recommend setting the password protection for system files and folders.

To create the password protection follow these steps:

7.1 Go to cPanel > Security > Password Protect Directories to access a list of your site’s folders:

7.2 Choose the directory you wish to protect and click on it:

7.3 Put a tick on Password protect this directory and name your protected directory, insert the username and password and click on Add or Modify the Authorized User button to save your changes:

NOTE: it is very important to protect wp-config.php file and wp-adminfolder since they are more susceptible for hacker attack.

8. Using secure FTP (SFTP) and Shell access (SSH)

Uploading files via FTP is a quick way to make a new site up and running or add new files to your account. However, SFTP is more secure and your passwords are encrypted to help prevent hackers from learning it. You can find a more detailed guide on how to upload your files via FTP or SFTP.

If you do want to use FTP (or use cPanel details for FTP connection), it’s a good idea to delete any FTP accounts that you’re not using to prevent them from being accessed without your consent. This is a great way to help keep your site and information more secure.