7 ways to improve your WordPress security

Time to Read: 10 minutes
Difficulty Level: Beginner
Tools Needed: WordPress installation
Last Updated: 08/11/2024

Introduction

Maintaining your WordPress website’s security, for the benefit of your customers and of your business, is one of those ongoing tasks that’s never really ‘done’. Things change, security measures fall out of date, and new platform vulnerabilities are introduced or discovered. The more regularly you review your site’s security practices, the better.

Re-evaluate your online passwords
Lock admin access to your IP address
Update your WordPress version
Listen out at online communities
Disable WordPress trackbacks
Install Wordfence – do it now!
Set up two-factor authentication for admins

Re-evaluate your online passwords

Sometimes the simplest things are the most effective – like making sure that you’re using a strong, unique password for your WordPress site. The National Cyber Security Centre suggests using three random words (https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words). Don’t reuse the same two or three passwords across all your sites, and don’t rely on combinations of words and dates that are easy to guess. If you don’t already, now’s the time to start using a password manager such as KeePass, LastPass or Bitwarden to generate strong, random passwords and store them safely.

Lock admin access to your IP address

The default WordPress admin URL is one of the most common targets for hacking attempts, so if only you can reach it, you shield yourself from a lot of unwanted attention. If you have a static IP address, you can lock the admin area so that it is only accessible from that IP.

This can be set up in several ways: with rules in your .htaccess file, with additional Apache or nginx server directives, with a WordPress plugin, or with a firewall rule in Cloudflare.
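As an added example (not from the original article), here is the .htaccess variant for Apache 2.4 with mod_rewrite enabled, assuming WordPress is installed at the site root; 203.0.113.10 is a documentation-range placeholder standing in for your static IP.

```apache
# Added example, not from the original article: restrict WordPress admin
# access to one static IP address in the site's root .htaccess (Apache 2.4+).
# 203.0.113.10 is a documentation-range placeholder; substitute your own IP.

# 1. The login form is a single file in the web root, so guard it by name.
#    Requests from any other address receive 403 Forbidden.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# 2. Guard the whole /wp-admin/ directory from the root .htaccess via
#    mod_rewrite (a <Directory> block is not permitted inside .htaccess).
#    admin-ajax.php is deliberately left reachable: themes and plugins call
#    it from public pages, so blocking it breaks the front end for visitors.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [F,L]

# Caveat: behind Cloudflare or another reverse proxy, REMOTE_ADDR holds the
# proxy's address rather than the visitor's unless mod_remoteip is configured
# to trust that proxy. In that setup, apply the allow-list in Cloudflare's
# own rules instead, or the comparison above will never match your IP.
```

Verify the change from a second connection (a mobile hotspot, for instance): wp-login.php should return HTTP 403 there while your own address still sees the login form.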

Update your WordPress version

Just 22% of WordPress sites are up to date, according to Torquemag. Updating your WordPress site to the latest version of the platform gives you patches for known vulnerabilities as well as security enhancements and new features. It’s an easy, effective way to keep your site more secure, and WordPress 3.7 and later installs security releases automatically, though you still need to keep the major version itself up to date. Remember that your plugins, themes and core files have their own updates as well, which you’ll need to apply yourself through your site’s admin.

Using the WordPress Toolkit within Plesk can also help you manage your site(s), allowing quick updates to the core, plugins and themes from within your Plesk control panel. WordPress Toolkit’s functionality may depend on your Plesk licence.

Listen out at online communities

With over 810 million websites using WordPress, there’s a massive community around the platform. Often just keeping your ear to the ground is one of the best ways of staying secure, so it pays to be involved in community forums and know what’s going on with the platform. You’ll hear about vulnerabilities as they’re found, you’ll find discussions on what’s being done about threats and where to find the latest patches, and best of all you’ll get to know your platform in more depth, which may benefit your WordPress site overall.

Disable WordPress trackbacks

Trackbacks are a WordPress feature that lets you know when other web pages have linked to content on your site; they appear as notifications in your comment moderation panel. They aren’t a threat in themselves, but they can be abused by third parties to attack your site – so while they sound handy, it’s probably better in the long run to close this back door on your WordPress site.

To disable trackbacks for your future posts:

  • Click Settings in your WordPress control panel
  • Go to Discussion
  • Find Default article settings
  • Untick ‘Allow link notifications from other blogs’.
  • Don’t forget to save your new settings!

Please note that this only disables trackbacks for your future WordPress posts, not existing ones. To close them on existing posts and pages as well, run the following queries on your WordPress site’s database, or ask your site’s developer to do this for you:

-- Close pings (trackbacks and pingbacks) on every published post and page.
-- Adjust the wp_ prefix if your installation uses a different $table_prefix in wp-config.php.
UPDATE wp_posts SET ping_status = 'closed' WHERE post_status = 'publish' AND post_type = 'post';
UPDATE wp_posts SET ping_status = 'closed' WHERE post_status = 'publish' AND post_type = 'page';

Install Wordfence – do it now!

One of the best WordPress security plugins you can install is Wordfence. It gives your website an additional layer of protection against both malware and hacking attempts, it’s free to download, and with 5 million websites using it worldwide, it’s the most popular WordPress security plugin available (so download it now!). It secures multiple WordPress sites, firewalls your site against third-party scans and fake Googlebots, scans your WordPress site(s) for a wide range of threats (including the Heartbleed vulnerability) and blocks whole networks that are found to be malicious. You also have the option to sign in via your mobile phone, giving you an extra layer of security.

Set up two-factor authentication for admins

As its name suggests, two-factor authentication adds a second step to signing in to your site. Authentication extensions like the Clef and Duo plugins are an easy way to establish secure access for your WordPress site admins, using email or mobile verification to confirm their identity. You’re bound to have run across similar procedures yourself when signing up for a variety of websites. It’s a little annoying sometimes to have to go to your email inbox just to click a link confirming you are who you say you are, but at least you know those sites are taking your security seriously and adding that extra layer to keep you safe. Shouldn’t you do the same for admins accessing your WordPress site?

So there you go – our top recommendations to help keep your WordPress site secure. Remember that there’s never a 100% guarantee of immunity from attacks online, but the more security measures you implement, the greater your chances of keeping your website safe.