WordPress Security: Tips and Guide

April 24, 2020 By Pramod


As WordPress is a self-hosted CMS, responsibility for its security lies with the site owner or the hosting company. If the owner takes no precautions and the site is hacked, they may have to hire a WordPress security expert or a company that cleans up hacked sites. Google will also flag the site: to keep its users away from it, Google displays a “This site may be hacked” notice beside the site’s name in its search result pages.

How do you secure a WordPress site? The answer is in the sections below:

Table of contents:
  • Check and block
  • Use a security plugin
  • Use the latest version of a theme or a plugin
  • Don’t use something that you have not paid for
  • Disable XML-RPC
  • Back up the server files and database regularly
  • Use hosting that offers malware scanning and removal service
  • Check WordPress site health often
  • Use Cloudflare

Check and block

Log files show you who is trying to get into your WordPress dashboard, and failed login attempts are easy to spot: look for the IP address that has requested the WordPress login page (wp-login.php) or /wp-admin repeatedly. Once you have the IP, you can block it with iptables or firewalld. If you don’t want to check log files by hand, the Fail2Ban tool watches the log and bans such IPs for you. If you don’t have root access, a WordPress security plugin can do this job instead. You can also cut down unauthorized login attempts with a captcha plugin. The plugin asks you to generate Google reCAPTCHA site/secret keys and enter them in its settings page. Once you save valid keys, anyone trying to log in to your site must solve Google’s captcha challenge before the “Log In” button is enabled.
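The log check described above, worked through as an added example (this script is not from the article; the access log lines are constructed and the IPs are documentation addresses). It counts requests to wp-login.php and /wp-admin per client IP from a combined-format access log, treats a POST to wp-login.php that gets a 200 as a failed attempt (WordPress answers a successful login with a 302 redirect), and builds the iptables or firewalld command for an offending IP after validating that the value really is an IPv4 address:

```shell
#!/bin/sh
# Constructed sample of a combined-format access log (not real traffic).
SAMPLE_LOG="$(cat <<'EOF'
203.0.113.7 - - [24/Apr/2020:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2020:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2020:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2020:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2020:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
198.51.100.2 - - [24/Apr/2020:10:03:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [24/Apr/2020:10:03:11 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Apr/2020:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
)"

# Read an access log on stdin and print "hits failed ip" for every IP with at
# least $1 requests to wp-login.php or /wp-admin, most active first.
# In combined format $1 is the client IP, $6 the quoted method, $7 the path
# and $9 the status code.
find_login_abusers() {
    awk -v threshold="$1" '
        $7 ~ /^\/(wp-login\.php|wp-admin)/ {
            hits[$1]++
            # A POST to wp-login.php answered with 200 is a failed login;
            # a successful one is redirected with 302.
            if ($6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200) failed[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= threshold) print hits[ip], failed[ip] + 0, ip
        }
    ' | sort -rn
}

# Only accept a dotted-quad IPv4 address before placing it in a shell command.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Build (but do not run) the iptables rule that drops traffic from an IP.
iptables_block_cmd() {
    is_ipv4 "$1" || { echo "refusing to build a rule for '$1'" >&2; return 1; }
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Same for firewalld, as a permanent rich rule followed by a reload.
firewalld_block_cmd() {
    is_ipv4 "$1" || { echo "refusing to build a rule for '$1'" >&2; return 1; }
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" drop' && firewall-cmd --reload\n" "$1"
}

# Demonstration on the constructed log: print the commands for review.
# On a server you would feed the real log: find_login_abusers 20 < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | find_login_abusers 3 | while read -r hits failed ip; do
    echo "# $ip: $hits login-page requests, $failed failed POSTs"
    firewalld_block_cmd "$ip"
done
```

The threshold is deliberately a parameter: a legitimate user who mistypes a password a few times looks very different from hundreds of POSTs in a minute, so pick a number that fits your traffic and review the printed commands before running them. Fail2Ban automates exactly this loop (watch the log, count matches per IP, add a firewall rule, remove it after a timeout).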

Use a security plugin

WordPress security plugins can identify modified core WordPress files and restore them. They can also scan your site for security issues, block IP addresses, filter malicious requests, add two-factor authentication to your login, etc. The ratings and download counts in the WordPress plugin directory help you pick the best security plugin among the many available.

Use the latest version of a theme or a plugin

Security researchers find vulnerabilities in WordPress themes and plugins and report them to the developers, who fix the issue by releasing an update. WordPress lets you read a plugin’s changelog before updating, so you can check whether the update was released to fix a security issue. If it addresses a critical security issue, you must update the plugin or theme.

Don’t use something that you have not paid for

You might come across a site that lets you download premium WordPress themes and plugins for free. Never download files from such sites unless the site is running a giveaway campaign or is owned by a trustworthy company or individual, because the theme or plugin may contain malicious code.

Disable XML-RPC

Unless you’re using a plugin that works only when XML-RPC is active, you can disable the XML-RPC feature of WordPress. You can do so either by configuring the Apache/Nginx server to return a 403, 404 or 503 error when a user or bot requests the XML-RPC PHP file (xmlrpc.php), or by installing a plugin that disables it.
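An added example, not from the article, for the XML-RPC step: before blocking xmlrpc.php, check the access log for clients that actually use it (a mobile app or plugin you depend on would show up here), then print the Nginx or Apache 2.4 rule that makes it answer 403, and verify the result from outside. The log lines are constructed, the IPs are documentation addresses, and the site URL passed to the verification function is assumed to be your own:

```shell
#!/bin/sh
# Constructed combined-format access log excerpt (not real traffic).
SAMPLE_LOG="$(cat <<'EOF'
203.0.113.7 - - [24/Apr/2020:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2020:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.2 - - [24/Apr/2020:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress mobile app"
192.0.2.10 - - [24/Apr/2020:10:06:10 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
)"

# Summarise xmlrpc.php callers on stdin as "count ip user-agent", busiest first.
# Splitting on the double quote makes $2 the request line and $6 the user agent;
# the client IP is the first space-separated word of the whole line.
xmlrpc_callers() {
    awk -F'"' '
        $2 ~ /^(POST|GET) \/xmlrpc\.php/ {
            split($0, f, " ")
            key = f[1] " " $6
            hits[key]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Print the server rule that makes xmlrpc.php return 403.
# "deny all" in Nginx and "Require all denied" in Apache 2.4 both answer 403.
xmlrpc_deny_rule() {
    case "$1" in
        nginx)
            printf '%s\n' 'location = /xmlrpc.php {' '    deny all;' '}' ;;
        apache)
            printf '%s\n' '<Files "xmlrpc.php">' '    Require all denied' '</Files>' ;;
        *)
            echo "usage: xmlrpc_deny_rule nginx|apache" >&2
            return 1 ;;
    esac
}

# After deploying the rule, confirm the endpoint is no longer reachable.
# Needs network access; $1 is your site's base URL (an assumption of this example).
verify_xmlrpc_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$1/xmlrpc.php")
    case "$code" in
        403|404|503) echo "xmlrpc.php blocked ($code)"; return 0 ;;
        *)           echo "xmlrpc.php still reachable ($code)"; return 1 ;;
    esac
}

# Demonstration on the constructed log. On a server you would run, for example:
#   xmlrpc_callers < /var/log/nginx/access.log
#   xmlrpc_deny_rule nginx   # paste into the site's server block, then reload
#   verify_xmlrpc_blocked https://example.com
echo "xmlrpc.php callers in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_callers
```

The audit step is the one worth keeping: a steady trickle of POSTs from one IP with a generic browser agent is the brute-force pattern you want to shut out, while a single client identifying itself as a WordPress app is the kind of legitimate user that would break if you disable the endpoint blindly.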

Back up the server files and database regularly

Although the above tips will help keep your site safe, you should always be ready for the worst. If files on the server have been modified by a plugin or by malicious code in a theme, a backup will be a lifesaver: restoring it brings back the original files and undoes the damage to your site. If you’re on shared hosting, you can back up your entire site from cPanel. Cloud hosting companies let users create snapshots of the entire OS. You can also back up your database and files manually with the mysqldump command-line utility.
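The manual mysqldump route, as an added example that is not from the article: a script that reads the database settings out of wp-config.php, dumps the database and archives wp-content, keeps the archives unreadable to other users, and prunes old copies so the disk does not fill up. The wp-config.php excerpt is constructed, and the paths in the usage comment are assumptions:

```shell
#!/bin/sh
# Constructed wp-config.php excerpt (placeholder values, not a real site).
SAMPLE_WP_CONFIG="define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'localhost' );"

# Extract the value of a define()'d constant from wp-config.php text on stdin,
# e.g. wp_config_value DB_NAME < /var/www/html/wp-config.php
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Dump the database and archive wp-content plus wp-config.php into $2.
# $1 is the WordPress root (e.g. /var/www/html), $2 the backup directory,
# which should live outside the web root so the archives are not downloadable.
run_backup() {
    wp_root="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    cfg="$wp_root/wp-config.php"
    db=$(wp_config_value DB_NAME < "$cfg")
    user=$(wp_config_value DB_USER < "$cfg")
    host=$(wp_config_value DB_HOST < "$cfg")
    mkdir -p "$dest"
    # The password goes in the MYSQL_PWD environment variable instead of on the
    # command line, so it does not show up in `ps` output for other users.
    MYSQL_PWD=$(wp_config_value DB_PASSWORD < "$cfg") \
        mysqldump --single-transaction -h "$host" -u "$user" "$db" \
        | gzip > "$dest/db-$stamp.sql.gz"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$wp_root" wp-content wp-config.php
    # wp-config.php contains credentials, so lock the archives to the owner.
    chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
    echo "backup written: $dest/db-$stamp.sql.gz and $dest/files-$stamp.tar.gz"
}

# Keep only the newest $3 backups whose names start with "$2-" in directory $1.
# Timestamped names sort chronologically, so a reverse sort puts newest first.
prune_backups() {
    dest="$1"; prefix="$2"; keep="$3"
    ls -1 "$dest"/"$prefix"-* 2>/dev/null | sort -r | awk -v k="$keep" 'NR > k' \
        | while read -r old; do rm -f "$old"; done
}

# Usage (assumed paths), typically from a daily cron job:
#   run_backup /var/www/html /var/backups/wp
#   prune_backups /var/backups/wp db 14
#   prune_backups /var/backups/wp files 14
# Demonstration of the parser on the constructed excerpt:
printf '%s\n' "$SAMPLE_WP_CONFIG" | wp_config_value DB_NAME
```

Copy the backup directory off the server (object storage, another machine) as a separate step; a backup that sits next to the site is lost together with it if the server is wiped or the attacker deletes it. `--single-transaction` gives a consistent dump of InnoDB tables without locking the live site.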

Use hosting that offers malware scanning and removal service

Some hosting companies fix malware issues on their clients’ websites for free, while others offer malware removal as a paid add-on. When your site is affected by malware, you can ask the company’s staff to remove it for you. SiteGround and WPX Hosting are two companies that I’m aware of that offer a malware removal service to their users.

Check WordPress site health often

The WordPress CMS has a section called “Site Health” that gives you useful recommendations such as removing inactive themes and plugins or updating an outdated version of WordPress, and explains why each one matters. If you visit “Site Health” often and follow its suggestions, your site will be more secure. To access it, log in to the WP dashboard, hover your mouse over the “Tools” menu and click “Site Health”.

Use Cloudflare

Cloudflare has a sophisticated and proven anti-DDoS system. It can also keep malicious IPs away from your pages by making those visitors solve a captcha first. Cloudflare offers free and premium services; the free tier includes SSL, a CDN, DNS hosting, analytics, etc. For advanced security and performance features, you can buy one of Cloudflare’s premium plans.

Final thoughts: Although WordPress is a great content management system, it doesn’t have a firewall, IP blocker, 2FA, backup tool, etc. built in. In this article I’ve recommended some third-party services, tools and plugins to protect your WordPress site. If you want to secure your site, make sure that you follow the tips I’ve shared above.

Filed Under: Tips Tagged With: Security, WordPress Optimization

About Pramod

Hi, I have started this site to share honest reviews of WordPress products, hosting and software. If you have any doubts about a product I've reviewed on this site, you can get in touch with me on LinkedIn.


Copyright © 2021 · Reviewslion