8 Tips For Improved WordPress Security (WP Security Guide Part II)

Do you know how to secure a WordPress site?

Are you looking for better strategies to avoid WordPress security vulnerabilities?

Then you are in the right place to learn some advanced WordPress security techniques!

In my previous article, part 1 of the WordPress Security Guide, I listed some basic WordPress security tips that need no advanced skills or programming expertise.

However, as the technology keeps evolving, a WordPress website is exposed to malicious attacks from every corner of the world.

Most of the time these are bots or malicious scripts distributed across the network to track down and infect any WordPress blog they come across.

In addition, there are also dedicated attackers who are capable of more advanced tricks to get into your WP dashboard.

Unlike bots or malicious scripts, these attackers target popular blogs, and their primary intention is to take control of a top-earning site, sometimes for fun and more often for ransom.

The basic security tips help you secure WordPress against scripts and bots. To stand up to a targeted attacker, you need to go further and follow some advanced security tips for WordPress.

Without further ado, let's check out some of the pro security measures that you should implement for hardening WordPress!

8 Pro Tips To Avoid WordPress Security Issues

Remember the famous line, "Desperate times call for desperate measures." The same applies here.

To withstand a sophisticated hacking attempt, you must follow some advanced WordPress security methods!

[Image: advanced-wordpress-security-tips]

1. Change Your Login URL

The login URL of your WordPress site is the gateway to the dashboard. Just as you log in to make changes or run updates, an attacker needs the same admin access to take control of your site, and the default login page, wp-login.php, is exactly where automated password guessing is aimed.

Hence, it is a sensible move to change the default login URL, wp-login.php, into something else.

Keep in mind what this buys you: it is obscurity, not access control. Bots written against the default URL will miss the form, but anyone who learns the new URL is back at the same login page, and the xmlrpc.php endpoint still accepts a username and password unless you disable it. If registrations are open on your blog, the registration and "Lost your password?" links can still lead to the new login URL. So, if user registrations are closed, also remove the "Login" link (for example, the Meta widget) from your site.

If you have multiple authors who contribute regularly, share the new login URL with them privately rather than publishing it anywhere.

In this way, hacker programs that are written for the default WordPress layout will fail to find your login form, which removes the bulk of scripted login attempts and bot traffic against it.

You may use either the Custom Login URL or the WPS Hide Login plugin to set a custom login URL on your WordPress blog.

If you use the iThemes Security (formerly Better WP Security) plugin, you can change the login URL of your site with it as well.

2. Hide Your Username

To secure WordPress, the next important thing is to hide your WP username!

If you cannot close registrations on your blog, the login URL can still be found, and a username is half of a credential pair: once an attacker has it, only the password is left to guess.

Hence, it is highly advisable to hide your username, so that the login name behind the admin account is not handed out by your own site.

How to hide Username on WordPress?

As you know, every post published on a WordPress blog is assigned to an author. A request such as

http://www.blogname.com/?author=1

is redirected by WordPress to the author archive, http://www.blogname.com/author/<slug>/, and that slug is the user_nicename column of the wp_users table. By default user_nicename is simply a sanitised copy of user_login, so the author URL (and the REST API users listing, which exposes the same slug) leaks the login name of user ID 1, which is usually the administrator.

So, to hide your username in the author URL, you must alter user_nicename in the database. Back up the database before you touch it.

Step 1: Log in to the cPanel of your web host.

Step 2: Open phpMyAdmin and select the database assigned to your blog.

Step 3: From the database, open the table wp_users (the prefix may differ if you changed it at install time).

Step 4: The wp_users table lists every user on your site. Each row has two columns that hold the same value by default: user_login (the name typed at the login form) and user_nicename (the author slug).

Step 5: Edit the row and change user_nicename to something different from user_login. Use only lowercase letters, digits and hyphens, because it becomes part of a URL, and leave user_login untouched.

Step 6: Save the row to apply the update.

That's it. The author URL http://www.blogname.com/?author=1 now redirects to the new slug, so nobody can read your username from it. Note that the name shown on posts is a separate column, display_name, and should also differ from the login name.

3. Change File Permissions

If you have some knowledge of file permissions, you know that every file and folder on a computer or a hosting server carries permissions that decide who may use it.

Permissions are granted separately to the file's owner, its group and everyone else, and each of those gets some combination of three rights: Read, Write and Execute (for a directory, Execute means being allowed to enter it). The numeric form, such as 644, encodes owner, group and others in that order.

No directory on a WordPress install should be 777, which lets any account on the server read, write into and traverse it; on a shared host a single 777 folder is an invitation to drop a web shell. Check for it, because careless install guides and FTP clients sometimes leave folders that way.

To avoid such WordPress security issues, assign 755 to folders (750 if the web server user is in your group and nothing else needs access), as suggested by WordPress.org.

Set the files on your WordPress to 644 (or 640, under the same condition), and most importantly, assign wp-config.php 600 so that only the owner can read the database credentials. If PHP runs as a different account than the file owner on your host, 600 will break the site; in that case use 640 with the web server's group, and test the site immediately after changing it.

How to change file permissions for files and folders?

There's no rocket science involved in changing the file permissions of files and folders on your WordPress website.

However, you need to be careful that you are making the right changes to the right files and folders, or else you may break your WordPress website completely.

Step 1: Use your FTP (preferably SFTP) credentials to access the server hosting your WordPress website.

Step 2: Go to the "public_html" folder, which is the default folder where your web files are stored.

Step 3: Right-click on the desired file or folder and select "File Permissions." A window similar to the image below will appear.

[Image: wordpress-change-file-permission]

Step 4: Enter the number recommended above in the "Numeric Value" field for the specific file or folder and click "OK."

That's it. You have changed the file permissions and added an extra layer of security to your WP website. Doing this by hand for every folder is tedious; most FTP clients offer "apply to subdirectories" in the same dialog, and with shell access chmod does it in one pass.
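For anyone with SSH access, here is the same policy as a script: an added example written for this guide, not code from the original post. It assumes the WordPress files are owned by the account PHP runs as (so 600 on wp-config.php still lets WordPress read it); the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): apply the permissions the post
# recommends to a WordPress tree, then audit the tree for anything that deviates.
# Assumption: files are owned by the account PHP runs as. If PHP runs as a
# different user on your host, use 640 with that user's group instead of 600.

# harden_wp_perms <wordpress-root>
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Directories: owner rwx, group and others rx (755).
    find "$root" -type d -exec chmod 755 {} +
    # Files: owner rw, everyone else read-only (644).
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts: owner only (600).
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# audit_wp_perms <wordpress-root>
# Prints every path that violates the policy and returns 1; prints nothing
# and returns 0 when the tree is clean. Run it after the hardening step and
# again from cron, because plugin updates and FTP uploads reset permissions.
audit_wp_perms() {
    root="$1"
    bad=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Usage (placeholder path):
#   harden_wp_perms /home/yourblog/public_html && audit_wp_perms /home/yourblog/public_html
```

The audit deliberately treats wp-config.php separately from every other file, so a stray 644 on it shows up even when the rest of the tree is clean.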

4. Disallow Access To WordPress Files or Folders

You can also protect your WordPress website from people who browse your folders with a web browser. If the server has directory listing enabled, a request for a folder without an index file, such as /wp-content/uploads/, returns a list of everything in it, including plugin and theme names that tell an attacker what to attack. Hence, it is advisable to switch directory listing off.

Simply add the following line to your .htaccess file to stop Apache from listing the contents of any folder:

Options -Indexes

Now you have disabled directory browsing on your WordPress site. This only works if your host allows the Options directive in .htaccess (AllowOverride Options); if it does not, every request will fail with a 500 error and you should remove the line again. On nginx there is no .htaccess, but directory listing (autoindex) is off by default.

As a fallback that works on any server, make sure each folder that should not be listed contains an index.php file. WordPress already ships a blank one in wp-content, wp-content/plugins and wp-content/themes, so check that they are still there, and add one to wp-content/uploads.

5. Disallow WordPress Folders Index Using Robots.txt

Robots.txt is a plain text file in the root of your site (WordPress serves a virtual one if you have not created your own) that acts as a guide for well-behaved crawlers. A crawler that honours it will skip any path listed under Disallow.

It is mainly used for SEO, to let Google and other search engines crawl the relevant pages of a website while ignoring files or folders that are irrelevant to search rankings.

You can also use it to keep search engines from indexing the administrative parts of your WordPress site. A commonly suggested set of rules is:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/

Two caveats before you copy this. First, robots.txt is advisory: it restricts nothing, it only asks. Malicious scanners ignore it, and the list of Disallow entries is itself a public map of the paths you consider sensitive, so never rely on it to hide anything; the permissions and .htaccess rules above are what actually keep data out of reach. Second, Google renders pages with their CSS and JavaScript and asks that those resources not be blocked, so disallowing /wp-includes/, /wp-content/plugins/ and /wp-content/themes/ can hurt how your pages are indexed. The Allow line for admin-ajax.php, which WordPress includes in its own default robots.txt, exists for the same reason. In practice, /wp-admin/ is the only entry worth keeping.

6. Remove Password Reset Option In WordPress Login

Eliminating the password reset option is one of the stronger advanced security tips for WordPress, and here is why and how.

What happens if the email account associated with your WordPress user is compromised? The attacker only needs your username or email address to request a reset link, and they are now the one who receives it. The same applies to anyone who can read your mail on a shared mailbox.

To prevent this and harden your WordPress login, you can disable the password reset flow altogether.

Step 1: Go to cPanel > File Manager

Step 2: Under the public_html folder, find wp-content > themes > your theme

Step 3: Click on your theme directory and you will see its files listed on the right in a table.

Step 4: Locate the functions.php file and right-click it to get the "Edit" option.

[Image: wp-security-remove-password-reset]

Step 5: Add the code below to turn off the "Password Reset" option in the WordPress login. Code in a theme's functions.php disappears when you switch themes; a small must-use plugin in wp-content/mu-plugins is the safer home for it.

/**
 * Disable the "Lost your password?" flow for every user.
 * The allow_password_reset filter receives (bool $allow, int $user_id);
 * returning false makes WordPress refuse the reset request.
 */
function disable_password_reset( $allow, $user_id ) {
    return false;
}
add_filter( 'allow_password_reset', 'disable_password_reset', 10, 2 );

Now, if someone tries to reset your WP admin password, they get the message below.

[Image: eliminate-password-reset-wp-security]

If you forget your own password, don't worry!

Just log in to cPanel, remove the code you added to functions.php, and request a new password as usual. Make sure you retain cPanel or database access, so that you can never be locked out of your own site.

7. Disable Email As Username

WordPress 4.5 arrived last month with a new feature, "Login Using Email": you can log in to your WordPress site with the email address linked to the user account instead of the username.

Hence, even after you have changed or hidden your username, if someone finds your email address they can use it to log in, and an email address is usually far easier to discover than a username.

Therefore, it is advisable to disable email as a username and strengthen the security of your WordPress blog.

Last year I read a WP tutorial where they added the email login option to the WordPress login by adding the following code in functions.php:

remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );

I modified the same code as below, which removes the email authenticator that 4.5 registers on the same hook:

// WordPress 4.5+ hooks wp_authenticate_email_password() on 'authenticate'
// at priority 20; removing it leaves only the username-based check.
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

And it is working!

Yes, if anyone finds out the email associated with your WordPress account and tries to log in with it, they get the invalid username error. As with the previous tip, the code belongs in the active theme's functions.php or, better, a must-use plugin. The benefit is real but limited: someone who has found your email address on the site may find the username nearby, so pair this with tip 2 rather than relying on it alone.

8. Move/Hide wp-config.php File

Do you know that an attacker can easily locate the wp-config.php file, which contains essential settings such as the database username, password, MySQL host and the authentication salts? Its location is the same on every WordPress install, and if anything goes wrong with the PHP handler on the server, the file is served as plain text and can be read straight from the browser. The same happens to a backup copy such as wp-config.php.bak left beside it by an editor, which PHP never processes.

So, to secure WordPress, it is better to move this file into the folder directly above the WordPress installation. Before moving wp-config.php, make sure that WordPress is installed in the public_html directory of your site. Don't try this if it is in a subfolder, because the parent folder would still be inside the web root and the file would still be reachable over the web.

For example: if your WP installation files are in /home/yourblog/public_html/, you may move wp-config.php to /home/yourblog/. If WordPress does not find the file in its own folder, it looks one directory up (provided that directory does not itself contain a wp-settings.php, that is, it is not another WordPress install), so nothing else needs to change. The PHP process still needs read access to the new location, so keep the file owned by the same account with the same permissions as before.

However, you can also block web access to wp-config.php by adding the following to the top of your .htaccess file and avoid this common WordPress security issue. This is the Apache 2.2 syntax; on Apache 2.4 the equivalent is a Require all denied directive inside the same Files block. Note that the exact filename match does not cover backup copies like wp-config.php.bak, so delete those rather than relying on the rule.

<Files wp-config.php>
  Order allow,deny
  Deny from all
</Files>
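The move described above, with the two checks the text warns about (a subfolder install, and a parent folder that is itself a WordPress install) done by script rather than by eye. This is an added example written for this guide, not code from the original post; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): move wp-config.php one level
# above the WordPress root, refusing in the cases where that is unsafe or
# useless. WordPress's wp-load.php only falls back to ../wp-config.php when
# the parent directory does NOT contain wp-settings.php (i.e. is not another
# WordPress install), so that condition is checked before moving anything.

# relocate_wp_config <wordpress-root> <document-root>
# Refuses unless <wordpress-root> IS the document root: for a subdirectory
# install the parent folder is still inside the web root, so the file would
# stay reachable over the web.
relocate_wp_config() {
    wp_root=$(cd "$1" && pwd) || return 1
    doc_root=$(cd "$2" && pwd) || return 1
    parent=$(dirname "$wp_root")

    if [ "$wp_root" != "$doc_root" ]; then
        echo "refusing: $wp_root is a subdirectory install; its parent is still web-served" >&2
        return 1
    fi
    if [ ! -f "$wp_root/wp-config.php" ]; then
        echo "refusing: no wp-config.php in $wp_root (already moved?)" >&2
        return 1
    fi
    if [ -f "$parent/wp-settings.php" ]; then
        echo "refusing: $parent looks like another WordPress install; WordPress would ignore the moved file" >&2
        return 1
    fi
    if [ -e "$parent/wp-config.php" ]; then
        echo "refusing: $parent/wp-config.php already exists" >&2
        return 1
    fi

    mv "$wp_root/wp-config.php" "$parent/wp-config.php" || return 1
    # Outside the web root now, but PHP still has to read it: owner-only is enough
    # when PHP runs as the file owner (same assumption as the permissions tip).
    chmod 600 "$parent/wp-config.php"
    echo "moved wp-config.php to $parent/wp-config.php"
}

# Usage (placeholder paths):
#   relocate_wp_config /home/yourblog/public_html /home/yourblog/public_html
```

After running it, load the site once to confirm WordPress picked up the relocated file before you close the shell; if it did not, move the file back.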

Final Words On Hardening WordPress Security

Well, as you go deeper into WordPress, you find new vulnerabilities as well as fixes that contain them. The uncomfortable fact is that most fixes arrive only after a vulnerability has already been exploited in the wild.

Despite that, the best feature of WordPress is a community that works hard to provide features and resources for WP users to safeguard their websites from attacks and security threats.

Hence, experts always recommend keeping up with WordPress updates (core, themes and plugins alike) to keep your website or blog safe. There is no guarantee that a WordPress site is 100% safe from malware.

There is always a chance that, one way or another, your site gets hacked or compromised. Schedule daily backups of your WordPress website, stored somewhere other than the web server, so that you lose no data even if you lose access to your website to a malware attack.

I hope that you have learned some advanced WordPress security tips from this post. What is your opinion about malware and hacker attacks, and the methods we need to implement to harden WordPress security?

Do you follow the basic WordPress security strategies to preserve your precious data? Did I miss any other improved method for securing WordPress? Share your valuable viewpoints in the comment section.

9 thoughts on “8 Tips For Improved WordPress Security (WP Security Guide Part II)”

  1. Hi Nirmala,

    Before reading your article, I knew that if you display your author name and the relevant link on your blog, that’s a sure way for a hacker to discover your username. This was one of the reasons why I removed that field from my blogs.

    What I didn’t know is that user_nicename exists and if you make it different from user_login, then your username won’t be displayed anymore even if you display your author name and the link to author’s page. The URL of the author’s page will show the “nicename.”

    I’ve learned something new today. Thank you very much!

    • Hi Adrian,

      Nice to see you here again.

      Glad I could help in learning a new WordPress stuff.

      You are very exact! The hackers can easily find out the username through the URL that I have provided in the post.

      Nicename in cPanel is really a nice option to hide the usernames.

      Thanks for getting time to check my post and share it on social media.

      Have a great week ahead.

  2. Nirmala, all valid and relevant points, my dilemma is that I am after a light weight plugin which offers me good protection quickly and easily. Unfortunately, all security plugins I have used to date either clash with my cache plugin or give me some sort of errors and problems.

    Is there any light-weight and yet highly effective plugin you can recommend?

    Nice article by the way. Regards

    • Welcome to my blog, Ahmad! Glad you liked my post 🙂

      I’ll be writing the best WordPress plugins for tight security in my next post.

      BTW, I would recommend iThemes security or Sucuri to prevent hackers attacking your WP site.

      What are the other security plugins that you have used on your blog?

      Thanks for your visit, stay tuned!

  3. Most of us use WordPress for launching our sites and blogs. Taking a look at these tips made me realized that there is always a room for improvement on the internet. Thanks to Nirmala ma’am for creating this piece and sharing with us.

    I have been using WordPress (self-hosted) program for more than 6 years, as the platform grows, new things come up, so do the challenges.

    Thanks, again!

    • Hi Hassaan Khan,

      Thanks for checking the security tips for WordPress. Great that you have been blogging with WP CMS for the past 6 years. I hope that you have a wide knowledge on handling WordPress stuff and maintaining a healthy site.

      Yes, we have improved methods to harden WordPress safety; however, we need to implement them exactly. Stay tuned!

  4. Hi, Nirmala,
    Your article is really nice and I got lots of ideas about WordPress security. I love to read articles and blogs on SEO, WordPress, digital marketing, social media marketing and all, and am trying to learn the facts and concepts about all these terms, and I got really very good knowledge from all of you experienced bloggers. Thank you for sharing this wonderful information with us and keep sharing such kinds of updates with us so that we can learn.

    • Hi Aditya,

      Thanks for reading my post, good to know that you would like to learn the new helpful stuff from the experts.

      We need to offer a great security to the valuable data that we craft and thus, following these strategies would help us to stay safe from the Cyberpunks.

      Thanks for showing your presence, keep coming!

  5. Great information, Nirmala.

    For non expert bloggers and coders, I suggest installing a WordPress plugin, to make things easier.
    From the ones you mentioned, I found “Wordfence Security” plugin a free solution to secure blogs and make them faster.
    Tested and happy with it!
