Protect your WordPress website


If there's anything we've learnt about building websites on WordPress, it's that they are prone to attacks. From pharma hacks to uploaded shell scripts, the popularity of WordPress makes it an easy target: it is used on around 43% of all sites on the web.

That being said, there are a number of things you can do to reduce the chance of your WordPress website being compromised. Here we'll list some of the main things you can implement to keep the bots and hackers away.

1. Protect your wp-admin directory

The wp-admin directory is where the administrator side of WordPress is stored. Gaining access to this directory can allow an attacker to compromise a lot of important scripts and run their own code while you write and update posts. Attackers will also attempt to brute-force your WordPress login page and, if they guess your username and password correctly, they will be able to wreak havoc within your website.

You can lock the directory down by adding a .htaccess file within it that denies access from every IP address other than the ones you wish to allow:

order deny,allow
allow from your.ip.address.here
deny from all

Unfortunately, the WordPress AJAX endpoint (admin-ajax.php) also lives within the wp-admin directory, so if you need that file to be publicly accessible, add the following to the end of the same .htaccess file:

<Files admin-ajax.php>
order allow,deny
allow from all
satisfy any
</Files>

Now, even if an attacker did guess your password and was able to log in, they wouldn't be able to see anything in your WordPress dashboard anyway.

2. Protect wp-login.php

Locking down the wp-login.php file isn't always an option. For example, if you have a password-protected page on WordPress, the page's password form submits to wp-login.php, so nobody from the public would be able to gain access to the page. If you don't need the public to be able to log in, though, you can add the following to the .htaccess in your WordPress installation's root directory.

<Files wp-login.php>
order deny,allow
allow from your.ip.address.here
deny from all
</Files>

Now anyone who is not using your IP address will be greeted by a Forbidden error page.
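Putting sections 1 and 2 together, as an added example that is not from the original article: the two .htaccess files written for both Apache syntaxes. The Order/Allow/Deny directives above belong to Apache 2.2; Apache 2.4 replaces them with Require (mod_authz_core) and, unless the optional mod_access_compat module is loaded, rejects Order as an unknown directive and answers every request with a 500 error. The address 203.0.113.10 is a placeholder for your own IP.

```apache
# ---- wp-admin/.htaccess (section 1) ----
# 203.0.113.10 is a placeholder; put your own address (or a CIDR range) here.
# Needs AllowOverride AuthConfig (Require) or Limit (Order) on the directory.

# Apache 2.4: mod_authz_core is always present, so this branch is taken
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    # The public front end needs admin-ajax.php, so grant it to everyone.
    # With AuthMerging Off (the default) this replaces the Require above
    # for this one file only.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2: no mod_authz_core, so fall back to Order/Allow/Deny
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
</IfModule>

# ---- .htaccess in the site root (section 2) ----
# Keep these lines outside the "# BEGIN WordPress" / "# END WordPress"
# markers: WordPress rewrites only that region and leaves the rest intact.

<IfModule mod_authz_core.c>
    <Files wp-login.php>
        Require ip 203.0.113.10
    </Files>
</IfModule>

<IfModule !mod_authz_core.c>
    <Files wp-login.php>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </Files>
</IfModule>
```

Behind Cloudflare (section 5) Apache sees the Cloudflare edge address as the client unless mod_remoteip is configured to trust Cloudflare's ranges, so re-test that the allow list admits you, and only you, after proxying is switched on.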

3. Use secure keys and salts

The wp-config.php file contains a number of settings called keys and salts. These are used for hashing and encryption and should be set to unique, random values. Don't leave them as the default values; be sure to change them.

You can generate a fresh set using the generator on the WordPress website.

4. Don't use insecure usernames and passwords

Stay away from using admin as your username, as this will be one of the first ones a brute-force attack will try. Try not to use your business name either, as it is too easy to guess.

Choose a strong password as well: include letters, numbers and symbols, and make it random and unrelated to you. If you can, use a two-factor authentication plugin to add that extra layer of security.

5. Use Cloudflare to stop DDoS and bots in their tracks

Cloudflare is a great tool for preventing unwanted guests from ever reaching your server. Bots and automated traffic can flood your server, overwhelm it and cause it to crash. This could damage your reputation with both customers and search engines, losing you business; you want your website to be online all the time. Cloudflare adds an extra layer between visitors (good and bad) and your website, intercepting known bots and clients making a lot of requests and preventing them from ever reaching your server.

Even just the free version of Cloudflare gives you a huge amount of protection.

On top of that, you may even see better performance from your website, because Cloudflare's content delivery network (CDN) serves your website to visitors from a location closer to them.

6. Use a security plugin

There are many security plugins out there, but the two main ones are Wordfence and Sucuri. Here at Continio, we use Wordfence the most, as we like the ease of setup and the functionality it offers out of the box. It offers features such as IP safelisting and a breakdown of brute-force attacks, and it will compare IPs against its database of known attackers and bots.

In summary, although the above techniques won't guarantee that your WordPress website won't get attacked or hacked, they do significantly reduce the risk. It's all about adding as many layers of protection as possible between attackers and your website.