WordPress Theme Detector Blog

Secure your WP site with minimal plugins

Securing your WP site is not a job that has to be left to expert system administrators. With some newer tools, combined with a helpful host, you can do it yourself and have a secured site without any outside assistance. Today I’m going to show you how to do just that with the fewest plugins possible. Following my own advice of “the fewer plugins the better”, in today’s article I’m going to use just one!

On your Hosting

The first step to a very secure site comes directly from your hosting account. If your site is not yet secured by a certificate, now is the time. Securing your site with a certificate is easy enough, and everyone should be able to do it from cPanel and Plesk based services without outside intervention.

[Image: wp-secure-14]

Before enabling https inside WordPress we need to load the certificate onto our domain. On cPanel this is fully automatic through a button, and some newer cPanel installations come with automated Let’s Encrypt certificates, so as soon as your account is created you’ll have a certificate loaded for your domain.

[Image: wp-secure-15]

If you’re using Plesk, you can create a Let’s Encrypt certificate from the main menu. You should also include the “www” name and the mail certificate. This increases the security of your site by preventing insecure content from being loaded, and it’s the most recommended first step to securing your site.

Changing Permissions on Important Files

The second most important security rule is to limit file access to read-only on the following files in the WordPress root folder: wp-config.php, wp-settings.php and index.php.

This can be done easily on cPanel, Plesk and the vast majority of control panels by changing the permissions like this:

[Image: wp-secure-03]

The only one who should have write access to those specific files is the owner. No other group should have any further permissions applied, as those files are read by WordPress alone. This effectively reduces the security risk to your site by not exposing any kind of access to the outside world.
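One way to audit those three files from a shell account, as an added example in Python (not part of the article and not the control panel’s own tooling): it assumes the files are owned by the account that runs WordPress, takes 0644 (owner read/write, everyone else read-only) as the target mode, and flags any file where group or others can write or execute.

```python
"""Audit (and optionally fix) permissions on the WordPress files the article
singles out: wp-config.php, wp-settings.php and index.php in the site root.

Added example, not part of the original article or of WordPress itself. It
assumes the files are owned by the account that runs WordPress and that only
the owner should ever have write access (group and others read-only at most).
"""
import os
import stat
from pathlib import Path

# Files the article says should be read-only for everyone but the owner.
SENSITIVE_FILES = ("wp-config.php", "wp-settings.php", "index.php")

# Owner read/write, group and others read-only (0644). Assumed target mode.
TARGET_MODE = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH

# Any of these bits set means someone other than the owner can modify or run the file.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_IXGRP | stat.S_IXOTH


def audit_permissions(wp_root):
    """Return {filename: (mode_as_octal_string, is_safe)} for each sensitive file found."""
    results = {}
    for name in SENSITIVE_FILES:
        path = Path(wp_root) / name
        if not path.is_file():
            continue  # a missing file is not a permission problem; caller may warn
        mode = stat.S_IMODE(path.stat().st_mode)
        results[name] = (f"{mode:04o}", (mode & UNSAFE_BITS) == 0)
    return results


def fix_permissions(wp_root):
    """Reset every unsafe sensitive file to TARGET_MODE; return the names changed."""
    changed = []
    for name, (_, is_safe) in audit_permissions(wp_root).items():
        if not is_safe:
            os.chmod(Path(wp_root) / name, TARGET_MODE)
            changed.append(name)
    return changed


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (mode, ok) in audit_permissions(root).items():
        state = "ok" if ok else "UNSAFE (group/other can write or execute)"
        print(f"{name}: {mode} {state}")
```

Run it with the WordPress root as the only argument; `fix_permissions()` is kept separate from the audit so you can review the report before changing anything.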

If by any chance your site gets hacked or picks up a malicious worm, this is what it looks like.

[Image: wp-secure-11]

A bad file permission or an outdated theme can inflict serious harm on your WordPress installation by allowing malicious code to be injected into your site. This is a classic example. Notice the @include surrounded by /*f2e34*/? That code is a “worm” that was injected into a WP site through bad file permissions. This kind of code can create a backdoor for anyone to access your site, inject advertising, steal information, and carry out any other kind of bad behaviour. This is why manually changing permissions on those important files is so essential.
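A small scanner for the pattern in that screenshot, added here as an example (not the article’s code and not a product): it looks for an @include wrapped in a pair of matching hex comment markers such as /*f2e34*/, plus @include calls whose path is built from escape sequences or decoded at runtime. The sample file contents are constructed for the demo, and the marker regex is an assumption based on the single snippet the article shows, so it will not catch every variant; treat hits as leads for manual review.

```python
"""Scan PHP files for the injection pattern shown in the article: an
'@include' wrapped in matching hex-named comment markers such as /*f2e34*/.

Added example, not part of the article or of any scanner product. The sample
file contents below are constructed for the demo; the marker regex is an
assumption based on the one snippet the article shows.
"""
import re
from pathlib import Path

# /*<hex>*/ ... @include ... ; /*<same hex>*/  -- the shape in the article's screenshot.
MARKED_INCLUDE = re.compile(
    r"/\*(?P<tag>[0-9a-f]{4,})\*/\s*@include[^;]*;\s*/\*(?P=tag)\*/",
    re.IGNORECASE | re.DOTALL,
)

# Also worth a look: an @include whose path uses \xNN escapes or is decoded at runtime.
OBFUSCATED_INCLUDE = re.compile(
    r'@include\s*\(?\s*(?:"[^"]*\\x[0-9a-f]{2}|chr\(|base64_decode\()',
    re.IGNORECASE,
)


def scan_source(source, name="<string>"):
    """Return a list of (name, line_number, reason) findings for one PHP source text."""
    findings = []
    for m in MARKED_INCLUDE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append((name, line, f"@include wrapped in /*{m.group('tag')}*/ markers"))
    for m in OBFUSCATED_INCLUDE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append((name, line, "@include with obfuscated path"))
    return findings


def scan_tree(wp_root):
    """Scan every .php file below wp_root and return all findings."""
    findings = []
    for path in Path(wp_root).rglob("*.php"):
        try:
            findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
    return findings


# Constructed samples: a normal wp-config.php header, and the same header with
# an injected line (the include target is a harmless placeholder path).
SAMPLE_CLEAN = "<?php\n/**\n * The base configuration for WordPress\n */\ndefine('DB_NAME', 'wp');\n"
SAMPLE_INFECTED = (
    "<?php\n"
    "/*f2e34*/ @include \"/tmp/.placeholder-marker-file\"; /*f2e34*/\n"
    "/**\n * The base configuration for WordPress\n */\n"
    "define('DB_NAME', 'wp');\n"
)

if __name__ == "__main__":
    for name, line, reason in scan_source(SAMPLE_INFECTED, "wp-config.php"):
        print(f"{name}:{line}: {reason}")
```

Point `scan_tree()` at the WordPress root to check the whole install; a clean site returns an empty list, and any hit should be compared against a fresh copy of the same file from the official package before you edit it.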

On your WordPress

Now let’s tweak our WordPress site to improve its security even more.

[Image: wp-secure-1]

Now that we have our SSL certificate, we should change the site URL to https.

Once our site is on https we can move on and install a security plugin. For this tutorial I selected one of the best, All in One WP Security & Firewall. It is a very simple plugin that does not mess with extra rules and does not add any latency to your site.

[Image: wp-secure-5]

The first thing we are going to do is limit logins to our wp-admin by enabling Login Lockdown.

[Image: wp-secure-6]

With this option turned on, a maximum of 5 retries is allowed for a login attempt before WP locks access for that specific IP. You’re free to adjust these values to fit your needs, but these are the most secure settings so far.
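To make the lockdown behaviour concrete, here is an added model of such a policy in Python (not the plugin’s own code). The “5 retries” value comes from the article; the five-minute counting window and the one-hour lockout are assumptions chosen for the demo, and timestamps are passed in explicitly so the behaviour can be reasoned about without a clock.

```python
"""Model of a login lockdown policy like the one the article enables: after
MAX_RETRIES failed attempts from one IP inside RETRY_WINDOW seconds, that IP
is locked out for LOCKOUT_SECONDS.

Added example, not the plugin's own code. Only the "max 5 retries" value comes
from the article; the window and lockout lengths are assumptions for the demo.
"""
from collections import defaultdict, deque

MAX_RETRIES = 5            # from the article's screenshot
RETRY_WINDOW = 5 * 60      # seconds in which failures are counted (assumed)
LOCKOUT_SECONDS = 60 * 60  # how long a locked IP stays locked (assumed)


class LoginLockdown:
    def __init__(self, max_retries=MAX_RETRIES, window=RETRY_WINDOW, lockout=LOCKOUT_SECONDS):
        self.max_retries = max_retries
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        """True while a lock is in force; an expired lock is cleared on the way."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; return True if this failure triggers a lockout."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure counter for that IP."""
        self.failures.pop(ip, None)

    def attempt(self, ip, password_ok, now):
        """Process one login attempt; return 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"        # correct password or not, the IP is refused
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip, now)
        return "failed"


if __name__ == "__main__":
    ld = LoginLockdown()
    for t in range(0, 60, 10):   # six bad passwords, ten seconds apart
        print(t, ld.attempt("203.0.113.7", False, t))
    print("after lockout:", ld.attempt("203.0.113.7", True, 40 + LOCKOUT_SECONDS))
```

Two details matter for real deployments: a locked IP is refused even with the right password (otherwise the lock gives an attacker feedback), and failures older than the window are forgotten, so occasional typos from a legitimate user never accumulate into a lock.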

[Image: wp-secure-7]

This next tweak disables the server signature and limits file uploads; protecting wp-config.php is something we already did at the hosting level.

[Image: wp-secure-8]

A good technique to block login attempts is simply to change the login page to something else. This effectively removes the wp-login link from WordPress, so any automated login attempt is answered with a “disabled page” response. Put whatever page name you want and the plugin will disable the standard login page. Just be sure to remember what you chose before saving the settings!

Now on to comment spam:

[Image: wp-secure-9]

Enabling both options is almost essential to protect your site from spambots and all kinds of intrusive advertising that get in the way of a good blog experience.

[Image: wp-secure-12]

Securing your DB is also good practice. Lots of attacks try to hijack the database by accessing the default wp_ tables. By changing the prefix of those tables to something else you create an extra step for any automated attacker before they can get in.
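What a prefix change actually involves, as an added example in Python (not the plugin’s code): it only builds the SQL statements for a default single-site install, renaming each core table and, just as important, rewriting the two places where WordPress stores the prefix inside the data (the user_roles option and the capabilities / user_level usermeta keys); forgetting those is the classic way to lock every administrator out after a rename. The core table list, the statement order and the backtick quoting (MySQL) are assumptions for a plain install without extra plugin tables.

```python
"""Plan a table-prefix change of the kind the article recommends: every core
table is renamed, and the places where WordPress stores the prefix *inside*
the data are rewritten too, otherwise every user loses their capabilities.

Added example, not the plugin's code; it only builds SQL statements and does
not connect to a database. The table list is the WordPress core default for a
single site (assumed: no multisite or plugin tables).
"""
import re

CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
)

# usermeta keys that carry the prefix in their name
PREFIXED_META_KEYS = ("capabilities", "user_level")

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")


def plan_prefix_change(old, new, tables=CORE_TABLES):
    """Return the ordered SQL statements needed to move from prefix `old` to `new`."""
    if not PREFIX_RE.match(old) or not PREFIX_RE.match(new):
        raise ValueError("prefixes must be alphanumeric/underscore and end with '_'")
    if old == new:
        raise ValueError("new prefix is the same as the old one")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # The prefix is also embedded in data; these two fixes keep admins logged in.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    for key in PREFIXED_META_KEYS:
        stmts.append(
            f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )

    # Anything still carrying the old prefix (plugins add their own keys) is
    # listed for manual review. '_' is a LIKE wildcard, so escape it.
    escaped_old = old.replace("_", "\\_")
    stmts.append(f"SELECT meta_key FROM `{new}usermeta` WHERE meta_key LIKE '{escaped_old}%';")
    return stmts


if __name__ == "__main__":
    for s in plan_prefix_change("wp_", "k7q_"):
        print(s)
```

After the statements run, `$table_prefix` in wp-config.php must be changed to the new value as well, and the final SELECT shows any remaining prefixed meta keys that still need renaming by hand.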

[Image: wp-secure-10]

The objective with this plugin is to reach at least 100 points on its security score. Don’t forget to check that Login Lockdown, File Permission and Basic Firewall are all enabled.

Further Security Advice

It is always suggested to use at least one letter, one number and one symbol, with a length of no less than 8 characters. If you refuse to improve your password strength, no security measure will be good enough. It is also recommended never to give your control panel access to anyone who offers to help unless you really know that person or they are part of the hosting company you’re using. With a user’s control panel access an attacker can do a lot of harm, and any advice given here will be rendered useless. Always store your WP and control panel passwords in a safe place.

Use complex passwords generated by password manager services like LastPass. This saves time and improves your security because you no longer have to remember each password; it also removes any need to use addresses, your kids’ names or your house number as passwords, which could prove to be the single most fatal flaw you could make.

Always use very complex database passwords of no less than 10 characters, composed of numbers, letters and symbols.

Always update your plugins and themes. Do not accept any theme that has gone a year without updates.

Older themes and plugins are the number one cause of hacking attempts and malware injections. And last but not least, never use cracked or nulled themes, as those are the first candidates to have malware inserted. Nobody benefits from a hacked theme more than the hacker who nulled it, and the vast majority will go to great lengths to include their “shady” practices and advertising links inside the theme, so you’ll have a nightmare on your hands; on top of that, most search engines could flag your site as malicious and severely penalize your ranking. If you care about your business and customers, always buy legitimate themes for your sites.

The most basic security advice is to always use common sense.

Wrapping Up

Having a secure WP site is pretty straightforward and fairly easy to do if you follow these steps, and you’ll be reducing the risk of infection or attack by more than 90%. The vast majority of attacks come from having basic security disabled, from not having a certificate loaded, or from simply allowing anyone to log in to your default wp-login page. And last but not least, lots of attacks come from using old or nulled themes. Reduce the risks by implementing these steps and you’ll have a pretty fun time working with WordPress without having to worry too much about its security.

Alex Vojacek

Alex Vojacek is a full-time sysadmin for ESH, his own hosting company, a veteran in WordPress Design and a speed freak. He is also the founder of TecnoGaming, a Gaming & Tech magazine in Latin America. When he is not managing or designing something, he loves to write about technology.


26 Comments

  1. Nice article Alex. The green padlock (SSL certificate) is one of Google’s algorithm factors.

  2. Wow, thank you for these suggestions. What about the WordPress iThemes Security plugin?

  3. All In One WP security is one of the best security plugins for WordPress.

  4. Thanks Alex. It was really awesome using this. My site finally has the green padlock – SSL Certificate.

  5. Hello, I used this plugin but unfortunately my WordPress site database was very heavy and large. But in general, it has good security.

  6. Great tips to protect a website, I’ll try to use this tip.

  7. Wonderful tips, I can already see my site loading faster than before, still struggling with CDN configuration.

  8. I 100% agree with you. I tend to develop WordPress websites with as few plugins as possible, SSL, and clean code.

  9. Great tips, I can already see my site loading faster than before, still struggling with CDN configuration.

  10. Hey Alex,

    Recently I came across an article about WordPress security. The typical points discussed were having a custom admin page URL and username. I could still see many WordPress sites use the default URL wp-admin and username: admin. What is your opinion about it?

    By the way, Google is gonna mark sites not having SSL as “Not secure.” How does it impact those websites’ performance?

  11. Alex,

    I did come across more articles crunching WordPress security presenting loads of plug-ins. Obviously resulting in slow performance. Thanks for sharing this article about WordPress security with minimal usage of plug-ins for better performance.

  12. iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect.

  13. I used two of these plugins and was very useful.

  14. Nowadays web security is a main concern. This great article of yours will definitely help me to secure my site.

  15. Wordfence is the best plugin for WP site security.
    Best customization options.
    Recommended!!

  16. Securing our web has become very crucial these days. Your article is very useful; I would like to share it because it’s been easy to understand and it helps a lot of people.

  17. Is it safe to use Let’s Encrypt only?
