Making your WordPress site more secure, tips 7-12.
Welcome to part 2 of our 18 tips that will help you make your WordPress installation more secure. If you’ve not yet looked at part 1, we’d recommend you start there, 18 tips to secure your WordPress website: Part 1.
7. Harden your database
By default all the tables inside your WordPress database will start with wp_ e.g. wp_options, wp_posts etc. This means any automated tools out there that are looking for security holes in your site that allow them to access your database (known as SQL injection attacks) already know the names of the tables they need to access.
Fortunately when initially configuring WordPress it allows you to set your own database prefix, and we’d recommend you set something random with 5 or 6 characters e.g. d84hh_, wj4lf9_ etc. (but not those ones!). This means any tools that are trying to run their own queries against your database will also have to work out the table prefix you’re using and they might not be able to do that depending on permissions, and the tool.
If you’re installing WordPress from your providers control panel, hopefully it is intelligent enough to set a random prefix for you so you don’t need to worry about this. If you find your tables still have the default wp_ prefix then there are plugins such as:
That will allow you to change the DB prefix, and you can then remove the plugin. Many of the popular WordPress security plugins will also allow you to change the prefix as well, but we’ll come to them later!
Of course you can also do it manually, but we’d not recommend it unless you’ve plenty of experience working with databases, and even then it’ll take longer than using a plugin.
As always, with changes like these, please please please backup your database first.
8. Two factor authentication (2FA)
Chances are you’ve already made use of two factor authentication (2FA) elsewhere on the web such as with your online banking, with PayPal, with Google or Facebook etc.
With 2FA you have your normal password, but you also need to provide another piece of information, a second factor, to login and this makes it harder, if not impossible, for someone who has discovered your password to login to your account.
The most common methods of providing this second factor are:
- A code sent via text message
- A popup on another device, “do you want to approve this login?”
- A code from an authenticator app (the ones where you scan a QR code to set them up) such as Google Authenticator
- A code from a physical device, as often used by banks
- A physical key device you insert into your PC or use via NFC on your phone, such as a YubiKey
As always with WordPress, there are various plugins with different features for 2FA and we’d recommend testing them to see what works best for you, on a staging/dev copy of course. Some popular plugins are:
Once again, many of the popular WordPress security plugins will let you implement 2FA as well.
9. Protect your wp-admin directory
wp-admin directory reduces the ability of hackers to access files inside of it, meaning if there are any security issues with code inside
wp-admin then the hackers can’t exploit them. There are a number of ways to achieve this:
- Password protect the directory
- Only allow specific user IP addresses
- Move your
Ideally you’d use all of these together for an extra layer of security, and as every with WordPress there’s lots of ways of doing it and some things to watch out for along the way!
Password protecting wp-admin
The main thing to watch out for when password protecting your
wp-admin directory is that you don’t break the AJAX functionality of
wp-admin/admin-ajax.php, as some plugins use this.
Your web host probably provides a way for you to password protect a specific directory – but this will break the
admin-ajax.php – but it’s not a bad place to start and then customise afterwards.
In cPanel you can use the Directory Privacy feature inside your control panel to protect the
If your provider uses Plesk then you can use the Password-Protected Directories feature to do the same and protect
wp-admin, but this will break
admin-ajax.php used by some plugins as Plesk doesn’t store the configuration in a
.htaccess file we can’t modify it.
cPanel will create a file called
.htaccess (or modify it if it exists already) inside the
wp-admin directory, the contents will look similar to:
We need to edit this
.htaccess file and change the above entry to:
It might say not to edit it, but unless we want to break
admin-ajax.php then we have no choice, that’s why we’ve also removed all the warning lines so that cPanel doesn’t try and edit it again as well – as that’ll break it.
Only allow specific IP addresses
This one can be tricky if you’ve not got a fixed IP address at the locations you want to administer your site(s) from, plus it limits you to those locations.
One way around this, is to make use of a VPN (Virtual Private Network) that provides you with a fixed IP address and limit your
wp-admin directory to the VPN IP address.
For most WordPress sites you can IP restrict your
wp-admin in the following way:
- Create a new file:
- In the file add the following, making sure to change 192.0.2.45 for your own IP address:
- For additional IP addresses you can add more allow lines e.g.:
Allow from 192.0.2.87
So what does this code do? We’ll take a look at it line-by-line:
<FilesMatch (?<!admin-ajax\.php)$>– Match all files inside this directory, except admin-ajax.php
Order Deny,Allow– First carry out all deny requests, then process allow requests
Deny from all– Deny all requests
Allow from 192.0.2.45– Allow requests from the IP address 192.0.2.45
</FilesMatch>– The end of the matching block
There are situations where this may not work for you though:
- Your web host isn’t using Apache or a compatible web server such as LiteSpeed – you’ll need to ask them how you can do it with their platform
- Your website is using Cloudflare or a similar reverse proxy CDN/security service – as your website will see Cloudflare IP addresses accessing it only
Once again, many of the security plugins will allow you do to this as well.
Move your wp-admin directory
We’re not really going to move the
wp-admin directory, as that would cause a lot of problems and would be easily rediscovered if you’ve got plugins that make use of AJAX functionality.
What the plugins do that alter the wp-admin directory is make it so that to access any other files inside it you need to use a different address in your browser other than
One such plugin that allows you to make such a change is All In One WP Security & Firewall, but others are available.
10. Disable file editing
Did you know that if you’re logged in to your wp-admin dashboard you can edit files? No? Well you can, and so can anyone that gets one of your user logins with the right permissions.
It’s a convenience feature and isn’t really needed so it’s best to disable it.
- Open your
- After the
<?phpline, add the following:
- Save the file
File editing from the dashboard will now be disabled.
11. Enable logging
How do you know no one else has been logging in as you? Have you checked? Just because nothing looks out of place it doesn’t mean something bad hasn’t happened.
One way to keep an eye on things is to enable better audit logging inside of WordPress, which can be done with a number of different plugins such as:
Sucuri Security will also carry out many of the other tasks we’ve already talked about, read on for more…
12. Install a security plugin
If you want to automate many of the tasks we’re highlighting then using a security plugin can be a good way to do this. Not all of them cover everything we’ve pointed out so far (and will in part 3) but they’re often a really good place to start. Some of our favourites are:
- All In One WP Security & Firewall
- Sucuri Security
They’re all far too feature rich for us to dive in to here, but keep an eye on our blog for articles on each in the future.
We’ve always had a soft-spot for All In One as it’s feature packed and free, although Wordfence is probably the most well known and very comprehensive as well. Sucuri Security is with a mention as it integrates with their hosted Web Application Firewall and CDN service as used by our own site, so if you’d like to make use of that, please get in touch.
That’s it for part two, please keep an eye on our socials for Part 3 and remember, backup your website.