WordPress is the most used CMS worldwide. Around 25% of all websites are currently based on WordPress. That popularity, however, also makes it a favourite target for hackers. That is why we recommend that you improve the security of your WordPress website to minimize the risk of being hacked.
Many WordPress updates contain security fixes for vulnerabilities that hackers could otherwise exploit, so it is very important to install updates as soon as possible. You can update directly from your WordPress administration. If you no longer have access to it, you can also update manually.
It is also important to check for updates to all your installed plugins and themes. Remove any plugins and themes you don’t use; you can reinstall them later.
Tip: If you find it too much effort to update everything manually, you can install the so-called Easy Updates Manager Plugin, which manages all your WordPress updates for you.
Remove unused plugins and themes
Every plugin and theme you install is a potential security risk, so the fewer you have, the better.
We advise you to delete all unused themes, except for the default themes (2017, 2018, etc.). The same applies to plugins you no longer need.
Also make sure you remove any old WordPress installations on your web space, for example copies kept for testing or as a backup. Outdated copies like these are easy targets for hackers.
Tip: Only install plugins and themes from trusted sources. When you find a free version of a theme that you usually have to pay for, it often comes with “free” malware as well.
Protect your wp-admin folder with a password
Another way to ward off hackers is to password protect your wp-admin folder. This adds another layer of security to your WordPress administration.
Take a look at our guide on how to protect your website with a .htaccess file, but make sure that you only protect the wp-admin folder and not your entire site, otherwise your website will no longer be accessible.
Notice: If you already have a .htaccess file in your wp-admin folder, paste the generated code into the existing file instead of replacing it.
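As an added example (not code from this guide), here is a small POSIX shell script that writes the two files Apache needs for HTTP Basic authentication on wp-admin. It appends to an existing wp-admin/.htaccess rather than replacing it, keeps the password file outside the web root, and leaves admin-ajax.php reachable, because themes and plugins call that file for anonymous visitors too. The function names, the argument names and the placeholder paths in the usage line are assumptions; it requires openssl.

```shell
#!/bin/sh
# Added example, not the guide's own code: write the two files Apache needs to put
# HTTP Basic authentication in front of wp-admin. Assumed names: the arguments
# wp_root and htpasswd_file, and the user/password passed in. Needs openssl.

# Print one .htpasswd line in the apr1 (Apache MD5) format that mod_auth_basic accepts.
make_htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Print the directives to append to wp-admin/.htaccess. $1 is the absolute path of
# the .htpasswd file. admin-ajax.php stays open because themes and plugins call it
# for anonymous visitors too (search, forms, carts); both the Apache 2.4 and the
# older 2.2 spelling are included so the rule works on either version.
make_wpadmin_htaccess() {
    cat <<EOF

# --- added by install_wpadmin_auth ---
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user

<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
EOF
}

# install_wpadmin_auth WP_ROOT HTPASSWD_FILE USER PASSWORD
# Appends to an existing wp-admin/.htaccess rather than replacing it, and refuses
# a password file placed inside the web root, where it could be downloaded.
# (The path check is a plain prefix comparison and assumes absolute paths.)
install_wpadmin_auth() {
    wp_root="$1"; htpasswd_file="$2"; user="$3"; password="$4"
    case "$htpasswd_file" in
        "$wp_root"/*) echo "refusing to store .htpasswd under the web root" >&2; return 1 ;;
    esac
    [ -d "$wp_root/wp-admin" ] || { echo "no wp-admin directory in $wp_root" >&2; return 1; }
    make_htpasswd_line "$user" "$password" > "$htpasswd_file"
    chmod 640 "$htpasswd_file"   # the web server's group must be able to read it
    make_wpadmin_htaccess "$htpasswd_file" >> "$wp_root/wp-admin/.htaccess"
}

# Usage (paths are placeholders):
# install_wpadmin_auth /var/www/example /etc/apache2/wp-admin.htpasswd wpowner 'long random password'
```

After running it, open wp-admin in a private browser window to confirm the login prompt appears, then load a page that uses a front-end feature (a search form, for instance) to confirm admin-ajax.php still answers without a prompt.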
Create a custom admin username
Hackers often try to gain access to your WordPress administration using brute force attacks: bots try to log in with millions of different username and password combinations. To make your login details as hard to guess as possible, we recommend creating a unique username.
You can change your admin username in phpMyAdmin, in the wp_users table. Please refer to our guide on how to access the database.
Once you are logged in:
- Find the table named wp_users (depending on your table prefix, it may also be called 0_users, for example).
- Find the admin user and click Edit.
- In the user_login row, enter the new username in the Value field.
- Click Go to save the change.
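As an added example (not code from this guide), the following POSIX shell script reads the table prefix from wp-config.php, so the statement targets wp_users, 0_users or whatever prefix your installer chose, and prints the UPDATE statement that you can paste into the SQL tab of phpMyAdmin instead of editing the row by hand. The function names and the sample wp-config.php in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's own code: derive the users table name from the
# $table_prefix setting in wp-config.php and print the SQL that renames the login.

# Print the value of $table_prefix from the wp-config.php given as $1
# (the default is 'wp_'; the first assignment found wins).
wp_table_prefix() {
    sed -n "s/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Double any single quote so a value cannot break out of the SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# rename_admin_sql PREFIX OLD_LOGIN NEW_LOGIN
# Prints the UPDATE statement; it changes nothing by itself.
rename_admin_sql() {
    printf "UPDATE %susers SET user_login = '%s' WHERE user_login = '%s';\n" \
        "$1" "$(sql_quote "$3")" "$(sql_quote "$2")"
}

# Usage (path and names are placeholders):
# prefix=$(wp_table_prefix /var/www/example/wp-config.php)
# rename_admin_sql "$prefix" admin site-owner-4711
```

Keep in mind that user_login is not the only place the old name survives: the user_nicename column forms the public author URL of that account, so check it as well if you want the old name gone from the site entirely.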
Disable running PHP code in your upload directory
If you installed WordPress manually, we recommend disabling PHP execution in your uploads folder. If you used the 1-click installation tool, you can skip this section: 1-click WordPress installations have PHP execution in the uploads folder disabled by default.
PHP backdoors are most often found in the uploads directory, from where the malware spreads to other areas of your site. You cannot always prevent such a backdoor from being uploaded to your web space, but disabling PHP execution stops it from running and therefore from spreading across your site.
You can disable PHP execution by adding the following lines to the .htaccess file in your uploads folder (wp-content/uploads):
# Block executables (the backslash makes the dot literal, so only real extensions match)
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the next line
deny from all
</FilesMatch>
See our guides on how to create a .htaccess file and how to stop files from executing in the uploads folder for all the steps involved.
Notice: If there is already a .htaccess file on your web space, you don’t need to create a new one; edit the existing file instead.
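As an added example (not code from this guide), here is a POSIX shell script with two checks that complement the rule above: one lists every file under the uploads folder whose extension is on the blocked list (no such file belongs in uploads, so each hit deserves a look), the other confirms that the folder's .htaccess actually carries a FilesMatch rule naming php. Extensions are compared case-insensitively because Apache matches handler extensions case-insensitively, so a file called shell.PHP would otherwise run while a case-sensitive rule misses it. The function names and the uploads path argument are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's own code: audit wp-content/uploads for script
# files and verify the .htaccess rule is in place. $1 is the uploads directory.

# Lower-case a string so extension checks ignore case (shell.PHP counts as .php).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print every file under $1 whose extension is in the blocked list, sorted.
find_script_files() {
    find "$1" -type f -print | while IFS= read -r f; do
        case "$(lc "$f")" in
            *.php|*.phtml|*.php3|*.php4|*.php5|*.pl|*.py|*.jsp|*.asp|*.html|*.htm|*.shtml|*.sh|*.cgi|*.suspected)
                printf '%s\n' "$f" ;;
        esac
    done | sort
}

# Number of hits, handy for a cron job that alerts when it is not 0.
count_script_files() {
    find_script_files "$1" | wc -l | tr -d ' '
}

# Return 0 if $1/.htaccess contains a FilesMatch rule that names php, 1 otherwise.
uploads_htaccess_blocks_php() {
    [ -f "$1/.htaccess" ] || return 1
    grep -qi '<FilesMatch[^>]*php' "$1/.htaccess"
}

# Usage (path is a placeholder):
# find_script_files /var/www/example/wp-content/uploads
# uploads_htaccess_blocks_php /var/www/example/wp-content/uploads || echo "uploads .htaccess rule missing"
```

Run the listing once after adding the rule and then periodically: the rule stops an uploaded backdoor from executing, but it does not remove the file, and a file that is already there is worth investigating and deleting.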