WordPress security is something that every website owner should take seriously. Keeping your website secure is essential for protecting your business and your customers.

Welcome to the second part of our series on WordPress security! My name’s Seb, and I’m a WordPress developer at Fhoke, a London-based web design agency, so I deal with WordPress and website security daily. Part of my responsibilities includes ensuring all our client sites are kept up to date, perform well, and, most importantly, are secure.

This blog post will look at 10 Advanced WordPress Security Tips to help you keep your website secure and protect your online presence. If you’re not very confident about PHP and changing code files, we suggest you stick with the advice we gave in our first post, as the tips contained in it are more general advice than actual code changes.

All the code snippets below should be placed inside the functions.php file of your theme unless stated otherwise.

1 Use SALT Keys in WordPress

SALT keys are fundamental to the overall security of your site. They’re long strings of random letters, numbers, and symbols that aid in encrypting your user’s cookies. They also help protect your passwords from being easily hacked. A well-encrypted password could take years to hack, whereas a non-encrypted one could take only minutes.

By default, WordPress generates unique salt keys during the installation process. These keys are then stored in your website’s wp-config.php file, but checking in older installations is always good. Here’s how:

  • Open up your FTP client (we recommend FileZilla).
  • Connect to your website and navigate to your WordPress install.
  • Double-click the file titled wp-config.php to download it. We advise saving a copy of this file before you make any changes, just in case anything goes wrong.
    In the left pane, right-click on the file and go to “Open”.
  • Scroll down to around line 49; you should see your SALT keys.
  • Important: If any of them say “put your unique phrase here”, it means you don’t have a salt key for that line. To fix this, go to https://api.wordpress.org/secret-key/1.1/salt/, which will generate a new set for you. Now just copy/paste that code into your wp-config.php file where the old code used to be, re-upload to your server and test your site is still working as it did before.

To further enhance your WordPress website’s security, updating your salt keys regularly is recommended. This can be done by visiting the WordPress SALT Keys Generator website and generating a new set of keys. Once you have generated the new keys, you can copy and paste them into your wp-config.php file, replacing the existing keys.

FileZilla Pro Website
FileZilla Pro Website

By using SALT keys in WordPress, you add a layer of protection to your website’s user passwords. This makes it more difficult for hackers to gain unauthorised access to your website’s data. Implementing this security measure is relatively simple and can significantly enhance the security of your WordPress website.

2 File & Folder Permissions in WordPress

File and folder permissions are essential to keeping your site secure. They’re exactly as they sound, permissions that are granted to give certain users access to certain areas of your website.

To set the correct file and folder permissions, you need to understand the different levels of permissions. In general, files should have permissions set to 644, which means the owner can read and write the file while others can only read it. On the other hand, Folders should have permissions set to 755, allowing the owner to read, write, and execute files while restricting others to read and execute only.

It’s crucial to regularly check and update the permissions of your files and folders, especially after making any changes to your website. Incorrect permissions can leave your website vulnerable to attacks and compromise the security of your data.

The correct permissions for your WordPress install should be as follows:

  • Folders 755 (or 750 if your host doesn’t allow 755)
  • Files 644 (or 640 if your host doesn’t allow 644)

Here’s how to set your folder and file permissions:

  • Open up your FTP client (we recommend FileZilla).
  • Connect to your website hosting and navigate to your WordPress install.
  • Select all folders, right-click and go to file permissions at the bottom.
  • Folders: Type in 755 (or 750) into the text box, check “Recurse into subdirectories”, and then check “Apply to directories only”.
  • Files: Type in 644 (or 640) into the text box, check “Recurse into subdirectories”, and then check “Apply to files only”.
  • Important: It’s paramount that after doing that, you change the permissions of wp-config.php to 600 and .htaccess to 604 as those two need to be different for added security.

3 Hide Your WordPress Version Number

By default, WordPress automatically adds its version number to your theme, which can be a problem because it lets the more malicious users know precisely how to attack your site.

By hiding your WordPress version number, you make it more difficult for hackers to target your website. It adds an extra layer of obscurity, making it harder for attackers to find potential vulnerabilities. Even if your website is not running the latest version of WordPress, hiding the version number can prevent hackers from specifically targeting known vulnerabilities in older versions.

Here’s how to remove the version number from showing in the source code of your site. Add this code to your themes functions.php file:

//----- Stop WP version being generated in the head tag
add_filter('the_generator', '__return_false');
//----- Remove WP version from CSS and JS
function fhoke_remove_wp_version_from_asset_urls($src) {
    return strpos($src, 'ver=' . get_bloginfo('version')) ? remove_query_arg('ver', $src) : $src;
add_filter('style_loader_src', 'fhoke_remove_wp_version_from_asset_urls');
add_filter('script_loader_src', 'fhoke_remove_wp_version_from_asset_urls');

Alternatively, you can use a security plugin like Hide My WP or WP Hide & Security Enhancer to hide your WordPress version number. These plugins allow you to easily remove the version number from the source code of your website.

4 Move wp-config.php One Level Up

By default, the wp-config.php file is located in the root directory of your WordPress installation. This file contains sensitive information about your website, including your database username and password.

If your WordPress site is in a subdirectory, for example, mysite.com/blog, you can move the wp-config file one level above it.

Some people will tell you this is minor and not worth it, but we disagree. An example of why moving wp-config.php one level above the root is when a hacker is trying to search your server for that file; if they look inside the WordPress directory, they’ll find it if they look, but you’ve moved it like we’re suggesting here, then they’ll have no luck.

How to Move wp-config.php

  • Download the wp-config.php file.
  • Navigate one level above your WordPress install.
  • Paste the file, and delete the original inside your WordPress install folder.
  • Test your site’s front-end and back-end is working, and you’re done. Simple!

Moving the wp-config.php file one level up adds an extra layer of protection to your WordPress website. It makes it more difficult for hackers to access sensitive information and compromise your website’s security. Implementing this security measure is relatively simple and can significantly enhance the security of your WordPress website.

5 Secure wp-includes & wp-config.php in WordPress

The wp-includes directory contains core WordPress files that are essential for the functioning of your website, while the wp-config.php file contains sensitive information, including your database credentials. A layer of protection can be added to the wp-includes folder to prevent any user from accessing the scripts.

Unfortunately, this technique won’t work well if you’re using WordPress multisite but it will work fine for single installs.

How to secure wp-includes

All you need to do in order to secure the wp-includes folder from being accessed by any user is add the following to your .htaccess file:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

Make sure you paste the code above the line #BEGIN WordPress, as this means it won’t be overwritten if you happen to change your permalink structure at any point.

This rule restricts direct access to files in the wp-includes directory, preventing unauthorised users from viewing or modifying these files. Additionally, regularly updating your WordPress installation ensures you have the latest security patches and bug fixes.

How to secure wp-config.php

On top of moving the wp-config.php file one level above your WordPress installation, you can also deny surfing of the file by adding the following code:

<files wp-config.php>
    order allow,deny
    deny from all

The above restricts anyone who may be searching your server for the configuration file, which is incredibly important as this file controls your entire WordPress installation.

6 Disable File Editing in WordPress

Disable File Editing is an important security measure for your WordPress website. By default, WordPress allows administrators to edit theme and plugin files directly from the WordPress dashboard. While this feature can be convenient for quick changes, it poses a significant security risk. If hackers gain access to your WordPress admin account, they can easily modify these files to inject malicious code or create backdoors.

To disable file editing, modify the wp-config.php file of your WordPress installation.

If you go to the dashboard of your WordPress site, hover over “Appearance”, and go to “Editor”, you can start editing your theme’s files. To disable file editing, you’ll need to add this line of PHP to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This code snippet tells WordPress to disable the file editing functionality, preventing anyone from editing theme and plugin files from within the dashboard.

Disabling file editing ensures that even if a hacker can access your admin account, they cannot modify critical files to compromise your website’s security. It adds an extra layer of protection by limiting the avenues through which unauthorized users can exploit vulnerabilities. Implementing this security measure is relatively simple and significantly reduces the risk of unauthorized file modifications on your WordPress website.

7 Two-Factor Authentication

Two-Factor Authentication (2FA) is a robust security measure that adds protection to your WordPress website. It provides an additional step to the login process, making it more difficult for unauthorized users to access your website.

With 2FA enabled users must provide two pieces of identification: their password and a unique, time-sensitive code. This code is typically generated by a smartphone app, sent via SMS, or received through email. By requiring this second form of authentication, even if a hacker obtains a user’s password, they will still be unable to log in without the code.

Wordfence Security
Wordfence is great for 2FA

Implementing 2FA is relatively simple. There are several plugins available that can easily add this feature to your WordPress website. Some popular options include Google Authenticator, Authy, and Wordfence. These plugins integrate seamlessly with your existing login page, making the setup process quick and user-friendly.

By enabling Two-Factor Authentication on your WordPress website, you significantly reduce the risk of unauthorized access, even in the event of a compromised password. It provides an extra layer of security, giving you peace of mind that your website and its data are well-protected.

8 Password Security

We’ve already covered this in the first part of our series on WordPress security, but it’s worth mentioning again. Password security is one of the most crucial aspects of keeping your WordPress website secure. Weak passwords make it easy for hackers to access your website and compromise your data. To enhance password security, you should implement a few key strategies.

First, make sure to use unique and complex passwords for your WordPress admin account. Avoid using shared or easily guessable passwords such as your name, birth date, or “password123”. Instead, create a password that combines uppercase and lowercase letters, numbers, and special characters.

Another important measure is to update your passwords regularly. Changing your passwords every three months is recommended to minimise the risk of unauthorised access. Additionally, enable the “Force Strong Passwords” feature in WordPress to ensure users use secure passwords.

To further strengthen password security, consider implementing a password manager. Password managers securely store all your passwords and can generate strong, unique passwords for each website you use. This way, you only need to remember one master password.

Remember, a strong password is the first line of defence against unauthorised access to your WordPress website. By following these password security tips, you can significantly reduce the risk of a security breach and keep your website safe.

9 Limit Login Attempts

Limiting login attempts is a crucial security measure to protect your WordPress website from brute-force attacks. Brute-force attacks involve hackers repeatedly attempting to guess your login credentials until they gain access. Limiting the number of login attempts can prevent these attacks and significantly enhance your website’s security.

Several plugins, such as Limit Login Attempts Reloaded and Wordfence, can easily add this functionality to your WordPress website. These plugins allow you to set a specific number of login attempts before users are locked out for a designated period.

When configuring the plugin, it is important to balance security and convenience. Setting a low limit, such as three attempts, can effectively prevent brute-force attacks but may also inconvenience legitimate users who mistype their passwords. On the other hand, setting a high limit may allow hackers more chances to guess the correct login credentials. It is a simple yet effective security measure that every website owner should consider implementing.

10 Inactive Logout

The Inactive Logout Plugin is a valuable security measure for your WordPress website. When users log in to the CMS, they often forget to log out, leaving their accounts vulnerable to passing users in the room. The Inactive Logout Plugin helps to address this issue by automatically logging out users after a certain period of inactivity.

Inactive Logout Website
Inactive Logout WordPress Plugin

By setting a specific time limit for inactivity, such as 30 minutes or an hour, the plugin makes sure that users are logged out when they are no longer actively using the website. This prevents unauthorised access to their accounts and adds an extra layer of security to your WordPress website. Easy to install and configure, the plugin has various options to customise the settings according to your needs.

What Next With WordPress?

Not all security issues can be devastating; some can be inconvenient if discovered. Nevertheless, any security measure is worth taking seriously, so you’re always prepared. With these tips, your WordPress site should now be much safer than ever, but there’s still more you can do to keep it safe. Keep an eye out for our next post in this series, where we’ll review things in more depth, such as two-factor authentication, how to set it up and which WordPress plugins to use.