How to Secure a WordPress Site

So many times I see people asking for help in the WordPress Indonesia Facebook Forum. Some of them ask why their WordPress site shows up as Japanese characters in Google search results; others ask why they have posts they never created.

Despite the fact that WordPress is updated frequently by the team behind it, the possibility of a WordPress site being hacked still exists. Being open source also means WordPress is open to attack by anyone who studies its code.

As a regular user who knows only a little PHP, I choose to rely on WordPress plugins to secure my WordPress site. I also know a little about managing an nginx server, and I believe combining the two is strong enough to secure my site. Anyway, here are some tips on how to secure a WordPress site that I want to share with you.

Use the Latest WordPress

Even though the latest WordPress sometimes comes with something people do not like, for example Gutenberg, using the latest WordPress is a must.

The reason behind this is simply security. Running the latest WordPress release ensures we have the latest security patches from the team, minimizing the risk of being hacked at the core.

Always Use Up-to-Date Plugins and Themes

Every time you want to install a plugin or theme, always check when it was last updated by its author. Although we have no way of knowing whether a long-unmaintained plugin is vulnerable or not, it is safest to just avoid it.

The same applies to paid plugins and themes. Always check when they were last updated.

On CodeCanyon, the date a plugin was last updated is shown on its page.

(Screenshot: CodeCanyon last update information)
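The two sections above (latest WordPress core, up-to-date plugins and themes) boil down to one recurring check. Here is an added example, not code from the original post, that turns that check into a script using WP-CLI: it asks WordPress for pending core, plugin and theme updates and also verifies the core files against their published checksums, which is a quick way to spot a site whose core files were modified by an intruder. It assumes WP-CLI is installed as the "wp" command and that you pass the site root as an argument; the CSV sample in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress install
# for pending core, plugin and theme updates with WP-CLI, so "keep everything
# updated" becomes a check you can run by hand or from cron.
# Assumes WP-CLI is installed as "wp" and the site root is given as the
# argument after --run (defaults to the current directory).

# Count rows on stdin whose "update" column is "available".
# Input is the CSV that this WP-CLI command produces (same shape for themes):
#   wp plugin list --fields=name,update,update_version --format=csv
# The first line is the header, e.g. (constructed sample):
#   name,update,update_version
#   akismet,none,
#   contact-form-7,available,5.9.8
count_available_updates() {
    tail -n +2 | awk -F, '$2 == "available" { n++ } END { print n + 0 }'
}

# Print "name -> new_version" for each row that has an update available.
list_outdated() {
    tail -n +2 | awk -F, '$2 == "available" { print $1 " -> " $3 }'
}

# Run the full audit against a live site. Returns 1 if anything is outdated
# or a core file fails its checksum, so the script can gate a deploy.
audit_site() {
    root="${1:-.}"
    rc=0

    echo "== WordPress core =="
    wp --path="$root" core check-update                 # lists newer core releases, if any
    wp --path="$root" core verify-checksums || rc=1     # modified core files are a red flag

    for kind in plugin theme; do
        echo "== ${kind}s with updates available =="
        csv=$(wp --path="$root" "$kind" list --fields=name,update,update_version --format=csv)
        n=$(printf '%s\n' "$csv" | count_available_updates)
        if [ "$n" -gt 0 ]; then
            printf '%s\n' "$csv" | list_outdated
            rc=1
        else
            echo "none"
        fi
    done
    return "$rc"
}

# Only touch a real site when explicitly asked, e.g.:
#   sh wp-audit.sh --run /var/www/html
if [ "${1:-}" = "--run" ]; then
    audit_site "${2:-.}"
fi
```

Run it from cron and mail yourself the output, or put it in front of your deployment step: a non-zero exit means either something needs updating or a core file no longer matches what WordPress.org published.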

Never Use Nulled Plugins and Themes

This is super important. If you find nulled plugins or themes, never ever ever install them on a live site. I don't actually want to encourage this, but IF you desperately want to try a plugin or theme, you had better install it on a development site. If you feel it suits your needs, BUY it from the developer!

On CodeCanyon, you can try plugins before buying. The developer creates a temporary demo site for you to test the plugin. The process is automatic; you do not even need to register on the demo site. Check out Newsomatic.

Protect Login Form

I recommend using “Advanced noCaptcha & invisible Captcha (v2 & v3)” by Shamim Hasan. It has an option to protect your WordPress site’s login form with Google reCAPTCHA. Not only that, it can also be set to show the reCAPTCHA only after the maximum number of login attempts has been reached.

Use Strong Password

You can use sites like PasswordsGenerator.net to generate a complex password for you. Just make sure you save it somewhere, as it is randomly generated. I personally use LastPass to manage my passwords.

Deny wp-config.php and .htaccess File Access

The last thing is to block direct access to the wp-config.php and .htaccess files. For nginx users, add the rule below to your nginx server configuration.

location ~* /(\.|wp-config\.php) { deny all; }
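It helps to see exactly which request paths that one-line rule denies. The following is an added example that is not part of the original post: a small shell script that replays the same regular expression against a handful of constructed request paths. It assumes only a POSIX shell and grep; nginx's ~* operator is a case-insensitive regex match, which grep -iE reproduces for a pattern this simple. Running it shows one side effect worth knowing about: because the pattern matches any path segment that starts with a dot, it also denies /.well-known/acme-challenge/, which Let's Encrypt uses for HTTP-01 validation. If you renew certificates that way, add a prefix location such as location ^~ /.well-known/acme-challenge/ { allow all; } alongside it; nginx gives a ^~ prefix match precedence over regex locations.

```shell
#!/bin/sh
# Added example, not code from the original post: replay the nginx rule
#   location ~* /(\.|wp-config\.php) { deny all; }
# against sample request paths to see what it actually denies.
# "~*" is a case-insensitive regex match; grep -iE reproduces it here because
# the pattern uses nothing that differs between POSIX ERE and nginx's PCRE.

NGINX_DENY_REGEX='/(\.|wp-config\.php)'

# Return 0 if nginx would deny the path (403), 1 if it would serve it.
is_denied() {
    printf '%s\n' "$1" | grep -qiE "$NGINX_DENY_REGEX"
}

# Human-readable verdict for one path.
verdict() {
    if is_denied "$1"; then
        echo "DENY  $1"
    else
        echo "ALLOW $1"
    fi
}

# Constructed sample paths. Note three things the rule does beyond the
# obvious: it also blocks backup copies like wp-config.php.bak, any dot-file
# or dot-directory such as /.git/config (good), and the ACME challenge path
# under /.well-known/ (which you may need to re-allow).
for p in /wp-config.php /WP-CONFIG.PHP /wp-config.php.bak /wp-admin/ \
         /.htaccess /.git/config /.well-known/acme-challenge/token \
         /wp-content/uploads/image.png /wp-content/uploads/.hidden.png; do
    verdict "$p"
done
```

Note that deny all answers with 403, which still tells a scanner that the path exists; if you would rather not confirm that, return 404 in that location instead.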

For Apache users, put this in your main .htaccess file, the one located directly under your public_html folder.

# Protect wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Protect .htaccess and any other file with ".hta" in its name
<Files ~ "^.*\.([Hh][Tt][Aa])">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

# Order/Deny are Apache 2.2 directives. On Apache 2.4 they only work when
# mod_access_compat is loaded; the native 2.4 form is "Require all denied".

Okay, that’s it! Actually, there are plenty of other methods available, like changing the login URL, but I’m not a fan of it. Sometimes, if I’m accessing my site from a public computer, I forget the login URL, and it is a disaster, lmao.

Anyway, if you have other techniques or want to ask more about securing a WordPress site, feel free to leave a comment.