The Ultimate WordPress Security Guide – Step by Step

The title of this article may allude to WordPress being an insecure or highly vulnerable platform. WordPress gets a bad rap for having numerous security vulnerabilities and thus not being a secure platform for business. Usually, that’s only because businesses and users are being lazy by not taking the time to use industry best practices to secure their WordPress site. 

WordPress websites get compromised because they have a poor administration setup, use nulled plugins, the credentials management systems don’t work, and all of this happens because there is a non-techie person behind the website. However, even industry leaders like Reuters get hacked because they were too lazy to update to the latest version or they didn’t want to risk a new WordPress Installation breaking their website. 

WordPress powers over 43% of all websites on the internet, and with millions of themes, plugins, and any number of combinations, there is no surprise that there are vulnerabilities. The good thing about WordPress is that there is a healthy community around the platform, ensuring that vulnerabilities get patched almost as soon as they are discovered. 

According to Internet live stats there over 100k websites are hacked every day. If you don’t want to risk becoming a statistic, we’ll go over a few simple things you can do to secure your WordPress website in 2022. 

Start Your Website With Secure WordPress Hosting 

One of the places you should start is with secure hosting; that way, you’re locking down the website in the best possible way. This is mainly web server-level security, which your WordPress host will handle, freeing you up from having to worry about it. 

While there are many hosting companies, we’d strongly advise that you choose one with repute. Don’t worry if the most secure hosting you are aware is secure costs a few hundred dollars more because it will save you a bundle in the long term. 

You could alternatively choose to host your own VPS, but doing that requires having technical knowledge since you are solely responsible for everything. If you are a business owner, this approach will mean you’ll focus less on your business and more on keeping your VPS secure. 

Updated Your WordPress Website To The Latest PHP Version 

Now for those who may not know, PHP happens to be the backbone of a WordPress website, so it is essential to update to the latest version. Each major version update is fully supported for around 24 months. During this time, security vulnerabilities, bugs, and other issues are fixed regularly. This means if you are currently running on PHP v7.0 or 7.2, or below, it is no longer supported, and you may be potentially exposed to unpatched vulnerabilities. 

Surprisingly over 48% of users, according to WordPress Stats, are using version 7.4, which was outdated a while back. That means hundreds if not thousands of websites are using an unsupported version of PHP file. 

Sure, it may take time for businesses and their developers to test and make sure that the code is compatible with their website, but there is no excuse for running a version that’s been outdated years ago. Furthermore, this also has a significant performance impact on the website. 

If you want to check which version of PHP you’re currently running, your host should provide this information in the header request. The easiest way to check is to head on over to tools.pingdom.com, then click on the first request, and search for “X-powered-by”. This will show the current PHP version of your web server. However, some hosts remove this information for obvious security reasons. If your hosting provider has blocked this information, you can manually go into cPanel to update your PHP version. 

If your WordPress website is hosted on a host that uses cPanel, you can switch between PHP versions by choosing “PHP Select” under the “Software” category. You can Google to find out which is the currently supported version and switch to that. 

Use A Challenging Password and Username Combo

The next thing you’d want to do is use a password that nobody but you can remember for your WordPress login page. While it may sound pretty straightforward, it isn’t. Most people choose a password that is very easy for them to remember. However, these passwords are also one of the several hundred commonly used ones. So, all hackers need to do is run a brute-force attack using the most common passwords list. That’s why many hosts force users to use a challenging password, and though it may come across as an inconvenience, it is undoubtedly necessary. 

The other thing you never want to do is use the default “admin” username. You will want to create a unique WordPress username for your administrator account and delete “admin.” Doing this only requires that you head over to the WordPress Dashboard, click “users”, add a new user, give it a name and assign it an “Administrator” profile.  

Once the new account is assigned the admin role, you can delete the original “admin” user. Ensure that you choose “Attribute all content to” is chosen when you delete. 

Alternatively, the current admin username can also be updated manually by heading over to the “phpMyAdmin,” but make sure that your database is backed up before making any changes to it. 

Use the following: “UPDATE wp_users SET user_login = ‘newcomplexadminuser’ WHERE user_login = ‘admin’;”

You will also want to limit login attempts to your WordPress website to thwart brute force attacks. 

Finally – Always Update To The Latest Version of WordPress and WordPress Security Plugins  

Make sure that your WordPress plugins, themes, and everything else are updated to the latest version as it becomes available. Most of these updates will include security and performance enhancements along with bug fixes which are imperative to your website’s stability. 

You will also want to install a web application firewall, to inspect traffic to prevent unapproved visitors from entering your system from an external unapproved network. This will help keep your WordPress sites and associated WordPress users associated with your website secure. 

Also, make sure to update the core WordPress platform as soon as it becomes available. As of this writing, WordPress 5.9 is the latest version. Make sure to run the update if you’re currently not on it. Updating helps prevent instances of cross-site scripting, and other types of attack vectors.