Get a free quote

360-Web-Firm-Circle-with-numbers-360-and-words-web-firm-NEW-LOGO-2024-1.webp

Call us Today

Securing Your WordPress Website in 2025

by | Dec 30, 2024 | Website Security, Wordpress Security, WordPress Website

WordPress is a great platform for your website and/or web blog. However, it requires measures in place to keep your website safe and secure.

I understand this is a lengthy post about WordPress security, but it’s important to consider various aspects, and I wanted to provide as much information as possible to assist you. I’m sharing the practices I implement on my own sites for your benefit. Please remember that this is offered as a courtesy, and any actions you take with your WordPress website based on my suggestions are at your own risk.

Here is a list of recommended steps you could take to try and secure your WordPress website. Some of these recommended steps below are with using CPanel as your web hosting control panel.

Table Of Contents

Secure password and change regularly, never give out through unsecure email.

Understanding the Importance of Secure Passwords

When it comes to managing a WordPress website, safeguarding your content and sensitive data should be a top priority. A secure password is your first line of defense against unauthorized access. To maintain the security of your WordPress site, it is crucial to create strong passwords that are hard to guess.

Creating Strong Passwords

A strong password should include a combination of uppercase and lowercase letters, numbers, and special characters. Aim for a minimum of 12 characters to enhance your password’s strength. Additionally, avoid using easily obtainable information such as birthdays or common words that can compromise your site’s security.

Regularly Updating Your Password

One of the best practices in maintaining your WordPress site’s security is to change your password regularly. It is advisable to update your password every three to six months. This routine, coupled with the use of unique passwords for different accounts, can significantly reduce the chances of unauthorized access.

Importantly, never share your password via unsecure email or any other insecure communication methods. If you must share access to your WordPress site, consider using secure channels and tools designed for sharing sensitive information.

Make those usernames unique do not use on front end anywhere.

Understanding WordPress Usernames

When you set up a WordPress website, your usernames are often displayed publicly. This can lead to privacy concerns and unwanted attention. Therefore, many website owners want to take proactive steps to hide their usernames and instead display a nickname or an alias.

Benefits of Using Nicknames

Using a nickname instead of your original username on WordPress can enhance your privacy. It reduces the risk of targeted attacks, spam, and unwanted queries. Moreover, nicknames can create a more approachable and friendly atmosphere on your website, encouraging more engagement from your visitors.

Enable Two Factor Authentication (2FA) on your login.

Understanding the Importance of Two-Factor Authentication

In today’s digital landscape, securing your website is more critical than ever. With a significant number of cyber threats targeting WordPress sites, implementing robust security measures like Two-Factor Authentication (2FA) becomes essential. By requiring a second form of identification, 2FA significantly reduces the risk of unauthorized access to your account.

How to Enable 2FA on Your WordPress Site

Enabling Two-Factor Authentication on your WordPress website is a straightforward process. Begin by installing a reliable 2FA plugin from the WordPress repository. There are many high rated plugins to choose from, which are user-friendly and effective.

After installing the plugin, navigate to the settings and configure 2FA by linking your account to a mobile authentication app. This link typically involves scanning a QR code that will be displayed during the setup process. Once linked, each time you log in, you will enter a temporary code generated by the app, adding an extra layer of security.

Hide your default WordPress login links.

Concealing the default WordPress login is essential for protecting your site from unauthorized access while significantly reducing the likelihood of login spam and attempts. By obscuring this entry point, you not only enhance your website’s security but also create an additional barrier that deters potential intruders and bots from exploiting common vulnerabilities. This proactive measure contributes to a safer online environment, ensuring that only legitimate users can gain access to your site.

A great plugin to use for this is WPS Hide Login which you can set your own private login and the default login will be ignored and not used.

Limit login attempts on your WordPress website & disable registration.

Limiting login attempts on your WordPress website is crucial for preventing spam and enhancing security, as it deters unauthorized access by blocking the IP address of anyone who continues to attempt logging in.

A well known plugin that works great on your WordPress website is Limit Login Attempts Reloaded. You can set the number of failed logins which will block the IP if not successful for a period of time you set.

Use a rate limiter such as Word Fence or Cloudflare to limit BAD bots and spam.

wordfence and cloudflare for rate limiting.jpg

Introduction to Rate Limiters

If you’re running a WordPress website, combating bots and spam is likely a major concern. One effective strategy to protect your site is to use rate limiters like Wordfence or Cloudflare. These tools help manage traffic to your website by limiting the number of requests from bots, preventing malicious activities, and enhancing your site’s overall security.

How Rate Limiters Work

Rate limiters function by monitoring the number of requests received within a specific time frame. When a user exceeds this limit, their access is temporarily restricted. Tools like Wordfence and Cloudflare employ various algorithms to analyze traffic patterns, thereby distinguishing between legitimate users and harmful bots. This proactive approach minimizes server load and decreases potential vulnerabilities.

Benefits of Implementing Rate Limiters

Implementing rate limiters on your WordPress site offers several advantages. First and foremost, it reduces the likelihood of spam attacks and DDoS threats. By effectively filtering out unwanted bots, you ensure that genuine visitors have a seamless experience. Additionally, rate limiters can enhance your website’s loading speed by preventing excessive requests from overwhelming your server. In conclusion, using tools like Wordfence or Cloudflare is essential for robust security, helping safeguard your site against various online threats.

With any forms such as contact, use reCAPTCHA from Google.

When using sign-up or registration forms on your WordPress website it is crucial to implement Google reCAPTCHA to help reduce spam. A contact form on your website is particularly prone to spam attacks. By applying reCAPTCHA to these forms you can effectively mitigate the risk of bot-generated spam.

Allow comments from registered users and do not allow trackbacks and pingbacks.

Enabling comments solely from registered users while disabling trackbacks and pingbacks is an effective strategy for minimizing spam on your WordPress site, as it enhances security by ensuring that interactions come from known contributors and prevents unwanted notifications from other sites.

Always use cPanel two factor authentication when logging into your cPanel account.

Two factor authentication (2FA) login screen with code.jpg
Always ensure that you enable two factor authentication for your CPanel account login, along with all other secure logins you use, as this crucial step significantly enhances your online security and protects your sensitive information from unauthorized access.

Add security headers to block several things such as clickjacking and cross-site scripting.

Security headers, also known as HTTP security headers, help protect websites and web applications from security threats by instructing browsers how to behave when handling a site’s content

Vulnerability exploitation

Security headers make it more difficult to exploit client-side vulnerabilities, such as cross-site scripting (XSS) and clickjacking.

Malicious code.

Security headers can limit the sources of embedded content, which can reduce the risk of malicious code.

Unauthorized access

Security headers help protect sensitive user data from unauthorized access and manipulation.

TLS communication

Security headers can configure browsers to only allow valid TLS communication and enforce valid certificates.

Server certificate

Security headers can enforce using a specific server certificate.

Implementing security headers on your WordPress website is essential for enhancing its security and protecting it from various online threats. These headers serve as a crucial defense, reducing risks like cross-site scripting and clickjacking while providing better privacy and data integrity for your users. Properly configured headers not only reinforce your website’s defenses against attacks but also build trust with your visitors, ensuring their sensitive information is safe as they interact with your content.

Using htaccess to add security headers to your WordPress website

Place the following code in your .htaccess file for each website and place it right after the closing

# END WordPress

<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy: no-referrer-when-downgrade
</ifModule>

Security Hardening with WP Toolkit for cPanel.

Upon any new installation, you should apply all critical security measures, as recommended by WordPress experts. Additional security measure can also be specified and implemented, from forbidding the execution of PHP scripts in certain directories to turning off pingbacks, blocking.

Wp Toolkit offers a comprehensive set of tools designed to enhance your security measures, safeguarding against prevalent vulnerabilities, unauthorized access, and possible threats.

Disable XML-RPC and block access to xmlrpc.php.

Why should I disable XML-RPC?

Brute Force Attacks – Where an attacker can use xml-rpc to test hundreds of username and password combinations until they are eventually able to gain access to your site.
DDoS Attack – Where an attacker can use xml-rpc to pingback thousands of IPs.

Disabling XML-RPC for a WordPress instance can be accomplished through various methods including code snippets, htaccess modifications, using WP Toolkit or the use of a plugin; in this guide, I will demonstrate how to utilize with htaccess along with WP Toolkit for effective results.

Using .htaccess file

Go into your file manager and locate your .htaccess file and if its not shown, you might have to click the gear icon and show all hidden files within cPanel. Go to where it says:

# END WordPress

Then add the following.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

If you wish to give a certain user remote access to your site, then simply replace ‘xxx.xxx.xxx.xxx’ on line 5 with their IP address. You can add multiple IP addresses by separating them with spaces.

Or, if you want to disable XML-RPC completely, then delete the line with the ip (xxx.xxx.xxx.xxx) altogether.

Using WP Toolkit to disable XML-RPC

  1. Login to your control panel, could be Cpanel or Plesk.
  2. Open WordPress > example.com > Fix vulnerabilities > Security Measures.
  3. Select Block unauthorized access to xmlrpc.php and click Secure.
  4. Repeat for all your WordPress websites.

Firewall, intrusion detection, malware scanning service and protection against brute force and DoS attacks.

Imunify360-800-2.jpg
A robust server firewall acts as your website’s first line of defense, expertly monitoring incoming and outgoing traffic to thwart malicious entities before they can cause harm. By utilizing advanced filtering techniques, this vital security measure not only blocks unwanted access and protects sensitive data but also seamlessly integrates with other security protocols, such as intrusion detection systems and malware scanning, creating a fortified environment for your web applications. With a firewall in place, you can confidently focus on growing your business, knowing that your online presence is shielded from the ever-evolving landscape of cyber threats, thus ensuring a safer experience for both you and your users.

Imunify360 uses a multi-layered approach to protect your server, including:

  • Firewall: An advanced firewall with machine-learning rulesets.
  • Antivirus: Automatic scanning and removal of viruses and malware.
  • Patch management: Rebootless kernel patch updating.
  • Intrusion detection and protection system: A collection of rules for blocking known attacks.
  • Website reputation monitoring: Analyzes if your website or IPs are blocked by blacklists.
  • Proactive defense: Blocks potentially malicious executions against websites running PHP.

A good Firewall will block IP’s and even Countries. Its essential that you have a complete suit that will help you with security on your server. I would recommend using ConfigServer Security & Firewall (CSF) with Imunify360 on your server.

Bonus content for WordPress sent email

PHPMailer is a powerful code library that PHP applications utilize for sending emails, and it is widely used by various Content Management Systems, such as WordPress. WordPress employs a built-in PHP mail function called wp_mail to dispatch emails through your web hosting server, allowing you to start sending communications from your site immediately. This capability includes essential notifications for WordPress administrators, user management features like password reset emails, and alerts from plugins, including contact form submission notifications. However, a significant drawback is that both PHPMailer and wp_mail lack the necessary authentication measures to prevent your emails from being marked as spam. Additionally, if your web server is not configured to handle large volumes of emails, you may risk exceeding your hosting provider’s limits on bulk mailing. To circumvent these email-related challenges and resolve issues with PHPMailer, connecting your WordPress site to a third-party SMTP provider is highly advisable.

Solution: use a SMTP plugin

WP Mail SMTP fixes your email deliverability issues by reconfiguring WordPress to use a proper SMTP provider when sending emails.

There is an easy-to-use Setup Wizard and detailed documentation guide that will help you through the process.

WP Mail SMTP is free and has everything you need to reliably send your WordPress emails.