Your website should be ticking over smoothly now that we have created a backup strategy, updated WordPress and implemented some good website habits. Next, we’ll learn how to secure it further by adding more layers of security.
You will need a security plugin to implement the recommendations in this section. The security plugins we recommend are Wordfence and iThemes Security, and both can implement our recommendations below.
Limit Login Attempts
As explained previously, most “hacks” are simply automated bots guessing passwords for the users on your website. You have already removed the admin username, so now let’s block further automated login attempts.
Note: implementing this step may cause you and your users to be locked out of the site if you can’t remember your password. Please record your login details safely so you can refer to it when needed.
Wordfence: All Options → Firewall Options → Brute Force Protection → On. Configure the number of login failures that will result in a lockout.
iThemes Security: Settings → Local Brute Force Protection → Enable.
Disable File Execution
WordPress, plugins and themes are only allowed to upload files in the wp-content/uploads/ directory. If hackers find a bug, they could upload a script to the uploads directory, which they can then use to exploit further weaknesses in the site. We can close this security risk by preventing any scripts from functioning inside the uploads folder.
You can find the setting to disable file execution at the following locations.
Wordfence: All Options → Wordfence Global Options → General Options → Disable Code Execution for Uploads directory
iThemes Security: Settings → System Tweaks → Disable PHP in Uploads
Disable File Editing
WordPress comes with an editor which can be used to modify theme and plugin files. At best, it is occasionally useful but at worst, a security flaw that can be exploited by malicious users. We recommend disabling it entirely.
iThemes Security: Settings → WordPress Tweaks → Disable File Editor
Decide on other security features to implement
The above are the basic settings that you should implement for Wordfence and iThemes Security, but they have many more features and layers of protection. For example, we also like Wordfence for its firewall feature. We strongly recommend that you review them and decide which additional features to activate on your website.
Learn more about Wordfence (free and premium versions available)
Learn more about iThemes security (free and premium versions available)
Web Application Firewall
In simple terms, a “firewall” is just a barrier between one side and the other. Application firewalls are firewalls designed to work specifically with a program or software. Subsequently, Web Application Firewalls (WAFs) are firewalls designed to work with web software, like WordPress.
Adding a Web Application Firewall to your site will increase your website security and reduce annoyances like comment and analytics spam. As WAFs are usually cloud-based, they also add additional features like speed and miscellaneous optimizations to your website.
The WAFs we recommend are Cloudflare, Sucuri and Wordfence. We summarize what they offer in the table below.
|Web Application Firewall||Cloud||Cloud||Endpoint|
|Performance optimization (CDN)||Yes||Yes||No|
|Malware & hack cleanup||No||Available||Yes|
|Free plan available||Yes||No||Yes|
Install Cloudflare on your website
We are big fans of Cloudflare and recommend it to all WordPress website owners, even if you don’t want to upgrade to get the WAF. The free plan includes a basic firewall and will help speed up your website, so it’s a great addition to your website anyway.
Follow these instructions to Install Cloudflare on your WordPress site.
Need help installing Cloudflare on your WordPress website? ClickWP can help