
How to Secure WordPress: Essential Steps for a Safe Website

In today’s digital landscape, understanding how to secure WordPress is crucial for maintaining a trustworthy online presence. It’s no surprise that WordPress sites are increasingly targeted by cybercriminals. The reason is simple: as the world’s most popular content management system (CMS), WordPress is a prime target for malicious attacks.

For a cybercriminal, it’s enough to monitor the latest vulnerabilities in WordPress and its plugins, then use a bot network to automatically test the security of publicly accessible WordPress sites.

This guide is primarily intended for our shared hosting clients, but it will also be useful for anyone whose website is hosted in a similar environment to ours—namely, in a secure data center and on a server protected by Imunify360.

Choosing the Right Plugin to Secure WordPress

For several years, despite the many options available on the market, we have consistently chosen the same plugin to secure WordPress: Solid Security.

Over the years, we have tested various plugins. However, Solid Security has consistently stood out based on our criteria. Indeed, it provides all the essential features to secure a WordPress site while ensuring that performance remains unaffected.


Since this guide is intended for users whose hosting already includes advanced security measures like Imunify360, some additional security features are unnecessary. For example, scanning for infected files is redundant because Imunify360 already takes care of it. It’s important to remember that adding too many features (including those from plugins) can slow down your website.

Our choice is based on the following key factors:

  • No unnecessary options
  • Minimal to no impact on site performance
  • A free version that offers all the essential features

Installing Solid Security Plugin

Before installing a security plugin, it’s important to note that, based on our experience with numerous websites, you should use only one security plugin at a time. Contrary to popular belief, installing multiple security plugins does not enhance your site’s protection; instead, it can create conflicts and potentially reduce overall security.

👉 Before proceeding, uninstall any existing security plugin from your site.

Installation Process

When you’re ready to install Solid Security, follow these steps:

  1. Go to the “Plugins” menu in your WordPress dashboard.
  2. Click “Add New Plugin”.
  3. In the search bar, type “Solid Security”.
  4. Locate the plugin “Solid Security – Password, Two-Factor Authentication, and Brute Force Protection”, then click “Install Now”.
  5. Once the installation is complete, click “Activate” to enable the plugin.

After activation, a new menu labeled “Security” will appear in the left sidebar of your WordPress dashboard.


Configuring the Plugin

Wizard Setup

With the plugin now activated, open it to complete the setup wizard. Subsequently, we’ll manually adjust certain settings to enhance your WordPress site’s security effectively.

Follow these recommended steps to configure the plugin:

  1. In the “Help us improve Solid Security” window, click “Skip”.
  2. In the “What type of website is this?” section, select “eCommerce” or “Blog”, depending on your site type.
  3. Skip the “Before we configure Solid Security, let’s scan your site for vulnerabilities” option by clicking “No, Skip Site Scan” at the bottom of the page.
  4. In the “Brute Force protection is the first brick in your firewall” section, click “Continue”.
  5. When prompted to choose a password protection type, click “Continue”.
  6. Keep Two-Factor Authentication enabled and click “Continue”.
  7. When asked to choose between “My Own Website” and “Client Website”, select “My Own Website”.
  8. Do not check the “Security Check Pro” option, then click “Next”.
  9. For IP detection, choose “Direct Connection”, then click “Next”.
  10. On the “Global Settings” page, simply click “Next”.
  11. On the “Features” page, click “Next”.
  12. Select “Default User Group” on the “User Groups” page.
  13. On the second “User Groups” page, click “Next” at the bottom.
  14. Finally, on the “Notifications” page, click “Next”.

Once these steps are completed, the plugin will automatically apply essential security settings. We can then explore the options in more detail to customize the protection without slowing down the website.


How to Configure the Plugin to Secure WordPress


Once the setup wizard is complete, we can manually review each aspect of the security plugin. To do this, access the plugin’s configuration menu:

👉 Go to the “Security” menu, then click on the “Settings” submenu.

The plugin settings are divided into several subsections, which we will go through one by one. This guide focuses only on the most important settings that are not necessarily enabled by default.

💬 If you believe other aspects should be covered, feel free to share your thoughts in the article’s comments!


Global Settings

The default settings are already well configured, but we’ll scroll down to the Other section at the bottom of the page to adjust a few essential options.

  • Check the “Hide Security Menu in Admin Bar” option
    • This hides the “Security” link from the top admin bar in WordPress. Hiding it slightly improves the loading time of pages within the admin interface.
  • Disable the “Allow Data Sharing” option
    • Make sure this option is unchecked. It allows the plugin to send usage data to StellarWP. For privacy and performance optimization, it’s best to turn it off.

Features Section

Login Security Tab

✔ Ensure that the “Two-Factor” option is enabled. If it is not, activate it.

This feature requires users to enter an additional verification code sent via email, adding an extra layer of security to protect login credentials.

Firewall Tab

Check the following settings in this section:

  • Ban User → Enabled: Blocks IP addresses that attempt to access your site suspiciously.
  • Firewall Rules Engine → Disabled: This feature applies WAF rules to incoming requests. However, Imunify360 and the server’s physical firewall already provide this protection.
  • Local Brute Force → Enabled: Monitors login attempts and blocks IPs that repeatedly try to guess passwords.
  • Network Brute Force → Disabled: This feature shares data with the plugin’s developer to create a blacklist of malicious IPs. However, since Imunify360 already manages this protection, enabling it may be redundant.

Site Check Tab

Disable both options in this tab.

These settings scan your site’s files for modifications or infections, but:

  • The first option can generate excessive email notifications.
  • The second is already handled by Imunify360.

Utilities Tab

Disable all three options in this section for the following reasons:

  • Enforce SSL: If the plugin forces HTTPS redirection, it adds a JavaScript file to each page, which can impact performance. SSL redirection should be managed directly in the .htaccess file and database.
  • Database Backups: Since most hosting providers (including ours) perform regular backups, enabling this feature would only consume unnecessary resources. As a result, it could slow down your site during backup creation.
  • Security Check Pro: This feature requires an external connection to analyze your site, which is unnecessary.

User Groups Section

The User Groups section allows you to adjust security settings and permissions based on user roles. This helps define specific access levels for each type of user.

👉 The default configuration is already optimized for most WordPress sites. Therefore, there’s no need to modify this section.


Notifications Section

This section allows you to manage the frequency and recipients of email notifications sent by the plugin. While it doesn’t directly impact how the plugin secures WordPress, it helps prevent excessive and unnecessary notifications.

Go to the “Security Digest” submenu and change the schedule to “Weekly”. This way, the plugin will send a weekly activity summary instead of daily reports.

In the “Site Lockouts” submenu, uncheck the option. It is unnecessary to receive email notifications listing IP addresses blocked by Solid Security.


Advanced Section

This section contains the settings that have the most significant impact on securing your WordPress site. It is divided into three parts, which we will review below.

System Tweaks

In this section, several options should be enabled to enhance WordPress security.

  • Protect System Files → Enable: Blocks direct access to critical WordPress files, such as wp-config.php, through the web server configuration.
  • Disable Directory Browsing → Enable: Prevents unauthorized users from viewing the contents of directories. While this restriction is typically in place on secure hosting environments like ours, enabling it here won’t slow down the site since it operates at the server level.
  • Disable PHP in Uploads, Disable PHP in Plugins, Disable PHP in Themes → Enable all: These options prevent PHP files from executing in the uploads, plugins, and themes directories. This blocks attackers from exploiting vulnerable files outside of WordPress’s core system.

WordPress Tweaks

Some built-in WordPress features can be exploited by attackers. It’s recommended to adjust them as follows:

  • Disable File Editor → Enable: WordPress includes a built-in file editor for modifying theme and plugin files. However, it’s safer to disable this feature and use a child theme for modifications instead.
  • XML-RPC → Select “Disabled XML-RPC”: This protocol allows external applications to send commands to WordPress, but it is commonly abused for brute-force attacks. Disabling it helps prevent such threats.
  • REST API → Select “Restricted Access”: By default, the REST API exposes certain sensitive information, such as the list of registered users. Restricting access reduces risks without completely disabling this functionality.
  • Force Unique Nickname → Enable: Requires each user to choose a unique display name, making it harder for bots to guess login credentials.
  • Disable Extra User Archives → Enable: If a user has not published any posts, they won’t have a public archive page, reducing the chances of bots gathering unnecessary user information.
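The same tweaks applied by hand, as an added example that is not code from this article or from Solid Security: a hypothetical must-use plugin, assumed to live at wp-content/mu-plugins/manual-wp-tweaks.php, that disables the file editor and XML-RPC, hides the REST user listing from anonymous visitors, and drops author archives of users with no posts.

```php
<?php
/**
 * Plugin Name: Manual WordPress Tweaks (hypothetical example)
 * Description: Applies the "WordPress Tweaks" from the guide without the plugin UI.
 *
 * Assumed install path: wp-content/mu-plugins/manual-wp-tweaks.php
 * (must-use plugins in that directory load automatically and cannot be
 * deactivated from the dashboard).
 */

// Disable File Editor: removes the Theme/Plugin File Editor screens.
// Equivalent to define( 'DISALLOW_FILE_EDIT', true ) in wp-config.php.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// XML-RPC -> "Disabled": every XML-RPC method call is refused, and the
// RSD discovery link that advertises xmlrpc.php is dropped from <head>.
add_filter( 'xmlrpc_enabled', '__return_false' );
remove_action( 'wp_head', 'rsd_link' );

// REST API -> "Restricted Access": keep the public endpoints that themes and
// the block editor rely on, but hide the user routes from visitors who are
// not logged in, so /wp-json/wp/v2/users cannot be used to list accounts.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
		unset( $endpoints[ $route ] );
	}
	return $endpoints;
} );

// Disable Extra User Archives: the archive of an author with no published
// posts is sent back to the home page. Priority 1 runs this before
// redirect_canonical(), so ?author=N is not rewritten to the pretty
// /author/<login>/ URL that would reveal the login name.
add_action( 'template_redirect', function () {
	if ( ! is_author() ) {
		return;
	}
	$author = get_queried_object();
	if ( $author instanceof WP_User && 0 === (int) count_user_posts( $author->ID ) ) {
		wp_safe_redirect( home_url( '/' ), 301 );
		exit;
	}
}, 1 );
```

After installing it, confirm the effect from outside: an anonymous request to /wp-json/wp/v2/users should return a 404 route error and /xmlrpc.php should answer that XML-RPC is disabled.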

Hide Backend

Activate this option. By default, the /wp-admin and /wp-login.php pages are used to access the WordPress admin dashboard. Since they are among the most targeted by malicious bots, it is recommended to hide them by setting a custom URL.

  • Login Slug: Enter a word that will replace the standard login URL.
    • For example, if you enter “atomic-potato”, you will now access your dashboard via “mysite.com/atomic-potato”.
    • Make sure to choose a unique but easy-to-remember word to avoid accidental lockouts.

Security Tools to Secure Your WordPress

Within the same plugin, several tools help enhance your WordPress security. These tools are accessible via the “Security” menu in the sidebar, under the “Tools” submenu.

Below are some useful tools and the situations where they are best used:

  • Change User ID 1
    • What is it? During an SQL injection attack, hackers often attempt to access a site by assuming that the main user is the first account created—which is usually the case.
    • When to use it? This tool is useful when creating a new site or if you are unsure whether this modification has already been applied. If your site is already secure in this regard, you don’t need to use it.
  • Change Database Table Prefix
    • What is it? By default, all WordPress database tables start with the prefix ‘wp_’. Consequently, if an attacker knows this prefix, they can more easily execute SQL injection attacks targeting your database.
    • When to use it? If your database still uses the default WordPress prefix or if your site has already been infected, it is recommended to change the prefix to reduce the risk of attacks.
  • Change WordPress Salts
    • What is it? Salting is a security technique used to protect sensitive data, such as session cookies and authentication information.
    • When to use it? You should change WordPress Salts if you move your site to a new host or if you suspect that an unauthorized person has gained access to your site.

Final Thoughts

By implementing these strategies, you can effectively secure WordPress and safeguard your site against potential vulnerabilities.

Nevertheless, it’s important to remember that no security setup is foolproof. For this reason, regular updates remain essential. In addition, always ensure that you are using only trusted plugins and themes that are actively maintained by their developers.

💬 If you notice any missing points or have questions about WordPress security, feel free to leave a comment below!

