Thank you for visiting the Rackspace Community

Hardening WordPress Security

If you own a WordPress site, the first thing you should care about is its security. Most of the time we build a website, install plugins and publish articles, and forget the one thing that matters most: WordPress security.

However, many beginners think that securing a WordPress site is hard and time-consuming, so they either skip the task or hire a security expert to take care of it (they charge around $80-$200 per hour).

In fact it is quite easy, and you can harden your WordPress site yourself without paying hundreds of dollars to a security expert. You can follow the step-by-step guide "WordPress security - 24 ways to secure your website from hackers". It is an in-depth guide that is easy to follow.

But why is website security so important?

Your website represents your online brand and your business. It takes years to build a brand and earn your customers' trust, and customers who trust your website buy your products.

If your website is not secure, your customers' data can be stolen by hackers, which damages the relationship between you and your customers.

Besides, if your site contains malware, Google will probably blacklist your website. This is the worst nightmare you can have.

How does a website get hacked?

There are many ways hackers can exploit your WordPress site:

  • Brute Force Attacks
  • SQL Injections
  • Cross Site Scripting (XSS)
  • Pharma Hacks
  • Malicious Redirects
  • Backdoors

How to Harden WordPress Security (follow WPMyWeb's guide to get this done)

  • Get a Good WordPress Hosting
  • Keep WordPress version Updated
  • Don’t Use Any Nulled/Cracked Theme or Plugin
  • Use Strong Passwords
  • Add (2FA) Two Factor Authentication
  • Change WordPress Login URL
  • Limit Login Attempts
  • Back up Your Site Regularly
  • WordPress security plugins
  • Automatically Logout Idle Users
  • Add Security Questions to WordPress Login Page
  • Change the Default “admin” Username
  • Assign Users to the Lowest Role Possible
  • Monitor File changes and User activities
  • Install SSL Certificate
  • Delete unused themes and plugins
  • Disable file editing in WordPress dashboard
  • Password protect WordPress login page
  • Disable directory browsing
  • Remove your WordPress version number
  • Change WordPress Database Table Prefix
  • Only use trusted WordPress themes and plugins
  • Disable PHP error reporting
  • Add HTTP Secure Headers to WordPress
Do you have any WordPress security plugins that you recommend?

"WordPress is designed to prevent [directory browsing of sensitive folders] right out of the box."
Actually, WordPress doesn’t prevent directory browsing in the wp-content/uploads folder, which is one of the first things you can check to see if a WordPress website is secure.
Indeed, all uploaded files end up there, even if it is on a private post, so it can be a way to take private content… which is not really good.
I think WordPress should disable all directory browsing by default, in my humble opinion.
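Several items in the hardening list above (disable file editing, hide PHP errors, remove the version number, add HTTP security headers, log out idle users, limit login attempts) can be done in a single must-use plugin without installing anything. The following is an added example written for this post, not code from WPMyWeb's guide or from WordPress core; the file name, the `hardening_` function names and the thresholds (5 failed logins per 15 minutes, 1 hour / 1 day session limits) are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: WP Hardening Example
 * Description: Added example for this post (not WPMyWeb's or WordPress core code).
 *
 * Save as wp-content/mu-plugins/hardening.php. Must-use plugins load on every
 * request with no activation step, so these settings cannot be switched off
 * from the dashboard. Thresholds below are assumptions, not figures from the post.
 */

defined( 'ABSPATH' ) || exit;

// "Disable file editing": hides Appearance > Editor and Plugins > Editor and
// removes the edit_themes / edit_plugins capabilities. wp-config.php is the
// canonical place for this constant; an mu-plugin works too because WordPress
// only checks it at runtime when mapping capabilities.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// "Disable PHP error reporting": never render notices to visitors. Also put
// define( 'WP_DEBUG_DISPLAY', false ) in wp-config.php, because WordPress reads
// that constant before mu-plugins are loaded.
@ini_set( 'display_errors', '0' );

// "Remove your WordPress version number": the <meta name="generator"> tag, the
// feeds, and the ?ver=x.y.z query string appended to core scripts and styles.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
$hardening_strip_ver = function ( $src ) {
    return is_string( $src ) ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'style_loader_src', $hardening_strip_ver, 9999 );
add_filter( 'script_loader_src', $hardening_strip_ver, 9999 );

// "Add HTTP secure headers": `init` runs before any output on front-end, admin
// and AJAX requests alike, whereas `send_headers` only fires for front-end pages.
add_action( 'init', function () {
    if ( headers_sent() ) {
        return;
    }
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );

// "Automatically logout idle users": shorten the login cookie. Core defaults are
// 2 days, or 14 days with "Remember Me"; this caps a session at 1 hour / 1 day.
// It is a hard session limit, not a true idle timer, but it bounds the exposure
// of a cookie left on a shared machine.
add_filter( 'auth_cookie_expiration', function ( $expire, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : HOUR_IN_SECONDS;
}, 10, 3 );

// "Limit login attempts": 5 failures per client IP inside a 15-minute window,
// counted in a transient. Each further failure refreshes the window, so a bot
// that keeps hammering stays locked out. Assumption: REMOTE_ADDR is the real
// client address; behind a CDN or reverse proxy, read the forwarded-IP header
// that proxy sets instead, and only trust it from the proxy's own addresses.
function hardening_fail_key() {
    return 'login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}
add_action( 'wp_login_failed', function () {
    $key = hardening_fail_key();
    set_transient( $key, (int) get_transient( $key ) + 1, 15 * MINUTE_IN_SECONDS );
} );
// Priority 30 runs after core's username/password checks (priority 20), so a
// correct password is still rejected while the lockout is active.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user; // GET of wp-login.php, nothing to rate-limit
    }
    if ( (int) get_transient( hardening_fail_key() ) >= 5 ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 2 );
add_action( 'wp_login', function () {
    delete_transient( hardening_fail_key() ); // successful login clears the counter
} );

// Brute force also arrives over XML-RPC (system.multicall bundles hundreds of
// guesses in one request); turn it off unless Jetpack or the mobile app needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Two caveats: a per-IP lockout is only as good as the IP you key it on, so behind a proxy or CDN the forwarded header has to be validated or every visitor shares one counter; and the directory-listing problem raised in the last comment is a web server setting (`Options -Indexes` in Apache's .htaccess, `autoindex off;` in nginx) rather than something PHP can switch off, which is why it is not in the plugin above.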