Securing a WordPress website is essential because WordPress, as one of the most popular content management systems (CMS) worldwide, is frequently targeted by cybercriminals. Its widespread use makes it attractive not only to legitimate users but also to hackers who aim to exploit vulnerabilities in websites for various malicious purposes, including data theft, spam, defacement, and malware distribution.
This vulnerability doesn’t stem from WordPress being inherently insecure; instead, it arises from a combination of factors such as the large user base, a rich ecosystem of plugins and themes (which may have varying levels of security), and common misconfigurations or outdated software versions.
A compromised WordPress site can lead to severe consequences: loss of sensitive data, diminished user trust, search engine penalties, and in some cases, even legal repercussions. Moreover, recovering from a cyberattack can be costly and time-consuming, especially if backups aren’t regularly maintained or security measures aren’t in place.
To safeguard your site, it’s crucial to conduct regular security checks and take proactive steps to prevent vulnerabilities from being exploited. These steps cover everything from basic best practices—like keeping software updated and using strong passwords—to more advanced methods, such as disabling unused features, configuring firewalls, and monitoring user activities.
By following these essential security checks, you can significantly reduce the likelihood of your WordPress site falling victim to attacks and maintain a safe, reliable experience for your users.
1. Update Core, Themes, and Plugins
Ensure WordPress core files, plugins, and themes are always up to date. Developers regularly release updates to patch vulnerabilities.2. Strong Passwords and User Permissions
Use strong passwords for all users, especially administrators, and limit user permissions. Only grant necessary access to each role (avoid giving admin privileges unnecessarily).3. Two-Factor Authentication (2FA)
Enable 2FA for user logins to add an extra layer of security.
4. Limit Login Attempts
Restrict the number of login attempts to prevent brute-force attacks. Many security plugins offer this feature, but my favourite it Wordfence which offers free and premium versions.5. Change Default Login URL
Customise the login URL (e.g., from/wp-admin to something unique) to prevent automated login attacks.6. Install a Security Plugin
Use a trusted security plugin like Wordfence, Sucuri, or iThemes Security, which offer features like firewall protection, malware scanning, and login security.7. Enable Web Application Firewall (WAF)
A WAF protects against malicious traffic. Sucuri and Cloudflare offer WAF services that integrate with WordPress.8. SSL Certificate
Ensure an SSL certificate is installed to encrypt data between your site and visitors, which also improves SEO and credibility.9. Regular Backups
Schedule regular backups of your WordPress site. My favourite is UpdraftPlus which offers automated backups to Google Docs, Dropbox, MS OneDrive, Sharepoint and other platforms, but fundamentally it allows you to restore your site quickly and efficiently if it is compromised.10. Disable File Editing
Disable file editing in the WordPress dashboard by adding this line inwp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
This prevents users from editing theme and plugin files directly in the dashboard.
11. Set Correct File Permissions
Restrict file permissions for key directories:
wp-config.php should be set to 440 or 400.Directories should generally be 755, and files should be 644.
12. Monitor and Scan Regularly
Run regular malware scans to detect any threats. Plugins like Wordfence and Sucuri provide on-demand and scheduled scans.13. Remove Unused Themes and Plugins
Delete unused themes and plugins, as outdated or inactive plugins can be a source of vulnerabilities.14. Hide WordPress Version
Remove WordPress version information from your site by adding this line to your theme’sfunctions.php file:
remove_action( 'wp_head', 'wp_generator' );This makes it harder for attackers to target known vulnerabilities in specific WordPress versions.
15. Database Security
Change the defaultwp_ table prefix to something unique during installation or with a plugin if it’s an existing site.Restrict access to your database to prevent SQL injection attacks.
16. Implement HTTP Security Headers
Use headers like Content Security Policy (CSP), X-Content-Type-Options, and X-Frame-Options to protect against cross-site scripting (XSS) and clickjacking attacks.By conducting these checks and maintaining a proactive security approach, you can significantly reduce the risk of your WordPress site being compromised.
wp-json/wp/v2/users endpoint are essential steps to protect your WordPress site further from potential exploits and information leaks. Here’s how to implement these security measures:17. Disable XML-RPC
XML-RPC can be exploited for brute-force attacks, DDoS, and other vulnerabilities. To disable it, you have a few options:
Using a Plugin: Many security plugins, like Wordfence and iThemes Security, offer an option to disable XML-RPC.
Manual Method (add to .htaccess): Add the following code to your .htaccess file to disable XML-RPC:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
Functions.php Method:
Add this line to your theme’s functions.php file to disable XML-RPC programmatically:
add_filter( 'xmlrpc_enabled', '__return_false' );
18. Redirect or Block Access to /wp-json/wp/v2/users
The /wp-json/wp/v2/users endpoint in the WordPress REST API can expose usernames, which may lead to targeted brute-force login attempts.
Option 1: Redirect the Endpoint
To prevent access, redirect requests to the users endpoint back to the homepage. Add the following code to your theme’s functions.php file:
add_action( 'rest_api_init', function() {
if ( !is_user_logged_in() ) {
remove_action( 'rest_api_init', 'wp_oembed_register_route' );
add_filter( 'rest_endpoints', function( $endpoints ) {
if ( isset( $endpoints['/wp/v2/users'] ) ) {
unset( $endpoints['/wp/v2/users'] );
}
return $endpoints;
} );
}
});
Option 2: Use .htaccess to Block the Endpoint
Another method is to block access via .htaccess:
# Block access to REST API Users endpoint
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
Option 3: Disable REST API for Non-Logged-In Users
If you don’t need the REST API for non-logged-in users, you can disable it entirely for them:
add_filter( 'rest_authentication_errors', function( $result ) {
if ( !is_user_logged_in() ) {
return new WP_Error( 'rest_cannot_access', __( 'REST API restricted to authenticated users only.' ), array( 'status' => 401 ) );
}
return $result;
});
By disabling XML-RPC and securing the REST API user endpoint, you reduce common attack vectors and enhance your WordPress site’s security.
