WordPress security is becoming a much bigger issue nowadays because of its popularity. So many sites run WordPress, and many developers build apps, themes, and extensions for it. Unfortunately that same popularity makes it a common target: one flaw in a widely-installed plugin can be exploited on every site that runs it.
On the flip side, there is a wealth of documentation and support for WordPress and you’ll be able to secure it, no problem! The only issue is that some security methods slow your site down. BOO!
The two biggest goals of WordPress security:
- Prevent your site from getting hacked.
- Prevent bots or attacks from slowing down your server/website.
Here are some easy tactics to keep hackers/bots out without impacting server performance:
Avoid Slow Security Tactics
- IP blocking, blacklists/whitelists, brute-force protection and external lookups on every visitor: when these run as PHP on every request they slow your site down.
- Security scans, file/directory integrity checks, etc. (CPU and disk on every run).
- Spam blocks, captchas, content blocks…these add JS load for every visitor.
- Plus the many useless features that security plugins add just to appear more “full-featured”.
I’m not against doing any of these things; I just don’t agree with how they’re implemented! And if you have CloudFlare, you don’t need many of them. Just remember that security is best done at the server level, not the software (PHP) level. PHP is meant for application processing, not security: by the time a PHP security plugin runs, the web server has already accepted the request, started a PHP worker and loaded all of WordPress, so the cost has been paid before the request is rejected. Kind of like using your GATE for security, rather than your doors and windows.
Let’s start with some actual security tips…
1. Choose properly-coded plugins (and keep them updated)
Most people think they’re already doing this but they’re not. Just because a plugin is popular and used by many doesn’t mean it’s well-coded. Have a respected developer review the plugin, or at least look up how it is viewed by again…RESPECTED DEVELOPERS! A few checks anyone can do: when was it last updated, is it tested with the current WordPress release, does the developer answer support threads, and does the changelog ever mention security fixes (a plugin that has never fixed anything is more likely unaudited than bug-free). And actually keep it updated: most hacked WordPress sites are running a theme or plugin with a known flaw that a newer version already fixed.
2. Protect wp-admin from brute force
METHOD A) Use a security plugin to protect against brute force
- Something like WordFence. (Its login protection runs in PHP, so every blocked attempt still costs a WordPress load.)
METHOD B) Set up HTTP AUTHENTICATION for your wp-admin login
- Very simple tactic that locks down your admin page. They can’t brute force it if they can’t get in! Because the web server checks the password before PHP ever runs, a rejected attempt costs almost nothing, which is what keeps your server from being slowed down. Use it over HTTPS only: Basic auth sends the password with every request, merely base64-encoded, not encrypted.
- https://www.wpwhitesecurity.com/wordpress-security-hacks/securing-wordpress-wp-admin-htaccess/
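Here is what Method B looks like in practice, as an added example that is not part of the original post or the linked article. It assumes Apache 2.4 (`Require` syntax), that `.htaccess` overrides are allowed for `AuthConfig`, and that the password file lives at /var/www/private/.htpasswd; all three are assumptions you would adjust for your host.

```apache
# Added example, not from the original post. Assumes Apache 2.4 with
# AllowOverride AuthConfig enabled; the .htpasswd path is a placeholder.
# Create the password file once, with bcrypt, OUTSIDE the document root:
#   htpasswd -B -c /var/www/private/.htpasswd gatekeeper

# ---- site root .htaccess: wp-login.php lives here, not in wp-admin/ ----
<Files "wp-login.php">
    AuthType Basic
    AuthName "Staff only"
    AuthUserFile "/var/www/private/.htpasswd"
    Require valid-user
</Files>

# ---- wp-admin/.htaccess: everything under the admin directory ----
AuthType Basic
AuthName "Staff only"
AuthUserFile "/var/www/private/.htpasswd"
Require valid-user

# admin-ajax.php is also called by logged-out visitors (front-end forms,
# "load more" buttons, some themes). Leave it open or those features break.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Two things people get wrong: wp-login.php sits in the site root, so a wp-admin/.htaccess on its own leaves the login form exposed, hence the separate `<Files>` block; and the htpasswd user is a second, independent credential, so do not reuse your WordPress login for it. If your host is still on Apache 2.2, `Require valid-user` becomes `Require valid-user` plus `Satisfy any` with the old `Order/Allow` directives; check the Apache version before copying.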
3. Block the XML-RPC protocol (if you’re not using it)
This endpoint (xmlrpc.php) lets other software log into your WordPress: the official mobile apps, desktop blogging clients, Jetpack, and pingbacks from other blogs. It also accepts the system.multicall method, which lets one HTTP request try hundreds of username/password pairs, so an open xmlrpc.php is a brute-force amplifier. If you’ve only ever logged into your WordPress site from your browser and don’t use Jetpack, you don’t need it. You can disable it easily from your .htaccess file. Simply add the code below (this is Apache 2.2 syntax; it still works on Apache 2.4 as long as the mod_access_compat module is loaded, which it is on most shared hosts, otherwise use “Require all denied” instead of the Order/Deny pair):
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
4. Other tactics
These can be useful extra precautions:
- Do not use the default “admin” user name; pick something else. (WordPress still exposes usernames through author archive URLs such as /?author=1 and the REST API users endpoint, so treat this as a speed bump, not a secret.)
- Change the login page from wp-login.php to something else. This is obscurity only: it keeps dumb bots away but won’t stop anyone who actually looks at your site.
- Change the table prefix from “wp_” to anything else. Also obscurity: an SQL injection bug can read the real prefix out of the database anyway, so don’t rely on it.
- Login attempts blocker: install a plugin to limit the number of failed login attempts (the blocked attempts still reach PHP, which is why Method B above is cheaper).
- Prevent .php files from being run in certain directories, like wp-content/uploads. A file-upload flaw in any plugin ends with a PHP shell sitting in uploads; if the web server refuses to execute anything there, that upload is just a dead file.
- Installing a regular malware scan: this will affect performance, only use as necessary!
- Firewall: you don’t need a plugin for this, simply edit your .htaccess! A handful of rewrite rules can reject obviously malicious requests before PHP is even started.
- DB password: don’t reuse your WP-admin or email password for the database. wp-config.php stores it in plain text, so a file-read bug in any plugin hands it over.
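Three of the items above (no PHP in uploads, the .htaccess firewall, and keeping wp-config.php out of reach) as one added example that is not from the original post. It assumes Apache 2.4 syntax with `.htaccess` overrides allowed for FileInfo and Limit; on nginx these files are ignored entirely and the same rules must be written into the server block instead.

```apache
# Added example, not from the original post. Apache 2.4 syntax; assumes
# AllowOverride permits FileInfo and Limit in .htaccess.

# ---- site root .htaccess, ABOVE the "# BEGIN WordPress" block ----

# No directory listings: nobody needs a browsable copy of your plugin list.
Options -Indexes

# wp-config.php holds the DB password in clear text. PHP normally never
# serves its source, but a misconfigured handler on a shared host will,
# so deny it at the web server as well. Same for the .ht* files themselves.
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# A tiny "firewall": reject junk before PHP starts. These rules are
# deliberately conservative; a full rule set such as 7G goes in this spot.
RewriteEngine On
# Methods WordPress never needs (TRACE/TRACK enable cross-site tracing).
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule .* - [F,L]
# Directory traversal in the query string, raw or URL-encoded
# (QUERY_STRING is not decoded before matching, so test both forms).
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e/|%2e%2e%2f) [NC]
RewriteRule .* - [F,L]

# ---- wp-content/uploads/.htaccess ----

# Uploads is where a vulnerable plugin's file-upload bug ends up. Refuse to
# serve or execute scripts here. The pattern also catches "shell.php.jpg",
# which multi-extension handler setups would otherwise hand to PHP.
<FilesMatch "(?i)\.(php|php[0-9]|phtml|phar)(\.|$)">
    Require all denied
</FilesMatch>
```

Put the root rules before WordPress’s own rewrite block so they run first, and test with `curl -X TRACE https://example.com/` (expect 403) and by dropping a harmless `test.php` into uploads (expect 403, not its output) before you trust them. A few plugins do legitimately ship PHP inside wp-content/uploads; if one breaks after this, add a narrow `<Files>` exception for that single file rather than removing the rule.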
5. Use a CDN
Using any CDN, like CloudFlare (free), is especially good for absorbing DDoS and other junk traffic. Their servers block bots and bad traffic before it ever hits your server, so you never have to process it. It’s a great way to secure your site and improve performance at the same time. One caveat: the CDN only protects you if attackers can’t reach your origin server directly. Your origin IP leaks through old DNS records, outgoing email headers and the like, so restrict the origin to the CDN’s published address ranges (CloudFlare additionally offers Authenticated Origin Pulls, where the edge presents a client certificate to your server). And because the origin then only ever sees the CDN’s address, configure the server to log the real visitor IP from the header the CDN adds, or your logs are useless during an incident.
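What that origin lock-down looks like on Apache, as an added example that is not from the original post. It is an Apache 2.4 virtual host (several of these directives are not allowed in .htaccess); the two /24 networks are RFC 5737 documentation ranges standing in for the CDN’s published edge list, `CF-Connecting-IP` is the header CloudFlare specifically sets (other CDNs use `X-Forwarded-For`), and the certificate paths and hostname are placeholders.

```apache
# Added example, not from the original post. Apache 2.4 virtual host.
# 203.0.113.0/24 and 198.51.100.0/24 are placeholders for the CDN's
# published edge ranges; put the real, current list here and keep it updated.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com

    # 1. Only the CDN edge (plus localhost for health checks) may talk to the
    #    origin. Without this, anyone who finds the origin IP walks straight
    #    past the CDN's bot filtering.
    <Location "/">
        Require ip 203.0.113.0/24 198.51.100.0/24 127.0.0.1
    </Location>

    # 2. The origin now only ever sees the CDN's address. Log the visitor IP
    #    from the header the CDN adds. Trusting that header is safe ONLY
    #    because step 1 guarantees the CDN is the one setting it; a client
    #    can otherwise forge it freely.
    LogFormat "%{CF-Connecting-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" cdn_combined
    CustomLog /var/log/apache2/example.com-access.log cdn_combined

    # Placeholders: use your real certificate or the CDN's origin certificate.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>
```

If WordPress itself needs the visitor address (comment IPs, login rate-limiting plugins), that is mod_remoteip’s job (`RemoteIPHeader CF-Connecting-IP` with the same ranges as `RemoteIPTrustedProxy`), but be aware that once mod_remoteip rewrites the client address, `Require ip` evaluates the visitor’s IP rather than the CDN’s and the rule above would block everyone. In that setup move the lock-down to the host firewall (allow 80/443 only from the CDN ranges) and keep the logging as shown.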
6. Set up Backups
Make sure you have a backup in case anything happens and you’ll be able to restore easily! Keep at least one copy somewhere other than the web server itself: an attacker with a shell on the box deletes or encrypts local backups along with everything else, and a backup you have never test-restored is a hope, not a backup. Check out my WordPress backup plugin reviews.
What about WordPress security plugins?
Unfortunately many of them slow down your website and use PHP code to run features that could have been set up manually. The more code you run, the more your website slows down. I suggest doing as many things manually as possible. Many security measures can be done simply from your .htaccess file! (No plugin needed!) One thing to know before you start: .htaccess only works on Apache and Apache-compatible servers like LiteSpeed. On nginx the file is silently ignored, so the same rules have to be written into the server block by whoever manages the server.
- My favorite security plugin is probably WordFence (mainly for its malware signature database).
Kevin Perrow
Hi Johnny,
You have some good helpful articles, thank you for sharing them. I have been developing sites since early 2000 and always taken security seriously. I have a web agency on the Gold Coast of Australia ( creativeground.com.au ) which has been going since 2007.
What is your take on tighter file permissions than those recommended? So many security agencies and security plugin developers always recommend 444 for .htaccess and config.php only. I like to go further and make config 400 and the index.php file 400, then add further .htaccess files in wp-content and wp-includes, with an .htaccess file in the wp-admin which has strict IP access only. I have never seen or read anywhere saying to make permissions below 444 so just wondering what you think. Hasn’t affected any of my sites or rankings.
What would your view be?
Thank you
Johnny
I think it’s totally great if you have the time to change those file permissions. I like the idea and would indeed recommend to people if only they knew how to. With that said, most people aren’t being hacked because of htaccess/wp-config permissions, but rather because of a vulnerable theme or plugin. I sometimes change htaccess permissions anyway so plugins can’t overwrite it and lose my redirects. 🙂
jonatha Barbosa
I don’t know if you know the 7g firewall, I used it a lot in apache but I don’t know if it works in litespeed. Do you know anything about it?
Johnny
I haven’t tried it. I feel like it’s confusing now. Every company just puts a higher number and the letter “g” after it. Soon we’ll have 37g. I would imagine that LiteSpeed being Apache-compatible shouldn’t have any problems with it. Try it and see.
jonatha Barbosa
I’m referring to this https://perishablepress.com/7g-firewall/.
Johnny
I don’t see why that one wouldn’t work. Give it a try.
Lavinia
Hi Johnny,
Great post. I always value your perspective since you never seem to follow the crowd and praise whatever is in fashion. Wanted to ask what’s your opinion on Jeff Starr’s security plugins like BBQ Firewall or Blackhole for Bad Bots?
Johnny
I’m a big fan of Jeff Starr and biased in favor of everything he does. Great stuff. Do I use it for all sites? No. But his stuff and overall philosophy and methodology of doing things is perfect to me.