With nearly over 60 million websites running WordPress, it is undoubtedly one of the most popular blogging systems today. Like any other blogging platform in the market, WordPress comes with it’s fair share of vulnerabilities. Don’t fret. Czar Securities has prepared a quick guide to harden your WordPress Website’s security in under 10 minutes!

# Install a Comprehensive Security Plugin – Astra

There are numerous plugins which give you a wide array of security options for your WordPress website. I recommend Astra Security plugin because it is by far the simplest security plugin to use. Wordfence claims to provide Enterprise class security and is yet 100% free.

Some of the key features –

  • Protection against Attacks like SQL Injection, XSS, base64, CRLF, CSRF, RFI etc.
  • Firewall
  • Anti-virus/Malware Scanning
  • Real-time blocking of known attackers / Rate Limit
  • Enhanced Login Security

After the initial security scan in Wordfence, make sure you complete all the critical steps to secure your WordPress website!

# Protect your .htaccess File

As you know.htaccess files play an important role in the functioning and security of your WordPress website. It is crucial that you also take measures to protect your sites .htaccess files.

Just copy and paste the below code in your domain’s root .htaccess file to prevent the external access to any file with .hta.

 <Files ~ "^.*.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all

# Install Theme Authenticity Checker (TAC)

Beware of free third party WordPress themes which come with some malicious code embedded into them. Theme Authenticity Checker or TAC is a solid plugin that scans all of your theme files for potentially malicious or unwanted code. It’s a must have!

# Disable File Editing via Dashboard

Let’s say a hacker manages to gain access to your WordPress Dashboard, he could execute whatever code he wants to and can gain complete control over your website.

Therefore, it’s a good idea to disable file editing via Dashboard. You can do so by adding the following line to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

# Limit Login Attempts

By default WordPress allows unlimited login attempts which allows hackers to brute-force passwords (or hashes) with relative ease. The Limit Login Attempts plugin lets you limit the rate of login attempts made on your WordPress website.

# Hide your Username from the Author Archive URL

It is highly advisable that you hide your username from appearing in the authors archive URL. This will make things difficult for a brute force hacking attempt on your website.

You can update this by following these simple steps –

  1. Login to your Hosting Account
  2. Open phpMyAdmin to view the Database Linked to your WordPress Install
  3. Select the wp_users table.
  4. Change the value in the user_nicename column to something you want to be displayed in the URL (preferably the value in display_name column). Make it different from the value in the user_login column.

If you find the above steps confusing, you install the Edit Author Slug plugin to do the job for you.

# Enable Two-Factor Authentication –Google Authenticator

It’s highly advisable to enable two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. It can be seamlessly integrated into your WordPress website using the Google Authenticator plugin.

# Keep your WordPress Core Files and Plugins Up to Date

It is important to keep your WordPress version up to date along with all the plugins installed on your website. You might find this plugin handy – Automatic Updater.

# Automate Backups of your Website

It’s good to have a backup of your website for a rainy day. Using one of the following backup plugins, you can completely automate the backing up of your WordPress website –


Still not happy with your Website’s security? Contact Czar Securities to get your Website tested!