• Reading time:8 mins read

WordPress is the world’s most widely used CMS (content management system) for website creation, which also makes it a favorite target for hackers. It’s estimated that WordPress faces around 90,000 attacks every minute. In this article, I’ll explain how to secure a WordPress website easily. All these methods and plugins are complementary, so you can easily apply them all.

Securing your website from the hosting provider

Installing an SSL certificate

An SSL (Secure Sockets Layer) certificate is a security technology that establishes an encrypted link between a web server and a browser. This link ensures that all data exchanged between the server and the browser remains confidential and secure. SSL protects sensitive user information, such as credit card numbers, login details and other personal data.

Most hosting providers offer simple SSL installation via their control panel.

Redirect all HTTP requests to HTTPS

HTTP to HTTPS redirection is a process that ensures that all requests made to an HTTP (insecure) URL are automatically redirected to the corresponding HTTPS (secure) URL. Users accessing a site via an insecure (HTTP) connection will automatically be transferred to a secure (HTTPS) connection.

Many hosting providers offer options to automatically activate HTTP to HTTPS redirection via their control panel.

Manual configuration via .htaccess file

The .htaccess (Hypertext Access) file is a configuration file used by the Apache web server and its derivatives. It allows you to modify the server configuration directly from the directory where it is located, without having to access the main server configuration files.

You can add redirection rules to your WordPress site’s .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Enable HSTS (HTTP Strict Transport Security) protocol

HTTP Strict Transport Security (HSTS) is a web security standard that protects sites against various forms of network attack, such as cookie hijacking and Man-in-the-Middle (MITM) attacks. By instructing browsers to always use HTTPS instead of HTTP for all communications with the server, HSTS enhances the security of users and data exchanged.

Manual configuration via .htaccess file

Enabling HSTS on a WordPress site requires modification of your web server configuration file.

  1. Add the following HSTS directive to your .htaccess file:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  • max-age=31536000 : Sets the length of time the browser should remember that this site is only accessible via HTTPS, here 31,536,000 seconds (1 year).
  • includeSubDomains : Apply this policy to all subdomains.
  • preload : Tells browsers to preload this rule, by adding your site to the HSTS preload list maintained by browsers (requires separate registration).
  1. Once you’ve activated HSTS and checked that everything’s working properly, you’ll need to submit your site to the HSTS preload list.

This list is used by browsers to apply HSTS even before the user’s first visit to your site.

Securing your website from WordPress

WordPress is highly regarded for its plugins, which make it easy to set up and manage websites. Among the many plugins available, Wordfence and WPS Hide Login stand out for their ease of use.

Wordfence acts as an antivirus for your website

Wordfence is one of the most popular security plugins for WordPress. It offers a full range of features to protect your site against threats:

WordPress Security Plugin Wordfence
  • Firewall (WAF) : Wordfence uses a firewall that identifies and blocks threats in real time, before they even reach your site. It is constantly updated to cope with new vulnerabilities.
  • Malware scanner : Wordfence’s malware scanner scans all files on your site (core, themes, plugins) to detect and eliminate malware, malicious URLs and file modifications.
  • Protection against brute-force attacks : Wordfence monitors and limits connection attempts to prevent brute-force attacks. It automatically blocks suspicious IP addresses after several failed attempts.
  • Dual authentication (2FA ): Wordfence offers dual authentication, adding an extra layer of protection for user connections.

Replace login URL with WPS Hide Login

WPS Hide Login is a simpler plugin that replaces the default WordPress login page URL. By modifying this URL, you can significantly reduce the risk of automated attacks on your login page:

WPS Hide Login
  • Change login URL : By default, the WordPress login URL is your-site.com/wp-login.php or your-site.com/wp-admin. By changing this URL with WPS Hide Login, you make it more difficult for attackers to gain access to your login page via automated scripts.