There are 3 things that you can do right now that will instantly increase the security of your WordPress website. There is nothing really that you can do to secure your website 100% and there are certainly more things you can do to really secure your WordPress website, but the following is what you can do right now that will significantly reduce the likelihood of your website becoming compromised. 

These steps are in addition to your regular maintenance of updating plugins, themes, WordPress versions and using strong passwords and secure admin usernames. Ready? Ok lets get started…

1. Install Sucuri Plugin

This plugin is pretty great, well made and supplied for free from the talented guys from Sucuri.

They have paid plans that will ensure the security of your website, including a Firewall feature that will block all kinds of SQL injection or PHP file injection. The plugin that is available for free is what we use on all our client websites and it is perfect. It includes a great function to harden your files, which puts .htaccess files in all the core files of your WordPress site, which will stop bad guys putting unwanted files that will do nasty things to your website.

There is also a monitoring system in place so that you know when those “bad guys” are trying to brute force into your WP-Admin page. One thing it does not have is a way to block IP address from those Brutes, but we’ll cover that in the next plugin. You could even turn off the notification feature and let the next plugin do it for you.

Go get Sucuri here

2. Install WordFence Plugin

The team from Wordfence have made a great plugin. The free features are all that you need if you don’t need premium support or the ability to schedule scans of your files.

The plugin has a full suite of features that are great out of the box, including, the ability to block IP’s or bots trying to guess logins and get into your website.

WordFence will also tell you if you have any compromised files, or files that have recently been altered. It will send you emails to let you know about plugins that need to updated and also who’s been trying to brute force their way into your website.

Go get Wordfence here:

3. Add a few lines to your .htaccess file

This step is a little technical, so you’ll need to grab a coffee or glass of wine, whatever your preference. Ok, are you ready? Great, lets get started.

1. You’ll need to log into your hosting control panel and go into your files area. If you are using cPanel, you can find the files under File Manager.  You may get a message box pop that has a couple of checkboxes, one which says, show hidden files, check that one. Reason – a .htaccess file is a hidden file and good to be also for security reasons.

2. Ok, so once you have opened the File Manager, you will see a whole group of files and you should see a file called .htaccess. You will want to select it and click on Code Editor, this will open the file in a new tab window. Click on the new tab to view the file. It should look something like the following:

 # BEGIN WordPress
 RewriteEngine On
 RewriteBase /aws/
 RewriteRule ^index.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /aws/index.php [L]
 # END WordPress

Now copy / paste the following to the bottom of the .htacess file:

 Order Deny,Allow
 Deny from All
 Allow from "your ip here"

Replace the “your ip here” with your own IP address. If you do not know your IP, open up a new tab and do a Google search for “my ip.” Copy and paste the numbers you see in the Google result into the .htaccess file.

3. Your .htaccess files should look like the following. If so, then go ahead and Save.

 # BEGIN WordPress
 RewriteEngine On
 RewriteBase /aws/
 RewriteRule ^index.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /aws/index.php [L]
 # END WordPress
 # Protect wp-login
 Order Deny,Allow
 Deny from All
 Allow from "your ip here"
# END Protect wp-login

Explanation of the above: The rule that we have added limits only your local connection or IP address to the WP-Login.php screen, thus not allowing any other person, bot or bad guy into your login screen. If you have other people needing to access the login, simply add add a new Allow from ip here including the ip address of the persons local connection and you are set.

Conclusion

So, that was easy was’nt it?

OK, so what did we just do. Let’s recap shall well.

Firstly, we want to be able to harden our core WordPress files so bad guys cannot inject PHP code into them and do unspeakable things to our website, so we installed the Securi plugin to harden the files for us. Second, we want to know what plugins are needing to updated, simply because we are not our Website mind reader and if the bad guy did get in somehow we can see what files have been altered, so we installed Wordfence. We also want to block any IPs that find a way into out website. Now to add that extra layer of security, so that bad guys cannot even reach our WP-Admin page, we inserted a rule into our .htaccess file to tell our website to not let anyone in unless they are at a specific IP address, that we add to the file.

So that’s it. You have now dramatically increased the security on your WordPress website.

Caveat: The above is of course only partial to what you can do to increase the security of your WordPress website. There are many other ways to secure your website, however the above will significantly improve your chances of safe passage into the interwebs. It still comes down to your own diligence, making sure plugins and theme files are upto date and you keep a backup stored off site (just in case)