Step-by-step instructions for configuring the security of WordPress version 5.6 and above.
Step 0 – Choosing a hosting provider
If you are reading this article, you already have hosting, so it is too late to recommend anything :) For the future, remember: do not choose hosting by price alone.
Step 1 – Remove all unnecessary plugins, themes
Boldly remove all unused plugins and themes. Hackers often use disabled and outdated templates and plugins (even official WordPress plugins) to gain access to your control panel, or upload malicious content to your server. By removing plugins and templates that you no longer use, you reduce your risks and make your WordPress site more secure.
For example, you installed plugins to test and choose the one you will use. After selecting, don’t forget to delete any unnecessary ones.
- Remove unused plug-ins.
- Remove unused themes. You should have at most three themes: the one your site uses, its child theme, and Twenty Twenty-One (the default WordPress theme for 2021). Keep Twenty Twenty-One so that if your main theme fails (a white screen is usually caused by PHP errors, all the more likely if you have a custom theme or plugins), you can switch to it and fix the problem.
Step 2 – Enable auto-update engine, plugins, themes
If you don’t want to update WordPress because you made changes to the files, it’s better to create a child theme, transfer the changes to it, and still enable updates.
Since version 5.5, WordPress has a built-in feature to automatically update themes and plugins.
- Turn on theme auto-update: go to “Appearance” -> “Themes”, hover your mouse over the desired theme, click “Theme info” -> “Enable automatic updates”.
- Turn on plugin auto-update: go to the “Plugins” section and turn on auto-update next to the desired plugin.
If you have software on your site that is not compatible with new versions of WordPress, a plugin or a theme, you can enable selective automatic updates of plugins or themes.
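Selective auto-updates can also be set in code instead of clicking through every plugin. The following is an added example, not code from the original article: it turns automatic updates on for everything except an explicit hold list, using the `auto_update_plugin` and `auto_update_theme` filters that WordPress provides. The slugs in the hold lists are assumed placeholders; replace them with your own.

```php
<?php
// Added example (not from the original article). Returning true or false from
// these filters overrides the per-item toggle shown in the dashboard.

// Plugin directory names that must stay on manual updates, e.g. ones you have
// verified break on newer versions. Constructed placeholder values.
const MY_PLUGIN_UPDATE_HOLD = array( 'legacy-gallery', 'custom-checkout' );

// Theme directory names to hold back; a heavily customised parent theme that
// you have not yet moved into a child theme is the typical case. Placeholder value.
const MY_THEME_UPDATE_HOLD = array( 'my-custom-parent-theme' );

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item comes from the update API; $item->plugin is "dir/main-file.php",
    // so the directory part is the slug when $item->slug is not set.
    $slug = isset( $item->slug ) ? $item->slug : dirname( $item->plugin );
    return ! in_array( $slug, MY_PLUGIN_UPDATE_HOLD, true );
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
    // For themes $item->theme holds the stylesheet directory name.
    return ! in_array( $item->theme, MY_THEME_UPDATE_HOLD, true );
}, 10, 2 );

// Core: minor (security) releases are applied automatically by default;
// this additionally allows major releases to be installed unattended.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
```

Put this in a small must-use plugin (wp-content/mu-plugins/) rather than the theme's functions.php, so the policy survives a theme switch.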
Step 3 – Remove the admin or use non-standard login credentials
Do not use a username such as admin. It is strongly recommended that you change your admin username to something else.
The easiest time to choose a non-standard login is when you install WordPress. If it is already installed, create a new administrator account with different credentials.
- Log in to your WordPress control panel
- Find the “Users” section and click “Add New”.
- Create a new user and give it administrator rights.
- Log out and log back in to WordPress with the new account.
- Go back to “Users” and delete the default Admin account.
I recommend using specialized tools to create and securely store passwords.
Step 4 – Back up your data as often as possible
Even the biggest sites get hacked every day, despite the fact that their owners spend thousands to improve WordPress security.
Not all attacks can be prevented, but just one successful attack can destroy all the work you have put into your site. We recommend that you make regular backups of your site.
There are several ways to create backups. You can manually download the site files and export the database, or, as I wrote above, use the tools offered by your hosting plan (I did not use the word tariff for nothing – hello to the marketers). Another way is to use WordPress plugins. The most popular ones are:
- Or find a plugin under the backup tag: https://wordpress.org/plugins/tags/backup/
- WordPress Database Backup – plugin settings allow you to set the option to send a daily database backup to your contact mailbox.
Step 5 – Disable WP JSON
WP JSON is short for the WordPress JSON REST API. It is used to write applications, on different platforms and in different languages, that can manage your site: add, change and delete content, customise themes, menus, widgets and more. As you have already guessed, that also means it can be used for unsafe things!
Search engines often index /wp-json/ as a subsection of the site. From an SEO point of view, only pages that bring traffic should be in the index, not technical (garbage) pages like /wp-json/.
When disabling the WordPress REST API, keep in mind that some popular plugins use it, such as Contact Form 7. So if your feedback form suddenly stops working, check whether the REST API is disabled. The block editor (introduced in WordPress 5.0) also saves posts through the REST API, so test post editing after the change.
We have at least two reasons to disable wp-json: security and SEO. To disable wp-json I use the Clearfy Pro plugin, or you can use the code below.
```php
// Disable REST API
// Note: the 'rest_enabled' filter has been deprecated since WordPress 4.7 and
// no longer switches the API off on its own; the action removals below do the work.
add_filter( 'rest_enabled', '__return_false' );

// Disable REST API discovery links and cookie-authentication hooks
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
remove_action( 'wp_head', 'rest_output_link_wp_head', 10, 0 );
remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );
remove_action( 'auth_cookie_malformed', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_expired', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_bad_username', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_bad_hash', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_valid', 'rest_cookie_collect_status' );
remove_filter( 'rest_authentication_errors', 'rest_cookie_check_errors', 100 );

// Disable REST API initialisation and request handling
// (this is what actually makes /wp-json/ stop answering)
remove_action( 'init', 'rest_api_init' );
remove_action( 'rest_api_init', 'rest_api_default_filters', 10, 1 );
remove_action( 'parse_request', 'rest_api_loaded' );

// Disable the embeds-related REST API route and discovery links
remove_action( 'rest_api_init', 'wp_oembed_register_route' );
remove_filter( 'rest_pre_serve_request', '_oembed_rest_pre_serve_request', 10, 4 );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
```
Insert this code in the functions.php of your theme; if its last line is ?>, insert the code before that line.
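If switching the REST API off entirely breaks the block editor or a plugin you rely on, a narrower option is to refuse anonymous requests to /wp-json/ while letting logged-in users and an explicit allowlist of public routes through. This is an added example, not code from the original article or from WordPress itself; it uses the `rest_pre_dispatch` filter, and the allowlist prefixes are assumed placeholders you must replace with the routes your own plugins need.

```php
<?php
// Added example (not from the original article): block unauthenticated REST
// API access instead of disabling the API. Authenticated requests (cookie +
// nonce from the admin, or an application password) still work, so the block
// editor keeps saving posts.

// Route prefixes that may be called without logging in. Placeholder value:
// a contact-form plugin's namespace is the typical entry needed on a blog.
const MY_PUBLIC_REST_PREFIXES = array(
    '/contact-form-7/v1/', // assumed; keep front-end form submissions working
);

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced a response or error: do not override it.
    if ( null !== $result ) {
        return $result;
    }

    // Authentication has already run by the time rest_pre_dispatch fires,
    // so is_user_logged_in() reflects the REST request's credentials.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous caller: allow only the explicitly public route prefixes.
    $route = $request->get_route();
    foreach ( MY_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }

    // Everything else is answered with 401 and no data. Returning a WP_Error
    // here short-circuits dispatch; the 'status' key becomes the HTTP status.
    return new WP_Error(
        'rest_login_required',
        'REST API access requires authentication.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After installing it, request /wp-json/ while logged out and confirm you receive a 401 JSON error rather than the route index, then confirm that saving a post in the block editor still works.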