How to secure WordPress (Part 1 of 3)

Wiliam

How to secure wordpress

All WordPress sites get regularly attacked, if we don’t see something that doesn’t mean it isn’t happening. This issue will be dealt with over three posts where we’ll get into how to make a WordPress site secure.. Step-by-step we’ll show you the keys to being able to survive after an attack on your website.

We’re going to see how WordPress sites are attacked andhow to secure them. The first thing we’re going to do to secure WordPress is to identify the different attacks. We’re going to start by first seeing the most common and easy to be dealt with attacks. They are dictionary or brute force attacks.

Identify the type of attack

The first thing we’re going to do to secure WordPress is to identify the different attacks. We’re going to start by first seeing the most common and easy to be dealt with attacks.

Dictionary (or brute force) attack

The attack consists of identifying WordPress users and then trying to login with their names attempting using password dictionaries. In case they don’t manage to extract the names of the users, by default they’ll try for the user admin.

To extract the list of users, it’s as easy as adding? author=1 to the URL of our WordPress installation. If that works, we’ll start increasing the ID to find more users.

author-request

author-result
As a result we’ll be redirected to the author’s page and we’ll see the login in the URL. Now we can go to the login page for WordPress and start to try passwords until we gain access.

author-login

Solution

The solution for protecting ourselves from this type of attack involves installing the Better WP Security plugin.

Better-WP-Security

This plugin will mainly do the following among other functions:

  • Blocking the robots that find security breachesand thus many times end up calling 404 pages.
  • Blocking all the known malicious robots through UserAgent whenever it’s available.
  • Detecting brute force attacks and blocking the attacker if they attempt to enter the password too many times.
  • Changing the URL of the panel, in such a way that wp-admin and wp-login.php show a 404 error.
  • Blocking access to the internal directories of WordPress.

Configuration of Better WP Security

We recommend that each time you put up a WordPress site on the internet, you install this plugin and configure it in general as follows:

First we’ll allow the plugin to modify the wp-config.php file and .htaccess to let us add the protection.

seguridad-wordpress-01

Detection of 404 errors

A lot of robots are dedicated to continuously attempting known security flaws in our WordPress installation in case one of them works. If the security flaw can’t be exploited, they end up on a 404 page, and as such we can say that if someone ends up generating more than a hundred 404 errors in less than 5 minutes, we’ll block them for a while. After being blocked numerous times, we block them indefinitely.

seguridad-wordpress-02

Blocking known robots

Some robots identify themselves with signatures we can use to directly block them before they’re able to do anything.

seguridad-wordpress-03

Once we activate this option, Better WP Security will add it to .htaccess.

better-wp-security-default-blacklist

Blocking brute force attacks

Better WP Security will identify attackers that unsuccessfully try to gain access too many times and will block them. If we subscribeby email to the network iThemes Brute Force Protection, we can share the list of attackers with other WordPress sites on the network and vice-versa.

seguridad-wordpress-04

Hide the control panel

Without a doubt, the most important measure for protecting against brute force attacks is to change the URL of the login for our WordPress site, so that only those who know the URL address can login. We recommend entering a unique name that you’re comfortable with.

Once this is done all the users we have will be notified that there’s new URL via email.

seguridad-wordpress-06

Other security measures

To finish up the configuration of the plugin, we’ll enabled other security measures which are just as important, such as avoiding files being listed in our directories, blocking suspicious URLs, not executing PHP in the uploads directory of WordPress, etc.

seguridad-wordpress-07

seguridad-wordpress-08

seguridad-wordpress-09

In conclusion

It’s important for us to take these security measures whenever we install a WordPress site that is exposed to the internet.

In the following articles we’ll see:

  • How to avoid users being listed using?author=1.
  • How to make effective backups and minimize the data loss for shops and blogs.
  • How to fully hide the fact that we’re using a WordPress installation protecting us against 99% of robot attacks.

I’ll answer any questions in the comments section

  • Blog, SEO

    Cómo hacer SEO en Tik Tok para ganar visibilidad

    Bego Ontiveros/
    22 de octubre de 2025
  • Blog, SEO

    Qué es el error 500 en WordPress y cómo solucionarlo

    Natalia Salgueiro/
    20 de agosto de 2025
  • Diseño – UX

    La Paradoja de la Hamburguesa: así influye la estructura del precio en la percepción del valor y la experiencia del usuario

    Paula Martínez/
    6 de agosto de 2025
  • SEO

    El impacto de los AI Overviews de Google en el SEO y el tráfico orgánico

    Catarina Girao/
    30 de junio de 2025
  • SEO

    Estrategia SEO en 2025 y su evolución en los últimos años

    Álvaro González/
    4 de junio de 2025
  • Blog, SEO

    SEO en medios de comunicación: estrategia de contenidos para Google Discover

    Alonso Gallego/
    20 de mayo de 2025