WordPress powers millions of websites, making it a prime target for hackers. Security hardening involves implementing SSL, setting correct file permissions, and applying best practices to reduce vulnerabilities. This guide covers advanced techniques for securing WordPress on cPanel hosting.
Step 1: Enable SSL and Force HTTPS
- Log in to cPanel.
- Navigate to Security → SSL/TLS.
- Install AutoSSL or upload a purchased SSL certificate.
- Force HTTPS using
.htaccess:
Tip: Test SSL with https://www.ssllabs.com/ssltest/.
Step 2: Set Correct File Permissions
- Files:
644 - Folders:
755 wp-config.php:600for maximum security. Change permissions via File Manager or SSH:
Step 3: Disable File Editing
Prevent attackers from editing theme/plugin files via the dashboard: Add to wp-config.php:
Step 4: Secure wp-config.php
- Move
wp-config.phpone level abovepublic_htmlif supported. - Add
.htaccessrule to block access:
Step 5: Limit Login Attempts
- Install Limit Login Attempts Reloaded or enable via Wordfence.
- Configure lockout after 3 failed attempts.
Step 6: Enable Two-Factor Authentication
- Use plugins like Two Factor Authentication or Wordfence.
- Require 2FA for all admin accounts.
Step 7: Harden wp-admin and wp-login
- Restrict access by IP:
- Rename login URL using WPS Hide Login plugin.
Step 8: Regular Malware Scans
- Use ImunifyAV in cPanel or plugins like Wordfence.
- Schedule weekly scans for files and database.
Step 9: Keep Everything Updated
- Enable Auto Updates for WordPress core and plugins in Softaculous.
- Remove unused themes and plugins.
Advanced Security Tips
- Enable HSTS for strict HTTPS:
- Disable XML-RPC if not needed:
Troubleshooting
- SSL Not Working: Check DNS propagation and certificate chain.
- Permission Errors: Ensure correct ownership (
user:user) for files. - Login Lockouts: Whitelist your IP in
.htaccess.
