
Saturday, November 12, 2016

Beginner’s Guide to Troubleshooting WordPress Errors (Step by Step)



Are you encountering a common WordPress error on your site? Do you want to troubleshoot these WordPress errors on your own? Most of these errors can be solved by following easy troubleshooting steps. In this beginner’s guide, we will show you how to troubleshoot WordPress errors one step at a time.


Troubleshooting WordPress errors


1. Create a Complete Backup of Your WordPress Site


The first thing you should do is create a complete backup of your WordPress site. If you were already using a WordPress backup plugin, then make sure that you have a recent backup safely stored somewhere.


If you were not using a backup plugin, then you should start using one immediately. However, if you don’t have access to the admin area of your WordPress site, then you will need to manually back up your database and files.


Backups allow you to restore your WordPress site easily when something goes wrong. They are your first and most important defence against security threats, hacking, and data loss.


2. Deactivate All Plugins Installed on Your Website


Most of the time, errors are caused by plugins conflicting with each other, your theme, or the WordPress core. Deactivating all WordPress plugins on your site will most likely solve the problem. You can then find out which plugin was causing the issue by activating plugins one by one on your site.


If you have access to the admin area of your WordPress site, then simply head over to the plugins page.


Select and deactivate all plugins in WordPress


First you need to select all plugins, and then select ‘Deactivate’ from ‘Bulk Actions’ drop down menu. Click on the Apply button to deactivate all selected plugins.


If you do not have access to the admin area, then you will need to use FTP or phpMyAdmin to deactivate all plugins.


Simply connect to your website using an FTP client. If you haven’t used FTP before, then you may want to see our guide on how to use FTP to upload files to WordPress.


Navigate to the wp-content folder and rename plugins folder to “plugin.deactivate”.


Rename plugins folder using FTP


For more detailed instructions, see our article on how to deactivate all plugins when not able to access wp-admin.


3. Switch to a Default WordPress Theme


Sometimes your WordPress theme can cause issues on your site. You can easily find out if your theme is causing an issue by switching to a default WordPress theme like Twenty Sixteen or Twenty Fifteen.


Head over to Appearance » Themes page and then click on the Activate button next to a default theme.


Switch to a default WordPress theme


However, if you don’t have access to the admin area of your WordPress site, then you will need to use FTP to switch theme.


Connect to your website using an FTP client and then navigate to /wp-content/themes/ folder. Download your current active theme as a backup to your Desktop.


After that you need to delete all themes except a default WordPress theme like TwentySixteen. Since your active theme will no longer be available, WordPress will now automatically switch to using the default theme available.


If your theme was causing the issue, then you should be able to log in to your WordPress site now.


4. Refresh Permalinks


WordPress uses SEO friendly URL structure or Permalinks. Sometimes the permalink structure is not updated or configured properly, which may result in unexpected 404 errors on your site.


You can easily refresh permalinks without changing anything on your WordPress site. Visit Settings » Permalinks page and click on ‘Save Changes’ button without changing anything.


Update permalinks in WordPress


5. Backup and Delete .htaccess File


A corrupt .htaccess file is often the cause of the internal server error.


First you need to connect to your website using an FTP client. The .htaccess file is located in your site’s root directory.


Since it is a hidden file, you may need to force your FTP client to show hidden files. See our article on why you can’t find the .htaccess file on your WordPress site.


You need to download the .htaccess file to your computer as a backup, and then delete it from your web server.


You can now try to login to your WordPress site and go to Settings » Permalinks page. Click on the Save Changes button to refresh your permalinks and to regenerate a new .htaccess file for your site.


6. Fix WordPress Site URL


Having incorrect settings for WordPress URL and Site URL options can also cause redirect issues, 404 errors, and some other common issues.


WordPress URL and Site URL options can be changed from admin area by visiting Settings » General page.


Changing WordPress Address and Site Address options from admin area


Make sure that both URLs are exactly the same.


If you do not have access to the admin area of your WordPress site, then you can change these URLs using FTP. There are two ways to do that using FTP:


Update WordPress URL and Site URL Settings in wp-config.php File


Once connected to your website using an FTP client, locate wp-config.php file. Now you need to edit this file in a text editor like Notepad.


Go to the line that says /* That's all, stop editing! Happy blogging. */, and just before it, add this code:



define('WP_HOME','http://example.com');
define('WP_SITEURL','http://example.com');

Don’t forget to replace example.com with your own domain name. Now save your changes and upload the file back to your server.


Update URLs Using functions.php File


You can also update URLs using your theme’s functions.php file.


Open your FTP client and navigate to /wp-content/themes/ folder. Open your current active theme’s folder and locate functions.php file inside it. Now you will need to edit the functions.php file in a text editor like Notepad.


Simply add these lines at the bottom of the functions file:



update_option( 'siteurl', 'http://example.com' );
update_option( 'home', 'http://example.com' );

Don’t forget to change WordPress URLs from the settings page after you login to your site. Once you have added them on the settings page, you need to delete these lines from your theme’s functions file.
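The two checks this step depends on (both URLs exactly the same, and the temporary update_option lines removed from functions.php afterwards, since they would otherwise reset the URLs set on the settings page) can be run against downloaded copies of the two files. The Python below is an added example, not code from WPBeginner; the function names and the sample file contents are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# define('WP_HOME', '...'); or define('WP_SITEURL', '...'); at the start of a line,
# so lines commented out with // or # are ignored (/* ... */ blocks are not parsed).
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](WP_HOME|WP_SITEURL)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""",
    re.MULTILINE,
)
# update_option( 'siteurl' | 'home', '...' ); left behind in functions.php.
UPDATE_RE = re.compile(
    r"""^[ \t]*update_option\(\s*['"](siteurl|home)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""",
    re.MULTILINE,
)
STOP_MARKER = "/* That's all, stop editing!"


def line_of(text, offset):
    """1-based line number of a character offset in text."""
    return text.count("\n", 0, offset) + 1


def check_wp_config(text):
    """Return a list of problems with the WP_HOME / WP_SITEURL overrides."""
    problems = []
    marker_at = text.find(STOP_MARKER)
    found = {}
    for m in DEFINE_RE.finditer(text):
        name, url, line = m.group(1), m.group(2), line_of(text, m.start())
        if name in found:
            problems.append(f"line {line}: {name} is defined more than once")
            continue  # PHP keeps the first definition of a constant
        found[name] = url
        if marker_at != -1 and m.start() > marker_at:
            problems.append(f"line {line}: {name} is below the 'stop editing' marker")
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"line {line}: {name} is not an absolute http(s) URL: {url!r}")
    for name in ("WP_HOME", "WP_SITEURL"):
        if name not in found:
            problems.append(f"{name} is not defined")
    if len(found) == 2 and found["WP_HOME"] != found["WP_SITEURL"]:
        problems.append(
            f"WP_HOME {found['WP_HOME']!r} and WP_SITEURL {found['WP_SITEURL']!r} differ"
        )
    return problems


def check_functions_php(text):
    """Return (line, option, url) for every active update_option() URL override."""
    return [
        (line_of(text, m.start()), m.group(1), m.group(2))
        for m in UPDATE_RE.finditer(text)
    ]


# Constructed sample: the two URLs differ only by a trailing slash.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('WP_HOME','http://example.com');
define('WP_SITEURL','http://example.com/');
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

# Constructed sample: overrides placed below the marker, one missing, no scheme.
SAMPLE_MISPLACED = """<?php
/* That's all, stop editing! Happy blogging. */
define('WP_HOME','example.com');
"""

# Constructed sample: the temporary lines were never removed from the theme.
SAMPLE_FUNCTIONS = """<?php
add_theme_support( 'title-tag' );
// update_option( 'home', 'http://old.example.com' );
update_option( 'siteurl', 'http://example.com' );
update_option( 'home', 'http://example.com' );
"""

if __name__ == "__main__":
    for problem in check_wp_config(SAMPLE_WP_CONFIG):
        print("wp-config.php:", problem)
    for line, option, url in check_functions_php(SAMPLE_FUNCTIONS):
        print(f"functions.php line {line}: update_option('{option}') still sets {url}")
```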


7. Check Reading Settings


If your newly created WordPress site is not indexed by search engines, then this is the first thing that you should do.


Login to your WordPress site and go to Settings » Reading page. Scroll down to the bottom of the page and make sure that the box next to ‘Search Engine Visibility’ is unchecked.


Search engine visibility


This option allows you to discourage search engines from showing your website in search. It is used by webmasters when they are working on a website which is not ready to be live. Sometimes you can accidentally check this setting and forget about it.


Make sure that this option is unchecked when your website is ready to go live.


8. Troubleshooting Email Issues


Many WordPress hosting providers do not have mail settings properly configured. This stops you and your users from receiving emails from WordPress.


If you are using a contact form plugin, then you will not be able to receive those emails as well. You will also not receive any WordPress notifications.


See our complete step by step instructions in our article on how to fix WordPress not sending email issue.


9. Scanning for Malware and Backdoors


If you suspect that your WordPress site is affected with malware, then you should scan your website with Sucuri. It is the best website security monitoring service for WordPress site owners.


See our case study of how Sucuri helped us block 450,000 WordPress attacks in 3 months.


For more detailed instructions, see our guide on how to scan your WordPress site for potentially malicious code.


Getting Better Support


After following the troubleshooting steps above, you should be able to fix many of the most common WordPress errors. However, if the problem persists, then you can seek further support.


WordPress is community software, so you can get help from the community by posting in WordPress support forums. Here is how to write a better support request:



  • Be polite and nice. No matter how upset or frustrated you are, do not use harsh language.

  • Mention your problem briefly.

  • Describe troubleshooting steps you have taken so far.

  • Upload screenshots to a cloud image sharing service, and then add the links in your support thread.


For more on this topic, take a look at our guide on how to properly ask for WordPress support and get it.


We hope this article helped you learn how to troubleshoot WordPress errors. You may also want to see our list of 14 most common WordPress errors and how to fix them.


If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.


The post Beginner’s Guide to Troubleshooting WordPress Errors (Step by Step) appeared first on WPBeginner.







How to Connect Constant Contact to WordPress (Step by Step)



Are you using ConstantContact for your email marketing? Want to connect ConstantContact with your WordPress site? In this ultimate guide, we will show you how to connect ConstantContact with WordPress.


Using Constant Contact with WordPress - The Ultimate Guide


Why Building an Email List is so Important?


Have you ever wondered why every website on the internet wants to have your email address? Whether you are creating an account on Facebook, Twitter, or New York Times, they all want your email address.


The answer is dead simple. Email is the best way to reach your customers.


A recent study showed that small businesses get back for every dollar spent on email marketing. It is the most effective way to convert visitors into customers.


You can learn more on this topic by reading our article on why you should start building your email list right away.


Now that you know the importance of building an email list, let’s see how to get started with Constant Contact to build an email list for your WordPress site.


What is Constant Contact?


Constant Contact is one of the most popular email marketing service providers in the world. They specialize in sending mass emails to your customers, managing your email lists, and running effective email marketing campaigns.


It can be quite overwhelming for small businesses to start their own email list. Constant Contact makes sure that even absolute beginners can run their email campaigns like a pro.


It is a paid service with free 2 month trial. After the trial period, pricing starts as low as per month.


How to Set up Constant Contact


First, you need to visit Constant Contact website and sign up for an account.


Sign up for a Constant Contact account


Upon sign up, you will land on the Constant Contact dashboard. You will see three simple steps to help you get started.


Constant Contact dashboard


Step 1: Setting up your first email list


First, you need to click on ‘Set up your first list’ link. This will bring up a popup where you need to provide a name for your email list and some email addresses to add into it.


Next, click on the save list button to continue.


Step 2: Add your organization info


The CAN-SPAM act requires a valid postal address in all outgoing marketing emails. Constant Contact makes it easy for you to comply with this law by providing your organization info. Constant Contact will then automatically add this information in the footer of your emails.


You need to click on ‘Add your organization info’ link. It will take you to a form where you need to provide your business information.


Add your organization information


You will need to provide your website address and postal address. You will also be asked to select an industry for your business and upload an image logo.


Don’t forget to click on the save button to store your settings and continue to the next step.


Step 3: Send your first email


Lastly, you need to click on ‘Send your first email’ link. Constant Contact will show you a number of beautiful email templates to choose from.


Select a template for your first email


This will open the template in Constant Contact’s live WYSIWYG email composer. This drag and drop design tool allows you to easily design your email.


First you need to provide a title for your campaign. After that you can replace the images used in template with your own, add your own text and branding.


Compose email


Click on the continue button when you are satisfied with the result.


Now you will reach the email options page. This is where you need to select which email list to use, when to send an email, or change sender name and reply-to email address.


Email options


Once you are done, click on the Send Now or Schedule button to continue.


That’s all, you have successfully finished setting up your Constant Contact account.


Adding Constant Contact Signup Forms in WordPress


Now that you have set up your Constant Contact account, the next step is to collect email addresses by asking users to join your email list.


There are multiple ways to do this. You can copy and paste the signup form code from your Constant Contact account to your WordPress site.


You can also use OptinMonster to add highly optimized signup forms to your WordPress site. It will help you get many more email subscribers faster. See our case study of how we increased our email subscribers by 600% using OptinMonster.


We will show you both of these methods in this guide. Let’s get started.


Adding Default Constant Contact Signup Forms in WordPress


Constant Contact comes with built-in tools to create your email signup forms. You can then embed these forms into your WordPress site.


First you need to login to your Constant Contact account and then click on ‘Contacts Growth Tools’ from the navigation menu on top.


Contacts growth tools


On the next page, you need to click on create a signup form button.


Create a signup form


This will bring you to the form builder wizard.


First, you need to provide the form name. This name will be used internally, so that you can identify a form in Constant Contact dashboard.


Signup form details


Next, you need to provide a title and tagline for your form. Both of them will be visible on your form.


Lastly, you need to select at least one email list. Users signing up using this form will be added to these lists.


Click on the continue button for the next step.


Now you need to add the fields you want to display on your signup form. The email address field is required. You can click on ‘Additional fields’ to add more fields to your signup form.


Add fields to your email signup form


After adding the form fields, click on the continue button.


In the last step, you can choose your font color, background color, and add a logo.


Change form appearance


You can click on the preview button to see how your form looks. Once you are satisfied, click on the ‘Finish’ button.


You will be redirected back to the contacts growth tools page. You will notice the form you just created under ‘Additional Web Sign-Up Forms’ section.


You need to click on the actions drop down menu and then select ‘Embed Code’.


Get embed code for your signup form


This will bring up a popup with the embed code to add your form anywhere. You need to copy this code and paste it in a text editor like Notepad.


Embed code for your signup form


Now visit your WordPress admin area and click on Appearance » Widgets.


From the list of available widgets, drag and drop the Text widget to a sidebar where you want to display your signup form.


Paste the code you copied from Constant Contact website in the widget’s text area. Once you are done, click on the save button to store your widget settings.


That’s all, you can now visit your website to see the signup form in action.


Constant Contact email signup form in WordPress


Adding Constant Contact Signup Forms with OptinMonster


While the basic forms are relatively easy to add, they are not ideal for high conversions.


An average user visiting your website spends very little time looking at non-content elements. You need email signup forms that grab your user’s attention.


This is where OptinMonster comes in. It is the most popular lead generation tool in the market. You can create beautiful sign up forms that are optimized for conversions and A/B test them without hiring a developer.


OptinMonster comes with different kinds of signup forms such as exit-intent popups, floating bars, after post forms, sidebar forms, slide-in forms, full screen welcome gates, and more.


You also get powerful features like MonsterLinks (2-step optins), Scroll detection, A/B testing, page level targeting, and more.


OptinMonster works great with WordPress and all popular email service providers including Constant Contact.


Send WordPress Posts to Your Constant Contact Email List


Constant Contact makes it super simple to add your WordPress content into your email campaigns.


Note: Constant Contact does not currently offer automatic sending of blog posts to email list.


First, login to your Constant Contact account and visit the Campaigns page. You need to click on the create button and then select send a new email.


Send an email


You will be asked to select a template for your email. After that you will reach the email builder screen.


From the left pane drag and drop the “Read More” block into your email preview. Next, click on the read more block in the email preview to edit it.


Add read more content block


This will bring up a popup window. You need to provide the URL of your WordPress blog post and click on the preview button.


Constant Contact will automatically fetch an image from your article and an article summary. You can click on the Insert button to add it to your email.


Fetch blog content into your email


Repeat the process to add more content from your WordPress blog into your email. Once you are done, go ahead and click on the continue button.


You will then reach the last step of creating your email. This is where you can select whether you want to send the email right away or schedule it.


That’s all, Constant Contact will now send your email with your blog content to your subscribers.


We hope this article helped you learn how to connect Constant Contact to WordPress. You may also want to see our list of 19 actionable tips to drive traffic to your WordPress site.




The post How to Connect Constant Contact to WordPress (Step by Step) appeared first on WPBeginner.







Ultimate Guide: How to Start a WordPress Blog (Step by Step)



Do you want to start a WordPress blog the right way? We know that starting a blog can be a terrifying thought, especially when you are not geeky. Guess what – you are not alone. Having helped over 130,000+ users start a blog, we have decided to create the most comprehensive guide on how to start a WordPress blog without any technical knowledge.


How to Start a WordPress Blog


The process is easy to follow whether you are 20 years old or 60 years old. However if you need help, our expert team will help you setup your blog for free. → Click Here to Get Your Free WordPress Blog Setup! ←


What do you need to start a WordPress blog?


There are three things you need to start a WordPress blog:



  1. A domain name idea (this will be the name of your blog, e.g. wpbeginner.com)

  2. A web hosting account (this is where your website lives on the internet)

  3. Your undivided attention for 30 minutes.


Yes, you read it right. You can start a blog from scratch in less than 30 minutes, and we will walk you through the whole process, step by step.


In this tutorial, we will cover:



  • How to Register a Domain Name for Free

  • How to Choose the Best Web Hosting

  • How to Install WordPress

  • How to Change Your Theme

  • How to Write Your First Blog Post

  • How to Customize WordPress with Plugins

  • Resources to Learn WordPress


Ready? Let’s get started.


Step 1. Setup


The biggest mistake beginners make when starting a blog is choosing the wrong blogging platform. Thankfully you’re here, so you won’t be making that mistake.


For 95% of users, it makes more sense to use WordPress.org also known as self-hosted WordPress. Why? Because it is free to use, you can install plugins, customize your site design, and most importantly make money from your site without any restrictions (see the difference between WordPress.com vs WordPress.org).


Now you have probably heard that WordPress is free.


You might be wondering why it is free. What’s the catch?


There’s no catch. It’s free because you have to do the setup and host it yourself.


In other words, you need a domain name and web hosting.


A domain name is what people type to get to your website. It’s your website’s address on the internet. Think google.com or wpbeginner.com


Web hosting is where your website lives. It’s your website’s house on the internet. Every website needs web hosting.


A domain name typically costs .99 / year, and web hosting normally costs .99 / month.


That’s a lot for beginners who are just starting out.


Thankfully, Bluehost, an official WordPress recommended hosting provider, has agreed to offer our users a free domain name and over 60% off on web hosting.


→ Click here to Claim this Exclusive Bluehost offer ←


Bluehost is one of the oldest web hosting companies, started in 1996 (that’s before Google). They are also the largest brand name when it comes to WordPress hosting because they host millions of websites including our own.


On top of all this, Bluehost has been working with WordPress since 2005, and they are committed to giving back. That’s why they have promised us that if you cannot get your blog online within 30 minutes by following this tutorial, then our expert team will complete the process for you without any cost. They will compensate us, so you don’t have to. Contact us for free blog setup help.


NOTE: At WPBeginner we believe in transparency. If you sign up with Bluehost using our referral link, we will earn a small commission at no extra cost to you (in fact, you will save money and get a free domain). We would get this commission for recommending just about any WordPress hosting company, but we only recommend products that we personally use and believe will add value to our readers.


Let’s go ahead and purchase your domain + hosting.


Open up Bluehost in a new window and follow along.


First thing you need to do is click on the green Get Started Now button to get started.


Start with Bluehost


On the next screen, select the plan that you need (basic and plus are the most popular).


After that, you will be asked to enter the domain name for your website.


Select your Domain Name


Lastly, you will need to add your account information and finalize the package info to complete the process. On this screen, you will see optional extras that you can purchase. It’s entirely up to you whether or not you purchase these, but we generally don’t recommend purchasing these. You can always add them later on, if you decide that you need them.


Hosting Checkout


Once completed, you will receive an email with details on how to login to your web hosting control panel (cPanel). This is where you manage everything from support, emails, among other things. But most importantly, this is where you install WordPress.


Step 2. Install WordPress


In the cPanel, you will see dozens of small icons for different services and features. This can be a bit overwhelming, so ignore 95% of them because you will never need to use them.


Scroll down to the website section and click on the WordPress icon.


cPanel Install WordPress


You will be redirected to the Bluehost Marketplace Quick Install screen for WordPress. Click on the Get Started button.


On the next screen, you will be asked to select your domain name. Choose the domain from the dropdown and then click Next.


Enter your Domain Name - WordPress Setup


After that, you need to enter your Site Name, username, and a password for your site. You also need to check all the checkboxes and then click Install.


Install WordPress - Bluehost Marketplace


The QuickInstall will start installing WordPress. The marketplace will prompt you to browse WordPress themes, while WordPress is being installed.


No need to do that right now. We’ll show you how to get free WordPress themes in the next step.


Once WordPress is finished installing, you will see the success notice in the top header bar.


Bluehost WordPress Install Complete


Click on the Installation Complete link, and it will take you to the screen with your WordPress login URL and password.


Bluehost Marketplace - WordPress login details


Congratulations, you have created your WordPress site. That wasn’t too bad, right?


Your WordPress login URL will look like this:


http://yoursite.com/wp-admin


Click on the WordPress login link to login to your dashboard.


Now we’re ready to customize your site’s appearance and start blogging.


Step 3. Selecting your WordPress Theme


The visual appearance of your WordPress blog is controlled by themes. When you first visit your blog, it will look something like this:


Default WordPress Theme


This is not very appealing to most people.


Customizing the look and feel of your blog is by far one of the most exciting and rewarding parts of the journey of creating your WordPress site.


There are thousands of pre-made WordPress themes that you can install on your site. Some of them are free, while others are paid.


You can change your theme by going to your WordPress dashboard and clicking on Appearance » Themes.


Install WordPress Themes


Go ahead and click on the Add New button.


On the next screen, you will be able to search from the 4100 free WordPress themes that are available in the official WordPress.org themes directory. You can sort by popular, latest, featured, as well as other feature filters (e.g. industry, layout, etc).


Select a Theme


When you have found the theme that you like, simply bring your mouse on it, and it will show the Install button. Click on it and wait for the theme to be installed. After that, the install button will be replaced with an Activate button. You need to click on it to Activate the theme.


Install and Activate WordPress Theme


Once you have installed your theme, you can customize it by clicking on the Customize link under the Appearance menu.


If you need help selecting a theme, then please refer to our guide on 9 things you should consider when selecting a perfect WordPress theme.


Once you have selected your WordPress theme, you are now ready to create your first blog post.


Step 4. Creating Your First Blog Post


To write your first blog post, click on the Posts » Add New menu in your WordPress dashboard.


You will see an editor area where you can write your first blog post.


WordPress Blog Post Editor


Once you’re done writing, go ahead and click on the Publish button on the right to publish your first blog post to the world.


Publish Button


On the posts screen, you will notice several other sections such as Categories and Tags. You can use these to organize your blog posts. We have a great writeup on the difference between categories vs tags, which we highly recommend that you read.


To utilize all the features on the posts screen, you should read our article on how to add a new post in WordPress (video included).


Often beginners are confused between posts and pages menu in the WordPress dashboard. That’s why we have written a complete guide on the difference between posts vs pages in WordPress.


Step 5. Plugins & Customizations


Once you have written your first blog post, you probably want to get started with adding other usual elements on your website such as a contact form, about page, and more.


To further customize WordPress and add features like contact forms, galleries, sliders, etc, you need to use WordPress plugins.


WordPress plugins are apps that allow you to add new features to your website.


There are over 46,000 WordPress plugins available. At WPBeginner, we feature the best WordPress plugins to help you add the functionality that you need.


We have a step by step guide on how to install a WordPress plugin.


Readers often ask us which plugins we use on our website. You can check out our Blueprint to see the list of plugins and tools that we use.


Here’s a list of 24 must have WordPress plugins for business websites.


Step 6. Mastering WordPress


Business Learning and Support


WPBeginner is the largest free WordPress resource site for beginners.


At WPBeginner, our main goal is to provide cutting-edge helpful WordPress tutorials that are easy to understand for small businesses, bloggers, and non-techy WordPress website owners (see more about us).


To expand your WordPress knowledge, you should check out:



  • WPBeginner Dictionary – The best place for beginners to start and familiarize themselves with the WordPress lingo.

  • WPBeginner Videos – New to WordPress? Watch these 23 videos to master WordPress.

  • WPBeginner Blog – The central place for all our WordPress tutorials.


You can also subscribe to WPBeginner’s YouTube Channel where we regularly share video tutorials to help you learn WordPress.


Lastly, you can use Google to type your question and add WPBeginner in front of it. Our users find this very helpful because you’ll likely find an answer to any WordPress questions that you have.


In case you don’t find an answer to your question, simply use our contact form to send us a message. We love helping users get started with WordPress.


We hope that you found our tutorial on how to start a WordPress blog to be helpful. You may also want to check out our article on 19 actionable tips to drive traffic to your new WordPress site.




The post Ultimate Guide: How to Start a WordPress Blog (Step by Step) appeared first on WPBeginner.







The Ultimate WordPress Security Guide (Step by Step)



WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.


Improve WordPress Security


While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to harden your WordPress website.


At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).


We have a number of actionable steps that you can take to improve your WordPress security.


To make it easy, we have created a table of contents to help you easily navigate through our ultimate WordPress security guide.


Table of Contents


Basics of WordPress Security



WordPress Security in Easy Steps (No Coding)



WordPress Security for DIY Users



Ready? Let’s get started.


Why Website Security is Important?


A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.


Worse, you may find yourself paying a ransom to hackers just to regain access to your website.


Why WordPress Security is Important


In March 2016, Google reported that more than 50 million website users have been warned that a website they’re visiting may contain malware or steal information.


Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.


If your website is a business, then you need to pay extra attention to your WordPress security.


Just as it’s the business owner’s responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.




Keeping WordPress Updated




WordPress is open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.


WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.


These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.




Strong Passwords and User Permissions


Manage strong passwords


The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your professional email address.


The top reason why beginners don’t like using strong passwords is because they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.


Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new users and authors to your WordPress site.




The Role of WordPress Hosting


Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like BlueHost or Siteground takes extra measures to protect its servers against common threats.


However, on shared hosting you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.


Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.


We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).




WordPress Security in Easy Steps (No Coding)


We know that improving WordPress security can be a terrifying thought for beginners, especially if you’re not techy. Guess what – you’re not alone.


We have helped thousands of WordPress users in hardening their WordPress security.


We will show you how you can improve your WordPress security with just a few clicks (no coding required).


If you can point-and-click, you can do this!


Install a WordPress Backup Solution




Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.


Backups allow you to quickly restore your WordPress site if something bad happens.


There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).


We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.


Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.


Thankfully this can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).




Best WordPress Security Plugin


After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.


This includes file integrity monitoring, failed login attempts, malware scanning, etc.


Thankfully, this can all be taken care of by the best free WordPress security plugin, Sucuri Scanner.


You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.


Upon activation, you need to go to the Sucuri menu in your WordPress admin.


Sucuri Admin Menu


The first thing you will be asked to do is generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.


Sucuri Generate Free API


The next thing you need to do is click on the Hardening tab from the Sucuri menu. Go through every option and click on the “Harden” button.


Sucuri Hardening


These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.


Later in this article we also cover many of these “Hardening” options for those who want to apply them without a plugin, as well as the ones that require additional steps, such as “Database Prefix change” or “Changing the Admin Username”.


After the hardening part, most default settings of this plugin are good and don’t need changing. The only thing we recommend customizing is the Email Alerts.


The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.


Sucuri Email Alerts


This WordPress security plugin is very powerful, so browse through all the tabs and settings to see everything it does, such as malware scanning, audit logs, failed login attempt tracking, etc.


Enable Web Application Firewall (WAF)


The easiest way to protect your website and be confident about your WordPress security is by using a web application firewall (WAF). The firewall blocks all malicious traffic before it even reaches your website.


Sucuri Website Application Firewall


We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.


Sucuri Attack Block Chart


The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).


This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge 0 per hour. Whereas you can get the entire Sucuri security stack for 9 per year.


Improve your WordPress Security with the Sucuri Firewall »


Sucuri is not the only firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).




WordPress Security for DIY Users


If you do everything that we have mentioned thus far, then you’re in pretty good shape.


But as always, there’s more that you can do to harden your WordPress security.


Some of these steps may require coding knowledge.


Change the Default “admin” username


In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.


Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.


However, some 1-click WordPress installers still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.


Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.



  1. Create a new admin username and delete the old one.

  2. Use the Username Changer plugin

  3. Update username from phpMyAdmin


We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).


Note: We’re talking about the username called “admin”, not the administrator role.




Disable File Editing


WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.




You can easily do this by adding the following code in your wp-config.php file.



// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.




Disable PHP File Execution in Certain WordPress Directories


Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed, such as /wp-content/uploads/.


You can do this by opening a text editor like Notepad and pasting this code:



<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.


For a more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories.


Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.




Limit Login Attempts


By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to log in with different combinations.


This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.


However, if you don’t have the firewall set up, then proceed with the steps below.


First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.


Upon activation, visit Settings » Login LockDown page to set up the plugin.


Login LockDown settings


For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.




Change WordPress Database Prefix


By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.


You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.


Note: This can break your site if it’s not done properly. Only proceed if you feel comfortable with your coding skills.




Password Protect WordPress Admin and Login Page


Password protecting wp-admin


Normally, hackers can request your wp-admin folder and login page without any restriction. This allows hackers to try their hacking tricks or run DDoS attacks.


You can add additional password protection on the server side which will effectively block those requests.


Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.




Disable Directory Indexing and Browsing


Directory browsing


Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.


Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.


You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see .htaccess file in WordPress.


After that, you need to add the following line at the end of the .htaccess file:


Options -Indexes


Don’t forget to save and upload the .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.
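To confirm that the file-level settings from the sections above (DISALLOW_FILE_EDIT, the uploads .htaccess, the table prefix and Options -Indexes) are actually in place, a small audit script helps. The following is an added example, not WPBeginner's or Sucuri's code; the function names and the constructed demo site are assumptions, and the uploads check also accepts the Apache 2.4 form "Require all denied".

```python
import re
import tempfile
from pathlib import Path

# An active (not //-commented) define that sets DISALLOW_FILE_EDIT to true.
FILE_EDIT_RE = re.compile(
    r"^\s*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(?i:true)\s*\)\s*;", re.M)
PREFIX_RE = re.compile(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", re.M)
# A <Files> block that targets .php files, and a deny rule inside it. The rule
# may be the guide's Apache 2.2 form or the Apache 2.4 "Require all denied".
PHP_BLOCK_RE = re.compile(r"<Files\s+[^>]*\.php[^>]*>(.*?)</Files>", re.I | re.S)
DENY_RE = re.compile(r"^\s*(?:deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
NO_INDEX_RE = re.compile(r"^\s*Options\b.*-Indexes\b", re.I | re.M)


def _read(path):
    """Return the file's text, or '' when it is missing or unreadable."""
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return ""


def audit(root):
    """Check one WordPress directory; each result is True when hardened."""
    root = Path(root)
    config = _read(root / "wp-config.php")
    php_block = PHP_BLOCK_RE.search(_read(root / "wp-content/uploads/.htaccess"))
    prefix = PREFIX_RE.search(config)
    return {
        "file_edit_disabled": bool(FILE_EDIT_RE.search(config)),
        "uploads_php_blocked": bool(php_block and DENY_RE.search(php_block.group(1))),
        "directory_listing_off": bool(NO_INDEX_RE.search(_read(root / ".htaccess"))),
        "custom_table_prefix": bool(prefix) and prefix.group(1) != "wp_",
    }


def build_demo_site(root, hardened):
    """Write a constructed, minimal site layout (sample data, not a real install)."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True, exist_ok=True)
    config = "<?php\n$table_prefix = '%s';\n" % ("x7k_" if hardened else "wp_")
    if hardened:
        config += "define( 'DISALLOW_FILE_EDIT', true );\n"
        (root / ".htaccess").write_text("# BEGIN WordPress\n# END WordPress\nOptions -Indexes\n")
        (uploads / ".htaccess").write_text("<Files *.php>\ndeny from all\n</Files>\n")
    (root / "wp-config.php").write_text(config)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hardened in (("default", False), ("hardened", True)):
            for check, ok in audit(build_demo_site(Path(tmp) / name, hardened)).items():
                print(f"{name:9} {check:22} {'PASS' if ok else 'FAIL'}")
```

The script only reads files, so it can be pointed at a downloaded copy of the site. It does not see settings made in the main server configuration or inside /* */ block comments.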




Disable XML-RPC in WordPress


XML-RPC was enabled by default in WordPress 3.5 because it helps connect your WordPress site with web and mobile apps.


However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.


For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.


But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.


This is why if you’re not using XML-RPC, we recommend that you disable it.


There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.


Tip: The .htaccess method is the best one because it’s the least resource intensive.


If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
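Because one system.multicall request batches many calls, a limiter that counts HTTP requests undercounts attempts. The following added example (not WordPress, Sucuri or Login LockDown code) shows request inspection that counts the batched calls instead; the MAX_SUBCALLS threshold, the function names and the constructed sample body with a placeholder method are assumptions.

```python
import xml.etree.ElementTree as ET

MAX_SUBCALLS = 5  # assumed policy threshold; tune it to your legitimate clients


def count_multicall_subcalls(body):
    """Return how many calls a system.multicall request batches.

    Returns 0 for an ordinary single call. Raises ValueError for bodies that
    are not well-formed XML-RPC or that carry DTD/entity declarations.
    """
    # Refuse DTDs before parsing so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD/entity declarations are not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    if (root.findtext("methodName") or "").strip() != "system.multicall":
        return 0
    # multicall takes one parameter: an array holding one struct per batched call.
    return len(root.findall("./params/param/value/array/data/value/struct"))


def verdict(body, limit=MAX_SUBCALLS):
    """Decide what to do with one POST body sent to xmlrpc.php."""
    try:
        batched = count_multicall_subcalls(body)
    except ValueError:
        return "reject"
    return "block" if batched > limit else "allow"


def build_sample(n_calls):
    """Constructed request body: n_calls placeholder calls, no credentials."""
    one = ("<value><struct>"
           "<member><name>methodName</name>"
           "<value><string>demo.ping</string></value></member>"
           "<member><name>params</name>"
           "<value><array><data/></array></value></member>"
           "</struct></value>")
    return ('<?xml version="1.0"?><methodCall>'
            "<methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + one * n_calls +
            "</data></array></value></param></params></methodCall>")


if __name__ == "__main__":
    for n in (0, 3, 200):
        body = build_sample(n)
        print(n, count_multicall_subcalls(body), verdict(body))
```

A login limiter that sits behind this check should add the returned count, not 1, to the client's failed-attempt tally.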




Automatically log out Idle Users in WordPress


Logged in users can sometimes wander away from their screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.


This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.


You will need to install and activate the Idle User Logout plugin. Upon activation, visit Settings » Idle User Logout page to configure plugin settings.


Logout idle user


Simply set the time duration and uncheck the box next to ‘Disable in wp admin’ option for better security. Don’t forget to click on the save changes button to store your settings.


For more detailed instructions, see our guide on how to automatically log out idle users in WordPress.




Add Security Questions to WordPress Login Screen


Security questions on login screen


Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.


You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.


For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.




Fixing a Hacked WordPress Site


Many WordPress users don’t realize the importance of backups and website security until their website is hacked.


Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.


Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.


Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.


For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.




That’s all. We hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.




The post The Ultimate WordPress Security Guide (Step by Step) appeared first on WPBeginner.