Fixing Common WordPress Security Issues

Trying to fix WordPress security issues? Here’s a guide to fix common issues and concerns you might be having about your WordPress website.

Getting an SSL certificate

WordPress website showing as “not secure”?

Is your WordPress website showing as “not secure” in browsers such as Google Chrome? This is because you need an SSL certificate.

An SSL certificate encrypts the session between the user’s browser and your website’s server. We especially recommend getting an SSL certificate for websites where users enter data directly into the site, for example through data-capture forms, contact forms, login forms and e-commerce transactions.

Enabling your free Let’s Encrypt SSL certificate in cPanel

To fix this common WordPress security issue, check whether your hosting provider offers an SSL certificate. Most providers that host websites on Linux-based servers offer SSL certificates for free through Let’s Encrypt inside cPanel — you just have to enable them using the guide below.

  1. On your Linux-based server, sign into your cPanel account.
  2. Navigate to the shortcut titled Let’s Encrypt [if your server hasn’t disabled this].
  3. Issue the SSL certificate to your chosen domain under this account.
  4. Follow this guide on enabling your SSL on your WordPress website.

Free Let’s Encrypt SSL hosting providers list

We’ve compiled a list of the free SSL hosting providers that let you use Let’s Encrypt’s SSL service for free on your hosting server.

  1. 1&1 Hosting
  2. Dreamhost
  3. SiteGround
  4. Krystal
  5. WP Engine

Please note: purchasing a service from one of the hosting providers listed above does not guarantee that you’ll receive an SSL certificate for free. Please be sure to check with them first.

HTTPS shows but it’s not green

If your website shows HTTPS but not the green padlock, the current page probably contains mixed content: some resource on it (an image, script, stylesheet or form target) is still being loaded over plain HTTP.

To fix this, you can either install a plugin to fix this as shown in this guide or manually change the HTTP links into HTTPS.
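To find out which resources are causing the mixed-content warning before you edit links by hand, here is an added example script (written for this guide, not code from WordPress or from any plugin) that scans a page’s HTML for sub-resources requested over http://. The sample page and the example.com host are constructed for the demonstration. The active/passive split follows the rule browsers apply: active content such as scripts, frames, stylesheets and form targets is blocked outright, while passive content such as images is loaded but costs you the padlock.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# (tag, attribute) pairs that make the browser fetch a sub-resource or submit
# data. Browsers block "active" mixed content outright and load "passive"
# mixed content with the padlock removed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("form", "action"), ("link", "href")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"),
           ("source", "src"), ("video", "poster")}
SUBRESOURCE = {**{k: "active" for k in ACTIVE},
               **{k: "passive" for k in PASSIVE}}


@dataclass
class Finding:
    tag: str
    attr: str
    url: str        # the http:// URL exactly as written in the page
    kind: str       # "active" or "passive"
    own_host: bool  # True when the host is your own site (fixable by editing the link)
    fixed: str      # the same URL with the scheme switched to https


class MixedContentScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only fetches for rel values such as stylesheet/preload/icon;
        # rel="canonical" or "alternate" is metadata and is never loaded.
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "preload", "icon"}:
                return
        for attr, value in attrs.items():
            kind = SUBRESOURCE.get((tag, attr))
            if kind is None or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # https://, relative and protocol-relative URLs are fine
            fixed = urlunsplit(("https",) + tuple(parts[1:]))
            own = (parts.hostname or "").lower() == self.site_host
            self.findings.append(Finding(tag, attr, value, kind, own, fixed))


def scan_mixed_content(html, site_host):
    """Return every http:// sub-resource reference found in the HTML."""
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: three real problems plus several lookalikes that
# are NOT mixed content (a canonical link, a navigation link, a
# protocol-relative image and a relative form action).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/about/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/2020/logo.png">
<img src="//cdn.example.net/banner.jpg">
<a href="http://example.com/contact/">Contact</a>
<script src="http://ads.example.net/tracker.js"></script>
<form action="/wp-login.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for f in scan_mixed_content(SAMPLE_PAGE, "example.com"):
        where = "same site: edit the link" if f.own_host else "third party: needs an https source"
        print(f"[{f.kind}] <{f.tag} {f.attr}> {f.url} -> {f.fixed} ({where})")
```

Run it against the saved HTML of the affected page (or feed it the output of a fetch) with your own hostname; every "same site" finding can be fixed by changing the link to https://, while a third-party finding needs that provider to offer an https:// URL or the resource has to be replaced.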

Allow automatic core updates for security

WordPress often releases updates to its core files. These minor updates generally contain bug fixes that cover WordPress security issues.

You can allow these automatic updates by following the steps below:

  1. Use an FTP client to access your WordPress server.
  2. Navigate to your WordPress installation path and find the file called wp-config.php.
  3. Search this file for WP_AUTO_UPDATE_CORE and make sure that its value is set to true, which enables this security feature of automatic updates.

If WP_AUTO_UPDATE_CORE is not set at all, then you can copy and paste the code below into your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

Disable the file editor

The file editor, located under Appearance > Editor and Plugins > Editor, allows your logged-in administrator-level accounts to edit theme and plugin files directly on your server.

One wrong line of code can often take the whole website down, so it’s best to disable this functionality and edit files only through an FTP client.

You can disable the editor by following the steps below:

  1. Use an FTP client to access your WordPress server.
  2. Navigate to your WordPress installation path and find the file called wp-config.php.
  3. Copy and paste the code below into your wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );
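To check an existing wp-config.php for both settings covered above (automatic core updates and the disabled file editor) and for the $table_prefix discussed in the next section, here is an added example audit script; it is not part of this guide or of WordPress. It reads the define() lines with regular expressions instead of running PHP, so it can be run on a downloaded copy of the file, and the sample wp-config.php it inspects is constructed with placeholder values.

```python
import re

# define( 'NAME', value );  captures the constant name and its raw PHP value.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""",
                       re.IGNORECASE)
# $table_prefix = 'wp_';
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
# Whole-line // and # comments plus /* ... */ blocks, so a commented-out
# define() is not mistaken for an active one.
COMMENT_RE = re.compile(r"(?m)^[ \t]*(?://|#)[^\n]*|/\*[\s\S]*?\*/")


def parse_wp_config(text):
    """Return ({CONSTANT: raw value}, table_prefix or None) for a wp-config.php."""
    text = COMMENT_RE.sub("", text)
    constants = {name.upper(): value for name, value in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    return constants, (m.group(1) if m else None)


def php_bool(raw):
    """Interpret the raw PHP value of a define(); None if it is not a plain boolean."""
    if raw is None:
        return None
    raw = raw.strip().strip("'\"").lower()
    return {"true": True, "false": False, "1": True, "0": False}.get(raw)


def audit_wp_config(text):
    """Return [(setting, status, advice)] with status 'ok' or 'fix'."""
    constants, prefix = parse_wp_config(text)
    report = []

    auto_raw = constants.get("WP_AUTO_UPDATE_CORE")
    auto = php_bool(auto_raw)
    if auto is True:
        report.append(("WP_AUTO_UPDATE_CORE", "ok", "all core updates are automatic"))
    elif auto_raw is not None and auto_raw.strip("'\" ").lower() == "minor":
        # 'minor' is a valid value: security/minor releases only.
        report.append(("WP_AUTO_UPDATE_CORE", "ok",
                       "minor (security) releases are automatic; set true to include major releases"))
    else:
        report.append(("WP_AUTO_UPDATE_CORE", "fix",
                       "not enabled; add define( 'WP_AUTO_UPDATE_CORE', true );"))

    if php_bool(constants.get("DISALLOW_FILE_EDIT")) is True:
        report.append(("DISALLOW_FILE_EDIT", "ok", "theme and plugin editor is disabled"))
    else:
        report.append(("DISALLOW_FILE_EDIT", "fix",
                       "editor still enabled; add define( 'DISALLOW_FILE_EDIT', true );"))

    if prefix is None:
        report.append(("$table_prefix", "fix", "no $table_prefix assignment found"))
    elif prefix == "wp_":
        report.append(("$table_prefix", "fix", "default prefix wp_ is in use; choose a unique prefix"))
    else:
        report.append(("$table_prefix", "ok", f"custom prefix {prefix} is in use"))
    return report


# Constructed sample wp-config.php with placeholder credentials (not a real site).
SAMPLE_WP_CONFIG = r"""<?php
/** Constructed sample wp-config.php for this example. */
define( 'DB_NAME', 'demo_db' );
define( 'DB_USER', 'demo_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'DB_HOST', 'localhost' );

$table_prefix = 'wp_';

/* The lock-down below is commented out, so the file editor is still enabled: */
// define( 'DISALLOW_FILE_EDIT', true );

define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'WP_DEBUG', false );
"""

if __name__ == "__main__":
    for setting, status, advice in audit_wp_config(SAMPLE_WP_CONFIG):
        print(f"{status.upper():4} {setting}: {advice}")
```

Point it at a copy of your own wp-config.php (for example, read the file and pass its contents to audit_wp_config) and work through every line marked FIX; the script never changes the file, it only reports.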

Changing the default database prefix from "wp_"

By default WordPress uses the database table prefix wp_, and the rest of each table name (users, options, posts and so on) is the same on every WordPress installation. An attacker who manages to send SQL queries to your database can therefore easily guess your full table names.

You can set this at the start of your WordPress installation so that your WordPress website is more secure. However, if you’re looking to fix an existing WordPress installation, you can do it manually using the steps below:

  1. Use an FTP client to access your WordPress server.
  2. Navigate to your WordPress installation path and find the file called wp-config.php.
  3. Find the $table_prefix variable and replace its value with something more secure than wp_.
  4. Sign into your cPanel hosting account and navigate to phpMyAdmin.
  5. From the left sidebar, click your database and select the first table.
  6. Click Operations.
  7. Type a new name under the Rename table field, using your new secure database prefix and the same table suffix (e.g. newPrefix_sameSuffix).
  8. Click Go and repeat these steps for each table under this WordPress database.

Please note: It’s important to first back up your files and database in case something goes wrong!
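Renaming the tables in phpMyAdmin is only part of the change: WordPress also stores the prefix inside the data, in the wp_user_roles option and in user meta keys such as wp_capabilities and wp_user_level. If those rows keep the old prefix, users lose their roles and administrators are locked out after the rename. The added example script below (not from this guide or from WordPress; the new prefix k9q_ is constructed for the demonstration) generates the complete set of SQL statements, the table renames plus the row updates, so they can be reviewed and then run against the database once the backup mentioned above has been taken. The built-in table list is the default single-site set; an installation with plugin tables has more, so pass the real list from phpMyAdmin.

```python
import re

# WordPress only accepts letters, digits and underscores in the prefix; the
# trailing underscore keeps the new names readable (k9q_users, not k9qusers).
IDENT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*_$")

# Tables a default single-site WordPress install creates (suffixes only).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users"]


def escape_like(value):
    """Escape MySQL LIKE wildcards so that 'wp_' matches a literal underscore."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """Return the SQL statements that move a WordPress database from prefix
    `old` to prefix `new`: one RENAME TABLE per table, then the two UPDATEs
    that fix the rows whose keys embed the prefix."""
    if not (IDENT_RE.match(old) and IDENT_RE.match(new)):
        raise ValueError("prefixes must be letters/digits/underscores and end in '_'")
    if old == new:
        raise ValueError("old and new prefix are identical")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # wp_options: only the user_roles option is derived from the prefix.
    # Other core options that happen to start with wp_ (for example
    # wp_page_for_privacy_policy) are fixed names and must stay as they are.
    stmts.append(
        f"UPDATE `{new}options` SET `option_name` = '{new}user_roles' "
        f"WHERE `option_name` = '{old}user_roles';"
    )
    # wp_usermeta: every core meta key starting with the prefix is derived
    # from it (capabilities, user_level, user-settings, ...), so replace the
    # leading prefix on all of them. SUBSTRING is 1-based, hence len(old)+1.
    stmts.append(
        f"UPDATE `{new}usermeta` SET `meta_key` = "
        f"CONCAT('{new}', SUBSTRING(`meta_key`, {len(old) + 1})) "
        f"WHERE `meta_key` LIKE '{escape_like(old)}%';"
    )
    return stmts


if __name__ == "__main__":
    print("-- Back up the database first, review, then run:")
    for statement in prefix_migration_sql("wp_", "k9q_"):
        print(statement)
```

Paste the output into the SQL tab of phpMyAdmin after selecting the WordPress database, and afterwards confirm that an administrator can still log in; if the meta keys were left on the old prefix, that login would land on a dashboard with no menus.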