TL;DR: To keep your WordPress site secure, keep your core, themes, and plugins up to date, use strong passwords, and enable two-factor authentication. Conduct regular backups, restrict user permissions, and employ a reputable security plugin. Monitor and limit login attempts, implement a reliable firewall, and consider using a Content Delivery Network (CDN).
Over 60,000 plugins are available in the WordPress repository as you read this.
That’s the beauty of WordPress!
But also, potentially — every site owner’s worst nightmare. In fact, a whopping 56% of WordPress vulnerabilities are associated with plugins and over 86 billion password attacks were blocked by the security plugin WordFence in 2021 alone.
Whether you’ve been hacked or simply want to safeguard against malicious intent, this security checklist will help you fend off any cyberattack.
Why WordPress Security Matters to Your Online Business
With a 64.2% market share, it’s safe to say WordPress security is essential for 810 million websites globally – no matter the industry, size, and reputation. Here’s why.
- Data Protection: Your website contains sensitive data, including customer information, payment details, and business-related content. Ensuring its security is crucial to prevent data breaches and protect your reputation.
- Maintaining Customer Trust: A secure website fosters trust among your visitors and customers. When people know their data is safe, they are more likely to engage with your site and make purchases.
- Preventing Downtime: Security breaches, hacks, or malware infections can lead to website downtime. This not only disrupts your business operations but also damages your online presence and bottom line.
- Avoiding Legal Consequences: Data breaches and security issues can lead to legal liabilities, including fines and lawsuits, especially if customer data is compromised.
- Enhancing SEO: Search engines like Google prioritize secure websites in their rankings. A secure site with an SSL certificate and robust security measures can improve your search engine visibility.
What Are Some Common WordPress Security Issues?
Although the WordPress platform is considered generally safe, its open-source technology can introduce various vulnerabilities via plugins and themes, SQL, CSRF, file exploits, insecure hosting, and more.
Some popular WordPress security concerns include:
- Outdated Software: Failing to update WordPress core, themes, and plugins regularly can leave your site vulnerable to known security vulnerabilities.
- Weak Passwords: Using weak or easily guessable passwords makes it easier for attackers to gain unauthorized access to your site.
- Plugin Vulnerabilities: Choosing to add unsafe plugins to your tech stack introduces malicious attackers with opportunities to hack your website.
- Brute Force Attacks: Attackers attempt to gain access by repeatedly trying different username and password combinations until they find the right one.
- SQL Injection: This occurs when an attacker inserts malicious SQL code into your site's input fields, potentially gaining access to your database and sensitive information.
- Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages viewed by other users, which can lead to data theft or site defacement.
- Cross-Site Request Forgery (CSRF): This involves tricking authenticated users into executing malicious actions without their knowledge.
- File Inclusion Exploits: Attackers exploit poorly sanitized user inputs to include malicious files on your server.
- Spam and Malware: Failure to protect against comment spam and malware can lead to a compromised site.
- Phishing: Attackers may use fake login pages or emails to trick users into revealing login credentials or other sensitive information.
- Data Leaks: Poorly configured sites or third-party services can lead to data breaches or leaks of user information.
- DDoS Attacks: Distributed Denial of Service attacks can disrupt site availability by overwhelming it with traffic.
LiteSpeed Cache Plugin Vulnerabilities and the Importance of Safe WordPress Plugins
A recent scripting vulnerability in the popular LiteSpeed Cache plugin affected over 4 million websites.
It enabled threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode. Thankfully, the breach was caught and reported in a timely manner by the WordFence team.
Here’s what to do to ensure your tech stack won't harm your website:
- Check the plugin’s history and reputation: a large number of active installations and positive reviews will help you assess the plugin’s reliability.
- Analyze the update frequency: Ensure the plugin is regularly updated, with the last update being no more than a few months old.
- Review the developer’s support responses: Check the support forums for the plugin to see how responsive and helpful the developers are. Good support can be indicative of a dedication to the plugin’s quality and security.
- Verify compatibility with your version of WordPress: Incompatible plugins may introduce security vulnerabilities or cause functionality issues.
- Assess the plugin’s features and permissions: Be wary of plugins that require unnecessary permissions or offer a bloated feature set that is not needed. More code can mean more opportunities for security vulnerabilities.
- Perform security checks: Use tools like WPScan to identify any known vulnerabilities of a plugin. Look for any security advisories or discussions related to the plugin.
- Start with a test environment: Before installing a new plugin on your live site, test it on a staging site to monitor its behavior and ensure it doesn’t introduce vulnerabilities.
- Look for security endorsements or certifications: Some plugins may have security audits or certifications from reputable third-party companies, which can add to their credibility.
- Be cautious with free plugins: While many free plugins are secure and well-maintained, always exercise due diligence, as free plugins may not always offer continuous support and updates.
- Back up your site regularly: Even with all precautions, it's essential to have regular backups of your site. This doesn’t prevent issues but ensures you can recover quickly if something goes wrong.
How to Check If Your WordPress Site Is Secure?
When in doubt, you can start off by running your website through an online website security scanner like Qualys, SiteLock, or VirusTotal. These tools can check for malware, vulnerabilities, and other security issues.
Additionally, you can pick from several reputable WordPress security plugins like Wordfence Security, Sucuri Security, iThemes Security, NinjaScanner, and WPScan. Jump straight to the Best WordPress Security Plugins for more details and features to make the choice for your website.
WordPress Security Essentials
Your first step in safeguarding your website is to perform a full WordPress security audit. Follow the steps below:
1. Update Your WordPress Core, Themes, and Plugins
Keeping your software up-to-date is one of the most effective security measures. Simply visit your WP admin and check for available updates. WordPress provides an easy way to update your plugins in bulk. Just make sure you do a backup and audit your website once they are updated.
Pro tip: Completely remove unused plugins from your tech stack.
2. Ensure You and Users Use Strong, Unique Passwords
Consider using a reputable password manager like LastPass, Dashlane, or 1Password. These tools can generate, store, and autofill complex passwords for you. Strong passwords have 10+ characters, use both uppercase and lowercase letters, and don’t skip special symbols.
3. Enable Two-Factor Authentication (2FA)
Add an extra layer of protection by setting up 2FA with a plugin like WP 2FA, which requires users to provide a second form of verification in addition to their password. Another extra measure here is to limit the login attempts and set a time-out for users who show suspicious behavior.
4. Backup your website's database and files
If you feel confident in your tech skills:
Access your website's files via FTP (File Transfer Protocol) or a file manager provided by your hosting provider. Download all the files from your WordPress root directory (usually the public_html or www folder) to your local computer. Then, access your website's database using phpMyAdmin, which is often available in your hosting control panel. Select your WordPress database and export the entire database. Save the exported database as an SQL file on your local computer.
Alternatively, use a plugin like Updraft Plus to set automated backups at a desired interval.
5. Use Web Application Firewall (WAF)
A website firewall blocks all malicious traffic before it even reaches your website. There are two methods to do this:
- DNS Level Website Firewall: Allows sending genuine traffic to your web server only by routing the traffic through their cloud proxy servers.
- Application Level Firewall: Analyzes traffic once it reaches your server and before loading most WordPress scripts. However, it’s not as efficient as it tends to add to the server load.
Check the best WordPress Firewall plugins.
6. Switch To a Reputable Hosting Provider
A reputable hosting provider for WordPress should offer robust security features, proactive monitoring, and responsive support to keep your website safe and secure.
Features to look for include (and are not limited to):
- Strong Infrastructure Security
- SSL Certificate Inclusion
- Regular Backups
- 24/7 Network Monitoring
- DDoS Protection
- Malware Scanning and Removal
- Automatic WordPress updates
- Server-level caching configured specifically for WordPress
- Support for Secure File Transfer Protocol (SFTP)
- Isolation Between Accounts on Shared Hosting
Check our comprehensive guide on how to choose the right web hosting provider for your website.
Advanced Techniques to Improve WordPress Security
The techniques below require admin access to WordPress and a sufficient level of technical knowledge. Before attempting to follow the steps, always back up your website and take the time to consider contacting a WordPress security expert.
Move Your WordPress Site to SSL/HTTPS
SSL (Secure Sockets Layer) encrypts data transferred between the user's browser and your web server, enhancing your site's security.
Instructions:
- Purchase an SSL certificate from your hosting provider or use a free one
- Install and activate the certificate through your hosting account
- Update your WordPress URL by going to Settings > General and updating your WordPress Address (URL) and Site Address (URL) from http:// to https://
- Force SSL by adding the following code to your .htaccess file:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
Change the WordPress Login Page URL
By default, WordPress login pages are easily accessible via wp-login.php or wp-admin. Changing this can help protect against unauthorized login attempts.
Instructions:
- Edit the .htaccess file in your WordPress root directory and add:
RewriteRule ^mylogin$ https://%{SERVER_NAME}/wp-login.php?key=123&redirect_to=https://%{SERVER_NAME}/wp-admin [L]
- Replace mylogin with the new login URL slug and 123 with a random string.
Change the Default “admin” Username
The default “admin” username is a target for hackers, so it's better to change it.
Instructions:
- Create a new user in WordPress by going to Users > Add New.
- Assign the new user the role of Administrator.
- Log out and log in with the new Administrator account.
- Delete the old “admin” user and attribute all content to the new user.
Disable File Editing
WordPress allows administrators to edit PHP files of plugins and themes. Disabling this feature enhances security.
Instructions:
- Add the following line to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
Disable PHP File Execution in Certain WordPress Directories
Preventing PHP execution in directories like wp-content/uploads can help prevent malicious scripts from running.
Instructions:
- Create a .htaccess file in the directory you want to protect and add:
deny from all
Change the default WordPress Database Prefix
The default wp_ database prefix is well-known, so changing it can help protect your database from SQL injection attacks.
Instructions:
- Back up your database.
- Go to phpMyAdmin, select your database, and choose the "Operations" tab.
- Under "Table prefix," change wp_ to your new prefix (e.g., wpnew_) and click "Go."
Disable Directory Indexing and Browsing
This prevents hackers from seeing the files in your directories.
Instructions:
- Add the following line to your .htaccess file:
Options -Indexes
Disable XML-RPC in WordPress
XML-RPC can be exploited for brute force attacks. Disabling it can enhance security.
Instructions:
- Add the following code to your .htaccess file:
# Block WordPress xmlrpc.php requests
order deny,allow
deny from all
Automatically Log Out Idle Users in WordPress:
This can prevent unauthorized use of idle sessions.
Instructions:
- Add this code to your theme’s functions.php file:
add_action('wp_enqueue_scripts', 'idle_logout');
function idle_logout() {
if (is_user_logged_in()) {
wp_enqueue_script('idle_logout', '/path-to-your-script/idle-logout.js', array('jquery'), '1.0.0', true);
}
}
- Then, create a idle-logout.js file with JavaScript to track idle time and log out users.
Hide the WordPress Version
Revealing the WordPress version can provide hackers with valuable information to search for security loopholes.
Instructions:
- Add the following line to your theme’s functions.php file:
remove_action('wp_head', 'wp_generator');
Block Hotlinking
Hotlinking can steal bandwidth by linking directly to your site’s files from other websites.
Instructions:
- Add the following code to your .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
Check User Roles, and Set File Permissions
Limit access to sensitive areas only to those who need it and set appropriate file permissions for directories and files on your server. Restrict access to critical files and folders.
WordPress files and directories use a three-digit numeric code to represent permissions. Each digit corresponds to a specific permission level:
4: Read (r)
2: Write (w)
1: Execute (x)
The recommended permissions for various WordPress files and directories are as follows:
- Files (e.g., .php, .html): 644 (Owner can read and write; others can read)
- Directories: 755 (Owner can read, write, and execute; others can read and execute)
- wp-config.php (important configuration file): 600 (Owner can read and write; others have no access)
- .htaccess (server configuration): 644 (Owner can read and write; others can read)
- Uploads directory (e.g., wp-content/uploads): 755 (Owner can read, write, and execute; others can read and execute)
5 Best WordPress Security Plugins
There are several WordPress security plugins available that can help check and safeguard your website:
Wordfence is a comprehensive security plugin for WordPress. It includes features such as firewall protection, malware scanning, login attempt monitoring, and more. The free version offers valuable security checks, while the premium version provides advanced features.
Number of installations: 4+ million
Rating: 4.7/5
Sucuri is a web security platform that offers a free website scanner tool. It checks your website for malware, security issues, and vulnerabilities. They also offer a paid security service for real-time protection and monitoring.
Number of installations: 900,000+
Rating: 4.2/5
Solid Security is a cutting-edge WordPress security plugin designed to fortify your website. Packed with essential features like real-time firewall protection, malware scanning, and secure login mechanisms, it offers an all-in-one solution to secure your online presence. With its intuitive interface and automated security checks, Solid Security ensures peace of mind by safeguarding your site against the latest threats.
Number of installations: 900,000+
Rating: 4.6/5
Security Ninja is a comprehensive security plugin tailored for WordPress websites. With its robust set of tools, including core scanner, malware detection, and auto fixer, it ensures your site's integrity and resilience. The plugin's proactive security checks and one-click fixes empower website owners to protect their websites. Whether you're a novice or a tech-savvy individual, Security Ninja is a great tool against cyber threats.
Number of installations: 10,000+
Rating: 4.8/5
Jetpack Protect specializes in safeguarding WordPress sites against unwanted intrusions. It features robust brute force attack protection and downtime monitoring to keep your site secure and operational. With its streamlined setup, Jetpack Protect seamlessly integrates real-time backups and spam defence, ensuring your site's data remains intact and your interactions genuine.
Number of installations: 100,000+
Rating: 4.8/5
What To Do If Your WordPress Website Is Hacked
Discovering that your WordPress website has been hacked can be a distressing experience, but it's important to act quickly to mitigate the damage and restore your site's security.
- Isolate the Website: If you have multiple websites hosted on the same server, isolate the hacked website to prevent the infection from spreading to others. This may involve temporarily taking the affected site offline.
- Restore the Last Backup of Your Website: To quickly resolve the issue, revert back to an earlier version of your website. If you haven’t backed up your website recently, consider developing a backup strategy after you finish with the steps below.
- Change Passwords: Change the passwords for all user accounts on your WordPress site, including administrators, editors, and contributors. Ensure that strong, unique passwords are used.
- Scan for Malware: Use a security plugin or a third-party malware scanning tool to scan your website for malicious code and malware. If you already have one activated, reach out to the developers to resolve the issue with professional help.
- Identify and Remove Suspicious Files: Review your website's files and directories for any unfamiliar or suspicious files. Hackers often inject malicious code into core files, themes, or plugins. Remove any files that you suspect are compromised.
- Clean the Database: Check your WordPress database for unauthorized changes or suspicious content. Restore any modified tables or entries to their original state.
- Review User Accounts: Audit your list of registered users and remove any unfamiliar or unauthorized accounts. Ensure that there are no unauthorized administrators.
- Change Security Keys and Salts: In your wp-config.php file, change your security keys and salts. This step can help invalidate any stolen login credentials.
- Notify Visitors: If the hack potentially exposed sensitive user data, comply with data breach notification laws and inform affected users of the breach.
How to Improve WordPress Security FAQ
Is WordPress safe enough?
WordPress is a reputable content management system (CMS), and because it’s so popular, it often becomes a target for attackers. However, whether WordPress is "safe enough" depends on several factors, including how you configure, maintain, and use it. Following the best practices outlined in this guide, you can ensure a safe environment for your online business.
Is WordPress the most hacked CMS?
The annual report of Sucuri in 2022, highlighted WordPress as the most frequently hacked CMS with 96.2% of attacks focused on the platform. Due to its widespread use, WordPress is a common target and does have a high number of reported hacks, but this does not necessarily mean it's less secure than other CMS platforms.
What is the most vulnerable part of a WordPress website?
The most vulnerable parts are often themes and plugins, as well as weak admin passwords.
How do I secure my WordPress site for free?
Implement strong passwords, keep WordPress updated, and use free security plugins like Wordfence or Security Ninja to enhance your site's security.
Are older versions of WordPress easier to hack?
Yes, older versions of WordPress are easier to hack as they often contain unpatched security vulnerabilities. Always check for the latest updates to keep your website protected.
How do I prevent malware on WordPress?
Keep WordPress updated, use reputable themes and plugins, and install security plugins that offer malware scanning and firewall protection.
Do I really need a security plugin for WordPress?
A security plugin is highly recommended as it provides comprehensive security measures and can automate many of the tasks required to keep a WordPress site secure.
