Over 60,000 plugins are available in the WordPress repository as you read this.
That’s the beauty of WordPress!
But also, potentially — every site owner’s worst nightmare. In fact, a whopping 56% of WordPress vulnerabilities are associated with plugins and over 86 billion password attacks were blocked by the security plugin WordFence in 2021 alone.
Whether you’ve been hacked or simply want to safeguard against malicious intent, this security checklist will help you fend off any cyberattack.
With a 64.2% market share, it’s safe to say WordPress security is essential for 810 million websites globally – no matter the industry, size, and reputation. Here’s why.
Although the WordPress platform is considered generally safe, its open-source technology can introduce various vulnerabilities via plugins and themes, SQL, CSRF, file exploits, insecure hosting, and more.
Some popular WordPress security concerns include:
A recent scripting vulnerability in the popular LiteSpeed Cache plugin affected over 4 million websites.
It enabled threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode. Thankfully, the breach was caught and reported in a timely manner by the WordFence team.
Here’s what to do to ensure your tech stack won't harm your website:
When in doubt, you can start off by running your website through an online website security scanner like Qualys, SiteLock, or VirusTotal. These tools can check for malware, vulnerabilities, and other security issues.
Additionally, you can pick from several reputable WordPress security plugins like Wordfence Security, Sucuri Security, iThemes Security, NinjaScanner, and WPScan. Jump straight to the Best WordPress Security Plugins for more details and features to make the choice for your website.
Your first step in safeguarding your website is to perform a full WordPress security audit. Follow the steps below:
Keeping your software up-to-date is one of the most effective security measures. Simply visit your WP admin and check for available updates. WordPress provides an easy way to update your plugins in bulk. Just make sure you do a backup and audit your website once they are updated.
Pro tip: Completely remove unused plugins from your tech stack.
Consider using a reputable password manager like LastPass, Dashlane, or 1Password. These tools can generate, store, and autofill complex passwords for you. Strong passwords have 10+ characters, use both uppercase and lowercase letters, and don’t skip special symbols.
Add an extra layer of protection by setting up 2FA with a plugin like WP 2FA, which requires users to provide a second form of verification in addition to their password. Another extra measure here is to limit the login attempts and set a time-out for users who show suspicious behavior.
If you feel confident in your tech skills:
Access your website's files via FTP (File Transfer Protocol) or a file manager provided by your hosting provider. Download all the files from your WordPress root directory (usually the public_html or www folder) to your local computer. Then, access your website's database using phpMyAdmin, which is often available in your hosting control panel. Select your WordPress database and export the entire database. Save the exported database as an SQL file on your local computer.
Alternatively, use a WordPress management tool to set automated backups (and others, like vulnerability or security checks) at a desired interval on your websites.
A website firewall blocks all malicious traffic before it even reaches your website. There are two methods to do this:
Check the best WordPress Firewall plugins.
A reputable hosting provider for WordPress should offer robust security features, proactive monitoring, and responsive support to keep your website safe and secure.
Features to look for include (and are not limited to):
Check our comprehensive guide on how to choose the right web hosting provider for your website.
The techniques below require admin access to WordPress and a sufficient level of technical knowledge. Before attempting to follow the steps, always back up your website and take the time to consider contacting a WordPress security expert.
SSL (Secure Sockets Layer) encrypts data transferred between the user's browser and your web server, enhancing your site's security.
Instructions:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
By default, WordPress login pages are easily accessible via wp-login.php or wp-admin. Changing this can help protect against unauthorized login attempts.
Instructions:
RewriteRule ^mylogin$ https://%{SERVER_NAME}/wp-login.php?key=123&redirect_to=https://%{SERVER_NAME}/wp-admin [L]
The default “admin” username is a target for hackers, so it's better to change it.
Instructions:
WordPress allows administrators to edit PHP files of plugins and themes. Disabling this feature enhances security.
Instructions:
define('DISALLOW_FILE_EDIT', true);
Preventing PHP execution in directories like wp-content/uploads can help prevent malicious scripts from running.
Instructions:
deny from all
The default wp_ database prefix is well-known, so changing it can help protect your database from SQL injection attacks.
Instructions:
This prevents hackers from seeing the files in your directories.
Instructions:
Options -Indexes
XML-RPC can be exploited for brute force attacks. Disabling it can enhance security.
Instructions:
# Block WordPress xmlrpc.php requests
order deny,allow
deny from all
This can prevent unauthorized use of idle sessions.
Instructions:
add_action('wp_enqueue_scripts', 'idle_logout');
function idle_logout() {
if (is_user_logged_in()) {
wp_enqueue_script('idle_logout', '/path-to-your-script/idle-logout.js', array('jquery'), '1.0.0', true);
}
}
Revealing the WordPress version can provide hackers with valuable information to search for security loopholes.
Instructions:
remove_action('wp_head', 'wp_generator');
Hotlinking can steal bandwidth by linking directly to your site’s files from other websites.
Instructions:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
Limit access to sensitive areas only to those who need it and set appropriate file permissions for directories and files on your server. Restrict access to critical files and folders.
WordPress files and directories use a three-digit numeric code to represent permissions. Each digit corresponds to a specific permission level:
4: Read (r)
2: Write (w)
1: Execute (x)
The recommended permissions for various WordPress files and directories are as follows:
There are several WordPress security plugins available that can help check and safeguard your website:
Wordfence is a comprehensive security plugin for WordPress. It includes features such as firewall protection, malware scanning, login attempt monitoring, and more. The free version offers valuable security checks, while the premium version provides advanced features.
Number of installations: 4+ million
Rating: 4.7/5
Sucuri is a web security platform that offers a free website scanner tool. It checks your website for malware, security issues, and vulnerabilities. They also offer a paid security service for real-time protection and monitoring.
Number of installations: 900,000+
Rating: 4.2/5
Solid Security is a cutting-edge WordPress security plugin designed to fortify your website. Packed with essential features like real-time firewall protection, malware scanning, and secure login mechanisms, it offers an all-in-one solution to secure your online presence. With its intuitive interface and automated security checks, Solid Security ensures peace of mind by safeguarding your site against the latest threats.
Number of installations: 900,000+
Rating: 4.6/5
Security Ninja is a comprehensive security plugin tailored for WordPress websites. With its robust set of tools, including core scanner, malware detection, and auto fixer, it ensures your site's integrity and resilience. The plugin's proactive security checks and one-click fixes empower website owners to protect their websites. Whether you're a novice or a tech-savvy individual, Security Ninja is a great tool against cyber threats.
Number of installations: 10,000+
Rating: 4.8/5
Jetpack Protect specializes in safeguarding WordPress sites against unwanted intrusions. It features robust brute force attack protection and downtime monitoring to keep your site secure and operational. With its streamlined setup, Jetpack Protect seamlessly integrates real-time backups and spam defence, ensuring your site's data remains intact and your interactions genuine.
Number of installations: 100,000+
Rating: 4.8/5
Discovering that your WordPress website has been hacked can be a distressing experience, but it's important to act quickly to mitigate the damage and restore your site's security.
WordPress is a reputable content management system (CMS), and because it’s so popular, it often becomes a target for attackers. However, whether WordPress is "safe enough" depends on several factors, including how you configure, maintain, and use it. Following the best practices outlined in this guide, you can ensure a safe environment for your online business.
The annual report of Sucuri in 2022, highlighted WordPress as the most frequently hacked CMS with 96.2% of attacks focused on the platform. Due to its widespread use, WordPress is a common target and does have a high number of reported hacks, but this does not necessarily mean it's less secure than other CMS platforms.
The most vulnerable parts are often themes and plugins, as well as weak admin passwords.
Implement strong passwords, keep WordPress updated, and use free security plugins like Wordfence or Security Ninja to enhance your site's security.
Yes, older versions of WordPress are easier to hack as they often contain unpatched security vulnerabilities. Always check for the latest updates to keep your website protected.
Keep WordPress updated, use reputable themes and plugins, and install security plugins that offer malware scanning and firewall protection.
A security plugin is highly recommended as it provides comprehensive security measures and can automate many of the tasks required to keep a WordPress site secure.
Lora has spent the last 8 years developing content strategies that drive better user experiences for SaaS companies in the CEE region. In collaboration with WordPress subject-matter experts and the 2024 Web Almanac, she helps site owners close the gap between web performance optimization and real-life business results.