Secure Wordpress



This guide features simple security measures you can implement to secure your WordPress site, prevent hacking attacks and keep your content safe. I’ll include the best WordPress security solutions and precautions in this post. If you follow them, you’ll be sleeping safely.

Secure WordPress: Is an Open Source Product Really Secure?

WordPress is open source, which means that the code that runs your website is free to be examined by anyone who wants to. This includes hackers searching for vulnerabilities to exploit. With that in mind, is it safe to use open source platforms?

Secure WordPress hosting

Server hardening is the key to maintaining a thoroughly secure WordPress environment. It takes multiple layers of hardware- and software-level security measures to ensure the IT infrastructure hosting WordPress sites is capable of defending against sophisticated threats, both physical and virtual.

Change the default “admin” username

  • Create a new admin username and delete the old one.
  • Use the Username Changer plugin.
  • Update the username from phpMyAdmin.

There are many WordPress security guides with 20-30 or even more steps on how to protect your WordPress site. Many of those steps are completely unnecessary for the average user.

Here are quick and simple steps you should take to keep your WordPress site safe and secure:

While no content management system is 100% secure, WordPress has a quality security apparatus in place for the core software, and most hacks are a direct result of webmasters not following basic security best practices, such as keeping the core WordPress software, plugins, and themes updated.

  • Use a unique username with a strong password on all administrative accounts.
  • Turn on and require 2-Step Verification on all administrative accounts.
  • Don’t install themes and plugins from untrusted sources.
  • Set WordPress, themes and plugins to be updated automatically.
  • Set WordPress to backup automatically.
  • Use a host with a container-based isolation which protects your site from being contaminated by other insecure sites on the same server.

These six steps will take you a few minutes to implement and you won’t need to worry about WordPress security after that. You’ll be able to focus on building a great website instead.

Why is WordPress so vulnerable and insecure?

WordPress is very serious about its security and is very secure software. The WordPress security team is made up of 50 security experts and developers. Being open source software, there are many eyes on it, which keeps the whole content management system safe and secure.

So why is it that you hear about WordPress being vulnerable and insecure? WordPress is the most widely used CMS and blogging platform with a market share of more than 35% of the entire web.

The popularity of WordPress websites makes it a regular target of brute force login attacks which attempt to discover sites that use the default username and/or a weak password. This is sensitive information and the key to keeping your blog safe and secure.

A brute-force attack is when an attacker tries to log in with many passwords in the hope of guessing correctly. The attacker systematically checks all possible options until the correct one is found.

Use two-factor authentication for your WordPress admin dashboard login as an effective brute force protection.

The second most common attack is on outdated WordPress software, obsolete versions of PHP, outdated themes and plugins. This is why it’s key to always update everything.

Both of these types of attacks are automated across all the hosting platforms, so they don’t specifically target your blog only.

If they do succeed in infecting a blog that’s not adequately secured, they may even cross-contaminate all the other blogs hosted on the same server. Don’t let any of this happen to you.

Best WordPress security plugins: Identify any existing vulnerability

There are several WordPress security plugins and other tools you can use to figure out if your blog has a current weakness.

They scan for malware, malicious code and scripts, out-of-date software and other known security issues. These WordPress security plugins can help keep your blog safe. Here are some of the best options that all include free versions:

  • Sucuri SiteCheck: There is a Sucuri plugin too but this is a browser-based tool for a quick scan and check.
  • Google Search Console: the “Security & Manual Actions” section notifies you when Google detects malware or other security issues with your WordPress website.
  • Wordfence Security: The most popular WordPress security plugin used by more than 3 million sites. Features login security, firewall and a malware scanner.
  • iThemes Security Plugin: This plugin is used on more than 900,000 WordPress sites.
  • All In One WP Security & Firewall: Activated on more than 800,000 WordPress sites. All the features on this plugin are entirely free to use.

Host your blog with a secure hosting company

One vulnerability is cross-contamination. If your site is hosted on an unprotected shared server and an exploitable site gets attacked, other sites on that server can be infected too.

This has happened to my blog a few times while it was hosted on GoDaddy. Initially, I blamed the hacks on my own inexperience or not using the best practices.

Since I’ve learned how these hacks happen, it has made me wary of using hosts that are not well protected. The best protection from cross-contamination is to use a secure WordPress host. Ask your host what security precautions they take about cross-contamination.

Right now, my blog is hosted on GreenGeeks and I’m happy to report that I haven’t had any security issues yet. Fingers crossed it continues!

I’m a happy paying customer of GreenGeeks as they have several security measures, server configurations and additional features in place that you can take advantage of for your WordPress installation:

  • All the WordPress blogs are automatically updated as soon as there is a new release. I don’t have to take any action.
  • There is a nightly backup of all the data in case of an emergency. Fortunately, I haven’t had to deal with backups yet.
  • They have container-based isolation, which means that your blog is kept separated from other blogs and cannot be infected by cross-contamination.
  • In-built spam protection and real-time malware and virus monitoring.
  • You also get a free domain name and a free SSL certificate from Let’s Encrypt. This will prevent your site from being labeled as “not secure” on the different browsers.
  • 24/7 customer support via live chat, email or phone just in case it’s necessary.

Turn on 2-Step Verification

Two-factor verification adds an extra layer of security to your WordPress login URL and completely prevents all the brute force attacks.

Without access to your phone, it’s simply impossible to break through the login page even if the attacker knows your username and password.

Turn on Secure Sign On in Jetpack for one of the easiest ways to enable two factor authentication in WordPress. This lets you log in to your self-hosted site with your WordPress.com logins. And WordPress.com allows you to require two-factor authentication.

  • Enable two-step on your WordPress.com account under “Two-Step Authentication” within “Security”.
  • Install and activate Jetpack plugin in your self-hosted WordPress admin area.
  • Turn on the “Single Sign On” option.
  • Tick the box to “Require Two-Step Authentication”.
  • Insert this code into your theme’s functions.php file to disable the default WordPress login form:
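The snippet referred to in the last step, as an added example rather than the post’s own code: it assumes Jetpack is installed with its SSO module active, and the three filter names are the ones I understand Jetpack’s SSO module to expose (confirm them against your installed Jetpack version before relying on them).

```php
<?php
// Added example: hard-require WordPress.com Secure Sign On through Jetpack.
// Assumes Jetpack is active with its SSO module enabled. The filter names are
// the ones I understand Jetpack's SSO module to provide; confirm them against
// your installed Jetpack version. Put this in functions.php, or preferably in
// an mu-plugin (wp-content/mu-plugins/) so it survives a theme switch.

// Hide the native username/password form on wp-login.php, leaving only the
// "Log in with WordPress.com" button.
add_filter( 'jetpack_remove_login_form', '__return_true' );

// Refuse SSO logins from WordPress.com accounts without two-step authentication
// (the same effect as ticking "Require Two-Step Authentication" in Jetpack).
add_filter( 'jetpack_sso_require_two_step', '__return_true' );

// Optional: send wp-login.php visitors straight to WordPress.com instead of
// showing the intermediate page with the SSO button.
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
```

If Jetpack is deactivated or its WordPress.com connection is lost, these filters have nothing to hook and the standard form returns, so the local administrator account still needs a strong password.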

Now you can only log in to your self-hosted blog using your WordPress.com login details. And these require a two-factor authentication from your phone. The default login has been disabled.

Two step authentication is by far the best way to stop people trying to brute force their way into your wp-admin dashboard. I highly recommend it.

In the past, I used several different hacks to prevent these attacks, such as changing the URL of the default WordPress login page and blocking all IP addresses except my own from trying to log in, but two-step authentication is a much more elegant solution.

Block unwanted, brute force login attempts

If you for whatever reason cannot turn on the two-step authentication, this is a decent alternative.

Jetpack’s Protect is like a web application firewall for your WordPress site. It monitors failed login attempts across the network of WordPress sites it protects and then automatically blocks further attempts from those bad IP addresses on the rest of the network.

Another of the common ways hackers try to brute force your site is through XML-RPC. Jetpack Protect also blocks all the XML-RPC attacks so you do not need to do anything further to disable XML-RPC if you’re using Jetpack.

Activate the Jetpack plugin and enable the Protect add-on to turn this on.

The alternative to this is the WP Limit Login Attempts plugin.

Automate updates to WordPress and plugins

The main reason developers release new versions frequently is security vulnerabilities found in older versions. The vast majority of security compromises happen through outdated plugins.

Automatic updates work to keep you safe. Always upgrade to the latest version of WordPress. Do the same for the newest version of your blog design theme and plugins you use.

Upgrading is a simple, automated, one-click process within the WordPress admin interface. When a new update is available, WordPress will show a notice at the top of your dashboard.

The most recent versions feature automatic background updates. You may find that your secure host updates you to the latest version automatically while you sleep. Mine does.

Automatic updates for themes and plugins have also been possible since the WordPress 5.5 release in August 2020.

Limit the number of plugins and themes installed

Keep the entry points of attacks down to a minimum. Only install themes and plugins that you actively use and that are necessary to run your blog. Remove anything that’s not used.

The average blogger uses more than 20 plugins. There’s a plugin for a contact form, a plugin for the email newsletter subscribers, a plugin for live chat, a plugin for analytics and so much more. Minimize the number of plugins you use. Jetpack, for instance, replaces several different plugins.

Don’t download themes and plugins from unknown sources. Use only the official plugin and theme directories, or the official websites of trusted sources of premium themes and plugins.

These are the quality signs to look for in a plugin or a theme:

  • A high number of downloads and active WordPress users.
  • Regular updates and a recent last update.
  • Good reviews and rating.

Create a new user account and limit unauthorized access

It’s harder for a hacker to break into your WordPress account when both username and password have to be cracked. Username “admin” is the most frequent target of brute force attacks. It’s an easy target and should be deleted and not used.

Reduce the number of people who have admin access to your blog to a minimum. Anyone who doesn’t need admin access shouldn’t have it. This is easy to do with roles and capabilities.

Here’s how to create a new user and delete the default “admin” user:

  • You create a user by going into “Users” then “Add New” in the WordPress menu.
  • When creating the new user, make sure to give it the role of an “Administrator”. That will ensure that you have the full authority over your WordPress website security.
  • Now log out from your default “admin” account and log in with the new user details.
  • In “Users” delete the default admin username.
  • Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account.

Use strong and secure passwords

Don’t use simple passwords on your WordPress account. Simple passwords might be easy for you to remember, but they are also easier for a hacker to crack.

Use strong and secure passwords instead. Your passwords should be:

  • At least twelve characters long.
  • A mix of numbers, special characters, and upper- and lowercase letters.

Here’s a free tool by Norton that helps you create a strong password.

Set a new nickname

You don’t want your new username to be the author name shown on all posts. Otherwise, hackers will have an easy way of finding your new username.

Set the nickname of your account to something different from your username. Here’s how:

  • Go to “Users” under “Your Profile”.
  • Choose a new nickname in the Nickname field.
  • Set “Display name publicly as” to your new nickname.

Do not allow guest user registrations

You don’t have a membership site? Then there is no reason to allow visitors to register for a guest account.

Check that you’ve got registration turned off. Click “Settings” and make sure that “Anyone can register” option is unticked.

Do not allow pings

WordPress with the pingback option enabled can be used in DDoS attacks against other sites. This option is enabled by default, so it’s important to disable it.

In “Settings” go into “Discussion” and, under “Default Article Settings”, untick “Allow link notifications (pingbacks and trackbacks)”.
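That setting only changes the default for new posts; existing posts keep the ping status stored with them, and the XML-RPC pingback method stays callable. Added example (not from the original guide) for functions.php or an mu-plugin that closes those gaps with standard WordPress filters:

```php
<?php
// Added example: turn off pingbacks in code so the change covers existing posts
// and the XML-RPC pingback method, not only the default for new posts.

// 1. Default for new posts: same effect as unticking "Allow link notifications".
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
// Optional: also stop this site from sending pingbacks to sites it links to.
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );

// 2. Existing posts: report pings as closed at runtime regardless of the
//    per-post value stored in the database.
add_filter( 'pings_open', '__return_false' );

// 3. XML-RPC: remove the pingback methods so the site can no longer be used as
//    a reflector, while leaving other XML-RPC methods (e.g. mobile apps) intact.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 4. Stop advertising pingback support in the HTTP response headers.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 5. Blank the pingback URL that themes print as <link rel="pingback"> in <head>.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );
```

After deploying, a request to xmlrpc.php calling system.listMethods should no longer list pingback.ping, and post pages should no longer carry an X-Pingback header.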

Take regular automatic backups

Taking daily or weekly automatic backups of your content and database is essential. Good hosting providers execute their system backups on their part. Mine does.

When you set up a WordPress site on GreenGeeks you can select automatic updates and automatic backups.

You can still take personal responsibility in doing regular backups yourself. WordPress consists of two parts:

  • Database: a place where all settings, pages, posts, and comments are stored.
  • Files: which include media, attachments, themes, and plugins.

It’s recommended to perform a regular, full backup of the entire site. There is a plethora of options. The best free plugin is UpdraftPlus, which is used on more than 2 million blogs.

In case your site does get hacked or infected by a virus or malware, you’ll be able to restore a fully functioning backup.

These simple steps can be executed relatively quickly to improve your WordPress security and will make your site so much harder to break into.

You probably won’t have a hacking problem. You’ll feel safer. You’ll be able to focus your time on writing exciting content and building an audience.

WordPress Security is very important when it comes to having a WordPress website. Here are eight common-sense steps on how to secure your WordPress website including some WordPress security plugins which every WordPress website owner can use to make their WordPress site much more secure.

WordPress Security Tips

Here are a few things to do to secure your WordPress website. I will also list the best WordPress security plugins that you can install to secure your WordPress website further.

WordPress Security Tip 1. Don’t use the default administrator user account

Every hacker knows this account is named “administrator”, so changing it means one less thing they know about your site. This will greatly reduce the likelihood of a brute force attack being successful.

Create a new user with administrator privileges; it’s this new user you will then use to administer your WordPress website.

WordPress Security Tip 2. Use a Secure Password

This should go without saying. Modern password crackers use software that can attempt billions of passwords per second and need no technical expertise to use them. Using a free password manager such as LastPass you can generate extremely complex passwords and have them presented just when you need them.

Alternatively, you can use a passphrase instead of a password. This simply means remembering a string of words and adding extra characters to make it more secure, for example, nonsen$e PeanUt 1ndicaTors would be quite easy to remember but quite difficult to crack (at least at the time of writing).

A variation of this technique is to take letters from a memorable phrase. For example, a phrase like “my important website is now much more secure” could become the password “MiWiNmM$” by taking the first letter of each word.

You should also force all users to have a minimum level of password strength with a plugin like Force Strong Passwords.

Finally, two-factor authentication massively increases site security. If you use online banking then you’re familiar with the one-time password (OTP) sent via SMS or another method.

This means a hacker needs to know your password AND steal your phone to gain access. Use a plugin such as Two Factor Authentication. (Incidentally, looking at the active install statistics for two-factor authentication plugins will tell you how few people are using this secure method of website access.)

WordPress Security Tip 3. Limit Login Attempts

Brute force attacks rely on the fact that WordPress by default allows as many login attempts as you like, so passwords can be tried again and again until one works.

This can be stopped by limiting the number of login attempts and then blocking or causing a delay before allowing the next attempt. Accomplish this with a simple plugin or use a general security plugin like Wordfence which has this feature.

A side benefit of this method is that you can identify repeated attempts from the same IP address and perhaps consider blocking that address, although this method of blocking is not very effective as IP addresses can change frequently.
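As an added example (not from either guide, and no substitute for a maintained plugin such as the ones named in this tip or in the Jetpack Protect section earlier), here is the mechanism both sections describe, a per-address failed-login counter with a temporary lockout, built on WordPress core hooks and transients; RL_MAX_FAILURES, RL_LOCKOUT_SECONDS and the rl_ helper names are mine, not WordPress API.

```php
<?php
// Added example: per-address login throttling with WordPress core hooks.
// The constants and rl_* helpers are this example's own names.
const RL_MAX_FAILURES    = 5;    // failures allowed before lockout
const RL_LOCKOUT_SECONDS = 900;  // 15 minutes, measured from the last failure

/**
 * Transient key for the calling client. Only REMOTE_ADDR is used: headers such
 * as X-Forwarded-For are set by the client and would let an attacker pick a
 * fresh counter per request. Behind a trusted reverse proxy, have the proxy
 * rewrite REMOTE_ADDR rather than trusting that header here.
 */
function rl_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'rl_fail_' . md5( $ip );
}

/** Current failure count for the calling client (0 when none recorded). */
function rl_failure_count(): int {
    return (int) get_transient( rl_client_key() );
}

// Core fires wp_login_failed for a wrong username or wrong password alike,
// whether the attempt came through wp-login.php or XML-RPC.
add_action( 'wp_login_failed', function () {
    $count = rl_failure_count() + 1;
    // Each failure re-arms the expiry, so the window slides with the attacker.
    set_transient( rl_client_key(), $count, RL_LOCKOUT_SECONDS );
} );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( rl_client_key() );
} );

// Refuse authentication while locked out. Priority 40 runs after core's
// username/password and cookie checks (priorities 20 and 30), so password
// handling is untouched and even a correct password fails during the lockout.
add_filter( 'authenticate', function ( $user ) {
    if ( rl_failure_count() >= RL_MAX_FAILURES ) {
        // Generic message: do not reveal whether the username exists.
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.',
                     RL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 40 );
```

Counting by address means users behind a shared NAT can be locked out together and a distributed attacker simply rotates addresses, which is the limitation the tip notes; pair this with two-factor authentication rather than relying on it alone.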

WordPress Security Tip 4. Change The Login Page

As with the default admin account, every hacker also knows the place to log in to your website is http://www.yoursite.com/wp-login.php.

Changing this address will mean the attacker cannot find your login page and will greatly reduce the incidence of brute force attacks that even make it to your door. If they can’t find it, they can’t exploit it.

Use a general WordPress security plugin that lets you do this, such as iThemes Security.

WordPress Security Tip 5. Control User Access

If you have other users who log on to your site then be very careful about how much access you give them. Many site owners automatically make everyone an admin so that they can do whatever they need to without disturbing the administrator. This is a dangerous policy as you cannot control how these users access the website.

Also, be very careful about who you give your password to and how you do it. Instead of sending passwords via email, use something like BurnNote or PrivNote to securely pass credentials to developers and others who need access.

Remember that if you have multiple users on your system you are also responsible for what those users do on your system.

WordPress Security Tip 6. Choose a Reliable Web Hosting Provider

Whether you’re using shared hosting, a VPS, or a dedicated server you need to make sure the company has a great reputation for making customers’ security a priority.

  • Read reviews from past users.
  • Check that SFTP and FTPS are available – this will let you know the company at least takes security seriously.
  • Make sure a backup policy is included and clear to understand.
  • Make sure they have a clear server maintenance and update policy, so you know they regularly apply the latest security measures to their infrastructure.

WordPress Security Tip 7. Keep WordPress up to Date

Here are a few reasons why you should regularly update your WordPress website.

WordPress Security Tip 8. Use a WordPress Security Plugin

Nowadays, there are some terrific free plugins that do a good job of securing your WordPress website. A couple of really good examples that I’ve used include iThemes Security and the Sucuri security plugin.

Note, however, that to make good use of these plugins you do need to understand something about the security problems they attempt to protect you from so that you can configure them appropriately.

A great, free and easy-to-use option is Wordfence. Wordfence is simple enough for non-technical users and includes features to cover most of the security recommendations above.

In addition to the above tips you should consider employing a website firewall and installing some basic monitoring and alerting in case problems arise. Installing a software firewall will allow you to set rules about who is allowed to enter your site and from where.

Sucuri firewall is considered among the most trusted of website firewalls and is a paid plugin providing very good protection. On their website they also offer a free website malware scanner.

The Wordfence plugin mentioned above also includes a free website firewall.

WordPress Security Plugins

There are around 18.5 million websites infected with malware at any given time each week. An average website is attacked 44 times every day, which includes both WordPress and non-WordPress websites.

A security breach on your website can cause some serious damage to your business.

Let’s take a look at some of the best WordPress security plugins, and how they help you protect your website.

SUCURI

Sucuri is the industry leader in WordPress security. It is one of the best WordPress security plugins on the market. They offer a basic free Sucuri Security plugin that helps you harden WordPress security and scan your website for common threats.

But the real value is in the paid plans, which come with the best WordPress firewall protection. A firewall helps you block brute force and malicious attacks from accessing WordPress.

Sucuri website firewall filters out bad traffic even before it reaches your server. They also serve static content from their own CDN servers.

Apart from security, their DNS level firewall with CDN gives you a tremendous performance boost and speeds up your website.

Most importantly, they offer to clean up your WordPress site if it gets affected by malware at no additional cost. You can even take a website already affected by malware, and they will clean it up for you.

WORDFENCE

Wordfence is another popular WordPress security plugin. They offer a free version of their plugin which comes complete with a powerful malware scanner, exploit detection, and threat assessment features.

The plugin will automatically scan your website for common threats, but you can also launch a full scan at any time. You will be alerted if any signs of a security breach are detected with the instructions to fix them.

Wordfence also comes with a built-in WordPress firewall. However, this firewall runs on your server just before loading WordPress. This makes it a little less effective than a DNS-level firewall like Sucuri.

ITHEMES SECURITY

iThemes Security is a WordPress security plugin from the folks behind the popular BackupBuddy plugin. Like all their products, iThemes Security offers a nice clean user interface with tons of options.

It comes with file integrity checks, security hardening, login attempt limiting, strong password enforcement, 404 detection, brute force protection, and more.

iThemes Security does not include a website firewall. It also does not include its own malware scanner and uses Sucuri’s SiteCheck malware scanner.

ALL IN ONE WP SECURITY

All in One WordPress Security plugin is a powerful WordPress security auditing, monitoring, and firewall plugin. It enables you to easily apply basic WordPress security best practices on your website.

It comes with features like login lockdown to prevent brute force attacks, IP filtering, file integrity monitoring, user account monitoring, scan for suspicious patterns of database injection, and more.

It also comes with a basic website-level firewall that can detect some common patterns and block them for you. However, it is not very efficient and often you will be required to manually blacklist suspicious IPs.

WP SCAN

WPScan is a unique WordPress security plugin because it uses its own manually curated WordPress vulnerability database that is updated daily by dedicated WordPress security specialists and community members.

They scan your site for over 21,000 known security vulnerabilities in WordPress plugins, themes, and core software.

You can schedule automated daily scans and get email notifications of the results. They have a free security API which is suitable for most websites, but you can upgrade to the paid plan if you have a larger site and use a lot of plugins.

You only need to use one plugin from this list. Having multiple plugins active from this list can lead to bugs.

Conclusion

If you don’t feel comfortable handling all of these security tasks by yourself then it is certainly worthwhile to consider a service like we provide at Realjossy.

The reasons to pay someone else to handle your WordPress security for you are the same reasons for paying any professional in any field – to save you time so you can focus on more important things and because that person knows more about it than you do.