WordPress security is a topic of great importance for every website owner. Google blacklists over 10,000 websites every day for malware and about 50,000 phishing websites every week.
If you are serious about your website, you need to pay attention to WordPress security best practices. In this guide, we will share all the WordPress security tips to help you protect your website from hackers and malware.
Although the basic WordPress software is very secure, and is regularly audited by hundreds of developers, there is a lot that can be done to keep your site safe.
At WPBeginner, we believe that security is not just about eliminating risk. It’s also about risk reduction. As a website owner, there is a lot you can do to improve the security of your WordPress site (even if you are not tech savvy).
We have a number of actionable steps you can take to protect your website from security vulnerabilities.
Are you ready? Let’s get started.
Why is site security important?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malware, and can even distribute malware to users.
Worse, you may find yourself paying a ransom to hackers just to regain access to your website.
In March 2016, Google reported that more than 50 million website users had been warned that the website they were visiting might contain malware or steal information.
Moreover, Google blacklists about 20,000 malware sites and about 50,000 phishing sites every week.
If your website is a business, then you need to pay extra attention to your WordPress security.
Similar to the responsibility of business owners to protect their physical store building, as an online business owner, it is your responsibility to protect your company’s website.
Constantly update WordPress
WordPress is an open source software that is maintained and updated regularly. By default, WordPress automatically installs minor updates. For major versions, you need to start the update manually.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who also regularly release updates.
These WordPress updates are essential for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins and themes are kept up to date.
Strong passwords and user permissions
The most common WordPress hacking attempts use stolen passwords. You can make this difficult by using stronger passwords that are unique to your website. Not only for the WordPress admin area, but also for your FTP accounts, database, WordPress hosting account and the custom email addresses that use your site’s domain name.
Many beginners do not like to use strong passwords because they are difficult to remember. The good thing is that you don’t need to remember passwords anymore. You can use a password manager.
Another way to minimize the risk is not to give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, make sure you understand user roles and capabilities in WordPress before adding new user accounts and authors to your WordPress site.
The role of WordPress hosting
Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider such as Bluehost or SiteGround takes additional measures to protect its servers from common threats.
Here’s how a good web hosting company works in the background to protect your websites and data.
- They are constantly monitoring their network for suspicious activity.
- All good hosting companies have tools to prevent large-scale DDoS attacks.
- They keep their server software, PHP versions and hardware up to date to prevent hackers from exploiting a known vulnerability in an outdated version.
- They have disaster and accident recovery plans in place that allow them to protect your data in the event of a major incident.
In a shared hosting plan, you share server resources with many other clients. This opens up the risk of cross-site contamination as a hacker can use a neighboring site to attack your website.
Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.
We recommend WPEngine as our preferred managed WordPress hosting provider. They are also the best known in the industry.
WordPress security in easy steps (no coding)
We know that improving WordPress security can be a terrifying idea for beginners, especially if you are not technical. Guess what – you’re not alone.
We have helped thousands of WordPress users enhance their WordPress security.
We’ll show you how you can improve the security of your WordPress with just a few clicks (no coding required).
If you can point and click, you can do it!
Install a WordPress backup solution
Backups are your first defense against any WordPress attack. Remember that nothing is 100% safe. If government websites can be hacked, yours can be hacked too.
Backups allow you to quickly restore your WordPress site in case something bad happens.
There are many free and paid plugins for backup in WordPress that you can use. The most important thing you need to know when it comes to backups is that you should regularly save Full Site Backups to a remote location (not your hosting account).
We recommend storing it on a cloud service like Amazon, Dropbox or private clouds like Stash.
Depending on how often you update your website, the ideal setup might be either once a day or a real-time backup.
The best WordPress security plugin
After the backups, the next thing we have to do is set up an audit and monitoring system that keeps track of everything that happens on your website.
This includes file integrity monitoring, failed login attempts, malware scanning, etc.
Fortunately, all this can be taken care of by the best WordPress security plugin, namely Sucuri Scanner.
You need to install and activate the free Sucuri Security plugin. For more details, please see our step-by-step guide on how to install a WordPress plugin.
Upon activation, you should go to the Sucuri menu in your WordPress administrator. The first thing you will be asked to do is create a free API key. This enables audit logging, integrity checking, email alerts and other important features.
The next thing you need to do is click on the “Hardening” tab from the settings menu.
Go through each option and click on the “Apply Hardening” button.
These options help you lock down key areas that hackers often use in their attacks. The only option that is a paid upgrade is the web application firewall, which we will explain in the next step, so skip it for now.
We’ve also covered a lot of these “hardening” options later in this article for those who want to do it without using a plugin, and for those that require additional steps like “change database prefix” or “change admin username”.
After the hardening section, the default plugin settings are good enough for most websites and don’t need any changes. The only thing we recommend customizing is “email alerts”.
The default alert settings can clutter up your inbox with emails. We recommend receiving alerts for key actions such as changes in plugins, registration of a new user, etc. You can configure alerts by going to Sucuri Settings » Alerts.
This WordPress security plugin is very powerful, so browse through all the tabs and settings to see everything it does, like malware scanning, audit logs, tracking failed login attempts, etc.
Enable Web Application Firewall (WAF)
The easiest way to protect your site and ensure the security of your WordPress is by using a web application firewall (WAF).
The website firewall blocks all malicious traffic even before it reaches your website.
- DNS-level website firewall: this firewall routes your website traffic through their cloud proxy servers. They then only send genuine traffic to your web server.
- Application-level firewall: these firewall plugins examine traffic once it reaches your server but before most WordPress scripts load. This method is not as efficient as a DNS-level firewall in reducing server load.
We use Sucuri and recommend it as the best web application firewall for WordPress.
The best part about the Sucuri firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically, if you are hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).
This is a very strong guarantee because repairing hacked sites is expensive. Security experts usually charge 250 dollars per hour. While you can get the entire Sucuri security stack for 199 dollars a year.
Improve the security of your WordPress site using the Sucuri firewall.
Sucuri is not the only DNS-level firewall provider out there. Another famous competitor is Cloudflare.
Move your WordPress site to SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol that encrypts the data transferred between your website and the user’s browser. This encryption makes it harder for anyone to sniff the traffic and steal information.
Once SSL is enabled, your website will use HTTPS instead of HTTP, and you will also see a lock icon next to your website address in the browser.
SSL certificates are usually issued by certificate authorities, and their prices range from 80 dollars to hundreds of dollars every year. Due to the added cost, most website owners chose to continue using the insecure protocol.
To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla and many other companies.
Now, getting started with SSL for all your WordPress sites has never been easier. Many hosting companies now offer a free SSL certificate for your WordPress website.
If your hosting company doesn’t offer one, you can buy one from Domain.com. They have the best and most reliable SSL deal on the market. It comes with a USD 10,000 security guarantee and a TrustLogo security seal.
WordPress security for DIY users
If you have done everything we have mentioned so far, you are in very good shape.
But as always, there is more you can do to enhance the security of your WordPress.
Some of these steps may require coding knowledge.
Change the default “admin” username
In the past, the default username for a WordPress admin was “admin”. Since usernames make up half of the login credentials, this made it easier for hackers to carry out brute force attacks.
Fortunately, WordPress has since changed this and now asks you to select a custom username at the time of WordPress installation.
However, some one-click WordPress installers still set the default administrator username to “admin”. If you notice that this is the case, it is better to switch your web hosting .
Since WordPress does not allow you to change usernames by default, there are three ways you can change the username.
- Create a new admin username and delete the old one.
- Use the Username Changer plugin.
- Update the username via phpMyAdmin.
Note: we are talking about the username “admin”, not the Administrator role.
Disable file editing
WordPress comes with a built-in code editor that allows you to edit theme and plugin files directly from your WordPress admin area. In the wrong hands, this feature can be a security risk, and that’s why we recommend turning it off.
You can easily do this by adding the following code to your wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Alternatively, you can do this in one click using the Hardening feature of the free Sucuri plugin that we mentioned above.
Disable PHP file execution in specific WordPress directories
Another way to enhance your WordPress security is to disable PHP file execution in directories where it is not needed, such as /wp-content/uploads/.
You can do this by opening a text editor like Notepad and pasting this code:
<Files *.php>
deny from all
</Files>
Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.
For a more detailed explanation, see our guide on how to disable PHP execution in specific WordPress directories.
Alternatively, you can do this in one click using the Hardening feature of the free Sucuri plugin that we mentioned above.
Limit login attempts
By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks, where hackers try to crack passwords by logging in with many different combinations.
This can be easily fixed by limiting the failed login attempts that the user can make. If you use the previously mentioned web application firewall, this will be taken care of automatically.
However, if you don’t have a firewall setup, continue with the steps below.
First, you need to install and activate the Login LockDown plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
When activated, visit the Settings » Login LockDown page to set up the plugin.
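To show what a login limiter does under the hood, here is an added example written for this article (it is not the Login LockDown plugin’s code or WordPress core). It uses real WordPress hooks; the lal_* function names, the limit of 5 attempts and the 15-minute lockout are our own assumptions.

```php
<?php
/**
 * Plugin Name: Limit failed login attempts (added example)
 *
 * Illustration written for this article, not code from the Login LockDown
 * plugin or WordPress core. Save it as wp-content/mu-plugins/limit-logins.php;
 * must-use plugins load without activation. Hook names are real WordPress
 * hooks; the lal_* function names and the limits below are our own choices.
 */

define( 'LAL_MAX_ATTEMPTS', 5 );                         // failures before lockout
define( 'LAL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // lockout length

// One counter per client address, stored as a transient so it expires on
// its own. Behind a CDN or proxy, REMOTE_ADDR is the proxy: only substitute
// a forwarded header here if your host sets it and you trust it.
function lal_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5( $ip );
}

// wp_login_failed fires for every rejected login, including attempts made
// while locked out, so hammering the form keeps extending the lockout.
function lal_record_failure( $username ) {
    $key      = lal_transient_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LAL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'lal_record_failure' );

// Refuse the login once the client is over the limit, even with the right
// password. Priority 30 runs after core's username/password checks (20), so
// a successful check cannot overwrite this verdict with a WP_User.
function lal_block_locked_out( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user; // the login form being displayed, not an attempt
    }
    if ( (int) get_transient( lal_transient_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_block_locked_out', 30, 3 );

// A successful login clears the counter for that client.
function lal_clear_on_success( $user_login, $user ) {
    delete_transient( lal_transient_key() );
}
add_action( 'wp_login', 'lal_clear_on_success', 10, 2 );
```

If the site runs behind a caching plugin or object cache, the transient lives in that cache, so the counter is shared across all PHP workers.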
Adding two-factor authentication
Two-factor authentication technology requires users to log in using a two-step authentication method. The first is a username and password, the second step requires you to authenticate using a separate device or application.
Most major websites like Google, Facebook and Twitter allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.
First, you need to install and activate the Two Factor Authentication plugin. When activated, you need to click on the “Two Factor Auth” link in the WordPress admin sidebar.
Next, you need to install and open the authentication application on your phone. Many of them are available such as Google Authenticator, Authy and LastPass Authenticator.
We recommend using LastPass Authenticator or Authy because both allow you to back up your accounts on the cloud. This is very useful in case you lose your phone, reset it, or buy a new one. All logins to your account will be easily restored.
We will use LastPass Authenticator in this tutorial. However, the instructions are similar for all authenticator applications. Open your authenticator application, and then click the “Add” button.
You will be asked if you want to enter a site manually or scan a barcode. Select the scan barcode option and then point your phone’s camera at the QR code shown on the plugin settings page.
That’s all; the authenticator application will now save it. The next time you log in to your website, you will be asked for a two-factor authentication code after entering your password.
Just open the authentication app on your phone and enter the code you see on it.
Changing the WordPress database prefix
By default, WordPress uses wp_ as a prefix for all tables in your WordPress database. If your WordPress site uses the default database prefix, it makes it easier for hackers to guess your table names. That is why we recommend changing it.
You can change the prefix of your database by following the step-by-step tutorial on how to change the prefix of a WordPress database to improve security .
This can break your site if not done correctly. Only proceed if you feel comfortable with your coding skills.
Password protect the WordPress admin directory and login page
Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.
You can add additional password protection at the server-side level, effectively blocking such requests.
Disable directory indexing and browsing
Hackers can use directory browsing to see if you have any files with known vulnerabilities, so they can exploit those files to gain access.
Directory browsing can also be used by other people to search your files, copy photos, find out the structure of your directory and other information. That is why it is highly recommended to turn off directory indexing and browsing.
You need to connect to your website using FTP or the cPanel file manager. Next, locate the .htaccess file in the root directory of your website.
Next, you need to add the following line at the end of the .htaccess file:
Do not forget to save and upload the .htaccess file back to your site.
Disable XML-RPC in WordPress
XML-RPC has been enabled by default since WordPress 3.5 because it helps connect your WordPress site to web and mobile applications.
Due to its powerful nature, XML-RPC can greatly amplify brute-force attacks.
For example, if a hacker wants to try 500 different passwords on your website, they would normally have to make 500 separate login attempts, which will be detected and blocked by the Login LockDown plugin.
But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with just 20 or 50 requests.
That’s why if you don’t use XML-RPC, we recommend that you disable it.
There are three ways to disable XML-RPC in WordPress.
The .htaccess method is the best because it is the least resource intensive.
If you are using the previously mentioned web application firewall, then this firewall can take over.
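Disabling XML-RPC from code, as an added example for this article (not code from WordPress core, Sucuri or any plugin): it turns off XML-RPC logins, which is what removes the system.multicall password-guessing amplification described above, and also removes the pingback methods and the headers that advertise the endpoint. Hook names are real WordPress hooks; the dx_* function names are our own.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Illustration written for this article, not code from WordPress core or a
 * plugin. Save as wp-content/mu-plugins/disable-xmlrpc.php. This is the
 * "code" option; the .htaccess option the article prefers blocks xmlrpc.php
 * before PHP runs at all. Hook names are real WordPress hooks; the dx_*
 * function names are our own.
 */

// Refuse every XML-RPC login. The server checks this filter before it
// compares any password, so a system.multicall batch of thousands of
// wp.getUsersBlogs calls now fails thousands of times without testing a
// single credential.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Unauthenticated methods are not covered by xmlrpc_enabled, so remove the
// pingback methods that let the site be used to hit other servers.
// Note: unsetting 'system.multicall' here would not work; the IXR server
// re-registers it after this filter runs, which is why the login switch
// above is the effective control.
function dx_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'dx_remove_pingback_methods' );

// Stop advertising the endpoint: drop the X-Pingback response header and
// the RSD <link> in the page head that both point clients at xmlrpc.php.
function dx_strip_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'dx_strip_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );
```

After deploying it, a POST to xmlrpc.php with a login method should return an XML fault with code 405 rather than a login result, which is an easy check to add to your monitoring.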
Automatically log out of Idle Users in WordPress
Logged-in users can sometimes walk away from the screen, and this poses a security risk. Anyone can hijack their session, change passwords or make changes to their account.
That is why many banking and financial sites automatically log out the inactive user. You can implement similar functions on your WordPress site as well.
You will need to install and activate the Inactive Logout plugin. When activated, visit the Settings » Inactive Logout page to configure the plugin settings.
Just set the time duration and add the logout message. Don’t forget to click on the Save Changes button to store your settings.
Add security questions to the WordPress login screen
Adding a security question to the WordPress login screen makes it more difficult for someone to gain unauthorized access.
You can add security questions by installing the WP Security Questions plugin. When activated, you need to visit the Settings » Security Questions page to configure the plugin settings.
Checking WordPress for malware and security vulnerabilities
If you have a WordPress security plugin installed, these plugins will routinely check for malware and signs of security breaches.
However, if you see a sudden drop in website traffic or search rankings, you may want to do a check manually. You can use the WordPress security plugin, or use one of these malware and security scanners .
Performing such online scans is quite straightforward: you just enter your website’s URLs and their crawlers visit your website to search for malware and known malicious code.
Now keep in mind that most WordPress security scanners can only scan your website. They cannot remove malware or clean up a hacked WordPress site.
This brings us to the next section, which is cleaning up malware and hacked WordPress sites.
Fixing a hacked WordPress site
Many WordPress users don’t realize the importance of backups and website security until their website is hacked.
Cleaning a WordPress site can be very difficult and time-consuming. Our first tip is to let a professional take care of it.
Hackers install backdoors on the affected sites, and if these backdoors are not fixed correctly, it is likely that your website will be hacked again.
Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you from any future attacks.
Additional advice:
Identity theft and network protection
As small business owners, it is crucial that we protect our digital and financial identity because not doing so can lead to significant losses. Hackers and criminals can use your identity to steal your website domain name, hack your bank accounts, and even commit a crime for which you can be held responsible.
4.7 million incidents of identity theft and credit card fraud were reported to the Federal Trade Commission (FTC) in 2020.
That is why we recommend using an identity theft protection service like Aura (we use Aura ourselves).
It provides device and wifi network protection through a free VPN (virtual private network) that encrypts your internet connection wherever you are. This is great when traveling or accessing your WordPress admin from a public place like Starbucks, so you can work online safely and privately.
Their dark web monitoring service constantly monitors the dark web using artificial intelligence and alerts you if passwords, Social Security number and bank accounts have been hacked.
This allows you to act faster and better protect your digital identity.
That’s all, we hope this article helped you learn WordPress security best practices as well as discover the best WordPress security plugins for your website.
You may also want to check out our Ultimate WordPress SEO Guide to improve your SEO rankings.