How to Secure Your WordPress Site: The Complete Guide

WordPress is very beginner-friendly and easy to learn, but many users often forget one factor — security. In this article, we'll go over the pros and cons of WordPress security in detail, and give you tips for making your website safer.

Creating your own WordPress site is both exciting and overwhelming. There’s a lot you need to do to set everything up, from picking out a theme to writing your first blog post. Yet, the one factor many people neglect is security.

WordPress is very beginner-friendly and easy to learn, but that comes with some caveats. Hackers like to take advantage of relatively inexperienced users and breach new websites. They do so to get access to sensitive information or use the site to spread malware to unsuspecting visitors.

After all, WordPress powers almost 35% of the web. That means more than a third of all sites share similar vulnerabilities, making it a lucrative target for hackers. So is WordPress still really worth using? Aren’t we just opening ourselves up to being hijacked?

The truth is, with the right knowledge, using WordPress is arguably just as safe, if not safer, than making your own website. It’s impossible to develop an impregnable website that will never ever be breached. Even if you’re trying to create your own site from scratch, remember that you’re on your own.

WordPress users have access to hundreds of resources, like this one that can help patch security holes, making it all but impenetrable. Let’s go over the pros and cons of WordPress security in detail, and give some tips for making your website safer.

WordPress: Is an Open Source Product Really Secure?

WordPress is open source, which means that the code that runs your website is free to be examined by anyone who wants to. This includes hackers searching for vulnerabilities to exploit. With that in mind, is it safe to use open source platforms?

As it happens, using open source platforms can be much safer than making your own site, especially if you have no idea what you’re doing. Many programmers will have an understanding of how to make a secure system, but you’ll often need to hire a security engineer to be fully protected. And even then, you’ll have to maintain your own code and keep it updated, and that’s expensive.

WordPress’ code isn’t only scoured by hackers. It’s also maintained by the WordPress security team, volunteer developers, ethical white hat hackers, and other interested parties with good intentions. So even if something slips through, there’s a good chance it’ll be caught fast.

Most security breaches aren’t even caused by a vulnerability in an up-to-date WordPress installation. They happen because people don’t keep WordPress and its plugins up to date, they may install malicious software accidentally, or use insecure passwords. If you follow good practices, chances are you’ll be perfectly safe.

That said, let’s dive into some of the things you can do to protect your WordPress site.

Choose Secure Hosting

One major factor behind these security vulnerabilities is low-quality hosting

Invest in a host that places high value on security. You aren’t doing yourself any favors if you feel that cheaper hosting costs outweighs security. Part of your market research must include looking into the hosting company’s security record. Are they security-conscious? Do they rely on latest technology and standards? 

This is also true for shared hosting. While it is a cheaper option, it also means that you’re sharing server space with other customers. Unfortunately, all it takes is for one website to get infected, and the malware to spread across every site on the network. 

This is why we should consider upgrading to cloud, VPS, or dedicated hosting when we can afford it.

In addition, we should be looking for a host that offers the following services:

    • Up to date server software – Too many hosts still run on PHP 5, which has long lost support. At this point in time, servers should at least use PHP 7.0+. The same goes for other software like cPanel, MySQL or other database programs, and the operating system.

    • Malware monitoring and removal – Pick a host that actively makes an effort to detect and prevent malware infections, and possibly offers malware scanning and removal for when you do get breached. Not all web hosts have a policy for removing malware from an infected site, and among those that do, some will charge extra for this service.

    • Firewalls and other security measures – There are many ways that hosting providers can increase their server security. Possibly, the most effective among them is to rely on a firewall as it prevents unauthorized outside access to the server. It might be a good idea to check whether a provider has this and other means of prevention in place before making a choice.

Install an SSL Certificate

A Secure Sockets Layer (SSL) certificate encrypts the data served between the user and your website. This is something that is perhaps crucial to sites where users exchange payment info, and less relevant to informational blogging websites. 

SSL grants you an HTTPS URL and a certificate to go with it, without which users will receive a red “Not secured” notification in the address bar when visiting our site. Tech-savvy visitors will know that this does not pose a risk if they’re merely browsing, but it will definitely scare off many others.

Over the years SSL certificates have built trust among users, and practically tells them that our identity is verified and authenticated by a trusted provider. It won’t directly prevent us from getting hacked, but it’s still good to have. If your website does collect info through forms, for payments, etc, you absolutely must get one.

IdenTrust and Comodo are currently the most popular providers of SSL certification. Plugins like Really Simple SSL can help you set up the certificate and get HTTPS running.

Back-Up Your Website

Before you even begin making changes to your site, before updating WordPress or installing a plugin, the very first thing you should do is set up your backups. This way, no matter what the worst case scenario is, an accidental change to the code, WordPress glitch, a corrupted database – we have a solution.

Even if our site gets hacked, and the damage is irreparable, we won’t have to build it all over again from scratch.

Manual backups, copying files and transferring them manually to hard-drive or cloud, are the free but time-consuming. True, we can do this as often (once a day) or as rarely as we want. Although a backup done once every 6-months might be a little risky.

Check to see if your host offers weekly, monthly, or daily automated backups. This service is usually commercial, but occasionally free. If this is the case, and your host backs up both your files and database, you don’t need to do anything else. Though it may be a good idea to keep a few manual backups just in case.

WordPress Backup Plugins

If our host doesn’t offer website backups, or if the backup provided by our host excludes files or our database, we can also rely on plugins.

It’s a good idea to have at least a solid solution for each website you own or administer, and WordPress backup plugins can provide that extra layer of protection.

iThemes is one good example. This security plugin offers free database backups, along with its suite of tools and patches. Their related plugin BackupBuddy allows you to do a full site backup as well.

Free or freemium plugins like UpdraftPlus, BackUpWordPress, and VaultPress also do the job efficiently and are worth checking out. 

Remember that even if you decide to rely on a backup plugin, you will still need a security plugin, such as Wordfence, if you want to stay safe.

Don’t wait till it’s too late. Setting up your security at the last minute is as effective as fixing the holes in your roof during a rainstorm. 

Spending an hour or so to set up your backups and security will save you months, perhaps even years of work.

Keep Your Plugins and Theme Secure

If you’ve chosen a good host, and your backups are set up, you have a fairly good security infrastructure in place. But there are still a few more things that you should do to fully secure your site. 

An outdated plugin or an insecure theme is the huge gateway for infiltrating your website. Keeping them updated helps to patch up potential holes, preventing this from happening.

Updating your site components is as simple as going to your WP admin dashboard and checking for update notifications under Dashboard > Updates.

Mark any themes or plugins you want to update by ticking the boxes, then click the button at the top/bottom to start updating them. If you have a habit of ignoring these alerts, it’s time to stop. 

As you know, plugins and themes can be updated through the Plugins and the Themes tabs. Also, not all premium third-party themes push automatic updates, so you might want to check their websites every now and then.

More importantly than updating your plugins and themes is keeping WordPress up to date.

39% of hacked WordPress sites were outdated. Sometimes you may need to push off an update because it may interfere with a plugin you’re using, but eventually you may have to lose the plugin to save your site. Leaving WordPress outdated for months is possibly the worst thing you can do.

(Pro tip: Always back-up your site before introducing updates. Just in case there is a hiccup.)

While you’re at it, you should remove the version number from your source code.

By default, WordPress websites carry a meta tag containing the WordPress version number that the site is using. We have to agree with security specialists that this just makes life too easy for hackers. 

You can manually remove WordPress’ version number by placing some simple code into your functions.php file. If, as we’ve suggested, you are using a WordPress security plugin, many of them hide your WP version automatically. If you’re considering using a performance plugin, the Perfmatters plugin also includes an option to hide WP version.

Install Plugins and Themes From Reliable Sources

Another big mistake WordPress users make is getting their plugins and themes from unreliable vendors. A bad theme or plugin can corrupt, deface, or inject malware into your pages. 

Third-party websites and developers are not endorsed by WordPress, and as such, you never know what you’re getting. It would be best to avoid anything coming from unknown websites. If the plugin in question has many positive reviews and seems to be popular, it should be safe enough to install. 

Bad plugins can slip through the cracks.

Even if a plugin is in the official directory, it is not guaranteed to be safe. Before downloading anything from the repository, take a look at the stats listed in the sidebar on the right of the page. Avoid downloading plugins that haven’t been updated over the last year or more, have less than a few hundred installations, or receive low ratings. 

The same is true for themes. WordPress offers a some themes in the theme repository (including our own Hello theme). If, like many users, you’re looking for more variety, be sure to only purchase your themes from vendors and creators who are trusted and well-known in the community.

You should avoid “nulled” WordPress plugins and themes. Nulled software is a term used for premium plugins distributed for free, and without permission.

Besides being questionable and possibly illegal, nulled themes and plugins are a huge security risk. By relying on a developer already acting unethically to not include malware in the code, is about as sensible as asking a mouse to guard your cheese.

Some nulled distributors include code that causes excessive ads to appear on your site, distribute malware, or outright corrupt your database. Plus, you won’t have access to any updates, and that can leave you vulnerable to attack when the software becomes outdated.

All in all, it’s well within our best interest to avoid nulled plugins all together, and only install software from the WordPress repository or trusted vendors.

Disable File Editing

WordPress comes with a set of easy-to-reach theme and plugin editors. You can find them under Appearance > Theme Editor and Plugins > Plugin Editor. These allow direct access to your site’s code.

While these tools are useful to some, many WordPress users aren’t programmers and will never need to touch anything here. Playing around with this code without knowing what you’re doing is a sure way to break things. If you are such a user, it’s best to just disable file editing, as hackers can use the file editor to quickly execute malicious code or delete entire parts of your website. Disabling this slows them down.

You could also turn off the theme and plugin editors with one line of code in wp-config.php. If you end up needing to edit your site or plugins, just temporarily turn them back on. Alternatively, you can edit them via an FTP client.

Disabling file editing won’t necessarily prevent attackers from doing damage, but it can confuse less experienced hackers and stop them in their tracks. At the very least, it’ll make it a little more difficult for them and give us more time to realize something is wrong.

Strengthen Your Login Process

When someone figures out your password without resorting to exploiting the site’s code, it’s most likely a result of brute force attacks. This involves forcibly trying various combinations of letters and numbers until they get the password right.

Sometimes a potential attacker will try common combinations, before moving on to using programs run an automated process that tries several random password combinations per second.

If you’re beginning to feel as though you might as well give up all hope of keeping your sites secure, don’t. There are tons of ways to slow down hackers, deter, and even prevent attackers from doing things like brute force attacks.

WordPress’ default installation relies on a similar login path each time. Making this a prime and easy target for hackers trying common or easily guessable passwords.

The reason that so many people continue to use WordPress is that many of these issues are easily fixed.

Create a Strong Login Combination

The first and most important step is to choose a proper username and password. We could hide the login page under a different URL, but if you’re login is something as mundane as admin/password, it wouldn’t make any difference once hackers find it. 

Here’s a list of usernames you should definitely avoid.

  • Admin – This used to be the default username for WordPress and is, therefore, one that will definitely be tried in a brute force attack.
  • Your real name or nickname – This is both public information and as easy to guess as “admin”. In addition, it can make sense to create a separate profile without administrator right to publish content. That way, the username of the main login does not appear on the website.
  • Any personal information – Including birthday, etc. Only use a personal detail if it’s something no one could ever know.
  • The title of your site, or something obviously related to it  – “Kittens” for a cat adoption agency, etc.

You also need to choose a secure password. The general gist of this is the same: avoid personal info, obvious choices like “password”, or anything clearly related to your website.

A good password is 10+ characters, uses a variety of characters, and avoids common words and phrases. The best passwords are a long series of completely random letters, numbers, and symbols that no one could ever possibly guess. Services like Secure Password Generator can help you create them.

If you have a hard time remembering your login information, consider using a service like LastPass.

Lock Down Your Login Page

By default, anyone can log into your website by going to yoursite.com/wp-admin. You can stop them in their tracks by changing the URL entirely. WPS Hide Login allows you to switch it to whatever you want. Just install it and go to the plugin settings to change it.

You should use a login path that isn’t obvious. It might deter them a little if you change it to something like /login or /new-login, but if they’re determined, they’ll figure that out pretty quickly. Therefore, it’s better to choose something very hard to guess like /jacksparrowshideout.

Next, install a plugin to limit login attempts. Any person can spam your server with hundreds of requests until they guess it right. A plugin that limits login attempts will give them only a few chances before they’re locked out. It can also detect and redirect bots away from your login page.

Alternatively, you could activate a CAPTCHA to slow them down even further.

At this point, most hackers will search for easier targets. They can keep trying once their time is up, but in that time we could check our audit logs, notice their attempts to get in, and issue an IP ban. 

You could also try Cloudflare Rate Limiting. This automatically detects brute force as well as DDoS attacks and blocks the offending IP address.

The last step is to set up two-step authentication using a plugin. Besides requiring a username and password to get in, it asks the visitor for a third authenticator. The most common is a text verification of a message sent to your phone. A hacker might be able to gain access to your email,but it’s very unlikely they could steal your phone.

Keep WordPress Safe

An untouched installation of WordPress is open to attackers. Neglecting security leaves you vulnerable to hackers looking to defaced, deleted, or even injected your site with malware. 

However, a day spent installing and setting up the right security plugins and filling in all those little holes could make all the difference.

By following the advice we’ve provided, your site will be far safer from attackers. The great part is, many of these methods are “set-it-and-forget-it” actions. Simply changing one setting and you won’t need to think about it for a long time.

In summary: Pick a trustworthy host with secure servers, install an SSL certificate if you’re collecting user data, keep your website backed up and your installation and themes up to date, and make sure you have a secure login. Do all this and hackers, especially amateur hackers, will be stopped at the gate.

Has your WordPress site ever been hacked? How did you manage to reclaim your website and clean it up? We’d love to hear your story in the comments.

About the Author

Nick Schäferhoff
Nick Schäferhoff
Nick Schäferhoff is an entrepreneur, online marketer, and professional blogger from Germany. When not building websites, creating content or helping his clients improve their online business, he can most often be found at the gym, the dojo or traveling the world with his wife.

Share on

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp

you might also like

Liked This Article?

We have a lot more where that came from! Join 885,286 subscribers who stay ahead of the pack.
By entering your email, you agree to our Terms of Service and Privacy Policy.

Comments

22 Responses

  1. Almost all shared hosting nowadays works with containerized accounts, so your remark about 1 website being hacked can takeover all websites on the server is not applicable anymore.

    1. Yep that would apply to high density shared hosting. Which in this day and age and at the price point go get your own VPS for site hosting.

    2. Incorrect. Before I knew about having to set security on WordPress my blogs were hacked (a few momths ago) and so were my websites made in Adobe software. The websites had never been hacked before and I’ve been creating in this software and Adobe’s other apps prior to this one for many years without ever having a security problem,

    3. Your not quite right. We had to deal with it on Hostgator, on of the largest hosting companies, not so long ago. That’s why we moved to Siteground. With the new interface on Siteground it’s imposslible from now on.

  2. Great stuff. This is all WordPress 101 but so surprising how many people don’t do this stuff or think about. I’d like to see a more advanced post many on steps to take if you’re site has been compromised.

  3. Glad to see Wordfence mentioned. My default installation includes Wordfence and Bulletproof Security Pro. The two types of security blocks all of the incoming hacking attempts. BPS Pro also allows me to add in a captcha question that only I know, like “What’s in that bottle?” (example answer: Cthulhu’s mother-in-law)

    Also good to see a discussion of account names. Too many folks go with their first name as the admin account or leave it at “admin”, “root”, or “administrator”. I always make it something unique like UglyMastadon. Always make sure to change the default account so it displays your normal name on all posts else you’ll be broadcasting your “secret” identity.

  4. Very good! I love LastPass because there’s no way I could remember my hundreds of software logins, and there’s no way I’d want to make them all the same.

    I like using Math Captcha plugin and add to the WP admin login screen and blog comments too. It’s very effective in cutting down the amount of spam and hacking attempts.

  5. When it comes to plugin updates, I recommend that users read the change log and don’t update immediately unless the update contains security fixes. New updates can include new vulnerabilities, so let others be the guinea pigs for plugin developers. After a few weeks, either the plugin will include new minor releases fixing those bugs or it will be tested well enough by others that it is probably safe to install.

    1. Automattic’s Jetpack has crashed my website on numerous occasions, enough that I avoid installing major updates like 1.2 and wait for the inevitable 1.21 to roll out to fix what they broke. I agree that folks should always read the change log before updating. Sometimes they take away features that you need or switch them to their paid version.

  6. One technique… or I’m not sure if I should call it that, anyway, one of the things I like to do, is narrow down my go-to Plugins. What I mean by this, is I only install no more than 5, 6 tops, plugins on ANY of my (or client’s) websites. I’ll add them below in case anyone is curious to know which ones;

    1) Elementor
    2) Elementor Pro
    3) WP Rocket
    4) The SEO Framework
    5) Head, Footer and Post Injections

    The 6th depends if the sites run any kind of ads. Those are it. I try to do everything else manually, as much as possible (i.e. modify the htacess file, keep analytics in Google, have good secured hosting, pay for auto backups, etc).

    ..oh, one other thing I am obsessed about, is updates! I literally check ALL my sites for plugin updates every other day (habit). And finally, I started using Elementor’s Hello Theme a couple of months ago – so far so good!

  7. Currently building a hosting solution using WPMU and the only thing my clients can do is post to a blog. Since we will be developing and maintaining the sites, all else is locked down.

    Anyone know how to manage individual site traffic or how to tell which site is pulling the most traffic?

    I am using Azure, and I can tell what is happening disk and vm traffic, but not from an individual site.

    1. Pictures with an own mark in it. Because everything which is been showed on a screen can be copied easily. PDF files can be secured by
      a password but you need to have Adobe Acrobat Pro or a similar software solution. But even then, there is software to crack them. So don’t rely on these techniques. Stealing content is something you have to deal with but most people are honest in my opinion. Remember that it’s hard to protect all content because you have to spread the word. At least to Google 😉

  8. (1)
    LetsEncrypt.org
    is a free, automated, and open certificate authority (CA), run for the public’s benefit, and widely used.
    LetsEncrypt.org provides free SSL certificates and tools to install them. LetsEncrypt is widely used.
    The other 2 SSL providers charge about $100 PER YEAR!
    (2)
    define(‘DISALLOW_FILE_EDIT’, true);
    is the one line of code to disable theme and plugin editors.

Leave a Reply

Your email address will not be published. Required fields are marked *

Want to learn how to build better websites?

Join 885,286 Elementors, and get a weekly roundup of our best skill-enhancing content.

By entering your email, you agree to our Terms of Service and Privacy Policy.