WordPress is by far the most popular content management system, powering over 43% of all websites on the internet. But this widespread adoption also makes WordPress a prime target for hackers and malicious actors.
According to a recent report, 73.2% of the most popular WordPress installations are vulnerable to attack. Website security firm Sucuri found that WordPress sites were the target in over 90% of all hacking attempts in 2018.
The consequences of a hacked WordPress site can be severe – defacement, stolen data, crashed servers, loss of search rankings, and a ruined reputation. But by taking some proactive steps and following security best practices, you can greatly reduce the risk of your site becoming compromised.
In this comprehensive guide, we‘ll cover 16 essential WordPress security tips that every website owner should implement, from basic measures to more advanced techniques. Whether you‘re running a small personal blog or managing a large business site, these tips will help keep your WordPress installation safe and secure.
8 Basic WordPress Security Tips All Site Owners Should Follow
Let‘s start with some fundamental security measures that every WordPress user needs to know. These tips require minimal technical knowledge to implement but can make a big difference in protecting your site.
1. Keep WordPress Core, Themes and Plugins Updated
One of the simplest yet most crucial security practices is to always keep your WordPress software up-to-date. This includes the WordPress core, as well as any themes and plugins you have installed.
Hackers are constantly looking for known vulnerabilities in outdated versions of WordPress to exploit. Updates often include security patches to fix these flaws. So by running the latest versions, you eliminate potential entry points for attackers.
To update WordPress core, simply log into your WordPress dashboard. If an update is available, you‘ll see a notification at the top of the screen. Be sure to backup your site before initiating the update.
You can update your themes and plugins from the same dashboard under the "Updates" menu. It‘s good practice to remove any unused themes or plugins to minimize potential security holes. Only install extensions from reputable sources to avoid malware-laced files.
2. Use Strong Usernames and Passwords
Weak login credentials are one of the easiest targets for brute force attacks, where hackers use automated scripts to repeatedly guess username/password combinations.
Avoid using generic usernames like "admin" or "administrator" that are easy to predict. Instead, choose something unique that can‘t be easily guessed. For passwords, make them long and complex, using a mix of uppercase and lowercase letters, numbers, and symbols. Avoid dictionary words or personal information.
You can use a tool like LastPass or 1Password to generate and store strong passwords. Enable two-factor authentication for an additional layer of login security (more on this in a bit).
3. Limit Login Attempts
By default, WordPress allows unlimited login attempts, which leaves your site vulnerable to brute force attacks. After a few failed logins, WordPress should lock out the user‘s IP address to prevent further guesses.
You can implement login attempt limiting with a plugin like Login LockDown or Cerber Security. These tools track failed login attempts and automatically ban suspicious IP addresses.
Some security plugins like Wordfence and iThemes Security have this feature built-in too. Choose a reasonable limit, such as 3-5 failed attempts within 15-60 minutes, before the lockout is triggered.
4. Enable Two-Factor Authentication
Two-factor authentication adds an extra step to the login process, requiring users to enter a code from their mobile device in addition to the username and password. This makes it much harder for attackers to gain unauthorized access, even if they manage to crack the password.
You can enable two-factor authentication with a plugin like Google Authenticator, Duo Two-Factor Authentication, or Rublon. Users will need to install the authenticator app on their phone to generate the codes.
While it adds a small extra step, two-factor authentication is a highly effective security measure that all WordPress sites should employ, especially those dealing with sensitive data or e-commerce.
5. Use SSL/HTTPS Encryption
SSL (Secure Sockets Layer) creates an encrypted link between the web server and browser to protect data transmitted between the two. You can tell a site is using SSL if the URL starts with "https" instead of "http".
Not only does SSL improve security, it‘s also a ranking factor for SEO. Google has stated that HTTPS is a "lightweight signal" in their search algorithms. SSL certificates are fairly cheap and easy to install through your web host. Let‘s Encrypt offers free SSL as well.
Once SSL is set up, install a plugin like Really Simple SSL to force a sitewide redirect to HTTPS. This ensures all traffic to your site is encrypted.
6. Be Cautious with Plugins and Themes
The huge variety of plugins and themes is one of the best things about WordPress. But installing extensions from untrusted sources can expose your site to malware, backdoors, and other malicious code.
Only download plugins and themes from reputable marketplaces and developers. Check reviews, ratings and support threads to gauge the author‘s credibility before installing. Codecanyon, ThemeForest, MOJO Marketplace and the official WordPress.org directories are some of the safest sources.
Be wary of "nulled" or pirated premium themes and plugins floating around the web. These may be infected with malware and lack important security updates. Plus, using licensed software without permission is unethical.
Finally, delete any plugins or themes you‘re no longer actively using. Unused extensions can still contain vulnerabilities that put your site at risk.
7. Understand User Roles and Permissions
WordPress has six default user roles controlling what actions each user can take – Administrator, Editor, Author, Contributor and Subscriber.
The Administrator role has the most control with access to all functions. Be very selective about who you grant admin privileges to.
Editors can publish and edit any posts, while Authors can only publish and edit their own posts. Contributors can write and edit their own posts but not publish them.
Subscribers have the least access – they can only manage their user profile.
Assign users the lowest level role they need to do their job. Don‘t give someone admin access if editor will suffice, for example. If a user account is compromised, this minimizes the potential damage. You can further customize roles and permissions with a plugin like User Role Editor.
8. Backup Your Site Regularly
Even with the best security measures in place, there‘s no guarantee your site won‘t be compromised. Having frequent, reliable backups is your safety net to restore your site if something does go wrong.
At the very least, you should run full backups on a weekly basis, with more frequent incremental backups if your site is updated regularly. Store at least one copy of the backups off-site, such as on a remote backup service like VaultPress, BackupBuddy, or UpdraftPlus.
With an up-to-date backup, you can always revert your site to a clean version if it gets hacked or corrupted. Some WordPress backup plugins can even scan for malware and automatically remove infections.
8 Advanced WordPress Security Tips for More Robust Protection
Once you‘ve implemented the basic security configurations, consider adding some of these more advanced measures for an extra line of defense. These tips may require a bit more technical know-how to set up.
9. Change the Default Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in the database. Hackers know this and can use SQL injection techniques to manipulate the database.
Changing the default prefix to something unique makes it much harder for hackers to guess the table names. You can either edit the prefix directly in the wp-config.php file, or use a plugin like WP-DBManager to change it through a graphical interface.
10. Disable File Editing
WordPress has a built-in theme and plugin file editor in the admin dashboard that allows users to modify the code directly on the server.
This is convenient, but also poses a risk if hackers gain access to an admin account. They could inject malicious code straight into your theme or plugin files.
It‘s safer to disable this feature entirely. You can do so by adding the following line to your wp-config.php file:
define(‘DISALLOW_FILE_EDIT‘, true);
You‘ll have to edit your files with FTP or through cPanel moving forward but your site will be more secure.
11. Move wp-config.php and Secure It
The wp-config.php file is one of the most important in your WordPress installation. It contains your database login credentials and security keys and salts.
You can move the file one directory above the root directory for your site, preventing it from being accessed directly. Make sure the file permissions are set to 400 or 440 to restrict access. You may need to adjust the include path of the wp-settings.php file in the index.php file.
12. Disable PHP Execution in Untrusted Folders
PHP is the programming language WordPress is built on. Unfortunately, it‘s also a common target for hackers to execute malicious code on your server.
You can disable PHP execution in directories where it‘s not needed, like the /uploads/ folder. Paste this code in your .htaccess file:
<Files *.php>
deny from all
This prevents any PHP files from running in the specified folder. You can repeat the process for wp-includes, wp-content/plugins, and wp-content/themes.
13. Disable Directory Browsing
Directory browsing lets users see a list of files in a directory on your site if there‘s no index file present. This can give hackers valuable information about your site‘s structure to find vulnerabilities.
You can turn off directory browsing in your .htaccess file by adding the following line:
Options All -Indexes
14. Change the WordPress Login URL
By default, the WordPress login page is located at yourdomain.com/wp-login.php or yourdomain.com/wp-admin. Hackers know this and can easily fire off brute force login attempts.
You can change the default login URL to something less predictable with a plugin like WPS Hide Login. You could set a custom slug like /mysecretlogin for example. Remember to bookmark the new URL so you don‘t get locked out.
15. Add Security Questions to WordPress Login
Adding security questions provides an additional challenge for hackers to get through. A plugin like WP Security Questions allows you to set up custom security questions users must answer to log in, even if they enter the correct username and password.
16. Implement a Web Application Firewall (WAF)
A web application firewall filters and monitors HTTP traffic between the web application and the Internet. It operates on a set of rules to detect and block common web attacks like SQL injection, cross-site scripting, and file inclusion.
Services like Sucuri and Cloudflare offer cloud-based WAF that can be easily integrated with WordPress. Wordfence, a popular WordPress security plugin, has a built-in WAF as well. A WAF provides robust protection against a range of potential threats.
What to Do If Your WordPress Site Gets Hacked
Even with the most rigorous security configurations, there‘s still a slim chance your site may get compromised. If you suspect your WordPress site has been hacked, here are the steps you should take:
-
Scan for Malware: Run a deep scan with a malware removal tool like Sucuri SiteCheck or Wordfence. These will identify any malicious code or files on your server. Remove the infected files or restore from a clean backup.
-
Change All Passwords: Assume all passwords have been compromised. Change the passwords for your hosting account, FTP, WordPress admin, and database. Use strong, unique passwords for each account.
-
Update Everything: Update WordPress core, themes, and plugins to the latest versions to patch any known vulnerabilities. Remove any unused themes or plugins.
-
Check User Accounts: Review all user accounts and remove any suspicious ones. Change the passwords for all legitimate accounts.
-
Reinstall WordPress Core: To ensure no infected files remain, delete the old WordPress files and do a fresh install. Don‘t overwrite the wp-config.php file or .htaccess file if they weren‘t infected.
-
Prevent Future Attacks: Carefully review how the hackers gained access and take steps to prevent it from happening again. Implement as many of the security configurations from this guide as possible. Monitor your site closely and consider signing up for a security monitoring service for added peace of mind.
Conclusion
Website security is an ongoing process that requires constant vigilance. But by following the tips outlined in this guide, you can fortify your WordPress site against the most common threats.
Remember, your site is only as secure as its weakest point. Stay on top of updates, use strong authentication methods, lock down the admin dashboard, and always keep a clean backup on hand.
No system is completely bulletproof, but implementing these WordPress security best practices will minimize the risk and protect your site from the majority of potential attacks. Stay safe out there!