Every website owner understands the importance of WordPress security. Over 10 thousand websites get blocked by Google each day because of malware, and nearly 50 thousand websites are blocked every week for phishing.
Anyone serious about their website should take WordPress security seriously and follow the best practices it requires. In this guide, you will learn the best tips for WordPress security; they will help you protect your site against malware and hackers.
Although the core WordPress software is secure and is audited regularly by many developers, there is much more you can do to secure your website.
When we talk about security, we do not mean only eliminating risks; we also mean reducing them. If you own a website, there is a lot you can do to improve the security of your WordPress install, and you do not have to be tech-savvy to do it.
Your website can be protected from security vulnerabilities if you take the actionable steps described in this article.
Why Is It Essential to Secure Your Website?
A hacked WordPress website can badly damage your business reputation and revenue. Hackers can steal your passwords and user information, install malicious software, and spread malware to the users of your site.
Worst of all is ransomware, which can force you to pay the hackers a large sum to regain access to your site.
According to Google, in 2016 over 50,000,000 users were warned that a site they were visiting contained malware or was stealing information.
WordPress has long had a reputation for being susceptible to security issues and for not being an inherently secure platform for business use. This is mostly because users keep following practices the industry has shown to be the worst.
Outdated WordPress software, poor system administration and credential management, nulled plugins, and little or no security or web knowledge among non-technical WordPress users all give hackers the upper hand.
Even industry leaders do not consistently follow the required best practices. Reuters, for example, was once hacked because it was running an outdated version of WordPress.
Security is not just about perfectly secure systems. It may not be possible or practical to find or maintain a perfectly secure system. Security is actually about risk reduction rather than risk elimination. It is more about having all the needed controls to help you improve your whole posture by reducing the chances of becoming a target, thus saving yourself from getting hacked. – WP Security Codex
Vulnerabilities do exist. According to a 2017 study by Sucuri, a security company covering multiple platforms, WordPress accounted for the largest share of the infected sites they worked on (nearly 83 per cent), up from 74 per cent in 2016.
Security Vulnerabilities of WordPress
Nearly 40 per cent of sites on the web today are powered by WordPress. With so many plugin and theme combinations available, it is no surprise that vulnerabilities exist and are discovered constantly. At the same time, WordPress has a large community that makes sure such issues are tackled quickly.
Today, in 2021, the WordPress security team comprises nearly 50 experts, including security researchers and lead developers. Half of them are Automattic employees, and a few come from the online security industry.
A few of the security vulnerabilities of WordPress are:
Backdoors
Fittingly named, a backdoor gives hackers a hidden passage that bypasses the usual security controls and lets them access a WordPress website through unorthodox channels such as SFTP, FTP, or the admin area.
Once exploited, a backdoor lets hackers wreak havoc on the host server, and every other website on the same server is exposed to the same attack.
According to Sucuri's 2017 report, backdoors remained one of the most common post-hack actions attackers took: nearly 71 per cent of the infected sites had some type of backdoor injection.
Backdoors are often encrypted or obfuscated so that they look like legitimate WP system files. They get into WP databases through bugs and weaknesses in outdated versions of the platform. The TimThumb vulnerability is the best-known example: it exploited outdated software and shady scripts and compromised millions of websites.
Luckily, avoiding and treating this issue is fairly simple. Blocking IPs, two-factor authentication, and stopping unauthorized PHP file execution handle the common backdoor threats. You can quickly detect common backdoors by scanning your WordPress website with SiteCheck. We discuss this in more detail below.
Pharma Hacks
This hack injects malicious code into outdated versions of WordPress and its plugins so that search engines return ads for pharmaceutical products when someone searches for the compromised website. It is more of a spam threat than regular malware, but it gives search engines a good reason to block the website for distributing spam.
The moving parts of a pharma hack are backdoors in the database and in plugins, which you can clean up by following the instructions on the Sucuri blog. However, these exploits are most often aggressive variants of encrypted malicious injections that hide in the database and need an in-depth clean-up process to fix.
Nonetheless, you can easily prevent pharma hacks by using recommended WP hosts with modern servers and by keeping your WP installation, themes, and plugins updated. Kinsta is a host that fixes hacks for free.
Brute-force Login Attempts
Brute-force login attempts use automated scripts that exploit weak passwords to gain access to your website. Limiting login attempts, monitoring unauthorized logins, using strong passwords, blocking IPs, and two-step authentication are a few simple and effective ways to prevent brute-force attacks.
Sadly, many WordPress site owners do not follow the security practices mentioned above, and hackers manage to break into around 30 thousand websites every day through brute-force attacks.
Malicious Redirects
Malicious redirects create backdoors in WP installations using FTP, SFTP, wp-admin, and other protocols. The redirects are usually placed in encoded form in the .htaccess file and other WP core files, sending your traffic to malicious websites, and the attackers inject redirection code into the site's pages. We mention some ways to prevent this in the WP security steps discussed below.
Cross-Site Scripting (XSS)
This happens when a trusted website or application is injected with a malicious script. The attacker sends malicious code, usually a browser-side script, to the site's end user, who does not notice it. The aim is to grab session data or cookies, or even rewrite the HTML on a web page.
As per Wordfence, these kinds of vulnerabilities are prevalent in WP plugins.
Denial of Service (DoS)
The most threatening of all is the DoS vulnerability. It exploits bugs and errors in code to flood the memory of the website's operating system. Hackers have attacked millions of sites and collected millions of dollars by exploiting buggy, outdated versions of WordPress with DoS attacks. Although financially motivated cybercriminals rarely target smaller companies, they still attack vulnerable, obsolete websites to build botnets that help them attack larger businesses.
Even the latest version of WordPress cannot defend itself against high-profile DoS attacks, but it can at least help you avoid being caught in the crossfire between sophisticated cybercriminals and financial institutions. I hope you remember 21st October 2016, the day a DoS attack on DNS infrastructure made much of the internet go down. You have to give extra attention to WordPress security if your site is your business.
Just as a physical store owner is responsible for the store's safety, an online business owner has to protect their business site.
How to Protect Your WordPress Website?
Keep WordPress Updated
WordPress is open-source software that is maintained and updated regularly. WP installs minor updates automatically by default; for major releases, you have to start the update manually.
WP also has many themes and plugins that you can install on your site. These are maintained by third-party developers, who also release updates regularly.
WordPress updates are essential for the stability and security of your WP site, so make sure your WP core, themes, and plugins are kept up to date.
Strong Passwords & User Permissions
Stolen passwords are used in the majority of WP hacking attempts. Using strong, unique passwords for your site makes this much harder.
This applies not only to the WordPress admin area but also to FTP accounts, your WP hosting account, the database, and even the custom email address that uses your website's domain name.
Most beginners avoid strong passwords because they find them hard to memorize. The good news is that you no longer have to remember your passwords: you can use a password manager.
Another way to reduce the threat is to not give anyone access to your WP admin account unless it is essential. If you have a large team or guest authors, understand the user roles and capabilities in WordPress before adding new user and author accounts to the website.
WordPress Hosting
Your WP website's security depends largely on your WP hosting service. SiteGround and Bluehost are good shared hosting providers that take extra measures to protect their servers from common threats.
So how do you know whether a hosting company is a good one for your site? How do you check that it can protect your site and data?
Read on for the answers.
A good web-hosting company continuously monitors its network for suspicious activity.
Almost all good web-hosting companies have the tools required to prevent large-scale DDoS attacks.
They make sure the server's hardware, software, and PHP versions are up to date, which prevents attackers from exploiting security vulnerabilities known in older versions.
They have incident and disaster recovery plans ready, which help them protect your data if a significant incident happens.
With a shared host, you share the server's resources with other customers, so there is a risk of cross-site contamination: a hacker could use a neighbouring website to attack your site.
A managed WordPress hosting service gives your website a more secure platform. Managed WP hosting companies provide automatic WP updates, automatic backups, and more advanced security configurations to safeguard your site.
The most straightforward way to keep your website secure is to go with a web hosting provider that offers many layers of security.
A cheaper web-hosting company may look tempting. It saves money that you could spend on your site in some other way. But that temptation does no good; avoid it, because it will give you nightmares. You could end up losing all your data, and your site URL could get redirected somewhere else.
It is fine to spend a little more. Investing in a good-quality web-hosting company gives your site extra security layers, and good WP hosting also improves your WordPress website's speed.
Although there are many web hosting companies on the market, we suggest WP Engine. It has many security features, including daily malware scans and 24/7 support all year round, at a reasonable price.
Avoid Using Nulled Themes
Premium WordPress themes look more professional and have many more customizable options than free themes. They are coded by highly skilled developers and thoroughly tested to pass multiple WP checks. There are no restrictions on customizing your theme, you get full support if anything goes wrong with your website, and regular theme updates are provided.
However, some websites offer cracked or nulled themes. These are hacked copies of premium themes, distributed illegally, and they are not safe for your website. Such themes have malicious code hidden in them that can destroy your database and website.
Easy Steps for WordPress Security (No Coding)
Beginners may think WordPress security is complex, and those who are not tech-savvy may worry about it. But there is nothing to worry about.
Have a WP backup solution Installed
In the event of a WP attack, backups will help you a lot. Nothing is 100 per cent secure; government websites get hacked too, so yours can be hacked as well.
With a backup, you can restore your WP website quickly, which comes in very handy if anything goes wrong.
Many free and paid WP backup plugins are available on the market. It is essential to save full-site backups regularly to a secure location, and not to keep them on your web hosting account.
We recommend saving them to a cloud service such as Dropbox, Amazon, or Stash.
Depending on how often you update your website, the ideal setting could be once a day or real-time backups.
Fortunately, you can do this easily with plugins like BlogVault or UpdraftPlus.
Both are easy to use and reliable, and you do not need to know how to code.
Top WP Security Plugin
After setting up backups, the next thing to do is set up a monitoring and auditing system. This tracks everything happening on your site, including failed login attempts, file integrity monitoring, malware scanning, and so on.
Luckily, you can do all this with Sucuri Scanner, the best WP security plugin. It is also free.
You need to install and activate this free plugin. After activation, go to the Sucuri menu in your WP admin. You will first be asked to generate a free API key, which enables audit logging, email alerts, integrity checking, and other important features.
Generation of Sucuri API Key
Next, click the 'Hardening' tab in the settings menu. Go through all the options and click the 'Apply Hardening' button. These options lock down the main areas hackers often use in their attacks.
The Web Application Firewall is the only hardening option that requires a paid upgrade. We cover many of the 'Hardening' options in this write-up for those who do not want to use a plugin, and some require extra steps, such as 'Changing the Admin Username' or 'Database Prefix Change'.
Once you are done with the hardening options, the default plugin settings are adequate for most sites and need no changes. The only setting we suggest customizing is 'Email Alerts'.
The default alert settings can clutter your inbox. We suggest receiving alerts only for important actions such as plugin changes and new user registrations. You can configure the alerts in the Alerts section of the Sucuri settings.
Set Up Email Security Alerts
This WP security plugin is powerful. Go through all the settings and tabs so you understand everything it does in terms of malware scanning, audit logs, tracking failed login attempts, and so on.
Enabling WAF (Web Application Firewall)
Using a WAF is the simplest way to protect your website and be assured of your WP security. A website firewall blocks malicious traffic before it can reach your site.
DNS Level Firewall: It routes your site's traffic through the provider's cloud proxy servers, so your web server receives only legitimate traffic.
Application Level Firewall: This is a plugin that examines traffic once it has reached your web server, before most WP scripts are loaded. It is less efficient at reducing server load than a DNS-level firewall.
Moving Your WP Website to HTTPS/SSL
SSL is a protocol that encrypts the transfer of data between users' browsers and your site. This encryption makes it harder for someone to sniff the connection and steal information.
How does SSL work?
After enabling SSL, your site uses HTTPS instead of HTTP, and a padlock sign appears next to your site's address in the web browser.
SSL certificates are typically issued by certificate authorities, with prices starting from USD 80 and going up to hundreds of dollars per year. Because of the additional cost, many website owners chose to keep using the insecure protocol.
To fix this issue, Let's Encrypt, a non-profit organization, started offering free SSL certificates to website owners. Many companies, including Facebook, Google Chrome, and Mozilla, support the project.
Today, it is really easy to use SSL on your WordPress site, and most web hosting companies now offer a free SSL certificate for your WP website.
If your web host does not, you can buy one from Domain.com, which has the best and most reliable SSL deals. Their certificates come with a USD 10,000 security warranty and a TrustLogo security seal.
WordPress Security apt for DIY Users
If you are doing everything mentioned above, you are doing well. But there is always more you can do to strengthen your WP security, and some of these steps may require some coding knowledge.
Changing the Default "admin" Username
Previously, the default WP admin username was 'admin'. Since the username is almost half of the login credentials, this made brute-force attacks simpler for hackers.
Fortunately, WP has changed since then. Today, you have to choose a custom username when you install WordPress.
But some WordPress one-click installers still use 'admin' as the default username. If you come across this, you should change your hosting provider.
By default, WP does not let you change usernames. There are three ways to make this change:
Create a new username, then delete the old one.
Use the Username Changer plugin.
Update the username in phpMyAdmin.
Please note: here we are talking about the "admin" username, not the administrator role.
Disabling File Editing
WP has a built-in code editor that lets you edit your theme and plugin files from the WP admin area. In the wrong hands, this feature becomes a security risk, so we suggest turning it off.
Alternatively, you can do this with one click through the Hardening feature in the free Sucuri plugin.
Disabling PHP File Execution in Certain WordPress Directories
Another way to strengthen your WordPress security is to disable PHP file execution in directories where it is not needed, such as /wp-content/uploads/.
For a more detailed explanation, check our guide on how to stop PHP execution in WordPress directories.
You can also do this with a single click through the 'Hardening' feature in Sucuri's free plugin.
Limit Attempts of Login
By default, WP lets users try to log in as many times as they wish. This makes your WP website vulnerable to brute-force attacks, in which attackers try to crack the password by logging in repeatedly with different password combinations until one works.
You can fix this quickly by limiting the number of login attempts a user can make after failing to enter the correct password a few times. If you are using the firewall, this is handled automatically.
But if there is no firewall set up, follow the steps below:
First, install and activate the Login LockDown plugin. If you need help with this, check our detailed guide on how to install a WP plugin.
After activating the plugin, go to Settings and then the Login LockDown page to set up the plugin.
Login LockDown Options
For more details, check our post on why and how to limit login attempts in WP.
Add 2-Factor Authentication
Two-factor authentication requires users to complete a two-step process to log in. The first step is the username and password; the second requires a separate app or device to authenticate. Many major online services, such as Facebook, Google, and Twitter, let you enable this for your account, and you can add the same functionality to your WP site.
First, install and activate the two-factor authentication plugin. After activation, click the 'Two Factor Auth' link in the WP admin sidebar.
Settings for 2-Factor Authenticator
Next, install and open an authenticator app on your device. There are many authenticator apps on the market, such as Authy, LastPass Authenticator, and Google Authenticator.
We suggest Authy or LastPass Authenticator, because both back up your accounts to the cloud. This comes in very handy if you lose your phone, reset it, or buy a new one, as it restores each of your account logins quickly.
In this tutorial, we use LastPass Authenticator, but the instructions are the same for all authenticator apps. Open the authenticator app, click the 'Add' button, and add the website.
It will ask whether you want to scan a bar code or enter the site manually. Choose the bar code option and point your phone camera at the QR code shown on the plugin's settings page.
That's it. The authenticator app saves the site. The next time you log in, the site asks for the two-factor authentication code after you enter your password.
Enter your 2-factor auth code
Just open the authenticator app on your phone and enter the code it shows.
Changing Prefix of WordPress Database
By default, WordPress uses wp_ as the prefix for all tables in your WP database. If your WP website uses the default prefix, it is easier for hackers to guess your table names, so we suggest changing it.
Our detailed guide explains how to change your WP database prefix to improve security.
Please note that this can break your website if it is not done properly. Proceed only if you are comfortable with coding.
Protecting WP-Admin & Login Page through Password
Hackers can usually request your login page and wp-admin folder without restriction, which lets them try their hacking tricks or run DDoS attacks.
At the server level, you can add an extra layer of password protection that blocks those requests effectively.
Follow our detailed instructions on how to password-protect your WordPress admin directory.
Disabling Directory Indexing & Browsing
Hackers can use directory browsing to find out whether you have any files with known vulnerabilities, and then use those files to gain access.
Other users can also use directory browsing to look at your files, copy images, find out your directory structure, and gather other information. So it is very much necessary to switch off directory browsing and indexing.
Connect to your site using FTP or cPanel's File Manager, then go to your site's root directory and look for the .htaccess file. If you cannot find it, check our guide on why you cannot see the .htaccess file in WordPress.
Next, add the following at the end of the .htaccess file:
Remember to save the .htaccess file and upload it back to your website. For more information, check our article on disabling directory browsing in WP.
Disabling XML-RPC in WP
XML-RPC has been enabled by default since WordPress 3.5, because it helps integrate your WP site with web and mobile applications.
Being powerful, XML-RPC can significantly amplify brute-force attacks. Traditionally, if a hacker wanted to try 50 different passwords on your site, they would need 50 separate login attempts, which could be caught and blocked by the login lockdown plugin.
With XML-RPC, however, a hacker can use the 'system.multicall' function to try thousands of passwords with only 20 to 50 requests.
So if you are not using XML-RPC, we suggest you disable it.
There are three ways to disable XML-RPC in WordPress. We cover them in our detailed tutorial on how to disable XML-RPC in WP.
Tip: The .htaccess method is the best, because it is the least resource-intensive. If you are using the web application firewall mentioned earlier, the firewall handles this for you.
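As an added detection example (not part of this article), the check below parses one POST body sent to xmlrpc.php with Python's standard xmlrpc.client and flags a system.multicall that bundles many calls or many different username/password pairs, which is the amplification pattern described above. The sample bodies and the list of credential-taking methods are constructed assumptions for the demo, not captured traffic or a complete list of WordPress methods.

```python
import xmlrpc.client

# Assumption for the demo: a subset of WordPress XML-RPC methods that take a
# username/password pair and can therefore be used to test credentials.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "wp.getUsers"}


def inspect_xmlrpc_request(body: str, max_calls: int = 1, max_guesses: int = 3) -> dict:
    """Summarise one xmlrpc.php request body and mark it suspicious if a
    system.multicall carries more than max_calls calls or more than
    max_guesses distinct credential pairs. Unparseable bodies are flagged too."""
    result = {"method": None, "calls": 0, "credential_calls": 0,
              "distinct_credentials": 0, "suspicious": False, "reason": ""}
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:          # malformed XML is itself worth logging
        result.update(suspicious=True, reason=f"unparseable body: {exc}")
        return result
    result["method"] = method
    if method != "system.multicall":
        result["calls"] = 1
        if method in CREDENTIAL_METHODS:
            result["credential_calls"] = 1
            result["distinct_credentials"] = 1
        return result
    # A multicall wraps its sub-calls as a single array of {methodName, params} structs.
    calls = list(params[0]) if params else []
    result["calls"] = len(calls)
    seen = set()
    for call in calls:
        if not isinstance(call, dict):
            continue
        name = call.get("methodName", "")
        args = list(call.get("params", []))
        if name in CREDENTIAL_METHODS and len(args) >= 2:
            result["credential_calls"] += 1
            seen.add((str(args[0]), str(args[1])))   # (username, password) pair
    result["distinct_credentials"] = len(seen)
    if result["calls"] > max_calls:
        result["suspicious"] = True
        result["reason"] = f"{result['calls']} calls bundled in one system.multicall"
    if result["distinct_credentials"] > max_guesses:
        result["suspicious"] = True
        result["reason"] = f"{result['distinct_credentials']} different credential pairs in one request"
    return result


# Constructed sample bodies (not captured from any real site).
BENIGN_BODY = xmlrpc.client.dumps(("editor", "correct-horse"), methodname="wp.getUsersBlogs")
MULTICALL_BODY = xmlrpc.client.dumps(
    ([{"methodName": "wp.getUsersBlogs", "params": ["admin", f"guess{i}"]} for i in range(5)],),
    methodname="system.multicall",
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("multicall", MULTICALL_BODY)):
        print(label, inspect_xmlrpc_request(body))
```

In a real deployment the body would come from the web server or WAF log rather than a string literal, and a flagged request would feed the IP-blocking step the article recommends.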
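The .htaccess and wp-config.php hardening steps from 'Disabling File Editing' through 'Disabling XML-RPC' above can be checked in one pass. This is an added example, not the article's or any plugin's code; it assumes the standard directive for each step (DISALLOW_FILE_EDIT in wp-config.php, a non-default $table_prefix, Options -Indexes, a <Files xmlrpc.php> deny block in the root .htaccess, and a <Files *.php> deny block in wp-content/uploads/.htaccess) and runs against constructed sample files rather than a live site.

```python
import re


def _active(text: str) -> str:
    """Drop comment lines so a commented-out directive is not counted as active."""
    return "\n".join(ln for ln in text.splitlines()
                     if not ln.strip().startswith(("#", "//")))


def file_edit_disabled(wp_config: str) -> bool:
    """Disabling File Editing: define('DISALLOW_FILE_EDIT', true) must be present."""
    pattern = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, _active(wp_config), re.I) is not None


def table_prefix(wp_config: str) -> str:
    """Changing the prefix: read $table_prefix; WordPress falls back to wp_ if unset."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", _active(wp_config))
    return m.group(1) if m else "wp_"


def directory_listing_disabled(htaccess: str) -> bool:
    """Disabling directory browsing: an Options line that carries -Indexes."""
    return re.search(r"^\s*Options\b[^\n]*-Indexes", _active(htaccess), re.I | re.M) is not None


def _files_block_denies(htaccess: str, name_pattern: str) -> bool:
    """True if a <Files NAME> ... </Files> block denies all access (old or new syntax)."""
    m = re.search(r"<Files\s+\"?" + name_pattern + r"\"?\s*>(.*?)</Files>",
                  _active(htaccess), re.I | re.S)
    if not m:
        return False
    body = " ".join(m.group(1).lower().split())
    return "deny from all" in body or "require all denied" in body


def xmlrpc_blocked(root_htaccess: str) -> bool:
    """Disabling XML-RPC via .htaccess: a <Files xmlrpc.php> deny block."""
    return _files_block_denies(root_htaccess, r"xmlrpc\.php")


def php_execution_blocked(uploads_htaccess: str) -> bool:
    """Disabling PHP execution in /wp-content/uploads/: a <Files *.php> deny block."""
    return _files_block_denies(uploads_htaccess, r"\*\.php")


def audit(wp_config: str, root_htaccess: str, uploads_htaccess: str) -> list:
    """Return one finding per hardening step that is not applied (empty list = all applied)."""
    findings = []
    if not file_edit_disabled(wp_config):
        findings.append("wp-config.php: DISALLOW_FILE_EDIT is not set to true")
    if table_prefix(wp_config) == "wp_":
        findings.append("wp-config.php: database table prefix is still the default wp_")
    if not directory_listing_disabled(root_htaccess):
        findings.append(".htaccess: directory listing not disabled (Options -Indexes)")
    if not xmlrpc_blocked(root_htaccess):
        findings.append(".htaccess: xmlrpc.php is not blocked")
    if not php_execution_blocked(uploads_htaccess):
        findings.append("wp-content/uploads/.htaccess: PHP execution not blocked")
    return findings


# Constructed sample files for a default install and a hardened one (not from any real site).
DEFAULT_WP_CONFIG = "<?php\n$table_prefix = 'wp_';\n// define('DISALLOW_FILE_EDIT', true);\n"
DEFAULT_ROOT_HTACCESS = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n"
HARDENED_WP_CONFIG = "<?php\n$table_prefix = 'k9q2_';\ndefine('DISALLOW_FILE_EDIT', true);\n"
HARDENED_ROOT_HTACCESS = """Options -Indexes
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
"""
HARDENED_UPLOADS_HTACCESS = "<Files *.php>\ndeny from all\n</Files>\n"

if __name__ == "__main__":
    print("default install:", audit(DEFAULT_WP_CONFIG, DEFAULT_ROOT_HTACCESS, ""))
    print("hardened install:", audit(HARDENED_WP_CONFIG, HARDENED_ROOT_HTACCESS, HARDENED_UPLOADS_HTACCESS))
```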
Automatically Log Out Idle Users in WP
Logged-in users sometimes wander away from their screen, which is a security risk: someone could hijack their session, change their password, or make changes to their account.
That is why many financial and banking websites automatically log out inactive users. You can implement similar functionality on your WP website by installing and activating the Inactive Logout plugin.
After activation, go to Settings and then the Inactive Logout page to configure the plugin.
You just need to set the time duration and add the logout message. Remember to click the save button so your settings are stored.
Adding Security Questions to WP Login Screen
Adding a security question to your WP login screen makes it even harder for anyone to gain unauthorized access.
You can add one by installing the WP Security Questions plugin. After activating it, go to Settings and then the Security Questions page to configure the plugin.
For more in-depth instructions, check our tutorial on how to add security questions to your WP login screen.
Scanning WP to Check for Malware & Vulnerabilities
If you have installed a WordPress security plugin, it will regularly check for malware and signs of a security breach.
But if there is a sudden drop in site traffic or search rankings, it is worth running a scan manually, either with your WP security plugin or with one of the online security and malware scanners.
Online scans are effortless to run: enter your site's URL, and their crawlers scan your site for known malware and malicious code.
Remember that many WordPress security scanners can only scan your site. They cannot remove the malicious files or clean a hacked WordPress site.
That brings us to the section on cleaning malware and fixing hacked WP websites.
DDoS Attacks
DDoS is a kind of DoS attack in which multiple systems target a single system, causing a denial of service. DDoS attacks have been around for a very long time; Britannica states that the first documented case was around the beginning of 2000. Such attacks do not usually damage your website, but they can take it down for a few hours, if not days.
How can you protect yourself from such attacks? We recommend using a reputable third-party security service such as Sucuri or Cloudflare. If you own a business, investing in their premium plans makes sense.
If you are hosted on Kinsta, you do not have to set up DDoS protection yourself: all their plans come with a free Cloudflare integration and built-in DDoS protection.
Sucuri and Cloudflare DDoS Protection
Their DDoS protection is advanced and mitigates DDoS attacks of all kinds and sizes, including those targeting the ICMP and UDP protocols as well as SYN/ACK, Layer 7, and DNS amplification attacks. Another benefit is that you sit behind a proxy that hides your origin IP (Internet Protocol) address, although that is not bulletproof.
Take time to go through our case study on stopping a DDoS attack. One of our clients, a small e-commerce website running Easy Digital Downloads, received more than 5 million requests on a single page within seven days.
Typically this website used only around 30 to 40 MB of bandwidth per day and had a few hundred visitors a day. Suddenly, it jumped to around 15 to 19 GB of data transfer per day, an increase of about 4,660 per cent, with no extra traffic showing in Google Analytics. That is a terrible sign.
The client implemented Sucuri's web application firewall on their website. After that, requests and bandwidth dropped, and they have had no such issues since. From this example's point of view, investing in such a third-party security service is worth the money and time.
Hotlinking
Hotlinking is quite simple. Say you come across a picture somewhere on the web and use its URL directly on your website. The image is visible on your site but is served from its original location. In reality, this is a kind of theft, because the hotlinked site's bandwidth is being used. You may think this is a minor issue and ignore it, but it can lead to extra costs.
Getting a Hacked WP Website Fixed
Most WordPress users do not realize the significance of website security and backups until their site gets hacked.
Cleaning a WP website can be tricky and time-consuming. Our first advice is to let a professional handle it for you.
Hackers install backdoors on affected websites, and if you do not remove these backdoors properly, your site will get hacked again.
When you let a security company like Sucuri fix your site, they make sure it is safe to use again and also protect it from future attacks.
WordPress security is an essential part of a website that cannot be ignored. If you fail to protect your WordPress site, get ready to be attacked by hackers. Maintaining your website's security is not rocket science, and you can do it without spending a single penny.