WordPress powers over 35 percent of the internet, so it’s not surprising hackers regularly try to compromise the platform. As a website owner, it’s your responsibility to protect your data from such activities. However, WordPress security can often be overwhelming as new vulnerabilities might arise any day.
Fortunately, you can future-proof your website and protect it from many attacks by following the practices below. In this article, we’ll show you how to secure WordPress with 16 best practices. We’ll also discuss the most common threats the platform faces. Let’s dive right in!
An Introduction to WordPress Security
In general, WordPress is considered a secure platform. Since it’s open-source, users benefit from a community of developers committed to patching vulnerabilities and continually improving its security and functionality.
However, WordPress sites still face the security risks that are common to all websites, such as:
- Brute-force attacks
- Distributed Denial of Service (DDoS) attacks
- File inclusion exploits
- SQL injections
- Cross-site scripting (XSS)
This list might look scary, but there’s some good news. Research suggests that most of these attacks occur due to user negligence and not because of the core platform’s vulnerabilities. Therefore, you can protect your WordPress site by following security best practices such as those outlined below.
16 Actions to Keep Your WordPress Site Safe from Hackers
Now that we’ve discussed WordPress security issues, let’s look at 16 ways to mitigate these risks.
- Use SSL Certificates
- Enable 2FA or MFA Authentication
- Update WordPress Regularly
- Upgrade Your PHP Version
- Conduct a Plugin Audit
- Install Akismet
- Configure Your Firewall Properly
- Create a Custom Login URL
- Implement a reCAPTCHA
- Enable Security Headers
- Hide Your WordPress Version
- Prevent User Enumeration
- Remove ‘admin’ as a User Account
- Back Up Your Site Regularly
- Maintain an Activity Log
- Enforce Security Practices
1. Use Secure Sockets Layer (SSL) Certificates
Contrary to popular belief, SSL certificates are not just for online stores. Installing one can considerably boost your WordPress security, even if you don’t take any credit card payments on your site.
Using an SSL certificate on your website, along with having a properly-configured server, helps to ensure that any personal information which your website visitors enter to your site - such as credit cards, e-mail addresses and order details - is transferred to your website securely. Your visitors will feel safer seeing a padlock icon in their browsers’ address bars. Plus, this could be a ranking factor in your Search Engine Optimization (SEO) efforts.
We support both options if you've signed up for any of our Website Support plans.
2. Enable Two-Factor (2FA) or Multi-Factor Authentication (MFA)
Picking a secure password is a must for any online activity. However, there is always a chance someone might hack users’ login credentials using brute force tactics. A 2FA or MFA process can mitigate that risk. When you enable this feature in WordPress, your users will be able to set up a method of verifying their logins, such as with a time-based code generated through an authentication app, a temporary link sent via email, or other methods of verification supported by the plug-in you choose.
This method can boost your WordPress security. The easiest way to add it is with a plugin such as Two-Factor, a free tool that supports multiple authentication methods and integrates well with other plugins such as WooCommerce.
3. Update WordPress Regularly
Using an outdated WordPress version could make your site vulnerable to many threats, so it’s essential to update it regularly. Even large organizations such as Reuters have been hacked because of an outdated WordPress installation, so don’t underestimate the importance of this task.
WordPress updates usually include security patches. Therefore, it’s crucial to review and install new versions as soon as they’re available. You can usually do this via the Updates screen in your dashboard:
If your site isn’t running the latest version of WordPress, make sure you take a full backup of your site first.
If you’re worried about an update affecting your site’s functionality, you can typically defer installation for 30 days while you work out solutions for any conflicts.
Note that apart from WordPress core, you should also keep your themes and plugins up to date. Using obsolete tools that haven’t been tested with the latest WordPress version could cause potential security loopholes or break your site.
4. Upgrade Your PHP Version
Using an outdated PHP version can also make your site vulnerable to attacks due to unpatched security holes. Therefore, it’s smart to use the latest release and benefit from active PHP security support.
You can usually switch between PHP versions via your hosting account, or contact your provider for assistance. If features on your site require an older version of PHP, make sure it’s still supported for critical issues.
5. Conduct a Plugin Audit
The more plugins you have installed, the more potential entry points hackers have into your site, so it’s smart to review them periodically. Besides, installing questionable tools with bugs and vulnerabilities could severely compromise your WordPress security.
Make sure you only keep well-coded plugins that you actively use. For instance, a migration tool has limited functionality, so it’s best to deactivate and delete it once you’re finished using it.
Also, don’t use outdated plugins that are no longer supported. You can find this information in the WordPress Plugin Directory or on the plugin developer’s site:
Finally, ensure that all your plugins are compatible with your WordPress version to avoid security loopholes.
6. Install Akismet
Comments sections and submission forms can be easy targets for spammers, so it’s wise to use a plugin such as Akismet to filter submissions. This tool can help prevent your site from publishing malicious content by weeding out suspicious entries.
Spam content can compromise your WordPress security by injecting malicious code into your site. This may also negatively affect your search engine rankings. On top of that, spam comments on your blog may drive visitors away.
7. Configure Your Firewall Properly
Using a firewall can help prevent DDoS attacks. These can cause your website to go down. It may even lead to an account suspension if you’re on a shared hosting plan. This can be extremely frustrating and costly as your bandwidth suffers abnormal traffic spikes.
Setting up your firewall will depend on the solution you choose. For instance, you can use Sucuri or Cloudflare, or opt for a hosting package with firewall services included. In any case, make sure you configure it correctly so that your site is fully protected. If you’re in doubt, consult relevant documentation or customer support for the service you’re using.
8. Create a Custom Login URL
By default, every WordPress site has two URLs that bring you to the login page – yourdomain.com/wp-login.php and yourdomain.com/wp-admin which redirects to it. Unfortunately, this makes it easier for hackers to break into your site, especially if you choose a weak username and password.
You can change your login page URL with a plugin such as WPS Hide Login. This tool enables you to pick a custom address that suits your branding, making the wp-admin directory and wp-login.php page inaccessible to outsiders.
9. Implement a reCAPTCHA
These days, hackers use bots to multiply attacks. That’s where a Completely Automated Turing test to tell Computers and Humans Apart (CAPTCHA) can come in handy. Incorporating this tool helps keep bots and spammers at bay by requiring simple challenges that most humans should be able to complete.
Google’s reCAPTCHA is the most user-friendly solution. Instead of having to identify fragments of images or text that some find too difficult, you can simply ask visitors to click on an I’m not a robot checkbox:
You can implement this solution via a plugin such as Advanced noCaptcha & Invisible Captcha. A reCAPTCHA can also help you minimize password reset spam, fake customer orders, and spam form submissions.
10. Enable Security Headers
Using HTTP security headers can add an extra layer of protection from various attacks. In essence, security headers tell browsers how to behave when handling your site’s content. For instance, one of the more popular is Content-Security-Policy, which helps prevent attacks such as XSS by defining approved content sources.
Configuring HTTP security headers is possible at the webserver level, so it’s worth asking your hosting provider for help. Alternatively, you can try our website management and support services, and we’ll be happy to configure them for you.
11. Hide Your WordPress Version
Most WordPress sites display their version number in their header code. Regardless of what version you're using, this could potentially encourage hackers to invade your site, since it provides information which can help them target attacks to that specific WordPress version.
It’s possible to manually hide your WordPress version by adding a code snippet to your theme’s functions.php file. However, we recommend simply updating WordPress. Plus, you’ll benefit from the most recent security upgrades.
12. Prevent User Enumeration
Brute force attacks are one of the most common WordPress attacks. This type of activity typically involves bots that attempt to access your site by testing random login credentials until they find a set that works.
For instance, hackers might come across some of your credentials through login error messages such as The password you entered for the username ‘admin’ is incorrect:
In this case, the attacker now knows that there is an account with the username ‘admin,’ and only needs to guess the password to gain access.
Intruders might also figure out usernames when you allow user enumeration via the author archives. Therefore, it’s smart to reduce user enumeration risks by implementing 2FA, limiting login attempts, or using a plugin such as Stop User Enumeration. Another preventive measure to take is to hide the login page as recommended above. Bots can't attempt to login to determine valid usernames if they can't find the login page.
13. Remove ‘admin’ as a User Account
Using ‘admin’ as your username makes your site wide open to brute force attacks such as those described above. Therefore, you should ensure that your login credentials are secure and follow best practices for choosing a strong password and username.
If you already have an account with an ‘admin’ username, it’s wise to remove it altogether to minimize risks. First, head to your dashboard, create a new user via Users > Add New, and assign it the Administrator role:
Then, select the original ‘admin’ account from the users list, choose Delete from the dropdown menu, and click on Apply. If there was content published under the admin username, you may need to take further action to reassign those posts to a new author.
14. Back Up Your Site Regularly
While you’re busy boosting your WordPress security, don’t forget to back up your site for the worst-case scenario. An effective backup policy will help you restore your website with minimal data loss, so it’s crucial to carry out this task regularly.
Ensure that your backup policy includes clear instructions on how, when, and where your backups are stored. If done incorrectly, you could risk compromising your site or losing data.
Managed web hosting services such as Kinsta often offer automated backups so that you don’t have to create them manually. Otherwise, you can use a plugin such as VaultPress or Pronto’s website maintenance services, which include daily backups.
15. Maintain an Activity Log
Another essential practice is to maintain an activity log. This can be particularly useful for larger sites with multiple members and contributors. Tracking user activity can help you monitor changes to your content, incorrect login attempts, new and deleted user profiles, and more.
This way, you can identify the source of potential security issues and detect hacking attempts early. Plugins such as WP Activity Log can help you track user activity so that you can keep an eye on what’s happening on your website.
16. Enforce Security Practices Across Your Organization
Finally, if you’re part of a large company, it’s smart to create strong security policies and enforce relevant procedures. No matter how effective your practices are, human error and negligence are often the weakest links in WordPress security. Therefore, don’t rely on technical solutions alone.
Make sure you educate your team about unsafe practices such as sending passwords via insecure methods. Also, do your best to limit social engineering and instruct your employees to never disclose sensitive information to unauthorized users without verifying their identity.
Securing your WordPress site should be a top priority. If you don’t follow best practices, such as choosing a strong username and password, you might become an easy target for potential hackers. Therefore, it’s worth learning about WordPress security and what you can do to protect your website.
In this article, we’ve discussed 16 tips and techniques to secure your WordPress site. If you need help at any stage, Pronto Marketing offers website maintenance and support. Our team of experts will optimize your site for security so that you can focus on your other vital business needs instead.
25 Website "Must Haves" for Driving Traffic, Leads & Sales
Discover the essence of how to make your business website successful