WordPress powers over 35% of the internet. It’s not surprising that hackers constantly try to compromise the platform. As a website owner, it’s your responsibility to make sure those efforts don’t impact your site. But that’s no easy task considering how often new vulnerabilities are discovered.
The best way to start future-proofing your website and protect it from attacks is by implementing all of the updates in this article. Let’s dive right in!
An Introduction to WordPress Security
WordPress is a stable and secure platform. Since it’s open-source, users benefit from a community of developers committed to patching vulnerabilities and continually improving its security and functionality.
However, WordPress sites face the same security risks that all websites face, such as:
- Brute-force attacks
- Distributed Denial of Service (DDoS) attacks
- File inclusion exploits
- SQL injections
- Cross-site scripting (XSS)
If this list of risks seems long and intimidating, we have good news. Research suggests that most website attacks are due to user negligence and not because of the core platform’s vulnerabilities. Implement the tips we suggest and you should be above average in terms of security.
1. Use Secure Sockets Layer (SSL) Certificates
Contrary to popular belief, SSL certificates are not solely for online stores. Installing one can considerably boost your WordPress security, even if you don’t accept credit card payments through your website.
Installing an SSL certificate on your website and having a properly-configured server helps to ensure that any visitor information that is collected – such as credit cards, e-mail addresses and order details – is transferred to your website securely. Your visitors will feel safer seeing a padlock icon in their browsers’ address bars. Plus, this could be a ranking factor in your Search Engine Optimization (SEO) efforts.
If you purchase your web hosting from a provider such as Kinsta, your package will typically include an SSL certificate. Otherwise, we recommend Cloudflare’s free SSL solution.
We support both options if you’ve signed up for any of our Website Support plans.
2. Enable Two-Factor (2FA) or Multi-Factor Authentication (MFA)
Picking a secure password is a must for any online activity. However, there is always a chance someone might hack a user’s login credentials using brute force tactics. A 2FA or MFA process can mitigate that risk.
When you enable MFA or 2FA in WordPress, your users will be able to set up a secondary method of verifying their logins, such as with a time-based code generated through an authentication app, a temporary link sent via email, or some other method of authentication.
The easiest way to turn on MFA or 2FA is with a plugin such as Two-Factor, a free tool that supports multiple authentication methods and integrates well with other plugins such as WooCommerce.
3. Update WordPress Regularly
Using an outdated version of WordPress could make your site vulnerable to several threats, so it’s essential to update it regularly. Even large organizations such as Reuters have been hacked because of an outdated WordPress installation. Don’t underestimate the importance of this task.
WordPress updates usually include security patches, which is why it’s essential that you review and install new versions as soon as they’re available. You can usually do this via the Updates screen in your dashboard:
If your site isn’t running the latest version of WordPress, make sure to make a full backup of your site before installing the update.
If you’re worried about an update affecting your site’s functionality, you can typically defer installation for 30 days while you work out solutions for any conflicts.
Note that apart from the core WordPress platform, you also need to keep your themes and plugins up to date. Using obsolete tools and add-ons that haven’t been tested with the latest WordPress version could cause security loopholes or break your site.
4. Upgrade Your PHP Version
Using an outdated PHP version can also make your site vulnerable to attacks. You should always try to use the latest release and benefit from active PHP security support.
Website owners can usually switch between PHP versions via their hosting account or by getting assistance from their provider. If features on your site require an older version of PHP, make sure it’s still supported for critical issues.
5. Conduct a Plugin Audit
The more plugins you have installed, the more potential entry points hackers have into your site. Try to reevaluate all of your plugins as often as possible. Installing questionable tools with bugs and vulnerabilities could severely compromise your WordPress security.
When evaluating your plugins, keep only respected plugins that you actively use. For instance, a migration tool is usually single-use, so it’s best to deactivate and delete it once its task is completed.
Also, don’t use outdated plugins that are no longer supported. You can find this information in the WordPress Plugin Directory or on the plugin developer’s site:
Finally, ensure that all your plugins are compatible with your WordPress version to avoid security loopholes.
6. Install Akismet
Comments sections and submission forms are easy targets for spammers, which is why we recommend installing Akismet to filter out unwanted submissions. This tool also prevents your site from storing malicious content by weeding out suspicious entries.
What looks like spam could actually be malicious software working its way into your site’s inner workings. Both spam and malicious content can also hurt your search engine rankings. All this on top of simply driving visitors away.
7. Configure Your Firewall Properly
Using a firewall can prevent DDoS attacks, which cause your website to go down. A DDoS attack may even lead to an account suspension if you’re on a shared web hosting plan. Beyond being extremely frustrating, your hosting costs may go through the roof as your site’s traffic spikes.
Setting up your firewall depends on several factors. For instance, you’ll need it to sync with Sucuri or Cloudflare, or opt for a hosting package with firewall services included. When in doubt, consult relevant documentation or a company that specializes in WordPress security.
8. Create a Custom Login URL
By default, every WordPress site has two URLs that bring you to the login page – yourdomain.com/wp-login.php and yourdomain.com/wp-admin. Since these are widely known default settings, they’re the first URLs that hackers visit when trying to break into your site. If you use a weak username and password you’re extremely vulnerable.
You can change your login page URL with a plugin such as WPS Hide Login. This tool allows you to pick a custom address, making the wp-admin directory and wp-login.php page inaccessible to outsiders.
9. Implement a reCAPTCHA
Hackers often use bots to strengthen their attacks. That’s when CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) comes in handy. Incorporating this tool keeps bots and spammers at bay by requiring simple challenges that require human logic.
Google’s reCAPTCHA is the most user-friendly solution. Instead of having to identify fragments of images or text that many people find tedious, you can simply ask visitors to click on an I’m not a robot checkbox:
You can implement this solution with a plugin such as Advanced noCaptcha & Invisible Captcha. A reCAPTCHA can also help you minimize password reset spam, fake customer orders, and spam form submissions.
10. Enable Security Headers
Using HTTP security headers adds an extra layer of protection from various attacks by telling web browsers how to behave when handling your site’s content. For instance, one of the more popular rulesets is Content-Security-Policy, which prevents certain attacks by defining approved content sources.
Configuring HTTP security headers happens at the webserver level, so it’s worth asking your hosting provider for help. Alternatively, you can try our website management and support services, and we’ll configure them for you.
11. Hide Your WordPress Version
Most WordPress sites display their version number in their header code. Regardless of what version you’re using, this helps hackers choose attacks that best match your WordPress version.
It’s possible to manually hide your WordPress version by adding a code snippet to your theme’s functions.php file. However, we recommend simply updating WordPress. Plus, you’ll benefit from the most recent security upgrades.
12. Prevent User Enumeration
Brute force attacks are some of the most common WordPress attacks. This approach involves using bots to try random username/password combinations until they find a set that works.
For instance, hackers might come across some of your credentials through login error messages such as The password you entered for the username ‘admin’ is incorrect:
In this case, the attacker now knows that there is an account with the username ‘admin,’ and only needs to guess the password to gain access.
Intruders might also figure out usernames when you allow user enumeration via the author archives. That’s why you should limit login attempts or use a plugin such as Stop User Enumeration.
13. Remove ‘admin’ as a User Account
Using ‘admin’ as your username makes your site wide open to brute force attacks. Although you can hamper these efforts by choosing a strong username and password, you should also remove the ‘admin’ username, since it is a widely known default setting.
First, head to your dashboard, create a new user via Users > Add New, and assign it the Administrator role:
Then, select the original ‘admin’ account from the users list, choose Delete from the dropdown menu, and click on Apply. If there was any content previously published under the ‘admin’ username, you may need to reassign those posts to a new author.
14. Back Up Your Site Regularly
While you’re busy boosting your WordPress security, don’t forget to back up your site’s data to prepare for an unavoidable disaster. An effective backup policy will help you restore your website with minimal data loss, which is why we recommend daily backups.
Your backup policy should include clear instructions on how, when, and where your backups are stored.
Managed web hosting services such as Kinsta often offer automated backups so that you don’t have to create them manually. Otherwise, you can use a plugin such as VaultPress or Pronto’s website maintenance services, which include daily backups.
15. Maintain an Activity Log
Another essential practice is to maintain an activity log. This is particularly useful for larger sites with multiple users and contributors. Tracking user activity lets you monitor changes to your content, incorrect login attempts, new and deleted user profiles, and more.
This way, you can identify the source of potential security issues and detect hacking attempts early. Plugins such as WP Activity Log let you track user activity so that you can keep an eye on what’s happening on your website.
16. Enforce Security Practices Across Your Organization
Finally, if you’re part of a large company, it’s smart to formalize your site’s security policies and procedures. No matter how thorough your practices are, human error and negligence are often the weakest links in WordPress security. Don’t rely on technical solutions alone.
Your team should receive training to avoid unsafe practices such as sharing passwords via insecure methods. Also, teach employees about social engineering and how hackers try to dupe users into giving up sensitive information.
Securing your WordPress site should be a top priority. If you don’t follow best practices, you are an easy target for potential cyberattacks.
Pronto Marketing offers website maintenance and support that goes far beyond the tips in this article. Message us today about having our experts optimize your site for security so you can focus on other projects.