WordPress is, at the time of writing, by far the most popular way to make a website. However, this also makes it a juicy target for hackers, meaning WordPress security should be at the front of your mind if you own a website. The last thing you want is to wake up to your site advertising weird pharmaceuticals or redirecting visitors to a malicious website.
However, if you're not a developer, the idea of securing your website can feel intimidating, made even more so by the fact that a lot of the advice you see deals with technical tasks with marginal security benefit at best, such as hiding your WordPress version number or changing the WordPress database prefix.
There's nothing wrong with implementing all those tips, but most regular users would be better served by focusing on a few key areas with the biggest return on investment for WordPress security.
That's our focus in this post – learning the high-level WordPress security tips that, if done well, will protect your site from all of the common WordPress security threats.
To do that, we'll share some data on how sites get hacked and then cut through the fluff to cover some practical tips to improve your WordPress site's security.
Why Do WordPress Sites Get Hacked?
First off, it's important to note that the core WordPress software is very secure. The WordPress core has a team of professionals looking after it and in the unlikely event that there's an issue, it's usually patched quickly before it can be exploited.
There's a reason that everyone from the US White House to Facebook feels safe with WordPress – these big enterprises and government institutions certainly wouldn't trust WordPress if it were vulnerable.
So if the WordPress core is so secure, why do so many WordPress sites get hacked?
There are two main reasons:
- User error, such as using a weak password or not promptly applying updates.
- Vulnerabilities in WordPress themes or plugins (mainly plugins), typically exacerbated by not quickly applying updates.
There is some data here. For example, in Sucuri's 2019 hacked website report, 56% of sites in their sample were running out-of-date core software when they got infected and 44% of the hacked websites had an out-of-date plugin with a known vulnerability. There's certainly some overlap between those groups, but those two numbers alone get you close to 100%.
Going back a little further, Wordfence surveyed over 1,000 webmasters of hacked websites in 2016 and found that, of webmasters who knew how their sites got hacked:
- Plugin and theme vulnerabilities accounted for 60%+ of the attack vectors.
- Brute force attacks and password theft accounted for 20%+ of the attack vectors.
The Five Most Important WordPress Security Tips
So if we know that most sites get hacked because of out-of-date software or stolen credentials, that means that fixing those problems will yield the biggest bang for your buck when it comes to WordPress security.
So here's what you need to do:
1. Keep Everything Updated. Always. (Seriously).
The biggest thing that you can do to keep WordPress secure is to promptly apply updates to the WordPress core, plugins and themes.
It's not very exciting and it sounds like such a basic thing, but doing this alone is more valuable than pretty much any other security tweak you can make.
There are two types of WordPress updates:
- Major updates – these add new features (rather than security fixes) and have a single decimal. E.g. WordPress 5.0, 5.1, 5.7, etc.
- Minor updates – these add security and maintenance fixes and have two decimals. E.g. WordPress 5.0.1, 5.1.2, 5.7.3, etc.
Most WordPress plugins and themes follow this same formula, though not all do.
In general, you should apply all minor updates right away, while you can wait a little longer for major updates (because major updates are focused on features and not security fixes).
WordPress will automatically notify you of new updates via red markers and you can also track them by going to Dashboard → Updates:
Here are some other tips to more easily stay on top of updates:
- If you're worried about compatibility issues, you can test updates on a staging site before pushing them live. We include built-in staging sites on our Onyx hosting.
- You can use a plugin like WP Updates Notifier to receive email notifications when new core, theme or plugin updates are available so that you can quickly apply them.
2. Lock Down the WordPress Login Page
It doesn't matter how secure your WordPress site is if a malicious actor gets the key to your front door – AKA your WordPress username and password.
Typically, malicious actors will attack your login page with brute force attacks, which is basically them repeatedly guessing different username/password combinations until they find one that works.
Here's how to protect your login page:
Use Strong Passwords
To start, make sure you're always using strong passwords. If you edit your account's password, WordPress includes a built-in password generator, which is a great option to use:
It's easy to ensure strong passwords if you're the only user on your site. However, if you allow other users to have backend access, you can't guarantee that they won't use a weak password that exposes your site.
To fix this, you can use a plugin like the free miniOrange Password Policy Manager to force other users to use strong passwords.
Use HTTPS and an SSL Certificate
Using SSL/HTTPS ensures that the data that moves between visitors' browsers and your server is encrypted so that malicious actors can't get their hands on it (like your username and password when you log in to WordPress).
Most hosts, including us here at Krystal, now offer free SSL certificates. All you need to do is install the free SSL certificate and force HTTPS use on your WordPress site (here are instructions for cPanel or Onyx).
Limit Login Attempts
Brute force attacks work by repeatedly guessing thousands of different combinations, so one way to stop them in their tracks is to limit failed login attempts (much like banks do). If someone enters an incorrect password more than X times, they'll be blocked from trying again for a certain time period.
To set this up, you can use the free Limit Login Attempts Reloaded plugin:
Consider Two-Factor Authentication
For mission-critical sites, a great way to further lock down the login page is with two-factor authentication, which is the technology that banks and other security-conscious services use.
With two-factor authentication, you'll need to enter both your WordPress username/password as well as a security code, like a code from an authenticator app or something sent to your email.
You can set this up with the free Two Factor Authentication plugin.
Change the Login URL
If you've done everything so far, changing the WordPress login URL won't really add much extra security to your site. However, it is still useful because it can cut down on a lot of bot traffic, in addition to adding a small level of "security by obscurity".
You can easily change the login URL using the free WPS Hide Login plugin.
3. Only Use Plugins and Themes from Reputable Developers
As we mentioned earlier, plugins and themes can be a big attack vector for malicious actors. One fix is to always keep them updated, but the other is to be more discerning in which plugins and themes you install on your site.
If you're not a developer, it can be tough to assess the quality of an extension's code by yourself. Some good proxies here are to:
- Read the reviews.
- Check WPScan to see if a plugin has a known and unpatched vulnerability. Most plugins will have vulnerabilities at some point, so you shouldn't necessarily hold that against them as long as the developer promptly fixed the issue. Having a developer quickly fix issues and publicly disclose them is actually a positive when it comes to WordPress security.
- Browse the support forum to see how responsive developers are to issues.
- See what other plugins/themes a developer has and how they're rated.
- Check the last update date and update history to see how much attention the extension receives.
Additionally, be wary of GPL clubs or nulled software sites. While the GPL does legally allow for these types of distributions, it's easy for malicious actors to add malicious code to the files they distribute, which can get your site in trouble. Saving money is great, but not at the expense of your site's security.
4. Consider a Web Application Firewall or WordPress Security Plugin
If you've done everything above, your site should be pretty secure. However, for added peace of mind, you can consider using a Web Application Firewall (WAF) on your site.
A WAF is able to proactively block threats against your site before malicious actors can get their hooks in. Essentially, it filters traffic so that regular users can experience your site like normal while malicious actors get blocked.
There are two main options here…
5. Take Regular Backups
Backups won't secure your site itself, but they are an important part of WordPress security because they lessen the impact of any security events. Backups change a security event from "Oh no, my site is gone" to "I guess I have to spend a few minutes restoring a backup".
Four Smaller Tweaks for WordPress Security
If you follow the ideas above, your site should already be pretty secure. But there are also some smaller tweaks that you can make to further boost security. We'll go through them quickly in this section.
If you don't want to implement these tweaks yourself, comprehensive WordPress security plugins like Wordfence or Cerber can implement a lot of these smaller security tweaks for you.
1. Use the Latest Version of PHP
WordPress runs on PHP and there are different versions of PHP. Older versions no longer receive security updates, which makes them a vulnerability vector. They're also much slower than newer versions of PHP, which slows down your site.
2. Disable XML-RPC
XML-RPC allows data to be transmitted to/from your site and it's important for some tools like the WordPress mobile and desktop apps, as well as the Jetpack plugin. However, it's also an attack vector, so unless you absolutely need those tools, you should disable it.
It also attracts a lot of bot traffic, which consumes server resources.
You can disable or restrict XML-RPC with the free Disable XML-RPC-API plugin.
3. Check and Fix WordPress File Permissions
File permissions control what users on your server can do to files/folders.
In general, all WordPress files should be 644 and all folders should be 755. You might want to further harden certain files like the wp-config.php or .htaccess to 444 depending on your server's configuration. More tips here.
You can check file permissions using the free iThemes Security plugin and change them using FTP or cPanel File Manager.
4. Always Use Secure Connections
One overlooked backdoor to your WordPress site is FTP. If hackers get their hands on your FTP credentials, they have a way into your site.
To stop this, you should always use secure FTP connections - ideally SFTP, though FTPS is also acceptable.
Also, we advise being careful about storing FTP credentials in your FTP client. If you're going to do so, use an FTP client that lets you encrypt stored credentials behind a master password (e.g. FileZilla).
Improve Your WordPress Security Today
The two biggest things you can do to secure your WordPress site are quite simple:
- Keep everything updated (and ideally only use extensions from reputable developers).
- Lock down your login process with strong passwords, HTTPS, and limited login attempts at a bare minimum (with two-factor authentication for mission-critical sites).
Doing those two things alone will already eliminate how most WordPress sites get hacked. For more peace of mind, consider a web application firewall (WAF) and take regular backups.
Do you still have questions about WordPress security? Drop us a message in the comment section below. If you want to find out more about the personalised help that our Onyx Managed WordPress customers receive, just get in touch via Live Chat.