Have you ever wondered how do you secure a WordPress site? The WordPress core is very secure. It is audited by hundreds of developers frequently to ensure that there are no security loopholes. However, that doesn’t ensure the safety of your WordPress site.
Your site isn’t just made of the WordPress core! There are many other things. You will have plugins, themes, shortcodes, and more. They can make your website insecure.
In case you are not aware, most of the WordPress site hacks are caused by poorly coded plugins or outdated plugins. Even themes are culprits. Another major problem is that users often ignore the fact that weak passwords can be the troublemakers.
So, how do you secure a WordPress site?
In this guide, I will give you three broad groups. Each group will talk about specific things that you can implement to secure your website. Are you ready?
Group 1: Get the Basics Right
Believe it or not, the commonest cause for WordPress websites getting hacked is that the webmasters do not get the basics right! It is needless to say that a hacked website can cause immense damage. It can mean loss of revenue, damage of online reputation, etc.
If your website is hacked and injected with malware, it may very well distribute malware to the computers of your website visitors. Google is quick to find this out, and it should not come out as a surprise to see Google blocking your website.
Did you know that Google blacklists nearly 20,000 websites every week for malware distribution? Another 50,000 are blocked each week by Google for phishing attempts.
You don’t want to be one of those blacklisted websites, do you? If not, you need to start by taking care of the basic.
Wisely Choose Host
The first and foremost thing you need to take care of is the hosting provider. Settling for a very cheap hosting provider or going for a hosting company that has history of repeated server breaches will anyway put your website at risk.
So, make sure that you are finding a web hosting company that proactively protects its servers from hackers and other malicious actors online.
A good hosting company should perform the following tasks:
- It should continuously monitor its network to identify and block suspicious activities.
- It should have a mechanism in place to thwart off large-scale DDoS attacks.
- It should keep server software up-to-date. This includes the operating system, web server, PHP versions, etc.
- It should also keep its hardware up-to-date, which means replacing old and outdate hardware with new and more secured ones.
- It should have some form of disaster recovery system in place so that in the event of a natural disaster, all data can be recovered.
- It should have physical security systems in place at all data centers to prevent physical theft of servers or to prevent unauthorized access to the physical servers. Yes, data can be stolen or tampered with directly from the physical location.
If you happen to be on a shared hosting server, you will be sharing the server storage, RAM, and CPU with other websites. This opens your site to the risk of cross-contamination. What does that mean? It means that another site on the same server can be infected and the infection can then spill over to the other sites sitting on the same server.
Another problem is that a hacker can actually use a neighboring site and attack your website instead of directly attacking your site.
If your hosting provider proactively prevents hackers from getting into their servers, such events can be prevented.
In case you are wondering which hosting companies offer such security, I will recommend you check out GreenGeeks and SiteGround for shared hosting. For managed WordPress hosting, Liquid Web and WPX Hosting are great choices.
Keep Everything Up-to-Date
Your WordPress site consists of three major components, which are:
- The WordPress core.
- The theme you are using.
- The plugins you are using.
All these components receive periodic updates. While some of the updates are meant to be feature updates (where new features are added), other updates are security patches and other important updates to close vulnerabilities in plugins, themes, and WordPress core.
It is absolutely essential that you update these components whenever there is a new update available. Many people don’t take this seriously.
Truth be told, most of the WordPress site hacks happen through plugins – plugins that are poorly coded, plugins that are not update, and plugins that are no longer in active development.
Don’t be foolish. Update everything!
Strong Passwords & User Permissions
Did you know, one of the simplest ways of hacking a WordPress site is to guess or steal the passwords. One of the commonest methods of getting a password is to use what is known as dictionary attack. A dictionary attack can quickly guess any easy password.
You need to make the lives of these hackers difficult by using very strong passwords. For instance, I personally use a password (for my primary site) that has 95 characters including letters, numbers, and special characters.
Well, you must be wondering how I remember it. I don’t! I keep the passwords offline in an external storage. Whenever I need the password, I connect the storage to my computer, copy it and use it. Once I have used the password, I disconnect my external storage.
It might seem a little too much, but hey, what can be better than staying safe? This ‘little too much’ has ensured for years that my passwords have never been hacked or stolen.
Also, guess such a long password is nearly impossible!
So, you must use strong passwords for everything including:
- Your WordPress site admin password.
- Your hosting account password.
- Your FTP account password.
- Your professional email password.
- Your database password.
Also, keep changing your passwords every two or three months. That is a good practice that everyone suggests. Pick up some good habits.
Also, if your WordPress site has multiple authors and you need to provide access to your WordPress site to them, make sure that you are assigning user permissions accordingly. They should have restricted access and you should never give them full admin access. They should only be able to post articles. They should not have the permission to edit existing published articles, delete published articles, change or edit or delete themes and plugins, remove other users, etc.
You can restrict user permissions using a simple WordPress plugin known as Capability Manager Enhanced. Don’t worry, it is a free plugin. You don’t have to pay a dime to use it on your website or websites.
Group 2: Enhance Your WordPress Security Without Coding
Okay, you might not be a coder. You don’t have to be one to use WordPress. You don’t have to be a coder to even enhance the security of your website. There are many plugins available that can do that for you with a few clicks.
Hardening your website security can help in the scenarios where a hacker may possibly hack your website by accessing a neighboring site on a shared hosting service. It can also help to prevent direct hacking and malware injection attempts and an assortment of other online threats like DDoS attacks, XMLRCP exploits, and more.
So, what can you do?
Let’s find out!
Backup Your Website
One simple reason why people often fail to retrieve their website after a hack is that they do not keep backups. Did you ever imagine what happens when a hacker hacks your website and deletes it complete?
If you have a backup of your site, you can quickly restore it. This is a basic thing that most webmasters (newbies) fail to implement. They just take it lightly. You should not!
One easy way to take backups is to use a plugin such as UpdraftPlus. It will allow you to not only backup your website files and folders, but also backup your database.
Don’t forget, your WordPress site’s database is the spinal cord of your site. If that is gone, your website files and folders are good for nothing.
UpdraftPlus will allow you to store your backups in remote locations like Google Drive, Dropbox, etc. You can even store the backups on your hosting server or download it to your local computer.
I will always recommend that you keep multiple copies of the backups you take. While it is okay to store your backups online using storage services like Google Drive or Dropbox, the wisest thing you can do is to download a copy to your computer and then save it on an external hard drive not attached to any network.
This will ensure that even if you lose access to your online storage account or to your hosting server, you can always get a copy stored safely on your external hard disk.
In case you don’t know how to backup your website, you can read my full guide here. Also, if you don’t like UpdraftPlus for some reason, you can use other plugins. In case you want, you can always backup your website manually.
No matter which route you take, make sure that you are keeping backups as they are always the first line of defense against hacks and malware injections.
Switch to HTTPS Protocol
Use an SSL certificate. This will ensure that the data transfer that happens between your website’s server and a user’s browser is encrypted. This encryption will make it difficult for malicious actors to sniff around and steal information.
When you use an SSL certificate, your website will use the HTTPS protocol instead of the HTTP protocol and your website’s URL will get a padlock icon signifying that it is secured using SSL.
Previously, you had to purchase an SSL certificate that could cost you hundreds of dollars month. As a result, majority of the new website with budget restrictions never used it.
To get around this problem, a non-profit organization backed by Google and Facebook came into existence. It is known as Let’s Encrypt. Let’s Encrypt offers free SSL certificates to everyone who wants to use it.
Don’t worry, just because it is free doesn’t mean that it is bad. Don’t forget that both Google and Facebook are behind this initiative. If the whole idea was a crappy one and the free certificates weren’t good, Let’s Encrypt wouldn’t have existed in the first place.
Another advantage of using an SSL certificate is in the SEO field. Google prefers websites that have an SSL certificate installed. It doesn’t matter whether that SSL is a premium one or a free one.
In fact, you can understand the impact of SSL on SEO simply by the fact that it is a ranking factor! If you are not using an SSL certificate, your website is not going to rank well on Google search results.
Wondering how SSL works?
In a simple language (without going into the details), when a browser requests your website the server where your website sits sends a public key. The browser then checks the validity of the key and uses it to encrypt data. The encrypted data then reaches the server where server decrypts the data using a private key.
Essentially, a validation take place to ensure that all the data transfer taking place between a browser and the server remains encrypted.
Almost every hosting company today offers a free SSL from Let’s Encrypt. In case your web hosting company doesn’t offer that, it is better you move to a different hosting company that offers it for free, unless of course, you want to use a premium SSL certificate. In a scenario like that, you can buy an SSL certificate from any of the many vendors you can find using a quick Google search.
Use a Security Plugin – Sucuri is Recommended
A security plugin can do wonders. There are dozens of these security plugins available, and almost all of them are fantastic plugins. However, the most popular of all is Sucuri Security. It is lightweight and does a great job in hardening your WordPress website’s security.
The plugin can do a lot of things including:
- Performing file integrity checks.
- Scanning your site for malware.
- Logging all failed login attempts, and much more.
I will deliberately skip the details of this plugin, because you can read everything in this dedicated review.
The plugin will allow you to log down the key areas of your WordPress site that hackers mostly target. Almost all the hardening options that you get with the plugin are free except for one – the Web Application Firewall. That hardening feature is available only on a paid upgrade.
Enabling only the default options of this plugin are mostly good enough for majority of the websites.
If you don’t want to use Sucuri, you can use options like WordFence, iThemes Security, All In One WP Security & Firewall, Bulletproof Security, etc. There are many options to work with.
Enable a Web Application Firewall
Your natural tendency will be to enable the Web Application Firewall through Sucuri’s free WordPress plugin. But that is not going to work unless you go for a paid upgrade.
Unfortunately, a paid upgrade to Sucuri will cost you heavily. You need to shell out a whopping $199 a year. Well, that’s peanuts for websites that make a lot of money. For new website or smaller sites with small income, paying that kind of price might not be an ideal option.
What is your way out?
Well, you can always opt for Cloudflare. By paying merely $20 a month you can get WAF or Web Application Firewall and various other features including a CDN and DDoS protection.
Now, you may argue that paying $20 a month amounts to $240 a year, which is more that what Sucuri charges! True! But paying $20 a month hurts less compared to a one-time payment of $199.
As I said, the choice is yours. You don’t have to take my words. You can always go for Sucuri if you can afford that one-time payment.
As far as efficacy is concerned, both have strengths and weaknesses. For instance, with Sucuri, you will get a complete suite of threat prevention and removal that includes DDoS protection as well.
CloudFlare mostly earned its fame as a CDN provider, but offers a very effective DDoS protection and Web Application Firewall. It doesn’t do well when it comes to removal of malwares.
You can always combine the free Sucuri Security plugin with CloudFlare’s Pro plan to get a very effective protection shield.
As far as Web Application Firewall is concerned, both are equally effective. So, you can use whichever you want.
Now, coming to the Web Application Firewall, what is it?
The WAF blocks all malicious traffic even before it reaches your website. There are two methods of doing this.
DNS-level firewall: In this method, the firewall provider routes all traffic through their cloud proxy servers. The bad traffic is weeded out on those proxy servers and only the genuine traffic is sent to your website.
Application-level firewall: In this method all traffic reaches your server. This is where the firewall plugin will first examine all the traffic before loading the WordPress scripts and block the bad traffic and allow the rest.
The problem with the application-level firewall is that it increases server load. The DNS-level firewall, on the other hand, reduces server load. So, if you have a weak or under-powered server, it is better that you use a DNS-level web application firewall.
Both Sucuri and CloudFlare offer DNS-level firewall.
Group 3: WordPress Security for Advanced Users and DIY Freaks
If you are like me who doesn’t like using too many plugins on the website, this segment is for you. You can always harden your website’s security using simple tricks. Let’s check them out one at a time.
Change Your Default ‘Admin’ Username
Those who have used WordPress for a long time will know that there was a time when WordPress used to provide the default administrator username as ‘admin.’ This made the lives of hackers easy as they could easily launch a brute force attack.
Things have now changed. WordPress actually asks you to provide a unique admin username during the installation process.
Unfortunately, there are many web hosting companies providing 1-click WordPress installation that still give the same default username as before, that is, ‘admin.’ If that’s the case with your website, you should consider changing your admin username.
Unfortunately, WordPress will not allow you to change usernames from inside WordPress dashboard.
But that shouldn’t be stopping you. There are ways in which you can change the default ‘admin’ name into something of your choice. Here are three different methods that you can use:
Create a new admin user
In your WordPress admin dashboard, create a new user and assign the role of administrator. Now, once you have created a new user, log out of your site and login using the new username and password.
Once you have logged in, delete the old default ‘admin’ user. If there are existing posts under the older user, WordPress will ask what to do with those posts. You can either delete the posts or assign them to another user. Simply assign the posts to the new admin user you created.
Use a plugin
There is a plugin called Username Changer. It is a free plugin available in WordPress plugins repository. Install it and activate it. Once you do that, you need to visit Users >> Username Changer through WordPress dashboard.
Now select the username you want to change and give a new username and hit the Save Changes button. That’s all! You can now go ahead and delete this extra plugin. The change you make gets saved in the database. So, removing the plugin will not impact the changes you made using the plugin.
Change username from database
If you are brave enough, you can go to your database through phpMyAdmin and change the username directly in the database.
The easiest way to access your phpMyAdmin area is to type in the URL of your website on a browser’s address bar and suffix it with phpMyAdmin.
This is what it will look like:
Enter the username and the password to login. You should have access to the username and password through your web server’s control panel (cPanel for example). If you don’t have a control panel and you need to work with the command-line interface (as in the case of cloud hosting), you can find the necessary details running a simple command.
The command you need to run will be easily available from their support forum. Once you get the details, login into the phpMyAdmin area.
Locate your WordPress installation’s database and click on it. It will expand and show you all the tables on the left. Find the option which reads wp_users.
Click on it and on the right, you can see the list of all users.
Click on the Edit option corresponding to the user you want to change. On the next page that opens, change the value in the user_login field.
Once you have entered your preferred username scroll down a bit and click on the Go button you see on the right side of the screen. That’s all! Your default ‘admin’ username has been changed to a different one.
Once you change the default admin username, the hackers need to guess even the username (not just the password). This increases their work load.
Disable File Editing
By default, WordPress will give you the ability to edit theme and plugin files right inside the WordPress dashboard. That’s a risky thing if others have access to your admin dashboard. So, it is better that you turn off the ability to edit files.
How do you prevent people from editing?
You need to add some code in one of your core WordPress files. That file is none other than wp-config.php.
You can access the file using a file manager. If you don’t have a file manager with your hosting provider, you can always install a file manager plugin. Alternatively, you can always use FTP to remotely access your website’s files. The best FTP application is FileZilla.
Here is the code that you need to use is:
// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );
Once you add the code, save it and put the file back in place. If you don’t know where to place the code, just scroll all the way down to the bottom and add it. That all! The code will disable the ability to edit files from within the WordPress dashboard.
Disable PHP Execution in Certain WP Directories
Two of the most vulnerable WordPress directories are wp-includes and wp-content/uploads/.
Hackers can execute PHP files in these folders and damage your website. So, you need to make sure that you are preventing that from happening.
One of the easiest ways of doing that is to apply hardening measures using some security plugin like Sucuri Security.
If you don’t want to use a plugin, you need to add a particular file with a particular code in those folders.
Open a notepad on your computer and type in the following code:
deny from all
Now save that file as .htaccess file. Yes, you should name the file as .htaccess.
Once you have the file ready, upload it to both wp-includes and wp-content/uploads/ folders.
To upload the file, you can either use a file manager or you can use FileZilla or any other FTP client.
Be careful though! Adding the file to the wp-includes folder can break your site. In that case, just remove the file, but keep it in the wp-content/uploads/ folder.
Add a Two-Factor Authentication
Since one of the easiest ways of hacking a WordPress site is to go ahead and try out different username and password combinations, it is essential that you add a second layer of security to your website’s login page.
Using the famous two-factor authentication can help to prevent unauthorized access to your site’s admin area, because the hacker needs to provide a second authentication that will be available only and only to you.
To enable this security measure, you will need two things:
- A plugin.
- Your smartphone with an authenticator app installed.
For the plugin part, you can login to your WordPress dashboard and search for a new plugin with the search term ‘two factor authentication.’ You will see many plugins on the list. Select any!
I prefer using miniOrange 2-Factor. You can select any other. This plugin that I allow supports various types of two-factor authentication including Google Authenticator, Authy Authenticator, etc.
On my phone, I have Authy installed.
Once you install the plugin and start configuring, you will receive a scannable QR code. Open your Authy or Google Authenticator app and scan the code. It will immediately save the website. Now everytime you try to login, you need to provide a code from your authenticator app.
If you are thinking that installing a plugin will impact your website speed, you are wrong! The miniOrange 2-Factor plugin that I use has absolutely no impact on the website speed. It is a very lightweight plugin and works brilliantly to safeguard your website.
Limit Login Attempts
The default WordPress setting is to allow users to try login attempts as many times as they want. This is one of the many things that makes WordPress quite vulnerable, especially to brute force attacks. Hackers will continuously try to login using various combinations of username and passwords.
While using a very uncommon username and a very strong password will definitely make their lives difficult, you can take the whole security thing to the next level by limiting the login attempts.
Some web hosting providers allow you to set a limit to the login attempts during one-click installation. If your web hosting company didn’t offer that, you can achieve that with a simple plugin. All you need is a plugin named Login Lockdown.
This plugin will give you simple settings.
You can set the following parameters:
- Maximum number of login retries that a user can make. The default is set to 3, which is just fine.
- Retry Time Period Restriction – This determines the amount of time between two subsequent failed login attempts. The default is set to 5 minutes.
- Lockout Length – If the person fails to login in three attempts within the retry time period restriction, the IP address of the user will be locked out for a certain amount of time before he or she can retry again. You can set the time as per your wish, but the default is set to 60 minutes. Once the person is locked out, he or she cannot access the login form for 60 minutes straight.
- You can even lockout anyone who fails to give a valid username. This means that a person can be locked out at the very first try if he or she doesn’t provide the right username.
It is a very effective plugin. However, in case you have already implemented a Web Application Firewall (either from Sucuri or from CloudFlare), login limit is already taken care of. You don’t need to install this plugin.
XML-RPC exploits are terrible. XML-RPC allows WordPress to connect with mobile apps and web. That’s a great thing, but did you know that the XML-RPC can magnify the brute force attacks?
The login lockdown plugin can quickly block login attempts by hackers. For instance, if a hacker starts making hundreds of login attempts in quick successions, the plugin will kick in and lockout the user.
However, with XML-RPC the person can use a function called system.multicall and try out several thousand username and password combinations using only 20 to 50 requests, allowing the hackers to bypass the login lockdown plugin if you have not configured it properly.
In case you are not using XML-RPC, you can disable it completely. The best and the least resource-intensive way to do that is to use the .htaccess file. You can open the .htaccess file and add the following code in it:
# Block WordPress xmlrpc.php requests
deny from all
allow from 188.8.131.52
Once you add the code, save the .htaccess file. That’s all! Now all xmlrpc.php requests will be blocked by default and none of them will be passed on the WordPress.
You should take this route if and only if you don’t have any mobile app for your website and if you are not using a remote method for publishing posts on your website.
In case you don’t want to fool around with the .htaccess file, you can download and install a plugin called Disable XML-RPC.
If you have a Web Application Firewall, it can take care of this XML-RPC.
Disable Directory Indexing and Browsing
Have you ever seen something like the image above? That’s called directory listing. This is a great way for hackers to find out if there are any files with known vulnerabilities or not. Once they can identify such files, they can quickly try to exploit them.
You should always disable directory indexing and browsing. How do you do that? For that you will need to add something to your .htaccess file that you can find in the root folder of your website.
Just open the file and add the following at the very end of the file:
That’s all! Once you have added the line, save the file and upload it back to the directory and replace the old file. Once you do this, directory indexing and browsing will be disabled.
Add a Security Question
Instead of adding a two-factor authentication, you can add a security question on the login page. You can use the same miniOrange 2-Factor plugin to do that. If you don’t like that plugin, you can use a simpler plugin named WP Security Questions.
You can use the plugin to add security questions to login screen, registration screen and even the forgot password screen. It is also a nice way to deter hackers from gaining unauthorized access to your WordPress site.
Scan for Malware & Vulnerabilities
You should periodically scan your website for malware infections and various other vulnerabilities. The plugins you have installed or the themes present on your website may have vulnerabilities.
A simple security plugin that you use for hardening your website can do this for you. The plugin I recommend is Sucuri, but there are many other plugins. You can set the plugins to notify you of vulnerabilities in plugins and themes whenever they are found.
If you do not want to use a plugin, you can use various online services that can scan your website for malware infections and vulnerabilities.
Here is a quick list of some of the most famous online services:
- Google Safe Browsing
- IsItWP Security Scanner
- Sucuri SiteCheck
- Web Inspector
- WordPress Vulnerability Scanner
- UpGuard Cloud Scanner
- Norton Safe Web
I will repeat what I said at the beginning of this article. You need to secure your WordPress site. It is always vulnerable to various online threats including XML-RPC exploits, DDoS attacks, malware injections, hacking, etc.
Building a site and earning a good online reputation takes months and years of effort. All it takes is a few moments for a hacker to destroy all your hard work. There is no point thinking that your site doesn’t have anything great that hackers will go after you.
They will! Sometimes such disruptive activities can be a result of vengeance. Sometimes they can stem out from business rivalry. In the worst-case scenarios, a hacker may just want to have fun and test out his or her skills. Yes, it sucks, but trust me, that happens!
Taking proactive steps to protect your site is not going to harm you. It will rather give you peace of mind and you can rest assured that your hard work will not be wiped out by someone mischief or vengeance or a sheer act of rivalry.