Ensuring the security of your WordPress site is crucial in protecting your online presence from potential threats and vulnerabilities. With WordPress being one of the most popular content management systems (CMS) in the world, it has also become a prime target for hackers and malicious attacks.
A compromised website can lead to data breaches, loss of customer trust, and significant downtime, impacting your business and reputation.
This checklist provides you with essential steps and best practices to boost your WordPress security. From updating your software to implementing strong passwords and two-factor authentication, each measure is designed to fortify your website against common threats.
Whether you’re a seasoned developer or a beginner, following these guidelines will help you create a secure and resilient WordPress environment.
Let’s dive into the comprehensive checklist to safeguard your WordPress site and ensure it remains a reliable and trusted platform for your audience.
Why You Need WordPress Safety And Security
Discuss why every successful internet site built with WordPress focuses on security. These put on organizations of all dimensions, credibilities, and industries.
It protects your information as well as your reputation
If aggressors attain personal details about you or your website visitors, there’s no end to what they could do with the details. Safety and security breaches open you as much as public data leaks, identification theft, ransomware, web servers collapsing, and the listing, regrettably, goes on. Any of these events is much from ideal for the development and credibility of your business and are typically a significant wild-goose chase, cash, and power.
Your site visitors expect it
As your company expands, the number of issues you’ll need to resolve and your customers’ expectations for resolving those issues will undoubtedly enhance. Among those problems is maintaining your clients’ details protected. If you can give this essential service from the get-go, you will undoubtedly uphold your client’s reliance on you.
There’s a dilemma below: If your security gauges work, your customers will certainly never need to understand. If they ever do see news about your website’s safety, chances are it’s a problem, and most won’t come back. Your clients need to rely upon that their information will be utilized and saved safely, whether it be getting in touch with details, settlement details (which needs PCI conformity), or a fundamental response to a survey.
Google searches as safe internet sites
Keeping your WordPress site safe and secure is a cornerstone of preserving a high-ranking internet site.
Safety and security are among the simplest ways to enhance your search ranking. Why? Because a secure internet site is a searchable one. Web site protection directly affects presence from a search on Google (and other internet search engine), and has for a while. You can review what other factors impact precisely how Google ranks your website in our Ultimate Overview of Google Ranking Factors.
Securing your online residential or commercial properties ought to be a vital issue. Every website requires specific safety and security for its visitors and users; we’ll review the actions to do this. However, you might be wondering: Is WordPress secure?
Let’s take a look below.
how secure is WordPress?
WordPress is a safe web content monitoring system. Nevertheless, it can be vulnerable to strikes– similar to any CMS.
There’s no chance around it: Internet sites that use WordPress are a preferred target for cyberattacks. In its WordPress security report, a firewall software service named Wordfence obstructed a whooping 18.5 billion password strike requests on WordPress websites. That’s almost 20 billion attacks on WordPress sites alone.
This may be less shocking, recognizing that 42.7% of all sites use WordPress. Twenty billion attacks are still relatively high when considering WordPress’s market share.
The trouble proceeds: 8 out of 10 WordPress safety risks come under the “Tool” or “High” seriousness rating according to the Common Susceptibility Rating System.
However, before you hard-delete your WordPress account, you should understand that these numbers aren’t entirely WordPress’s fault. Or, at least, not the fault of the WordPress product itself.
WordPress employs a huge protection group of world-class scientists and designers searching for susceptibilities in its system and consistently launches safety updates to its software program. As for WordPress core goes, we’re covered. The problem lies with just how WordPress is provided to its users.
WordPress is an open-source software program, suggesting that the resource code is readily available for anyone to modify and disperse. Because WordPress is open-source, the software is considerably personalized and optimizable. There are thousands of plugin themes and programmers with the skills to modify the backend code themselves. This adaptability is a defining feature of WordPress and a substantial part of what makes it so effective and widely used.
WordPress offers a lot of power to its customers, and with great power comes fantastic duty. The drawback to all this freedom is that an incorrectly configured or preserved WordPress website is prone to many protection issues. The responsibility that many are shrugging off. Hackers know this and target WordPress websites accordingly.
You can rest easy knowing the following: Perfect security doesn’t exist, primarily online. As WordPress states:
” [S] security … is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”
You can never guarantee complete immunity to online threats, but you can take steps to make them much less likely to occur. The fact that you’re reading this means you probably care about security and are willing to go the extra mile to keep you and your visitors safe. To sum up, WordPress is secure, but only if its users take security seriously and follow best practices.
WordPress Security Issues
So, what could happen if one chooses to push all these numbers aside and do nothing to secure their WordPress site? As it turns out, a lot. The most common types of cyberattacks on WordPress websites are:
Brute-Force Login Attempts
This is one of the simplest types of attacks. A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the proper credentials. Brute-force hacking can access any password-protected information, not just logins.
Cross-Site Scripting (XSS)
XSS occurs when an attacker “injects” malicious code into the backend of the target website to extract information and wreak havoc on the site’s functionality. This code could be introduced in the backend by more complex means or submitted simply as a response in a user-facing form.
Database Injections
Also known as a SQL injection, an attacker submits a string of harmful code to a website through some user input, like a contact form. The website then stores the code in its database. Similarly to an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.
Backdoors
A backdoor is a file containing code that lets an attacker bypass the standard WordPress login and accesses your site at any time. Attackers tend to place backdoors among other WordPress source files, making them challenging to find inexperienced users. Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.
Though WordPress restricts what file types users can upload to reduce the chance of backdoors, it’s still very much a problem to be aware of.
Denial-of-Service (DoS) Attacks
These attacks prevent authorized users from accessing their websites. DoS attacks are most frequently carried out by overloading a server with traffic and causing crashes. The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.
Phishing
This is known as phishing when an attacker contacts a target posing as a legitimate company or service. Phishing attempts typically prompt the target to give up personal information, download malware or visit a dangerous website. If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you.
Hotlinking
Hotlinking occurs when another website shows embedded content (usually an image) hosted on your website without permission, so the content appears like it’s theirs. While more akin to stealing than a full-blown attack, hotlinking is usually illegal and gives the victim severe issues since they have to pay every time content is retrieved from their server when displayed on another website.
For these crimes to occur, hackers must discover a site’s security holes. Common vulnerabilities that hackers look for when targeting WordPress websites include:
Plugins: Third-party plugins account for the majority of WordPress security breaches. Since plugins are created by third parties and have access to the backend of your website, they’re a common channel for hackers to disrupt your site’s functionality.
Outdated WordPress versions: WordPress sometimes releases new versions of its software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and hackers often target problems with old versions of WordPress.
The login page: The backend login page for any WordPress website by default is the site’s main URL with “/ wp-admin” or “/ wp-login. PHP” added to the end. Attackers can easily find this page and attempt a brute-force entry.
Themes: Yes, even your WordPress theme can open your site to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Also, many third-party themes do not follow WordPress’ standards for code, causing compatibility issues and similar vulnerabilities.
For a deeper look at WordPress security issues, see our article on WordPress security issues you should know about.
How to Secure Your WordPress Site.
- Secure your login procedures.
- Use secure WordPress hosting.
- Update your version of WordPress.
- Update to the latest version of PHP.
- Install one or more security plugins.
- Use a secure WordPress theme.
- Enable SSL/HTTPS.
- Install a firewall.
- Back up your website.
- Conduct regular WordPress security scans.
- Filter out special characters from user input.
- Limit WordPress user permissions.
- Use WordPress monitoring.
- Log user activity.
- Change the default WordPress login URL.
- Disable file editing in the WordPress dashboard.
- Change your database file prefix.
- Disable your xmlrpc.php file.
- Consider deleting the default WordPress admin account.
- Consider hiding your WordPress version.
Now that we’re past the scary part let’s discuss what you can do to reduce the threat of a cyberattack on your WordPress website.
Website security, and by extension WordPress website security, comes down to following a set of best practices. Some of these apply to all websites (e.g., strong passwords, two-factor authentication, SSL, and firewalls). In contrast, others apply specifically to WordPress websites (e.g., using secure plugins and a secure WordPress theme).
To keep your site at its safest, we recommend adhering to as many of these best practices as possible. First, we’ll cover the basic best practices. Then we’ll add additional steps you can take if your site is particularly at risk or if you want to go even further.
WordPress Security Best Practices
1. Secure your login procedures
The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. To do this:
- Use strong passwords: We used to think there would be flying cars in the future, but as of this year, people are still using “123456” as a password. Ensure all users with accounts on your WordPress backend use strong passwords to log in. You can use one of our recommended password managers to generate strong passwords and keep track of them.
- Enable two-factor authentication: Two-factor authentication (2FA) requires users to verify their sign-on with a second device. This is one of the simplest yet most effective tools to secure your login. Here’s how to add two-factor authentication in WordPress.
- Don’t make any account username “admin”: Chances are, this will be the first username attackers will plug in during a brute force login attempt. If you’ve already created a user with this name, create a new administrator account with a different username.
- Limit login attempts: Placing a cap on the number of times a user enters the wrong credentials in a certain amount of time will prevent hackers from brute-forcing a login. Some hosting services and firewalls might take care of this, but you can also install a plugin like Limit Login Attempts.
- Add a captcha: You’ve likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. You can use plugins to add a captcha to your site. Recaptcha by BestWebSoft is one we recommend– see our guide to enabling Google reCaptcha in WordPress.
- Enable auto-logout: While you should remember to log out of your WP account when finished, auto-logout prevents strangers from snooping in your account if you forget. To enable auto-logout on your WordPress account, try the Inactive Logout plugin.
2. Use secure WordPress hosting
When choosing the service that hosts your website, there are many factors to consider, but security should be a top priority. Consider services that have taken steps to protect your information and promptly recover if an attack occurs. See our list of recommended WordPress hosting providers.
3. Update your version of WordPress
Outdated versions of WordPress software are a widespread target for hackers. Ensure you regularly check for and install WordPress updates as soon as possible to eliminate vulnerabilities in older versions.
To update WordPress to the latest version, back up your site and check that your plugins are compatible with the latest version of WordPress, updating plugins accordingly. You can reference our guide for how to update your WordPress plugins.
After updating your plugins, follow the update instructions on the WordPress website.
4. Update to the latest version of PHP
Upgrading to the latest version of PHP is one of the most important steps you can take to keep your WordPress website secure. When an upgrade is ready, WordPress will notify you on your dashboard. It will prompt you to head to your hosting account to upgrade to the latest PHP version. If you need access to your hosting account, get in touch with your web developer to upgrade.
5. Install one or more security plugins
We highly recommend installing one or more reputable security plugins on your website. These plugins do much of the security-related manual work for you, including scanning your website for infiltration attempts, altering source files that might leave your site susceptible, resetting and restoring the WordPress site, and preventing content theft like hotlinking. Some reputable plugins cover almost everything on this list. This step is unnecessary if you use HubSpot’s Content Management System, which provides malware scanning and threat detection within the platform.
Whichever plugin( s) you decide to install, security-related or not, ensure they’re well-established and legitimate. See our list of recommended WordPress security plugins.
6. Use a secure WordPress theme
Just like you shouldn’t install a sketchy plugin on your site, resist the urge to use just any WordPress theme that looks good. Choose one that is compliant with WordPress standards to prevent vulnerabilities caused by a WordPress theme.
To check whether your current theme meets WordPress requirements, copy your website URL (or the URL of any WordPress site or theme’s live demo) into W3C’s validator. If your theme isn’t compliant, search for a new theme in the official WordPress directory. All themes in this directory are safely compatible with WordPress software. Alternatively, see HubSpot’s list of recommended WordPress themes, or search for another credible theme marketplace.
7. Enable SSL/HTTPS
SSL (Secure Sockets Layer) is the technology that encrypts connections between your website and visitors’ web browsers, ensuring that the traffic between your site and your visitors’ computers is safe from unwelcome interceptions.
Your WordPress site needs SSL enabled. Depending on your use case, you may do this manually or use a dedicated SSL plugin if you are using WordPress. If you’re a CMS Hub user, SSL is free and built into the platform, so you’re good to go. Not only will it boost SEO, but it also plays directly into your visitors’ first impression of your website. Google Chrome will even warn users if the site they’re visiting doesn’t follow the SSL protocol, which directly reduces website traffic.
To see whether your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If the homepage URL begins with “HTTPS://” (the “s” stands for “secure”), your connection is secured with SSL. If the URL begins with “HTTP://,” you’ll need to obtain an SSL certificate for your website.
8. Install a firewall
A firewall sits between the network that hosts your WordPress site and all other networks and automatically prevents unauthorized traffic from entering your network or system from the outside. Firewalls keep out malicious activity from your site by eliminating a direct connection between your network and other networks.
We recommend installing a Web Application Firewall (WAF) plugin to protect your WordPress site. With the CMS Hub, your site will come with WAF within the platform. As with everything else on this list, carefully deliberate which type of firewall and plugin works best for your needs before making your choice.
9. Back up your website
Being hacked is terrible. Losing all your information is even worse. Ensure you have your website information backed up by WordPress and your host in case of an attack (or any other incident) that causes data loss. We recommend backups be automatic as well. See our list of the best WordPress backup plugins available.
10. Conduct regular WordPress security scans
It’s a good idea to run routine check-ups on your site. Aim for at least once a month. Multiple plugins can scan your site for you. Here are the seven WordPress scanner plugins we recommend.
Once you’ve taken these basic steps, you can move to more advanced measures to secure your WordPress website.
Advanced WordPress Safety And Security Best Practices
1. Strain unique personalities from customer input
If any part of your site accepts a reaction from visitors, be it a repayment type, a contact kind, or perhaps a remark section on a post, this is an opportunity for an XSS or database injection strike. Enemies might go into harmful code into any of these text fields and also disrupt your website’s backend.
To avoid this problem, make sure you strain unique characters from customer input before it is processed by your website and keep them in a data source. Conversely, a WordPress form plugin can instantly remove these characters. You can also use a plugin to find harmful code.
2. Limitation WordPress customer permissions
WordPress has six functions to pick for each customer. If your WordPress site has several customer accounts, we suggest altering the duties of each customer to restrict their access to only what they require. By limiting the variety of individuals with manager permissions, you lower the opportunity of an assaulter brute-forcing their method into an admin account and also restrict the damages that can be done if an enemy correctly guesses a customer’s credentials. See our guide on just how to alter WordPress user authorizations.
3. Use WordPress surveillance
Having a surveillance system in position for your website will signal you of any suspicious activity that happens on your website. Preferably, your various other measures would have avoided such a task. However, it’s better to figure it out faster instead of later. You can use a WordPress tracking plugin to get sharp in case there’s a violation.
4. Log individual tasks
Below’s another method to get ahead of problems before they occur: Produce a log of all tasks that customers take on your website, and check this log occasionally for suspicious activity. In this manner, you’ll see if an additional individual is acting suspiciously (e.g., trying to change passwords, modifying motif or plugin files, installing or shutting down plugins without permission). Logs are also helpful for cleaning after a hack, revealing to you what failed and when.
This isn’t to state that all password changes or document alterations are constant indicators of a hacker in your group. Nevertheless, if you’re employing many external factors and providing accessibility permissions, it’s always a good suggestion to keep an eye on things.
Numerous WordPress plugins develop task logs, and numerous committed logging plugins for WordPress, like WP Task Log or the totally free Task Log plugin.
5. Adjustment the default WordPress login link
As I’ve stated, the default URL for the WordPress login page for any WordPress website is easy to locate. Plugins like WPS Hide Login alter this login page link for you.
6. Disable data editing and enhancing in the WordPress dashboard
By default, WordPress lets administrators modify the code of their data straight with the code editor. This gives attackers an easy means to change your documents if they gain access to your account. If a plugin hasn’t already impaired this feature, you can do light coding to disable it yourself. Include the code listed below throughout the file wp-config. PHP:
7. Adjustment your data source documents prefix
The names of the documents that comprise your WordPress data source start with “wp _” by default. Hackers utilize this readying to situate your data source documents by name and conduct SQL injections.
A basic fix? Adjust the prefix to something different, like “wpdb _” or “portable _.” It is possible to establish this when setting up the WordPress CMS. You can rename these files if your website is live with this setting. In this instance, we advise using a plugin to manage this procedure, given that your data source shops all your web content, and a misconfiguration will undoubtedly damage your site. Try to find the capacity to transform table prefixes amongst the features of your favored safety and security plugin.
8. Disable your xmlrpc.php documents
XML-RPC is an interaction protocol that allows the WordPress CMS to engage with outside internet and mobile applications. Considering the WordPress Remainder API’s unification, the XML-RPC is used much less regularly than it once was. Nevertheless, some still use it to release powerful strikes on WordPress sites.
This is because XML-RPC innovation lets attackers send demands containing hundreds of commands, making it simpler to commit strength login strikes. XML-RPC is much less safe than REST because its demands contain authentication qualifications that can be used.
Initially, examine whether your website is taking advantage of the documents. Connect your URL to this XML-RPC validator to examine whether your site is currently using the method. If you’re not utilizing XML-RPC, you can disable the xmlrpc.php file. Otherwise, the simplest method to disable this data is with a plugin like Disable XML-RPC-API. Your WordPress protection plugin can also do this for you.
9. Think about deleting the default WordPress admin account
We have reviewed altering the “admin” username for the default WordPress admin account, yet if you intend to take points a step further, remove this default account entirely, and make a brand-new account with the same administrator approvals. This is a significant step if you believe your initial admin username and password have been uncovered.
10. Take into consideration hiding your WordPress version
Concealing your WordPress variation will guarantee that hackers do not know your site is at risk. As covered previously, you should constantly update to the current version of WordPress. However, if you still need to get the possibility, it’s essential to conceal the prospective vulnerability. Here’s a tutorial on just how to hide your WordPress version.
What To Do If You’re Hacked
So, you’ve carried out some or all of the actions over, and also, currently, you wish to be extra prepared in case something fails. Or something has failed. In either case, here’s what to do:
1. Continue to be tranquil
It’s all natural to worry in these circumstances. Remember that a protection breach can happen to any person. It’s essential to maintain a clear head to find the resource of the violation and fix it.
2. Switch on upkeep mode on your website
Limiting accessibility to your website maintains visitors away from your side and secure from the assault. Just open your internet site when you’re positive the scenario is under control.
3. Begin developing an incident record
Tape all pertinent details that can help solve the issue. These consist, however, are not restricted to:
- When you find the issue
- What led you to think you were assaulted.
- Your current motif, active plugins, hosting carrier, and network carrier.
- Any recent changes you made to your WordPress site before the event.
- A log of your activities while searching for and repairing the problem.
- Update this file as even more details appear.
4. Reset gain access to and also authorizations
Adjust all account passwords on your WordPress website to stop any internet site adjustments. Next, force-logout any type of customer still visited.
All account owners must also highly consider updating passwords on their work and individual gadgets, along with personal accounts, since you can’t know for sure what the attackers could gain access to past your WordPress website.
5. Detect the problem
Either search for the trouble yourself with a safety plugin or, depending on the attack range, work with an expert to detect the problem and fix your website. No matter what method you pick, run a protection check on your website and regional documents to eliminate any remaining unsafe data or code the aggressors could have left and bring back any missing documents.
6. Review related sites and also networks
If you have made up any other online system linked to your internet sites, such as a social media account or one more WordPress site, check these platforms to see if they were affected. Modify your passwords for these networks, also.
7. Reinstall backup themes and plugins
Reinstall your style and plugins (double-check that they’re safe). If you have a backup in place, bring back one of the most current backups before the occurrence.
8. Change your website passwords once more
Yes, you reset all WordPress passwords before, but these qualifications might have been endangered while you were fixing the problem. You can never be also cautious.
9. Alert your customers and stakeholders
After your site runs again, consider contacting your clients and notifying them of the attack, mainly if individual details were accessed and leaked. It’s the best point to do and be prepared for adverse actions from customers.
10. Inspect that your website is allowed by Google
If Google blocked your site as a result of the attack, Google would not-so-subtly caution individuals concerning entering your site:
Google Chrome red warning page signaling individuals that a site is risky
While blocklisting is required to maintain customers far from unsafe sites, it will also scare much website traffic from your legit website. Sucuri has a free tool to scan your website for Google blocklist conditions.
11. Adhere to the best practices above
Taking all feasible safety measures to limit the possibility of another strike will offer you some comfort. Let’s hope something like this does not happen again. However, if it does, you’ll be in far better shape.
Refrain from taking security for provided
Cybercriminals are constantly advancing brand-new ways to leverage firms’ online presence versus them, and security designers are constantly creating new techniques to stop them. This is the ever-turning safety cycle online, and we’re all captured in the center. Constantly keep your client’s security in mind, so they have one much less point to worry about.
For even more protection, check out Fix Hacked Site. This website security checker scans your site for malware, removing it automatically and protecting your site from attack.