How to secure your WordPress site: The definitive guide

Make your WordPress blog more secure and help prevent hacking attacks.

This guide features simple security measures you can implement to secure your WordPress site, prevent hacking attacks and keep your content safe. I’ll include the best WordPress security solutions and precautions in this post. If you follow them, you’ll sleep soundly.

WordPress security checklist

There are many WordPress security guides with 20-30 or even more steps on how to protect your WordPress site. Many of those steps are completely unnecessary for the average user.

Here are quick and simple steps you should take to keep your WordPress site safe and secure:

  • Use a unique username with a strong password on all administrative accounts.
  • Turn on and require 2-Step Verification on all administrative accounts.
  • Don’t install themes and plugins from untrusted sources.
  • Set WordPress, themes and plugins to be updated automatically.
  • Set WordPress to back up automatically.
  • Use a host with container-based isolation, which protects your site from being contaminated by other insecure sites on the same server.

These six steps will take you a few minutes to implement, and you won’t need to worry about WordPress security after that. You’ll be able to focus on building a great website instead.

Why is WordPress so vulnerable and insecure?

WordPress takes security very seriously and is very secure software. The WordPress security team is made up of 50 security experts and developers. Because WordPress is open source, there are many eyes on the code, which helps keep the whole content management system safe and secure.

So why do you hear about WordPress being vulnerable and insecure? WordPress is the most widely used CMS and blogging platform, with a market share of more than 35% of the entire web.

The popularity of WordPress makes it a regular target of brute force login attacks, which attempt to discover sites that use the default username and/or a weak password. Your username and password are therefore sensitive information and the key to keeping your blog safe and secure.

A brute-force attack is when an attacker tries to log in with many passwords in the hope of guessing correctly. The attacker systematically checks all possible options until the correct one is found.

Use two-factor authentication for your WordPress admin dashboard login as an effective brute force protection.

The second most common attack targets outdated WordPress software, obsolete versions of PHP, and outdated themes and plugins. This is why it’s key to always update everything.

Both of these types of attack are automated and run across all hosting platforms, so they are not aimed at your blog specifically.

If they do succeed in infecting a blog that’s not adequately secured, they may even cross-contaminate all the other blogs hosted on the same server. Don’t let any of this happen to you.

Best WordPress security plugins: Identify any existing vulnerability

There are several WordPress security plugins and other tools you can use to figure out if your blog has a current weakness.

They scan for malware, malicious code and scripts, out-of-date software and other known security issues. These WordPress security plugins can help keep your blog safe. Here are some of the best options, all of which include free versions:

  • Sucuri SiteCheck: There is a Sucuri plugin too, but this is a browser-based tool for a quick scan and check.
  • Search Console: “Security & Manual Actions” section notifies you when Google detects malware or other security issues with your WordPress website.
  • Wordfence Security: The most popular WordPress security plugin, used by more than 3 million sites. Features login security, a firewall and a malware scanner.

Host your blog with a secure hosting company

One vulnerability is cross-contamination. If your site is hosted on an unprotected shared server and an exploitable site on that server gets attacked, other sites on the same server can be infected too.

This has happened to my blog a few times while being hosted on GoDaddy. Initially, I blamed the hacks on my own inexperience or not using the best practices.

Since I’ve learned how these hacks happen, it has made me wary of using hosts that are not well protected. The best protection from cross-contamination is to use a secure WordPress host. Ask your host what security precautions they take about cross-contamination.

Turn on 2-Step Verification

Two-factor verification adds an extra layer of security to your WordPress login URL and completely prevents all the brute force attacks.

Without access to your phone, it’s simply impossible to break through the login page, even if the attacker knows the username and password.

Turn on Secure Sign On in Jetpack for one of the easiest ways to enable two-factor authentication in WordPress. This lets you log in to your self-hosted site with your WordPress.com login, and it allows you to require two-factor authentication.

  • Enable two-step on your WordPress.com account under “Two-Step Authentication” within “Security”.
  • Install and activate Jetpack plugin in your self-hosted WordPress admin area.
  • Turn on the “Single Sign On” option.
  • Tick the box to “Require Two-Step Authentication”.
  • Add this line to your theme’s functions.php file to disable the default WordPress login form:
add_filter( 'jetpack_remove_login_form', '__return_true' );

Now you can only log in to your self-hosted blog using your WordPress.com login details, which require two-factor authentication from your phone. The default login form has been disabled.

Two-step authentication is by far the best way to stop people trying to brute force their way into your wp-admin dashboard. I highly recommend it.

In the past, I used several different hacks to prevent these attacks, such as changing the URL of the default WordPress login page and blocking all IP addresses except my own from trying to log in, but two-step authentication is a much more elegant solution.

Block unwanted, brute force login attempts

If, for whatever reason, you cannot turn on two-step authentication, this is a decent alternative.

Jetpack’s Protect is like a web application firewall for your WordPress site. It monitors failed login attempts across the network of sites connected to WordPress.com and then automatically blocks the offending IP addresses across the rest of the network.

Another common way hackers try to brute force your site is through XML-RPC. Jetpack Protect also blocks XML-RPC attacks, so you do not need to do anything further to disable XML-RPC if you’re using Jetpack.

Activate the Jetpack plugin and enable the Protect add-on to turn this on.

The alternative to this is the WP Limit Login Attempts plugin.

Automate updates to WordPress and plugins

The main reason developers release new versions so frequently is security vulnerabilities found in older versions. The vast majority of security compromises happen through outdated plugins.

Automatic updates keep you safe. Always upgrade to the latest version of WordPress, and do the same for your blog’s theme and the plugins you use.

Upgrading is a simple, automated, one-click process within the WordPress admin interface. When a new update is available, WordPress will show a notice at the top of your dashboard.

The most recent versions feature automatic background updates. You may find that your secure host updates you to the latest version automatically while you sleep. Mine does.

Automatic updates for themes and plugins are possible too, since the WordPress 5.5 release in August 2020.
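To make the automatic updates described above stick, the filters below can be dropped into a must-use plugin. This is an added example, not code from the post or from WordPress itself; the held-back plugin path is a constructed placeholder.

```php
<?php
/**
 * Plugin Name: Enable automatic updates (added example)
 * Save as wp-content/mu-plugins/auto-updates.php so it cannot be deactivated
 * from the dashboard. Also check wp-config.php: AUTOMATIC_UPDATER_DISABLED
 * must not be true, and WP_AUTO_UPDATE_CORE must not be false.
 */

// Core: allow both minor (security) and major releases to install themselves.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: update everything automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update everything, except any plugin you insist on testing by hand.
// $item is the update object; $item->plugin is "folder/main-file.php".
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array( 'example-shop/example-shop.php' ); // constructed placeholder
    if ( isset( $item->plugin ) && in_array( $item->plugin, $hold_back, true ) ) {
        return false; // leave this one for a manual update
    }
    return true;
}, 10, 2 );

// Get an email each time the updater runs, so a failed update is noticed.
add_filter( 'auto_core_update_send_email', '__return_true' );
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```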

Limit the number of plugins and themes installed

Keep the number of attack entry points to a minimum. Only install themes and plugins that you actively use and that are necessary to run your blog. Remove anything that’s not used.

The average blogger uses more than 20 plugins. There’s a plugin for a contact form, a plugin for the email newsletter subscribers, a plugin for live chat, a plugin for analytics and so much more. Minimize the number of plugins you use. Jetpack, for instance, replaces several different plugins.

Don’t download themes and plugins from unknown sources. Use only the official WordPress plugin and theme directories and the official websites of trusted sources, such as premium theme and plugin vendors.

These are the quality signs to look for in a plugin or a theme:

  • A high number of downloads and active WordPress users.
  • Regular updates and a recent last update.
  • Good reviews and rating.

Create a new user account and limit unauthorized access

It’s harder for a hacker to break into your WordPress account when both the username and the password have to be guessed. The username “admin” is the most frequent target of brute force attacks. It’s an easy target and should be deleted and not used.

Reduce the number of people who have admin access to your blog to a minimum. Anyone who doesn’t need admin access shouldn’t have it. This is easy to do with roles and capabilities.

Here’s how to create a new user and delete the default “admin” user:

  • You create a user by going into “Users” then “Add New” in the WordPress menu.
  • When creating the new user, make sure to give it the role of “Administrator”. That ensures you keep full control over your WordPress website and its security.
  • Now log out from your default “admin” account and log in with the new user details.
  • In “Users”, delete the default admin username.
  • Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account.

Use strong and secure passwords

Don’t use simple passwords on your WordPress account. Simple passwords might be easy for you to remember, but they are also easier for a hacker to crack.

Use strong and secure passwords instead. Your passwords should be:

  • At least twelve characters long.
  • A mix of numbers, special characters, and upper- and lowercase letters.

Here’s a free tool by Norton that helps you create a strong password.
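WordPress only warns about weak passwords; it does not refuse them. The snippet below enforces the policy above (twelve or more characters, mixed case, a digit and a special character) on the profile screen, the “Add New” user screen and the password reset form. It is an added example, not part of the post; the function names are my own.

```php
<?php
// Return true only if $password meets the policy from this post.
function secure_blog_password_is_strong( $password ) {
    return mb_strlen( $password ) >= 12
        && preg_match( '/[a-z]/', $password )
        && preg_match( '/[A-Z]/', $password )
        && preg_match( '/[0-9]/', $password )
        && preg_match( '/[^a-zA-Z0-9]/', $password );
}

// Attach an error to the WP_Error object WordPress passes to these hooks.
// All three screens post the new password in the "pass1" field.
function secure_blog_check_password( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change submitted, nothing to check
    }
    $password = wp_unslash( $_POST['pass1'] );
    if ( ! secure_blog_password_is_strong( $password ) ) {
        $errors->add(
            'weak_password',
            'Password must be at least 12 characters and include upper and lowercase letters, a number and a special character.'
        );
    }
}

// Profile edits and the admin "Add New" user screen (edit_user()).
add_action( 'user_profile_update_errors', 'secure_blog_check_password', 10, 1 );
// Password reset form (wp-login.php?action=rp).
add_action( 'validate_password_reset', 'secure_blog_check_password', 10, 1 );
```

Note that this checks composition only; a long passphrase from a password manager is still the better choice, and the policy complements rather than replaces two-step verification.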

Set a new nickname

You don’t want your new username to be the author name that’s shown on all posts. Otherwise, hackers have an easy way of finding your new username.

Set the nickname of your account to something different from your username. Here’s how:

  • Go to “Users” under “Your Profile”.
  • Choose a new nickname in the Nickname field.
  • Set “Display name publicly as” to your new nickname.

Do not allow guest user registrations

You don’t have a membership site? Then there is no reason to allow visitors to register for a guest account.

Check that you’ve got registration turned off. Click “Settings” and make sure that the “Anyone can register” option is unticked.

Do not allow pings

A WordPress site with the pingback option enabled can be used in DDoS attacks against other sites. This option is enabled by default, so it’s important to disable it.

In “Settings”, go into “Discussion” and, under “Default Article Settings”, untick “Allow link notifications (pingbacks and trackbacks)”.
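That Discussion setting only changes the default for posts created afterwards; existing posts keep their ping status, and the pingback.ping XML-RPC method stays registered. The following added example (not code from the post) closes those gaps; the function name is my own.

```php
<?php
// 1. Remove the pingback methods from the XML-RPC server, so remote callers
//    cannot make this site fetch URLs on their behalf (the DDoS reflector path).
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint in the HTTP response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Blank the pingback URL that themes print as <link rel="pingback"> in <head>.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. One-off clean-up: close pings on every existing post, because the
//    Discussion setting only covers new posts. Returns the number of rows
//    changed. Run once, e.g. with WP-CLI: wp eval 'secure_blog_close_existing_pings();'
function secure_blog_close_existing_pings() {
    global $wpdb;
    return $wpdb->query(
        "UPDATE {$wpdb->posts} SET ping_status = 'closed' WHERE ping_status = 'open'"
    );
}
```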

Take regular automatic backups

Taking daily or weekly automatic backups of your content and database is essential. Good hosting providers also run their own system backups. Mine does.

Choose to auto upgrade and auto backup

You can still take personal responsibility for doing regular backups yourself. WordPress consists of two parts:

  • Database: a place where all settings, pages, posts, and comments are stored.
  • Files: which include media, attachments, themes, and plugins.

It’s recommended to perform a regular, full backup of the entire site. There is a plethora of options. The best free plugin is UpdraftPlus, which is used on more than 2 million blogs.

In case your site does get hacked or infected by a virus or malware, you’ll be able to restore a fully functioning backup.

These simple steps can be executed relatively quickly to improve your WordPress security and will make your site so much harder to break into.

You probably won’t have a hacking problem. You’ll feel safer. You’ll be able to focus your time on writing exciting content and building an audience.

By Marko Saric

I’m on a mission to help you share what you love, get discovered by people who love the same things too and make the web a better place at the same time. Find me on Twitter and Mastodon too.