This guide features simple WordPress security measures you can implement to secure a WordPress blog, prevent hacking and keep content safe.
Let’s get started with my guide on how to secure your WordPress site.
Why is WordPress so vulnerable and insecure? Popularity makes it a target
WordPress takes security very seriously and is very secure software to use. I’ll include some of the best practices and certain precautions in this post. If you follow them, you’ll be sleeping safely.
WordPress is the most widely used CMS and blogging platform with a market share of more than 34% of the entire web.
The popularity of WordPress makes sites on it a regular target of brute force login attacks which attempt to discover sites that use the default username and/or a weak password.
A brute-force attack is when an attacker tries to log in with many passwords in the hope of guessing correctly, systematically checking all possible options until the correct one is found.
Enabling two-step verification for your login effectively stops these brute force attacks.
The second most common attack targets outdated WordPress core, obsolete versions of PHP, and outdated themes and plugins. This is why it’s key to always update everything.
Both of these types of attacks are automated and run across all hosting platforms, so they don’t specifically target your blog.
If they succeed in infecting a blog that’s not adequately secured, they may even cross-contaminate all the other blogs hosted on the same server. Don’t let any of this happen to you.
WordPress security plugins: Identify any existing vulnerability
There are several WordPress security plugins and other tools you can use to figure out if your blog has a current weakness.
They scan for malware, malicious scripts, out-of-date software and other known security issues. These can help keep your blog safe. Here are some of the best options:
- Sucuri SiteCheck: A browser-based tool for a quick scan and check.
- Search Console: “Security & Manual Actions” section notifies you when Google detects malware or other security issues with your site.
- Wordfence Security: The most popular WordPress security plugin used by more than 3 million sites. Features login security, firewall and a malware scanner.
- iThemes Security: This plugin is used on more than 900,000 WordPress sites.
- All In One WP Security & Firewall: Activated on more than 800,000 WordPress sites. All the features on this plugin are entirely free to use.
Host your blog with a secure hosting company
One vulnerability is cross-contamination. If your site is hosted on an unprotected shared server and an exploitable site gets attacked, other sites on that server can be infected too.
This has happened to my blog a few times while being hosted on GoDaddy. Initially, I blamed the hacks on my own inexperience or bad practices.
Since learning how these hacks happen, I’ve become wary of using hosts that are not well protected. The best protection from cross-contamination is to use a secure hosting company.
Right now, my blog is hosted on GreenGeeks and I’m happy to report that I haven’t had any security issues yet. Fingers crossed it continues!
I’m a happy paying customer of GreenGeeks services as they have several security measures in place:
- All the WordPress blogs are automatically updated as soon as there is a new release. I don’t have to take any action.
- There is a nightly backup of all the data in case of an emergency. Fortunately, I haven’t had to deal with backups yet.
- They have container-based isolation, which means that your blog is kept separate from other blogs and cannot be infected by cross-contamination.
- In-built spam protection and real-time malware and virus monitoring.
- 24/7 customer support via live chat, email or phone just in case it’s necessary.
Disclosure: This article contains affiliate links. This helps support my blog and allows me to continue making guides like this. If you click my link and make a purchase, I earn a commission at no additional cost to you. I only promote products that I truly believe will be valuable to you.
Turn on 2-Step Verification
Two-step verification adds an extra layer of security to your WordPress login and completely prevents all the brute force attacks.
Without access to your phone, it’s simply impossible to break through the login page even if the attacker knows the username and password.
Turn on Secure Sign On in Jetpack. This lets you log in to your self-hosted site with your WordPress.com logins. And WordPress.com allows you to require two-step authentication.
- Enable two-step on your WordPress.com account under “Two-Step Authentication” within “Security”.
- Install and activate Jetpack plugin in your self-hosted WordPress.org admin.
- Turn on the “Single Sign On” option.
- Tick the box to “Require Two-Step Authentication”.
- Insert this code into your theme’s functions.php file to disable the default WordPress login form:
// Jetpack SSO: remove the standard username/password form from wp-login.php
add_filter( 'jetpack_remove_login_form', '__return_true' );
Now you can only log in to your self-hosted blog using your WordPress.com login details, and those require two-step authentication from your phone. The default login form has been disabled.
Block unwanted, brute force login attempts
If you for whatever reason cannot turn on the two-step authentication, this is a decent alternative.
Jetpack’s Protect monitors all failed login attempts across the network of sites hosted by WordPress. It then automatically blocks these unwanted attempts across the rest of the network.
Activate the Jetpack plugin and enable the Protect add-on to turn this on. This is a screenshot from one of my blogs:
Automate updates to WordPress and plugins
The main reason developers release new versions so frequently is security vulnerabilities found in older versions. The vast majority of security compromises happen through outdated plugins.
Always upgrade to the latest version of WordPress. Do the same for the newest version of your blog design theme and plugins you use.
Upgrading is a simple, automated, one-click process within the WordPress interface. When a new update is available, WordPress notifies you at the top of your dashboard.
The most recent versions feature automatic background updates. You may find that your secure host updates you to the latest version automatically while you sleep. Mine does.
Jetpack allows you to set all your plugins to be updated automatically too. Even for your self-hosted sites. Here’s how:
- Log in to your WordPress.com account.
- Find “Plugins” in the “Tools” section.
- Click on “Manage Plugins” in the top right.
- Simply switch on “Autoupdates” on all plugins.
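If you don’t use Jetpack, the same policy can be set with WordPress core’s own filters. This is an added example, not code from the guide or from Jetpack; the file location, the placeholder plugin slug and the guide_* function names are assumptions:

```php
<?php
// Added example, not from the guide or from Jetpack: the same "update
// everything automatically" policy for a site that does not use Jetpack,
// using WordPress core's own filters. Assumed to be saved as
// wp-content/mu-plugins/auto-updates.php (must-use plugins load on every
// request and cannot be deactivated from the dashboard).

// Plugins you deliberately keep on manual updates, for example one that you
// test before each release. The slug is a placeholder, not a real plugin.
function guide_held_back_plugins() {
    return array( 'example-plugin/example-plugin.php' );
}

// $item is the update object WordPress builds for each plugin with a pending
// update; $item->plugin is the plugin file relative to wp-content/plugins.
function guide_auto_update_plugin( $update, $item ) {
    $held = guide_held_back_plugins();
    if ( isset( $item->plugin ) && in_array( $item->plugin, $held, true ) ) {
        return false; // stay on manual updates for this one
    }
    return true; // everything else updates in the background
}
add_filter( 'auto_update_plugin', 'guide_auto_update_plugin', 10, 2 );

// Themes: always update automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Core: minor and security releases are automatic by default; opt in to major
// releases too, so the site never lags a whole version behind.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
```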
Limit the number of plugins and themes installed
Keep the number of attack entry points to a minimum. Only install themes and plugins that you actively use and that are necessary to run your blog. Remove anything that’s not used.
Minimize the number of plugins you use. Jetpack, for instance, replaces several different plugins.
These are the quality signs to look for in a plugin or a theme:
- A high number of downloads and active users.
- Regular updates and a recent last update.
- Good reviews and rating.
Create a new user account and limit access
It’s harder for a hacker to break into your WordPress account when both username and password have to be cracked.
Username “admin” is the most frequent target of brute force attacks. It should be deleted and not used.
Reduce the number of people who have admin access to your blog to a minimum. Anyone who doesn’t need admin access shouldn’t have it. This is easy to do with roles and capabilities.
Here’s how to create a new user and delete the default “admin” user:
- You create a user by going into “Users” then “Add New” in the WordPress menu.
- When creating the new user, make sure to give it the “Administrator” role. That will ensure that you have full control over your site.
- Now log out from your default “admin” account and log in with the new user details.
- In “Users” delete the default admin username.
- Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account.
Use a strong password
Don’t use simple passwords on your WordPress account. Simple passwords might be easy for you to remember, but they are also easier for a hacker to crack.
Use a strong and more secure password instead. Your password should:
- Be at least twelve characters long.
- Include numbers, special characters, and upper- and lowercase letters.
Here’s a free tool by Norton that helps you create a strong password.
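As an added example that is not from the guide, these rules can also be enforced server-side so that a weak password is rejected when it’s saved. The hook names are WordPress core’s; the guide_* function names and the functions.php placement are assumptions:

```php
<?php
// Added example, not from the guide: enforce the password rules above
// (twelve+ characters, upper- and lowercase letters, a number and a special
// character) server-side so a weak password cannot be saved at all.
// Assumed to live in the active theme's functions.php; the hook names are
// WordPress core's, the guide_* function names are mine.

// Returns a list of human-readable problems; an empty array means the
// password passes the policy.
function guide_password_policy_errors( $password ) {
    $errors = array();
    if ( mb_strlen( $password ) < 12 ) {
        $errors[] = 'Password must be at least twelve characters long.';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) ) {
        $errors[] = 'Password must contain an uppercase letter.';
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) {
        $errors[] = 'Password must contain a lowercase letter.';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $errors[] = 'Password must contain a number.';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $errors[] = 'Password must contain a special character.';
    }
    return $errors;
}

// Shared handler for the hooks below. Both pass a WP_Error as the first
// argument; the submitted password is in the pass1 field and is empty when
// the user saves the profile without changing the password.
function guide_validate_password_field( $errors ) {
    $password = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return;
    }
    foreach ( guide_password_policy_errors( $password ) as $message ) {
        $errors->add( 'weak_password', $message );
    }
}

// "Your Profile" and "Add New" user screens in wp-admin.
add_action( 'user_profile_update_errors', 'guide_validate_password_field' );
// The "set new password" form reached from a password-reset e-mail.
add_action( 'validate_password_reset', 'guide_validate_password_field' );
```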
Set a new nickname
You don’t want your new username to be the author name shown on all your posts. Otherwise, hackers have an easy way of finding your new username.
Set the nickname of your account to something different from your username. Here’s how:
- Go to “Users”, then “Your Profile”.
- Choose a new nickname in the Nickname field.
- Set “Display name publicly as” to your new nickname.
Do not allow guest user registrations
Don’t run a membership site? Then there is no reason to allow visitors to register for a guest account.
Check that you’ve got registration turned off: click “Settings” and make sure the “Anyone can register” option is unticked.
Do not allow pings
A WordPress site with the pingback option enabled can be abused to take part in DDoS attacks against other sites. This option is enabled by default, so it’s important to disable it.
In “Settings”, go into “Discussion” and under “Default Article Settings” untick “Allow link notifications (pingbacks and trackbacks)”.
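That checkbox only changes the default for new posts. As an added example, not from the guide, the following functions.php code also closes the pingback paths site-wide; the filter names are WordPress core’s, the placement is an assumption:

```php
<?php
// Added example, not from the guide: the Discussion setting only changes the
// default for posts created from now on. This closes the remaining pingback
// paths site-wide. Assumed to live in the theme's functions.php; the filter
// names are WordPress core's.

// 1. Drop the pingback.ping method from the XML-RPC server. Each accepted
//    pingback.ping call makes the site fetch a caller-supplied URL to verify
//    the link, and that fetch is what gets abused in DDoS attacks; without
//    the method, /xmlrpc.php neither receives nor processes pingbacks.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// 2. Stop advertising the endpoint: remove the X-Pingback response header ...
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and blank the pingback URL that themes print as <link rel="pingback">.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 3. Force the "Allow link notifications" default to closed for new posts,
//    whatever the checkbox in Settings > Discussion currently says.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```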
Take regular backups automatically
Taking daily or weekly backups of your content and database is essential. Good hosting providers run their own system backups. Mine does.
You can still take personal responsibility for doing regular backups yourself. WordPress consists of two parts:
- Database: a place where all settings, pages, posts, and comments are stored.
- Files: which include media, attachments, themes, and plugins.
It’s recommended to perform a regular, full backup of the entire site. There is a plethora of options. The best free plugin is UpdraftPlus, which is used on more than 2 million blogs.
WordPress security 101: The infographic
Here’s a quick WordPress security checklist of steps you should take to keep your blog safe and secure:
These simple steps can be executed relatively quickly to improve your WordPress security and will make your site so much harder to break into.
You probably won’t have a hacking problem. You’ll feel safer. You’ll be able to focus your time on writing exciting content and building an audience.