This guide features simple security measures you can implement to secure your WordPress site, prevent hacking attacks and keep your content safe. I’ll include the best WordPress security solutions and precautions in this post. If you follow them, you’ll be sleeping safely.
In this WordPress security guide, I’ll address the following questions:
- Is WordPress secure and can it be hacked?
- How can I improve my WordPress security?
- How do I protect my WordPress site from malware?
- What makes a WordPress site not secure?
- Why does my site show as “not secure”?
- How can I give someone a secure access to my WordPress site?
- What is the best security plugin for WordPress?
- How can I check to see if my site is safe?
- How do I remove a virus from WordPress?
And many more. Let’s get started.
Table of contents
- WordPress security checklist
- Is WordPress secure and can it be hacked?
- Best WordPress security plugins
- Host your site with a secure hosting company
- Turn on 2-Step Verification
- Block unwanted, brute force login attempts
- Automate updates to WordPress and plugins
- Create a new user account and limit unauthorized access
- Take regular automated backups
WordPress security checklist
There are many WordPress security guides with 20-30 or even more steps on how to protect your WordPress site. Many of those steps are completely unnecessary for the average user.
Here are quick and simple steps you should take to keep your WordPress site safe and secure:
- Use a unique username with a strong password on all administrative accounts.
- Turn on and require 2-Step Verification on all administrative accounts.
- Don’t install themes and plugins from untrusted sources.
- Set WordPress, themes and plugins to be updated automatically.
- Set WordPress to backup automatically.
- Use a host with a container-based isolation which protects your site from being contaminated by other insecure sites on the same server.
These six steps will take you few minutes to implement and you won’t need to worry about WordPress security after that. You’ll be able to focus on building a great website instead.
Why is WordPress so vulnerable and insecure?
WordPress is very serious about its security and is very secure software. WordPress security team is made of 50 security experts and developers. Being open source software, there are many eyes on it and it keeps the whole content management system safe and secure.
So why is it that you hear about WordPress being vulnerable and insecure? WordPress is the most widely used CMS and blogging platform with a market share of more than 35% of the entire web.
The popularity of WordPress websites makes it a regular target of brute force login attacks which attempt to discover sites that use the default username and/or a weak password. This is sensitive information and the key to keeping your blog safe and secure.
A brute-force is when an attacker logs in with many passwords in the hope of guessing correctly. The attacker systematically checks all possible options until the correct one is found.
Use two-factor authentication for your WordPress admin dashboard login as an effective brute force protection.
The second most common attack is on outdated WordPress software, obsolete versions of PHP, outdated themes and plugins. This is why it’s key to always update everything.
Both of these types of attacks are automated across all the hosting platforms, so they don’t specifically target your blog only.
If they do succeed to infect a blog that’s not adequately secured, they may even cross-contaminate all the other blogs hosted on the same server. Don’t let any of this happen to you.
Best WordPress security plugins: Identify any existing vulnerability
There are several WordPress security plugins and other tools you can use to figure out if your blog has a current weakness.
They scan for malware, malicious codes and scripts, out of date software and other known security issues. These WordPress security plugins can help keep your blog safe. Here are some of the best options that all include free versions:
- Sucuri SiteCheck: There is a Sucuri plugin too but this is a browser-based tool for a quick scan and check.
- Search Console: “Security & Manual Actions” section notifies you when Google detects malware or other security issues with your WordPress website.
- Wordfence Security: The most popular WordPress security plugin used by more than 3 million sites. Features login security, firewall and a malware scanner.
- iThemes Security Plugin: This plugin is used on more than 900,000 WordPress sites.
- All In One WP Security & Firewall: Activated on more than 800,000 WordPress sites. All the features on this plugin are entirely free to use.
Host your blog with a secure hosting company
One vulnerability is cross-contamination. If your site is hosted on an unprotected shared server and an exploitable site gets attacked, other sites on that server can be infected too.
This has happened to my blog a few times while being hosted on GoDaddy. Initially, I blamed the hacks on my own inexperience or not using the best practices.
Since I’ve learned how these hacks happen, it has made me wary of using hosts that are not well protected. The best protection from cross-contamination is to use a secure WordPress host. Ask your host what security precautions they take about cross-contamination.
My site is reader-supported. If you make a purchase through some of the links on my site, I may earn an affiliate commission. This helps keep my site advertising and tracking-free. It does not change the price you pay. I only recommend products that I truly believe are valuable. Learn more.
Right now, my blog is hosted on GreenGeeks and I’m happy to report that I haven’t had any security issues yet. Fingers crossed it continues!
I’m a happy paying customer of GreenGeeks services as they have several security measures, server configurations and additional features in place that you can take advantage of using your WordPress installation:
- All the WordPress blogs are automatically updated as soon as there is a new release. I don’t have to take any action.
- There is a nightly backup of all the data in case of an emergency. Fortunately, I haven’t had to deal with backups yet.
- They have container-based isolation, which means that your blog is kept separated from other blogs and cannot be infected by cross-contamination.
- In-built spam protection and real-time malware and virus monitoring.
- You also get a free domain name and a free SSL certificate from Let’s Encrypt. This will prevent your site from being labeled as “not secure” on the different browsers.
- 24/7 customer support via live chat, email or phone just in case it’s necessary.
Turn on 2-Step Verification
Two-factor verification adds an extra layer of security to your WordPress login URL and completely prevents all the brute force attacks.
Without having access to your phone, it’s simply impossible to break through the login page even if the attacker knows username and password.
Turn on Secure Sign On in Jetpack for one of the easiest ways to enable two factor authentication in WordPress. This lets you log in to your self-hosted site with your WordPress.com logins. And WordPress.com allows you to require two-factor authentication.
- Enable two-step on your WordPress.com account under “Two-Step Authentication” within “Security”.
- Install and activate Jetpack plugin in your self-hosted WordPress admin area.
- Turn on the “Single Sign On” option.
- Tick the box to “Require Two-Step Authentication“.
- Insert this code to your theme’s functions.php file to disable the default WordPress login form:
add_filter( 'jetpack_remove_login_form', '__return_true' );
Now you can only log in to your self-hosted blog using your WordPress.com login details. And these require a two-factor authentication from your phone. The default login has been disabled.
Two step authentication is by far the best way to stop people trying to brute force their way into your wp-admin dashboard. I highly recommend it.
In the past, I used several different hacks to prevent these attacks such as changing the URL of the default WordPress login page and blocking all IP addresses except my own from trying to login but the two step authentication is a much more elegant solution.
Block unwanted, brute force login attempts
If you for whatever reason cannot turn on the two-step authentication, this is a decent alternative.
Jetpack’s Protect is like a web application firewall for your WordPress. It monitors all failed login attempts on the network of sites hosted by WordPress. It then automatically blocks all these unwanted tries from these bad IP addresses from the rest of the network.
Another of the common ways hackers try to brute force your site is through XML-RPC. Jetpack Protect also blocks all the XML-RPC attacks so you do not need to do anything further to disable XML-RPC if you’re using Jetpack.
Activate the Jetpack plugin and enable the Protect add-on to turn this on. This is a screenshot from one of my blogs:
The alternative to this is the WP Limit Login Attempts plugin.
Automate updates to WordPress and plugins
Main reason developers release new versions frequently is caused by security vulnerabilities found in older versions. A vast majority of security compromises happen through outdated plugins.
Automatic updates work to keep you safe. Always upgrade to the latest version of WordPress. Do the same for the newest version of your blog design theme and plugins you use.
Upgrading is simple, automated, one-click processes within the WordPress admin interface. When there is a new update available, WordPress will give you notice on top of your dashboard.
The most recent versions feature automatic background updates. You may find that your secure host updates you to the latest version automatically while you sleep. Mine does.
Themes and plugins automatic updates is coming to the WordPress 5.5 release in August 2020. It’s possible to beta test this feature now. You can also auto-update your themes and plugins using these options:
Jetpack allows you to set all your plugins to be updated automatically. Even for your self-hosted sites. Here’s how:
- Login to your WordPress.com account.
- Find “Plugins” in the “Tools” section.
- Click on “Manage Plugins” in the top right.
- Simply switch on “Autoupdates” on all plugins.
If your web hosts don’t update WordPress and its plugins automatically and you don’t want to use the Jetpack plugin, here’s a more technical solution.
In your WordPress folder on your web server you can edit the wp-config.php file to make WordPress update automatically. Here’s the code you need to insert into your wp-config.php file:
define( 'WP_AUTO_UPDATE_CORE', true ); add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );
This will automatically update the WordPress software itself but also your themes and plugins.
Limit the number of plugins and themes installed
Keep the entry points of attacks down to a minimum. Only install themes and plugins that you actively use and that are necessary to run your blog. Remove anything that’s not used.
Minimize the number of plugins you use. Jetpack, for instance, replaces several different plugins.
These are the quality signs to look for in a plugin or a theme:
- A high number of downloads and active WordPress users.
- Regular updates and a recent last update.
- Good reviews and rating.
Create a new user account and limit unauthorized access
It’s harder for a hacker to break into your WordPress account when both username and password have to be cracked. Username “admin” is the most frequent target of brute force attacks. It’s an easy target and should be deleted and not used.
Reduce the number of people who have admin access to your blog to a minimum. Anyone who doesn’t need admin access shouldn’t have it. This is easy to do with roles and capabilities.
Here’s how to create a new user and delete the default “admin” user:
- You create a user by going into “Users” then “Add New” in the WordPress menu.
- When creating the new user, make sure to give it the role of an “Administrator”. That will ensure that you have the full authority over your WordPress website security.
- Now log out from your default “admin” account and log in with the new user details.
- In “Users” delete the default admin username.
- Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account.
Use strong and secure passwords
Don’t use simple passwords on your WordPress account. Simple passwords might make it easy for you to remember, but they are also more accessible for a hacker to crack.
Use strong and secure passwords instead. Your passwords should be:
- At least twelve characters long.
- Include numbers, special characters, upper and lowercase letters.
Here’s a free tool by Norton that helps you create a strong password.
Set a new nickname
You don’t want your new username to be the author name that’s shown on all posts. This way, the hackers will have an easy way of finding your new username.
Set the nickname of your account to something different from your username. Here’s how:
- Go to “Users” under “Your Profile”.
- Choose a new nickname in the Nickname field.
- Set “Display name publicly as” to your new nickname.
Do not allow guest user registrations
You don’t have a membership site? Then there is no reason to allow visitors to register for a guest account.
Check that you’ve got registration turned off. Click “Settings” and make sure that “Anyone can register” option is unticked.
Do not allow pings
WordPress with pingback option enabled can be used in DDOS attacks against other sites. This option is enabled by default, so it’s important to disable it.
In “Settings” go into “Discussion” and in “Default Article Settings” tick off “Allow link notifications (pingbacks and trackbacks)”.
Take regular automatic backups
Taking daily or weekly automatic backups of your content and database is essential. Good hosting providers execute their system backups on their part. Mine does.
At the time you set up a WordPress site on GreenGeeks you can select automatic updated and automatic backup:
You can still take personal responsibility in doing regular backups yourself. WordPress consists of two parts:
- Database: a place where all settings, pages, posts, and comments are stored.
- Files: which include media, attachments, themes, and plugins.
It’s recommended to perform a regular, full backup of the entire site. There are a plethora of options. The best free plugin is UpdraftPlus, which is used on more than 2 million blogs.
In case your site does get hacked or infected by a virus or malware, you’ll be able to restore a fully functioning backup.
These simple steps can be executed relatively quickly to improve your WordPress security and will make your site so much harder to break into.
You probably won’t have a hacking problem. You’ll feel safer. You’ll be able to focus your time on writing exciting content and building an audience.