Are you looking for the ultimate WordPress security guide? Keeping your WordPress website safe is important. You want to take all of the necessary precautions to protect your site from malicious hackers, spammers, and intruders. Protecting your website may seem like a complicated task, especially for beginners, but it’s actually not.
In this article, we’ll share our ultimate WordPress security guide so that you can easily protect your website. Since this article’s a lengthy one, here’s a table of contents to help you navigate the steps we’ll be going over:
Table of Contents: WordPress Security Guide
- Is Your WordPress Website at Risk?
- The Easiest Way to Protect Your Site? Use the Best WordPress Security Plugin
- Choose Secure WordPress Hosting
- Use Strong and Unique Passwords
- Choose a Strong Username for WordPress Admin
- Follow WordPress Plugins & Themes Best Practices
- Keep Your WordPress Site Updated
- Install a WordPress Backup Plugin
- Limit Login Attempts
- Add Security Questions to WordPress Login
- Log Out Idle Users Automatically
- Disable File Editing on Your Site
- Signs Your WordPress Site Has Been Hacked
- What to Do if Your Site Has Been Hacked
Now, let’s get started.
Is Your WordPress Website at Risk?
If you run a small business website or you want to start a personal WordPress blog, you might think that your website isn’t at risk. But it is. Every website is at risk of being hacked, from giant eCommerce websites to small, personal websites.
You might also think that since WordPress is the most popular platform for building websites, your site is totally secure. But that’s not completely true either. While the WordPress core software is very secure, there are still other steps you need to take to further protect your website. Plus, the sheer popularity of WordPress is partly what attracts these cybercriminals to your website.
Just take a look at some of these WordPress statistics that show how important it is to protect your WordPress website:
- 83% of all CMS-based websites that were hacked recently were running WordPress, which makes sense since WordPress holds 60% of the CMS market share. (WPBeginner)
- Hackers attack WordPress sites both big and small, with over 90,978 attacks happening per minute. (WPPlugins)
- The four most common WordPress malware infections are Backdoors, Drive-by downloads, Pharma hacks, and Malicious redirects. (Smashing Magazine)
- Google blacklists around 20,000 websites for malware, and around 50,000 for phishing, every single week. (WPBeginner)
- Wordfence blocked 9,495,478,648 attacks on WordPress sites. (Wordfence)
As you can see from these statistics, anyone with a WordPress site is at risk of an attack, making it extremely important to beef up the security of your WordPress site.
A hacked website can cost you a ton of money and damage the reputation of your business. If you’re selling products online or collecting online payments and sensitive information from your customers, protecting your website should be a top priority. Hackers can steal your customers’ private information, passwords, credit card info, and more.
You don’t just have to worry about sensitive information being stolen either. Hackers also commonly take over your website and its content to install malicious software and can even distribute malware to your users too. They might even ask you for ransom money in order to regain access to your own website.
Some hackers don’t even need a reason to attack your website, some of them do it just for the “fun” of it.
Protecting your WordPress website is not something you want to ignore. There are a number of easy steps you can take, even if you’re not tech savvy, to hack-proof your WordPress website. So, let’s dive into the 1st easy step in our WordPress security guide.
The Easiest Way to Protect Your Site? Use the Best WordPress Security Plugin
The #1 easiest and most effective way to protect your WordPress website is to install a WordPress security plugin. A WordPress security plugin will protect your site from harm and put your mind at ease knowing your site is hack-proof, without you needing to get into anything technical.
The best WordPress security plugins should come with the following features:
- Scan – A good security plugin will scan your website on a regular basis to find malware and other potential threats.
- Firewall – Firewalls monitor all of the traffic to your site and keep out malicious bots that are trying to reach your website server.
- Removal & Fixes – Your security plugin should guarantee the removal of malware and fixes on your site in the case you do get attacked.
Since there are so many WordPress security plugins available, it’s difficult to figure out which of them will offer your website the most protection. So, to help you choose the best security plugin for your WordPress site, here are a few of our picks for the best WordPress security plugins.
Sucuri is our top pick for the best WordPress security plugin. We use it on our own website and we love it. Sucuri is a complete, cloud-based website security solution that will protect your site from malware, brute force attacks, and any other potential threats.
When you use Sucuri, all of your website traffic goes through their CloudProxy servers and every request is scanned in order to filter out malicious requests. This not only protects your website, but it also reduces server load and improves your site’s performance and speed.
Sucuri also reports potential security threats to the WordPress core team and to third-party plugins, boasts an antivirus package that monitors your site every 4 hours for threats, keeps track of everything that happens on your website, and more.
SiteLock’s cloud-based technology deploys and protects your site in minutes, so it works super-fast to find, fix, and prevent vulnerabilities. Every day, SiteLock scans your WordPress themes, plugins, and files for potential vulnerabilities that could cause your site to get blacklisted.
Plus, when SiteLock finds and automatically fixes any vulnerabilities, they provide you with an easy-to-understand report so you can learn more about security.
Wordfence offers a free plugin that includes important features such as web application firewall, malware scanner, and protection from brute force attacks. Which is perfect if you’re just starting out and need a cost-effective protection solution.
With Wordfence Premium you get access to even more powerful features like real-time IP blacklist, real-time firewall rule and malware signature updates, 2-factor authentication, country blocking, and more.
The only downside to Wordfence is that it runs on your own server, instead of being cloud-based like the other security plugins.
Now that you’ve got some great options for WordPress security plugins that will protect your website and put your mind at ease, let’s look at some other ways you can easily boost the security of your WordPress site.
Choose Secure WordPress Hosting
Choosing secure WordPress hosting is another important step to ensuring the security of your website. A good shared hosting solution will always take the necessary steps to protect their servers from threats. Shared hosting providers like Bluehost, Hostinger, and Siteground are always monitoring their network for suspicious activity, so that’s one less thing for you to worry about.
Hosting providers like these will also keep their server software and hardware up to date, have tools in place to prevent DDoS attacks, and have plans in place to protect your data in the case an incident does occur.
Another key security feature that should come with WordPress hosting is an SSL certificate. An SSL certificate helps secure the connection between your website and your visitors which helps keep personal information, eCommerce transactions, and other sensitive data safe.
We recommend using Bluehost for hosting your WordPress site.
Not only is Bluehost one of the most secure hosting solutions for your WordPress site, but they also have worked out a great deal for IsItWP readers.
When you sign up with Bluehost you get a free domain, free SSL certificate to protect your website, and over 72% off of web hosting. So, you can start your website and make sure it’s secure for only $2.75/month.
On the other hand, if you want an even more secure hosting provider, you can also choose a managed WordPress hosting service. The only downside to a shared hosting solution like Bluehost is that you have to share the server resources with all of the other customers. This means there’s a risk that a hacker can use a neighboring website to attack your own website.
With a managed WordPress hosting service like WPEngine, it’s like getting a security concierge for your WordPress website. Managed WordPress hosting providers do all the work for you. They offer automatic WordPress updates, automatic backups, and more advanced security measures that make it a more secure platform for your site.
Use Strong and Unique Passwords
Another super easy way to better protect your website is by using strong and unique passwords. 8% of WordPress security breaches happen as the result of a weak password. Choosing a strong and secure password is a simple change you can make that will protect your website from intruders.
So, if you’ve got a password like “ilovesdogs” or even the dreaded “12345678”, change it now. Take a look at the tips below for how to choose a secure password:
- Make it Longer – It only takes 15 minutes for a code-breaking program to figure out an 8-character password. Make your password at least 10 characters long.
- Make it Unique – Don’t choose common phrases or a word chosen straight out of the dictionary, make your password unique.
- Mix it Up – Add special characters, numbers, and a mix of uppercase and lowercase letters.
- Don’t Use Personal Details – Avoid using personal details in your password like your date of birth, Social Security number, or address.
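The four tips above turned into an enforced policy, added here as a WordPress must-use plugin (example code, not IsItWP’s own). The minimum length, the small common-password list and the hook names are this example’s choices, and the “personal details” check covers only what WordPress knows about the account (username, names, email), since WordPress stores no date of birth or address.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 * Added example enforcing the password tips on profile updates and password
 * resets; not IsItWP's code. Save as wp-content/mu-plugins/example-password-policy.php.
 */

const EXAMPLE_PW_MIN_LENGTH = 10;

// Constructed list of well-known weak passwords; a real deployment would use a
// far larger breached-password list.
const EXAMPLE_PW_COMMON = array( '12345678', 'password', 'qwertyuiop', 'iloveyou', 'letmein', 'welcome1', 'ilovedogs' );

/**
 * Validate a candidate password and add one error per failed rule.
 * $user is a WP_User (password reset) or the stdClass that edit_user() builds.
 */
function example_pw_check( $password, $user, WP_Error $errors ) {
    $lower = strtolower( $password );

    // Make it longer
    if ( strlen( $password ) < EXAMPLE_PW_MIN_LENGTH ) {
        $errors->add( 'pw_short', sprintf( __( 'Password must be at least %d characters long.' ), EXAMPLE_PW_MIN_LENGTH ) );
    }
    // Make it unique: compare the whole password and its letters-only core, so
    // "password1!" does not slip past the common-password check.
    $core = preg_replace( '/[^a-z]/', '', $lower );
    if ( in_array( $lower, EXAMPLE_PW_COMMON, true ) || in_array( $core, EXAMPLE_PW_COMMON, true ) ) {
        $errors->add( 'pw_common', __( 'That password is too common.' ) );
    }
    // Mix it up: require uppercase, lowercase, a digit and a special character.
    if ( ! preg_match( '/[A-Z]/', $password ) || ! preg_match( '/[a-z]/', $password )
        || ! preg_match( '/[0-9]/', $password ) || ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $errors->add( 'pw_mix', __( 'Use uppercase and lowercase letters, numbers and special characters.' ) );
    }
    // Don't use personal details: anything WordPress knows about the account.
    $details = array();
    foreach ( array( 'user_login', 'first_name', 'last_name', 'nickname', 'display_name' ) as $prop ) {
        if ( ! empty( $user->$prop ) ) {
            $details = array_merge( $details, preg_split( '/\s+/', strtolower( $user->$prop ) ) );
        }
    }
    if ( ! empty( $user->user_email ) ) {
        $details[] = strtolower( (string) strstr( $user->user_email, '@', true ) );
    }
    foreach ( $details as $d ) {
        if ( strlen( $d ) >= 3 && strpos( $lower, $d ) !== false ) {
            $errors->add( 'pw_personal', __( 'Password must not contain your name, username or email address.' ) );
            break;
        }
    }
}

// Profile page and "Add New User" screen: edit_user() has put the new password in $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        example_pw_check( $user->user_pass, $user, $errors );
    }
}, 10, 3 );

// "Lost your password?" reset form: the new password arrives as the pass1 field.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! empty( $_POST['pass1'] ) ) {
        example_pw_check( wp_unslash( $_POST['pass1'] ), $user, $errors );
    }
}, 10, 2 );
```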
Don’t want to try to come up with a secure password on your own? Try out IsItWp’s Free Strong Password Generator Tool.
With our password generator tool, you can instantly get a highly secure password for your WordPress admin that no hacker will be able to figure out. You can decide how long you want your password to be, whether you want to include uppercase letters, numbers, or special characters and whether you want a password that’s easier to remember.
Simply click on the blue circle to generate a strong password. If you don’t like the password that’s generated, click again to get another strong password instantly.
With this tool, you can easily come up with a password for your WordPress admin that would take hackers more than a lifetime to figure out.
Don’t forget, once you’ve got a secure password for your WordPress admin, don’t use that password for any other account.
Choose a Strong Username for WordPress Admin
While we’re on the topic of creating a strong password, you should also choose a strong username for your WordPress admin. A strong username is just as important as a strong password. After all, if a hacker is trying to break into your website, they need to figure out both your username and your password.
A common username WordPress users choose is “admin” or their name. If you have a simple username, you’re making it that much easier for hackers to gain entry to your site. So, you need to create a stronger username.
Choose a username that’s not related to the content of your website, don’t include personal information or details, and make it something that’s unique to you and would be difficult for other people to guess.
You can also hide your username from being shown on your website so that hackers can’t see it. In your WordPress dashboard, go to Users, then to Your Profile. Go to the Display name publicly as field and choose the option to display a nickname instead of your username.
Important Tip: Don’t make your username too obscure though. It has to be something you can easily remember because if you forget your password, you’ll need your username to retrieve it.
Follow WordPress Plugins & Themes Best Practices
One of the perks of using WordPress is having access to thousands of free plugins and free WordPress themes. But some of these plugins and themes can actually threaten the security of your website. In fact, almost 50% of WordPress sites are affected by a security vulnerability caused by an outdated or poorly coded WordPress plugin or theme.
For this reason, you need to be careful about which themes and plugins you choose to download and install on your WordPress site.
Generally, the best way to choose secure WordPress plugins and themes is to choose the most popular plugins from the WordPress Official Plugin Directory. There’s safety in numbers. If a lot of people are using a plugin or theme and it has lots of great reviews, it’s most likely a great plugin that will not open you up to any vulnerabilities.
If a plugin or theme is rarely updated, has many poor customer reviews, or is lacking support, it’s probably not a plugin or theme you want to use on your site.
To easily find out when a plugin was last updated, just go to the plugin’s page in the WordPress Official Directory. On the top right corner of the page, you can see when the plugin was last updated.
Don’t download any plugin without first doing your research. Make sure the plugins and themes you choose are trusted and secure.
Keep Your WordPress Site Updated
The next step in this WordPress security guide is to keep your WordPress site updated. Keeping your WordPress site updated is important to protect yourself against vulnerabilities. In fact, 39% of hacked WordPress websites were using an outdated version of the software. Plugins and WordPress itself get regular updates largely to add security improvements and bug fixes, so you need to stay up to date.
Since WordPress is open source software, it’s regularly maintained and updated. While WordPress automatically installs minor updates, for major updates you need to manually initiate the update. You can read our guide to updating WordPress.
You also need to keep all of the plugins you’ve installed, along with your WordPress theme, updated as well.
Luckily, WordPress makes it easy to keep your site, plugins, and themes updated. In your WordPress dashboard, you’ll see an Updates section. Any time one of your third-party plugins needs an update, you’ll get a notification for it. Simply click on Updates and you’ll see which plugins need to be updated. You can select each plugin and click on the Update Plugins button to instantly update.
In this area, you can also make sure you’ve installed all the latest WordPress updates as well.
Install a WordPress Backup Plugin
In the instance that your website gets infected with viruses or malware or your site becomes compromised by a hacker, it’s important that your site is backed up. Ideally, you’ll want a complete backup of your entire website including your database and all of your WordPress files. This might seem like a time-consuming and tricky project but luckily, there are a number of awesome WordPress backup plugins that will do all of the work for you.
Here are a few of our picks for the best backup plugins to secure and back up your WordPress website:
Duplicator is the best backup and migration plugin for WordPress. It makes it easy to keep an up-to-date backup of your entire site with scheduled backups of all your WordPress content.
You can send your backup to multiple cloud locations to ensure you always have a copy of your site to restore when you need it. Duplicator lets you connect to Dropbox, FTP, Google Drive, OneDrive, or Amazon S3 for safe storage.
Restoring your backups is simple too, all you have to do is click a few buttons and the plugin will do the rest for you. See our full Duplicator Review »
With over 1 million active installs, UpdraftPlus is one of the most popular backup plugins out there. UpdraftPlus offers a free and paid version of their plugin and with both, you can easily setup full, manual, or scheduled backups of all your website files. That includes your database, plugins, and themes.
You can back up into the cloud directly to Dropbox, Google Drive, Amazon S3, and more. Plus, you can restore your files with 1 click — no need to be a computer whiz.
BackupBuddy has been protecting half a million websites since 2010, so it’s another popular choice in backup plugins. With just a few clicks, BackupBuddy will backup your entire WordPress website right from your WordPress dashboard.
Once you backup your website pages, posts, themes, plugins, media library uploads, and more, BackupBuddy will provide you with a downloadable zip file of your entire WordPress site. So, if you ever do get hacked, all of your hard work will be saved.
Limit Login Attempts
Prevent hackers from entering your WordPress site by limiting login attempts. By default, WordPress allows users to attempt to log in as many times as they want. This isn’t ideal if you want to prevent hackers from trying to figure out your password and entering your website. So, limit login attempts to prevent brute force password discovery.
If you’re using a security plugin with a web app firewall as we recommended above, this is covered for you by your security plugin. But if not, you’re going to want to download a plugin like Login LockDown.
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that IP range.
In the settings for the plugin, you can choose the max login retries, retry time period restriction, the lockout length, and more.
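The lockout logic described above, written as a WordPress must-use plugin (an added example, not the Login LockDown plugin’s code). The retry limit, retry window and lockout length are values chosen for the example, the counter is keyed on the client’s /24 range taken from REMOTE_ADDR, and attempts are stored in transients so nothing beyond a stock WordPress install is assumed.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Added example of per-IP-range login lockout; not the Login LockDown plugin's
 * code. Save as wp-content/mu-plugins/example-login-lockout.php.
 */

// Policy values chosen for this example; Login LockDown exposes the same knobs in its settings page.
const EXAMPLE_LL_MAX_RETRIES    = 3;                      // failed attempts allowed...
const EXAMPLE_LL_RETRY_WINDOW   = 5 * MINUTE_IN_SECONDS;  // ...within this period, per IP range
const EXAMPLE_LL_LOCKOUT_LENGTH = 60 * MINUTE_IN_SECONDS; // how long the range stays locked

/**
 * Collapse an IPv4 address to its /24 range so one counter covers the whole
 * range, as the section describes. IPv6 addresses are used whole.
 */
function example_ll_ip_range( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets = explode( '.', $ip );
        return "{$octets[0]}.{$octets[1]}.{$octets[2]}.0/24";
    }
    return $ip;
}

function example_ll_client_range() {
    // REMOTE_ADDR is set by the web server; client-supplied headers such as
    // X-Forwarded-For are deliberately not trusted. Behind a proxy or CDN (for
    // example Sucuri's CloudProxy), have the server restore the real address first.
    return example_ll_ip_range( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function example_ll_lock_key( $range ) { return 'example_ll_lock_' . md5( $range ); }
function example_ll_fail_key( $range ) { return 'example_ll_fail_' . md5( $range ); }

// Record the timestamp of every failed attempt; lock the range once the limit is exceeded.
add_action( 'wp_login_failed', function ( $username ) {
    $range = example_ll_client_range();
    if ( get_transient( example_ll_lock_key( $range ) ) ) {
        return; // already locked: refused requests do not extend the count
    }
    $now      = time();
    $attempts = get_transient( example_ll_fail_key( $range ) );
    $attempts = is_array( $attempts ) ? $attempts : array();
    // Sliding window: drop attempts older than the retry period, then add this one.
    $attempts = array_filter( $attempts, function ( $t ) use ( $now ) {
        return ( $now - $t ) < EXAMPLE_LL_RETRY_WINDOW;
    } );
    $attempts[] = $now;
    set_transient( example_ll_fail_key( $range ), array_values( $attempts ), EXAMPLE_LL_RETRY_WINDOW );

    error_log( sprintf( 'example_ll: failed login for "%s" from %s (%d in window)',
        $username, $range, count( $attempts ) ) );

    if ( count( $attempts ) > EXAMPLE_LL_MAX_RETRIES ) {
        set_transient( example_ll_lock_key( $range ), $now, EXAMPLE_LL_LOCKOUT_LENGTH );
        delete_transient( example_ll_fail_key( $range ) );
    }
} );

// A successful login clears the range's failure history.
add_action( 'wp_login', function () {
    delete_transient( example_ll_fail_key( example_ll_client_range() ) );
} );

// Refuse logins from a locked range. Priority 100 runs after core's own
// username/password check (priority 20), so the error cannot be overridden.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( example_ll_lock_key( example_ll_client_range() ) ) ) {
        return new WP_Error( 'example_ll_locked',
            __( 'Too many failed login attempts from your network. Please try again later.' ) );
    }
    return $user;
}, 100, 3 );
```

Because the refusal happens inside the authenticate filter, a locked range is rejected before the password is ever compared, which is what stops a brute-force run from making progress.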
Add Security Questions to WordPress Login
Another way to beef up the security of your WordPress Login is to add security questions. Security questions act like extra passwords for your WordPress login, making it even harder for intruders to gain access to your site.
You can add security questions to your WordPress login by using a plugin like WP Security Question. With this plugin, you can set a security question of your choice for WordPress login, forgot password screens, and registrations.
It’s also important to protect the other forms on your website as well. For instance, if you want to create contact forms, guest post submission forms, order forms, and more for your website, you need to make sure those forms are secure too. Hackers can use your forms to expose vulnerabilities and gain access to your website, so it’s important to use secure forms.
When using a secure form builder such as WPForms, your forms will already be secure, but you can add extra layers of security to your forms as well.
With WPForms, you can customize your form field inputs. This way a hacker can’t enter random letters and numbers to try and get access to your website, they can only enter the data you want to be entered.
You can also enable reCAPTCHA on your forms. This forces all site visitors submitting a form on your site to click the “I’m not a robot” checkbox before submitting. This feature will help fight form spam and it can also prevent your site’s comments and forums from being broken into and hit with tons of spam comments.
WPForms also offers a Custom CAPTCHA addon that allows you to customize the questions and answers as CAPTCHA on your forms.
Log Out Idle Users Automatically
Did you know that when users leave their screens unattended (like leaving your website open and walking away from their computer) it’s actually a security risk for your website? When a user wanders away from their screen, intruders can take over their session, change their password, or change other sensitive account information. To prevent this from happening, install a plugin like Inactive Logout.
Once you’ve installed and activated the plugin, you can head to Settings to configure the plugin settings. Here you can decide how long in minutes users are allowed to idle before they get logged out and you can choose what message they’ll see upon logout as well.
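The idle-logout behaviour as an added must-use plugin (example code, not the Inactive Logout plugin’s own). The 15-minute limit, the user-meta key and the logout message are this example’s choices; it counts only real admin and front-end page loads as activity, so the admin Heartbeat pings of an unattended tab do not keep the session alive.

```php
<?php
/**
 * Plugin Name: Example Idle Logout
 * Added example of logging out idle users; not the Inactive Logout plugin's
 * code. Save as wp-content/mu-plugins/example-idle-logout.php.
 */

const EXAMPLE_IDLE_MINUTES = 15;                      // idle limit chosen for this example
const EXAMPLE_IDLE_META    = 'example_last_activity'; // user meta key holding the last page load

/**
 * Log the current user out if they have been idle too long; otherwise refresh
 * their last-activity timestamp. Hooked to admin and front-end page loads only:
 * AJAX calls (including the admin Heartbeat ping), cron and REST requests are
 * not a person at the keyboard, so they neither count as activity nor trigger
 * a logout.
 */
function example_idle_check() {
    if ( ! is_user_logged_in() || wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    $last    = (int) get_user_meta( $user_id, EXAMPLE_IDLE_META, true );

    if ( $last > 0 && ( $now - $last ) > EXAMPLE_IDLE_MINUTES * MINUTE_IN_SECONDS ) {
        // Destroy the session server-side (auth cookie and session token), then
        // send the user to the login screen with a flag that selects the message.
        wp_logout();
        delete_user_meta( $user_id, EXAMPLE_IDLE_META );
        wp_safe_redirect( add_query_arg( 'example_idle', '1', wp_login_url() ) );
        exit;
    }
    // Throttle the database write: refresh the timestamp at most once a minute.
    if ( ( $now - $last ) > MINUTE_IN_SECONDS ) {
        update_user_meta( $user_id, EXAMPLE_IDLE_META, $now );
    }
}
add_action( 'admin_init', 'example_idle_check' );
add_action( 'template_redirect', 'example_idle_check' );

// The message the user sees on the login screen after an idle logout.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['example_idle'] ) ) {
        $message .= '<p class="message">'
            . sprintf( esc_html__( 'You were logged out after %d minutes of inactivity.' ), EXAMPLE_IDLE_MINUTES )
            . '</p>';
    }
    return $message;
} );
```

wp_logout() invalidates the session token on the server, so a stolen cookie from the abandoned session stops working as well, rather than only clearing the browser.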
Disable File Editing on Your Site
If an intruder happens to get access to your website, they can easily edit the PHP files of plugins and themes inside of the WordPress admin interface. Because of the security risk this poses, we suggest that you turn this feature off.
If you’ve downloaded the security plugin Sucuri that we recommended earlier, you can do this easily with their Hardening feature.
Alternatively, you can turn this feature off by adding a small piece of code to your site. In the wp-config.php file add the following code:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Click here for detailed instructions on how to edit the wp-config.php file in WordPress.
Signs Your WordPress Site Has Been Hacked
If you’re new to WordPress and building websites, you might be wondering how you can even tell that your WordPress site has been hacked. It’s important to recognize that your site has been hacked as soon as possible. Because the longer the hackers have access to your site without you noticing, the more damage they can do.
So, be on the lookout and check out this list of signs that your WordPress site has been hacked:
- Unable to Login to WordPress Admin – If you’re unable to log into your WordPress admin, and you know it’s not because you forgot your password, it’s a sign that an intruder has gained access to your site and changed your login details.
- Website Slow or Unresponsive – If your website is taking longer than usual to load or it’s unresponsive, there’s a good possibility your website has been hacked. This can happen when a hacker adds a piece of code to your website, or during an attack known as a Denial of Service.
- Defaced Homepage – If your website homepage changes in appearance or displays a message from the hacker, it’s a clear sign you’ve been hacked.
- Sudden Drop in Traffic – Hackers can redirect traffic away from your website, so if you see a sudden, drastic dip in your website traffic, you may have been hacked.
- Unwanted Popups or Ads – If you see unwanted popups or ads on your website that you haven’t placed there, you’ve been hacked by intruders who’re trying to send your website traffic to a spammy or illegal website.
- Suspicious User Accounts – Seeing suspicious user accounts in WordPress is another sign you’ve been hacked. If your site has open registration and no spam protection, many spam accounts can be created, which is not a big deal. But if you don’t have open registration and you find suspicious user accounts with administrator privileges, it’s a sign you’ve been hacked.
- Unusual Activity in Server Logs – Server logs are simple text files that keep a log of the various activities that are taking place on your website. You can check these logs in your WordPress dashboard under Statistics. If you find unusual activity in your logs, it could be because you’ve been hacked.
If you don’t have a security plugin that will watch out for suspicious activity for you, you need to be vigilant when looking out for the signs of being hacked. The sooner you catch an intruder, the sooner you can make your website safe again.
Alternatively, you can use our Free WordPress Website Security Scanner to check your website for any known malware or website errors. Also, check out our article on best WordPress books including the books on security.
With our free tool that’s powered by Sucuri, all you have to do is enter the URL of your website and the tool instantly scans your site for any potential vulnerabilities. When the scanning is finished, you’ll get a complete report on the health and safety of your website.
What to Do if Your Site Has Been Hacked
If you see any of the signs above on your WordPress website, you’ll probably start to panic. If your website has never been hacked before, it’s hard to know what the next step you should take is. But don’t worry, you can get your website back.
The first step to fixing a hacked website is to identify the problem area. Use the criteria in the previous section to figure out where the hack is coming from. For instance, are you unable to login to the WordPress admin? Or is your site redirecting users to a different website? You’ll need to know what the problem is in order to fix it.
Next, contact your hosting company. Most hosting companies have experience in dealing with this type of situation, so they should be able to help guide you in fixing the issue. They may even be able to give you some extra information about how the hacker gained access to your site so you can prevent it from happening again in the future. Your hosting company should be able to help solve the issue altogether as well, but if not, you have other places you can turn to as well.
Now, if your hosting company can’t fix your hacked website, that doesn’t mean you’re all alone. You can turn to a service that offers to fix hacked websites like Sucuri, the plugin we mentioned earlier. Not only does Sucuri protect your website from potential attacks, but if your site gets hacked they can fix it too.
You can choose your pricing plan based on how fast you want their response time to be, the fastest guaranteed response time being 4 hours. Once your website is fixed, you’ll receive a full report. Follow our step-by-step tutorial: How to Repair a Hacked WordPress Site & Prevent Future Hacks
We hope this ultimate WordPress security guide helped you learn how to protect your website from all types of attackers and intruders. WordPress security doesn’t have to be difficult, just implement these tips and your site will be secure. If you enjoyed this article, check out our other post on How to Properly Upgrade WordPress.