Security threats are not unique to WordPress.
Every platform, whether it’s private or open source, is under attack 24/7.
Fortunately, the WordPress community provides many solutions to make the job easier.
The following are a few key steps to take to protect a WordPress site from security threats.
How To Protect A WordPress Site
There are eight fundamental actions that all WordPress publishers should consider in order to mitigate malicious activities and vulnerabilities.
Following these best practices will help ensure that a WordPress site is ready to meet the onslaught of hackers that are probing websites every day:
- Use HTTPS.
- Don’t use the word “admin” as your admin username.
- Enforce the use of strong passwords.
- Update plugins and themes.
- Website backup plan.
- Minimize the use of plugins.
- Two-factor authentication.
- Install a WordPress Firewall and Vulnerability Scanner.
Let’s go over each of these in a little more detail.
1. Add HTTPS/SSL
By now, most sites are using HTTPS. But if your site is not using HTTPS, check with your web host about adding a free SSL certificate.
Just set the WordPress address and the site address using https://. This can be accomplished at the General Settings tab.
If the site is upgrading from an insecure to a secure state, then the Really Simple SSL plugin (used by over 5 million websites) is worth looking into, as it truly does simplify the conversion to HTTPS by handling redirects and other related tasks.
Really Simple SSL also helps mitigate security threats such as clickjacking and cross-site-forgery attacks by providing the option to add security headers.
These days, installing an SSL certificate is an easy task.
Many web hosts offer free SSL certificates – plus, it’s a known ranking factor at Google.
After converting to HTTPS, it’s a good idea to check that no pages request HTTP links or content.
Checking for mixed content is a must.
Mixed content is when insecure website assets (scripts, images, videos, etc.) are linked to from HTTPS pages.
Crawl your site with Missing Padlock to quickly identify instances of mixed content, and then fix the errors by linking to HTTPS assets.
2. Use A Secure Admin User Name
An overwhelming number of security attacks against the WordPress login screen are done with the username “Admin”.
There are two main kinds of attacks that try to crack the login password:
- Brute force.
- Dictionary attack.
The brute force attack is when automated hacking software tries guessing the admin password using different combinations of words, letters, and numbers.
A dictionary attack is when the hacking software uses common passwords to try to guess the admin login.
In many cases, the admin username these software use is “Admin”.
Not using the word “Admin” as a username is a simple step that will help secure a WordPress site.
To take that one step further, you can create a firewall rule with the Wordfence security plugin to automatically block any human or bot that tries to log in with the username Admin.
3. Enforce Strong Passwords
Don’t allow anyone, especially users with admin-level privileges, to create a password that isn’t strong.
Even users with low website privileges, like the subscriber level, can become an attack vector. So, it’s important to enforce strong passwords for everyone who can log into the WordPress site.
The popular iThemes Security WordPress plugin, with over 1 million users, offers login password strength enforcement, as well as two-factor authentication.
A password security policy that enforces strong passwords can also be enabled using the Wordfence WordPress security plugin.
4. Update Plugins And Themes
Sometimes, updates to plugins, themes, and the core WordPress installation itself are to fix (patch) vulnerabilities.
Failure to update the software can lead to the site becoming vulnerable.
Most updates work fine. On rare occasions, an update might change something in the software that begins clashing with another plugin or theme, causing the site to crash.
If that happens, it’s easy to roll back the site to a previous state if the site has been backed up.
The best way to update plugins and themes is to stage the site and check if the site functions as expected with the updated software.
But if you’re not staging the site, the second option is to back up the site and then update it.
Test the site to make sure everything works. If the site malfunctions, then roll it back with the backup.
The third option is to set all the plugins to auto-update, so you don’t have to think about it. If something breaks, roll it back to its previous state.
5. Backup Your WordPress Website
Backing up a website on a daily basis is critical.
There are many things that can go wrong, and a backup will save the day when something catastrophic happens to the site.
UpdraftPlus WordPress Backup Plugin, with over 3 million users, is a popular and trusted solution.
It has saved me on the occasion of a website redesign that didn’t go so well, allowing me to easily restore the site to a previous version.
Another popular solution is called WP Rollback.
WP Rollback has over 200,000 installations, and the developers are trusted WordPress experts.
It works well with themes and plugins that are downloaded from the WordPress repository.
6. Minimize The Use Of Plugins
Every plugin that is installed increases the chance that one of them will expose the site to a vulnerability.
Aside from security reasons, using too many plugins can impact site performance and increase the chance that the code between two or more plugins will conflict and crash the site.
Plan ahead and choose the plugins you need to accomplish specific tasks.
Some plugins can perform multiple tasks, eliminating the need to install standalone plugins for individual functions.
7. Implement Two-Factor Authentication
Two-factor authentication requires two forms of identification to log into a WordPress site with this feature turned on.
The first factor is the username and password.
The second factor is a form of authentication, usually through an app like Authy or Google Authenticator on the user’s cell phone.
So, even if a hacker gains access to the username and password, they won’t be able to log in without the second authentication.
There are many WordPress plugins to add this feature, including:
WP 2FA
WP 2FA is a popular choice for adding two-factor authentication.
It supports multiple two-factor authentication methods, including Google Authenticator, Authy, email link, email OTP, and push notification.
Additional methods such as voice and WhatsApp authentication are available with the Pro version.
Wordfence Login Security
Wordfence is a trustworthy brand. Its standalone two-factor authentication plugin supports Authenticator, Authy, 1Password, and FreeOTP.
Additionally, security plugins like Wordfence and iThemes Security also offer options for turning on two-factor authentication.
8. Install A WordPress Security Plugin
Security plugins are useful because they can close up any security holes and block hackers from exploiting vulnerabilities.
There are two kinds of WordPress security plugins:
- Security hardening and scanning.
- Firewall.
Here are some tools I would recommend.
Sucuri Security
Sucuri is a trusted choice for a security plugin. It is owned by GoDaddy.
Sucuri scans a site for malware and offers options for hardening the site against exploits.
The paid version includes a firewall.
Jetpack Protect
Jetpack Protect performs a daily malware scan of the WordPress core, plugins, and themes.
This free plugin is relatively new – it was spun off into a standalone plugin in 2022.
Wordfence Security – Firewall, Malware Scan, And Login Security
Wordfence is a popular choice for WordPress security, with over 4 million active installations.
Wordfence acts as a firewall to protect a website against hacking attacks and can ban automated hacking bots and actual hackers in real-time if the activity fits the pattern of a hacker.
Users can configure the Wordfence firewall with rules to block hackers immediately.
Wordfence also helps to harden a site against hacking by providing two-factor authentication and disabling PHP execution in folders where PHP should not run.
Another benefit of Wordfence is that the plugin sends email reminders when a plugin needs an update.
The paid version of Wordfence receives firewall rules to protect against the newest exploits as soon as Wordfence knows about them.
iThemes Security
iThemes Security is an all-in-one plugin that scans and hardens a website while blocking bad bots as a firewall. There are over a million active installations.
iThemes handles many security-related activities, making it a popular choice for those who prefer a single plugin to manage everything.
Take Additional WordPress Security Steps
These are the additional steps for creating a strong security posture:
Check Your PHP Version
PHP is the software that WordPress runs on.
Outdated PHP versions can expose a site to security vulnerabilities.
Ensure the PHP version used has not reached end-of-life status (EOL).
Scan For Online Vulnerabilities
Here are three online tools that scan for vulnerabilities or indicate if a site has been hacked:
- Sucuri Malware and Security Checker: Scans a website to check for vulnerabilities.
- Google Safe Browsing Site Status: Shows if Google has encountered a vulnerability on a website.
- JavaScript Vulnerability Scanner: Tests if a site is using vulnerable JavaScript.
The Future Of WordPress Security
Hackers are attacking all sites, regardless of what content management system (CMS) is used.
WordPress is the most popular CMS in the world, which makes it a frequent target of hackers.
Fortunately, WordPress has a massive community working to keep it secure, which is an advantage that other platforms do not have.
All WordPress website owners should consider taking the time to ensure that measures are in place to keep their WordPress sites fully secure.
More resources:
- Advisories To Increase Website Security After Russian Attack
- 7 Tips To Keep Pop-Ups From Harming Your SEO
- HTTP or HTTPS? Why You Need a Secure Site
Featured image: Shutterstock/fizkes
