WordPress security isn’t something to take lightly. WordPress usage is at 29% (at the time this article was written), and over 500 WordPress-based sites are added to W3Techs’ list of the top 10 million sites on a daily basis. As of this writing, the WPScan Vulnerability Database has cataloged over 10,000 vulnerabilities. What do these numbers mean for you? A lot if you power any of your sites with a self-hosted WordPress installation.
Hackers may be shady individuals, but they aren’t foolish. They know WordPress is the most popular content management system in the industry, and they’re opportunists. They know they have much better chances at achieving whatever goals they have planned when they target the CMS that claims 60% of the market share. As a result, WordPress is among the most, if not the most, hacked CMSs on the web.
WordPress vulnerabilities aren’t a sign that the CMS is weak or somehow natively insecure. The more popular a platform is, the more likely it is to be a target of bad actors. Security vulnerabilities can be found in all three code pillars of the CMS – the core files themselves, WordPress plugins, and also WordPress themes. Let’s take a look at a few WordPress hacking statistics so you can see where you need to focus your efforts when it comes to WordPress security. We’ll then go over several techniques you can use to secure your WordPress site.
- WordPress security overview
- Enhancing WordPress security through theme and plugin best practices
- Enhancing WordPress security with login security
- Amplify WordPress security with security plugins
- Miscellaneous ways to enhance WordPress security
- More ways to actively increase WordPress security
WordPress security overview
If you weren’t aware of how widely used WordPress is or that hackers tend to target the web’s most widely used applications, you may be wondering a few things right now. First, is WordPress secure at all, and second, how do you go about securing a WordPress website? Let’s touch base on both of these topics.
Is WordPress secure?
WordPress core is very secure, and the WordPress core team is quick to release a new version of WordPress to fix bugs and security holes when it isn’t. It’s older versions of WordPress and all of the other things (WordPress themes and plugins) you add to it that make it less secure. You’d think the importance of keeping your site up to date would be a given, but data published by W3Techs revealed a couple of troubling facts:
- Only 27.2% of websites are updated to Version 4 of WordPress.
- Of the 27.2% of websites that use Version 4, only 8% are up to date to the latest version of WordPress (4.9 at the time this article was written).
These numbers give WordPress a bad reputation for being easy to hack. Too many site owners use outdated versions of WordPress, and too many aren’t diligent enough about installing WordPress security updates in a timely manner. The most important thing you can do for your site is keep WordPress core up to date.
Take advantage of automatic core updates or consider switching to a managed WordPress host that updates your site for you if you find site management a difficult task to squeeze into your schedule. Use one of the following code snippets in your wp-config.php file if you want to enable automatic WordPress updates on your site:
define( 'WP_AUTO_UPDATE_CORE', true ); // Enables automatic major and minor updates. define( 'WP_AUTO_UPDATE_CORE', minor ); // Enables automatic minor updates only.
Consider enabling minor updates at the very least as these are more likely to feature security fixes. The good thing is that by default, every site usually has already automatic updates enabled for minor core releases and translation files.
How do WordPress sites get hacked?
The team behind the popular WordPress security plugin Wordfence conducted a survey in 2016. They were asking those who had their sites hacked if they discovered how their sites were hacked. 1,032 people took the survey, but 61.5% of that number did not know how their sites were hacked. Here are the statistics for the 38.5% of individuals who did discover how their sites were hacked:
- 55.9% of respondents said their sites were hacked through WordPress plugins.
- 16.1% of respondents said their sites were hacked through brute force attacks.
- Less than 10% of respondents said their sites were hacked through WordPress core.
- Smaller percentages of respondents said their sites were hacked through WordPress themes, poor hosting, incorrect file permissions and old files.
This may be a small amount of data, but it gives you insight into WordPress security. It says you can do a lot to secure your site by simply updating WordPress core, following safe theme and plugin protocols, and protecting your login page. You can do this in many ways, and that’s what we’re going to go over throughout the rest of this article.
Enhancing WordPress security through theme and plugin best practices
Securing WordPress isn’t rocket science. In fact, if you want to make your site more secure, follow three simple security protocols when it comes to WordPress themes and plugins. Let’s elaborate:
- Only download WordPress themes and plugins from trusted sources
- Keep your WordPress themes and plugins up to date
- Keep your WordPress theme and plugin libraries clean
Download from trusted sources only
Premium WordPress themes usually are not expensive. You typically need to spend at least $49 for a decent one, in addition to a domain name and hosting for your site. However, especially new WordPress users often tend to use free themes, but this can sometimes lead to problems. The biggest problem that may occur is poor security from faulty or malicious code. It’s recommended you only download free WordPress themes and plugins from the repositories at WordPress.org. These free WordPress themes at least have been checked for major issues and security vulnerabilities.
If you want to purchase a premium WordPress theme, you can choose from several marketplaces. However, many premium themes are available exclusively through developer websites. In these cases, look for reviews outside of the developer’s site, and check their social media profiles to ensure there are no serious complaints from customers.
Keep WordPress themes and plugins up to date
If you want to improve WordPress security, keep your themes and plugins up to date. You don’t need to update them as quickly as you do core updates, but you should at least install updates for them within a month of their releases. However, WordPress theme and plugin updates can possibly break your site if there are major changes. It’s recommended to test these updates in a controlled environment before installing them on your live site.
See if your host offers a staging feature, or use plugins like Duplicator or All-in-One WP Migration to install your site on a separate server (a different hosting account or a local server) and test the updates there. It’s recommended you set aside a day every week, every 2 weeks or every month (whatever you can manage) to test and install theme and plugin updates. That way you can ensure that you don’t introduce issues on your site through 3rd party updates.
Keep your WordPress theme and plugin libraries clean
This is a task you should consider adding to your maintenance schedule. After you’ve had your site for a while, you may find yourself with several unused WordPress themes and plugins. These can become security risks, especially if you aren’t keeping them up to date. You can avoid this by deleting unused items through your WordPress dashboard.
Go through your WordPress theme and plugin libraries every six months or so, and delete any theme or plugin you’re no longer using. It’s recommended you keep the most recent default WordPress theme (Twenty Sixteen, Twenty Seventeen, etc.) installed since deactivating your main theme is a common troubleshooting solution used when there’s an issue with your site that doesn’t have an obvious cause. Let’s move onto login security.
Enhancing WordPress security with login security
One entry point hackers use to insert malicious code or content on your site is your administrative account. Admin accounts come with full WordPress permissions, allowing the hacker to do anything they want. Fortunately, there’s a lot you can do to enhance your login security.
- Use unique usernames for admin accounts
- Enhancing WordPress password security
- Use two factor authentication
- Limit login attempts
- Disable login hints
- Protect WordPress login page
Use unique usernames for admin accounts
It’s fine if your editors, authors, contributors and subscribers use their own names for their accounts, but it’s not recommended for admin accounts. This is because it’s essentially telling a hacker what your username is. All they have to do is find a way to guess or reveal your password. You should use something unique but memorable as unsername instead. You should also definitely avoid using “admin” as your username.
Enhancing WordPress password security
All of your accounts should use strong passwords. A strong password uses a series of random uppercase letters, lowercase letters, numbers and symbols. The password should have more than 8 characters. If you need help generating a strong and unique password, use a password generator. It also would be recommended to change your admin account’s password several times throughout the year.
Use two factor authentication
Two factor authentication, also known as “two step authentication”, is a great way to keep hackers out even if they know your password. You may have heard of this security measure. You may even already use it on your Google account. The way it works is simple, but effective.
Instead of allowing you to sign in after you’ve entered your password, a code will be sent to your phone or email address. You must enter that code to access your account. It does this every time you want to log in, adding an extra layer of security to your site. You can enable two factor authentication on your WordPress site with a few simple plugins, including WordPress 2-Step Verification and Two Factor Authentication.
Limit login attempts
Wordfence’s hacking data revealed that the second largest point of entry for hackers was brute force attacks. A brute force attack is a trial-and-error method in which the hacker attempts to enter a series of passwords over and over again in hopes that one of them is correct. The hacker typically uses an automated application that generates these attempts. Brute force attacks are one of the reasons why you should always choose a secure password.
You can stop this type of attack in its tracks by limiting the number of login attempts users are able to perform before their IP address is blocked. WordPress security plugins like Sucuri and Wordfence include this security feature in their products, but you can also use a plugin called Limit Login Attempts. You should also consider adding a captcha to your login page. This keeps most bots from attempting to log into your site.
Disable login hints
When you attempt to log into a WordPress site and use the correct username but an incorrect password (or vice versa), you’ll get a message telling you the username is correct but the password isn’t. This can be an issue if a hacker actually finds out what your username or password is. You can change the message that displays with the following code snippet. You can replace the “Wrong! Try again.” text with anything you want:
function disable_wordpress_login_errors() { return 'Wrong! Try again.'; } add_filter( 'login_errors', 'disable_wordpress_login_errors' );
Protect WordPress login page
All WordPress sites use the same login URL slug by default. You can “hide” your login page by changing this slug with a simple plugin called WPS Hide Login.
Amplify WordPress security with security plugins
A decent way to enhance and even amplify WordPress security is to hand the task over to professionals. You can do this with a couple WordPress security plugins. We’ll be going over Wordfence and Sucuri in this section, but let’s talk about what security plugins have to offer first.
What security components do WordPress security plugins have to offer?
Security plugins offer a lot of advanced WordPress security components to your site, components you’d typically need a developer to implement. Here’s a simple list of these components:
- WordPress Firewall – You probably use a firewall on your computer to block hackers and malicious applications. A firewall for your website works in the same way. It blocks hackers and malicious code in their tracks. The firewall can even protect your site from brute force attacks and serve as DDoS attack mitigation.
- WordPress Security Scan – Again, you keep your PC safe with scans that detect malware in real time. Security scans for websites work in the same way. The firewall does everything it can to block malicious code from entering your site. The scan detects it when it does.
- Malware Removal – Can be automatic, but you typically need to pay a premium price for this.
- Limit Login Attempts – Protects your site from brute force attacks.
- Blocking – Block individual IP addresses automatically or block entire countries.
- Track Live Traffic – Some tools allow you to track live traffic. It breaks traffic reports into real visitors, intrusion attempts, Google crawl activity, bots and even login/out activity.
- Two Factor Authentication – Additional layer of security in addition to your username and password.
- File Repair – Repair of infected or malicious files on your website.
- Password Audits – This is helpful to ensure that you’ve chosen a strong and secure password.
- Spam Filter for Comments – Stop comment spam on your website with an effective spam filter.
- Security Alerts – Send alerts to your phone or inbox.
It’s better than nothing, right? The downside of security plugins is that because you’re relying on a 3rd party plugin, that plugin itself can be a source of vulnerability. However, you can mitigate the risk by keeping the plugin updated. It’s also recommended to take the time to conquer the learning curve and install/configure the plugin correctly the first time. Let’s take a look at some of the most popular security solutions you can use on your WordPress site.
Wordfence
Wordfence is a WordPress security service. Over 2 million WordPress sites actively use its plugin. Here are its main features, all of which are available in the free version: WordPress Firewall, Security Scan, Login Security Features, File Monitoring, Custom Security Alerts, Traffic and Hack Attempt Data.
Other features include the ability to repair WordPress core, theme and plugin files as well as two factor authentication. Wordfence also offers a site cleaning service to assist you if your site gets hacked and you’re unsure of how to clean things up outside of the plugin’s capabilities.
Sucuri
Sucuri isn’t exclusive to WordPress, but it does support it with a free WordPress plugin. It’s a popular solution for malware detection and removal. Here are the features its plugin offers: Site Activity Monitoring, File Monitoring, Security Scan, Security Alerts. Again, Sucuri is not a dedicated WordPress product. If you want advanced security features, such as a firewall or malware removal, you can pay for a premium account.
Other WordPress security plugins
There are a number of additional security options for WordPress. You can view a more complete list in our article on the best security plugins to use for WordPress.
Miscellaneous ways to enhance WordPress security
There are a number of additional techniques you can use to enhance WordPress security. They all fit into their own individual categories, so we’re going to go over them in this section.
- Hardening WordPress security with your hosting provider
- Change your site’s database prefix
- Use correct file permissions
- Limit user access
- Disable PHP error reporting
- Hide your wp-config.php file
Hardening WordPress security with your hosting provider
Secure WordPress hosting is a crucial component in the system that keeps your site clear of malware, bugs and security flaws. You can do everything you’re supposed to do to keep your WordPress installation secure, but all of that will mean nothing if your server isn’t secure. This is why it’s important for you to choose a quality hosting provider rather than going with whatever you can afford.
If you’re feeling overwhelmed by everything involved in WordPress security, consider choosing a managed WordPress host, as mentioned before. Aside from setting up strong usernames and passwords for admin accounts, these hosts handle security for you. Most won’t even allow you to install a plugin like Wordfence as it would simply interfere with their own security components.
Change your site’s database prefix
This one’s a bit of an advanced WordPress security trick. It involves accessing your site’s database and changing the database prefixes from “wp” to something less known. Hackers are experienced with WordPress. They know “wp” is the default database prefix the CMS uses. That means it’s a potential security vulnerability.
Changing the database prefix to something like “wp7xy” or something random creates one more hoop hackers need to jump through to successfully hack your site. Fortunately, many managed WordPress hosts don’t use “wp” as database prefix when they install WordPress for you. If you’re not sure, you’ll need to access your database through phpMyAdmin or contact your host for more information.
Use correct file permissions
This is another advanced WordPress security trick. WordPress files and folders have assigned permission codes you can use to change the way users are allowed to use them. The codes or file permissions you use determine whether you can read, write, modify or delete files and folders. Let’s make this simple:
- Never use 777
- WordPress file permissions – use 640 or 644
- WordPress folder permissions – use 755 or 750
- wp-config.php – use 600
Limit user access
Part of this post has been focused on keeping hackers out of your admin accounts, but what about the users you actively allow to create accounts on your site? You can do even more to protect it by limiting the number of users who have access to the backend of your site as well as limiting the level of access they have.
Only give full admin privileges to higher-ups in the company who are on the payroll. Everyone else should use the Editor user role and lower. If you want to enhance WordPress security by strengthening user roles, use a plugin like User Role Editor to control who has access to what. It’s also possible to only temporarily allow access to the WordPress dashboard. This is especially helpful if you’re working with guest authors or else.
Disable PHP error reporting
This is yet another advanced WordPress security trick. PHP error reports often include your server path, which gives hackers one less hoop to jump through to gain access to your site. Fortunately there are ways to avoid this potential security risk. Add the code snippet below to your wp-config.php file to disable PHP error reports. You can always delete this snippet whenever you need to enable PHP error reporting.
error_reporting(0); @ini_set('display_errors', 0);
Hide your wp-config.php file
Your WordPress installation contains many files that you wouldn’t want to give hackers access to. Your wp-config.php file isn’t one you need to access very often. Add this code snippet to your .htaccess file to hide this file from hackers:
<files wp-config.php> order allow,deny deny from all </files>
Many of the WordPress security issues and solutions mentioned throughout this article use a “set it and forget it” method. Let’s go over a few methods you can use to actively protect your site before and after attacks.
More ways to actively increase WordPress security
There’s a lot you can do to actively protect your WordPress site, but we’re going to focus on the following:
- Relying on services that detect and remove malware for you
- Creating regular backups of your WordPress site
- Using vulnerability scanners to secure your website
Using WordPress security services
When it comes to the removal of malware, Sucuri is definitely the service to use. Their premium Website Security Platform plans include automatic malware removal that fixes your site within six hours of it being infected. Wordfence also offers an extensive tutorial on how to use its plugin to clean your site if it gets hacked. If you want help removing malware, you can pay a fee. There’s a third service we haven’t mentioned, yet, and that’s SiteLock.
SiteLock offers a number of different security features and many of the same features you’ll find in the previous two services. It covers several security services, like malware scans, regular backups, DDoS mitigation, and spam removal and cleanup. SiteLock also offers automatic malware removal in its packages.
Creating regular backups of your WordPress site
Learning your site has been hacked is devastating. Learning a significant number of files were deleted along the way is heartbreaking. That’s why it’s important for you to create regular backups of your site and database in case a hacker pulls a double whammy on you. Many hosts create and store up to 30 days of backups for you, but you can also take matters into your own hands by using a backup service or plugin. Here some recommendations:
CodeGuard
A good option to choose for site security and backups is CodeGuard. Not only does this service create regular backups of your site, it monitors it on a daily basis and detects changes as they occur. This can alert you to unauthorized changes made by hackers. This is a great website security check to add to your site.
VaultPress
VaultPress is another backup service you can use to protect your site from WordPress security vulnerabilities. It creates automatic backups and stores them in a location separate from your server. It also offers automatic file repair and restore points for your site in the event that it’s hacked.
Using a WordPress vulnerability scanner
You may be wondering if your site is truly safe and secure. There’s so much that goes into WordPress security, and if you haven’t implemented any of the mentioned security plugins, how can you know if you’re safe? A WordPress vulnerability scanner may provide the answers. These scanners scan your site for malware and pinpoint flaws that may be leaving your site open to attacks. We recommend the following vulnerability scanners for WordPress:
Sucuri SiteCheck
Sucuri SiteCheck is a free security scanner you can use to test your site for vulnerabilities. It’ll tell you whether or not your site is infected with malware, if it’s been blacklisted anywhere, if it’s been injected with spam and even if its risk level. The SiteCheck can help you identify potential security threats – you can try and scan your website for free.
Final thoughts on securing WordPress sites
Finding the right security solution for your WordPress website can be a tough job. You may never know just how well you did the job, or how important it was to you and your site’s success. Hackers can be like skilled thiefs in the middle of the night. The unsuccessful intruders may leave no trace behind that they were ever there.
But that’s the nature of website security. You make it as strong as humanly possible, plus keep it well maintained, and hope that it will never be needed. However, not securing WordPress sites at all usually isn’t a good idea, especially not when you keep in mind that WordPress is a popular target for hackers. All in all, securing your site can be as simple as following this WordPress security checklist:
- Keep WordPress core up to date.
- Download and purchase WordPress themes and plugins from trusted sources only.
- Keep your WordPress themes and plugins up to date.
- Use unique usernames and strong passwords.
- Secure the login page with two factor authentication, limits on login attempts and captchas.
- Use security plugins and services to enable a firewall on your site and detect/remove malware.
This article on protecting your WordPress site listed more security techniques than this. However, these are the most important ones you should implement. Now, it’s your turn. Do you have any been there, done that advice for beginning or moderately experienced WordPress users who want to shore up security? What WordPress security methods did we miss, and which services do you prefer? Let us know in the comments below!