This guide will help you to keep your website or blog safe and ensure your WordPress security is well optimized.
WordPress is the most popular content management system for websites and blogs. While this comes with many benefits, like better support and a wide range of themes and plugins to choose from, it can also lead to a few issues.
The biggest is that as a result of being so popular it has become a bigger target for hackers.
Have you already been hacked? If so head over to our guide on how to fix a hacked WordPress website and remove malware.
Did you know Google blacklists more than 10,000 websites each and every day for having malware on their sites and around 50,000 per week for phishing?
As you can imagine with WordPress powering as much as 34% of the internet, that means hackers invest a lot of energy on one piece of software – WordPress!
The more shocking statistic is that in 2018 and 2019 it has been reported that 70-90% of all hacked sites used WordPress!
These hackers are obviously spending a lot of time and resources trying to find backdoors and poor code they can exploit to gain access to WordPress websites. They can also create bots to sniff around the web looking for sites that have a specific vulnerability.
It could be an issue in an old version of WordPress, in which case the bot looks only for websites using the version it knows has backdoors to exploit. It could also be an issue in a theme or outdated plugin, in which case it will look for sites running those 3rd party extensions.
These bots are sophisticated enough to not only find websites with a backdoor but can also run the scripts and functions required to break in and then fill your website with malware and other malicious code.
I have even seen malware that actively updates all of your plugins to ensure the website it has infected remains 100% functional so that the owner doesn’t notice anything and the hacker still gets whatever they want, whether it’s spam pages, redirects or hidden backlinks.
Over the last few years, I have helped lots of WordPress site owners with cleaning their hacked sites, malware removal and then making sure they are secure moving forward so they don’t end up being hacked again.
Don’t worry, this doesn’t have to be a difficult or scary process. I have helped hundreds of beginners harden their WordPress installs and most find it pretty straightforward.
You just have to follow the steps.
Why it’s Important to Keep Your WordPress Site Secure
If your website is infected with malware it can be very harmful to your business.
In some cases you will get an email notification from Google to let you know your website contains malware and needs to be cleaned. They will also blacklist your website from Google’s search results pages until they can rescan your site and verify it’s clean.
If this happens to you then you could miss out on a lot of traffic and worse still, you might not recover the search rankings you once had because your domain is not as trustworthy as it was before.
When this happens you must first remove the problem and then request a review from Google to get reindexed.
In some cases Google won’t even detect the malware. Meanwhile, your traffic might be getting hijacked.
I have seen local hairdressers with websites ranking for X-rated content and viagra with lots of impressions and traffic showing in Google Search Console. In this case, the hackers were likely trying to rank pages on the owner’s website and then point people to their own web properties to try and sell something.
In this case, it was porn and viagra, hardly something you want your brand to be associated with unless of course, you’re in that business.
It took this client several months to properly recover as this issue had been going on for some time and they had attempted to clean the viruses and malware only to end up reinfected.
If your website contains sensitive customer or user data and you have a breach then you will likely have to notify the authorities and your users within 72 hours, as is the case for businesses in the EU.
This can hurt your reputation and will surely be embarrassing.
As a business, you have a responsibility to protect your users’ data and abide by the laws in your place of business in terms of what to do after you have been hacked as this differs from place to place.
How to Secure Your WordPress Website
Here are the steps you should take if you want to secure your WordPress site and not get hacked.
If you would prefer to have somebody else optimize the security of your WordPress website then get in touch with us and ask about our WP site care maintenance service which includes the security recommendations made in this article.
Install Wordfence – The Best WordPress Security Plugin
The first thing I recommend you do when setting up a new WordPress website or if you have an existing instance is to install the Wordfence plugin which is free and can be found on the WordPress plugin repository.
Wordfence gives you a suite of security tools for WordPress, the main two are the firewall feature and the security scan tool.
If you are just setting up your website you might want to keep it turned off until your website goes live or at least put the firewall in learning mode so it doesn’t prevent you from completing certain actions in the WordPress dashboard.
It can occasionally display some false-positives where changes could be malicious but if you are making changes to plugins then it’s not an issue.
Once the plugin is installed and active it will help you to make sure your WordPress settings are configured to be as secure as possible.
Wordfence continues to improve and add new features to help you stay up to date with the latest threats and WordPress vulnerabilities.
You will get an email when any issues are detected on your website and an email when a new and major WordPress vulnerability or zero-day has been discovered so you can act quickly to ensure you aren’t affected.
There are other WordPress Security plugins you can use as alternatives to Wordfence like Sucuri Security and iThemes Security (formerly Better WP Security) but I have found Wordfence to be the most intuitive of the three when I last tested them all.
All three of these plugins offer a free version and a premium upgrade with additional pro features.
You only really need one WordPress security plugin so I’m sticking with Wordfence for now and currently satisfied with the free plan.
Run a WordPress Security Scan
If you have an existing WordPress site, once you have installed Wordfence you will want to run a scan on your site from the plugin settings so you can be sure your website is clean and doesn’t contain any malware or issues that could lead to your site getting infected.
The scan is pretty thorough and looks through your entire file directory and will notify you of any unusual files or edits to files in all of your WordPress directories.
It will also notify you of themes and plugins that are out of date or if they have been abandoned and make other recommendations on how to change your security settings.
If Wordfence finds any issues, follow the advice given and rectify them to ensure your site is as secure as possible.
The next thing to do with Wordfence is to activate the firewall. In some cases you may want to keep it in learning mode, this allows Wordfence to record actions you are taking inside the dashboard like saving specific theme settings so it doesn’t inadvertently block you.
You can turn the firewall on and then if you hit any issues saving anything you can go back to the firewall settings, put it in learning mode, make your changes and then put it back into full protection mode again.
It should record the action you made and avoid blocking you in the future.
The firewall requires you to follow some steps when configuring it and you will need to download a backup of your .htaccess file so you can restore it if you run into any issues.
That should be all you need to do and you will have Wordfence protecting you from bad actors and IPs that are on the blacklist. It will also block people who repeatedly try to log in or perform other suspicious actions on your site.
Having a firewall is a WordPress security 101 essential, so make sure you don’t skip this step or forget to turn it on.
Use Secure Passwords
Please, PLEASE use a secure password for your WordPress accounts.
The ideal password is long, unique (not a password you use elsewhere), features uppercase and lowercase letters of the alphabet and special characters like @ #, etc.
If you use Google Chrome then you can let Google suggest passwords or allow WordPress to create a strong password for you.
When you have your Google Chrome connected to your Google account then you can save your passwords and it will remember them across all of your devices where you are logged in.
The bottom line is, don’t worry about remembering your password, you shouldn’t have to.
You could also use another password manager system like LastPass if you prefer.
Change the Default Username
Using the default “admin” username on WordPress reduces your security as bots will test different passwords and this username first when attempting to login to your site via brute force.
Here are some examples of usernames you should avoid:
You might also want to consider using a different email address to the one publicly available and visible on your website as this email address is the equivalent of your WordPress username and can also be used to login to your site. So either avoid publishing a publicly visible email address on your site and contact page or create a unique email address in your CPanel.
As WordPress doesn’t allow you to easily change usernames you will need to do this by going to PHPMyAdmin via your hosting CPanel. Make sure to take a backup of your database first and then find the wp_users table.
You could also use a plugin to change the username with Username Changer or create a new user and delete your old user making sure to assign all content you have created over to the new account.
If you are giving other people access to your WordPress website so they can add and edit content then you want to make sure you are using the appropriate user permissions. In this case, you likely want to use “contributor” or “author” and in some cases, you may go for “editor” if you trust them and they know what they are doing.
Don’t make everyone an admin by default, it’s highly unlikely they will all need this level unless they are your developer or a business partner.
If your WordPress install is set to allow new people to register the default option should be “subscriber” which gives them very limited access.
Make sure this remains at that level or consider turning the option off altogether if you don’t want users creating their own accounts on your site if it serves no meaningful purpose anyway, which is in most cases.
I have seen a hacked site before where the default option had been changed to “administrator”. This meant that even after cleaning up the site and removing any malicious files, they could essentially just create a new account through the normal process and become an admin again, allowing them to take control of the WordPress dashboard.
This is always something I check when performing a WordPress security audit to make sure it’s set appropriately or turned off entirely.
Only Use Trusted Plugins
There are tens of thousands of WordPress plugins you can download from the WordPress plugin repository and even more that you can download from third-party sources but this only goes to increase the attack surface area for hackers.
When you are looking for a new plugin you want to always check that the plugin passes the following test:
- Positive Reviews
- Updated fairly recently / Not abandoned
- No history of hacks and vulnerabilities (Ideally)
As you can see in the above screenshot it’s easy to see the version of the plugin to make sure it’s not brand new, when it was last updated, which versions of WordPress it has been tested with and you can look at the reviews to see how many other people can vouch for this plugin.
You can also Google search the plugin name followed by the word “hack” or “malware” to see if anything comes up.
The more plugins you have installed the more opportunity there is for a vulnerability to creep in and for hackers to exploit it, so it’s also good to use as few plugins as you can.
It should go without saying that if you download cracked WordPress plugins from third-party websites to avoid paying the premium prices there’s a much higher chance of you finding yourself with malware on your site.
You can take all of the WordPress security steps in this list but if you pick plugins with major issues then you are asking for trouble.
Keep Plugins Updated
One of the number one ways hackers get into WordPress websites is through vulnerabilities in WordPress plugins that have already been patched and fixed. The problem? Not everybody has updated to the latest version and these bots that go around sniffing for sites using this plugin are smart enough to detect the version that’s in use too.
If you followed the step of installing Wordfence and made sure to use your main email address when registering, you will get an email notice when Wordfence scans your site if it finds a plugin is out of date.
So you want to exercise a good update and maintenance process for your WordPress site. If you can’t update them as and when you get a notification, perhaps batch process it once a week or once a fortnight.
The same goes for your WordPress Themes. I tend to advise deleting all but 1 backup theme so you don’t have to constantly keep components updated that you are unlikely to ever need.
So, remove any unnecessary inactive themes and plugins but just keep one backup theme for testing.
Keep WordPress Updated
As with WordPress plugins, occasionally but less often, WordPress core has a vulnerability that gets discovered and this can provide the backdoor necessary for attackers to take over your site or inject their own backlinks, redirects, and malware.
Update PHP Version and MySQL
WordPress websites run on PHP, and your server will have a certain PHP version assigned to it. You want to make sure you are running a 7.x version, ideally the latest, which is 7.3.
Can you believe only 38.5% of WordPress sites use the latest versions of PHP? See the chart below, what’s even scarier is that the 5.x chain that most people use has reached its end of life and is no longer receiving any updates, not even security patches. This means if you are running your site on version 5 of PHP your site is at an increased risk of infection.
Go into your CPanel and you can upgrade your PHP version yourself with most hosts. If however, you aren’t comfortable doing that, contact your host and request they upgrade your server to the latest stable version which as of writing this is 7.3.
The bonus here is that newer versions of PHP have been optimized for more than just security and will also give you a nice speed and performance boost at the same time.
Set Secure File Permissions
All of the files on your server need to have the correct permissions to ensure they can’t be edited and changed by hackers.
If you connect to your server via FTP or in File Manager then you can right-click on any file or folder and go to properties or file permissions and you will see a number that represents the permissions levels.
These can be set on a per-file and per-folder basis or in batch but it’s important that they are set to as secure as possible.
Below are the file permissions you should have for your WordPress install.
- wp-content – 755
- wp-includes – 755
- All .php files – 644
- All folders – 755
- wp-config.php (public_html folder) – 400
- index.php (public_html folder) – 444
The wp-config.php file is the most sensitive because it can allow a hacker to take over your website so this is why you want your file permissions to be more strict here and set to 400 while all other PHP files aside from this and index.php should be 644.
If your website has been hacked or repeatedly hacked then it might be a permissions related issue that’s allowing them to easily regain access.
You can learn more about how WordPress file permissions work here.
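The permission table above can be checked mechanically. The following shell functions are an added example, not part of the original guide: `audit_wp_perms` walks a WordPress root and reports every folder or .php file whose mode differs from the table, and `build_sample_tree` creates a constructed test tree with two deliberate deviations. All function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): compare a WordPress tree
# with the permission table above and list every deviation.

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Mode the guide's table asks for. $1 = WordPress root, $2 = path.
expected_mode() {
    if [ -d "$2" ]; then
        echo 755                       # all folders
    elif [ "$2" = "$1/wp-config.php" ]; then
        echo 400                       # holds the database credentials
    elif [ "$2" = "$1/index.php" ]; then
        echo 444
    else
        echo 644                       # every other .php file
    fi
}

# Print "relative/path current expected" per deviation; return 1 if any.
# Paths containing newlines are not supported.
audit_wp_perms() {
    wp_root=${1%/}
    report=$(
        find "$wp_root" \( -type d -o -type f -name '*.php' \) -print |
        while IFS= read -r p; do
            want=$(expected_mode "$wp_root" "$p")
            have=$(file_mode "$p")
            rel=${p#"$wp_root"/}
            [ "$have" = "$want" ] || printf '%s %s %s\n' "$rel" "$have" "$want"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree with two deliberate deviations, for trying the audit.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    : > "$t/wp-includes/version.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-includes"
    chmod 777 "$t/wp-content/uploads"       # deviation: table says 755
    chmod 644 "$t/wp-includes/version.php"
    chmod 644 "$t/wp-config.php"            # deviation: table says 400
    chmod 444 "$t/index.php"
    echo "$t"
}
```

Run it as `audit_wp_perms /path/to/public_html`. Mode 400 on wp-config.php only works when PHP runs as the user that owns the file, so confirm the site still loads after tightening it.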
If you have a good backup system you can rest a lot easier knowing you can always restore your website to a previous and healthy state. Most good web hosts offer a daily backup system which is usually sufficient.
I also recommend taking a manual backup before and after you perform website updates and maintenance in case any issues are introduced as a result of these changes.
Check your hosting account’s CPanel to see if you have a backup facility installed. This will differ from host to host, with Siteground the backup feature is available via CPanel, with WPEngine they have their own proprietary dashboard for backups.
If your hosting provider doesn’t offer free backups then consider upgrading or moving to a host that does.
A free option I can recommend that I sometimes use as a backup-backup is Updraft Plus Backups which can be installed from the WordPress Dashboard by going to Plugins and Add New.
This plugin lives inside your WordPress install and allows you to take backups from there which you can keep on your server, download or have them upload to DropBox or Google Drive.
This is a good plugin for using before and after doing updates to your plugins so you can ensure everything is working as expected and easily restore it to the previous state with a few clicks and without having to venture over to CPanel.
See our full guide to taking WordPress backups so you are aware of the available options and methods for restoring your site.
Use a Reliable WordPress Hosting Provider
This point can’t be stressed enough, it’s essential you use a web host that takes the security of its servers seriously. Over the years I have had nightmares with clients who have been on GoDaddy shared servers and been infected with malware.
On both GoDaddy and Bluehost, I have heard horror stories from people who have had issues and then been forced to sign up for an additional “security protection” product that costs hundreds when the truth is, security should be included with any professional hosting company.
Just take a look at what I found when I did a quick search for “WordPress hacked” on Facebook…
A good hosting company should take website security seriously and:
- Continuously monitor the network for any suspicious activity.
- Have tools available to prevent large scale DDOS attack campaigns.
- Ensure that all server software and hardware is up to date and maintained to prevent hackers exploiting vulnerabilities in that area.
- Have a system in place for disaster recovery, data protection and a way to restore your website back to its previous working state.
Oh, and did I mention without charging you hundreds each time for the privilege.
Ultimately on shared-hosting, you are always open to cross-contamination from other websites being hacked that share the same server resources because they might not be taking security and maintenance as seriously as you.
Siteground is a more affordable starting point but WPEngine offers some more useful tools and has the best WordPress support I have ever experienced. Both are a LOT better than any of the other hosting companies you hear being recommended.
Siteground and WPEngine offer additional WordPress managed features like auto-updates for plugins and themes when something critical needs to be updated.
WPEngine takes speed and security so seriously they even have an ongoing list of banned plugins you aren’t allowed to use while hosting with them, this list even included Wordfence but fortunately that’s only because it duplicates security features already included with WPEngine’s server-side tools.
Wordfence works fine with Siteground and most of the other hosting companies out there.
Bottom line, if you want a managed WordPress hosting option, go for WPEngine.
With Siteground I would advise you go for their Web Hosting over Managed WordPress option and opt for their Grow Big package until you need to upgrade to Go Geek for even better performance and more CPU.
If I ever have an issue with the above two hosting providers then I will update this.
Make Sure Your Computer is Clean
You can take all of the security precautions in the world but if you have a keylogger installed on your computer then it will all be in vain as the hacker that planted it on your PC will easily be able to see your new passwords even if you change them and use a firewall.
So make sure you take good care of the computer you use and have some sort of protection in place.
Personally I mostly use Windows, and Windows Defender is a good enough form of protection provided you are taking safety precautions. But nothing can help you if you visit dodgy websites like streaming websites and other less tasteful video content, because if you do then there’s a high chance you have malware, adware or some type of malicious files on your computer.
Hackers can even install Bitcoin and cryptocurrency mining software on your PC and collect the earnings remotely. Imagine what happens when someone has hijacked hundreds or even thousands of computers to do this process en masse.
If you use a Mac you might be a little safer but don’t think having a Mac means you are impervious to viruses and hackers. It’s 2021 and this is what they do for a profession, all day, every day and the Mac OS has been a growing target for years.
Manage Your DNS with Cloudflare
Another way to add another layer of security to your website is to use Cloudflare CDN. This means pointing your domain nameservers to your free Cloudflare account and managing your DNS from there.
When you do this you benefit in lots of ways.
In terms of security, you benefit from
- Unmetered mitigation of DDoS attacks – A great way to prevent brute force attacks.
- Global Content Delivery Network (CDN) – Meaning your website will still be available even if it did go down for any reason.
- Shared SSL certificates – Easy to install SSL and free so you can serve your website over https.
Cloudflare can also help you speed up your WordPress website with its caching and Railgun features so it’s a win-win.
It will even serve your website when your server is down to prevent you from missing out on any previous visitors.
I manage all of my domain DNS settings through Cloudflare.
If you do opt for the pro plan from Cloudflare then you can also use their WAF (Web Application Firewall).
Use HTTPS / SSL Certificate
In 2021 you really should be using an SSL certificate and forcing your website to load over https only. This means all http URLs redirect to https to force a secure connection.
Any connection from a visitor to a website over https is encrypted and this prevents any data leakage happening that could result in sensitive information like passwords being discovered.
An encrypted connection secures the data being sent via any contact forms on your website which is now a requirement in the EU as part of the GDPR regulations that came into effect in 2018.
As you can see in the above, the Not Secure notice is far from ideal when you want customers to trust your business and website.
You can use the Really Simple SSL plugin once you have your SSL certificate so you can force https only connections.
If you have any issues with mixed content causing your https security to fail you can solve that with the Mixed Content Fixer plugin and/or by manually changing any http links in your content to https.
reCAPTCHA is a free service provided by Google that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep automated software from engaging in abusive activities on your site.
It does this while letting your valid users pass through with ease.
While ReCAPTCHA won’t protect your website from being hacked, it can be used to prevent bots from emailing you spam which could, in turn, lead to you downloading something malicious on your laptop that results in an even worse situation.
You can apply ReCAPTCHA to your WordPress login page, your contact form and your comments form to ensure no bots are getting through.
Optional & More Extreme Website Security Measures
If you have completed all of the above steps then your WordPress site should be pretty damn secure but if you want to harden it, even more, you can consider these ideas.
Blocking Certain Countries
Let’s say you are a company in the USA and you only work with local or regional customers and you are getting a lot of bot traffic and login attempts from China and Russia. Well, you could say “this traffic is useless to your business at the best of times” and just outright block these two regions from being able to access your website.
The benefits of this can also include reducing your CPU usage and speeding up your website. If your server doesn’t have to concern itself with 100s of bot visitors anymore it can save resources for the visitors that do matter.
This process isn’t too difficult. All you need to do is add the country blocking code and IP addresses to your .htaccess file in the root of your website’s file manager or via an FTP client if you prefer.
You can go to ip2location.com to download the IP lists for any countries you want and then copy and paste them over to your .htaccess file.
You will want to select Apache and the Deny option to block visitors from these countries when downloading the IP lists from the above website.
It should be formatted something like the below example.
Deny from 188.8.131.52
Deny from 184.108.40.206
Deny from 220.127.116.11
If you use Cloudflare on an Enterprise plan then you can block entire countries from there instead, but I personally use the free Cloudflare service.
Change WordPress Database Prefix
By default, most auto-installs of WordPress use the database prefix of wp_ which makes it easier for hackers to guess your table names.
Some hosts like WPEngine automatically generate a random 2 or 3 letter prefix instead to ensure this isn’t an issue.
This is a more advanced step and I would advise proceeding only if you feel comfortable.
First, take a full backup (always take backups).
Then go to edit your wp-config.php file (in your WordPress root folder) and look for the line that says
and see if it uses wp_
If it does, change it to something unique like
$table_prefix = 'wpx34x_';
Make sure it’s unique, don’t just use my example of wpx34x_.
Next, you want to go to CPanel and then PHPMyAdmin.
Open the database that’s connected to your website and matches the database_name in your wp-config.php file.
There should be 11 tables to edit, you can easily edit them one by one by clicking on the edit button for each, adding your new prefix and saving or you can use the below SQL Query.
-- Table names are quoted with backticks; wpx34x_ is the example prefix from wp-config.php above.
RENAME TABLE `wp_commentmeta` TO `wpx34x_commentmeta`;
RENAME TABLE `wp_comments` TO `wpx34x_comments`;
RENAME TABLE `wp_links` TO `wpx34x_links`;
RENAME TABLE `wp_options` TO `wpx34x_options`;
RENAME TABLE `wp_postmeta` TO `wpx34x_postmeta`;
RENAME TABLE `wp_posts` TO `wpx34x_posts`;
RENAME TABLE `wp_terms` TO `wpx34x_terms`;
RENAME TABLE `wp_termmeta` TO `wpx34x_termmeta`;
RENAME TABLE `wp_term_relationships` TO `wpx34x_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wpx34x_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wpx34x_usermeta`;
RENAME TABLE `wp_users` TO `wpx34x_users`;
You paste the above to the SQL tab and click the Go button in the bottom right, of course making sure to change the above wpx34x_ to whatever you chose to use in your wp-config.php file in step 1.
Once complete check your website to make sure it’s loading, this will confirm the change in wp-config and the change to your MySQL database match up.
Everything should be complete.
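The following shell function is an added example, not part of the original guide. It prints the rename statements for any prefix you choose and goes one step beyond the steps above: WordPress core also stores the prefix inside the `user_roles` option name and several usermeta keys, and if those rows keep the old prefix, existing users lose their roles after the tables are renamed. The function name `gen_prefix_sql` is an assumption made for this example, and the key list covers WordPress core only (plugins may store further prefixed keys).

```shell
#!/bin/sh
# Added example (not from the original guide): print the SQL that moves a
# single-site WordPress database from one table prefix to another.
# Usage: gen_prefix_sql wp_ wpx34x_ > rename-prefix.sql

gen_prefix_sql() {
    old=$1
    new=$2
    if [ -z "$old" ] || [ -z "$new" ] || [ "$old" = "$new" ]; then
        echo "usage: gen_prefix_sql OLD_PREFIX NEW_PREFIX" >&2
        return 2
    fi
    # Only letters, digits and underscore, so the values are safe to place
    # inside identifiers and string literals without further escaping.
    case $old$new in
        *[!A-Za-z0-9_]*)
            echo "prefixes may contain only letters, digits and _" >&2
            return 2 ;;
    esac

    # The core tables renamed in the guide's query.
    for t in commentmeta comments links options postmeta posts terms \
             termmeta term_relationships term_taxonomy usermeta users; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done

    # Row keys that embed the prefix: the role definitions in the options
    # table and the per-user capability and settings keys in usermeta.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    for k in capabilities user_level user-settings user-settings-time \
             dashboard_quick_press_last_post_id; do
        printf "UPDATE \`%susermeta\` SET meta_key = '%s%s' WHERE meta_key = '%s%s';\n" \
            "$new" "$new" "$k" "$old" "$k"
    done
}
```

Review the generated file, take the backup described above, then paste it into the SQL tab in PHPMyAdmin.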
Password Protect Directories
If you want to add an additional layer of security to your login page you can also set up a password-protected directory via CPanel.
Go to your CPanel dashboard and under the security section you will see “Password Protected Directories”. Click on that and let it open on your root folder.
Once the page loads select the folder for wp-admin.
Then you check the checkbox to password protect this directory, give the protection a name like “Login Page” and create a username and secure password.
This will then show a pop-up login dialogue when anyone accesses your website’s /wp-admin folder URLs.
Disable File Editing
WordPress features a file editing tool accessible via the dashboard under Appearance > Theme Editor and Plugins > Plugin Editor, but even professional WordPress developers like myself don’t touch that.
This is for two reasons.
- There aren’t many core files you want to edit in the first place.
- If we do want to edit anything it’s far better to keep edits to your child theme folder only and use an FTP program like Filezilla or WinSCP and a code editor like NotePad++ to properly edit code.
Now, if a hacker can get into your WordPress dashboard they can use this to hijack your site and install malicious code and files. They don’t even need FTP or CPanel access as long as this feature is available.
To turn it off, go to your wp-config.php file in the root folder that contains all of your WordPress files and add the following lines of code and hit save.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Then check WordPress to make sure it has worked and the file editor has now gone.
Disable Directory Indexing
Most hosts seem to do this by default these days in the global config but you might want to check if yourdomain.com/wp-content/plugins/ allows you to browse the contents of the directory from your browser.
This, of course, gives hackers a list of the plugins you are running and will allow them to check which versions you have so they can check if any of them contain known vulnerabilities.
If you find yours is visible it might be best to contact your host or you can add the line
Options -Indexes
in your .htaccess file right above the line that says “# END WordPress”
Limit Login Attempts
WordPress allows users an unlimited number of attempts when logging in, which means with no protection at all a bot can run 100s or even 1000s of different passwords once it knows what your username is.
Wordfence will automatically block users after a certain number of attempts and block their IP address if the WAF (firewall) is running.
There are alternative plugins specifically to limit the login attempts to a specific number like Login Lockdown.
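To see whether repeated login attempts are already hitting a site, the web server's access log can be summarised per IP address. This is an added example, not part of the original guide: it assumes the Apache/Nginx combined log format and treats a POST to /wp-login.php answered with status 200 as a failed attempt (a successful login normally answers with a 302 redirect). The function names and the log lines in `sample_log` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): list IP addresses with at
# least N failed-looking WordPress login attempts in an access log.
# Usage: count_login_failures 20 < /path/to/access.log

count_login_failures() {
    awk -v min="$1" '
        # combined log format: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1     # busiest address first
}

# Constructed log lines using documentation-only IP ranges.
sample_log() {
    # One address posting to the login form five times in five seconds.
    for s in 01 02 03 04 05; do
        printf '203.0.113.7 - - [10/Mar/2021:04:12:%s +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "-"\n' "$s"
    done
    # A real user: one typo (200), then a successful login (302), plus a page view.
    cat <<'EOF'
198.51.100.20 - - [10/Mar/2021:09:30:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:09:30:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2021:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
EOF
}
```

Addresses that show up here with high counts are the ones a login limiter or the Wordfence firewall should already be blocking.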
Use 2FA / Two-Factor Authentication
You can make your WordPress login page even more secure by adding two-factor authentication.
If you aren’t already familiar, 2FA allows you to connect a web service to a 2FA app like Google Authenticator so that every time you log in you must have access to the device where your 2FA app is installed.
It’s similar to how a lot of banking apps on phones generate security codes these days that expire but for other accounts.
This can be an annoyance to some but it really does add a lot of security as it’s impossible to guess or fake your 2FA key.
2FA creates a 6 digit code for each service you use which expires every 30 or 60 seconds.
You will log in with your username and password and then enter the 6 digit authenticator key before clicking login.
Google Authenticator is popular but if you lose your phone with the authenticator installed then you are in trouble and will lose access to your accounts.
An alternative called Authy allows you to backup your account so you can retrieve it on another device later.
You can use the Two Factor Authentication on the WordPress plugin repository to set up 2FA with your WordPress site.
WordPress Security Final Thoughts
The above is everything you need to know about securing a WordPress website and making sure it takes significant resources to penetrate which in most cases will deter hackers and make them move onto the next target.
If you take all of the above steps you will protect your website, your business, your reputation and likely benefit from improved page speeds as a bonus.
Remember website security is also important for SEO reasons so it should be a priority to ensure everything is secure for a handful of reasons.
WordPress has its strengths and its weaknesses but with a bit of work, even the biggest weaknesses can be rectified.
If you are interested in having your WordPress maintenance and security taken care of for you then feel free to contact us to find out how we can help with our comprehensive WordPress maintenance service.
Want to learn how to fix a hacked WordPress website? Check our guide on WordPress malware removal.
To learn more about the security side of managing WordPress sites I strongly recommend the WordFence blog and their vulnerabilities list which is a great way to learn about the latest hacks taking place that target WordPress.
You might also want to check the official WordPress guide on hardening your install.
For people who are generally interested in infosec and learning more my favorite security blog is krebsonsecurity.com by Brian Krebs.