22 Ways to Improve Your WordPress Website Security
As a site owner, you’ve heard rumors about other sites getting hacked. You might have experienced having your site hacked in the past.
Either way, you know how infuriating it is to deal with.
It can take hours, sometimes days, to try to figure out how to repair the damage caused by a low-level hack, but that’s only if you’re lucky enough to avoid the damage from a more severe attack.
Fortunately, many hacks can be fixed with some simple repairs and site changes, such as switching to a different web host. If you’re searching for a new web host, we have a list of our favorite, trusted web hosts to help you choose.
Before you start thinking that this won’t happen to you, the odds are that it will.
Yes, hackers WILL target your site.
Even if it’s a small WordPress site.
Unfortunately, WordPress sites get hacked more often than you think, and the number of reported hacks has been increasing every year since 2009.
Don’t let your website be one of the hundreds of thousands that are vulnerable to hacking, especially since the odds of your site being hacked are steadily rising.
Instead of wasting your time trying to reverse the damage that occurs when your site gets hacked, work on tightening your WordPress security before it’s too late.
No Site Is Too Small to Be Hacked
Even if you think your website’s smallness protects it from the possibility of being hacked, there’s evidence that the popularity of a website does not prevent hacking.
In fact, many hacks are automated and do not take into consideration the quality or success of a site before attacking.
Most hackers are interested in the collective set of sites they can get their hands on.
That means that while your site is insignificant by itself, lots of websites like yours taken together are crucial for a hacker’s goals: database scraping, black hat SEO, and mass email sending. So it should be clear that even small sites are vulnerable to hacking.
If you’re using WordPress, you likely already have a sense of security about your website. WordPress is a huge platform that caters to a variety of your site’s needs. You may assume that WordPress, on its own, will protect you from being hacked. That’s not true, though.
While WordPress is large and powerful, its high number of users makes it a target for hackers. Because so many websites run on the same system, hackers can reuse one vulnerability to attack the largest possible number of sites.
Instead of figuring out the vulnerabilities of one system, a hacker can figure out a vulnerability of WordPress’ large, widely used platform. What does this have to do with you? As a WordPress user, you should make sure you have set up the necessary precautions and security measures.
That way, you can rest assured that your site isn’t vulnerable to the most common hacks.
For your convenience, our list of security tips starts with the most basic ways to secure your site and then progresses to the more advanced and professional options.
If you have a small, personal website, stick to the basics unless you feel so inclined to amp up your security to the most advanced levels. Begin by learning about basic internet safety, and then follow this list.
For those of you with professional and high-profile websites, you might want to follow this list until the end, depending on your needs.
Let’s get started:
1. Make Sure Your Administrator Account Is Protected
Every WordPress site starts with an Administrator account. That means, when a hacker wants to attack the primary account on your site, they already know the default setup to try.
When choosing a new Administrator account, don’t pick something easy to guess, and do not select “admin” as your username. Be creative and make it something personal.
Unfortunately, you can’t change your WordPress username after it’s been created. Instead, follow these instructions to work around this:
- On the USERS page of your WordPress dashboard, create a new user account. Don’t forget to use a unique (i.e., difficult to guess) username and password.
- Assign this new user account to the Administrator role.
- Then DELETE your original Admin account (when WordPress asks what to do with its content, attribute the posts to the new account rather than deleting them).
2. Keep Your Site Updated
It can be tedious to keep up with updates, but I can’t stress enough how important it is to keep your site updated at all times.
Most updates include strengthening and repairing vulnerabilities and bugs that exist in older versions of WordPress. Don’t be an easy target because your site isn’t updated!
You might doubt that updates are really that important, but they are. WordPress announced that sites using a particular version in 2014 were vulnerable to attacks. A large percentage of WordPress sites were susceptible at that time because of the outdated version of WordPress they were using.
Your site’s security includes updating plugins! Make sure none of the plugins you use are outdated. A vulnerability in a plugin can result in hackers gaining access to and control of your site.
You might’ve heard about the MailPoet hack, where over 50k sites were hacked.
If that doesn’t speak for itself, let me spell it out for you: keep your WordPress version and plugins updated at all times.
Pro Tip: Delete plugins you don’t use. This will save you from worrying about any unnecessary plugins and their updates; all while keeping your site more secure.
3. Don’t Use Your Administrator Account for Content Writing/Editing
As we’ve already established, protecting your Administrator account is essential.
Don’t risk your site by using this account to work on your content, such as writing and editing posts or pages. Be particularly cautious when using public Wi-Fi.
If you can’t use your Administrator account, then what do you use? Create and use a new account with the Editor role.
To do this:
- On the USERS page, click ADD NEW.
- Assign the user the Editor role in the drop-down menu.
- Use this account for writing or editing content (especially in public).
4. Don’t Make It Easy for Hackers to Guess Your Passwords
This is possibly the easiest and most obvious way to deter a hacker from accessing your site.
Hackers are already skilled at breaking into websites; don’t make it any easier for them by using a familiar or predictable password.
Pick a password that is unusual, not made up of recognizable words or phrases, and that includes a variety of characters: symbols, letters, and numbers.
Here are some options to secure your passwords:
- Browse different password managers, such as LastPass.
- Try a password generator.
5. Start at Home by Securing Your Computer!
You likely already know all about the viruses that can attack your computer, but you probably haven’t realized that protecting your network helps protect your online data as well, including your site.
Some hackers use viruses to record your keystrokes and learn your login information and passwords.
Follow these steps to keep your computer healthy and safe:
- Complete updates often.
- Use reputable anti-virus software.
- Be cautious when using public Wi-Fi.
6. Prevent A Hacker from Guessing Your Password by Blocking Their Login Attempts
If you allow unlimited login attempts on your website, you’re letting hackers and bots guess your login information over and over again until they figure it out.
Even if your password isn’t the easiest to guess, with an unlimited amount of attempts, a hacker will eventually narrow down the possibilities until they guess it.
Luckily, there’s a plugin that easily fixes this problem. Try Login LockDown!
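Login LockDown does this for you; to show what such a plugin actually does, here is an added example (not Login LockDown’s or WordPress’s own code) of a minimal must-use plugin that locks an IP address out after 5 failed attempts within 15 minutes, using WordPress transients and the core login hooks. The limits and the file name are assumptions.

```php
<?php
/*
 * Plugin Name: Simple Login Lockout (added example, not Login LockDown)
 * Save as wp-content/mu-plugins/simple-login-lockout.php.
 * Assumed policy: 5 failed attempts from one IP within 15 minutes lock that IP
 * out for 15 minutes. Counters live in transients, so no extra table is needed.
 */

const SLL_MAX_ATTEMPTS = 5;
const SLL_WINDOW       = 900; // seconds

// Transient key for the client's IP. Behind a CDN or reverse proxy (e.g. Cloudflare)
// REMOTE_ADDR is the proxy, so restore the real client IP at the web server first.
function sll_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_' . md5($ip);
}

function sll_is_locked() {
    return (int) get_transient(sll_key()) >= SLL_MAX_ATTEMPTS;
}

// Count each wrong guess; a request refused by the lock itself is not a new guess.
add_action('wp_login_failed', function ($username, $error = null) {
    if ($error instanceof WP_Error && $error->get_error_code() === 'sll_locked') {
        return;
    }
    $key = sll_key();
    set_transient($key, (int) get_transient($key) + 1, SLL_WINDOW);
}, 10, 2);

// Priority 40 runs after core's username/password handlers (priority 20), which
// would otherwise overwrite an earlier WP_Error when the credentials are right.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' && $password === '') {
        return $user; // cookie-based auth, not a login form submission
    }
    if (sll_is_locked()) {
        return new WP_Error('sll_locked', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 40, 3);

// A successful login clears the counter so a legitimate user is not stuck.
add_action('wp_login', function () {
    delete_transient(sll_key());
});
```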
7. Use Well-Known and Trusted Sources for Downloaded Content (Like Themes and Plugins)
Not every source is reputable and trustworthy, and many sources provide downloadable content for the explicit purpose of creating vulnerabilities to expose your site to hackers.
While you might not be aware of it, using untrustworthy sources can make you complicit in the hacking of your own website. Don’t let the hackers trick you!
Stick to sources from the WordPress.org directories. If you must use an outside source, always double check the reviews and reputation of sellers you might purchase from.
Advanced Tip: Delete ALL plugins that have been reported for vulnerabilities or malicious content. Use a service such as Sucuri or WP White Security to monitor the plugins you use for vulnerabilities that exist now or are discovered later.
8. Choose A Web Host You Can Trust and Rely On, Not Just the Cheapest One Available
You might be able to find affordable hosting that seems like a steal, but the one being robbed is you if the host you’re paying for doesn’t provide everything your site needs.
You should require a quality web host that will keep your site protected and functioning.
Shop around and compare the prices, reputations, and reviews of several web hosts before making your choice.
9. Keep Frequent Back-Ups of Your Site, Just in Case
Our goal is to prevent your site from ever being hacked in the first place, and while it’s an admirable and achievable goal if the correct precautions are taken, sometimes hackers win.
If that happens, keep your site protected by having saved back-ups of all your data and content. That way, you’ll be able to get your site back to running smoothly.
While you can do this manually, an automated service will help you avoid human errors (like forgetfulness). Try these two services: WordPress Backup to Dropbox and VaultPress. The former is free, but the latter is a paid option with more features.
10. Add Additional Security to Your Site with A Plugin Designed to Keep Your Site Safe
Several free and paid security plugins will take care of some of the harder work for you. Rest easy knowing one of these plugins has your back!
What can these plugins do for you? Most of them will:
- Block brute force and complex attacks
- Scan your website for any issues or security breaches
- Monitor and protect your files
- Secure your login information
- Report on any hack attempts
- Help you restore your site if anything problematic happens
The best part? All you have to do is configure the settings, and then let the plugin take care of the rest.
Advanced Tip: Jetpack now protects against brute force attacks (attacks in which hackers or bots aggressively and repeatedly guess your login information, attempt after attempt, until they figure it out).
11. Check Frequently for Malware
Malicious software (malware), in simple terms, is software created to attack computers and websites. You might have heard of one kind already: viruses.
All too often, you don’t notice that your site has malware in time to prevent damage. Avoid this by scanning your site frequently for malware.
You can use one of the security plugins listed above, or shop around. Some paid services are more reliable than the free options, so be sure to check the reputation and reviews before picking.
12. Make Sure Your Theme Complies with The Latest Standards
Use a plugin, such as Theme Check, to scan your theme to determine whether it is up to date with the most recent theme review standards.
This is important because the standards reflect requirements and precautions that protect your theme and website from vulnerability and hackers.
Don’t forget – only use themes from trusted sources, as we discussed earlier.
13. Disable Pingbacks and Trackbacks
The danger of pingbacks likely outweighs any convenient functionality that they provide. Hackers can use pingbacks to target your site and cause it to crash.
These attacks are called DDoS attacks, and they can cause your site (or server) to be unavailable for actual visitors that are trying to access your site.
Visit the DISCUSSION tab of your WordPress dashboard to disable pingbacks and trackbacks.
14. Consider Cloudflare to Boost Your Site’s Performance and Security
Cloudflare is a service that sits in front of your site, filtering incoming traffic and speeding up delivery of your pages, and it offers a free tier.
Cloudflare offers several plans for different levels of need. For a small website requiring only the basics, you can use their Free plan.
Here’s what the free plan can get you:
- Mitigation of DDoS
- Global CDN
- Shared SSL certificate
- 3 page rules
The paid plans provide all that and more, but pick a plan that’s right for your site’s needs.
15. Secure Your WordPress Security Keys
16. Protect Your .htaccess File
Advanced Tip: Your .htaccess file can provide your site additional protection as well. You can use it to password protect your admin folder or to disable PHP execution in directories that should never run code (such as the uploads folder), so that a file a hacker manages to upload cannot be executed.
17. Edit Your Database Prefix
When you install WordPress, your database tables are prefixed with “wp_” by default. By now, you might have noticed that many default setups make it much easier for a hacker to figure out your system and gain access to your site.
Secure your site by changing the prefix, located in the wp-config.php file. On a site that is already running, the existing tables (and the prefixed rows in the options and usermeta tables) must be renamed to match the new prefix, or the site will stop working; a fresh install only needs the wp-config.php change.
18. Consider Disabling Features You Don’t Need (Like XML-RPC and PHP Error Reporting)
XML-RPC has been reported to expose WordPress to attack because it allows many commands to be sent in a single request.
This has resulted in it being used for brute force attacks. Protect your site by disabling or deleting this file (xmlrpc.php) if you’re not actively using it.
Another feature that has good intentions but could make your site vulnerable is PHP error reporting. While this feature is useful when building or setting up new PHP sites, its error messages reveal your server’s full file paths. That is hazardous information for a hacker to get their hands on.
If your site is set up and running, you might not need this feature. Learn how to disable it here.
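For items 13 and 18 together, here is an added example (not the page’s or WordPress’s own code) of a must-use plugin that disables XML-RPC and pingbacks through core filter hooks rather than by deleting xmlrpc.php, which the next core update would put back, and that keeps PHP error messages out of the browser. The file name and the HX_KEEP_XMLRPC policy flag are assumptions.

```php
<?php
/*
 * Plugin Name: Harden XML-RPC and Error Display (added example)
 * Save as wp-content/mu-plugins/harden-xmlrpc.php.
 * Assumption: the site does not rely on XML-RPC (mobile app, Jetpack, remote
 * publishing). If it does, set HX_KEEP_XMLRPC to true and only the risky methods go.
 */

const HX_KEEP_XMLRPC = false;

if (!HX_KEEP_XMLRPC) {
    // Core consults this filter whenever an XML-RPC method needs to log in.
    // It does NOT cover pingback.ping, which needs no login, hence the list below.
    add_filter('xmlrpc_enabled', '__return_false');
}

// Drop the methods behind the two risks named above: system.multicall packs many
// login guesses into one request (brute force); pingback.ping makes this server
// fetch a URL chosen by a stranger (DDoS reflection).
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['system.multicall'],
          $methods['pingback.ping'],
          $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: the X-Pingback response header and the RSD <link>.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// Item 13 in code: new posts default to pingbacks/trackbacks off, as the Discussion tab does.
add_filter('pre_option_default_ping_status', function () { return 'closed'; });
add_filter('pre_option_default_pingback_flag', function () { return 0; });

// PHP error display: messages with full server paths must never reach visitors.
// define('WP_DEBUG_DISPLAY', false) in wp-config.php is the usual switch; this
// enforces the same thing even when WP_DEBUG is left on for logging.
@ini_set('display_errors', '0');
```

With display_errors off, keep WP_DEBUG_LOG enabled if you still want errors recorded to a log file on the server instead of shown on the page.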
19. Make Use of Google Search Console
Google provides several tools to benefit your site, but their Search Console can be especially useful to keep an eye on anything sketchy that might be happening.
Google Search Console can help you monitor your site’s performance and how your site displays in search results for users.
Pay attention to GSC: it could alert you early to a hack of your site.
20. Monitor the Activity of All Your Users and Your Dashboard
We know you (hopefully) trust the users you’ve added to your WordPress dashboard, but even the most trustworthy users make mistakes. Keep up with all their activity and the changes they make on your site to monitor for mistakes or unintentionally introduced vulnerabilities.
Here’s a free plugin that can help you keep an eye on all the activity taking place on your dash: WP Security Audit Log.
21. Watch for News About WordPress Vulnerabilities And New Attacks
22. Enable SSL On Your Site
This might be the trickiest and most time-consuming item on this list, but we wouldn’t include it if it wasn’t worth the effort.
Enabling SSL on your website can protect any and all data that is transferred when a visitor browses your site.
Here are a few guides on enabling SSL:
- How to Add SSL and HTTPS in WordPress by WPBeginner
- How to Install an SSL Certificate On Your WordPress Site by GreenGeeks
- How Can I Get HTTPS for My Site by WPEngine
- How to Migrate from HTTP to HTTPS
That’s All We Have for You Today.
Are you overwhelmed by all the items on this list? Don’t worry, most of them are easy enough to implement, and they’ll save you a lot of trouble in the future.
Use these tips to make your website’s security a priority, and avoid dealing with the aftermath of a hack.
Do you have anything to add? We want our list to be comprehensive and to cover all the basic and advanced WordPress security measures, so let us know if we left something out!