Last Updated: June 30, 2021
If you own a business with a physical location, what would you normally do to protect it?
A guard in front? An alarm system? Maybe a bunch of security cameras here and there?
The same goes for your WordPress website. (Metaphorically, of course, although the threat itself is very real.)
Even though it is an online property, your site is just as vulnerable as any brick-and-mortar store. Maybe even more. That’s why the question of how to secure your WordPress website is one of the hottest topics in the WP community.
The trend has its reasons for existing. While specialized, managed WordPress solutions become more and more prevalent (and they tend to boost security), the security and vulnerability statistics from the last two years reveal some alarming facts about the platform. Here is the Hosting Tribunal take on WP security.
The WordPress Reality
According to WPWhiteSecurity research among the most popular WordPress websites, over 73.2% of those are susceptible to exploits. Plugin vulnerabilities are the main culprit in such cases, accounting for over half of the known breaches.
Other well-known exploits target the WP core (31.5%) and the rest focus on themes (14.3%).
When it comes to WordPress security, things are getting worse by the year, and businesses seem to realize that. In 2018, big enterprises suffered around 53% more attacks than the year before, and they are trying to tackle that trend with increased investment in cybersecurity.
Despite the overall awareness and efforts, today some 90,978 attacks on WP sites occur every minute.
Yes, you read right — every minute!
The total market domination WordPress enjoys comes at a price.
And if you think you’re safe just because your site is not making a lot of money or drawing a lot of traffic, think again. Attackers have different motives, and most attacks are automated scans that hit every reachable site regardless of its size: a small site is a perfectly good place to host spam pages, phishing kits or malware downloads.
A good practice for avoiding most WordPress security issues, then, is to first understand the enemy.
What are the most common vulnerability types?
Cross-site scripting (XSS) is a type of injection attack. The attacker gets a piece of JavaScript into a page your site serves (through a comment form, a search box that echoes its input, or a vulnerable plugin or theme), and that script then runs in the browser of everyone who views the page, with that visitor’s privileges on your site. XSS is often ranked below other attack types, but the consequences are real: the script can read the data the page exposes and, if the victim is a logged-in administrator, perform admin actions on their behalf, from creating users to editing theme files. Stored XSS that fires inside the dashboard is a common route to full site takeover.
SQL injection is another type of breach, and a real pain in the backend. Any semi-proficient attacker can smuggle SQL through a standard input (a login form, a search field, a URL parameter) into a query that was built by string concatenation instead of a prepared statement. Once the database executes it, the attacker can read user data and password hashes, alter billing records, or destroy tables outright.
SQL injection is very common, and the fix lives in the code: every query has to be parameterized. On a typical site most queries run inside third-party plugins, so you depend on their authors to fix a hole and on yourself to install the update. That is why regular database backups are imperative: they limit the damage when an injection gets through.
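To make the two attack types concrete, here is a search shortcode written twice, as an added example that is not from the article or from any real plugin: first the way vulnerable plugins tend to write it, then hardened with WordPress’s own APIs. It assumes only the global $wpdb object and the posts table that every installation has; the shortcode and function names are made up.

```php
<?php
/**
 * Added example, not code from the article. Same feature twice: a shortcode
 * that searches post titles for ?q=... and prints the matches.
 */

// VULNERABLE: input is unslashed (WordPress adds slashes to $_GET, and plugin
// authors often strip them to fix a display bug), then concatenated into SQL
// and echoed back without escaping.
function ht_insecure_search_shortcode() {
    global $wpdb;
    $term = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';

    // SQL injection: ?q=%' OR 1=1 -- returns every row; a UNION reads other tables.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%' AND post_status = 'publish'"
    );

    // Reflected XSS: ?q=<script>...</script> runs in the browser of whoever opens the link.
    $out = '<p>Results for ' . $term . '</p><ul>';
    foreach ( $rows as $row ) {
        // Stored XSS: a contributor's title containing <script> fires for every reader.
        $out .= '<li><a href="' . get_permalink( $row->ID ) . '">' . $row->post_title . '</a></li>';
    }
    return $out . '</ul>';
}

// HARDENED: sanitize on the way in, parameterize the query, escape on the way out.
function ht_secure_search_shortcode() {
    global $wpdb;
    // sanitize_text_field() strips tags and control characters. It is input hygiene,
    // not a substitute for escaping output below.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term ) {
        return '';
    }

    // %s is quoted and escaped by prepare(); esc_like() neutralizes the % and _ wildcards
    // so the user cannot turn the pattern into "match everything".
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish' LIMIT %d",
            $like,
            20
        )
    );

    // Escape for the context: esc_html() inside text nodes, esc_url() inside href.
    // Database content is escaped too, because the database is not a trusted source.
    $out = '<p>Results for ' . esc_html( $term ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">' . esc_html( $row->post_title ) . '</a></li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'ht_search', 'ht_secure_search_shortcode' );
```

The pattern to take away is that the two defenses are separate: $wpdb->prepare() stops the injection, and esc_html()/esc_url() stop the script, and dropping either one reopens its hole.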
Brute force attacks aim to gain access to your system by “guessing” your username and password. WP does not limit login attempts by default, and attackers love that: automated tools hammer the login form (wp-login.php) and the XML-RPC endpoint with lists of common usernames and passwords leaked from past breaches until one combination works.
It’s like forcing yourself in through the front door.
Website security stats further confirm the danger of weak and unprotected login data – stolen or insecure passwords account for more than 81% of WordPress attacks.
In light of these facts, leaving the default username, admin, active is a major security lapse. A brute force attack needs both a username and a password, and keeping the default user hands over half the answer. Bear in mind that WordPress also reveals usernames through author archive URLs and the REST API’s users endpoint, so a non-default username raises the cost of an attack rather than hiding you; the password still has to do the heavy lifting.
Enough with the scary statistics.
You are here to get actionable tips and solutions on how to secure WordPress, so I will make headway to the good stuff.
Get a Good Web Host
Every online project needs a virtual home.
Your web host is (unsurprisingly) the first and most essential barrier between websites and hackers. So, before you rush into any decisions, make sure the hosting provider you consider is up to par with the latest security standards, and its servers are configured for WP and its safety.
A managed WordPress platform from a reliable host should offer more than the standard perks. Automatic backups and updates, custom server configuration, and skilled support often prove to be indispensable when you are looking for ways to prevent WordPress hacking.
A quality WordPress host has a thorough understanding of the application and its known vulnerabilities. This allows it to ensure a safe environment for WP projects to flourish. Such providers are always on the lookout for new updates and security patches so, more often than not, you can dodge a particular threat before you even realize it’s there.
Remember the tale of the Three Little Pigs?
If you are looking to make a WordPress site secure from the Big Bad Hacker, would you “lock it” in a house built of straw, wood, or concrete?
Yeah, that’s what I thought.
Backup WordPress Regularly
A responsible business owner should always have a contingency plan in case things go south.
Website security is no exception. Back up both the database and the files: a corrupted database renders your pages useless, and the files hold your themes, plugins and uploads.
As reliable as your host might be, you need to always prepare for everything. Backing up your site frequently is a must if you want to avoid any irreversible changes. I am talking about both online and offline backups.
Don’t get me wrong: as I mentioned, automatic host backups are essential for your WordPress site security. But no method is 100% hacker-proof, failures do happen, and most providers have limited storage and keep backups for only a few days.
Many exploits are not triggered right away, so if you fail to notice the issue immediately, you might end up with only infected copies of your website.
Never underestimate the power of offline backups.
They take minimal effort but can save a lot of sleepless nights. Just back up your site online, download it over SFTP (plain FTP sends your credentials and your data in clear text), and store it in an offline location or a cloud service. That’s all there is to it. I can’t think of anything better you can do in five minutes for your WordPress protection.
Many webmasters back up the website after each new modification. While this is a good practice to follow, I’d recommend going one step further and backing up your data every day, keeping several generations instead of overwriting the last copy. You know what they say (for a reason):
Better safe than sorry!
Update WordPress Regularly
I have already outlined how important regular updates are for your website speed. Unsurprisingly, they do as much and more for your WordPress website security.
Prominent open-source projects are all about progress and improvements, so they rarely stay the same for long. A lot of the software updates include security fixes and patches, and the newer versions minimize the risk of old backdoor exploits that can let intruders in.
That’s a valid point not only for the WordPress core but for all additional site components as well.
Plugins, themes, PHP — make sure to frequently check if they are all up-to-date.
Far too often hackers gain access through add-ons that have not been updated for years. WordPress hacking stats from 2018 reveal a sad fact: only 39% of all WordPress installations are updated to the latest stable release, and about the same percentage run the most recent PHP version.
It turns out that more than half of WP users might as well be smoking on a barrel of explosives, hoping it won’t catch fire.
Props to them, but I prefer to be more practical when it comes to my business and livelihood.
Keeping everything up-to-date proves advantageous when it comes to website diagnostics and compatibility issues. Should a problem occur after an update, you can turn each additional component off from the WP backend and thus locate the one that doesn’t operate properly in the new environment. The bottom line is:
The key to securing your WordPress website is to apply software updates as they are released. Each release patches the vulnerabilities found since the previous one, and once a fix is public, attackers know exactly where to look on every site that has not applied it.
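WordPress can apply most of these updates on its own; the following must-use plugin is an added example (not the article’s code and not a real plugin) that turns that on as a policy. It uses WordPress’s own update filters; the excluded plugin slug and the PHP version floor are assumptions you would replace with your own.

```php
<?php
/**
 * Plugin Name: HT Update Policy
 * Description: Added example, not the article's code. Save as
 *              wp-content/mu-plugins/ht-update-policy.php; must-use plugins load on
 *              every request and cannot be deactivated from the dashboard.
 */

// Core: take minor (security and maintenance) releases automatically and leave major
// releases for a manual update after a backup, since majors are what break old plugins.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins and themes: update everything automatically...
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// ...except one that has broken on update before (slug assumed). $item is the update
// offer; $item->plugin is the plugin's main file relative to wp-content/plugins.
// Priority 20 runs after the blanket "true" above, so the exclusion wins.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && 'fragile-gallery/fragile-gallery.php' === $item->plugin ) {
        return false;
    }
    return $update;
}, 20, 2 );

// Keep the e-mail WordPress sends after plugin/theme auto-updates, so a failed or
// partial update is noticed instead of silently leaving an old version in place.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );

// PHP is a component too, and one only the host can update. Nag administrators when
// the runtime is below the floor you have chosen (8.0 assumed), because a PHP release
// past its end of life receives no security fixes.
add_action( 'admin_notices', function () {
    if ( current_user_can( 'update_core' ) && version_compare( PHP_VERSION, '8.0', '<' ) ) {
        printf(
            '<div class="notice notice-error"><p>This site runs PHP %s, below the agreed floor of 8.0. Ask your host to upgrade.</p></div>',
            esc_html( PHP_VERSION )
        );
    }
} );
```

Putting the policy in mu-plugins rather than in a normal plugin matters: a normal plugin can be deactivated by anyone with an administrator account, including an attacker who just obtained one.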
Passwords and User Permissions
Password exploitation is the single most common method for hackers to gain unauthorized access to a system. I know that many of you would prefer login details that are easy to remember, but it’s 2021, and risks to your online safety abound.
That goes double if your passwords are the same or similar across multiple platforms, because a password leaked from one site gets tried against every other. Forget the crowd favorites that top the annual worst-passwords lists, and forget all their derivatives too.
Hackers are well aware of these passwords and they are oftentimes their first guesses.
You can’t ultimately secure WordPress if you give trespassers the key, right?
I know that a password like Zx!aAr%eNy#1b seems impossible to remember, but luckily you don’t have to. Reliable online password managers keep all your third-party credentials safely locked up under a master password and away in a secure location.
LastPass and Dashlane are a couple of top choices that immediately spring to mind.
Opting for a long and complicated password is well worth the effort: your site’s assets might very well depend on it one day.
A full tutorial on how to secure WordPress would be impossible without mentioning the role of user permissions. Some projects do require multiple users to access the WordPress platform. In such cases, you need to apply certain limitations to what different users can access.
That’s where user permissions come to the stage.
You need to watch this closely and ensure each user has just enough access to do their job. WordPress ships with graded roles (Subscriber, Contributor, Author, Editor, Administrator) for exactly this purpose: a writer who only needs to publish posts should be an Author or Editor, never an Administrator, and every Administrator account you can remove is one fewer that a brute force attack can turn into a malicious plugin install.
Remember when we talked about brute force attacks earlier?
One easy way to protect your WordPress application from them is to limit login attempts. This is unavailable by default, but an easy-to-install plugin does the trick and typically adds a captcha challenge on top.
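Here is what such a plugin does under the hood, as an added example written for this article (not the article’s own code and not the code of any real plugin): it counts failed logins per client IP in WordPress transients and refuses further attempts for a while, covering both the brute force section above and the limit-login-attempts advice here. The limits and key names are assumptions.

```php
<?php
/**
 * Plugin Name: HT Login Throttle
 * Description: Added example, not the article's code and not a real plugin. Locks an
 *              IP out of wp-login.php and XML-RPC after repeated failed logins.
 */

const HT_MAX_FAILURES    = 5;    // failures tolerated per window (assumed value)
const HT_LOCKOUT_SECONDS = 900;  // lockout length: 15 minutes (assumed value)

/**
 * REMOTE_ADDR is the only address the web server itself vouches for. Trust
 * X-Forwarded-For only when a proxy you control sets it; otherwise an attacker
 * forges a fresh "IP" on every request and the limit never triggers.
 */
function ht_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transients live in wp_options (or the object cache) and expire on their own. */
function ht_failure_key( $ip ) {
    return 'ht_login_fail_' . md5( $ip );
}

function ht_failures_for( $ip ) {
    return (int) get_transient( ht_failure_key( $ip ) ); // false (missing) casts to 0
}

/**
 * Priority 30 runs after core's username/password handlers at priority 20, so a
 * locked-out IP gets this error even on the attempt that finally guesses right.
 * XML-RPC logins go through wp_authenticate() as well, so system.multicall
 * credential stuffing hits the same wall.
 */
function ht_block_locked_ip( $user, $username, $password ) {
    if ( ht_failures_for( ht_client_ip() ) >= HT_MAX_FAILURES ) {
        return new WP_Error(
            'ht_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', HT_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ht_block_locked_ip', 30, 3 );

/**
 * Count a failure. Every failure rewrites the transient with a full window, so an
 * attacker who keeps hammering keeps the lock alive; it only expires once they stop.
 * The lockout error itself also counts as a failed login, which is intended.
 */
function ht_record_failure( $username ) {
    $ip = ht_client_ip();
    set_transient( ht_failure_key( $ip ), ht_failures_for( $ip ) + 1, HT_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'ht_record_failure' );

/** A successful login from an IP that is not locked clears its counter. */
function ht_clear_failures( $user_login, $user ) {
    delete_transient( ht_failure_key( ht_client_ip() ) );
}
add_action( 'wp_login', 'ht_clear_failures', 10, 2 );
```

Two caveats a plugin of this kind cannot remove: a botnet rotating through thousands of IPs stays under any per-IP limit, so strong passwords remain the primary defense, and if your host sits behind a proxy or CDN you must derive the client IP from the header that proxy sets, or everyone shares one address and one lockout.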
While on the subject of security add-ons, let’s assess their role in our long-term WP protection.
Use Safe Plugins
We’ve now picked a solid hosting provider and established an optimized server environment. We’ve also made sure our login credentials are safe enough from prying eyes.
WP-specific security plugins address the most common vulnerabilities and threats for websites — cross-site scripting, SQL injections, malware infections, phishing pages, and other popular attacks. Figuring out these plugins is the next step toward understanding how to secure your WordPress website.
Keep in mind, plugins are the most exploited doorway for hackers worldwide, so pay close attention to which ones you pick.
Download only essential tools from known sources, update them regularly, and monitor if they are affected by known vulnerabilities.
Over the last year, WordPress registered a 30% increase of reported vulnerabilities, more than any other CMS on the market. Where do you think the majority of breaches came to pass?
You guessed it — plugins!
The situation is so bleak that even the top WordPress security plugins are not entirely fail-safe. Wordfence and iThemes Security are two renowned security tools that have had vulnerabilities of their own exploited in the past.
When the threats were discovered though, the developers were quick to inform the community. To their credit, they also promptly released a security patch. In such cases, that’s the most you can ask for.
And therein lies the rub — 100% online safety is impossible to achieve, so quick reactions in unsavory situations are just as important.
Here are a few plugins that enjoy constant improvement and a loyal online following.
Sucuri is undoubtedly one of the industry leaders in WordPress site security. Both developers and users benefit greatly from Sucuri’s regular reports, case studies, and in-depth guides. One of their highly regarded creations is the Sucuri Security plugin.
This add-on can do practically everything: it scans and audits your entire website, monitors file integrity, and even applies security hardening. Its developers take great pride in their activity monitoring system, which sends real-time information to the Sucuri Security Operations Center (SOC).
It’s like the Swiss army knife of security add-ons.
The Wordfence developers spent years figuring out how to secure WordPress and it shows. Wordfence has had a rocky past but is now deservedly back on top. The plugin keeps an ever-growing database of over 40,000 known threats. This makes it work like a charm when it needs to sniff out vulnerabilities. Whenever the add-on detects a possible exploit, it assesses the risk and sends you comprehensive instructions on how to tackle the situation.
Many hacker attacks originate from the same geolocation. In such cases, Wordfence’s country blocking features often come in handy.
As useful as its other features may be, the real gem in the Wordfence crown is undoubtedly the built-in web application firewall (WAF). It identifies and blocks malicious requests before they ever reach your website.
Bulletproof Security is a neat tool that keeps a record of the industry’s most pressing issues and makes sure to address them all. XSS attacks, SQL injections, malware infections — there are hardly any limitations for this plugin.
Bulletproof compensates for the lack of flashy visuals with a step-by-step wizard, which is immensely helpful in the beginning. Once installed, you are in for a treat with a plethora of useful security tweaks – login monitoring, malware scanners, and error logs among them.
Even modern-day headscratchers like GDPR compliance are no match for one of the most popular WordPress security plugins.
What’s the bottom line?
Carefully select a few essential plugins from trusted sources, monitor their performance, and update them regularly.
A small price to pay for ultimate website security, don’t you think?
Secure WP Folder
If you’ve dipped your toes into the WordPress game even once, you are well aware it comes with some default settings, which most webmasters prefer to leave unchanged.
- The WP backend resides in the /wp-admin folder.
- The default administrator username is admin.
- Database tables use the wp_ prefix.
You know that, and hackers know it too. Leaving these defaults in place makes automated attacks easier: a brute forcer can assume the username, and an SQL injection payload can assume the table names. Changing them is defense in depth rather than a substitute for the fixes above, but the few keystrokes it takes are well spent.
Do yourself a favor and change the default parameters — you will thank me later!
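Here is a one-off WP-CLI script, added as an example and not taken from the article, that acts on the default username above and on the user-permissions advice from earlier: it renames the admin account, rotates its password, invalidates its sessions, then lists every administrator and demotes the ones you name to Editor. The “ops-” login prefix, the display name and the demotion list are assumptions.

```php
<?php
/**
 * Added example, not the article's code. Run once from the site root with WP-CLI:
 *     wp eval-file ht-admin-hygiene.php
 * Take a database backup first; this edits the users table directly.
 */

if ( ! defined( 'WP_CLI' ) ) {
    exit( "Run this with: wp eval-file ht-admin-hygiene.php\n" );
}

global $wpdb;

// Accounts that only need to publish content. Editor can do that without being able
// to install plugins, edit theme files or change settings. (Logins assumed.)
$demote_to_editor = array(); // e.g. array( 'marketing-bob', 'intern-2021' )

$admin = get_user_by( 'login', 'admin' );
if ( $admin ) {
    $new_login = 'ops-' . wp_generate_password( 8, false, false ); // letters and digits: not in any wordlist
    $new_pass  = wp_generate_password( 24, true, true );           // goes into your password manager

    // user_login is the one field wp_update_user() refuses to change, so write it
    // directly and flush the cached user object so later calls see the new value.
    $wpdb->update( $wpdb->users, array( 'user_login' => $new_login ), array( 'ID' => $admin->ID ) );
    clean_user_cache( $admin->ID );

    // The slug (user_nicename) is exposed by author archive URLs and by
    // /wp-json/wp/v2/users, and display_name appears in bylines. Neither should
    // equal the login, or enumeration hands the username straight back.
    $result = wp_update_user( array(
        'ID'            => $admin->ID,
        'user_nicename' => 'editorial-team',   // assumed
        'display_name'  => 'Editorial Team',   // assumed
        'user_pass'     => $new_pass,          // hashed by wp_update_user()
    ) );
    if ( is_wp_error( $result ) ) {
        WP_CLI::error( $result->get_error_message() );
    }

    // If the old account was ever compromised, its existing cookies must die too.
    WP_Session_Tokens::get_instance( $admin->ID )->destroy_all();

    WP_CLI::success( "Renamed 'admin' (ID {$admin->ID}) to {$new_login}; new password: {$new_pass}" );
} else {
    WP_CLI::log( "No user named 'admin' found." );
}

// Least privilege: every administrator is an account that, once brute forced,
// can install a backdoor plugin. Review the list and shorten it.
WP_CLI::log( 'Administrators:' );
foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
    WP_CLI::log( sprintf( '  %-5d %-24s %s', $user->ID, $user->user_login, $user->user_email ) );
}

foreach ( $demote_to_editor as $login ) {
    $user = get_user_by( 'login', $login );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        $user->set_role( 'editor' ); // replaces every existing role with editor
        WP_CLI::log( "Demoted {$login} to editor." );
    }
}
```

The table prefix is deliberately not handled here: renaming the tables alone locks you out, because the wp_user_roles option and the wp_capabilities and wp_user_level usermeta keys carry the prefix in their names and must be renamed in the same step, along with $table_prefix in wp-config.php. Use a tested tool for that, with a fresh backup in hand.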
WordPress Security Matters
WordPress is a favorite target for hackers. As a website owner, you should rise to the challenge. The good news is the commonly exploited sources of attacks aren’t that many. In other words, fending off hackers is easier than it sounds.
You barely need any technical knowledge to understand how to secure your WordPress website: a series of quick tweaks will do the job just fine.
- Choose a solid web host
- Backup everything online and offline
- Update regularly
- Keep strong and secure passwords
- Use trusted plugins
- Secure WP login parameters
See, nothing much to it.
By now you should feel like a WordPress security wizard yourself. Compared to most website owners, you actually are. Now go ahead and make your website secure. No better time for it than now.