We already wrote a popular article about WordPress security a couple of years ago, but given the pace of WordPress development, with many major releases since then, we decided to revisit the subject. For most tips in this article there are several ways to implement them, and we wrote this one to stay more general and current than the older article, saving plugin recommendations for the end. The recommendations are ones we have used for a few years ourselves, so if you want quick solutions, scroll down before reading on about the “how” and “why” of WordPress security.
Before getting started with prevention methods, remember that no matter how secure your website is, there is always a risk from vulnerabilities that have not yet been discovered. Therefore our first advice is to make daily backups of both the site files and the database, so you can recover quickly. If you are actually hacked at some point, try to understand what happened, so you can notify the developers of the affected software about the vulnerability.
Keep WordPress up to date
This is usually the first tip you get when reading about WordPress security. The platform is updated frequently by Automattic, and each time they patch a security vulnerability they publish the changes in a log, making it public knowledge and therefore easily accessible to people with malicious intentions.
Keeping up to date also extends to any plugins and theme you might have, which can be even more important since many plugins and themes are created by single developers who don’t always have enough time on their hands to keep everything 100% secure and up to date at any given point – and in some cases even popular plugins stop being updated completely. This also means you need to be careful when installing new plugins or selecting your theme, and remember to check for vulnerabilities.
Everything uploaded to WordPress.org is scanned, which is also the case for the premium plugins and themes at ThemeForest – meaning those tend to give the most secure options. You can scan your own site with plugins using the WPScan security directory, which is frequently updated with the latest vulnerabilities. If you find a vulnerable plugin or if your theme has security holes, make sure to not only deactivate but also delete it, and also try to contact the developers who created it, so they can prioritize security.
If you create a child theme, a custom theme or build your own plugins, remember to follow the WordPress guidelines to keep everything secure and stable. Major upgrades to the system often include security patches, and in some cases there are important changes to the API, with new guidelines for which functionality to use and some functions becoming deprecated – developers need to make certain that their code doesn’t use deprecated code with potential security issues.
Use a unique and secure custom username and a good password
One of the first things you should do after installing WordPress is to make sure there is no administrator account called “admin” – and don’t use the site name or another easily guessed word as the username either.
When it comes to passwords, I’m sure you’ve heard over and over again that you shouldn’t use simple ones such as “password” or even “p@ssw0rd”, so we won’t go into depth about how easy it is to crack those with modern methods. The recommended option is to use a password generator, such as Norton Password Generator or Strong Password Generator – although my personal preference is LastPass, where you can create and manage all passwords across devices in one secure place, only having to remember the password for LastPass itself (which of course also needs to be a secure one). We also recommend changing the password frequently, as some attackers hack a site once to find out the password and then come back later with more malicious intentions.
For even more admin login security, you can add two-factor authentication, for example with the Google Authenticator plugin. Besides that, verifying that someone is human with a “No CAPTCHA reCAPTCHA” plugin can help keep the bots away, along with password protecting access to your wp-login.php through an .htpasswd file to help avoid brute force attacks. Read more about this and similar advanced techniques in a good post about protection from brute force attacks by BulletProof Security. If you use .htaccess to limit login access by IP address, as described there, first make certain your IP address is static, and understand that you will only be able to access the admin area when connected from that IP address.
Use managed WordPress hosting
One of the great advantages with Managed WordPress hosting is that the hosting provider helps keep your website secure and updated. Besides updating WordPress and key plugins, they often have other security measures in place, such as hardware firewalls and configuration. Our top choice for managed WordPress hosting providers is inmotion, with secure WordPress hosting, great professional support and quite a few extras to top it off.
Secure your server, database and files
If you have an unmanaged custom WordPress website, there are multiple things you can do yourself to improve security on the server. For example, in general you shouldn’t let just anyone install, edit or update WordPress, plugins and themes. If you keep a local version of your website, you can make all file edits and updates there and turn them off on the live website by adding define('DISALLOW_FILE_MODS', true); and define('DISALLOW_FILE_EDIT', true); to the live site’s wp-config.php file. However, please note that DISALLOW_FILE_MODS also disallows updating themes and plugins, meaning you have to update those in another way. Our team has the habit of keeping separate wp-config files for the development and live versions of the WordPress websites we create, making debugging easier while keeping the live version more secure.
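As an added example (not code from the original article), here is one way to keep a single wp-config.php that pulls in a per-environment file and switches the file editor and file modifications off only on the live site. The WP_ENV variable, the two file names wp-config-development.php and wp-config-production.php, and the debug settings are assumptions; DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS, WP_DEBUG, WP_DEBUG_LOG and WP_DEBUG_DISPLAY are real WordPress constants.

```php
<?php
// Added example: a wp-config.php that loads a per-environment file so that
// file editing/modification is blocked only on the live site. The WP_ENV
// variable and the two include file names are assumptions for this example.

// Read the environment from the web server (for example SetEnv WP_ENV production
// in an Apache vhost, or env[WP_ENV] in a PHP-FPM pool). Anything unknown or
// unset falls back to "production" so a misconfigured host fails safe.
$wp_env = getenv('WP_ENV') ?: 'production';
if (!in_array($wp_env, ['development', 'production'], true)) {
    $wp_env = 'production';
}

// Assumed to sit next to this file and to contain DB_NAME, DB_USER,
// DB_PASSWORD, DB_HOST and the authentication salts for that environment.
// Keep both files out of version control.
require_once __DIR__ . '/wp-config-' . $wp_env . '.php';

if ($wp_env === 'production') {
    // Remove the built-in theme/plugin file editor from the admin area.
    define('DISALLOW_FILE_EDIT', true);
    // Block installing, updating or deleting plugins and themes from the admin
    // area. This also disables core, plugin and theme updates, so on the live
    // site updates have to be deployed from the local copy instead.
    define('DISALLOW_FILE_MODS', true);
    // Never show PHP errors to visitors on the live site.
    define('WP_DEBUG', false);
    define('WP_DEBUG_DISPLAY', false);
} else {
    // Local copy: keep the editor and updates available and log errors to
    // wp-content/debug.log rather than printing them into pages.
    define('WP_DEBUG', true);
    define('WP_DEBUG_LOG', true);
    define('WP_DEBUG_DISPLAY', false);
}

$table_prefix = 'wp_';

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Because the production branch is the default, a server that forgets to set WP_ENV gets the locked-down configuration rather than the development one, and the development-only settings can never leak onto the live site by accident.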
While on the subject of securing your files, another advanced technique is not to leave WordPress file permissions at 777, which lets anyone with access to the server edit the files. In general, 755 permissions for folders and 644 for files are advisable, but it’s a good idea to talk to your friendly developer or hosting provider about it, as some files can have even stricter settings. Some also advise hiding your WordPress admin area by changing the URLs of /wp-admin and /wp-login.php, but according to many security experts this has little or no effect. It does however help hide the fact that your website is based on WordPress, although you would then need to hide this fact in quite a few other places (which can be done either manually or with a plugin, but we won’t cover those today).
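The following script is an added example, not part of the original article: it walks a WordPress installation and lists every file or directory whose permission bits differ from 644 / 755, marking world-writable entries (the 777 case above) separately, and can apply the expected modes when run with --fix. The stricter 0640 for wp-config.php is an assumption in this example, as is the script name audit-perms.php used in the usage comment.

```php
<?php
// Added example: audit (and optionally fix) WordPress file permissions.
// Usage: php audit-perms.php /var/www/html [--fix]   (script name assumed)

const DIR_MODE  = 0755;   // directories
const FILE_MODE = 0644;   // regular files
// Files that should be stricter than the default; 0640 for wp-config.php is an
// assumption here, check what the account PHP runs as actually needs.
const STRICT_FILES = ['wp-config.php' => 0640];

/**
 * Return one finding per entry under $root whose mode bits differ from the
 * expected mode. Symlinks are skipped so the audit never leaves the install.
 */
function audit_permissions(string $root): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        /** @var SplFileInfo $info */
        if ($info->isLink()) {
            continue;
        }
        $actual   = $info->getPerms() & 0777;
        $expected = $info->isDir()
            ? DIR_MODE
            : (STRICT_FILES[$info->getFilename()] ?? FILE_MODE);
        if ($actual !== $expected) {
            $findings[] = [
                'path'           => $path,
                'actual'         => sprintf('%04o', $actual),
                'expected'       => sprintf('%04o', $expected),
                'world_writable' => ($actual & 0002) !== 0,
            ];
        }
    }
    return $findings;
}

/** Apply the expected mode to every entry reported by audit_permissions(). */
function fix_permissions(string $root): int
{
    $fixed = 0;
    foreach (audit_permissions($root) as $finding) {
        if (chmod($finding['path'], octdec($finding['expected']))) {
            $fixed++;
        }
    }
    return $fixed;
}

if (PHP_SAPI === 'cli') {
    $args = array_slice($argv, 1);
    $fix  = in_array('--fix', $args, true);
    $root = array_values(array_diff($args, ['--fix']))[0] ?? getcwd();

    foreach (audit_permissions($root) as $f) {
        printf("%s %s (expected %s)%s\n",
            $f['path'], $f['actual'], $f['expected'],
            $f['world_writable'] ? '  <-- world-writable' : '');
    }
    if ($fix) {
        printf("Corrected %d entries.\n", fix_permissions($root));
    }
}
```

Run it without --fix first and read the list: the audit compares mode bits only, so a directory such as wp-content/uploads that must be writable by the web server is fine at 755 only if the web server's account owns it. Ownership, not just the mode, is what you should discuss with your host.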
When it comes to database security, make certain that the database user only has the SELECT, INSERT, UPDATE and DELETE privileges, and use strong usernames and passwords that differ from the WordPress admin login. Don’t use the default root, admin or similar usernames for anything, and avoid reusing the same credentials across different logins, for example the database, the WP admin pages, FTP (if you use FTP at all, consider disabling it in favour of more secure options) and server root access.
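To check the point above on an existing site, here is an added example (not from the original article) that reads the output of SHOW GRANTS for the WordPress database user and reports every privilege beyond SELECT, INSERT, UPDATE and DELETE. It runs offline on a constructed sample of grant lines, or live against your database when the WP_DB_HOST, WP_DB_USER, WP_DB_PASSWORD and WP_DB_NAME environment variables (assumed names for this example) are set.

```php
<?php
// Added example: report database privileges the WordPress user does not need.
// Offline:  php audit-grants.php
// Live:     WP_DB_HOST=localhost WP_DB_USER=wpuser WP_DB_PASSWORD=... \
//           WP_DB_NAME=wp_live php audit-grants.php --live
// (script name and the WP_DB_* variable names are assumptions)

const ALLOWED_PRIVS = ['SELECT', 'INSERT', 'UPDATE', 'DELETE'];

/**
 * Parse SHOW GRANTS lines and return the privileges beyond ALLOWED_PRIVS,
 * keyed by the object (database.table pattern) they apply to. "USAGE" on its
 * own only means "may connect" and is ignored; "ALL PRIVILEGES" is reported
 * as-is, since it is the worst case.
 */
function excess_privileges(array $grantLines): array
{
    $excess = [];
    foreach ($grantLines as $line) {
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s/i', $line, $m)) {
            continue; // not a privilege grant (e.g. a PROXY or role line)
        }
        $object = $m[2];
        foreach (array_map('trim', explode(',', strtoupper($m[1]))) as $priv) {
            if ($priv === 'USAGE' || in_array($priv, ALLOWED_PRIVS, true)) {
                continue;
            }
            $excess[$object][] = $priv;
        }
    }
    return $excess;
}

/** Fetch SHOW GRANTS for the connecting user via mysqli (live mode). */
function fetch_live_grants(string $host, string $user, string $password, string $db): array
{
    $conn   = new mysqli($host, $user, $password, $db);
    $result = $conn->query('SHOW GRANTS FOR CURRENT_USER()');
    $lines  = [];
    while ($row = $result->fetch_row()) {
        $lines[] = $row[0];
    }
    $conn->close();
    return $lines;
}

// Constructed sample: a user that was handed every privilege on the whole
// server, plus a scoped grant on the WordPress database that includes DROP.
$sample_grants = [
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'wpuser'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON `wp_live`.* TO 'wpuser'@'localhost'",
];

if (PHP_SAPI === 'cli') {
    $live  = in_array('--live', array_slice($argv, 1), true);
    $lines = $live
        ? fetch_live_grants(getenv('WP_DB_HOST') ?: 'localhost', getenv('WP_DB_USER') ?: '',
                            getenv('WP_DB_PASSWORD') ?: '', getenv('WP_DB_NAME') ?: '')
        : $sample_grants;

    $excess = excess_privileges($lines);
    if ($excess === []) {
        echo "OK: only SELECT, INSERT, UPDATE and DELETE are granted.\n";
    }
    foreach ($excess as $object => $privs) {
        printf("%s: unnecessary privileges %s\n", $object, implode(', ', $privs));
    }
}
```

On the constructed sample the script reports ALL PRIVILEGES on *.* and DROP on `wp_live`.*. One caveat to keep in mind when you tighten the grants: WordPress core upgrades and some plugins need CREATE, ALTER, DROP and INDEX to change the table schema, so grant those temporarily while updating and revoke them again afterwards, rather than leaving them in place permanently.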
Keep your local computer secure
There are some hacking techniques where the local computer is attacked instead of the website, letting malicious software, for example, inject code into your page editor, which then ends up on your website. Most of these techniques can be avoided by scanning your computer frequently, taking action when needed and keeping everything up to date. Keeping your own computer free of viruses, malware and spyware helps keep both your local machine and your website stable and secure.
An advanced option, while keeping your own computer secure, is to create a local copy of your website, using for example XAMPP or WAMP as a local test server environment. This helps developers debug and scan both their own code and any plugins being considered for the website, and lets you use different debugging and malware scanning settings than on the live website.
Recommended security plugins
As promised at the start of this article, below are a few good and frequently updated plugins to improve security. We advise against installing them all side by side, since some have the same functionality and might conflict with each other – try out the free version to see what you find most suitable, and then consider getting the premium version for enhanced security. As mentioned earlier, it is possible to add much of the same functionality manually, which might be preferable in some cases, and with Managed WordPress hosting you often get at least some of the features included without the need to install additional plugins.
- BulletProof Security: Complete security suite with everything from various logging and admin security features to database backup and firewalls.
- WordFence: Alternative to BulletProof with similar features, plus a few of its own. Note: an old version had a security vulnerability, which however was swiftly patched. With this in mind, don’t forget to check even the security plugins for vulnerability.
- Anti-Malware and Brute-Force Security by ELI: Scans your entire WordPress website for potential security issues such as back-doors and other threats. Updates with new definitions frequently.
- Plugin Security Scanner: Looks for vulnerable plugins and themes by comparing to the WPScan directory.
- blogVault Real-time Backup: Creates daily backups of your website at offsite locations, with 9 independent backup copies of your WordPress website.
- BBQ (Block Bad Queries): Blocks a number of queries made through the URL. Prevents attacks on your website by blocking URLs that match specific criteria from a blacklist.