This is a complete guide for WordPress security that helps you learn why you need to secure your WordPress site, why and how WordPress sites get hacked, and how you can easily improve your WordPress security.
Investing time and money into securing your assets are both true in the real world and as well as in the digital. Patchstack is a security company, and speaking from experience, we have seen many WordPress websites hacked, and taken over, and their private information was stolen because they overlooked a single vulnerability within their website.
That’s all it takes; if you have one loophole in your website and if it is discovered and taken advantage of, you will risk losing your digital presence.
WordPress security is a vast topic as there are many techniques you can use on your website and hosting server to secure against malicious attacks. In this guide, we will aim to cover every method there is to secure a WordPress website.
Before we begin, we should mention that it is not necessary to implement all the techniques talked about in this article.
You can use this guide to create the security policy governing your websites. With that said, the following methods are highly recommended by our team, while others will depend on your use case.
- Have a vulnerability scanner for early detection.
- Block attacking IPs.
- Have multiple website backups.
- Keep your WordPress core, theme, and plugins up to date.
- Use the latest version of PHP and other server software, such as Apache, LiteSpeed, and Nginx.
- Use an uptime monitoring service.
- Use strong passwords and usernames with two-factor authentication.
- Secure your WordPress admin login URL.
Why do you need to secure a WordPress website?
This is a question or a thought that can pop into your or your client's mind. Many design and development agencies offer security as a service to their clients, and new clients who are just starting out building their online presence won’t be interested in securing their WordPress websites.
It is essential for both the agencies and clients to understand that without a proper security policy, they risk losing their time and investment, their data, their domain, and much more.
With so many malicious bots scanning continuously for vulnerabilities in WordPress websites, it is necessary to invest in website security.
What are some common WordPress security issues?
As mentioned above, hackers have built bots and scanners that can find and automatically try to hack into your WordPress websites. There are many types of attacks that bots carry out; one of the most notorious ones is brute force attacks on the login page, where bots keep on entering combinations of usernames and passwords on your website’s login page in hopes of cracking the combination.
Once the bot gains access, it will notify its hacker, and he will gain access to your WordPress dashboard to carry out further attacks. Choosing strong, unique passwords will stop these brute-force bots from succeeding. Better yet, consider 2FA.
Another attack on WordPress websites is a DDoS attack, where a set of compromised servers or websites try to send requests to a WordPress website to waste the victim website’s server resources and eventually render the website unreachable. The best solution to this kind of attack is blocking the attacking IPs on a network level.
However, the most common attack is gaining access to a WordPress website by exploiting a vulnerability in a theme or plugin. At Patchstack, we see most compromised websites had a vulnerable plugin that wasn’t updated as soon as a patch was available. That is why having a vulnerability monitoring service that offers vPatching, which can help to detect issues within the plugins that you are using, is the safest bet to secure against such attacks.
Why do WordPress sites get hacked?
WordPress is used on millions of websites, so it is no surprise that many hackers invest their time finding vulnerabilities to access WordPress websites. WordPress also has a large open-source community that builds plugins, themes, and other scripts to extend WordPress’ functionality.
Since there are thousands of plugins and themes built by third-party developers, there are bound to be vulnerabilities within the code that hackers can use to hack WordPress websites.
Luckily to combat hackers, an active community of security researchers invests their time in finding security loopholes within the WordPress core and plugins and themes before they are exploited. At Patchstack, we encourage WordPress security researchers and introduce the Patchstack Alliance, a team of security experts. We also work closely with other WordPress companies, such as hosts, agencies, and plugin and theme developers, to notify them and their clients of website vulnerabilities.
Will my site be protected from vulnerabilities?
With so many attacks that can be carried out against WordPress websites, we get asked this question: “Is there a guarantee that my website will be safe?” The answer is no, but you can take security precautions to block some common attacks, make it harder to access your website and secure your data by having backups that you can easily restore if your website gets hacked.
The role of the hosting provider in WordPress security
WordPress hosting is big business, and since we trust hosting providers with our digital assets, it only makes sense to know what level of security your WordPress hosting provider has.
There are many types of hosting services, but we aren’t going to cover them in this article as it is not the scope of this article; however, if you are using a hosting service that calls itself a specialist WordPress hosting provider or a “Managed WordPress Hosting” provider, then that should be a good indication that your hosting service provides support, speed, and security intended for WordPress websites.
A WordPress hosting service should provide some level of security, and that is:
- Timely server software updates
- Malware scanning.
- Automated backups.
- DDoS attack mitigation or easy integration with third-party services.
- Secure connections, SSL certificates, and SSH/SFTP access.
- Using secure hosting networks/servers.
- Uptime monitors with logs of incoming traffic.
- Real-time support.
Essential WordPress security practices
Before diving deeper into techniques to block certain types of attacks, we will first cover some of the basics or essentials of WordPress security. These methods shouldn’t be overlooked and should be taken care of by your team, client, or hosting provider.
1. Keeping WordPress updated
The first method is always to have an up-to-date version of all WordPress-related software, this includes WordPress core, themes, plugins, and any other third-party code or scripts that you may be using.
If you are using an older version of WordPress that is no longer supported, you are leaving many backdoors open for attackers to take over the website. A similar statement is true for plugins and themes. Some websites use a lot of plugins and still have older theme files on their WordPress websites. It is best to remove unwanted plugins and themes and the ones that are deactivated.
If you have multiple WordPress websites, updating and testing everything on every website will take a lot of your time. That is why it is a best practice to use a service that automates checking outdated plugins, themes, and WordPress core and gives you a single dashboard from which you can update all your websites easily.
Our WordPress security app, Patchstack, provides a central dashboard from where you have complete control over multiple WordPress websites. Patchstack automatically scans and notifies you immediately if an outdated software version runs on your WordPress website. You can also turn on the auto-update feature in Patchstack to apply any new updates to the WordPress core, themes, and plugins.
2. Use complex passwords and usernames
Using most common usernames, such as “admin,” and passwords, such as “drowssap,” will make it easier for brute force attacks to be successful. To make it more challenging, using a complex combination of passwords and usernames for each user on your WordPress website is wise.
If you run an e-commerce or any membership website, forcing users to use unique usernames and complex passwords is especially important.
3. Use secure WordPress hosting with updated software
We mentioned earlier in the article that WordPress hosting does offer some level of security for your WordPress websites and hosting servers. One essential security feature that a hosting provider should have is the ability to easily create, schedule, or automate backups and restore your website’s older versions if your website is compromised.
Some noteworthy WordPress hosting providers that provide good security along with optimized servers are:
- WP Engine
Note: The above list is not exhaustive, and we recommend that you research when it comes to choosing a hosting provider that will fulfill your security needs.
4. Use an Uptime Monitor
Some hosting companies do provide a built-in uptime monitoring service, but it is still a good idea to install your uptime monitoring service on your website. Some agencies use uptime monitors for early warnings when the website goes unresponsive.
If your website is offline, that doesn’t mean that your website is hacked or under attack. It could be that your hosting server is experiencing an outage. But in any event, it is a good idea to be warned as soon as your website goes down so that you can investigate the cause and take necessary action.
5. Change the default WP-login URL
Automated bots try to gain access to WordPress websites by conducting brute-force attacks on the /wp-admin or /wp-login.php URLs. Keeping the default login URLs makes your website open to such bots and attacks. Disabling the default login URL and using a custom URL for logging in to your WordPress dashboard is a good idea.
It is important to note that you shouldn’t simply redirect your default login URL to a custom URL, instead, you should restrict access to /wp-admin and /wp-login.php URLs.
Patchstack provides this feature and you can simply enable it under Hardening > Login Protection, you can read about this feature in our documentation here.
WordPress security important considerations
Now that we have covered some WordPress security essentials, we will define some advanced security considerations that you should implement to make your WordPress websites secure and safe.
You can use a combination of security measures mentioned below and make it a part of your WordPress security policies.
6. Use a vulnerability monitoring service for early detection
Nothing beats early warning systems. Patchstack is one such service that continuously monitors your WordPress websites for vulnerabilities, and it syncs the WordPress core, theme, and plugin versions and notifies you if you have outdated or vulnerable software installed on your website.
If there are any vulnerabilities within your code, Patchstack notifies you and blocks any malicious attacks on your websites, even if you haven’t updated your websites. This is termed vPatching.
7. Have a Solid Backup Solution
To be better prepared for any potential loss of a website and its data, it is highly recommended that you have a backup policy and that too that is multi-tiered. Meaning that you should have multiple backups created of your website on multiple sources. For example, have a backup of your website files and database on your hosting server and an offsite backup on a cloud server or storage service like (Dropbox, Amazon S3, or Google Drive).
8. Block brute force attacks and attacking IPs
These attacks have become a nuisance for WordPress websites, and the only way to get rid of them is to block attacking IP addresses. It is almost impossible to block them manually as Brute Force attacks come in from various IPs.
CrowdSec’s plugin is a good solution to combat such attacks, it comes with a behavior detection engine that logs the attacking IPs in a central database and combats the attacking IP addresses by blocking them or challenging them with a captcha.
You can also block attacking IPs, within Patchstack we notify our users of attacking IPs that you can then manually block to get rid of the attacks. Even if you do not block the attacking IPs you will be protected against attacks as Patchstack will block them. You can read about our firewall rules in our documentation here.
9. Limit login attempts
Limiting attempts to log in also secures your WordPress website against automated brute-force attacks. There are many methods to secure the login page of your WordPress websites, but limiting login attempts is a sure way to deny access to automated bots.
You can set rules on your login page to block anyone who fails to log in after a certain number of attempts. For example, you can block an IP address if it fails to log in after three attempts. There are many plugins available on the WordPress.org plugin repository to help you limit login attempts. Patchstack also has this feature built-in and you can create your own rules.
10. Add Recaptcha on the login page
A free service by Google that blocks bots by presenting a Turing test on forms. reCaptcha can be implemented on the login page and contact forms to block automated spam inputs.
Since this is a service by Google, you can be protected against numerous IPs bots use. Adding reCaptcha does add friction to your login page and forms, but it also improves the security of your WordPress website. You can easily add reCaptcha to your WordPress websites through Patchstack.
11. Use two-factor (2FA) authentication
This method adds another layer of verification to authenticate logins to your WordPress website. Adding Two-Factor Authentication on your WordPress website will greatly reduce the chances of any unauthorized access to your dashboard.
Popular methods of 2FA include adding a verification code sent to an email address, phone number, or an authenticator app that is installed on your phone.
You can either use Patchstack’s feature to enable 2FA on your WordPress websites, or you can use a plugin like Two-Factor.
12. Use a WAF
Adding a web application firewall to your WordPress websites will protect you against some of the known attacks. Cloudflare is a popular choice of WAF among WordPress users as it adds a lot of security layers that block common attacks.
Similarly, at Patchstack, we provide what we call vPatching – it safeguards your WordPress website if your website is vulnerable and there is no patch available. Our WAF at Patchstack will block potential attacks even if no security fix is available.
13. Use SSL and migrate to HTTPS
Using an SSL certificate is just as crucial as purchasing a web hosting service and a domain name. Adding an SSL certificate right from the get-go is generally a good idea.
Deploying SSL certificates and using the HTTPS protocol to access your website will encrypt any information shared between a client (visitor) and your server. It makes it harder to crack information and do man-in-the-middle attacks. Using HTTPS protocol will secure your website visitors if they are accessing your website through unsecured networks, such as public wifis that are not password protected.
Almost all hosting companies provide free SSL certificates by Let’s Encrypt. But if you are running a commercial website like an e-commerce store, membership site, or social networking forum, it is best to invest in premium SSL certificates. Paid SSL certificates provide a better level of encryption, and they come with warranties that you can claim in case your data is stolen.
14. Disable file editing within the WordPress dashboard.
By default, the file editor within the WordPress dashboard is enabled. Anyone with administrative access can edit the theme files by navigating to Appearance > Editor. You can easily avoid this security risk by simply disabling Editor access from within the WordPress admin. You can add the following line of code in your WordPress’ wp-config.php file to disable it.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
15. Disable PHP file execution
Some of the folders within a WordPress installation are writable, specifically folders under wp-content, where your themes, plugins, and images are uploaded. You can’t entirely disable permissions to write in these folders because it will stop you from uploading and installing plugins and themes.
You can, however, stop PHP code from executing in these folders. In order to do that, you will need to create .htaccess files and upload them to folders where you want to stop PHP files from executing. The “uploads” folder under the wp-content folder is where all the media files are uploaded, and hackers can find ways to trick you into uploading a file name that is named as an image but instead is a .php file with malicious code.
Create a .htaccess file with the following code and upload it to wp-content/uploads to stop all .php files from executing in that particular folder.
deny from all
16. Disable directory indexing and browsing
WordPress subfolders may become accessible in some cases, e.g., if there is a misconfiguration within your hosting server.
To be safe, it is a good idea to entirely disable the chances of directories being viewed through browsers by adding the following line of code at the end of your .htaccess file in the root folder of your WordPress installation.
You can also disable file indexing by simply enabling the option “Disable index views” within Patchstack under Hardening > Firewall > .htaccess Rules, provided that you are using Patchstack to secure your WordPress website.
17. Disable XML-RPC in WordPress
The API gives access to interact with your WordPress website remotely.
If you aren’t going to use this API, then it is better just to turn it off. Simply add the following lines of code to your .htaccess file.
# Block WordPress xmlrpc.php requests
deny from all
You can also disable XML-RPC and WP-REST API on your WordPress website if you are using Patchstack, you can find that option under Hardening > Hardening Features.
FAQs Related to WordPress Security
Is WordPress secure?
WordPress is generally a secure platform, but like any website or software, it can be vulnerable to hacking attempts if it is not adequately secured. It is important to follow security best practices and use security plugins to protect your site and prevent security breaches.
Is WordPress easily hacked?
WordPress can be hacked if it is not adequately secured. However, if you follow security best practices, use the latest version of WordPress, and use a security plugin, you can significantly reduce the risk of hacking.
What percentage of WordPress sites are hacked?
The percentage of hacked WordPress sites varies depending on factors such as the security measures taken, the WordPress version, and third-party plugins used. The estimated number or percentage of WordPress sites can not be determined. However, we see a growing number of attacks against WordPress sites with each passing year.
Which is the best security plugin in WordPress?
Many security plugins are available for WordPress; the best depends on your needs. Some popular security plugins include Patchstack, Wordfence, Sucuri, iThemes Security, and Jetpack Security. Choosing a security plugin that provides the features you need to protect your site is essential.
Do I need a WordPress security plugin?
While WordPress has built-in security features, a security plugin is highly recommended. A security plugin can provide additional protection against hacking attempts and help you detect and fix vulnerabilities in your site.
Does WordPress have built-in security?
WordPress has built-in security features such as password protection, user roles and permissions, and automatic software updates. However, it is still essential to follow the best security practices and use a security plugin to ensure the highest level of security.