Here's my "Making & Keeping WordPress Secure" presentation, which I presented to the WordPress Greenville meetup group. The rest of this blog post gives more detail than these slides.
Note: This page contains affiliate links. Please see Affiliate Disclosure.
An ounce of prevention is worth a pound of cure. It's better to put your energy into preventing your site from being hacked, than to spend it on responding to a hack.
Create strong passwords. Use 20+ characters. Use uppercase, lowercase, and special characters. Use a password manager like BitWarden to generate strong passwords.
Store passwords securely. Keep them in a password manager like BitWarden.
Share passwords securely. Many password managers like BitWarden have a feature for sharing with other users of the same password manager. You can also use an encrypted messenger like Signal. Don't send passwords by email or SMS/text message!
Use SFTP or FTPS, not FTP. Plain FTP sends your password in cleartext, where eavesdroppers can see it. SFTP (FTP over SSH) and FTPS (FTP over TLS) are the encrypted alternatives.
Ensure that each WordPress user has their own account. WordPress accounts shouldn't be shared. If each user has their own account, it's easier to track who does what on the site, and to cut off access when someone no longer needs it.
Give each user the lowest role possible. The User Role Editor plugin can fine-tune permissions.
Using a managed WordPress host is probably the easiest way to improve security, because they handle so much of the network, server, and site security for you.
We recommend Flywheel and WP Engine, though there are other good managed WordPress hosts.
Even though managed WordPress hosts handle many aspects of security for you, it's worth checking if you should do anything else. Check your host's support documentation, or ask them.
Some budgets don't allow for managed WordPress hosting. If that's the case for you, you may end up using shared hosting. In this space, we recommend SiteGround.
Shared hosts may offer security add-ons. For example, SiteGround has their SG Site Scanner. Some hosts' security scanners will notify you of malware, but won't remove it. Find out what your host does.
Because shared hosts usually don't offer the same level of security as managed hosts, you should consider a security plugin. Be sure to weigh the pros and cons. Some potential downsides of security plugins:
These are some of the best-known WordPress security plugins:
The free versions of these plugins usually have limited features, and you can pay for the premium versions of the plugins for more features.
Hardening is the process of increasing your site's defenses. Managed hosts may handle some or many of these for you, so find out what they do before you proceed with these steps.
Put the code from Securing wp-config.php in your .htaccess file. This denies access to anyone looking for the wp-config.php file.
Put the code from Securing wp-includes in your .htaccess file. This blocks scripts from running where they shouldn't.
Put the code from Disable File Editing in your wp-config.php file. This disables the file editors which are built into the WordPress admin area. If a hacker gets access to the admin area, they can use these file editors to edit the code of your plugins or themes. You shouldn't be editing your site using these editors anyway (you should be using SFTP/FTPS or version control).
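As an added illustration (not code from the original post or from WordPress itself), here is a small Python audit that checks an install directory for the three hardening items above: the `DISALLOW_FILE_EDIT` constant in wp-config.php, a `<files wp-config.php>` deny block in .htaccess, and the Codex rewrite rule that forbids direct requests for PHP files under wp-includes. The hardened snippets it looks for are the standard Codex ones; the "weak" sample files are constructed for comparison, and the script assumes the usual layout with wp-config.php and .htaccess in the install root.

```python
import re
from pathlib import Path

# Hardened settings the checks look for (the WordPress Codex snippets the post refers to).
HARDENED_WP_CONFIG = "define('DISALLOW_FILE_EDIT', true);"
HARDENED_HTACCESS = """\
<files wp-config.php>
order allow,deny
deny from all
</files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
"""
# Constructed "before" files: the constant is only commented out, and nothing is denied.
WEAK_WP_CONFIG = "// define('DISALLOW_FILE_EDIT', true);\ndefine('WP_DEBUG', false);"
WEAK_HTACCESS = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n"

def file_edit_disabled(wp_config: str) -> bool:
    """True when DISALLOW_FILE_EDIT is defined as true on a line that is not commented out."""
    for line in wp_config.splitlines():
        code = line.split("//", 1)[0].split("#", 1)[0]  # ignore trailing PHP comments
        if re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", code, re.I):
            return True
    return False

def wp_config_denied(htaccess: str) -> bool:
    """True when a <files wp-config.php> block denies all access (Apache 2.2 or 2.4 syntax)."""
    m = re.search(r"<files\s+wp-config\.php\s*>(.*?)</files>", htaccess, re.I | re.S)
    return bool(m) and ("deny from all" in m.group(1).lower() or "require all denied" in m.group(1).lower())

def includes_blocked(htaccess: str) -> bool:
    """True when the rewrite rule forbidding direct PHP requests under wp-includes is present."""
    return any(s.strip().startswith("RewriteRule") and "^wp-includes/[^/]+\\.php$" in s and "[F" in s
               for s in htaccess.splitlines())

def audit(root) -> dict:
    """Run all checks against an install directory; a missing file counts as a failed check."""
    root = Path(root)
    def read(name):
        p = root / name
        return p.read_text() if p.is_file() else ""
    cfg, ht = read("wp-config.php"), read(".htaccess")
    return {"file_edit_disabled": file_edit_disabled(cfg),
            "wp_config_denied": wp_config_denied(ht),
            "includes_blocked": includes_blocked(ht)}

if __name__ == "__main__":
    for name, ok in audit(".").items():  # run from the WordPress install root
        print(f"{'OK ' if ok else 'FIX'} {name}")
```

A failed check is a prompt to add the corresponding Codex snippet, or to confirm with your managed host that they enforce the same restriction at the server level.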
Ensure that no admin account is named admin, because hackers look for that account. If it exists, create a new account to replace it, then delete the admin account.
Add brute-force protection to prevent hackers from repeatedly trying to break into your site. Use Login LockDown or a similar plugin. Security plugins often include brute-force protection.
Add a TLS/SSL certificate. This encrypts the communication between your website and your visitors' browsers, preventing eavesdropping. Your entire site should run over HTTPS (all URLs should start with https rather than http).
Consider Cloudflare, which includes a firewall, for an extra layer of protection.
Add two-factor authentication (2FA) to your site. That way, even if a hacker acquires or guesses a username and password, they won't be able to log in without a 2FA code. Use Google Authenticator or a similar 2FA plugin. Despite that plugin's name, it works with 2FA apps besides Google Authenticator, such as Authy.
Before I say anything about updates, I need to warn you to always back up your site before installing updates. You should have automatic daily backups, but it doesn't hurt to take another manual backup before updating, especially if it's a significant update.
Because hackers start exploiting vulnerabilities as soon as they learn about them, in general you should install updates as soon as possible. However, you need to consider that updates sometimes break sites, so weigh that risk against the security risk of delaying updating.
For plugins that are more likely to contain bugs that can break features of your site (such as Yoast SEO and WooCommerce), check the plugin's changelog before updating, to see what changes the update includes. If the update doesn't include any security fixes, consider waiting a few days to update, while others act as guinea pigs to discover any bugs the plugins may contain.
Backups should happen automatically. Ensure your backup system is automatically taking backups at least daily.
You can use a management tool such as ManageWP, or a backup plugin such as UpdraftPlus or BackWPup.
You should have at least one set of backups stored off-site, on a system not owned by your hosting company, and in a location far from your web server. That's because if your hosting company has a problem, you don't want to lose access to your site and your backups. Sadly, I've seen that happen.
Keep backups for long enough; I recommend at least 30 days. People don't always discover website problems as soon as they occur; sometimes days or weeks pass. By keeping backups for a month or more, you'll be able to grab files or database records from before the problem occurred.
WordPress security isn't "set it and forget it"; you need to monitor your site's security.
Monitor suspicious login attempts. Brute-force protection plugins (mentioned earlier) will often do this for you. Have some way of being notified when someone is trying to break into your site, or a rule in place that automatically blocks such attempts.
Consider an activity log. ManageWP will track changes made to your site through that tool. You can also consider a plugin such as WP Activity Log. Activity logging is included in several security plugins.
All the code that makes up your site contributes to its attack surface. Think of a house; the more windows and doors, the greater the risk that someone can find a way in. With your website, the more code and user accounts are in place, the more opportunities for hackers to get in. Remove anything that's not truly necessary.
Remove unnecessary plugins, themes, and users.
Simply deactivating plugins and themes isn't enough, because the code is still present on your site. You must delete them.
No defense is 100% effective. Even if you do all the above prevention steps, there's still the chance your site could be hacked. Let's consider what to do in that unfortunate situation.
There are 3 entities that can deal with a hacked site:
If you decide to clean a hacked WordPress site yourself, be sure you know what you're doing, or you'll likely miss malware or leave the hacker a way to reinfect the site.
You probably don't have a WordPress website because you want to spend time on website security. You probably want to be running your business, not worrying about security issues. Why not let someone else focus on securing your website? Contact OptimWise and get back to doing what you do best.