The Internet is full of WordPress security advice; some good, some bad. What if you could get WordPress security advice straight from the developers of the WordPress software? You can, in the WordPress Support article Hardening WordPress. Below I'll share quotes from that article, and explain how to use them to make your WordPress site more secure.
Note: This page contains affiliate links. Please see Affiliate Disclosure.
What security is though is risk reduction, not risk elimination. It’s about … reducing the odds of making yourself a target, subsequently getting hacked.
You'll never get to the point where you can say your site is 100% secure and can't be hacked, but that doesn't mean it's not worth taking steps to become more secure.
Often, a good place to start when it comes to website security is your hosting environment.
Your WordPress website is a collection of files and a database running on a web server somewhere. If you only focus inside the WordPress software, you'll be overlooking a lot of other software that's connected to your site, such as web server software and database software. Securing those areas outside of your site are usually the responsibility of your web host. That's why it's so important to choose a host that takes WordPress security seriously. We recommend Flywheel, WP Engine, and SiteGround.
Qualities of a trusted web host might include:
Readily discusses your security concerns and which security features and processes they offer with their hosting.
Provides the most recent stable versions of all server software.
Provides reliable methods for backup and recovery.
As you evaluate web hosts, look at how they secure their systems, how they update their software, and what backup and recovery options they offer. Flywheel and WP Engine are excellent in all these areas. SiteGround does better than similarly-priced budget hosts in these areas.
Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.
Your site could be damaged by hackers, user error, software errors, natural disasters, and more. What will you do when disaster strikes your site? It's critical that you have a backup, and the ability to restore it. If you're not confident that you have a solid backup system, and that you could restore a backup in an emergency, find a company to keep your WordPress site backed up.
Do not get plugins/themes from untrusted sources. Restrict yourself to the WordPress.org repository or well known companies. Trying to get plugins/themes from the outside may lead to issues.
There are over 57,000 free plugins in the WordPress Plugin Directory, which provides WordPress plugins in a way similar to how the Apple App Store and Google Play Store provide mobile apps. Plugins here are evaluated for security vulnerabilities, so it's a safe source, though not 100% safe (as is true of repository of third-party software). Be wary of getting free plugins from other sources.
There are reputable WordPress companies that provide trustworthy plugins. For example, Gravity Forms is our favorite forms plugin.
Don't download free cracked versions of premium (paid) plugins. Not only is that theft, it's also a common way to get malware in your WordPress site.
Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. … you should always keep up to date with the latest version of WordPress.
Do you install updates on your phone and computer? Your WordPress website needs software updates too. Updates help maintain security, fix bugs, add features, and improve your site's functionality. If it's difficult for you to keep up with the update treadmill, find a company to keep your WordPress site updated.
The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.
This emphasizes again the importance of choosing a host that keeps its software updated.
If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.
If you use shared hosting (which most inexpensive WordPress hosting is), find out how your web host keeps security issues in one site from affecting other sites on the same server. You don't want your site to suffer because someone else isn't keeping their site secure. SiteGround, our favorite budget host, isolates accounts from each other to prevent issues from spreading beyond one account.
An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network.
Check your WordPress login page. Does the URL/address start with https, or http? If http, then your username and password are sent over the Internet in a way that eavesdroppers could steal them. The danger isn't very high when you're on your own home network, but it's much higher when you're on a shared network (such as open Wi-Fi at a coffee shop, hotel, or library).
The best solution is to switch your site to HTTPS, which requires a TLS certificate (sometimes called an SSL certificate). This is much easier than it used to be, thanks to many hosts offering Let's Encrypt certificates, which are usually free.
If your site isn't served over HTTPS, and must log into your site when you're not on a trusted home or work network, then you should use a mobile data connection or VPN (virtual private network) over Wi-Fi.
The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.
Password managers are excellent tools for creating strong passwords. I've used LastPass for years, and highly recommend it.
WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.
Things to avoid when choosing a password:
Any permutation of your own real name, username, company name, or name of your website.
A word from a dictionary, in any language.
A short password.
Any numeric-only or alphabetic-only password (a mixture of both is best).
In addition to using a strong password, it’s a good idea to enable two-step authentication as an additional security measure.
You probably use two-factor authentication (sometimes called two-step authentication, two-step verification, or multi-factor authentication) on a variety of websites, such as financial and social media sites. It's when you enter a code from your phone to log into a site or app. It's a good idea to add two-factor authentication to your WordPress site.
When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.
If you need to connect to your web server to edit its files, avoid using plain FTP if at all possible. Instead, use SFTP or FTPS.
The ultimate implementation of this “second layer” password protection is to require an HTTPS SSL encrypted connection for administration, so that all communication and sensitive data is encrypted.
As noted above, it's best to switch your site to HTTPS, which requires a TLS certificate (sometimes called an SSL certificate). This is much easier than it used to be, thanks to many hosts offering Let's Encrypt certificates, which are usually free.
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:
The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login, since it allows code execution. WordPress has a constant to disable editing from Dashboard.
First of all, make sure your plugins are always updated.
As noted above, it's critical to keep plugins (along with other software) updated, because updates often fix security vulnerabilities. If it's difficult for you to keep up with the update treadmill, find a company to keep your WordPress site updated.
Also, if you are not using a specific plugin, delete it from the system.
The fewer the plugins on your site, the smaller its attack surface. In other words, there’s less code for hackers to exploit. The settings for most plugins will remain in your database even if you delete the plugin, so it's easy to reinstall a plugin later if you delete it and later decide you need it. That's not the case for every plugin, so if you're concerned about it, before you delete the plugin, check if it will delete its data when it's deleted.
A website firewall can also be added as intermediary between the traffic from the internet and your hosting server. … A few companies offer such service, like CloudFlare, Sucuri and Incapsula. Additionally, these third parties service providers function as Content Distribution Network (CDNs) by default, introducing performance optimization and global reach.
We've used Cloudflare for several sites, to add a layer of security in front of the website. Some hosts have Cloudflare integrated and make it easy to enable. If your host doesn’t, you can still set it up directly through Cloudflare. As a bonus, Cloudflare is a content delivery network (CDN), so it can make your site faster, too!
Back up your data regularly, including your MySQL databases.
As noted above, it's critical that you have a backup, and the ability to restore it. If you're not confident that you have a solid backup system, and that you could restore a backup in an emergency, find a company to keep your WordPress site backed up.
A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site
Imagine that your site is backed up daily, and each day's backup replaces the previous. What if you discovered today that your site was hacked 5 days ago? You wouldn't have a clean backup to restore. It's important to take backups frequently, and keep them for long enough. That's why we take daily backups and keep them for 90 days. If you're not confident that your backup system covers situations like this, find a company to keep your WordPress site backed up.
Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your site.
As I said at the beginning of this post, you won't get to a 100% secure, unhackable site. If something happens despite your security measures, you don't want your site visitors to be the ones to tell you that your site is hacked. You want to find out before them, so you can take care of the problem.
Do you know when a hacker is trying to brute force their way into your website? Would you know if your site got infected by malware? Do you know when your plugins are out of date? If not, find a company to provide WordPress security monitoring.
You may be thinking, "Why do I have to care about all this? I have better things to do!" You're right that your time is better spent focusing on your business, not dealing with the technical details of WordPress security. That's why we provide our WordPress Maintenance Plans, to take care of WordPress security for our clients. Contact us today!