WordPress is a popular content management system (CMS) for building websites. With a market share of over 41% of all websites, it’s a prime target.
If you’re expending time, effort and money into your website, you want to keep it safe.
There may be billions of websites out there and chances of attack are low, but the ramifications can be so serious you have to take precautions.
That’s what this post is all about.
We’re going to discuss WordPress security, the threats, the common attack vectors and how to protect your website from harm.
There’s no such thing as total protection but if you follow this guide, you’ll have the next best thing!
- Common security risks for WordPress websites
- 15 Tips to secure your WordPress website
- 1. Use strong passwords
- 2. Install an SSL certificate
- 3. Regularly scan your WordPress website for malware
- 4. Choose a secure WordPress host
- 5. Enable two-factor authentication on website logins
- 6. Modify your WordPress login page
- 7. Automatically log out idle users
- 8. Use the latest PHP version
- 9. Schedule WordPress backups
- 10. Limit the number of failed login attempts
- 11. Remove unused WordPress themes and plugins
- 12. Hide the WordPress version
- 13. Disable PHP file execution with the .htaccess file
- 14. Turn off file editing
- 15. Log user activity
- Conclusion
Common security risks for WordPress websites
Learning about the types of WordPress security risks and how they work helps you stay aligned with your WordPress agency to take proper precautions to safeguard your site.
The intent of this guide is to make you aware of the risks, but not afraid of them. We’ll share 15 steps to protect your website later on.
Malware
Malware, or malicious software, aims to compromise the security and integrity of websites or systems.
Hackers attempt to infect WordPress websites using malware in various ways. For example, they exploit vulnerabilities found in WordPress core, plugins and themes.
When malware successfully infects a WordPress site, the attacker can freely manipulate the site elements, inject malicious code into ads, and alter links so they point to harmful sites.
There are several common types of malware:
- Backdoor – Provides remote access to the administrative system, so hackers can modify user permissions, steal confidential data, and take control of the website.
- Pharma hack – Infects a WordPress website with spam links that redirect to fake pharmaceutical websites.
- Malicious redirect – Hijacks buttons on ads or links and sends unsuspecting visitors to malicious sites.
- Drive-by download – Tricks visitors into downloading malware onto their computers simply by visiting an infected WordPress website.
Brute force attacks
Hackers attempt brute force attacks to gain access to a WordPress website by repeatedly trying to guess passwords and usernames with a hacking tool.
These cyber attacks are particularly dangerous for WordPress website owners who use weak or repeated passwords. Hackers only need patience and determination since they use bots that can cycle through possible password combinations in no time at all.
You can install useful apps on your Mac like CleanMyMac to protect your system from Malware as it helps in removing unwanted files and system junk.
If the attacker successfully gains access to a website, they can easily steal sensitive information, delete data, and alter how applications respond to user requests.
Several known brute force attacks are:
- Reverse brute force attack – A brute force attack technique to guess usernames with a list of commonly used passwords to gain access to user accounts.
- Credential stuffing attack – Uses lists of compromised usernames and passwords from previous data breaches to attempt to log in to other accounts.
- Dictionary attack – Involves using a predetermined list of words from dictionaries and commonly used passwords to guess yours.
- Hybrid brute force attack – Combination of two or more brute force attack techniques to increase their chances of success in gaining unauthorized access to your account.
Cross-site scripting attacks
A cross-site scripting (XSS) attack exploits vulnerabilities within a WordPress website and injects malicious JavaScript code.
The goal is to steal sensitive information, redirect visitors to malicious websites, and launch phishing campaigns.
When users land on an infected website, the malicious script will automatically run in the background and gain access to their browser, including cookies and browsing session information.
There are three types of XSS attacks:
- Stored XSS – Injects malicious code into a website’s database but the code will only run when the affected database is loaded.
- Reflected XSS – An attacker places malicious code into a web application through user input to hijack browsing sessions and steal sensitive information.
- DOM-Based XSS – Utilizes a harmful script in a Document Object Model (DOM) application and attempts to steal the target’s personal information.
Distributed denial-of-service attacks
A distributed denial-of-service (DDoS) attack floods a targeted system or a high-traffic network with multiple compromised devices, known as botnets. Its purpose is to overwhelm and make the system or network inaccessible.
DDoS attacks can cause significant disruption to companies or businesses, leading to damaged reputation, decreased productivity, and lost revenue.
Hackers also use this cyber attack to distract a company’s security team so they can carry out other attacks like injecting malware.
There are three common types of DDoS attacks:
- Protocol attack – Exploits vulnerabilities in TCP/IP, ICMP, or DNS and then overloads the targeted website with a huge amount of traffic.
- Application layer attack – Targets web applications or web servers using automated scripts or bots that mimic usual user traffic.
- Volumetric attack – Floods the network’s bandwidth or resources with botnets, overloading it with huge amounts of traffic.
Structured query language injections
A Structured Query Language (SQL) injection is a WordPress security risk targeting SQL databases. If the attack successfully breaches a website’s database, the attacker will inject malicious SQL code or scripts into a login page or a search box.
An attacker can easily insert harmful SQL commands into the input field and trick the web application into executing them. These commands include inserting, modifying, and deleting the WordPress databases.
The most common types of SQL injection attacks are:
- Inferential SQL injection – Hackers exploit vulnerabilities in the website’s code or input fields using logical inference and timing techniques allowing them to execute SQL commands or inject malicious code.
- In-band SQL injection – Also known as a traditional SQL injection. It retrieves, modifies, or deletes data from the database by executing SQL statements to vulnerable input fields, such as a search bar or a login form.
- Out-band SQL injection – Uses different communication channels, such as an email or a DNS query, to extract valuable information or data from a targeted website’s database.
There are other threats out there, but those listed above are the most common.
Now you know the threats, let’s show you some effective methods to secure your WordPress website against them.
15 Tips to secure your WordPress website
The popularity of WordPress works for it and against it. It’s so good at what it does and so popular, it’s a natural target for anyone who wants what you have.
Fortunately, there are some simple, effective measures you can take to protect yourself from the majority of risks and take control of your data.
- Use strong passwords
- Install an SSL certificate
- Regularly scan your WordPress website for malware
- Choose a secure WordPress host
- Enable two-factor authentication on website logins
- Modify your WordPress login page
- Automatically log out idle users
- Use the latest PHP version
- Schedule WordPress backups
- Limit the number of failed login attempts
- Remove unused WordPress themes and plugins
- Hide the WordPress version
- Disable PHP file execution with the .htaccess file
- Turn off file editing
- Log user activity
Let’s discuss each point in a little more detail.
1. Use strong passwords
A strong password is an essential security feature for WordPress websites as it helps protect user accounts and personal information from unauthorized access.
The stronger the password, the harder it will be to crack.
Follow these tips to create strong passwords for your WordPress website:
- Use a combination of uppercase and lowercase letters, numbers, and symbols to make it harder for hackers to guess the passwords.
- Create passwords containing at least 15 characters to increase the complexity and strength.
- Avoid using easy-to-guess phrases, such as the combination of your name and your birth date. Hackers can use multiple brute-force attack techniques to guess your passwords.
- Avoid using the same passwords across multiple accounts, such as your WordPress account, web hosting, and email. Otherwise, you might fall victim to credential-stuffing attacks.
- Use a password manager instead of storing your passwords in your local computer or web browser. Several popular password managers are 1Password, Bitwarden, and NordPass.
2. Install an SSL certificate
Establishing a secure connection is important as it helps protect user data, build customer trust, and improve the site’s visibility on search engines.
One of the best methods is to install an SSL certificate on your WordPress website.
Short for Secure Sockets Layer, SSL is a cryptographic protocol that establishes an encrypted connection between a web server and browsers. During the communication encryption process, SSL implements two security layers – the SSL Record Protocol and SSL Handshake Protocol.
The following is a brief overview of how SSL works:
- When a user’s browser attempts to connect to your WordPress website, it initiates an SSL connection to a web server by requesting an SSL version and supporting cryptographic algorithms.
- The web server responds to the request by providing its SSL version, selected chipper suite, and digital certificate.
- The web browser verifies the digital certificate and authenticates the server’s identity. Then, it generates a random session key, encrypts it with the server’s public key and sends it back to the server.
- The web server decrypts the session key using its private key. After that, the two parties exchange messages to establish the SSL connection parameters.
- Once the SSL connection is established, the user’s web browser can securely communicate with the web server. Visitors can safely create an account and purchase a product or service from the website.
Most web hosting providers already include a standard Let’s Encrypt SSL for free in their plans.
You can also use your own SSL certificate instead using your web hosting control panel.
3. Regularly scan your WordPress website for malware
The total number of malware infections on WordPress sites remains consistent, with roughly 310,000 sites infected in December 2022.
Hacked WordPress sites will show several indications, such as poor performance and falling search engine rankings.
It’s crucial to take preventive action, like regularly scanning your WordPress website using a security plugin with a malware scanner, such as Wordfence, iThemes Security, and Sucuri.
For this tutorial, we will show you how to perform a malware scan using the Wordfence plugin:
- Log in to your WordPress dashboard.
- Install and activate the Wordfence plugin.
- Complete the Wordfence installation process by choosing a plan and activating the license key.
- Once finished, go to the Scan page under the Wordfence section.
- Select Manage Scan and choose Limited Scan, Standard Scan, High Sensitivity or Custom Scan.
- Return to the Scan page and click the Start New Scan button.
- Once completed, you can see the scan log by clicking View Full Log or Show Log.
4. Choose a secure WordPress host
Web hosting providers play a crucial role in providing a secure experience. Therefore, choosing a reliable web host is important for your long-term success.
However, deciding on a suitable hosting provider can be challenging as there’s usually marketing and lots of technical jargon to contend with.
Consider the tips below to help you find the most suitable web host:
- Security measures – Find out what security measures the web hosting provider uses to protect their servers and data centers against digital and physical security threats. Look for one that provides firewall protection, security monitoring tools, and intrusion detection.
- Security features – Ensure the hosting company offers powerful features and tools, such as DDoS protection, a malware scanner, free SSL certificate, as well as automatic backups and updates.
- Reliable support – Check the level of support the hosting company offers in case you experience issues. Choose a web host with a reliable 24/7 support team and a dedicated security team.
- Reputation – Read client reviews and testimonials to see whether the web hosting company offers robust security protection.
There are hundreds of quality web hosts to choose from, take your time, perform your research and you should be fine!
5. Enable two-factor authentication on website logins
Having only a password to protect your website and important data is not enough to prevent sophisticated brute-force attacks.
By implementing 2FA, you must provide two different authentication factors to verify the identity so that you can access the website. They can be passwords or PINs, physical tokens, app codes or biometric data like a fingerprint.
If someone guesses your password or login, it’s much harder for them to access that second factor. Without your fingerprint, SMS code or other verification, the attacker won’t be able to access your website.
That’s the strength of 2FA.
The only drawback is that WordPress doesn’t have a built-in 2FA feature, meaning you need to install a plugin. Wordfence is one of the most popular WordPress security plugins offering a variety of security features and tools, including 2FA.
6. Modify your WordPress login page
Changing the login page URL helps secure your WordPress website from cyber threats like brute force attacks. This URL is where you enter your username and password to access the WordPress admin panel.
By default, all WordPress website’s login page URLs are the same – https://example.com/wp-admin. As a result, having this default URL can make you an easy target for hackers.
You can use a WordPress plugin, such as Change wp-admin login and WPS Hide Login, to enable a custom WordPress login page URL.
Changing the /wp-admin URL is a small change but one that can protect you from many automated attacks.
7. Automatically log out idle users
Hackers can target idle user accounts that remain logged on a shared network, such as public WiFi. It’s important to log out right after a period of inactivity, but sometimes we forget.
Open sessions are a marginal threat but the solution is so simple, we recommend using it.
There’s a great plugin like Inactive Logout to help handle the problem. It automatically logs idle users out and sends a custom notification telling them the website session will finish soon.
The basic plugin is free to use and simple to set up. There’s absolutely no reason not to try it!
8. Use the latest PHP version
Short for Hypertext Preprocessor, PHP is a popular open-source scripting language for server-side programming. It is especially useful for creating dynamic web pages and applications, as it lets developers write code that can interact with files and databases.
PHP is the core language for WordPress and enables functions like managing databases, handling user requests, and allowing developers to customize websites.
Therefore, updating your WordPress PHP version is crucial as you will get the latest features, bug fixes, and security patches.
Using the latest PHP version ensures the compatibility of WordPress with the newest technologies and helps deliver a better user experience.
Here are some tips to securely update or modify your WordPress PHP version:
- Check the PHP compatibility with the WordPress version. Before starting the PHP update process, check whether your WordPress version is compatible with the latest or specific PHP version.
- Create a staging site environment. If updating the PHP version on the live production site feels risky, consider creating a staging environment. This way, you can test whether the new PHP version works as expected while you can see if there are any conflicts with plugins or website performance.
- Temporarily disable plugins. Some plugins might not support the latest PHP version. We recommend disabling your plugins before updating. Then, you can activate them individually to see if there is any compatibility issue with the installed plugins.
- Back up your WordPress site. Create a backup of your WordPress files and database. You then have a copy in case you encounter an unexpected error after the update.
- Contact your host’s customer support. We highly recommend contacting your web hosting provider’s support team if you are unsure which PHP version to use. You can also ask them to update the PHP version for you if you like.
9. Schedule WordPress backups
Creating a regular WordPress backup schedule is another crucial task for securing your website. While we’re helping you secure your WordPress website, a backup can help in case they still get through.
Having a backup file is also useful if you change your design, mess up custom CSS or have some kind of accident when configuring your website.
The easiest way to back up your WordPress site is by using a plugin.
WordPress offers a variety of great plugins for backing up your website, such as UpdraftPlus.
Here’s how to schedule a backup with UpdraftPlus:
- Go to Plugins → Add New, then search for the plugin.
- Once the plugin is activated, navigate to Settings → UpdraftPlus Backup.
- Go to the Settings tab. Then, set the Files backup schedule and Database backup schedule, such as Weekly or Fortnightly.
- Click Save Changes to finish the process.
Many hosting companies offer an automatic backup feature. We would recommend using that as well as having your own.
That way you’re doubly protected!
10. Limit the number of failed login attempts
Limiting the number of login attempts on a WordPress website is important security mitigation to help prevent unauthorized access and protect user data. It’s especially useful for protecting your website against brute force attacks.
A WordPress security plugin like Limit Login Attempts Reloaded is a great tool for restricting the number of login attempts. It has a safelist of IPs and usernames, logging of blocked attempts, and is compatible with Wordfence and Sucuri plugins.
Setting up the Limit Login Attempts Reloaded plugin is relatively straightforward.
Here’s how:
- By default, the plugin will set four allowed login attempts and lock any user who fails to provide the correct login credentials for 20 minutes. To change this number, head to Limit Login Attempts → Settings.
- Under the App Settings section, change the values of the Lockout option. For example, you can change the allowed retries, minutes lockout, and hours until retries are reset.
- Confirm the changes by clicking the Save Settings button.
One of the drawbacks of using this WordPress security plugin is that legitimate users might get locked out of the WordPress admin panel if they repeatedly enter the wrong credentials.
You can overcome that by providing an email address or chat address they can request a reset.
11. Remove unused WordPress themes and plugins
Keeping unused WordPress themes and plugins might pose security threats if they aren’t regularly updated.
This is another of those marginal risks but can also keep your database tidy and free up disk space so it’s well worth doing.
To remove unused WordPress plugins, follow the steps below:
- On the WordPress admin page, navigate to Plugins → Installed Plugins.
- Remove the unused plugin by clicking the Delete button. If there are multiple plugins, select them all by clicking the radio button.
- Click the Bulk actions dropdown menu and select Delete. Click Apply to confirm the action.
As for deleting unused WordPress themes, follow the instructions below:
- Go to Appearances → Themes.
- Choose the unused theme and click Theme Details.
- Click Delete to remove the theme. Note that you can only delete one theme at a time.
This is a useful housekeeping task as well as security so is well worth doing if you’re experimenting with different themes and plugins.
12. Hide the WordPress version
Different WordPress versions have different strengths and weaknesses. Hiding the version you’re using means any hacker is going to have to guess, making their attack less effective.
It’s another marginal gain but is so easy to do, it’s well worth doing.
You’ll need to insert a code snippet into the functions.php file. Don’t worry, it’s very easy to do.
Here’s how:
- From the WordPress dashboard, navigate to Tools → Theme File Editor.
- Go to Select theme to edit, and choose your active theme from the dropdown menu. Click Select.
- Under Theme Files, select Theme Functions to open the functions.php file via the text editor.
- Go to the bottom line and paste the following code snippet on the text editor:
function dartcreations_remove_version() {
return '';
} add_filter('the_generator', 'dartcreations_remove_version');
- Add the following code to remove the WordPress generator meta tag, as it also displays the WordPress version:
remove_action('wp_head', 'wp_generator');
- Finish the process by clicking the Update File button.
A potential attack will now not be able to identify your WordPress version, making your site slightly more secure.
13. Disable PHP file execution with the .htaccess file
The .htaccess file plays a vital role in ensuring your WordPress website works as intended. It contains rules that limit content visibility and control access to certain areas of the website.
The .htaccess file also lets you block malicious requests from unauthorized IP addresses and disable PHP execution on specific folders.
There are two ways of enhancing WordPress security using the .htaccess file. We will use the .htaccess file to disable the PHP execution in the Uploads folder since hackers often target it by uploading malicious backdoor scripts.
To demonstrate the steps, we will use the cPanel File Manager:
- On the cPanel dashboard, click File Manager under the Files section.
- Go to public_html → wp-content → uploads.
- Create a new file by clicking the File icon on the toolbar. Type .htaccess in the New File Name field. Ensure the file’s location is set to public_html/wp-content/uploads.
- Open the file via a text editor and paste the following code:
<Files *.php>
deny from all
</Files>
- Click Save Changes to finish the process.
Another way to secure your WordPress site is by implementing the .htaccess rules or code into the wp-config.php file.
This file has WordPress core files and MySQL database details which often become hackers’ primary target.
Follow the steps below:
- On cPanel’s File Manager screen, open the wp-config.php file in the public_html folder.
- Scroll down to the bottom of the line and enter the following .htaccess rules:
<files wp-config.php>
order allow,deny
deny from all
</files>
- Save the changes.
You have now denied access to upload files and execute PHP files. Two common methods of attack for WordPress websites!
14. Turn off file editing
All administrator users can edit theme code directly from the dashboard, which isn’t the most secure way of working.
Hackers can potentially inject malicious code or scripts into your theme and eventually take control of your website and we don’t want that!
Turning off the file editing feature is useful to prevent hackers accessing WordPress site code.
To do that:
- Access cPanel File Manager.
- Open the wp-config.php file located in the public_html folder using a text editor.
- Add the following line of code:
define( 'DISALLOW_FILE_EDIT', true );
- Save the changes.
If you want to re-enable the file editing, open the wp-config.php file and remove the code.
15. Log user activity
Logging user activity means keeping records of what logged in users are doing on your WordPress website.
While spying on people isn’t great, being able to trace exactly what someone did, where and when can help a lot when tracing an attack or nefarious activity.
Keeping track of user activity is also a great WordPress security measure for several reasons:
- Detecting suspicious activity. Tracking all actions performed on your website is great for detecting any suspicious behavior that potentially risks your site’s security.
- Identifying security vulnerabilities. User activity logs can help identify security vulnerabilities. For example, if the log shows multiple login attempts, it might indicate a sign of a brute-force attack.
- Investigating security incidents. If a security incident occurs, user activity logs can help you investigate the causes and take the right mitigation to prevent similar incidents from happening in the future.
The easiest way to record user activities is by utilizing a WordPress plugin. There are various user logging plugins, such as WP Activity Log or Activity Log.
We will show you how to log user activity using the WP Activity Log plugin:
- Install and activate the WP Activity Log plugin.
- The plugin automatically displays a popup window asking whether you want to run the setup wizard. Click Yes to confirm.
- On the WP Activity Log’s configuration wizard, click Start Configuring the Plugin.
- Choose the Geek option to know all activities on your website in the Log Details section. Then, click Next.
- On the Log In section, click Yes if you use a custom WordPress login page or No if you use the default one. Click Next to continue.
- Choose whether you want visitors to register as users and click Next.
- In the Log Retention section, decide how long to keep the activity log data. The minimum log retention time is six months. Then, click Next and finish the configuration.
The WP Activity Log plugin displays any log activity information from your site visitors, and you can see the log details, such as log ID, user, IP address, event type, and message.
Conclusion
Implementing WordPress security best practices can help minimize cyber attacks and boost your site’s reliability and credibility.
Your website may never be attacked or hacked, but you don’t know that. Just like car insurance, it’s better to have it and not need it than need it and not have it.
Considering securing your website takes less than an hour and uses a bunch of free tools, there’s absolutely no reason to not do it!