Creating your own WordPress site is both exciting and overwhelming. There’s a lot you need to do to set everything up, from picking out a theme to writing your first blog post. Yet, the one factor many people neglect is security.

WordPress is very beginner-friendly and easy to learn, but that comes with some caveats. Hackers like to take advantage of relatively inexperienced users and breach new websites. They do so to get access to sensitive information or use the site to spread malware to unsuspecting visitors.

After all, WordPress powers almost 35% of the web. That means more than a third of all sites share similar vulnerabilities, making it a lucrative target for hackers. So is WordPress still really worth using? Aren’t we just opening ourselves up to being hijacked?

The truth is, with the right knowledge, using WordPress is arguably just as safe, if not safer, than making your own website. It’s impossible to develop an impregnable website that will never ever be breached. Even if you’re trying to create your own site from scratch, remember that you’re on your own.

WordPress users have access to hundreds of resources, like this one that can help patch security holes, making it all but impenetrable. Let’s go over the pros and cons of WordPress security in detail, and give some tips for making your website safer.

WordPress: Is an Open Source Product Really Secure?

WordPress is open source, which means that the code that runs your website is free to be examined by anyone who wants to. This includes hackers searching for vulnerabilities to exploit. With that in mind, is it safe to use open source platforms?

As it happens, using open source platforms can be much safer than making your own site, especially if you have no idea what you’re doing. Many programmers will have an understanding of how to make a secure system, but you’ll often need to hire a security engineer to be fully protected. And even then, you’ll have to maintain your own code and keep it updated, and that’s expensive.

WordPress’ code isn’t only scoured by hackers. It’s also maintained by the WordPress security team, volunteer developers, ethical white hat hackers, and other interested parties with good intentions. So even if something slips through, there’s a good chance it’ll be caught fast.

Most security breaches aren’t even caused by a vulnerability in an up-to-date WordPress installation. They happen because people don’t keep WordPress and its plugins up to date, they may install malicious software accidentally, or use insecure passwords. If you follow good practices, chances are you’ll be perfectly safe.

That said, let’s dive into some of the things you can do to protect your WordPress site.

WordPress Security: 9-Step Checklist

1. Choose Secure Hosting

One major factor behind these security vulnerabilities is low-quality hosting

Invest in a host that places high value on security. You aren’t doing yourself any favors if you feel that cheaper hosting costs outweighs security. Part of your market research must include looking into the hosting company’s security record. Are they security-conscious? Do they rely on latest technology and standards? 

This is also true for shared hosting. While it is a cheaper option, it also means that you’re sharing server space with other customers. Unfortunately, all it takes is for one website to get infected, and the malware to spread across every site on the network. 

This is why we should consider upgrading to cloud, VPS, or dedicated hosting when we can afford it.

In addition, we should be looking for a host that offers the following services:

    • Up to date server software – Too many hosts still run on PHP 5, which has long lost support. At this point in time, servers should at least use PHP 7.0+. The same goes for other software like cPanel, MySQL or other database programs, and the operating system.

    • Malware monitoring and removal – Pick a host that actively makes an effort to detect and prevent malware infections, and possibly offers malware scanning and removal for when you do get breached. Not all web hosts have a policy for removing malware from an infected site, and among those that do, some will charge extra for this service.

    • Firewalls and other security measures – There are many ways that hosting providers can increase their server security. Possibly, the most effective among them is to rely on a firewall as it prevents unauthorized outside access to the server. It might be a good idea to check whether a provider has this and other means of prevention in place before making a choice.

2. Install an SSL Certificate

A Secure Sockets Layer (SSL) certificate encrypts the data served between the user and your website. SSL grants you an https URL and a certificate to go with it, without which users will receive a red “Not secure” notification in the address bar when visiting our site.

Browsers are increasingly blocking access to websites without SSL, making this a must-have for any WordPress website.

Migrating your WordPress website to HTTPS can be a difficult process for existing websites. Your website is migrated by following these four steps, which can easily be automated with Really Simple SSL. 

1. Acquire your SSL certificate. As SSL has become the golden standard, most hosting providers will set you up with a free certificate which can be activated in your hosting dashboard. If your hosting provider charges you for an SSL certificate, or doesn’t provide one at all, you can generate your free Let’s Encrypt certificate.

You can also turn to IdenTrust and Comodo for SSL certification
 

2. Activate SSL. Once your SSL certificate is installed, you can easily activate it with the free Really Simple SSL plugin

3. Upgrade all requests to https. Now that your site is secured over https, you’ll want to prevent any visitors from (deliberately or accidentally) visiting the insecure (http) version of your site. This is usually done with a 301 redirect. All links to used resources on your site (eg. Images, scripts, etc.) will need to be updated to https to prevent your visitors from seeing an ‘insecure site’ warning in their browser

4. Enforce SSL. To further secure your site, you can add security headers to your site, which further enforce SSL and add an extra layer of security

3. Back-Up Your Website

Before you even begin making changes to your site, before updating WordPress or installing a plugin, the very first thing you should do is set up your backups. This way, no matter what the worst case scenario is, an accidental change to the code, WordPress glitch, a corrupted database – we have a solution.

Even if our site gets hacked, and the damage is irreparable, we won’t have to build it all over again from scratch.

Manual backups, copying files and transferring them manually to hard-drive or cloud, are the free but time-consuming. True, we can do this as often (once a day) or as rarely as we want. Although a backup done once every 6-months might be a little risky.

Check to see if your host offers weekly, monthly, or daily automated backups. This service is usually commercial, but occasionally free. If this is the case, and your host backs up both your files and database, you don’t need to do anything else. Though it may be a good idea to keep a few manual backups just in case.

WordPress Backup Plugins

UpdraftPlus

If our host doesn’t offer website backups, or if the backup provided by our host excludes files or our database, we can also rely on plugins.

It’s a good idea to have at least a solid solution for each website you own or administer, and WordPress backup plugins can provide that extra layer of protection.

iThemes is one good example. This security plugin offers free database backups, along with its suite of tools and patches. Their related plugin BackupBuddy allows you to do a full site backup as well.

Free or freemium plugins like UpdraftPlus, BackUpWordPress, and VaultPress also do the job efficiently and are worth checking out. 

Remember that even if you decide to rely on a backup plugin, you will still need a security plugin, such as Wordfence, if you want to stay safe.

Don’t wait till it’s too late. Setting up your security at the last minute is as effective as fixing the holes in your roof during a rainstorm. 

Spending an hour or so to set up your backups and security will save you months, perhaps even years of work.

4. Keep Your Plugins and Theme Secure

If you’ve chosen a good host, and your backups are set up, you have a fairly good security infrastructure in place. But there are still a few more things that you should do to fully secure your site. 

An outdated plugin or an insecure theme is the huge gateway for infiltrating your website. Keeping them updated helps to patch up potential holes, preventing this from happening.

Updating your site components is as simple as going to your WP admin dashboard and checking for update notifications under Dashboard > Updates.

Dasboard plugin updates

Mark any themes or plugins you want to update by ticking the boxes, then click the button at the top/bottom to start updating them. If you have a habit of ignoring these alerts, it’s time to stop. 

As you know, plugins and themes can be updated through the Plugins and the Themes tabs. Also, not all premium third-party themes push automatic updates, so you might want to check their websites every now and then.

More importantly than updating your plugins and themes is keeping WordPress up to date.

39% of hacked WordPress sites were outdated. Sometimes you may need to push off an update because it may interfere with a plugin you’re using, but eventually you may have to lose the plugin to save your site. Leaving WordPress outdated for months is possibly the worst thing you can do.

(Pro tip: Always back-up your site before introducing updates. Just in case there is a hiccup.)

While you’re at it, you should remove the version number from your source code.

By default, WordPress websites carry a meta tag containing the WordPress version number that the site is using. We have to agree with security specialists that this just makes life too easy for hackers. 

You can manually remove WordPress’ version number by placing some simple code into your functions.php file. If, as we’ve suggested, you are using a WordPress security plugin, many of them hide your WP version automatically. If you’re considering using a performance plugin, the Perfmatters plugin also includes an option to hide WP version.

5. Install Plugins and Themes From Reliable Sources

Another big mistake WordPress users make is getting their plugins and themes from unreliable vendors. A bad theme or plugin can corrupt, deface, or inject malware into your pages. 

Third-party websites and developers are not endorsed by WordPress, and as such, you never know what you’re getting. It would be best to avoid anything coming from unknown websites. If the plugin in question has many positive reviews and seems to be popular, it should be safe enough to install. 

Bad plugins can slip through the cracks.

Even if a plugin is in the official directory, it is not guaranteed to be safe. Before downloading anything from the repository, take a look at the stats listed in the sidebar on the right of the page. Avoid downloading plugins that haven’t been updated over the last year or more, have less than a few hundred installations, or receive low ratings. 

The same is true for themes. WordPress offers a some themes in the theme repository (including our own Hello theme). If, like many users, you’re looking for more variety, be sure to only purchase your themes from vendors and creators who are trusted and well-known in the community.

You should avoid “nulled” WordPress plugins and themes. Nulled software is a term used for premium plugins distributed for free, and without permission.

Besides being questionable and possibly illegal, nulled themes and plugins are a huge security risk. By relying on a developer already acting unethically to not include malware in the code, is about as sensible as asking a mouse to guard your cheese.

Some nulled distributors include code that causes excessive ads to appear on your site, distribute malware, or outright corrupt your database. Plus, you won’t have access to any updates, and that can leave you vulnerable to attack when the software becomes outdated.

All in all, it’s well within our best interest to avoid nulled plugins all together, and only install software from the WordPress repository or trusted vendors.

6. Disable File Editing

WordPress comes with a set of easy-to-reach theme and plugin editors. You can find them under Appearance > Theme Editor and Plugins > Plugin Editor. These allow direct access to your site’s code.

While these tools are useful to some, many WordPress users aren’t programmers and will never need to touch anything here. Playing around with this code without knowing what you’re doing is a sure way to break things. If you are such a user, it’s best to just disable file editing, as hackers can use the file editor to quickly execute malicious code or delete entire parts of your website. Disabling this slows them down.

You could also turn off the theme and plugin editors with one line of code in wp-config.php. If you end up needing to edit your site or plugins, just temporarily turn them back on. Alternatively, you can edit them via an FTP client.

Disabling file editing won’t necessarily prevent attackers from doing damage, but it can confuse less experienced hackers and stop them in their tracks. At the very least, it’ll make it a little more difficult for them and give us more time to realize something is wrong.

7. Strengthen Your Login Process

When someone figures out your password without resorting to exploiting the site’s code, it’s most likely a result of brute force attacks. This involves forcibly trying various combinations of letters and numbers until they get the password right.

Sometimes a potential attacker will try common combinations, before moving on to using programs run an automated process that tries several random password combinations per second.

If you’re beginning to feel as though you might as well give up all hope of keeping your sites secure, don’t. There are tons of ways to slow down hackers, deter, and even prevent attackers from doing things like brute force attacks.

WordPress’ default installation relies on a similar login path each time. Making this a prime and easy target for hackers trying common or easily guessable passwords.

The reason that so many people continue to use WordPress is that many of these issues are easily fixed.

8. Create a Strong Login Combination

The first and most important step is to choose a proper username and password. We could hide the login page under a different URL, but if you’re login is something as mundane as admin/password, it wouldn’t make any difference once hackers find it. 

Here’s a list of usernames you should definitely avoid.

  • Admin – This used to be the default username for WordPress and is, therefore, one that will definitely be tried in a brute force attack.
  • Your real name or nickname – This is both public information and as easy to guess as “admin”. In addition, it can make sense to create a separate profile without administrator right to publish content. That way, the username of the main login does not appear on the website.
  • Any personal information – Including birthday, etc. Only use a personal detail if it’s something no one could ever know.
  • The title of your site, or something obviously related to it  – “Kittens” for a cat adoption agency, etc.

You also need to choose a secure password. The general gist of this is the same: avoid personal info, obvious choices like “password”, or anything clearly related to your website.

A good password is 10+ characters, uses a variety of characters, and avoids common words and phrases. The best passwords are a long series of completely random letters, numbers, and symbols that no one could ever possibly guess. Services like Secure Password Generator can help you create them.

If you have a hard time remembering your login information, consider using a service like LastPass.

9. Lock Down Your Login Page

By default, anyone can log into your website by going to yoursite.com/wp-admin. You can stop them in their tracks by changing the URL entirely. WPS Hide Login allows you to switch it to whatever you want. Just install it and go to the plugin settings to change it.

You should use a login path that isn’t obvious. It might deter them a little if you change it to something like /login or /new-login, but if they’re determined, they’ll figure that out pretty quickly. Therefore, it’s better to choose something very hard to guess like /jacksparrowshideout.

Next, install a plugin to limit login attempts. Any person can spam your server with hundreds of requests until they guess it right. A plugin that limits login attempts will give them only a few chances before they’re locked out. It can also detect and redirect bots away from your login page.

Alternatively, you could activate a CAPTCHA to slow them down even further.

At this point, most hackers will search for easier targets. They can keep trying once their time is up, but in that time we could check our audit logs, notice their attempts to get in, and issue an IP ban. 

You could also try Cloudflare Rate Limiting. This automatically detects brute force as well as DDoS attacks and blocks the offending IP address.

The last step is to set up two-step authentication using a plugin. Besides requiring a username and password to get in, it asks the visitor for a third authenticator. The most common is a text verification of a message sent to your phone. A hacker might be able to gain access to your email,but it’s very unlikely they could steal your phone.

Keep WordPress Safe

An untouched installation of WordPress is open to attackers. Neglecting security leaves you vulnerable to hackers looking to defaced, deleted, or even injected your site with malware. 

However, a day spent installing and setting up the right security plugins and filling in all those little holes could make all the difference.

By following the advice we’ve provided, your site will be far safer from attackers. The great part is, many of these methods are “set-it-and-forget-it” actions. Simply changing one setting and you won’t need to think about it for a long time.

In summary: Pick a trustworthy host with secure servers, install an SSL certificate if you’re collecting user data, keep your website backed up and your installation and themes up to date, and make sure you have a secure login. Do all this and hackers, especially amateur hackers, will be stopped at the gate.

Has your WordPress site ever been hacked? How did you manage to reclaim your website and clean it up? We’d love to hear your story in the comments.