17 Steps to a Secure WordPress Site

Alexandra Belski Alexandra Belski
Reading time:  7  min.

WordPress is one of the most popular content management systems in the world with over 60% market share today. Unfortunately, this popularity has its drawbacks, as WP is also the most hacked CMS in the world. To secure your WordPress site, take a look at our 17 step checklist and ensure maximum safety of your business.

17 steps to a secure WordPress site

Why Take Safety Measures

Site owners often underestimate the risk of their website being hacked. Even if your project hasn’t grown to large-scale business yet, it’s still important to protect it against possible attacks. Most often, blogs are hacked for the following purposes:

  • For fun. Usually, these are novice hackers who are simply interested in the process, and your site just came to hand.
  • To insert malware and build a network of bots, send spam and infect users’ computers.
  • For black-hat SEO — to inline links or put additional pages so that the hacker can promote their own website.
  • To access the server. Someone can hack a neighboring site located on the same server as yours.

When you think “How do I make my WordPress site secure,” remember to ensure protection at different levels—site URL, login and password, quality software and so on. You need an integrated approach and constant monitoring, for example, thoroughly check the software for viruses before installing and updating, work with users (automatically log out when inactive), install plugins for automatic checking, etc. 

How to Ensure Safety on Your WordPress Blog

Below, we’ve accumulated a number of simple and advanced measures that any site owner can take. By following this WordPress security checklist, you can significantly improve your site safety and prevent a lot of potential hassles.

1. Regularly Update WordPress Version

Most of the vulnerabilities of WordPress sites are associated with outdated software versions, as hackers learn their vulnerabilities after some time. With each release, all bugs and security problems of previous versions are closed, performance indicators and speed are improved, compatibility with plugins and themes of new versions is increased, and more tools for working in the system appear.

To secure a website, WordPress notifies users of latest releases, so make sure to update your site as soon as you see a notification (be sure to back it up before any updates!).

2. Update Plugins

Not only does the WordPress version need updating, but so do plugins and themes. Hackers often use disabled and outdated templates and plugins (even official WordPress plugins) to gain access to your control panel, or upload malicious content to your server. Updated plugins, on the other hand, have less bugs and are compatible with the latest WordPress version. 

Try to not install many plugins, as the more adss-on you have, the lower the site performance. Thus, remove plugins that you are not using, but first deactivate it and then delete (plugin files that are simply deactivated remain on the server).

As a rule, WordPress automatically updates installed themes and plugins, but you still need to monitor the status of the software on your site and manually upgrade plugins that were left unattended.

3. Never Skimp on Good Hosting

Those who don’t pay enough attention to hosting choices, run the risk of being hit by malware, easy hacking of their site, limited WordPress usage, and other problems. Check out the best WordPress hostings and be sure that the one you choose: 

  • Supports the latest PHP and MySQL versions.
  • Is optimized for WP.
  • Has a firewall that targets WP too.
  • Offers malware scanning and intrusion detection.
  • Comes with a CDN that can sort out attacks and spam before they reach your site.

If it’s shared hosting, make sure your account is isolated from other users.

4. Backup Your Site

Always backup your site before updating the WordPress version, themes, plugins, and other software. That way, you’ll be able to restore it should anything go wrong or in case of a server crash. 

To create a backup, you can manually download the site files and export the database, use the hosting solutions or install security WordPress plugins, such as:

For better WordPress protection, combine safety measures, for example, entrust the creation of a backup copy to your hosting and install a plugin at the same time.

5. Alter Your Login URL

Changing the login URL is one of the easiest ways to protect your site from password cracking. By default, the WP login page can be easily accessed via wp-login.php or by adding wp-admin to the main URL of the site. If hackers know the direct URL of your login page, they can try to simply guess your password to get into the admin area.

There are two ways to move the login page to another site: by making changes to the .htaccess file or using a plugin, which is easier and suits even novice WordPress users. These can be dedicated plugins, as well as multi-purpose WordPress security plugins: 

6. Check Themes Before Installing

Use only trusted sites like WordPress.org to download themes, as the experts thoroughly check the themes for compliance with standards: security, cross-browser, GPL compliance. Third-party resources, on the other hand, might offer similar themes but with viruses or other malware.

You can also check a list of commercially supported GPL themes if you don’t mind paying for one in exchange for premium features. 

In any case, check the theme before installing to see whether it works fast and doesn’t have any additional encoding. For instance, you can open the files in Notepad ++ editor and search for forbidden codes with words:

  • base64
  • decode
  • encode
  • Uudecode
  • str_rot13
  • eval

Scripts that may be a danger to your site are:

  • wshell \ .php, ShellBOT (used to gain control over your server)
  • uname -a (this script reveals the operating system your server is running on)

You can automate the process and use dedicated tools such as: 

7. Create Strong Password and Alter It Regularly

A good password is essential to protect WordPress sites from hackers. First, create complex passwords, which are at least eight characters and contain numbers, uppercase and lowercase letters as well as special characters. Second, change your password from time to time. Tools like LastPass and 1Password can help you create and manage complex passwords.

8. Install a Security Plugin

Even though safety measures might seem complicated at first, you can automate the process and protect WordPress sites using dedicated plugins. Such tools operate automatically and notify you of security breaches or necessary updates. Here are a few popular plugins:

  • All In One WP Security & Firewall. This plugin protects user accounts, code files, makes it safer to log into the site through personal accounts, and makes backup copies of databases.
  • BulletProof Security. This plugin scans for malware, protects site authorization, does not allow spam to pass, and makes backups.
  • Wordfence Security. Save CMS from hacking and malware attacks by protecting site login, scanning for code changes, login attempts, and notifications of suspicious activity.
  • iThemes Security. This plugin protects when entering the admin panel and performs the functions of an antivirus.
  • Disable XML-RPC Pingback. This site closes a possible XML-RPC vulnerability through which scammers can attack other sites and slow down your blog.
  • Sucuri Security. A complex plugin that monitors changes in site files and performs the functions of an antivirus. 

9. Hide Your WordPress Version

If hackers know which WordPress version you use, it greatly facilitates attacks on your site. You can use one of the security plugins or hide your version number manually (and also remove the version number from RSS feeds) by adding the following code to your functions.php file:

function wpbeginner_remove_version() {
return ”;
add_filter(‘the_generator’, ‘wpbeginner_remove_version’);

Remember that when you update the template, the function.php file may be updated and the code you add will be removed. So after updating this file, you need to check and, if necessary, make the appropriate edits again.

10. Turn On Two-Factor Authentication

Another good measure to secure WordPress websites from hackers is to enable a two-factor authentication module (2FA) to the site’s admin login page. In this case, you’ll need to use two types of data to log in. 

The website owner can choose the exact components. This can be a regular password followed by a security question, pass code, character set, or the Google Authenticator App that sends a pass code to your phone. This way, only the person with your phone (you) can enter your site.

11. Change Your Admin Username

When installing WordPress, never choose “admin” as the default username for the primary administrator account. This is the most common site vulnerability. All that a hacker needs to figure out is the password, and then your entire site falls into the wrong hands.

If you did use “admin” to log in, it makes sense to change it. Start phpMyAdmin, choose the desired database and execute an SQL query that changes the administrator login and username. The second option is to create a new administrator account with different data, log out, log in again, and delete the admin account. 

12. Get an SSL Certificate

An SSL certificate will help you navigate to https and encrypt site data, preventing hacker attacks. Such a certificate is a must for all platforms that work with personal data in order to protect transactions and prevent unauthorized access to information. The https protocol indicates that the site is safe, which positively affects its ranking on Google. 

Most hosting providers offer to buy an SSL certificate for a small monthly fee. If you do not have a commercial site, you can use a free SSL certificate from Let’s Encrypt. Many hosting control panels support its automatic installation.

13. Disallow File Editing

If users have admin rights in the WordPress dashboard, they can edit system files, including plugin and theme files. If you disable file editing, no one can accidentally or intentionally change any of the files, even if a hacker gets admin access to your WP dashboard.

To disallow file editing from your WP dashboard, you should add the following line to your wp-config.php file (at the very end): define(‘DISALLOW_FILE_EDIT’, true);

14. Add User Accounts With Care

If multiple users have access to a blog on WordPress, this can make your site potentially more vulnerable. Add new user accounts with care and give admin access only to those whom you know and trust. Also, you can create accounts with different access rights for different roles, for example, super admin, administrator, editor, subscriber, etc. 

It is also very important that all users use strong passwords and two-factor authentication! Make sure your coworkers keep their passwords secure. There are special plugins, for example, Force Strong Passwords, thanks to which you can be sure that other admins are using only strong passwords.

15. Limit Retry Attempts When Logging In

The function of blocking unsuccessful attempts to log in to the system can solve the problem of continuous brute-force attempts. Whenever a hack is attempted with repeated incorrect passwords, the site is blocked for the hacker’s IP address, and you are notified of an unauthorized action.

iThemes Security is one of the best plugins to help you configure security settings on your website. You can choose a certain number of unsuccessful login attempts before the plugin blocks the attacker’s IP address.

16. Enable Idle User Logout

Some users don’t log out of their account after the end of the session. Is WordPress secure in this case? Not at all, as hackers could take over the session, change passwords, or make changes to the account. 

The easiest way to prevent this is to configure WordPress to automatically exit idle user mode within a given period. You can use the BulletProof Plugin, which allows you to set individual times for user accounts, after which they will be automatically logged out.

17. Use a Web Application Firewall

Protecting your WordPress site is only effective with a comprehensive approach touching on different levels. One great way to filter the traffic to your site is by installing a web application firewall, which is able to drop out hacker, brute force, and DDoS attacks.

You can install the firewall at different traffic entry points:

  • DNS level. Firewalls will direct your website traffic through their cloud proxies. At this level, dangerous traffic will be screened out and good traffic will be sent to your web server.
  • Application level. The firewall checks traffic as soon as it reaches your server, but before loading most of the WordPress scripts.

Here are some popular web application firewalls:

How to Protect My WordPress Site From Hackers

There are several dozen different technologies for gaining access to a site illegally, and one vulnerability can entail a complete loss of control over the website. Therefore, it’s crucial to develop a comprehensive approach to securing your site at different levels, combining dedicated software with manual checkup and monitoring to reduce the risk of hacking.

15 AI Tools Tackling Travel Bloggers' Top Challenges