How to secure WordPress? That is the question.
WordPress security is serious, especially for digital businesses that can’t afford to suffer breaches and service interruptions.
If you’re just getting started in WordPress, the amount of cybersecurity information can be overwhelming. This article will summarize why you need to secure your website and 12 things you can do today to secure it.
How safe is WordPress?
WordPress is the world’s most popular CMS, powering around 43% of all websites. With such a large market share and community, it’s no surprise that WordPress websites are often the target of cyberattacks.
WordPress security’s three main elements are core installation, plugins, and themes. The WordPress core is developed by professionals that include world-class cybersecurity experts. As a result, the core is very secure.
The security standards of plugins and themes vary depending on the developers behind them. The ones developed with security in mind are safe and frequently patch security vulnerabilities. On the other hand, some plugins and themes are less safe for various reasons (time and resources spent on security, the nature of the plugin, how often they’re updated, etc.).
Why is securing WordPress important?
Cybercrime is a very profitable business. The World Economic Forum estimates that in 2021 global cybercrime costs reached $6 trillion, which could rise to $10 trillion annually in 2025.
WordPress security is important because:
- Security breaches are expensive and can dent a company’s financial state.
- Widespread lack of cybersecurity affects users emotionally and financially by exposing their data and making them vulnerable to identity theft, loss of credit card information, and more.
- Security breaches affect a company’s reputation.
- Users expect websites and computer systems to be secure.
- Unsecured websites may run into legal trouble, depending on the jurisdiction.
- Secure websites receive an SEO boost on search engines.
12 ways to secure WordPress
Now that we have better context on WordPress’s security environment let’s explore the 12 basic security measures every website should have in place.
Update WordPress, PHP, plugins, and themes.
The cybersecurity landscape is constantly changing. What was secure a few years ago may not be anymore, and what’s top-of-the-line security right now may be deprecated in a decade.
The developers of WordPress core files, PHP versions, plugins, and themes always review their code to detect vulnerabilities attackers can exploit to inject malicious code. When they find vulnerabilities, they release security patches to fix them. If the version installed on your site is not updated, you are opening yourself to attacks.
Keeping these elements updated helps your website run faster and be more secure.
Install a security plugin.
WordPress security plugins are software security suites that protect your website from known vulnerabilities and threats. They allow you to protect confidential information, avoid being locked out of your site, and stop cyber attacks.
Their most common features include the following:
- Monitoring and scanning your website for malware.
- Spam filtering.
- Checking SSL certificates.
- Protecting your site from zero-day attacks.
- Repairing and restoring hacked sites.
- Hardening your site.
- Securing the authentication process.
- Applying firewalls.
Some popular security plugins include Sucuri, Jetpack, Wordfence, iThemes Security, and All In One WP Security.
Use a web application firewall (WAF)
WAFs are evolutions of the traditional hardware firewalls that control data flow at the IP address and transport protocol levels. WAF can filter attacks performed at the application level, where applications run code and perform functionality on the web server.
The main benefits of WAFs are:
- Filtering, monitoring, and blocking malicious HTTPS traffic attempting to enter web applications.
- Preventing unauthorized data from leaving the application.
- Creating an application profile to understand data patterns, typical requests, URLs, and allowed values and data types. App profiles make recognizing illegal, abnormal, and malicious requests easier.
- Providing content delivery networks (CDNs). CDNs improve website load times, an essential user experience, and SEO metrics.
- Protection from cross-site scripting and SQL injection attacks are two of the most prevalent security threats.
- They can be deployed from the cloud or as a local software/hardware installation.
Some of WordPress’s most popular WAF plugins include Sucuri, WebARX, Wordfence, MalCare, and Cloudflare.
Limit login attempts
This measure is essential for preventing brute-force attacks.
WordPress allows infinite failed login attempts to your site; a hacker can theoretically keep trying to crack your passwords until they succeed. Explore plugins that temporarily prevent IP addresses from trying to access your admin dashboard if they fail a certain amount of times in a row (like 3, 5, or 10 times).
The limited attempts and waiting time will reduce the chances of a successful brute-force attack.
The most popular plugin that limits login attempts is Limit Login Attempts Reloaded.
Enforce unique, strong passwords.
Weak, short passwords are predictable and easy to crack. Plus, people often reuse passwords across multiple accounts, opening all accounts to being breached. Follow these guidelines when creating unique passwords for all team members.
- Use long (12-20 characters) complex passwords that combine upper and lowercase letters, numbers, and special characters, such as “*” and “/.”
- Create rules for the words used in passwords. For example, you can demand that words be truncated halfway or that vowels are removed (“honey” turns into “hny”) to avoid using predictable letter combinations.
- Avoid common, everyday words and predictable patterns, such as a common word followed by four numbers.
- Don’t use “a” or “1” as the password’s first character.
- Use unique passwords for all accounts associated with your WordPress site.
- Consider using a password manager to keep up with all these complex, unique passwords.
Add two-factor authentication
A multiple-factor authentication is a form of access control that allows access only after the user has provided two or more identity proofs. Generally, only two proofs are required.
The first proof is the password/username combination. The second proof varies. It can be a second password that changes periodically, a verification code sent to your email address or any other verification form. The idea is that even if an attacker knew the regular password, they’d still need to gain access to the second authentication factor, which is known only by each team member.
One of the most popular plugins that enable two-factor authentication is Shield WordPress Security.
Backup your site regularly
Backing up your website is making a copy of all the files that make your website possible, including the core installation files, plugins, themes, and databases.
Backing up your website is like insurance. You’re protecting its contents and can restore them anytime if necessary. It’s also a good practice to back up before making significant changes like installing or updating plugins and themes.
You can back up your site manually, with a plugin, or with your web host (if they offer that option). We recommend always using your web host as the default option and using plugins only if necessary. Manual backups are the easiest to mess up and most time-consuming to restore, but they may have their place sometimes.
For a full guide to backing up your site, read our article about WordPress backups.
Install an SSL certificate.
A secure Sockets Layer (SSL) is a protocol that makes information exchanges over the internet safe by encrypting the contents of the messages. AN SSL certificate is a digital file containing the information of an internet domain. The file is installed in the server containing the domain to secure traffic.
The benefits of SSL certificates include the following:
- Protecting login information.
- Domain, organization, and extended validations. A Certificate Authority (an organization that manages SSL certificates) validates that your website is run by the people it claims to be run by.
- SEO ranking boost.
More authoritative and validated SSL certificates cost money, but less authoritative certificates can be obtained for free. Some popular plugins offering free SSL certificates include WP LetsEncrypt, Really Simple SSL, and WP Force SSL.
Monitor user activity and log out inactive users.
Monitoring user activity means creating an automated log of their activity (which pages they opened, which files they downloaded, etc.). That may sound intrusive, but it’s necessary to determine which users are legitimate and which users are bots or compromised accounts.
In addition to logging user activity, you should log out users who’ve been idle or inactive for a certain period. It is a good security practice because it minimizes the chance of someone else taking over their account and causing trouble.
For logging user activity, the most popular plugins are Sucuri, WP Audit Log, Simple History, and ActivityLog. For logging out inactive users, install Inactive Logout.
Perform malware scans
Malicious software (malware) is created to crack security vulnerabilities, control computer systems remotely, take a website hostage to demand ransom, and many other uses. It’s one of the most common security threats in the WordPress environment, with attacks like cross-site scripting (XSS) and SQL injections being widespread.
Malware scanners explore your website’s files to:
- Identify and eliminate malware.
- Prevent malware from spreading to user computers and stealing user data.
- Protecting databases from injection attacks.
Some of WordPress’s most popular malware scanners are Sucuri, Wordfence, and iThemes Security.
Modify file permissions
A file’s permissions are the list of users that can read, write, and execute the file. “Reading” means viewing the file, “writing” means editing the file, and “executing” means being able to run the file, like you would when running a script.
File permissions are important because they determine which team members can view and modify core installation, plugin, and theme files, an essential part of managing a WordPress site. Being too strict interferes with site, theme, and plugin performance, but being too permissive opens you up to security threats.
You’ll have to find the balance between strict and permissive that works the best for your workflow.
You can modify file permissions by using an FTP client like FileZilla and right-clicking on files and folders. You’ll get a list of permissions for each type of user, which you can modify.
Get a secure web host.
The services offered by your web host play an important role in website security. When choosing or changing hosts, consider whether they provide the following services:
- Securing and restricting access to confidential information.
- Easily backing up and restoring your website.
- Scanning for malware.
- Preventing denial-of-service attacks.
- Offering maximum uptime.
Choose the web host that offers the best balance of security measures.
Securing WordPress saves you time and money.
As you can see, there are quite a few measures to take to secure your WordPress site. It may seem overwhelming or overkill at first. Still, as you learn more about cybersecurity, you’ll realize these are all necessary.
Now that you know the basics of securing your site, you’re in a much better position to avoid the time and resource sink that security breaches can lead to, especially for larger websites.
If you found this article helpful, read our blog for more WordPress insights, guides, and tricks.