WordPress is the most popular content management system (CMS), used by nearly 43% of all websites on the internet today. Because of its popularity, it is also a preferred target for hackers. This has made WordPress security a big concern for thousands of site owners globally. If you are using WordPress or looking to run your site on this CMS, then you must know how to secure a WordPress website from hackers and malware.
If you don’t pay heed to the security of your site, it may become vulnerable to various sorts of cyberattacks. Regardless of the type of content you publish or your traffic numbers, the WordPress security issues remain the same.
This is a must-read WordPress security guide for everyone who owns a WP site and is serious about it. Read on to understand how secure WordPress is, its primary vulnerabilities, tips and best practices on how to secure a WordPress website, as well as the right plugins to make your WordPress site more secure.
How Secure is WordPress?
Is WordPress secure?
This is a common question among WP site owners, including famous bloggers, authors, and businesses. The answer is YES. WordPress is a secure platform that is audited by a large team of security experts and developers.
However, there are some WordPress security best practices and measures that site owners need to take, because the choice of themes and plugins differs from person to person, and not all themes and plugins are secure. Additionally, keeping the WordPress version up to date is always the publisher’s responsibility (unless automatic updates are enabled).
What this means is that the core WordPress platform is highly secure, but you need to follow some WordPress security best practices to keep hackers away.
Here are some important statistics that you must know about WordPress and its security:
1. The average number of websites hacked every 24 hours is 30,000.
2. Talking about the CMS-based sites (based on WordPress, Joomla, Magento, Drupal, etc.), 94% of attacks target WordPress websites.
3. As per 2019 stats by Sucuri, 56% of all the CMS-powered sites were running on outdated versions at the time of the attack.
4. The reason behind 60% of the hacked websites was the use of outdated and vulnerable plugins and themes.
These are some alarming WordPress security statistics that might make you question whether WordPress is secure or not.
Primary WordPress Security Issues & Vulnerabilities
Before diving into how to secure WordPress from hackers and malware, and understanding the primary WordPress security best practices, let’s first go through the core issues and vulnerabilities.
1. Outdated WordPress Version
Since its inception in 2003, the CMS has released more than 100 version updates to date. New WordPress versions are released multiple times a year. You can see the update alerts in the Updates section of your WordPress dashboard.
If you use an outdated version, your site is vulnerable because hackers know the security bugs of the previous versions. Moreover, when the latest version is announced, the release notes show which bugs the WordPress developers fixed, so attackers know exactly what to try against sites that haven’t updated. Hence, you must run your site on the newest WordPress version.
What is the Latest WordPress Version in 2022?
WordPress 5.8.1 is the latest version. You can check the new releases here.
2. Choosing Random Themes and Plugins
Not all WordPress themes and plugins exhibit equal security. Moreover, many of them are not built by trusted and reliable developers.
Most beginners to WordPress choose themes solely on the basis of look and feel, without paying attention to whether they are secure and trusted.
In addition, using random plugins to add functionality without knowing their security status is a huge mistake. Many themes and plugins are never updated by their developers.
All these things can lead to attacks on your website or blog. To secure your WordPress site, use only trusted themes and plugins that have high ratings, positive reviews, and a substantial number of downloads. In our online WordPress course and training, we suggest the best themes and plugins to use and which ones to avoid.
3. Outdated Themes and Plugins
WordPress vulnerabilities are caused by out-of-date themes and plugins as well. Typically, you use a single theme and a number of important plugins on your site for required functionalities.
It is crucial to keep your theme and all plugins up to date, even when you have installed only trusted plugins. If not, attackers can exploit the known flaws to attempt unauthorized access to your blog or website.
When the updates are available, you can see in the WordPress dashboard menu bar the number of updates available (as shown in the screenshot below).
When you click on it, you will see the updates available for specific plugins and themes. Update everything from here. It is advised to keep a backup of your site before updating themes and the core WordPress version.
4. Poor Web Hosting Solution
Whether you are using shared hosting, a dedicated server, or even a VPS server to host your site, it is crucial that you buy web hosting from a good service provider.
Many site owners and individuals buy cheap web hosting to start a new website. However, cheap options often don’t come with the relevant security measures.
While purchasing a web hosting plan, you must check the security features available. These can include:
- Network security
- DDoS protection
- SSL certificate
- Directory password protection
- Email spam protection
- Virus and spam protection
5. Weak Passwords
This is common to all types of websites and content management systems. If you set weak passwords for your WordPress site or your cPanel account, they will remain vulnerable to dictionary attacks.
Dictionary attacks try common passwords and their variations until the password is cracked. Therefore, you must use strong passwords.
A strong password is at least 8 characters long and combines uppercase and lowercase letters, numbers, and symbols. If you are using a weak password, it is time to update it.
Top WordPress Security Tips and Best Practices 2022
Now that you know about the main WordPress security vulnerabilities and issues, let’s move on to the best WordPress security tips to prevent attacks.
1. Install SSL Certificate
The role of an SSL Certificate is to enable HTTPS for all the URLs on your site and get rid of the ‘not secure’ warning in the URL bar.
From a security point of view, an SSL certificate encrypts the communication between the user’s browser and your web server. This means that if a user is filling in and submitting a contact form on your site, subscribing to a newsletter, or making a transaction to buy your service or product, their details are protected in transit.
These details can include the user’s personal information, banking details, address, email address, phone number, etc. When they travel from the user’s browser to your site’s web server, the communication needs to be encrypted so that attackers can’t eavesdrop on it. An SSL certificate enables that encryption.
Lastly, having HTTPS in your URL with an SSL certificate is a ranking factor on Google. Without SSL, your site will show HTTP and ‘not secure’ warnings, which will break the trust of your audience and lower your overall rankings on search engines.
Therefore, install an SSL certificate now if you haven’t already.
2. Change Default Log-in URL (wp-admin)
The login URL for the majority of WordPress websites is domain.com/wp-admin or domain.com/wp-login.php.
This means that attackers also know the login URL of your site and can carry out brute-force attacks against it. Hence, it makes sense to change the login link in WordPress, either without a plugin or with one.
Doing it without a plugin requires changes to the .htaccess file and to some other important files, which is a risky practice if you don’t have sound knowledge of coding or development.
Any mistake can break the site or cause other issues. Hence, we suggest changing the WordPress login URL with a plugin like WPS Hide Login.
How to Create Custom Login URL in WordPress?
- The first step is to find and install the WPS Hide Login plugin.
- Activate it once installed.
- Navigate to the Plugins section and find WPS Hide Login.
- Click on Settings under the plugin name.
- Add a new URL in the Login url field. Make sure to keep it memorable so that you don’t end up forgetting it.
- In the Redirection url field, you can add a link to your blog section or homepage so that if anybody tries the default login URL, they get directed to that page.
- Once done, click on Save Changes.
It will change the WordPress login link.
3. Limit Login Attempts
By default, anyone can attempt to log in to your WordPress site or blog as many times as they want. That doesn’t matter when it is you, but what if hackers try the same? They can try password after password on your website until they get the right one.
This is usually carried out using brute force attacks. To prevent such attacks and avoid hacking of your site, it is vital to limit the number of login attempts. For instance, if you limit the attempts to 5, then the site will temporarily block the hackers after 5 false login trials.
How to Limit Login Attempts in WordPress?
You can do this using a free and trusted plugin named Limit Login Attempts Reloaded.
Install and Activate this plugin. Go to the Settings section in the plugin and configure it.
The plugin allows you to specify the number of retry attempts during the login process, configure lockout timings, get an email notification about blocked attempts, etc.
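The lockout logic that the plugin described above implements, written out as an added example so the behaviour is visible end to end (this is constructed demonstration code, not the Limit Login Attempts Reloaded plugin or any WordPress API). It keeps a per-address failure counter, blocks the address after the page's example threshold of 5 failures, and refuses even a correct password while the block lasts. The 15-minute lockout window and the sample addresses are assumptions.

```python
"""Per-source login lockout (constructed example, not plugin code)."""
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5           # the page's example threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window; real plugins make this configurable


@dataclass
class LoginGuard:
    """Tracks failed logins per client address and enforces a temporary block.

    The password check itself is out of scope: attempt() receives its result
    and decides whether this source is still allowed to try.
    """
    failures: dict = field(default_factory=dict)      # ip -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # ip -> time the block ends

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear state so the source starts with a clean counter.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            # A correct guess inside the window gains nothing, which is the
            # property that makes the lockout worth having.
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)   # success resets the counter
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= MAX_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


def simulate() -> list:
    """Replay a constructed sequence from one address and return the decisions."""
    guard = LoginGuard()
    ip = "203.0.113.10"  # constructed address from the documentation range
    decisions = []
    t = 1000.0
    for _ in range(5):                      # five wrong passwords in a row
        decisions.append(guard.attempt(ip, False, t))
        t += 1
    decisions.append(guard.attempt(ip, True, t))                    # right password, still blocked
    decisions.append(guard.attempt(ip, True, t + LOCKOUT_SECONDS))  # window over, allowed again
    return decisions


if __name__ == "__main__":
    print(simulate())  # ['failed', 'failed', 'failed', 'failed', 'locked', 'locked', 'ok']
```

One caveat for anyone deploying this pattern: keying on the client address only works if the address is the real one. Behind a CDN or reverse proxy every visitor arrives from the proxy's address, so the lockout would either block everyone or be bypassed unless the forwarded address header from the trusted proxy is used instead.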
4. Specify User Permissions in WordPress
If there are multiple users of your site who publish content on their own or manage the site, then you must ensure that not every user has the same level of access and permissions.
For example, if someone’s role on your site is just to publish content, then giving that person admin login details or assigning an admin role doesn’t make sense.
WordPress User Roles
Before learning how to change WordPress user roles, let’s talk about the different WordPress user roles available.
How to Change User Permissions in WordPress?
To give permissions to users in WordPress, open the dashboard and go to Users > All Users. It will show you all the users on the site with names and roles (as shown in the screenshot below).
To change the user permissions, hover over the name of the user and the Edit User option will appear. Click on it. On the new page, find the Role dropdown and select the one that is relevant for that user.
For instance, if the role of a specific user on your site is just to publish content, then assign the Author role. That user will then not be able to perform other actions like managing themes and plugins, editing code, customizing, etc.
This is one of the best WordPress security tips because even if a particular user’s account is compromised, the attacker can’t take over the entire site.
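To make the least-privilege point above concrete, here is an added example (not WordPress code) that models roles as capability sets and checks two things: which role is the smallest one that covers what a user actually needs, and which capabilities a compromised account of a given role would hand an attacker. The capability names are real WordPress ones, but ROLE_CAPS is a reduced subset assumed for the demonstration, not the full map WordPress ships; the sample user assignments are constructed.

```python
"""Least-privilege review for WordPress-style roles (constructed example)."""

# Reduced subset of WordPress's real capability names, assumed for the demo.
ROLE_CAPS = {
    "subscriber": {"read"},
    "contributor": {"read", "edit_posts", "delete_posts"},
    "author": {"read", "edit_posts", "delete_posts", "publish_posts",
               "edit_published_posts", "delete_published_posts", "upload_files"},
    "editor": {"read", "edit_posts", "delete_posts", "publish_posts",
               "edit_published_posts", "delete_published_posts", "upload_files",
               "edit_others_posts", "delete_others_posts", "edit_pages",
               "publish_pages", "moderate_comments", "manage_categories"},
    "administrator": {"read", "edit_posts", "delete_posts", "publish_posts",
                      "edit_published_posts", "delete_published_posts", "upload_files",
                      "edit_others_posts", "delete_others_posts", "edit_pages",
                      "publish_pages", "moderate_comments", "manage_categories",
                      "edit_themes", "edit_plugins", "install_themes",
                      "install_plugins", "update_core", "edit_theme_options",
                      "edit_users", "create_users", "delete_users", "manage_options"},
}

# Roles from least to most privileged, used to pick the smallest sufficient one.
ROLE_ORDER = ["subscriber", "contributor", "author", "editor", "administrator"]

# Capabilities that change code, configuration or accounts: the ones that turn
# a compromised login into a compromised site.
SITE_TAKEOVER_CAPS = {"edit_themes", "edit_plugins", "install_themes",
                      "install_plugins", "update_core", "edit_theme_options",
                      "edit_users", "create_users", "delete_users", "manage_options"}


def user_can(role: str, capability: str) -> bool:
    return capability in ROLE_CAPS[role]


def least_privilege_role(needed: set) -> str:
    """Return the lowest role whose capabilities cover `needed`."""
    for role in ROLE_ORDER:
        if needed <= ROLE_CAPS[role]:
            return role
    raise ValueError(f"no single role covers {sorted(needed)}")


def blast_radius(role: str) -> set:
    """Takeover capabilities an attacker gains by compromising one account of `role`."""
    return ROLE_CAPS[role] & SITE_TAKEOVER_CAPS


def review_assignments(assignments: dict) -> dict:
    """assignments: {username: (current_role, needed_caps)}.
    Returns {username: recommended_role} for users holding more than they need."""
    findings = {}
    for user, (current, needed) in assignments.items():
        recommended = least_privilege_role(needed)
        if ROLE_ORDER.index(recommended) < ROLE_ORDER.index(current):
            findings[user] = recommended
    return findings


if __name__ == "__main__":
    # Constructed sample: a writer who was handed an administrator account.
    sample = {
        "jane_writer": ("administrator", {"publish_posts", "upload_files"}),
        "site_owner": ("administrator", {"install_plugins", "manage_options"}),
    }
    print(review_assignments(sample))  # {'jane_writer': 'author'}
    print(blast_radius("author"))      # set()
```

The empty blast radius for Author is exactly the property the section relies on: a phished or brute-forced Author password lets an attacker publish posts and upload files, which is bad, but it does not let them edit theme code or install plugins.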
5. Backup Your WordPress Site
Many people ask whether they should back up their WordPress site, or how to back up a WordPress site for free. The answer is that keeping a backup of your website or blog is necessary to avoid loss of data.
For instance, if your site gets hacked, deleted, or broken by some error, you can restore the backup without losing your important data and content. Let’s learn how to back up a WordPress blog or site with a plugin.
How to Backup a WordPress Site for Free?
The plugin we recommend is UpdraftPlus. It is a trusted plugin having more than 3 million active installations.
With the free version, you can back up your data to Google Drive, Dropbox, Amazon S3, Rackspace Cloud, FTP, OpenStack Swift, and email. The premium version adds Microsoft’s OneDrive and Azure, Google Cloud Storage, SCP, Backblaze B2, SFTP, and more services.
- Go to Plugins > Add New.
- Search UpdraftPlus in the search bar and install the UpdraftPlus WordPress Backup Plugin.
- Once installed, Activate it.
- Now configure it from Settings > UpdraftPlus Backups.
- Set up the WordPress backup plugin from the features and options available, like choosing the backup schedule, where to store the backup, what to back up, and more.
6. Keep Everything Up-to-date
Whether it is your theme, plugins, or the WP core, everything must be kept updated.
You can enable auto-updates or update these things manually on your own. To check whether the updates are available for any theme or plugin, see the Updates section in the dashboard or the updates icon in the menu bar.
From here, you can see the updates available and simply click on Update under each theme or plugin.
Before updating the WordPress core version, it is highly recommended to back up your site so that you can restore it in case things go wrong.
7. Go With Secure and Reputed Themes & Plugins
Many beginners to WordPress make the mistake of choosing random themes and plugins because they are unaware of the security implications.
If you have been using untrusted themes and plugins, it is time to get rid of them and avoid the same in the future. There is a secure plugin for almost everything today. You just need to do your research to find the right themes and plugins.
Here are some trusted WordPress plugins for common purposes:
- SEO: Yoast SEO, Rank Math, All in One SEO, XML Sitemaps
- Contact forms: Contact Form 7, WPForms, Ninja Forms
- Analytics: MonsterInsights
- Marketing: OptinMonster, Constant Contact
- Optimization: WP Rocket, W3 Total Cache, Smush, Imagify, WP-Optimize
- Social feed: Smash Balloon, Instagram Feed
- Others: Simple Author Box, Really Simple SSL, Insert Headers and Footers, WP Call Button, Easy Affiliate, Smart Slider 3
8. Add Google reCAPTCHA on All Forms
You have probably gone through hundreds of reCAPTCHAs on numerous websites. The role of a reCAPTCHA is to allow only human users to access the content or fill in the forms. It is one of the best ways to secure a WordPress blog or website.
Hackers run scripts against your site in which bots attempt to breach security, inject malicious code, post spam, etc.
The process to apply reCAPTCHA in WordPress is easy. You just need to sign up with your Google account to get an authentication key for your website. In WordPress, you then configure and validate it on the different forms. You can also do it using a plugin like Simple Google reCAPTCHA.
9. Disable File Editor
In the WP dashboard, there is a file editor or theme editor option, usually under the Appearance section. It allows you to add new code to the theme, applicable to the entire site.
You must disable the editor option from your dashboard once you are done creating the entire website. Once disabled, the file editor will not be accessible from your WP site dashboard.
The purpose of this is to prevent hackers from injecting malicious code into the site through the editor, even if an admin account is compromised.
How to Disable File Editor in WordPress Dashboard?
Here is the step-by-step process to disable the file editor feature in WordPress:
- Log in to your hosting cPanel account.
- Navigate to File Manager and open it.
- Find and open the wp-config.php file.
- At the bottom of this file, paste the following line (use straight single quotes; curly quotes are a PHP syntax error that takes the site down):
  define('DISALLOW_FILE_EDIT', true);
- Click on Save to save the updated file.
The file editor will no longer be available in your WP admin dashboard.
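The editing step above is easy to get subtly wrong (a curly-quoted define breaks the site, and a second copy of the line is harmless but untidy), so here is an added helper script, not WordPress or plugin code, that checks a wp-config.php for the DISALLOW_FILE_EDIT define and inserts it only when it is missing. It places the line just above the "That's all, stop editing!" comment that stock wp-config.php files carry, the conventional spot for custom constants, and falls back to the end of the file (where the page's own step pastes it) if that marker is absent. SAMPLE_CONFIG is a constructed, cut-down stand-in for a real configuration file.

```python
"""Check and apply DISALLOW_FILE_EDIT in a wp-config.php (constructed example)."""
import re
import sys

DISABLE_EDITOR_LINE = "define('DISALLOW_FILE_EDIT', true);"
# Stock wp-config.php carries this comment; custom constants conventionally go above it.
STOP_MARKER = "/* That's all, stop editing!"

# Only straight quotes count. A curly-quoted define is a PHP parse error, so it
# must not be reported as "already disabled".
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)\s*;""",
    re.IGNORECASE,
)


def _is_comment(line: str) -> bool:
    stripped = line.lstrip()
    return stripped.startswith(("//", "#", "/*", "*"))


def file_editor_disabled(config_text: str) -> bool:
    """True if a non-comment line defines DISALLOW_FILE_EDIT as true."""
    return any(_DEFINE_RE.search(line)
               for line in config_text.splitlines() if not _is_comment(line))


def harden(config_text: str) -> str:
    """Return the config with the define added; unchanged if already present."""
    if file_editor_disabled(config_text):
        return config_text
    lines = config_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.lstrip().startswith(STOP_MARKER):
            lines.insert(i, DISABLE_EDITOR_LINE + "\n")
            return "".join(lines)
    # No marker: append at the end, as the manual step on the page does.
    if config_text and not config_text.endswith("\n"):
        config_text += "\n"
    return config_text + DISABLE_EDITOR_LINE + "\n"


def harden_file(path: str) -> bool:
    """Rewrite the file in place; returns True if it was changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = harden(original)
    if updated != original:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
        return True
    return False


# Constructed stand-in for a real wp-config.php (values are fake).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python harden_wp_config.py /path/to/wp-config.php
        print("changed" if harden_file(sys.argv[1]) else "already hardened")
    else:
        print(harden(SAMPLE_CONFIG))
```

Run it against the file's contents first in check mode (file_editor_disabled) as part of a periodic configuration audit; the same check also tells you when a define has been commented out again, which is one thing to look for after a suspected compromise.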
10. Use Strong WordPress Login Credentials
The common usernames for most of the WP websites are either admin or administrator. This is one of the most common mistakes made by WordPress site owners. This makes your site vulnerable to brute force attacks.
This is because the hackers already know the username and all they need to do is attempt passwords. What you need to do is change your username to something unique and difficult to guess.
Another thing to do is to set strong passwords that can’t be guessed. It should be a combination of small and capital characters, numbers, and symbols. This is among the best WordPress security tips you must follow today.
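The strong-password characteristics given in the Weak Passwords section (at least 8 characters, mixing uppercase, lowercase, numbers and symbols) and the username advice above can both be enforced at the moment an account is created or a password is changed. The following added example, which is constructed demonstration code and not a WordPress or plugin API, turns both rules into checks that return the list of failures; the extra rule that a password must not contain the username goes beyond the page, and the sample credentials are constructed.

```python
"""Credential checks for new or changed accounts (constructed example)."""
import re

# Usernames the page warns against: attackers try these first.
PREDICTABLE_USERNAMES = {"admin", "administrator"}
MIN_LENGTH = 8  # the page's stated minimum


def password_problems(password: str, username: str = "") -> list:
    """List every way `password` fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Added rule beyond the page: a password built from the username is a
    # first guess in any targeted attempt.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def username_problems(username: str) -> list:
    problems = []
    if username.lower() in PREDICTABLE_USERNAMES:
        problems.append("predictable username")
    return problems


def validate_new_credentials(username: str, password: str) -> list:
    """Combined check to run before accepting a new account or a password change."""
    return username_problems(username) + password_problems(password, username)


if __name__ == "__main__":
    # Constructed samples; the second one is the mistake the page describes.
    for user, pw in [("editor_jane", "Tr0ub4dor&3"), ("admin", "password123")]:
        print(user, validate_new_credentials(user, pw) or "OK")
```

Because the checks return reasons rather than a bare yes/no, the same functions can drive an error message in a registration form or a one-off audit of which existing accounts still use a predictable username (passwords are hashed at rest, so only the username half of the audit applies to existing accounts).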
How to Change WordPress Username and Password?
By default, WordPress doesn’t allow you to change usernames from the dashboard.
You can change it from cPanel or by using a plugin.
If you want to do it with a plugin, then install the Username Changer and activate it.
Once activated, navigate to the Users section in the WP dashboard; you will now be able to change the username there.
The password can be changed from this section without the plugin.
Without a Plugin, from cPanel
If you are someone who is looking for ways on how to secure WordPress site without plugin, then this method is for you:
- Log in to your cPanel account.
- Navigate to phpMyAdmin and open the database.
- When you see the list of tables in the database, find wp_users.
- Here, find the username that you want to modify and change it by clicking on Edit.
- Click on Go to save the updates.
Now, you need to log in with your new username.
11. Avoid Nulled WordPress Themes
This is another important thing that matters a lot in our WordPress security checklist. Nulled themes are actually the cracked versions of original premium themes.
Many site owners want to use premium themes of their choice without paying the related cost. Hence, they find the cracked versions and use them on their site.
However, this is one of the biggest WordPress security mistakes to avoid, because the cracked versions come with security vulnerabilities. Typically, attackers tamper with the original themes and inject malicious code into them, and the websites that install those cracked themes are then hacked.
Therefore, avoid the use of nulled WordPress themes at any cost. If you can’t buy a theme, better go with a free trusted theme.
Best WordPress Security Plugins in 2022 (Free)
Now that you know some important WordPress security best practices and understand how to secure a WordPress website, let’s talk about some reliable plugins that are free.
Is Your Website Secure? How to Check WordPress Website Security?
Coming to the last question: “How to scan your WordPress site for malware?”
By now you might have understood the importance of securing your WP site and the top WordPress security tips. Scanning the site for malware is an easy process that you can perform using any of the security plugins mentioned in the previous section.
If you want to scan the WordPress website online, then simply go to the WPSec tool, enter your site URL and click on Start Scan.
It will start the scanning process and show you the results. If the WP version, theme, or plugins are outdated, it will list them. Other security factors are also checked and shown. This is how you can learn the security status of the site and proceed with taking measures to secure your WordPress blog or website.
The WordPress platform is undoubtedly secure and reliable. If you use it for your blog or website while following the best security tips, practices, and plugins, you can prevent attacks. We have covered everything in this WordPress security guide that you must implement today to strengthen your site and avoid all sorts of hacking attempts.
Which of these WordPress security tips are you already following? Let us know in the comments.