WordPress is an open-source platform that makes building a website as easy as just a few clicks. Because WordPress is open-source, it’s always updating and changing.

However, it’s these very same benefits that also lead to many vulnerabilities within the platform itself.

More than 70% of WordPress websites today are vulnerable to hacker attacks.

Why is WordPress such a popular choice for hackers? In reality, there are a number of compelling reasons:

  • Some WordPress websites fail to update and still use outdated versions
  • There are over 74 different versions of WordPress
  • Open-source themes and plugins welcome even more risk

It seems like every day you’re hearing about a new attack online. Are only big-name companies at risk? Not at all.

A startling 43% of all cyber attacks are against small businesses. This means it pays to be informed and to take measures to protect your own website security.

Since WordPress is the most popular Content Management System (CMS), it’s bound to be a target of most online attacks. Hackers are becoming savvier than ever, so it’s not enough to wait around for something to happen.

Here are 30 ways to secure your WordPress website against attacks and data breaches.

Hosting

First, you’ll want to take a few different steps to secure your website through your host. This is considered back-end security, and it’s usually the strongest. Here are some ideas to get you started securing your WordPress website effectively.

  • 1. Choose the Right Hosting Company
    If you have a poor hosting provider, your options for security will be limited. The right hosting provider is proactive about problems, not reactive.

    While it’s tempting to choose the cheapest hosting provider, realize this might cause problems down the road. A quality host adds more layers of security, plus it will speed up your website significantly.

  • 2. Install an SSL Certificate
    Known as Secure Sockets Layer (today implemented as TLS), SSL certificates are no longer optional no matter what type of website you run. If users are entering any type of information (even an email address), you need this security.

    An SSL certificate lets your site serve HTTPS, which encrypts traffic between the user’s browser and your server so that logins and form data can’t be read or altered in transit. Most hosts now provide an SSL certificate for free or include it in the cost of hosting.

  • 3. Hide Your WP-Admin Directory
    Your wp-admin directory holds the files behind your administration dashboard. If it’s compromised, your entire website is at risk. Through your cPanel, add a password to your wp-admin directory for added security. Note that wp-admin/admin-ajax.php is also used by many front-end plugins, so exempt that one file from the password or those features will break.

  • 4. Monitor Your Files
    Using a plugin that can monitor your files for you will keep you more secure. We don’t all have the time or the skills to look through our files for malware.

    The Wordfence plugin adds a web application firewall and scans your files for malware.

  • 5. Change the Prefix
    All WordPress database tables are created with the default wp_ prefix. Changing this to something unique makes automated attacks that assume the default table names less likely to succeed; it does not fix an SQL injection flaw itself, so treat it as one layer among the others here. Always back up your website before making changes to your database.

  • 6. Make Backups
    Speaking of backups, make them regularly. No matter how secure your website is, things can still go wrong. Having a backup will let you restore your website in just a few clicks.

  • 7. Strong Database Passwords
    Your database needs a strong password too. Ensure your cPanel also has a strong password made of a long string of random letters, numbers, and symbols.

  • 8. Set Directory Permissions
    If you’re using a shared host, you’ll want to protect your directory permissions. Setting your directories to “755” and files to “644” keeps other accounts on the server from modifying your files. You’ll do this in the file manager within your cPanel.

  • 9. Prevent Hotlinking
    Hotlinking is when someone takes an image that’s hosted on your server and displays it on their own website by linking to the file URL. This is a security risk and also increases the load on your server.

    You can prevent hotlinking through the All In One WP Security & Firewall plugin.
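The following is an added example, not code from the original article: the security-relevant part of a wp-config.php that applies the table prefix from item 5, the HTTPS rule from item 2, the database password from item 7 and the file-editor switch from item 24 below. The prefix, database credentials and the reverse-proxy header check are assumptions to adapt to your own host.

```php
<?php
// Added example of a hardened wp-config.php fragment (not the article's own code).
// Values marked REPLACE_* and the prefix are placeholders.

// Item 5: a unique table prefix. Set this BEFORE installing. On an existing site you
// must also rename every table and update the rows that embed the old prefix
// (wp_options.option_name 'wp_user_roles', wp_usermeta.meta_key 'wp_capabilities'
// and 'wp_user_level'), so take a database backup first (item 6).
$table_prefix = 'k7q3_';   // weak default was: $table_prefix = 'wp_';

// Item 2: once the certificate is installed, refuse plain-HTTP logins and dashboard
// sessions so the session cookie is never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: TLS is terminated by a reverse proxy that overwrites this header.
// Without this, FORCE_SSL_ADMIN sees HTTP behind the proxy and loops on redirects.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Item 24: remove the theme and plugin file editors from the dashboard entirely.
define( 'DISALLOW_FILE_EDIT', true );

// Item 7: database credentials. Use a long random password, and keep this file
// readable only by the web server user (mode 640 or 600), tighter than the 644
// used for ordinary files in item 8, because it holds these secrets.
define( 'DB_NAME',     'REPLACE_DB_NAME' );
define( 'DB_USER',     'REPLACE_DB_USER' );
define( 'DB_PASSWORD', 'REPLACE_WITH_LONG_RANDOM_PASSWORD' );
define( 'DB_HOST',     'localhost' );
```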

Themes and Plugins

Did you know problems could be lurking in your themes? These can be created by anyone, and they’re not always secure. Here are some best practices.

  • 10. Don’t Use a “Cracked” Theme
    A “cracked” theme is a pirated copy of a premium theme that’s offered for free. They might seem like a great way to get a professional-looking website at no cost, but there’s a huge risk.

    Namely, these themes often contain hidden malicious code that can harm your website.

  • 11. Update Your Themes
    Many themes, like WordPress itself, receive several updates throughout their lifecycle. Always update your themes to ensure you have the latest security patches installed on your website.

  • 12. Choose Your Theme Carefully
    It’s not always easy to know if a theme is secure. The most secure themes will likely be found in WordPress’ official Theme Directory, since these go through a strict review process.

    Another option is to choose a reputable seller who has demonstrated a commitment to security. If a deal sounds too good to be true, it probably is.

  • 13. Disable Inactive Plugins
    Don’t keep more than you need on your website. Not only does having dozens of inactive plugins reduce your website performance, but it’s also less secure, because an inactive plugin’s files still sit on the server and still need patching. Deactivate and delete any plugins you’re not using regularly.

  • 14. Use WooCommerce Support
    If you’re using an e-commerce platform or plugin like WooCommerce, make sure you take extra security measures. Finding the best WooCommerce support partner is an important step. You don’t want to risk your online business.

Login

Using the wrong password or login measures can spell a nightmare for your website. It might sound simple, but these things below make a massive difference.

  • 15. Use a Strong Password
    Is your password easy to guess? If you’re using something easy like your birthday, pet’s name, or 123456, it’s time to upgrade. Sure, these are easy to remember, but that also makes them simple for hackers to guess.

    Using a long, complex password with numbers, letters, and special characters is key. A password manager like LastPass will generate a random combination of letters, numbers, and symbols and store it securely for you.

  • 16. Change Your Password
    Even with a secure password, you’ll want to change it regularly. Changing it at least once every 3 months is a good idea.

  • 17. Change Your WP-Login URL
    By default your WordPress login is yoursite.com/wp-login.php (and yoursite.com/wp-admin redirects there). Because everyone knows this, it’s easy to find your login page. It’s smart to change this URL so it’s not easy to guess.

    You can change the URL by renaming the login file in your WordPress folder over FTP to something less guessable. Keep in mind that core files are overwritten by every WordPress update, so most sites use a plugin that rewrites the login URL instead.

  • 18. Enable Two-Factor Authentication
    Two-factor authentication is an extra layer of security. Instead of simply entering a single password at login, users will be expected to complete an additional step.

    This is usually a one-time code sent to the user’s phone or email. Two-factor authentication is an extremely effective way to stop an attacker who has only the password from gaining entry.

    Google Authenticator and the Two Factor Authentication plugin for WordPress are great solutions.

  • 19. Limit Login Attempts
    By default, WordPress allows users to attempt to log in as many times as they want. This lets hackers try password after password in a brute-force attack.

    Instead, limit login attempts so that anyone who fails repeatedly is temporarily blocked. The Login LockDown plugin will do this for you.

  • 20. Use Your Email
    Instead of using a username to log in, use your email address. While usernames are easy to predict, an email address is much harder to guess. Every WordPress account is tied to a unique email address, and the login form accepts it in place of the username.

  • 21. Log Idle Users Out
    Leaving your dashboard page open is not secure. Your website could be left open on a public computer and then altered by whoever uses that computer next. Enable automatic logout for idle users. The BulletProof Security plugin has this feature.

  • 22. Never Use Admin Username
    When you first create your WordPress website, the installer may default your administrator username to “admin”. This is extremely easy to guess, and it should be avoided at all costs.

WordPress Security

Finally, let’s discuss how to secure WordPress itself. Make sure these things below are second-nature.

  • 23. Install a WordPress Security Plugin
    Security plugins exist for a reason. Because it’s too time-consuming to manually check your website for malware and other harmful software, you need a way to automate this process.

    A security plugin will do this for you so you don’t need any additional tech skills. Sucuri and Wordfence are great options.

  • 24. Disable File Editing
    On WordPress, it’s easy to log in and edit your theme and plugin files directly in your browser. This means anyone who gets into your dashboard can change live code on your site. The editor is found under Appearance > Editor (called Theme File Editor in newer versions). Disable this feature for extra security.

  • 25. Update WordPress
    Yep, the easiest way to keep your WordPress website secure is to set up automatic updates. Updates regularly include security fixes, which means your website will be more secure. The same goes for themes and plugins.

  • 26. Be Careful with New Users
    If you have multiple authors on one blog, be careful when adding new users. The more people who have access to the admin panel, the more things can go wrong. If possible, give each user only the role they need rather than full administrator access.

  • 27. Monitor Your Activity
    You want to keep an eye on what your users are doing. This is true of any multi-author website. The WP Security Audit Log plugin will show you a full list of user activity, and you can even get reports sent to your email.

  • 28. Remove Your WordPress Version Number
    If your WordPress version is listed on your website (and by default it is, in the page source), an attacker can match it against known vulnerabilities for that exact release. You can hide it by adding a short snippet to your theme’s functions.php file. Hiding the number is no substitute for updating, since an unpatched flaw is still there whether or not the version is advertised.

  • 29. Keep Your Computer Safe
    If your computer or devices aren’t safe, neither is your website. Install a malware and virus scanner on your computer to stay aware of any security problems. Never log into your WordPress website over public Wi-Fi or on a site that isn’t served over HTTPS.

  • 30. Educate Yourself
    Last but not least, take the time to educate yourself about the most common WordPress attacks. The more you know about how hackers work, the better equipped you’ll be to stop attacks before they happen.
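As an added example that is not part of the original article, the following must-use plugin applies items 28, 21 and 25 with WordPress’ own hooks: it removes the version from the generator tag, feeds and core asset URLs, shortens login sessions, and opts in to automatic updates. The file name, the function names prefixed example_ and the session lengths are assumptions.

```php
<?php
/**
 * Plugin Name: Example Hardening (added example, not the article's code)
 * Save as wp-content/mu-plugins/example-hardening.php; mu-plugins load before
 * ordinary plugins, so nothing can deactivate it from the dashboard.
 */

// Item 28: stop advertising the WordPress version. Core prints it in a
// <meta name="generator"> tag, in RSS/Atom feeds, and as ?ver=X.Y on its own
// scripts and styles. Hiding it does not replace patching (item 25).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' ); // feeds use this filter too

function example_strip_core_version( $src ) {
    // Only strip ?ver= when it equals the core version. Plugins and themes that set
    // their own asset version keep it, so their cache-busting keeps working.
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );

// Item 21: shorten the login session so an abandoned dashboard expires on its own.
// WordPress defaults to 2 days (14 with "Remember Me"); these are assumed values.
function example_session_length( $expiration, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'example_session_length', 10, 3 );

// Item 25: opt in to automatic updates for major core releases and for every
// installed plugin and theme. Keep the backups from item 6 in case one misbehaves.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```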

How is Your WordPress Security?

Now’s the time to take a close look at your WordPress security. Your website is a huge asset. Don’t risk it by not being prepared with your own security.

These tips above don’t all have to be done at once. Start with the most important steps and grow your strategy from there.

However, make sure you take action. The worst thing you can do is wait for a cyber attack before changing your website. The more secure your WordPress site is today, the less problems you’ll face in the future.
