How to Secure WordPress Sites from Hackers (Ultimate Guide)

If you buy something through a link on this page, I may earn an affiliate commission, at no extra cost to you.

The most common reasons why WordPress sites get hacked are:

1. Security vulnerabilities in a plugin or theme
2. Compromised admin account

Therefore, to keep your site secure from the most common hacks, make sure you use quality plugins and themes that are kept up to date, and secure your WordPress login area.

Obviously there is a lot more to WordPress security, but that’s the 80/20 of it.

Keep reading to learn how to secure WordPress sites from the full range of security vulnerabilities.

1. Use Secure WordPress Hosting

Using better hosting is the first step towards securing WordPress.

1.1. Use Managed WordPress Hosting that Focuses on Security

The best WordPress hosting for security, in my opinion, is a good managed WordPress host. I believe that the majority of website owners are better of with a hosting provider that manages security for you behind the scenes. i.e. the server security essentials are preconfigured, ongoing security is managed by your host, security scans are done in the background, and security issues are fixed by the host if they occur, e.g. malware removal.

My top pick for a secure WordPress host is Rocket.net. Get a 1-month trial for just $1.

I also like Kinsta and Cloudways.

Here is what I look for in a secure hosting provider for WordPress sites:

• Free SSL/TLS certificates
• SFTP access
• Real-time server level malware scanning and patching/removal that doesn’t slow down your site. e.g. using Immunify360.
• Web Application Firewall (WAF) at the DNS level, e.g. through Cloudflare Enterprise integration.
• Protection against DDOS attacks, SQL injections, XSS attacks and other known attack types.
• 2FA for hosting account login security
• Dedicated IP address. i.e. does not share it with other accounts and websites on the same server.

A secure WordPress host should protect against all known threats, continually scan your website for threats, and provide the ability to restore or automatically fix security issues that occur.

1.2. Install an SSL/TLS Certificate and use HTTPS

If your site still uses HTTP instead of HTTPS, then it’s critical that you install an SSL/TLS certificate so that you can start using HTTPS.

Most managed hosting providers will automatically add an SSL/TLS certificate to your domain name once you’ve updated your DNS to point your domain name at their server.

However, some hosts, like Cloudways still require you to manually install an SSL/TLS certificate. It’s usually easy though. And it should be free. e.g. on Cloudways, you would go to your application > SSL Certificate > Add Domain > Add the www and non-www version of your domain > Save Changes.

If you don’t use one of my recommended hosts, and you aren’t sure how to install an SSL/TLS certificate to use HTTPS, then I suggest reaching out to your hosting support. If you don’t have support, or they make you pay for an SSL/TLS certificate, then you should consider moving to a better host.

What is an SSL certificate?

An SSL (Secure Sockets Layer) Certificate aka TLS (Transport Layer Security) Certificate is a protocol that encrypts information online between a server (e.g. Rocket.net, Kinsta, etc.) and browser (e.g. Chrome, Firefox, etc.). This is really important to keep user information safe, e.g. credit card details when making an online purchase and information entered via online forms. The SSL/TLS certificate also helps protect people from fake websites. This is because the certificate verifies that your browser is connecting with the correct server that actually owns the domain name.

This is why you should always check the URL to make sure the domain name is correct and secure. Most modern browsers show an icon (usually a padlock icon) to the left of the URL that you can click to check the domain name is correct and that your connection is secure.

1.3. Use a Web Application Firewall (WAF) at the DNS Level

If you use the hosting provider I recommended above, then you’ll get two preconfigured firewalls: 1. Cloudflare Enterprise to protect your site at the DNS/network level, and 2. Immunify360 to protect your server. Both of these will help protect your site from:

• SQL Injections (this protects your database from hacked scripts)
• Cross Site Scripting aka XSS attacks
• Malicious file uploads
• Directory traversals
• Unauthorised access
• Comment spam

If you want to save time and money, I highly recommend using Rocket.net.

Other WAF options include:

• Set up Cloudflare yourself along with custom WAF rules. You’ll need the PRO plan at a minimum, which costs $20/month.
• Try an alternative to Cloudflare called Fastly.
• Use a WAF provider like Sucuri.

Hopefully the above was helpful. I know it’s annoying to have to migrate to a new hosting provider. But if your current host doesn’t focus on security and performance, and if they don’t have an integration with Cloudflare Enterprise, then you should really consider upgrading to a better host.

2. Use a WordPress Security Plugin

One of the easiest ways to secure your WordPress website is by using a security plugin. They won’t do absolutely everything, but they will get you at least 80% of the way to a fully secured site.

2.1. How to Choose a Good WordPress Security Plugin

Here is what I look for in a quality WordPress security plugin:

• Web application firewall (WAF) that processes all requests before WordPress runs, acting as a real-time WAF, protecting against bad bots and malicious requests.
• Brute force login protection with advanced options
• 2FA
• Reporting of blocked users, IPs, etc
• Options to easily unblock users and IPs
• Ability to run one-time malware scans with options to scan additional folders and files
• Malware scans that tell you exactly what’s wrong and how to fix

2.2. Best WordPress Security Plugins

My favourite WordPress security plugin is currently Wordfence. This is what I use (free version) and what I recommend for most WordPress websites. It can depend on your particular website and hosting setup though.

My favourite WordPress website security plugins are:

1. Wordfence
2. Patchstack
3. Malcare

All of the above plugins have a free version too. However, only the free version of Wordfence is worth using in my opinion. If you choose Patchstack or Malcare, I would definitely use the paid version. I’ve also heard good things about Solid Security.

Recommended Wordfence Settings

Wordfence automatically configures default settings that are ideal for most websites. So I won’t go through all settings. What I will do is mention some additional settings I use for most sites.

In addition to the default settings, I recommend the below:

• Enable extended protection for the web application firewall
• Enable 2FA
• Lock out after how many login failures = 3 to 5 (the default of 20 is too high)
• Lock out after how many forgot password attempts = 3 to 5 (the default of 20 is too high)
• Increase the amount of time a user is locked out depending on your particular website and users. e.g. I lock people out for 2 months because I’m the only admin, but I have some clients who lock users out for only 10 minutes because they have thousands of users/members.
• Prevent the use of passwords leaked in data breaches = All users with publish post capabilities
• Enforce strong passwords = Force all members to use strong passwords
• How long is an IP address blocked when it breaks a rule = I like setting this to at least 1 hour, oftentimes 1 day
• Disable scheduled malware scans unless your website is at risk of malware infection
• When running a manual malware scan, tick the box to scan theme and plugins

Does Wordfence slow down your site?

No, Wordfence does not slow down your site IF you have it configured properly AND using a good hosting provider. I have never had an issue with Wordfence slowing down my site or any client site in any significant way.

The Wordfence firewall is actually really fast. The only thing that might slow down your site are scheduled malware scans that tax your server resources, but this is only an issue if you have a slow hosting provider or one with extremely low server resource limits. Scheduled scans should be disabled though unless your site is at a high risk of malware infection.

If you use cheap shared hosting or a host with low resource limits (e.g. CPU & RAM), then it’s certainly possible that Wordfence will slow down your site, especially while running a malware scan.

If you do have a shitty hosting provider, and you want to use Wordfence, makes sure you tick the box to ‘Use low resource scanning (reduces server load by lengthening the scan duration)’ and set ‘How much memory should Wordfence request when scanning’ to 50% or less of your max memory limit. e.g. my memory limit is 1GB and my allowed memory usage for Wordfence is set to 256MB.

I would also disable scheduled malware scans. I usually always disable this feature regardless of server resources and only run manual scans during WordPress maintenance.

Wordfence WAF vs Cloudflare WAF

If you are using one of my recommended hosting providers, you are probably wondering why you need a web application firewall (WAF) at the WordPress level in addition to a WAF at the network level through Cloudflare. Well, they both do a lot of the same things, but they provide the protection at different layers.

Generally speaking, Cloudflare provides a broad level of protection at the network level before traffic gets to your site, while Wordfence is tailored to WordPress and protects your site at the WordPress level before PHP requests are executed. In other words, Wordfence WAF acts as a layer 2 WAF to the Cloudflare WAF.

3. How to Secure WordPress Admin Login

Below you’ll learn how to secure the WordPress admin login page. You should apply most of these suggestions. I’ll let you know which ones are optional or situations in which they shouldn’t be applied.

3.1. Use Stronger Passwords

If your admin password is easy to guess, you are asking to be hacked. You should also force all website users with publishing capabilities to use strong passwords.

So, the first step is to force everyone to use a stronger password. This can be done using a number of security plugins, one of which I recommend is Wordfence, which has a feature to force stronger passwords AND many other great security features that I will talk about in more detail below.

The second step is to use passwords with random numbers, letters and symbols.

Tips for creating a stronger password:

Follow these guidelines to set a stronger password:

• Don’t use real words (I know it makes a password easier to remember, but it makes your password easier to guess by real human hackers and brute force login attempts).
• Passwords should be at least 16 characters long.
• Include at least one uppercase letter, lowercase letter, number, and symbol.
• Don’t repeat any letters, numbers or symbols.
• Don’t place letters or numbers in ordered sequences. e.g. abc, cba, 123, 321, etc.
• Set a different password for every account.

Tools for creating a stronger password:

While I don’t think you should fully trust any password generator (the generated passwords could be stored in a database somewhere?), I think they are a good starting point to set a stronger password. i.e. Use them to create a random password, then rearrange and change some of the numbers, letters and symbols to make it your own.

So, here are a few tools that you could use to help you set a stronger password:

• Bitwarden password generator (this is what I use)
• 1Password password generator
• Use the suggested password feature from your browser. e.g. Chrome and Firefox give you a suggested password when creating accounts on different websites.

Different ways to store your password

There are quite a few ways to store your password, each with their own inherent security risks.

Here are a few different ways to store your password:

• In your brain
• Written down on paper (e.g. notebook, back of a novel, etc.)
• Using an online password manager like Bitwarden or 1Password
• Stored in your browser’s password manager (e.g. Chrome, Firefox, etc.)

Storing a password in your head is usually limited to the most important passwords or a master password that you use to log into a password manager.

Writing passwords down on paper can be good for a few additional important passwords, especially if they are too hard to remember. But don’t write them all into the same book or on the same piece of paper. Don’t let anyone know you have passwords written down. Don’t leave your written passwords out in the open. And consider writing half of the password in one book and the other half in another book or piece of paper, especially if it’s used for something very important.

Using an online password manager like Bitwarden should be your go-to for passwords to every day accounts. Bitwarden is free to use to store and secure logins, cards, identities, and notes.

You can also use your browser’s password manager to remember all of your passwords. But I don’t recommend using this to remember logins to anything important. i.e. use it for Netflix, but don’t use it for your online banking. If you do use it for something important, make sure you set up a master password that is required to access and use all of the saved passwords.

3.2. Use Multi Factor Authentication (MFA)

Using multi factor authentication aka MFA is one of the best ways to secure the WordPress admin login. Each factor is like a category of potential credentials you can use to secure your site.

There are 3 primary authentication factors including:

• Knowledge Factor: This is something you know like your username, password, answer to secret questions, etc.
• Possession Factor: This is something you possess like a mobile phone to receive verification codes via SMS, authentication app, etc.
• Inherent Quality Factor: This is something inherent to you, like a face scan, fingerprint scan, etc. Most smart phones have this feature.

For the best security, use at least one credential from each of the above authentication factors. However, using credentials from two different authentication factors is usually enough. e.g. Username/password and verification code sent via SMS. It is possible to configure a face scan or fingerprint scan though using your smart phone.

Two Factor Authentication (2FA)

You’ve probably heard of two factor authentication aka 2FA? Well, this is one form of multi factor authentication, which adds an additional layer of security to your WordPress login area.

My second authentication factor is the possession factor where a verification code is sent to my smart phone. I’ve used quite a few different 2FA plugins for WordPress to achieve this, but my favourite is the 2FA feature from Wordfence. You scan a QR code, using an authentication app downloaded from Google Play or the Apple App Store like Authy or Google Authenticator, then use the verification code from your authentication app when logging into WordPress.

I also use and recommend Wordfence, so it makes sense to use their 2FA feature and not one from another plugin. However, the Wordfence 2FA feature only enables verification codes through apps like Authy, Google Authenticator, etc. If you want verification codes sent via SMS, email, etc, you’ll need to find another 2FA plugin.

2FA should be the bare minimum for your WordPress login security.

What’s the best plugin for adding 2FA to a WordPress login page?

I recommend using the Wordfence security plugin and enabling the 2FA option through its Login Security section. Or you can use the standalone Wordfence Login Security plugin if you have a different security plugin in place without 2FA.

Alternatively, here are some other good 2FA plugin options for WordPress:

• WP 2FA – Two Factor Authentication for WordPress
• Two Factor Authentication
• MiniOrange’s Google Authenticator

3.3. Use Unique Account Usernames

If you use a common account username like ‘admin’ or something obvious like the site owner’s name, you are basically giving hackers a head start.

So, when creating WordPress user accounts with admin privileges, don’t create one using common account usernames like ‘admin’. And don’t use a name if it exists somewhere on the website.

To help you create stronger usernames, I recommend using the Bitwarden username generator.

Delete the Default WordPress Admin Account

You should delete your default WordPress admin account If your hosting provider has configured WordPress to create one with the username ‘admin’ upon installation.

Deleting the default WordPress admin account can help prevent brute-force login attempts when the only unknown is your password.

3.4. Use a Unique Email Address as Login Username

Because WordPress allows you to use an email address as the username, you should also consider which email address you use to set up your user account.

To secure your WordPress login, it’s best to use an email address that doesn’t appear on your website (e.g. contact page) or the one used to register your domain name. Hackers will often test the email address found on a website’s contact page or the one associated with a domain name by doing a Whois domain name registration lookup.

3.5. Limit Login Attempts

One really good way to secure your WordPress site’s login area is to limit login attempts. This is especially important for protection against brute force login attempts.

The way I do this is by installing Wordfence, enabling brute force protection and customising the settings to my liking. The default settings are more conservative than what you see below.

You could also installed Limit Login Attempts Reloaded to limit login attempts and protect your WordPress site against brute force login attempts.

3.6. Use Cloudflare Turnstile (Not reCaptcha)

Have you heard of reCaptcha? You know, the thing that asks if you are human or to click all the boxes showing a fire hydrant? Well, Cloudflare Turnstile is the performance-focused alternative to this. It’s easier to set up, it doesn’t annoy real humans trying to log in (i.e. it doesn’t show a CAPTCHA), and my favourite thing is that it doesn’t slow down your site like Google’s reCaptcha.

Adding Cloudflare Turnstile to your WordPress login area is a great way to protect against bots and verify that visitors are human. If you use my recommended hosting provider, your site’s login area will already be protected out of the box with the Cloudflare Enterprise Firewall and a version of Turnstile where it automatically checks a visitor’s browser. If Cloudflare suspects the visitor is not human, a browser challenge will appear requesting the visitor to verify they are human.

If you use a different host, then I recommend setting up Cloudflare Turnstile using the Simple Cloudflare Turnstile plugin. It also has some really good options to enable turnstile for other important forms like registration forms, password reset form, comments form. And if you use WooCommerce, you can add it to the checkout, account login, account password reset, etc.

Note that if you have Wordfence installed, don’t enable reCaptcha. Use Cloudflare Turnstile instead, either through my recommended host or the aforementioned plugin.

If you were a bad bot or possibly visiting my login area from a private browser like Brave’s Private Window with Tor, you would probably see the below challenge to verify you are human.

Securing Your Contact Forms

You can also use Cloudflare Turnstile to protect your contact forms from spam. It integrates with all of the most popular contact form plugins.

If you care about performance though, I recommend using Fluent Forms. Fluent Forms allows you to drag and drop a Cloudflare Turnstile widget into each form you create. If your current contact form plugin doesn’t support Cloudflare Turnstile, then I highly recommend moving to Fluent Forms. They even have an easy-to-use migration tool!

3.7. Log Out of WordPress When Finished

It’s good practice to log out of WordPress when you are not working on it. This way there is no active session that someone else could get into. This is important if you are logging in from a device that is not your own, e.g. public library, someone else’s computer, etc.

3.8. Automatically Log Out Inactive Users

Following on from above, it’s good practice to log out inactive users to keep your WordPress site secure. You don’t want randoms being able to access your WordPress site from a user’s account if they’ve left it logged in on someone else’s computer.

Try thinking about your WordPress website that same way you would about online banking. Most online banking websites will automatically log out users after a certain amount of time or inactivity to keep their account secure. Do the same with your WordPress site.

If your WordPress website has multiple users, you can automatically log out inactive users with a plugin called Inactive Logout.

3.9. Use a VPN When Logging into WordPress from Public Wifi

If you like to work on your WordPress website from cafes or anywhere where you use someone else’s wifi network, it’s best practice to use a VPN before logging in.

In fact, you shouldn’t be logging into any accounts, not just WordPress, from public wifi or insecure networks without using a VPN.

I recommend using Mullvad VPN when logging into WordPress from public wifi.

You should also consider using a private browser like Brave, Firefox, or Mullvad Browser.

3.10. Update Passwords Regularly

It’s good practice to update your passwords regularly, even if you set strong passwords. By resetting your password, you help mitigate the risk that someone has figured out your password without you knowing via a weakness in your WordPress security.

For example, let’s say you made the mistake of sharing your password via email. The person you shared it with might have bad intentions OR they might get hacked themselves revealing your password to the hackers. Either way, resetting your password would eliminate these risks.

P.S. Don’t share your admin login details. Instead, share a temporary login link that expires after a set period of time (more on this below).

3.11. Limit Admin Access to Specific IP Addresses

Another way to secure the WordPress admin login area is to limit admin access to specific IP addresses. This can be very effective, but it could cause headaches if you have multiple users. It could also be very problematic if your users access the site from a dynamic IP address, which is common for home wifi setups.

If you want to limit admin access to specific IP addresses, you have a few options:

1. Add rules to your .htaccess file (if using Apache)
2. Add rules to Cloudflare WAF
3. Talk to your hosting provider

Here is an example of option #1 where the .htaccess file blocks access to the login page for everyone except the IP address 1.2.3.4. Just replace the 1.2.3.4. part with your own IP address.

<Files "wp-login.php"> 
Order Deny,Allow 
Deny from all 
Allow from 1.2.3.4 # Replace with your allowed IP addresses 
</Files>

Note that I don’t recommend limiting admin access to specific IP addresses if:

• You have a dynamic IP address, not a static one
• You have multiple WordPress users
• You have WooCommerce installed

If you do, then you might cause more harm than good.

Whatever you do, test changes in a staging site first!

3.12. Add HTTP Authentication to the Login Page

You could also add HTTP authentication to the login page. Basic HTTP authentication adds a login prompt for a username and password before being able to access the usual WordPress login. Don’t use this if you aren’t using HTTPS though, otherwise, it’s not secure.

I don’t personally use this for the WordPress login page as I think it’s overkill. I also don’t use it for other pages because WordPress has an option to password-protect these if I want.

However, I do think HTTP authentication is very useful for protecting specific folders or files. If this is something you want to do, talk to your hosting provider.

3.13. Consider Hiding Your Default WordPress Login URL

Firstly, if you already have the essential login security measures in place like a strong password, 2FA, web application firewall at the network and application level, brute force login protection, etc., then hiding your WordPress login URL isn’t necessary.

With that being said, changing your WordPress login URL from the default URLs (/wp-admin and /wp-login.php) to something like /max-custom-login or /ajsdbksc can help protect your site from bad bots and brute force login attempts targeting your default login page. This is because those bad bots and automated programs for guessing your password no longer know what page to target. Everyone knows the default login page for WordPress sites, but no one would know your custom login URL except for you and other users with admin privileges.

However, hiding your login URL doesn’t necessarily protect it. This tactic is known as security through obscurity, which doesn’t really secure anything. It just makes it a little harder for hackers.

Also, changing your WordPress login URL can cause problems with some plugins and prevent other security measures from working as intended. So be careful when using this tactic!

If you want to hide the default WordPress login URL and replace it with a custom URL, the most popular plugin is WPS Hide Login.

You could also use the hide login feature of Perfmatters.

Why I don’t usually hide the default WordPress login URL

I personally don’t use a custom login URL for this website. Doing so would be overkill.

I also prefer to see security analytics reported within Wordfence. e.g. Login attempts, blocked IPs, failed attempts, usernames used, which country the hackers are from, etc. It gives me a good feel for how many people/bots are trying to hack me. I think it’s better to know.

I could use a custom URL though but I doubt there would be any real benefit to my login security considering automated password-guessing programs are not getting through my login security measures anyway.

Also, if I get login attempts from a certain IP, I’d prefer that my system block them (this wouldn’t always happen with a custom login page). This way I’m using my default WordPress login URL as bait to block as many potential hackers as possible. i.e. if they are going to attempt a login, they are probably going to attempt other hacking tactics too.

Here is what I’m using instead of hiding the default WordPress login URL:

• Cloudflare WAF with firewall rules (mostly rate limiting) protecting /wp-login.php
• Brute force login protection through Wordfence
• 2FA through Wordfence

My login page has plenty of protection.

Check out the video below where Mark Maunder, the CEO of Wordfence, explains why you don’t need to hide your WordPress login page with a custom URL.

3.15. Never Share Your Admin Logins

You should never share your WordPress admin login details. If you need to give someone access to your WordPress site with admin privileges, send them a temporary login link that expires after a set time instead. To do this, I recommend using a plugin called Temporary Login Without Password.

3.16. Delete Inactive User Accounts

It is good practice to delete inactive user accounts to mitigate the risk of an exploit. They might have an easy to guess password or worse, they could be a hacker! It’s not just admin accounts you should be worried about, consider deleting inactive user accounts regardless of role.

Check out the below report from Patchstack showing new WordPress vulnerabilities found in 2023 associated with a range of different user roles.

3.17. Disable Setting – Membership: Anyone Can Register

If you don’t want visitors being able to register an account from your WordPress login area, then you should disable the setting for ‘Membership: Anyone can register’.

This setting should be disabled by default. Otherwise you’ll attract spam bots that automatically create user accounts. These spam bots can do a lot of damage to a WordPress site depending on the default user role assigned to registered users.

Most websites, even membership sites, don’t need this setting enabled. If you have a membership site with a plugin like MemberPress, member signups will work even if the Membership: Anyone can register setting is disabled.

You also don’t need it enabled to work with WooCommerce. If you use WooCommerce, customers can register an account during checkout or from the My Account area. This works differently to your WordPress Dashboard login area found at /wp-login.php or /wp-admin.

3.18. Secure all other online accounts

To maximise your WordPress security and online security in general, apply everything above to all of your online accounts.

Other critical accounts to secure include:

• Domain name registrar account (e.g. Cloudflare, GoDaddy, Namecheap, etc.)
• DNS management account (e.g. Cloudflare)
• WordPress hosting account (e.g. Rocket.net, Kinsta, Cloudways, etc.)

All accounts should be using at least the below security measures.

• Use strong passwords
• Use 2FA

4. Use Secure WordPress Software

Using secure software, i.e. WordPress, WordPress Themes, and WordPress Plugins, is critical to your WordPress security. Otherwise, your WordPress site could have known security vulnerabilities that hackers are actively trying to exploit.

4.1. Use Quality WordPress Themes & Plugins

The best place to start is with a quality WordPress theme built for security.

Here is what I look for in a quality WordPress theme and plugins:

• Lightweight
• Clean code (does not have a million unneeded design options)
• Follows coding standards and best practices
• Made for the default WordPress editor called Gutenberg
• Under active development (the longer the better)
• Compatible with the latest supported PHP versions

My favourite WordPress themes include:

• Generate Press
• Kadence

I prefer WordPress themes that use a block-based builder that works with the default WordPress editor (e.g. Generate Blocks, Kadence Blocks, etc.), not a theme that requires a different page builder that doesn’t work with the WordPress editor (e.g. WP Bakery, Divi, Elementor, etc.). I think clean, lightweight WordPress themes are the best way to mitigate the risk of future security vulnerabilities. Clean code with only the essential design options is the way.

As a general rule, don’t use ‘premium’ themes from marketplaces like Themeforest. They are often bloated with a million unneeded design options, not always actively supported, and managed by smaller teams that can’t patch a security vulnerability as quickly.

Look for Regularly Updated Changelogs

It’s a good sign if a theme or plugin has been under active development for many years. Especially if they are making proactive improvements, adding new features, etc, not just fixing issues for users.

4.2. Use the Latest WordPress, Theme & Plugin Versions

Every time I’ve had a call from someone needing help with a hacked website, the vulnerability has almost always been because of an outdated WordPress theme.

The latest version of WordPress, themes and plugins often have security patches to known security vulnerabilities. This is the security reason why you should use the latest versions.

However, sometimes a website is built using a WordPress theme or plugin that is not actively supported by its developer, i.e. the dev doesn’t patch known security vulnerabilities. This is why it’s important to use a WordPress theme and plugins that are actively supported by its developers and are built for security.

***Auto Updates

Because WordPress minor version releases often have security fixes, I set minor versions to auto-update. Everything else is manually updated so that I can manually check everything still works.

Add this to your wp-config file – define( ‘WP_AUTO_UPDATE_CORE’, ‘minor’ );

4.3. Delete Non-Essential Plugins

To mitigate the risk of current and future security vulnerabilities affecting your WordPress website, it’s best to keep it as clean as possible. i.e. Don’t install anything that you don’t absolutely need to. So, do some security maintenance right now and delete any non-essential plugins. This way you don’t have to worry about them being a potential security vulnerability in the future.

Make sure you delete, not just deactivate!

4.4. Use the Latest PHP Version

PHP is the underlying programming language used by WordPress sites. And just like WordPress, themes, and plugins can have security vulnerabilities, so can PHP. So, for the best security, you should be using the latest supported PHP version.

As of 27/04/24, the latest supported PHP version is 8.1. So if you are using anything below 8.1, you should update your PHP version immediately.

5. WordPress Security Best Practices

Below you’ll find some tips and tricks I’ve picked up over the years to keep your site secure.

5.1. Don’t Share Your Password

Note: I mentioned this in step 3 about securing your admin login area, but it’s worth mentioning again because so many website owners do this.

Sharing your password might seem like something you have to do if you want someone to work on your site, but it’s better to send someone a temporary login link instead. This way their access expires after a set period of time and your password is kept a secret. The same goes for creating user accounts with admin privileges – It’s better to send a temporary login link instead.

My favourite way to share a temporary login link without a password is with the plugin called Temporary Login Without Password.

If you absolutely have to give out your admin login details, don’t send them all through in the same email. Instead, send your username in one email, then your password in another but don’t mention the word password. This way if someone hacks your email account (or the person’s account who received your logins), they don’t then get access to all of your account passwords shared via email. As you can imagine, it’s pretty easy for the hackers to search your emails for keywords like, password, username, login, etc.

5.2. Regular Website Maintenance

Doing regular website maintenance is important to keeping your WordPress site secure. Specifically updating software to the latest available versions, especially when they have a patch for known security vulnerabilities.

Here is the general process I follow once per month for WordPress site maintenance:

1. Check server health, e.g. CPU, RAM, disk usage, etc.
2. Check security statistics to see if your site has been under attack.
3. Take a full server backup just in case I need to do a restore.
4. Run a malware scan.
5. Update WordPress, your theme, and all plugins to the latest available versions. Test updates in a staging site first though to make sure styling and/or functionality don’t break.
6. Following software updates, test contact forms and run a test order if you use WooCommerce.
7. Make sure your site is still sending email notifications, and that they aren’t ending up in spam.
8. Check Google Search Console for indexing issues, errors, etc.
9. Check for broken links.
10. Run a speed test using Google PageSpeed Insights. Check diagnostic items for performance, accessibility, best practices and SEO.

Check for expired theme and plugin licenses

Make sure your theme and all plugins are receiving the latest available updates. i.e. you should be getting a notification for each when there is an update available.

I’ve seen some WordPress sites that hadn’t updated their theme or a particular plugin for 5+ years. Mostly because the license expired, therefore the API wasn’t bringing in new available updates. So the outdated theme and plugins just went unnoticed.

And unfortunately I’ve seen some of these sites get hacked so bad they needed to be completely rebuilt from the ground up. So make sure you check all of your licenses are up to date and that the theme and plugin versions are actually the latest and greatest.

5.3. Take Regular Website Backups

Imagine if your site got hacked, stop working all of a sudden, etc, and you didn’t have a backup? You’d have to manually fix everything, which is often a nightmare. So make sure you take regular website backups so that you can easily restore your website when things go horribly wrong.

Here are the backups I recommend taking:

• Automated server backups taken on a daily basis (minimum)
• On-demand server backups taken immediately prior to software updates or any major website changes or activities like a revamp, migration, handover, etc.
• Redundancy backups stored in the cloud using a backup plugin like UpdraftPlus.
• If you use WooCommerce, use a software like Blogvault for real-time backups. This way you don’t lose recent orders during a full website restore.

Check out my guide to the best WordPress backup plugins.

• Server backups (minimum daily, but you could do daily)
• Off-site backups (e.g. using Blogvault or Updraft)
• Make sure you can easily restore backups if needed

5.4. Conduct Regular Website Security Scans

Conducting regular website security scans should be part of your month to month website maintenance. If it’s not, start by implementing all tips from this article.

Once you have a solid security foundation, I recommend running a security scan once per month.

I currently use and recommend Wordfence to run a manual scan each month. If you use it as a security plugin, then it’s a no-brainer to use it’s security scan feature.

If you don’t use Wordfence, then you could try:

• Patchstack
• Malcare
• Sucuri

Security scans are great for checking:

• Security vulnerabilities in WordPress, themes, and plugins
• Suspicious activity, e.g. file changes
• Malware

5.5. Limit WordPress User Permissions

Make sure your users don’t have higher permissions than they need. Most importantly, don’t make just anyone an administrator. Assign user roles based on what they need, nothing more.

Here is a list of WordPress user roles and their permissions:

• Administrator: Admins have full control over the site and can perform any action.
• Editor: Editors can manage and edit all posts, pages, comments, categories, tags, and can also upload media.
• Author: Authors can create, edit, and publish their own posts, as well as upload media.
• Contributor: Contributors can write and edit their own posts but cannot publish them or upload media.
• Subscriber: Subscribers receive updates from your site.

You could also manage the exact permissions for each user role, even create your own, using a plugin like User Role Editor.

5.6. Monitor All Users

If you have multiple users with admin, editor, author or even just contributor access, it’s worth monitoring them all to help keep your WordPress site safe.

Key user activities to monitor include:

• Logins (successes & failures)
• Creation of new user accounts
• User account deletions
• File uploads
• Creating/publishing new pages
• Plugin installations
• Theme changes
• Settings changes

Benefits of monitoring users include:

• Monitor suspicious activity
• Monitor employees doing work including time spent on tasks
• If your website breaks, activity logging can help troubleshoot the cause and the user responsible for breaking your site

If you use Rocket.net, make sure you enable the Activity Log. This will log all website activity and changes including: Date, Author, IP Address, Type, Label, Action, and a Description.

If you don’t use Rocket.net and your current host doesn’t have activity logging, then you could try using one of the below activity log plugins:

• WP Activity Log: Detailed activity tracking and reporting
• Activity Log: Simple activity tracking and reporting

5.7. Monitor Downtime

If your website goes down without you knowing about it, you could be leaving money on the table. You could be missing out on leads and/or sales. So, it’s a good idea to use downtime/uptime monitoring so you are made aware as soon as possible.

I use and recommend a free website monitoring service called Uptime Robot.

6. How to Harden WordPress Site Security (Advanced)

I’ve included advanced security hardening tips at the end, because these won’t be needed by most WordPress sites if you implement everything from above.

But if your site is built using poorly coded themes, plugins, or using a bunch of custom code that looks dodgy, then you might want to consider implementing the security hardening tips below.

6.1. Enable WP Toolkit Security Measures If Using cPanel

If your hosting provider uses cPanel, make sure you have WP Toolkit installed with relevant security measures enabled. These security measures encompass all of the best security hardening tactics.

WP Toolkit security measures include:

• Disable scripts concatenation for WordPress admin panel
• Enable bot protection
• Restrict access to files and directories
• Configure security keys & salts
• Block access to xmlrpc.php
• Block directory browsing
• Forbid execution of PHP scripts in the wp-includes directory
• Forbid execution of PHP scripts in the wp-content/uploads directory
• Block access to wp-config.php
• Turn off pingbacks
• Disable PHP execution in cache directories
• Disable file editing in WordPress Dashboard
• Change default database table prefix
• Block access to sensitive files
• Block access to potentially sensitive files
• Block access to .htaccess and .htpasswd
• Block author scans
• Change default administrators username

If you don’t use WP Toolkit on cPanel, I’ll share some of the more important security hardening tactics below and how to implement them.

6.2. Disable File Modifications

If a hacker gets access to your WordPress Dashboard, they could easily install a free plugin like WP File Manager to get access to all of your website files, i.e. all files inside the public_html folder on your server, and install a free plugin like WP phpMyAdmin to get access to your database. From here a hacker can do almost anything!

To prevent this from happening, you can disable the functionality to install new plugins by disabling file modifications. This can be done by adding the below rule to your wp-config.php file.

define( 'DISALLOW_FILE_MODS', 'true' );

Note that this rule will disable more than just plugin installations though.

Disabling file modifications using define( ‘DISALLOW_FILE_MODS’, ‘true’ ); will:

• Disable & remove button to Add New Plugin
• Disable & remove button to Add New Theme
• Disable & remove Theme File Editor
• Disable & remove Plugin File Editor
• Removes the Updates section from Dashboard > Updates
• Removes ability to update WordPress, theme, and plugins
• Prevents auto software updates

If a hacker tried to access the URL for any of the above functions/areas, e.g. /wp-admin/plugin-install.php to install a new plugin, WordPress will show a security notification that says, ‘Sorry, you are not allowed to access this page.’.

Disabling file modifications is one of the best ways to harden your security and lock everything down IF you don’t need to add any new plugins or themes, edit any files from within WordPress, or update WordPress, themes or plugins.

However, if your site is already secure from using a good host, securing the admin login area, using a security plugin like Wordfence, using secure software, and following best practices for WordPress security, then disabling file modifications is likely overkill. But it’s better to be safe than sorry. Just make sure to re-enable file modifications once per month when you are doing website maintenance. This way you can update all software to the latest versions and add any new plugins you’ve got planned for new functionality.

Editing wp-config.php

You can edit your wp-config.php file via:

• Hosting account > file manager > wp-config.php
• FTP/SFTP
• SSH

6.3. Disable XML-RPC

XML-RPC is an outdated way for applications outside of WordPress to communicate with WordPress. External applications should be using the WordPress Rest API instead.

XML-RPC can also open up your site to security risks. After all, it allows communication between external applications and yours. So you can imagine hackers love this protocol to help find ways to access your site.

So, to harden your WordPress security, it’s best to disable XML-RPC.

You can easily disable XML-RPC via the 2FA login security section of Wordfence.

6.4. Use .htaccess File to Restrict Access

If you are using a good host that focuses on security, the below restrictions should already be in place. However, if you don’t use one of my recommended hosts, you should definitely consider using the .htaccess file to restrict access (if using Apache). If you use another web server like Nginx, talk to your host about adding a compatible version of the below restrictions.

Start by checking if you can access the below files:

• yourdomainname.com.au/.wp-config.php
• yourdomainname.com.au/.htaccess

If you don’t see a message saying forbidden or you have been blocked, and can see the file details, then you should definitely add the below rules!

Protect wp-config.php file

<FilesMatch "wp-config\.php">
  Require all denied
</FilesMatch">

Protect .htaccess file

# Protect .htaccess file
<Files .htaccess>
	Order allow,deny
	Deny from all
</Files>

Prevent directory browsing

# Prevent directory browsing
Options All -Indexes

Restrict login access to specific IP addresses

This rule is also mentioned in 3.11. about limiting admin access to specific IP addresses. Just replace the 1.2.3.4. part with your own IP address.

<Files "wp-login.php"> 
Order Deny,Allow 
Deny from all 
Allow from 1.2.3.4 # Replace with your allowed IP addresses 
</Files>

If you are wanting to harden your security, start with the above .htaccess rules. These rules prevent access to important files. However, if you feel your site security is still weak, and hackers are likely to get in via other methods, you could also add a secondary security hardening layer of .htaccess rules like the below.

Prevent PHP backdoors

<Files *.php>
deny from all
</Files>

Restrict access to WordPress includes folders

# Block Uploads to WordPress Includes Folders
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php \
– [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
</IfModule>

6.5. Prevent Image Hotlinking

Image hotlinking is when someone embeds an image from your site. This way it loads from your site, using your server resources, while it display on their website.

Here is a .htaccess rule written by Jeff Star at Perishable Press to prevent image hotlinking.

# Prevent Image Hotlinking
<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP_REFERER}     !^$
 RewriteCond %{REQUEST_FILENAME} -f
 RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$           [NC]
 RewriteCond %{HTTP_REFERER}     !^https?://([^.]+\.)?domain\. [NC]
 RewriteRule \.(gif|jpe?g?|png)$                             - [F,NC,L]
</ifModule>

6.6. Disable PHP Code Execution for Uploads Directory

Enable the Wordfence setting: Disable Code Execution for Uploads directory.

Wordfence will add another .htaccess file inside your uploads directory to prevent php code from executing even if PHP files are uploaded or present.

6.7. Add Security Headers

Start by scanning your website via securityheaders.com. This security header test will tell you what security headers are missing, recommended security headers and an explanation of each.

Recommended security headers include:

• HTTP Strict Transport Security (HSTS): HTTP Strict Transport Security is a security feature that enforces the use of HTTPS on your site. By setting this header, you instruct the browser to only interact with your site over a secure connection, enhancing your site’s protection against protocol downgrade attacks and cookie hijacking.
• Content Security Policy (CSP): Content Security Policy is a robust tool to defend your site from Cross-Site Scripting (XSS) attacks. By defining a whitelist of trusted content sources, CSP restricts the browser from loading assets from unapproved origins, thereby preventing the execution of malicious scripts.
• X-XSS Protection: X-XSS-Protection configures the XSS Auditor in older browsers to detect and block XSS attacks. The recommended configuration was “X-XSS-Protection: 1; mode=block”, but with the advent of Content Security Policy, this header is becoming less relevant.
• X-Frame Options: X-Frame-Options controls whether your site can be framed by other sites. By setting this header, you can protect your site from clickjacking attacks by specifying whether your content can be embedded in a frame or iframe. Common values are “DENY” and “SAMEORIGIN”.
• X-Content Type Options: X-Content-Type-Options prevents the browser from MIME-sniffing a response away from the declared content type. The only valid value is “nosniff”, which ensures the browser adheres strictly to the specified content type, mitigating certain types of attacks.
• Referrer Policy: Referrer Policy allows you to control how much referrer information the browser includes with requests originating from your site. This helps manage privacy and security by limiting the amount of information sent during navigation away from your site.
• Permissions Policy: Permissions Policy (formerly known as Feature Policy) allows you to specify which browser features and APIs can be used on your site. This helps to improve security and privacy by restricting potentially harmful functionalities.

How to Add Security Headers to WordPress

To add security headers to your WordPress site, follow the below steps.

Step 1: Copy paste the below security header rules into to your .htaccess file if using Apache. You can access your .htaccess file via your server’s file manager or via SFTP/FTP. If using NGINX, ask your host to add the NGINX formatted version.

Note that these security headers won’t suit all websites, so edit them to suit your particular setup and security requirements. However, they should suit most WordPress websites.

# Security Headers
<IfModule mod_headers.c>
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Frame-Options "SAMEORIGIN"
	Header set X-Content-Type-Options "nosniff"
	Header always set Content-Security-Policy "upgrade-insecure-requests;"
	Header set Referrer-Policy "strict-origin-when-cross-origin"
	Header set Permissions-Policy "geolocation=*"
</IfModule>

Step 2: Clear server cache and then test your website using https://securityheaders.com/ to ensure security headers are implemented. You should get an A+ score with everything in green.

Step 3: Add your website to Chrome’s HSTS preload list. This will hardcode your website into future versions of Chrome as being HTTPS only. This should also include all other major browsers (e.g. Firefox, Safari, Edge, Opera, etc.) because their preload lists are based on Chrome’s HSTS preload list.

6.8. Move wp-config outside of the root folder

Your wp-config.php file contains sensitive information like your database username and password, so it seems logical to store this file somewhere secure, i.e. not in the root folder that could potentially be accessible to the public. Storing it one level up is usually best practice.

Note that there are differing views about whether this security measure helps or not. It seems to me that it can’t hurt to implement, just in case a hacker was somehow able to view the sensitive database credentials in the wp-config.php file.

If your hosting provider allows (some don’t), move the wp-config.php file one level up, outside of the WordPress installation. WordPress should still be able to find this file if it’s only one level up.

6.9. Setup Security Keys & Salts

WordPress uses security keys to improve encryption of info stored in a user’s cookies. If you don’t have these set inside your wp-config.php file, then use https://api.wordpress.org/secret-key/1.1/salt/ to generate your security salt keys.

Once you have generated them, add them to your wp-config.php fie using the below format:

define( 'AUTH_KEY', 'security-key-goes-here' );
define( 'SECURE_AUTH_KEY', 'security-key-goes-here' );
define( 'LOGGED_IN_KEY', 'security-key-goes-here' );
define( 'NONCE_KEY', 'security-key-goes-here' );
define( 'AUTH_SALT', 'security-key-goes-here' );
define( 'SECURE_AUTH_SALT', 'security-key-goes-here' );
define( 'LOGGED_IN_SALT', 'security-key-goes-here' );
define( 'NONCE_SALT', 'security-key-goes-here' );

6.10. Check File Permissions

Your file permissions determine who can read, write and execute files. This is really important!

Patch Stack recommends the below file permissions for WordPress sites:

• 755 for directories: This means the owner can read, write, and execute directories, while the group and others can only read and execute.
• 644 for files: This means the owner can read and write files, while the group and others can only read.
• 640 for wp-config.php: This means the owner can read and write the wp-config.php file, while only the group can read the file.

For a full explanation of WordPress file permissions and why the above permission settings are recommended, read this guide from Patch Stack.

Security Hardening Tactics Not Worth Doing

Disabling Theme File Editor & Plugin File Editor

Note: If you have already disabled file modifications by following step 6.1 above, you can skip this step. Disabling file modifications automatically disables the theme and plugin file editors.

Disabling the Theme File Editor and Plugin File Editor doesn’t necessarily harden security, but it does prevent other users from accidentally making changes to files they shouldn’t. e.g. Another user with admin privileges could make changes to theme files through Appearance > Theme File Editor. So it can help to disable these settings from showing.

To disable the Theme File Editor, add the below code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', 'true' );

Note that if a hacker was able to log into your site, having your theme file editor and plugin file editor hidden will not keep your site secure. The hacker could easily install a new theme, new plugins, etc, including certain plugins that give them access to all of your website files and your database. If you want to lock down your site, not just prevent accidental file changes, follow step 6.1 above to disable file modifications instead.

Using a Custom Database Prefix (don’t use wp_)

• This is security through obscurity
• Only real benefit is hiding from bots scanning for wp_
• If someone wanted to hack your site, they don’t need to know you are using wp_ prefix.
• To hack your site, they would get into your WordPress Dashboard > install WP phpmyadmin and get instant access to your database. Or install file manager > get database credentials from your wp-config file > then get get access to your database remotely

Hiding WordPress Version

• This is similar to other security through obscurity measures.
• It doesn’t help with security, it only MAYBE hides your Wordpress version from bots scanning your site.
• You should be using the latest version of WordPress anyway. So you should show bots and hackers you are using the the latest most secure version. This is more likely to deter them.

WordPress Security Statistics 2023

To give you an idea about the importance of WordPress security, here are some of the key WordPress security statistics published by Patchstack.

• Plugins contributed to 97% of new security vulnerabilities, Themes contributed to ~3%, and WordPress core contributed to ~0.2%.
• In 2023, Patchstack found 5,948 new vulnerabilities in plugins and themes (24% more than in 2022)
• Cross-Site Scripting (XSS) attacks accounted for 53.3% of all new security vulnerabilities.
• 58.9% of security vulnerabilities did not require any authentication to be exploited! 
• In 2023, Patchstack reported 827 plugins and themes as abandoned (up from 147 last year). Are you using an abandoned plugin? When was the last time the plugin author/developer updated it? If it was more than a year ago, you should probably remove it ASAP.

Most Common WordPress Security Vulnerabilities

The most common WordPress security vulnerabilities in 2023 as reported by Patchstack include:

• Cross-Site Scripting (XSS) = 53.31%
• Cross-Site Request Forgery (CSRF) = 16.85%
• Broken Access Control = 12.9%
• SQL Injection = 4.47%
• Sensitive Data Exposure = 2%
• Arbitrary File Upload = 1.53%
• Privelege Escalation = 1.19%
• PHP Object Injection = 0.91%
• Bypass Vulnerability = 0.81%
• Server Side Request Forgery (SSRF) = 0.74%

My WordPress Security Stack

My current WordPress security stack includes:

• Rocket.net (Hosting)
• Cloudflare (CDN + WAF)
• Wordfence (WordPress security plugin including 2FA)

I also use the below tools for general online security:

• Bitwarden (Password Manager)
• Mullvad (VPN)
• Brave or Firefox (Browser)

Wrapping Up

Securing your WordPress site is essential to protecting your website from hackers, malware, downtime, and potentially expensive malware removal services or website rebuilds.

By following the steps I’ve outlined in this guide – from choosing a reliable hosting provider and keeping WordPress, your theme, and plugins up to date, to implementing strong passwords and 2FA – you can significantly reduce the risk of website hacks.

Also, regular backups, using a good security plugin like Wordfence or Patchstack, and proper file permissions provide an extra layer of defense.

Remember, security is an ongoing process, not a one-time task. So, make sure you are maintaining your website from month to month.

Need help with website maintenance? View my WordPress website maintenance plans.