WordPress is the world’s most popular website platform. Providing a solid baseline that can be further enhanced with thousands of community-sourced plugins, it can do almost everything you can think of. But success can draw the wrong kind of attention, with many WordPress website owners finding their sites under attack. 

Fortunately, there are plenty of ways to up the security of your WordPress site that don’t require a lot of know-how. In addition to choosing a reputable WordPress Hosting provider with excellent security features, you can implement common-sense security best practices like setting strong passwords and always installing the latest WordPress updates. Below, we look at the most common threats for WordPress websites and 19 ways to improve the security of your site, whether you’re just starting out or well established.

Why is WordPress security so important?

WordPress is a widely used content management system and is favoured by many due to its user-friendly interface, extensive plugins, themes and open-source nature. However, its popularity also increases the risk of security vulnerabilities, which can have serious consequences if not addressed.

Security breaches on WordPress sites can result in data theft, website defacement, malware injection, and even complete site takeover. These incidents can damage your online reputation, and lead to financial losses, legal implications, and a breach of customer trust. None of these are what you want – especially if you run an online store on WordPress!

For bloggers and content creators, a security breach can compromise their hard work, expose private information, and potentially lead to the loss of valuable content and audience engagement. With this in mind, it’s important to maintain a secure WordPress site to protect your online presence, safeguard your data, and ensure a positive user experience for your visitors. 

Why focus on WordPress security?

First, before we look at our top tips for improving WordPress security, we need to establish why we need to focus on this as a priority. Isn’t WordPress secure enough already?

While WordPress is a safe and reliable platform, this doesn’t mean you can ignore essential security measures. Any website could be vulnerable to hackers if proper precautions aren’t taken, and because WordPress is popular and open-source, it does have its own security flaws that need to be addressed. So why are all of these security tips so important?

1. Improving SEO

Google wants to recommend the best and most helpful content to users, and because of this, it punishes sites with poor security measures in search engine rankings. Google certainly doesn’t want to recommend malware-ridden websites to its users, so if it detects that your site is infected or vulnerable to attacks, it won’t give you high rankings in the results of relevant search terms – or you could even be blacklisted from search results in more extreme cases.

So, to improve your WordPress website’s SEO – which means you’ll be appealing to search engines in order to increase your rankings in search engine results – you need to fix your site’s security measures. Having robust security in place (which we’ll discuss below) sends all the right signals to Google, rewarding you with higher rankings and more traffic as a result. 

2. Earning trust

It’s not just Google that expects strong security from your WordPress website. Visitors to your site expect their data to be protected and to not pick up any malware from your site, especially if they’re hoping to enter their payment information to make a purchase. 

If visitors sense that your website isn’t secure (such as by noticing spammy links or a lack of SSL certificates), they’re much more likely to leave your website and look for what they need elsewhere, leading to reduced traffic and conversions. No one wants to take risks when it comes to their personal data, so to earn trust from your visitors, you need to demonstrate that you take security seriously.

3. Protecting your reputation

It only takes a few security blunders and data leak incidents to completely destroy a website’s reputation. If you’ve demonstrated that you don’t invest time, money and effort into protecting customer data, you’ll earn a negative reputation in your industry as a brand that doesn’t care about its customers. No matter how good your products or services are, it’s hard to change people’s opinions when they’re worried about their data being compromised on your site.

On the other hand, if you offer robust security, this increases consumer confidence and can help you build a strong reputation in your industry. While good security alone can’t build your brand, it’s certainly a key ingredient of success.

Common WordPress security problems

But what kind of security threats will you need to protect yourself against? It’s important to have a well rounded security strategy to protect against a range of cyber threats, but here are the most common vulnerabilities for WordPress websites:

1. SQL injection attacks

SQL injections, also known as database injections, are a type of cyber attack where a hacker submits malicious code to a website’s database through an entry field like a contact form. The database then stores this malicious code, allowing the hackers to view and modify your database. This compromises data privacy and security. 

2. Brute-force login attempts

Brute-force login attempts are a very simple and unsophisticated type of cyber attack, but this doesn’t mean you should get complacent with them. With this type of attack, hackers attempt to gain access to your WordPress accounts by using automation to guess as many username and password combinations as possible, in the hopes that they will eventually get the right details. 

3. Denial-of-Service attacks

Denial-of-Service or DOS attacks prevent users from accessing websites by overloading the server with traffic, causing it to be unable to respond to authentic requests or completely crash. This leads to website downtime, causing lost revenue and a lot of frustration for both visitors and website owners. 

This issue is exacerbated with DDoS (distributed denial-of-service) attacks, which is when servers are overloaded by multiple computer systems exploited by hackers. Since these attacks are conducted by many more machines, the consequences for your website are even more severe.

4. Cross-site scripting

Cross-site scripting (XSS) is another type of injection attack where a hacker injects malicious code into a website. This code consists of client-side scripts that will execute in an unsuspecting user’s browser when they visit your website, compromising their interactions and allowing hackers to gain access to data and hamper your website’s functionality.

5. Backdoors

Backdoor attacks help cybercriminals bypass authentication procedures on your WordPress website to gain unauthorised access. They can place these backdoor files among other WordPress source files to help them gain access discreetly, as inexperienced WordPress users often won’t be able to detect these backdoors.

6. Phishing

Phishing is an extremely common type of scam that involves fraudsters posing as legitimate companies to persuade people to do something, such as divulge personal information or download malware. If a hacker gains access to your WordPress account using one of the techniques listed above, they could easily impersonate your brand and send out phishing emails to customers, which would be disastrous for your brand reputation.

Plus, hackers look for these common vulnerabilities to see if they can exploit them to get access to your site’s data:

  • Outdated plugins and themes that haven’t installed the latest security patches.
  • Outdated versions of WordPress that also don’t have the latest security fixes.
  • Plugins and themes from unreliable or untrustworthy third parties.
  • Default settings (more on this later).

7. Using third-party add-ons

While WordPress plugins and themes provide useful features, they can also pose security risks if not developed and maintained properly. Using outdated, nulled, or pirated plugins/themes from untrustworthy sources can be particularly dangerous, as they may contain malicious code or security vulnerabilities that can exploit your WordPress site.

8. Human mistakes

Human errors happen, such as accidentally exposing sensitive information, using poor security practices, or falling for social engineering attacks. Although these attacks are becoming more sophisticated, a lack of user education and awareness about security best practices can result in avoidable security incidents. If it doesn’t look right, it probably isn’t!

Any one of these common WordPress cyber attacks or vulnerabilities could be a huge problem for you. Luckily, you can reduce the risk of becoming a victim yourself by implementing robust security measures on your WordPress site. 

19 ways to secure your WordPress site

1. Use the right WordPress security plugins

You likely have a number of plugins installed on your site, covering everything from basic features to fully-fledged ecommerce capabilities. With all the possibilities available, it’s no surprise that plugins can be used to help you secure your WordPress site, too. Here are some essential WordPress plugins to consider:

All-in-one security plugins 

Wordfence, Cerber Security and iThemes Security are security plugins that act as all-in-one firewalls for your WordPress site. They scan the files of your website to ensure there’s no malware hidden in anything that’s been uploaded. They also mitigate brute force attacks by limiting login attempts to the site, among many other features. If you’re serious about protecting your site, using at least one of these plugins is a must.

Audit log plugins

An audit log plugin, such as WP Security Audit Log, is also a very helpful tool for managing your server. These plugins will show you a log of any activity on your website, including showing when users log in or out, and any changes to your site’s files. By collecting this information in one place, they help you keep an eye on what’s happening to your site.

Two-factor authentication plugins

Two-factor authentication (2FA) isn’t implemented in WordPress sites by default, but you can get a plugin to do it. Two-factor authentication adds a crucial extra step to logging into your website, preventing unauthorised logins even if they crack your password. All-encompassing plugins such as Wordfence also include 2FA within their functionality, and as you’ll find out, it’s best to limit your number of plugins where possible.

CAPTCHA plugins

Wondering why you sometimes get asked if you’re a robot when browsing online? These are called CAPTCHA tests, and they can help to prevent spam and cyber attacks from bots by determining if the user trying to access a web page is actually a person. If you’re struggling with bot-based security threats like DDOS attacks, adding a CAPTCHA test to your WordPress site with a CAPTCHA plugin is a great idea. Plugins like Advanced Google reCAPTCHA and reCaptcha by BestWebSoft are popular examples.

2. Perform a WordPress security audit

Doing a WordPress security audit is key to spot weak points and keep your website safe from online attacks. This involves looking at how secure your site is at this point in time – including updates for themes and plugins, access controls and much more. Checking helps find weak spots that hackers could use, which stops possible break-ins that could put user info at risk and damage your site’s reputation.

To audit your WordPress site, there are a variety of tools you could use, such as:

  • Sucuri SiteCheckscans your website for malware, hacks, and blacklist status
  • WPScanscans your site for known vulnerabilities within the WordPress core and WordPress plugins and themes. It also checks for weak passwords and exposed files
  • PHPStan – allows you to find bugs in your php code without running tests
  • XSSertests Cross-Site Scripting (XSS) vulnerabilities
  • Wordfence – improves and manages the security of multiple WordPress sites from a single console
  • …and many more.

3. Upgrade to HTTPS

Where having an SSL certificate used to be something reserved for ‘proper’ websites, initiatives from web giants like Google to push sites towards HTTPS have had a huge effect on the prevalence of site encryption. Now, sites with only HTTP are flagged as insecure when visited, which can be problematic when you’re trying to draw visitors to your site.

But looking good for potential visitors isn’t the only reason why HTTPS is so vital. Having HTTPS in place prevents data being intercepted while it’s being transmitted across connections by encrypting it while in transit. This protects it from not only malicious attackers but also intrusive companies and ISPs that seek to monitor the data.

You’ll need to choose whether you go for a free or paid SSL certificate, but what you choose will depend on the site you have. Whichever method you decide, HTTPS is a must for your website.

4. Move away from default settings

By default, the URL of the page you use to log into and administer your website will be www.example.com/wp-login. It may also refer to /login or /admin. The issue with these URLs is that they’re easy to guess for someone who isn’t familiar with your site. All they need to access your login form is the address of the website, which they can easily see if it’s public. They can then get to your login page using one of the above URLs, then proceed to make any number of brute-force login attempts to breach your account, as explained earlier.

Furthermore, the default administrator login is set to ‘admin’. That means that if your site is left using the defaults, someone can reach your login page and enter the correct username without needing to crack anything. They only have the password to get past at that point before gaining access to your site.

That’s why we recommend using one of the security plugins above, which will automatically detect if a user is named admin and allow the username to be changed to make it more difficult to guess the login details. They also enable you to adjust the login URL of the site to make it harder for unauthorised users to locate it.

While a strong password and 2FA setup will prevent many attempts to access your account, every step you can take to prevent attackers even getting that far is a no-brainer.

5. Keep up to date

Even if you have no plugins installed, there are a few things powering your site that will be updated every so often, including your WordPress install itself. And no matter what cocktail of plugins you decide to add to your setup, they will all need updating at some point or another.

It’s critical that you ensure your WordPress install and all of your plugins are always updated to the latest version. While this seems like a hassle at times, especially when you have a lot of plugins, it’s vital that any patches are applied as soon as possible. To find out why that is, simply take a look at the patch notes released with each update. You’re likely to come across a number of bug fixes – and many of those represent vulnerabilities within the plugin or within WordPress itself.

When vulnerabilities are discovered, the plugin creators are often very quick to fix them, announcing the latest version as soon as they can. However, as users do not update their plugins often enough, many are left without the fix – and with a gaping hole in their security.

If you are running quite a lot of plugins, a further plugin such as Easy Updates Manager allows you to click a single button to check for, and install all available updates. This makes it far easier to ensure that all possible holes are patched.

Don’t forget to upgrade to the latest version of PHP too! PHP is the scripting language used for WordPress, and if you want bugs and security issues to be addressed, you need the most recent versions with active support.

6. Minimise your footprint

Contrary to many of the suggestions in this post, another effective method of increasing your WordPress site’s security is to try and use as few plugins as possible. Rather than using a completely different plugin for each feature, try and find a plugin that encompasses all of those features into one. These multi-functional plugins also tend to have better support behind them than those that only fulfil one function, with many of the larger security and management plugins even having whole teams of people working on them.

Every separate plugin or theme you have installed on your WordPress site should be treated like another door you need to lock, and another potential entryway for malicious attackers. Therefore, minimising your number of plugins is a surefire way of reducing the likelihood of an unauthorised user accessing your site.

And vulnerabilities being found in plugins is not rare – in 2020 three popular plugins were found to contain vulnerabilities, and more recently other plugins like User Submitted Posts and Abandoned Cart Lite for WooCommerce have been under the spotlight for their security risks. which allowed unauthorised users to gain admin access. The compromised versions of these plugins affected a combined 400,000+ websites.

7. Create secure accounts

Still using a weak password or using the same one for all of your accounts? It’s time to switch to a strong, unique username and password to keep your WordPress site secure. If a hacker can guess your login credentials, this could give them unfettered access to your website, where they can steal data, install malware, reduce your revenue and severely damage your reputation.

The key to a strong password is to make it very hard to guess – your password should have lots of characters, including a mix of uppercase letters, lowercase letters, numbers and symbols. For example. “My$!t£2024” would be more secure than simply typing “mysite”. Plus, if you’ve got a team of employees, make sure you highlight the importance of setting a strong password and not sharing it with anyone else. You should also remind your employees not to reuse passwords across multiple accounts. If they’re worried about forgetting passwords, they can use secure password management software to store them.

Account permissions and deletion

Team training can go a long way towards improving your site’s security, but to be extra safe, you should always set the appropriate permissions for each account. It’s best to implement a policy of least privilege, meaning that employees should be given the minimum level of access or permissions needed to do their jobs. This will prevent junior employees from accessing important files they don’t need to see, reducing the risk of security breaches and accidental file deletion. 

Plus, if you create accounts for freelancers and developers, you should always remember to remove them after their work is complete. Inactive accounts can easily become potential entry points for hackers, so don’t get complacent with them.

Auto-logout

If you often use public computers, you can easily get caught out by forgetting to log out of your account, which means anyone can either see your data or make changes to your WordPress site. If you don’t trust yourself or your employees to always remember to logout properly, you can enable an auto-logout feature on WordPress. You can use a plugin like Inactive Logout to do this, which automatically logs users out once they’ve been inactive for a set period of time.

8. Create backups

In the unfortunate event that your WordPress website is hacked, you’ll need to mitigate the damage to your business as much as possible. Data is your most valuable asset, so protect it by creating off-site data backups you can access if data on your site is deleted, compromised or held hostage by cybercriminals. 

There are multiple types of backups you can create, and the more backups you have, the more protected your data will be. For example, you could store copies of your data in both the cloud (using a cloud backup solution) and on a physical device – just make sure that these backup locations are secure too! You should back up your website daily or at least weekly so that you always have a recent version of your WordPress site to fall back on.

9. Scan for malware

Security breaches aren’t always easy to spot. To ensure that no hackers slip through the cracks, you need to consistently and automatically scan for malware on your WordPress website. This will instantly alert you if the worst should happen.

There are plenty of malware scanning plugins you can download to constantly monitor your site’s security, or you can install an all-in-one WordPress security plugin that includes this feature. With automatic malware scanning, you can rest easy knowing that hackers won’t be able to get past your defences undetected. 

10. Implement downtime monitoring

Security breaches can lead to website downtime, which can seriously damage your reputation and profits if it isn’t resolved quickly. However, you certainly don’t have time to constantly check the status of your website, so how can you ensure that you respond quickly enough if your website goes down?

This is where downtime monitoring can be extremely helpful. Website monitoring and all-in-one plugins like Jetpack contain downtime monitoring tools that make it super simple to keep track of the current status of your site. You’ll receive instant alerts if something goes wrong, and you can check the detailed activity log to pinpoint exactly how, when and why downtime occurred. 

11. Install a WordPress firewall

You should already have a firewall for your server if you’ve chosen a reputable web hosting provider like Fasthosts, but have you installed one for your WordPress site? WordPress firewall plugins like Shield Security and Security Ninja will monitor the traffic coming to your site, blocking potentially harmful visits by scanning for suspicious IP addresses and bots. Installing a WordPress firewall is a quick and easy way to instantly block harmful traffic from your website and reduce your overall vulnerability to security breaches. 

12. Install secure WordPress themes and plugins

As we’ve explained, every theme and plugin you use could be a potential security vulnerability on your website. But this isn’t only true for outdated plugins and themes – you also have to be careful when downloading third-party themes and plugins that don’t come from reputable sources. These themes and plugins could become gateways for cyber attacks, or in the worst case scenario, downloading this software from unreliable sources could directly infect your site with malware.

When looking for WordPress themes and plugins, always look at official WordPress directories and take recommendations from reputable tech brands like Fasthosts. You should also check the reviews before downloading any software, ensuring there are plenty of genuine user reviews without suspicious links, spam or impossibly high ratings.

13. Filter out special characters in user input forms

As explained earlier, SQL injection and cross-site scripting attacks occur when hackers inject malicious code into your website using common user input forms, such as contact forms and payment forms. To help prevent this from happening, you can filter out special characters in these forms to block suspicious answers in text fields. This is especially useful for sites that rely on these user input fields, such as businesses that track conversions based on users signing up for mailing lists or consultations through these forms.

14. Disable file editing

If you want to go the extra mile (which we highly recommend), you can disable the ability to edit files directly from the admin area of your WordPress site. This is especially useful if someone were to gain unauthorised access to your site, or someone other than yourself was an admin and you want to have more control over your site’s security. By default, WordPress allows administrators to edit plugin and theme files from the admin dashboard, and while this can be convenient for making quick changes, it also presents a significant security risk. 

To disable file editing, add the following line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This constant tells WordPress to disable the plugin and theme editor for all users – including administrators.

15. Restrict access to wp-config.php

The wp-config.php file contains sensitive information like database credentials and authentication keys. Protecting this file from unauthorized access is crucial for maintaining the security of your WordPress site.

This is because wp-config.php is one of the key components of your WordPress site at risk of being targeted by cyber attacks, so it's crucial to protect it. A simple solution is relocating it to throw off hackers who might be looking for it in its usual spot. While a few developers might disagree with this approach, many others see the benefits. Check out the wp-config.php discussion here.

One way to restrict access is by adding a .htaccess file in the same directory as wp-config.php with the following code:

<Files wp-config.php>

Order Deny,Allow

Deny from All

</Files>

This code blocks access to the wp-config.php file for everyone except the server itself. If you need to edit the file, you'll have to do so via SFTP (or your hosting control panel's file manager).

16. Consider disabling your xml-rpc.php file

XML-RPC is a protocol that allows WordPress to communicate with external web and mobile apps, by usingXML for encoding calls and HTTP for transport. With the rise of the WordPress REST API, XML-RPC is not as popular as before, but it is still exploited by some for launching attacks on WordPress sites. Essentially – you can never be too careful!

Similar to distributed denial of service (DDoS), attackers can use XML-RPC to submit numerous commands, making it easier to carry out brute-force login attacks. Plus, XML-RPC is less secure than REST because it includes authentication credentials in its requests, which can be vulnerable to exploitation. If you're not using XML-RPC, you can disable the xmlrpc.php file. To check if your site is using XML-RPC, you can use an XML-RPC validator. If not, you can easily disable the file using a plugin like Disable XML-RPC-API or through your WordPress security plugin.

17. Log all user activity

Using plugins like WP Activity Log can help you keep track of all actions performed on your site. You can use this information to regularly review changes - particularly if your site does experience an attack or something unusual. While it doesn't mean that every password change or file edit is always a sign of a hacker on your team, if you're working with lots of outside contributors and giving them access rights, it's always smart to keep an eye on things. 

18. Hide your WordPress version

Concealing your WordPress version may help keep your site safe from potential attackers. This is because when you show the version number, it can give hackers a clear path to your site's structure. When certain versions have known weak spots – making this info public can leave your WordPress site open to focused attacks. 

While it’s not a catch-all approach, by hiding or removing the version number, you make it harder for hackers to figure out what security flaws might exist. While it's not perfect on its own, it adds an extra layer of protection.

19. Choose the right hosting provider

Finally, don’t forget to choose carefully when selecting a web hosting provider for your website. Not all hosting companies are equal when it comes to security, so make sure you choose a reputable provider that offers great security features and technical support. Key features to look out for include:

  • 24/7 support
  • Secure data centres
  • Built-in firewalls
  • Regular data backups
  • Free SSL certificates
  • Security scans

All of these features and more are available with Fasthosts WordPress Hosting, which is optimised specifically for the performance and security of WordPress websites. You can also benefit from instant setup, on-screen guidance and curated plugins and themes, so absolutely anyone can set up their own secure WordPress site from scratch.

While WordPress with its customisability is a powerful platform when running your own website, it’s worth bearing in mind that installing third-party code onto your site is always a security risk. But with these tips and common sense, you can minimise the risk considerably.

We offer WordPress Hosting here at Fasthosts, which will automatically apply WordPress patches and hotfixes to your install, as well as allow you to enable auto-updates for full versions. You can take care of keeping your site up to date without lifting a finger, and all your sites will be hosted in our secure UK data centres.