Simple Security Checklist for WordPress Sites
Did you know over 100,000 websites are hacked daily? That’s right, cybercrime is a serious threat to any company, and anybody with a WordPress site isn’t safe either. I have had a run-in with hackers (and had to recover my WordPress site), and as you can probably guess, it was ugly.
Hackers are actively looking for vulnerable websites to break and steal data that they can release for monetary gain or pure malicious intent. To protect yourself and your precious site, you should seriously contemplate hardening your WordPress security.
Considering you will lose revenue, time, and effort when hackers break into your website, we’ve created the following security checklist that you can use to secure your WordPress website. All the security items in the post are relatively easy to implement even for first-timers:
- Update WordPress
- Update Themes & Plugins
- Use Unique & Strong Passwords
- Install a WordPress Security Plugin
- Choose Great WordPress Hosting
- Use SSL (HTTPS)
- Create a Full Site Backup
- Use a Web Application Firewall (WAF)
- Disable File Editing in WordPress Admin
- Secure Your Login Page
- Add Authentication
- Log Out Inactive Users
- Scan for Malware & Issues
- Use a VPN
As you can see, we will break the post into multiple parts covering everything from choosing a secure host to hardening your admin area and more. You will need to repeat some security tasks, such as updating your themes regularly. Other tasks are a one-off thing, but still have a significant impact on keeping your site secure. Check what you need to fix, and do it right away because hackers don’t waste time either.
1. Update WordPress
WordPress core is regularly audited and checked for security vulnerabilities. If security flaws and bugs are detected, core developers usually release maintenance updates. Minor updates are installed on your WordPress website automatically.
You will, however, need to update WordPress manually for all major releases. It’s a relatively straightforward process since you get a nagging message in your WordPress admin. Only 22% of websites run on the latest version of WordPress, which is sad considering how easy it is to update.
Don’t be in the remaining 78% since you’re essentially exposing your site to all manner of attacks by not updating your website. Usually, hackers are the first group of people to learn about any vulnerabilities in old versions, since they count on the flaws to launch successful attacks.
Before you update WordPress, we recommend reading the release notes to see what’s changed and taking a backup of your website (just to be safe). This way you know what to expect when you click that update button, and you have a failsafe should anything go awry.
2. Update Themes & Plugins
While updating the WordPress core, don’t forget to update your themes and plugins too. Hackers are particularly fond of old themes and plugins with known security holes.
They exploit these security vulnerabilities and may even hide a backdoor in an old theme or plugin. If you don’t update, they can hack your website whenever it pleases them.
To avoid losing your custom styles, we recommend using a WordPress child theme as opposed to the parent theme. That way, you won’t lose your customizations when you update your theme.
You should also eliminate any inactive themes, plugins, and unused WordPress installations. Not only will you save bandwidth and make your website faster, but you will also keep hackers at bay.
Another quick note: never download “nulled” premium themes and plugins. Only go with trusted sources such as WordPress.org, Envato, or other reputable theme shops.
3. Use Unique & Strong Passwords
You’ll be surprised to learn that most websites are hacked when the bad guys steal your login information. Additionally, brute force attacks are quite common and involve bombarding your login page with thousands of username-password combinations until something gives.
If you use weak usernames and passwords (such as the infamous “admin” or “12345”) you are making it incredibly easy for hackers to break into your website. Get in the habit of creating unique and strong passwords that you change regularly. You can even use a free online generator, like this one from LastPass.
Managing many strong passwords can be a problem. To help, I often rely on password managers such as 1Password or LastPass, among others. Don’t reuse the same password on multiple websites, and always keep your login information safe. Ensure your WordPress users use strong passwords too.
While you’re at it – remember to use strong passwords for your email, cPanel, MySQL databases, and FTP accounts as well.
4. Install a WordPress Security Plugin
Whenever I create a new WordPress website, I usually have several de facto plugins I install almost automatically. I get an anti-spam plugin, Contact Form 7, Symple Shortcodes, and iThemes Security, my go-to WordPress security plugin.
The plugin allows me to fortify my WordPress defenses without breaking a sweat. It comes with so many features that make keeping the bad guys out of my websites a breeze. Configuring the plugin is super duper easy; you should be up and running in no time.
The best WordPress security plugins offer you different features, so be sure to check before installing to ascertain you are getting all the features you need to secure your entire website, no matter how unique. Standard features include malware scanning, IP blocking, brute-force prevention, two-factor authentication, and so much more – checking many of the boxes for this security checklist you’re reading right now!
5. Choose Great WordPress Hosting
Typically, beginners spring for the first cheap hosting package they come across. I wouldn’t hold it against you since you don’t know any better, but questionably cheap (or even free) shared hosting can expose you to security risks. I know this for a fact since I have been hacked on two different hosting companies offering shared hosting.
Shared hosting involves sharing a server with thousands of other websites. This increases the risk of cross-site contamination. That is, a hacker can gain access to your site even if someone else’s website was the original point of attack.
Managed WordPress hosting, on the other hand, focuses on WordPress websites only. You don’t share a server with others, and you get more security options to stay safe. They offer dedicated support too, and more recovery options should the worst happen.
If you must use shared hosting, say you’re starting with a blog that doesn’t make money yet, make sure the sites are isolated, or “jailed.” If you are running a business or eCommerce website, it pays to use the best WordPress hosting you can fit in your budget from the word go – such as VPS, dedicated, or managed WordPress hosting.
6. Use SSL (HTTPS)
Nowadays, many WordPress hosting companies offer free SSL certificates from the word go and for a good reason. SSL certificates make your website more secure than sites without SSL. Google also recommends using SSL certificates to protect data on your website (and make sure users know whether you use SSL or not).
HTTPS is more secure than its predecessor HTTP. A website that uses HTTPS encrypts all the data that moves between the user’s browser and your servers. If a hacker intercepts the communication, they will only find encrypted data that is as useful as a one-legged man in an ass-kicking competition 🙂
Installing SSL certificates on most web hosts is as easy as A, B, C. Most offer one-click installers that make the whole process easy. Simply log in to your cPanel and click a single button to install and manage your SSL certificates. If you’d like a more hands-on approach, consider checking out Let’s Encrypt.
7. Create a Full Site Backup
When hackers dethroned me, I had to rebuild my websites from scratch, a headache I would have avoided if I had reliably remembered to backup WordPress.
But no, the backups that were with my web host were corrupted during the attack, and no, I didn’t have a secondary backup solution. A classic case of putting all of your eggs in one basket that taught me a hard lesson.
Nowadays, I create full website backups that include my website files and databases. I mainly use ManageWP, but I also use the Duplicator plugin to store backups on my computer and in Google Drive.
I urge you to create full backups regularly. Many WordPress backup solutions allow you to automate the whole process, saving you time and giving you peace of mind.
8. Use a Web Application Firewall (WAF)
To add an extra layer of security to your WordPress site, and sleep better at night, enable a web application firewall (WAF). A WAF protects your website by blocking malicious traffic long before it gets to your site. It’s a proactive measure to stop the bad guys dead in their tracks before they cause any damage.
The firewall filters your incoming traffic, eliminating hackers while letting legitimate users through. Many WordPress security companies offer web application firewalls alongside other features. Popular options in the industry include Sucuri and Cloudflare.
9. Disable File Editing in WordPress Admin
The WordPress CMS comes with a fantastic code editor that allows you to edit plugin and theme files inside your WordPress admin dashboard. The code editor is a great tool to have at your disposal, but in the wrong hands, hackers can use it to deface or add malware on your website.
You can always edit your theme and plugins files (if need be that is) via FTP or file manager in cPanel, which means you can altogether disable the code editor in WordPress. You don’t want hackers who gain access to your WordPress admin area to have access to the code editor, because they can cause a lot of damage with a few lines of code.
What to do? You can disable the built-in code editor using the free Sucuri Security plugin. Alternatively, you can add the following code to your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
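The same wp-config.php file can carry a few more hardening constants. The block below is an added example, not code from the original post: it groups DISALLOW_FILE_EDIT with the constants that back item 1 (automatic core updates) and item 6 (HTTPS for the login page and admin area). The X-Forwarded-Proto handling at the end assumes your site sits behind a TLS-terminating proxy or CDN that sets that header; leave it out otherwise.

```php
<?php
// Added example: hardening constants for wp-config.php (not from the original post).
// Put these above the line that reads
//   /* That's all, stop editing! Happy publishing. */
// so they are defined before wp-settings.php runs.

// Item 9: remove the theme/plugin code editor from the admin area (default: editor enabled).
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option: also block installing/updating themes and plugins from the admin.
// Note that this switches off WordPress's automatic background updates as well, so only
// enable it if you deploy and update code another way (SFTP, WP-CLI, git).
// define( 'DISALLOW_FILE_MODS', true );

// Item 1: let WordPress install every core release itself, not only minor/security
// releases (the default value is 'minor').
define( 'WP_AUTO_UPDATE_CORE', true );

// Item 6: force HTTPS for wp-login.php and the whole admin area so passwords and auth
// cookies never travel in the clear. Only enable this once the certificate works, or
// you will lock yourself out of the dashboard.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: a proxy/CDN you control terminates TLS and sets X-Forwarded-Proto.
// Without this, WordPress only sees plain HTTP from the proxy and FORCE_SSL_ADMIN
// would redirect in a loop. Do not add it if clients can reach PHP directly,
// since then the header could be set by anyone.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After saving, load /wp-admin/ over plain http:// and confirm it redirects to https://, then check that Appearance › Theme File Editor and Plugins › Plugin File Editor have disappeared from the menu.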
We are moving on.
10. Secure Your Login Page
Usually, the login form on your WordPress site has two fields: username and password. With brute force attackers and bots getting smarter by the day, how do you stop hackers from gaining access to your WordPress admin area? It’s simple; you add CAPTCHA or security questions that make it harder for anyone to gain unauthorized access.
And you don’t have to edit code to add CAPTCHA or security questions to your login page. There is a popular WordPress plugin known as WP Security Question that’s easy to configure and use. If you’d like to use CAPTCHA, you can use Simple Login Captcha, WordFence, or one of the many other options available for free at WordPress.org.
At the same time, you can change your wp-login URL to something unique. That way, bots and hackers will have a hard time trying to guess the URL to your login page. wp-login is already well known among hackers, so it makes perfect sense to change the URL to something else. You can use a plugin such as WPS Hide Login.
11. Add Authentication
Additionally, consider implementing two-factor or multi-factor authentication. If a hacker gets hold of your login details, they still won’t be able to log in to your WordPress site without the second factor. There are many options available, but Google Authenticator is a popular choice.
Other than that, limit login attempts on your login page. If a visitor is trying to log in with an account that doesn’t exist, or keeps retrying many times, they are most likely a hacker or bot trying to brute-force their way in. You can use a plugin such as Limit Login Attempts or Login Lockdown to keep these intrusive elements away.
12. Log Out Inactive Users
When you have a multi-user WordPress website, you cannot fully control how or where users access your website. An author might decide to use free public Wi-Fi to make final touches on an article. A web designer might leave their desk and return from a one-hour lunch break.
In such scenarios, your user may expose your website to security risks unknowingly. A malicious person might take over their session, edit their details, and simply wreak havoc. If the unauthorized party knows what they are doing, they can easily take over the user’s account and do damage.
What to do? You can log out inactive users automatically after a pre-defined period. And the best part? There are plugins for this exact purpose. One popular option is the Inactive Logout plugin which includes options to customize the idle time before logout, custom popup message or redirect upon logout, and timeout according to user role.
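Both of these login controls can be implemented with a handful of WordPress hooks instead of a plugin. The must-use plugin below is an added example written for this checklist, not code from the original post or from any of the plugins it names; the plugin name, the function names and the policy values (5 failures, 15 minutes, the session lengths) are constructed. It covers the login limiting from section 11 and, as a server-side complement to the idle-logout plugin from section 12, a cap on how long a login session stays valid.

```php
<?php
/**
 * Plugin Name: Example Login Hardening
 * Description: Added example (not a published plugin): lock out an IP after repeated
 *              failed logins and cap how long a login session remains valid.
 * Save as wp-content/mu-plugins/example-login-hardening.php. Files in mu-plugins load
 * automatically and cannot be deactivated from the admin area.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Constructed policy values; tune them for your site.
define( 'EXAMPLE_MAX_FAILURES', 5 );                          // failures allowed per window
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );  // window length and lockout length

/**
 * Client address used for the counter. REMOTE_ADDR is set by the web server itself.
 * Only read X-Forwarded-For if a reverse proxy you control rewrites it; otherwise a
 * client can spoof it to dodge lockouts or to lock out somebody else.
 */
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_failure_key() {
    // Transients live in wp_options (or the object cache) and expire on their own.
    return 'example_login_fail_' . md5( example_client_ip() );
}

// 1. Count failures. Core fires this for every rejected login, including attempts
//    against usernames that do not exist, so enumeration guesses are counted too.
//    Each further attempt during a lockout resets the timer, extending the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_failure_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
    // Goes to the PHP error log; forward it to whatever your host or SIEM collects.
    error_log( sprintf( 'wp login failed: user="%s" ip=%s failures=%d', $username, example_client_ip(), $count ) );
} );

// 2. Refuse authentication while locked out. Priority must be above 20: core's own
//    username/password check runs at 20 and would replace an earlier WP_Error with a
//    valid WP_User whenever the credentials happen to be right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_failure_key() ) >= EXAMPLE_MAX_FAILURES ) {
        // One generic message: do not reveal whether the username exists.
        return new WP_Error( 'example_locked_out', __( 'Too many failed login attempts. Try again later.' ) );
    }
    return $user;
}, 99, 3 );

// 3. Reset the counter after a successful login.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_failure_key() );
}, 10, 2 );

// 4. Cap session lifetime (section 12). WordPress defaults are 2 days, or 14 days with
//    "Remember Me". This is an absolute limit, not an idle timer: a true inactivity
//    logout still needs a client-side timer such as the Inactive Logout plugin.
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        return 4 * HOUR_IN_SECONDS;   // admins: short session regardless of Remember Me
    }
    return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}, 10, 3 );
```

Two caveats when using something like this: the counter is per IP address, so an office or a mobile carrier behind one NAT shares a single lockout, and on a busy site transients should be backed by an object cache rather than wp_options. It reduces brute-force noise; it does not replace two-factor authentication.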
13. Scan for Malware & Issues (Regularly)
Often forgotten, scanning your WordPress website regularly can help you identify security problems early on. It takes just a second for a hacker to break into your website and do all manner of nasty things. This is precisely why you should stay on top of things at all times.
Many WordPress security plugins scan for malware infections, known security vulnerabilities, outdated scripts, brute force attacks, missing backups, and so on. The plugins send you detailed reports on known problems, so you can fix them or hire a professional.
There are many website scanners, such as Sucuri SiteCheck, that you can use to check your site in a flash. All you have to do is enter your URL, and the tools will check your website automatically. After that, they offer you a report on what you need to fix. Once you have the report, fix all security vulnerabilities immediately.
14. Use a VPN
If you run a website that carries sensitive information that must never get into the hands of hackers, consider using a virtual private network (VPN), especially when using free public Wi-Fi. A VPN protects you from man-in-the-middle attacks that are common on public networks, and can happen at home and work too.
A virtual private network ensures that even if the attackers gain access to the system and steal your details, they cannot do anything with the data they take from you. If you have an internet network that you’re sharing with many people, always use a VPN before accessing your WordPress admin area.
Other WordPress Security Options
Need more to do? We would love to keep your website secure at all times, so here are bonus security items to add to your checklist:
- Disable PHP file execution in /wp-content/wp-uploads/
- Change your WordPress database prefix
- Password protect your admin and login pages on the server-side
- Disable directory indexing
- Disable WP REST API and XML-RPC if not needed
- Don’t edit/change WordPress core – write or use a plugin that offers the functionality you need instead
- Ensure your website runs the latest version of PHP
- Use an antivirus program on your computer
- Enable Google Search Console
- Reduce XSS and SQL Injection vulnerabilities (you might need a more tech-savvy person to help with these two)
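Three of these bonus items (disabling XML-RPC, restricting the REST API, and avoiding SQL injection and XSS in your own code) can be handled from a single must-use plugin. The block below is an added example written for this checklist, not code from the original post; the plugin name, the shortcode and its query are constructed so that the unsafe pattern can be shown next to the safe one.

```php
<?php
/**
 * Plugin Name: Example Surface Reduction
 * Description: Added example (not a published plugin): switch off XML-RPC, require a
 *              login for the REST API, hide the version string, and show safe
 *              database/output handling in a shortcode.
 * Save as wp-content/mu-plugins/example-surface-reduction.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- XML-RPC. Old mobile apps and Jetpack use it; it is also a brute-force and
//     pingback-amplification target. The first filter disables the methods that need a
//     login; pingback.ping does not need one, so it is removed explicitly as well.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );   // stop advertising the endpoint
    return $headers;
} );

// --- REST API: logged-in users only. The anonymous /wp-json/wp/v2/users route is the
//     usual way to list account names. Caveat: some themes and contact-form plugins call
//     the REST API from the front end for visitors, so test this on a staging copy first.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;   // another check already decided
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_login_required', __( 'Log in to use the REST API.' ), array( 'status' => 401 ) );
    }
    return $result;
} );

// --- Stop printing the WordPress version in <head>; it tells attackers which exploits to try.
remove_action( 'wp_head', 'wp_generator' );

// --- SQL injection and XSS: the pattern to look for in your own plugin/theme code.
//     Hypothetical shortcode [example_recent_by_author author=3] listing post titles.
add_shortcode( 'example_recent_by_author', function ( $atts ) {
    global $wpdb;
    $atts   = shortcode_atts( array( 'author' => '' ), $atts );
    $author = (string) $atts['author'];

    // UNSAFE (do not use): the attribute is pasted into SQL and the title is echoed raw.
    //   $rows = $wpdb->get_results( "SELECT post_title FROM {$wpdb->posts} WHERE post_author = $author" );
    //   foreach ( $rows as $row ) { $out .= '<li>' . $row->post_title . '</li>'; }

    // SAFE: prepare() binds the values with typed placeholders, esc_html() neutralises
    // any markup stored in the title before it reaches the browser.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT post_title FROM {$wpdb->posts}
         WHERE post_author = %d AND post_status = 'publish'
         ORDER BY post_date DESC LIMIT %d",
        (int) $author,
        5
    ) );

    $out = '<ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
} );
```

After deploying, fetch /xmlrpc.php and /wp-json/wp/v2/users as an anonymous visitor and confirm both refuse to serve anything useful, then check that the block editor and any front-end forms still work while logged in.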
Really, the number of steps you can take to protect your site is endless. But if you can check off the 14 items we’ve listed, it’s a huge step towards securing your site.
Securing your WordPress website is challenging but not impossible. With the right tools and skills, you can quickly harden your WordPress security and keep the bad actors away.
As a recap, always keep your website up to date. On top of that, never download themes or plugins from untrustworthy sites. And to be on the safe side should the worst happen, always have a reliable backup solution in place.
We hope you found all the tips you need to secure your WordPress website and, by extension, your online business. If you have a question or need help figuring out how to secure your WordPress website, please let us know in the comments. Stay safe!
Great topic Freddy! There’s a need in the market to educate in terms of website security. As I’m myself a practitioner in the field (I did a bachelor on Web security) I don’t think people really know how important it is to really understand the online security matter. Good that you guys tackle the matter here!
WordPress seems to be working strange for a few newer blogs I launched. The default installation (from QuickInstall on Cpanel) is an older version of WP. If I try upgrading the version to the latest (the Gutenberg versions), none of what I write gets saved in draft. If I install the Classic Editor plugin, then I don’t seem to be able to even click and point my cursor into the writing screen.
I ended up uploading HTML versions of my content because debugging was taking too much time. It has happened one too many times that I am doing nothing wrong (I’ve been installing WP for over a decade now).
That is very weird. May I ask what hosting company you’re using? You might need to open a ticket with them. My thoughts are that it could be an issue on their end with the way they’ve set up Quickinstall on their shared servers (but I’m just guessing).
Already have a strong password, always update it, and I use Surfshark VPN for more security. I see there are definitely more things I could do, but it’s good to know that I’m on my way there. I think adding 2FA and installing a WordPress Security Plugin are going to be my next steps.
Nice and comprehensive list of security checks. Thanks for sharing!
Security is very important for a website. Nowadays it is often heard that websites are hacked. Hackers play with your information all the time. They can hack anyone’s data at any moment. So in the case of the website you have to use a maximum-security system.
Very true – your best protection is simply being prepared!