WordPress Security Guide 2019
With so many websites relying on WordPress it’s no surprise that millions of website owners are out looking for the best ways to secure their WordPress sites. The widespread prevalence of WordPress also makes it a target for hackers, with tens of thousands of websites getting infected with malware, becoming the sources of phishing schemes and getting blacklisted by search engines. In this guide we cover everything you need to know about WordPress security, including a comprehensive list of do-it-yourself WordPress security tips for hands-on website owners. Read on to see how you can protect your website against even the most determined attacker.
Why WordPress security is so important
At its core WordPress is very secure, the CMS is audited by hundreds of expert coders who write security into WordPress. Nonetheless WordPress can still be hacked and often it is due to a lack of basic security practices.
WordPress sites that are hacked can be very damaging for the owner as it inevitably leads to a loss of reputation while also leading to financial loss. A hacker can rob a business of its confidential user data, can install software that leads to further damage down the road or even install malicious programs on your user’s PCs.
Google plays a strong role in policing websites. First, it can exclude potentially hacked websites from search results – and indeed it blacklists tens of thousands of sites every week. Google also warns users away from infected sites by displaying a warning in Chrome. The resulting warnings can lead to a huge drop in traffic for website owners.
The responsibility for securing a website lies, of course, with the website owner. It’s no different from business security at a physical place of business. Essentially, your website is your premises and you need to ensure that it is secured.
General WordPress security tips
At Plesk we appreciate that risk elimination is very difficult to achieve, if large and well-protected government and military websites can be hacked it is clearly difficult for even the most capable security regimes to eliminate risk. That’s why we believe in risk reduction instead. These are the first, most actionable steps we suggest that you take.
Pick a host you can trust
Though much of your WordPress security regime is simply up to you, there is one element that you probably do not control: security on the server hosting side. In fact, it can be argued that picking a secure shared hosting provider is your very first step in getting WordPress security up to scratch.
With shared hosting you share the physical and software hosting environment with many other users. So, when one user’s website gets hacked it can spread across to yours. This is called cross-contamination and can mean that your site gets infected through no fault of your own.
Therefore, you need to select a host that you can really trust. One option is to use a managed WordPress hosting company which can offer a range of services that help you secure your WordPress site, including advanced security configurations and automatic backups and updates.
User permissions and passwords
A stolen password is like handing the keys to a hacker, which is why stolen passwords are so commonly involved in compromised WordPress websites. One way to “steal” a password is to guess it, if you use a weak password a hacker can easily guess it and get access to your WordPress instance.
Instead, choose strong passwords for both your WP logins as well as every other area of your hosting solution including FTP and MySQL. This goes for your email addresses too as a hacked email account can be used to reset passwords.
Also watch out for user permissions, don’t hand out your admin credentials to just anyone. Where your website works using a larger team including contributors you need to ensure you control access by limiting user privileges to the absolute minimum. Don’t give users full administrator access unless they really need it.
Always update WordPress
If your host doesn’t provide automatic WordPress updates you should make sure you execute these updates yourself, regularly. As open-source software the WP codebase is regularly updated, with minor changes to the code automatically installed. However major new releases of WordPress require user intervention for the update to install.
Updates also stretch across to the stacks of plugins and custom themes that so many websites make use of. Here, too, you must ensure that 3rd-party updates are tested and installed in a timely manner. Both WordPress core updates and 3rd-party updates are key to ensuring your WordPress website is impervious to hackers.
Getting a third party involved to boost WordPress security
We’ve outlined some of the basic elements of good WordPress security. Later in this WordPress security guide we will cover DIY steps, but one way to ensure your WordPress site is really secure is to make use of a third party security service.
In this section we will cover the WordPress security tips you can follow that doesn’t require an understanding of how WordPress works, and which you can implement just by pointing and clicking. For beginner users these steps are ideal as they are easy to implement yet effective. Let’s take a look.
Activate an automatic backup solution
Earlier in this article we highlighted how it is almost impossible to make a website 100% secure against hacker attacks. You can reduce the probability of a successful attack but not eliminate it. So, website owners must assume there is a chance of a successful attack. Effective backups are the most important defence against a successful attack as it allows you to restore your website should the worst happen.
Thankfully it’s not hard to get WordPress backups into place, and you have a choice of paid-for and free solutions. However, you must save your backups in a remote location – not in your main hosting account. Otherwise, if your hosting account is compromised, your backup is simultaneously compromised. Instead store your backups in cloud storage such as OneDrive, Dropbox or AWS.
Backup frequency is important, depending on how often your site is updated it should be at least once a day but for many scenarios ongoing backups that mirror all site changes are the better option, especially where user registrations are involved. Some of your best no-coding backup solutions include VaultPress as well as Backup Buddy.
Install a third-party WordPress security plugin
Backups are your first step, but you should go further when setting out your WordPress security measures. Understanding what happens on your site is important, so you need a monitoring tool that can audit everything from failed access attempts, scanning efforts performed by malware and the integrity of WordPress core files.
One excellent tool is from a company called Sucuri. The Sucuri plugin installed directly into your WP instance and is free to install and use. You start by generating a free (API) key which will activate logging as well as automatic integrity checks and various other core Sucuri features. We also recommend that you fully activate the WP “hardening” features offered by Sucuri – simply click “Harden” next to every option on the relevant Sucuri tab.
Sucuri’s hardening features essentially automatically lock down a number of areas the are often targeted by WP hackers. There is one hardening option that Sucuri uses that is not included in the free plug-in, it is effectively a firewall for websites, we cover it in the next section.
In fact, we will also cover some of Sucuri’s hardening features in a later section where we show you how to manually harden your WordPress site, thought note that these options are typically for the more technically savvy.
Overall Sucuri is really easy to set up because, once you’ve ticked all the “Harden” boxes, it’s job done, you don’t need to change much else. However we do suggest that you customise the email notifications that Sucuri sends as these can be bothersome.
To stop your inbox cluttering up too much with notifications you should edit the settings in Sucuri so you only get a message when there is a major change, for example when a new plugin is installed or when a new user registers.
Overall the Sucuri plugin is a top choice for automatic WordPress protection and we encourage you to browse through the different sections of the plugin including its malware monitoring, logs and the list of failed logins. However, you can take Sucuri to the next level if you are willing to pay for a subscription.
Get a firewall for your website
Also called a Website Application Firewall or WAF, a firewall for your website is one of the best ways to keep your website safe and secure. Why? Because a firewall protects your website from malicious traffic before this traffic even reaches your website.
Clearly, stopping intruders from reaching your site in the first instance is top WordPress security priority but Sucuri offers more. In the unlikely chance that intrusion succeeds Sucuri can also do a cleanup and can help you remove your sites from black lists, in fact the company guarantees that it can do so. Sucuri will do the fix themselves.
It’s not cheap to get a hacked website fixed and it can take a long time, which makes hacks costly. Sucuri’s technicians charge over $200 per hour, but you get access to the full Sucuri service for just $199 in subscription fees. Note that you have other choices for website application firewalls, one example would be Cloudflare.
The DIY WordPress security guide
We’ve given a number of important pointers that should get your WordPress site to a point where it is reasonably safe from attack, but if you are more technically minded you can go further and do a few more things to help you get your WordPress site as safe as can be. Some of the following instructions require a bit of knowledge of coding, but other steps are simple to complete. Let’s take a look.
Stop PHP file execution where it’s not needed
Some WordPress directories are not intended to run code, instead these just store files. For example, /wp-content/uploads/. Hackers can, for example, upload PHP code to these directories and then execute the malicious code. Stop hackers from doing so by blocking PHP code execution where WordPress doesn’t need it.
It’s simple to do so, open a pure text editor such as Windows’ Notepad and paste this text:
deny from all
You then need to save the code to a file called .htaccess and upload it to the directory you want to block PHP code execution in, such as /wp-content/uploads/. However don’t add this code to just any WordPress directory as it can stop your site from working.
Alternatively, simply use the Sucuri plugin to help you, blocking PHP file execution in unnecessary directories is one of the hardening options included in the plug-in.
Change file editing permissions
WP comes with a code editor built-in which allows you to edit the files used by plugins and themes, but we recommend that this is turned off. This direct access can cause problems when used by a rogue actor. It’s easy to switch off the ability to edit plugin and theme files. Just add this code to your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Of course, as we explained, Sucuri allows you to change this setting right in the Sucuri plugin’s control panel, ideal if you’re not keen on editing configuration files.
Don’t use “admin” for the administrator account
Older WordPress installations started out with “admin” as the username for the main administrator account so many WordPress website owners still access their sites via the “admin” account. This matters because of a lot of automated WordPress attacks rely on hitting “admin” with a guessed password to get into the WordPress instance.
Now, WordPress forces users to choose a different administrator username so that “admin” is no longer the default for a new installation. That said some auto-installers that do a one-click install can still make use of “admin”. If you see that your administrator username is “admin” you should really change it.
Unfortunately you can’t simply rename an existing user, so if your administrator username is “admin” you’d need to change it some other way. You do have three options. First, you can create a new administrator account with a different name and delete the old one. The “Username Changer” plugin can also do it for you. Finally, you could simply hack into the WordPress database via phpMyAdmin and make the change yourself.
Change the WordPress database name
A bit like the issue around standard administrator usernames, WordPress assigns a “wp” prefix to the WordPress database, and all its tables. This hasn’t changed and hackers can try and search for WordPress tables using this prefix. Changing it can trip up hackers, but you must be extremely careful when you make this change as it can break your WordPress site so we recommend that you read our detailed instructions before you try to do it.
Set a password for the WordPress login and admin pages
Make life harder for hackers by setting up further password protection server-side that asks for login details before your server presents the WordPress wp-admin directory and the login page inside of it.
Each hosting solution will have a different way of making this change, but it can prevent hackers from running a DDoS attack or some other tricks that try to access the WordPress admin directory.
Stop directory browsing and indexing
Hackers can try to find out whether your site has a vulnerability by browsing the content of your site’s directories. Many hosting solutions leave directory browsing enabled by default providing an opportunity for hackers.
It’s not just hackers you need to be worried about. Directory browsing lets anyone who is curious hunt through the files on your website to find images and other documents or to copy down your directory structure. We strongly suggest that you disable the ability to browse directories as there is rarely any purpose for doing so.
To stop directory indexing you need to edit the .htaccess file for the root directory on your website. You can do so using the file manager on your website’s control panel. You need to add this line to the .htaccess file:
Do that and you will stop unwanted users from exploring the file content of your website’s directories.
Disable XML remote procedure calls
XML remote procedure calls, or XML-RPC, can magnify the impact that a brute-force hacker attack has on your WordPress instance. It is a powerful protocol and though it is useful on the one hand (you can connect other websites and apps using XML-RPC) it does carry risks.
XML-RPC has been enabled by default since WordPress 3.5 but it can open the door to hackers. Instead of using 500 individual password attempts on your site, a hacker can simply use system.multicall, a function in XML-RPC, to try these login attempts. In fact this function can try thousands of password with just twenty to fifty XML-RPC requests.
If you are not using XML-RPC the general recommendation is to disable it so that it does not open the door to hackers. You have three options: the most direct and least resource-heavy is doing so by using .htaccess. Alternatively, you can use the Sucuri WAF to do it for you.
Put a cap on the number of chances to login
Hackers often use a technique called “brute force” to try and get into a website if they don’t know the password. They simply keep trying the username against a list of potential passwords. WordPress usually allows users to try to log in as many times as they like, but you can change this. First, a website application firewall can do this for you as it will automatically block brute force attempts.
Alternatively, download a plugin called Login LockDown and install it. We have more detailed instructions on how to install a WordPress plugin elsewhere, consult these if you need more help. You have to set up the plugin once you’ve installed it, visit the Settings > Login LockDown page to do so.
Put a time limit on idle users
Hackers don’t always work from faraway corners in the world. When your administrator walks away from their PC while logged into WordPress they can open your site to security risks. Just as a lot of important sites like financial services force a log out after a period of inactivity you should also consider forcing a log out when a user is idle.
One way to do so is using the “Idle User logout” plugin. Once you’ve installed it go to the Settings > Idle User Logout page and set up the plugin. Here you can set the time duration that you prefer. Make sure to uncheck the “Disable in wp admin” option for maximum security.
Mix up the WP login screen with a security question
Again, in an effort to trip up automated hacking attempts you can make it more difficult to get past your WordPress login screen by setting up a separate security question which hackers won’t expect.
Thwart unauthorised access by installing a plugin. We recommend “WP Security Questions”, again easy to install as a plug-in if you follow our simple instructions. To activate this plugin go to Settings and then to the Security Questions page where you can customise the security question.
Set Alternative WordPress Login URL
Everyone who have an idea about WordPress CMS is aware that it is possible to access WordPress site via wp-login.php. No doubt it is awesome when we talk about the simplicity of WP usage, however not really acceptable when WordPress security is the subject to be concerned of.
There are numerous ways on how to change the default WordPress login URL, however we suggest to use WPS Hide Login or Better WP Security plugins for this purpose.
What to do when every WordPress security effort fails
The are so many facets to protecting your website against WordPress hacking threats. It is not uncommon for even the most switched-on website owners to trip up when they set up protection for their sites and that is why it is so important to have a dependable backup solution and reliable website security partners.
Should the worst happen you should consider letting a security expert do the clean-up as it can be difficult to get rid of everything a hacker installs. It is easy for intruders to leave what is called a “backdoor” which can enable future intrusion attempts. A company such as Sucuri can help fix your site for you. These security companies know what to do to ensure that a website is 100% safe after clean-up. That said, a backup of your site is important too because it makes the repair and clean-up process far easier.
Alternative approach is to use Plesk as a hosting platform for your VPS or dedicated server and enjoy the power of WordPress Toolkit – an ultimate WordPress management solution which will help not only to harden WordPress security, but also to run updates, manage themes/plugins/databases, edit global settings and lots more.
How useful was this post?
Click on a heart to rate it!
Average rating 5 / 5. Vote count: 4
Oh no, sorry about that!
Let us know how we can do better below
Thanks for your feedback!