WordPress security

Editor: Evgeniy Burovinskiy

Please note that the measures described in this article cannot guarantee that your website will be 100% secure from hacking. Start from the value of your website and its data: if it is worth millions of dollars, you need an experienced team to build and maintain its security; if it is worth less (several thousand dollars), the advice below will close the holes that most WordPress break-ins actually go through.

Note! We also recommend reading the general security recommendations, because they are not repeated in this article. They apply to every site regardless of the CMS used; this article covers recommendations specific to WordPress-built websites.

How to secure your WordPress-built website?

1. Updates

Check for CMS and extension updates as often as possible. Updates carry patches that fix vulnerabilities, bugs and other issues. The typical scenario: a hacker finds a vulnerability that lets him break into the CMS, and because the same CMS powers thousands of websites, the same flaw gives him access to all of them. Once the vulnerability is reported, the developers fix it and publish a patch; until you apply it, your site is exposed to an attack that is already public. That is why we recommend updating WordPress itself, every plugin and every theme on a regular basis. WordPress has applied minor (security) core releases automatically by default since version 3.7; do not switch that off. Remove plugins and themes you do not use rather than merely deactivating them: an inactive plugin's files are still on disk and still reachable. And download components and their updates only from the official WordPress.org directory.
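The update check can be scripted instead of done by hand. The script below is an added example, not code from the original article: it uses WP-CLI (https://wp-cli.org/), assumes the `wp` command is installed and run from the site root as the file owner (never as root), and falls back to a constructed sample of WP-CLI's CSV output when `wp` is not present so the parser can still be exercised.

```shell
#!/bin/sh
# Added example, not from the original article: audit and apply WordPress
# updates with WP-CLI. Assumes `wp` is installed and run from the site root as
# the file owner. Without `wp` the audit uses a constructed sample instead.

# Read WP-CLI CSV (header line first) on stdin and print the names of items
# whose "update" column is "available".
outdated_items() {
    awk -F',' '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["update"]) == "available" { print $(col["name"]) }'
}

# Constructed sample in the exact shape of
#   wp plugin list --fields=name,status,update,version --format=csv
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,available,5.0
hello,inactive,none,1.7.2
wordpress-seo,active,available,20.1'

# Report what needs updating without changing anything.
audit_updates() {
    if command -v wp >/dev/null 2>&1; then
        wp core check-update
        wp plugin list --fields=name,status,update,version --format=csv | outdated_items
        wp theme list --fields=name,status,update,version --format=csv | outdated_items
    else
        printf '%s\n' "$SAMPLE_PLUGIN_CSV" | outdated_items
    fi
}

# Apply updates, core first, then delete plugins that are installed but
# inactive: their files stay on disk and remain reachable by attackers.
apply_updates() {
    wp core update && wp core update-db
    wp plugin update --all
    wp theme update --all
    wp plugin list --status=inactive --field=name | xargs -r -n1 wp plugin delete
}

audit_updates
```

Run `audit_updates` from cron and mail yourself the output; run `apply_updates` only after a backup, because a plugin update can break the site just as a missing one can get it hacked. `xargs -r` is a GNU extension that skips the command when the list is empty.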

2. Third-party extensions

Don't install plugins or modules from unknown sources. At best they work badly and break a feature; more likely they contain malicious code that gives the so-called developers access to your website, after which they can blackmail you or sell your confidential data to third parties (on the black market). Even a plugin that contains no malicious code is not necessarily secure: it may simply have vulnerabilities of its own. So download extensions only from the official WordPress.org directory, and research a plugin before installing it: in the directory, check the last-updated date, the "tested up to" WordPress version, the number of active installs and whether support threads get answered. Every plugin you add is code running with the full privileges of your site, so install the fewest you can.

3. Trustworthy hosting provider

Website security is a combination of CMS security and hosting security. The software installed on the server has its own vulnerabilities and can be hacked as well, so it needs updating too, and unfortunately not all hosting providers update their software often enough. Moreover, if server security is poor, your site may go down when a server "neighbour" is hit by a DDoS attack, or be compromised when a neighbour's account is. So make sure the hosting provider you choose takes security seriously: anti-DDoS protection, an antivirus and malware scanner, server monitoring, isolation between customer accounts and timely software updates. We recommend companies with good reviews and a large customer base; you can find various ratings in our footer.

4. Login credentials

Don't use 'admin' as the username for your admin panel. Bear in mind, though, that WordPress reveals usernames anyway (the URL /?author=1 redirects to the first user's author page, and the REST endpoint /wp-json/wp/v2/users lists users who have published posts), so the password is the real control. Make it long and hard to guess: letters, digits, special characters, upper and lower case, and ideally generated and stored by a password manager. Do not give your login credentials to anyone. If you need to change some settings, it is better to Google them than to ask someone to set them up for you; editing WordPress settings does not require in-depth programming knowledge.

5. Login attempts

If a hacker uses a brute-force attack (submitting many passwords or passphrases in the hope of eventually guessing the right one) against your login page, he will get in sooner or later if login attempts are not limited. That is why we recommend limiting login attempts per IP address, for example with the Limit Login Attempts plugin (or its maintained fork, Limit Login Attempts Reloaded) or Login LockDown. Two caveats: attackers with a botnet rotate source addresses, so a per-IP limit slows them down rather than stopping them; and the XML-RPC interface (xmlrpc.php) accepts many password guesses in a single request through its system.multicall method, so disable XML-RPC unless something you use (such as the mobile app or Jetpack) needs it. And remember that the limit applies to you as well: a few typos will lock you out for a while.
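You can see a brute-force attack in the web server's access log before a lockout plugin reacts. The script below is an added example, not code from the original article. It reads a combined-format Apache or nginx access log; the log lines embedded in it are constructed for the example, and the addresses are documentation ranges. Two facts drive the filter: a failed wp-login.php POST re-renders the login form with status 200 (a successful login answers with a 302 redirect), and every POST to xmlrpc.php is suspicious because one request can carry many guesses.

```shell
#!/bin/sh
# Added example, not from the original article: find login brute forcing in a
# combined-format access log. Failed wp-login.php POSTs return 200 (success is
# 302); any xmlrpc.php POST may carry many guesses via system.multicall.
# The log lines below are constructed for this example.

SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 800 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 800 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 800 "-" "python-requests/2.31"'

# login_bruteforce THRESHOLD < access.log
# Prints "<count> <ip>" for every source with more than THRESHOLD login
# attempts (failed wp-login.php POSTs plus all xmlrpc.php POSTs), busiest first.
# Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
login_bruteforce() {
    awk -v t="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                 { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | login_bruteforce 2
```

On the sample this reports 203.0.113.7 (five failed logins) and 192.0.2.44 (three XML-RPC posts) and ignores 198.51.100.9, whose single POST got a 302, i.e. a successful login; if that address is not yours, that line is the one to worry about. Feed the real output to your firewall's deny list or to fail2ban; counting per IP is exactly what a distributed attack evades, which is why the password itself still has to be strong.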

6. Themes

Before installing a theme, find out everything you can about the company (or person) that developed it; reviews and forum threads will turn up people who have used the theme for a while and can tell you whether it caused problems. Once the theme is installed, disable the built-in file editor. The dashboard's theme and plugin editor lets anyone with an administrator account write PHP straight into a theme file from the browser, which is the first thing an attacker does after getting hold of an admin login; disabling it removes that shortcut. To do so, add the following line to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

7. Encryption keys

These are the authentication keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT values). WordPress uses them to sign login cookies and nonces, so if they are still the 'put your unique phrase here' placeholders from wp-config-sample.php, or were copied from a tutorial or a previous site, anyone who knows them can forge an administrator's cookie without knowing the password. Fetch fresh values from https://api.wordpress.org/secret-key/1.1/salt/ and paste them over the existing define() lines, or generate your own long random strings. Note that changing the keys logs every user out; that is also the fastest way to invalidate stolen sessions after a compromise.
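The keys can be generated locally, so the secrets never travel over the network, and written out together with the DISALLOW_FILE_EDIT line from section 6 as one wp-config.php fragment. The script below is an added example, not code from the original article; it needs only /dev/urandom and the base64 utility, and the salts_ok check is our own sanity test, not anything WordPress provides. (WP-CLI users can get the same effect with `wp config shuffle-salts`.)

```shell
#!/bin/sh
# Added example, not from the original article: generate the eight
# authentication keys and salts locally and emit them together with the
# DISALLOW_FILE_EDIT constant as a wp-config.php fragment. Needs only
# /dev/urandom and base64. Paste the output over the existing define() lines;
# every logged-in user is logged out.

# 64 characters from /dev/urandom. The base64 alphabet contains neither a
# single quote nor a backslash, so the value is safe inside a PHP '...' string.
random_secret() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

WP_SALT_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

salt_block() {
    for name in $WP_SALT_NAMES; do
        printf "define( '%s', '%s' );\n" "$name" "$(random_secret)"
    done
}

wp_config_hardening() {
    salt_block
    printf "define( 'DISALLOW_FILE_EDIT', true );\n"
}

# Sanity check (our own, not a WordPress tool): read define() lines on stdin and
# succeed only if there are exactly eight key/salt secrets, each at least 64
# characters, none still the sample-file placeholder and no two equal.
salts_ok() {
    awk -F"'" '
        $2 ~ /_(KEY|SALT)$/ {
            n++
            if (length($4) < 64) bad++
            if ($4 == "put your unique phrase here") bad++
            if (seen[$4]++) bad++
        }
        END { if (n == 8 && bad == 0) exit 0; exit 1 }'
}

wp_config_hardening
```

Run it as `./wp-salts.sh > fragment.txt` and replace the existing block in wp-config.php; keep wp-config.php out of version control and out of any world-readable backup, because with the keys and the database an attacker has everything.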

8. Security modules

You can use the following extensions to improve your website's security, but apply the rules from sections 1 and 2 to them as well: a security plugin that is no longer maintained is itself unpatched code on your site.

  • Better WP Security (since renamed iThemes Security, now Solid Security) - one of the most popular security plugins, with a large feature set;
  • WP Security Scan - checks your website against a long list of criteria. However, it has not been updated for 4 years, so we do not recommend installing it on a production site; use a maintained plugin with an equivalent scan instead;
  • WP Antivirus - scans your website for malicious code and unauthorized login attempts and emails you when it finds something suspicious. It has the same problem as the previous one: no updates for 3 years, so it will not recognize newer malware or vulnerabilities;
  • Sucuri Scanner - malware scanner and anti-hacking tool. It is updated more or less regularly (the last release was a month before this article was written), so it can be considered trustworthy.

9. Move wp-config.php file

It is better to move wp-config.php out of the public_html folder into the directory one level up in the file hierarchy. No further configuration is needed: if WordPress does not find wp-config.php in its own directory, it looks in the parent directory automatically (as long as the parent is not itself a WordPress install). The point is that the file then sits outside the web root, so a misconfiguration that serves .php files as plain text, or a backup copy left behind by an editor, cannot expose your database password. This only helps if the parent directory really is outside the web root; if WordPress lives in a subdirectory of public_html, the parent is still web-accessible, and you should tighten the file's permissions instead (see section 11).

10. Login IP-address restriction

Restrict access to the admin area by IP address. Put the following in a .htaccess file inside the wp-admin directory (not in the site root, where the same lines would block the whole site for everyone but you) to allow one IP address and block all others:

order deny,allow
allow from xxx.xx.xxx.xx
deny from all

Replace xxx.xx.xxx.xx with the IP address you log in from; this only works if that address is static. A few caveats: this is Apache 2.2 syntax, which Apache 2.4 accepts only when the mod_access_compat module is loaded (the native 2.4 form is a Require ip directive); nginx ignores .htaccess files entirely, so there the restriction goes into the server configuration; wp-login.php lives in the site root rather than in wp-admin, so it needs its own <Files wp-login.php> block in the root .htaccess; and wp-admin/admin-ajax.php is called by themes and plugins from the public site, so it must stay reachable or the front end breaks for visitors.
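The following script, an added example rather than code from the original article, writes the same restriction in Apache 2.4 syntax for one or more addresses or CIDR ranges, covering both wp-admin/ and wp-login.php and keeping admin-ajax.php open. It validates each address first, because a malformed .htaccess line makes Apache answer 500 for the entire directory; the addresses used are documentation ranges, and the helper names are ours.

```shell
#!/bin/sh
# Added example, not from the original article: build the admin-area IP
# allow-list in Apache 2.4 syntax (Require ip) from IPv4 addresses or CIDR
# ranges, refusing malformed entries so a typo cannot lock you out or break
# the directory with a 500.

# Exit 0 if $1 is a dotted-quad IPv4 address, optionally followed by /0-32.
valid_ipv4_or_cidr() {
    addr=${1%%/*}
    mask=${1#"$addr"}        # "" or "/NN"
    case $mask in
        '') ;;
        /[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$addr" | awk -F'.' '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# admin_allowlist IP [IP...]  prints two fragments: the wp-admin/.htaccess
# body and a <Files> block for the site-root .htaccess, since wp-login.php
# lives in the root. Several bare "Require ip" lines are an implicit RequireAny.
admin_allowlist() {
    [ "$#" -gt 0 ] || { echo "refusing to write an empty allow-list" >&2; return 1; }
    for a in "$@"; do
        valid_ipv4_or_cidr "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    echo '# --- wp-admin/.htaccess ---'
    for a in "$@"; do echo "Require ip $a"; done
    echo '# admin-ajax.php is called from the public site; keep it reachable'
    echo '<Files admin-ajax.php>'
    echo '    Require all granted'
    echo '</Files>'
    echo
    echo '# --- .htaccess in the site root ---'
    echo '<Files wp-login.php>'
    for a in "$@"; do echo "    Require ip $a"; done
    echo '</Files>'
}

admin_allowlist 203.0.113.10 198.51.100.0/24
```

Test the result from a second connection (a phone on mobile data is enough) before closing the session you used to install it: if you locked yourself out, you still have a logged-in browser to fix the file from.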

11. File permissions

Set the following permissions: 755 for folders and 644 for all files. Sometimes wp-content is set to 777; change it back to 755. Mode 777 lets every local account write there, including other customers' accounts on a shared server and a compromised web-server process, which is exactly how a PHP backdoor ends up in wp-content/uploads. With 755 only the file owner can write, which is all WordPress needs when PHP runs as that owner (the usual php-fpm or suPHP setup). Make wp-config.php stricter still, 600 (or 640 if the web server runs as a different user in the owner's group), since it holds the database password and the keys from section 7.
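Checking and fixing this by hand on a full install is tedious, so here is an added example (not code from the original article) that audits a tree against these targets and repairs it. It uses GNU find's -printf, so it assumes a Linux host; the sample tree it builds in a temporary directory is constructed for the example, and the function names are ours. Point the functions at a real install directory to use them for real.

```shell
#!/bin/sh
# Added example, not from the original article: audit and repair WordPress
# file permissions (755 directories, 644 files, wp-config.php 600).
# Uses GNU find -printf. The sample tree below is constructed for the example.

# Print "<kind> <mode> <path>" for every entry that deviates from the target.
perm_audit() {
    dir=$1
    find "$dir" -type d ! -perm 755 -printf 'dir  %m %p\n'
    find "$dir" -type f ! -name wp-config.php ! -perm 644 -printf 'file %m %p\n'
    find "$dir" -maxdepth 1 -name wp-config.php ! -perm 600 -printf 'file %m %p\n'
}

# Apply the target modes. 600 on wp-config.php assumes PHP runs as the file
# owner (php-fpm pool or suPHP); if the web server is a different user in the
# owner's group, use 640 here instead.
perm_fix() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    if [ -f "$dir/wp-config.php" ]; then
        chmod 600 "$dir/wp-config.php"
    fi
}

# Constructed sample: a world-writable uploads dir, a 666 index.php and a
# world-readable wp-config.php, the three mistakes seen most often.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/wp-content/uploads" "$tree/wp-includes"
    touch "$tree/index.php" "$tree/wp-config.php" "$tree/wp-includes/version.php"
    chmod 755 "$tree" "$tree/wp-content" "$tree/wp-includes"
    chmod 644 "$tree/wp-includes/version.php" "$tree/wp-config.php"
    chmod 777 "$tree/wp-content/uploads"
    chmod 666 "$tree/index.php"
    printf '%s\n' "$tree"
}

sample=$(make_sample_tree)
echo "before:"; perm_audit "$sample"
perm_fix "$sample"
echo "after:";  perm_audit "$sample"
rm -rf "$sample"
```

On the sample, the audit lists the 777 uploads directory, the 666 index.php and the 644 wp-config.php; after perm_fix it prints nothing. Run perm_audit from cron and treat any output as an alert: a file that became writable on its own is usually a sign that something else has already gone wrong.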

12. Virus scan

This point is about the computer you administer the site from. Don't follow suspicious links, open emails from unknown or suspicious senders, or install third-party software. Even if you are careful and do none of these things, keep your antivirus updated and run a scan regularly: malware on a webmaster's PC that steals saved FTP and admin passwords is one of the most common ways a well-maintained site still gets hacked.

If you have suggestions regarding WordPress website security, feel free to leave them in the comments and we will gladly add them to the article.
