WordPress Security Checklist: 12 Steps to Secure Your Website

When talking about WordPress security, many things can be done to secure your website and prevent hackers and vulnerabilities from affecting your online presence.

WordPress is one of the most popular platforms for self-hosted blogs and websites and powers over 40.3% of all websites on the web. Even WhiteHouse.gov is using the WordPress platform! Because of that popularity, it is also a natural target for attackers.

With the various themes and plugins that exist out there, it is not a surprise that vulnerabilities exist and are continually affecting websites.

The last thing that you want to happen is to find out one day that your website got hacked. In our efforts to help you prevent this from happening, we will be sharing multiple tips and techniques you can use to secure your WordPress website and stay protected.

WordPress Security Checklist

It’s important to remember that WordPress is open-source software, which means anyone can examine the code that makes WordPress work. Yes, hackers are always analyzing this code to find potential exploits, but so are the security teams at WordPress, volunteer developers and ethical white hats, plus the millions of people who contribute to WordPress for the opposite reason: to keep it secure and look out for the community at large.

Additionally, most security breaches aren’t even caused by a vulnerability in WordPress’s own code. They happen because people all too often don’t keep their WordPress site and its installed plugins up to date.

Invest in Rock-Solid WordPress Hosting

Every web host out there should take security very seriously. That is why it is essential to choose a web host you can rely on for your business. The research you do before choosing a web host should absolutely include inquiries into how they handle security events.

You should look for a host with the following basic services:

  • Up to date server software stacks. Whether they use LiteSpeed, NGINX, Apache, or IIS, they should be running the latest versions, fully patched. If they’re still offering PHP 5, you should probably look elsewhere. The earliest version of PHP they should be offering is PHP 7.0, and PHP 8.0 should be available to you as well.

The same goes for other software, like MySQL, MariaDB, cPanel, Plesk, and the server operating system.

  • Firewalls and other security defenses. There are literally hundreds of ways your hosting provider can keep their servers secure. If they own their own servers and are co-locating them, for example, they should be putting strict controls on the ways someone can physically access those servers. They should also be using firewalls and other defense mechanisms, like intrusion detection, to keep unauthorized users out.
  • Malware monitoring and/or removal apps: You should select a host that makes an effort to detect and prevent malware infections, and possibly offers full-service malware scanning and removal. When doing your research, ask what the host’s policy is when it spots an account infected with malware, whether it offers such services, and if so, what they cost.

We use cloud infrastructure for all of our WordPress Hosting customers to keep their data safe. By distributing data across redundant servers, the information hosted in the cloud is always protected against hardware failure.

In addition, our servers run on CloudLinux OS, which lets us give each account its own virtualized file system and completely isolate it. A significant advantage is that if one user account becomes compromised, the malware infection does not spread to the other accounts hosted on the same server. What’s more, we’ve partnered with Imunify360 to provide you with a secure and reliable WordPress Hosting service. Its multi-layered defense architecture ensures precise targeting and eradication of malware and viruses.

Through these services, we add additional layers of protection for your website.

Install and Use a (Good) SSL Certificate

An SSL or Secure Sockets Layer certificate encrypts the data transmitted between the user and your website. This is CRUCIAL for websites where your users are actually customers who submit payment information to buy items from your store.

If you’re running a blog and not selling anything, you can get away with a free Let’s Encrypt SSL certificate. But if you’re taking payments, an SSL certificate is a must. Using SSL means your site is served over https:// instead of showing a red “Not secure” warning in the address bar.

SSL certificates have built ingrained trust among the public because of their security, and even more so the famed Green Bar SSL, aka an EV SSL certificate, because visitors know those companies have been verified and authenticated by a trusted certificate authority.

Always Keep Your WordPress Version + Plugins Up To Date

[Screenshot: a WordPress dashboard showing 10 pending updates, including a WordPress version update]

See this? This is scary. That’s a user who doesn’t care about their site, right there: 10 updates, including a WordPress version update.

An outdated WordPress site, plugin, or theme is a potential wide-open gateway into your website. Let’s review some WordPress stats from 2019/2020:

  • 62% of websites had an SEO spam infection during our cleanups. Database spam was the most prevailing form of infection. Our remediation team often found database infections without backdoors, which may be related to SQL injections and reflective of our user base.
  • 47% of all infected websites contained one or more backdoors, allowing attackers to maintain access to compromised environments after the initial infection.
  • In 2019, over 56% of all CMS applications were out of date at the point of infection. Stats for 2020 on this metric aren’t available quite yet.
  • Fortunately, a recent major release of WordPress lets you turn on automatic updates for themes and plugins, as well as WordPress itself, right from the dashboard.
  • Previously you needed to be somewhat savvy and edit your wp-config.php file by hand, adding some lines of code for these things.

How to Enable Auto-Updates for Plugins

Enabling automatic updates for plugins couldn’t be easier!

Step 1: Log in to your wp-admin.

Step 2: Locate the Plugins option on the left.


Step 3: In the far right column, click “Enable Automatic Updates” for each plugin you want to be able to update itself automatically.


Now, your plugins will update themselves automatically when the developer publishes a new version.

How to Enable Auto-Updates for Themes

Step 1: On the left side of your WordPress Admin Dashboard, click Appearance in the menu.

Step 2: Select Enable auto-updates for your theme.

Note: You will need to do this for each of your themes. Also, as of this writing, not all WordPress themes have been updated to support this feature, and as such, you may not see the option to enable auto-updates for your theme until the developer provides an update.

If you’re more of a hands-on type and don’t trust automation, no worries, this release hasn’t forgotten about you! Feel free to turn off those automatic updates, and when you’re ready to update a theme or plugin, simply upload it in the form of a ZIP file, and voila! It’s updated!
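For those who prefer to set this in code rather than click through each plugin, here is an added example (not from the article) of a must-use plugin that enables core auto-updates, auto-updates an allow-list of plugins, and auto-updates every theme except the active one. The plugin paths in the allow-list are hypothetical placeholders.

```php
<?php
/**
 * Plugin Name: Example Selective Auto-Updates
 * Description: Added example, not part of the article. Save it as
 *              wp-content/mu-plugins/example-auto-updates.php; must-use plugins load
 *              automatically and cannot be switched off from the dashboard.
 */

// Let WordPress core apply both minor and major releases unattended
// (the same effect as define('WP_AUTO_UPDATE_CORE', true) in wp-config.php).
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins trusted to update on their own, as "folder/main-file.php" (the form
// get_plugins() reports). These two entries are hypothetical placeholders.
const EXAMPLE_AUTO_UPDATE_PLUGINS = [
    'example-security-plugin/example-security-plugin.php',
    'example-backup-plugin/example-backup-plugin.php',
];

add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->plugin) && in_array($item->plugin, EXAMPLE_AUTO_UPDATE_PLUGINS, true)) {
        return true;      // always auto-update the allow-listed plugins
    }
    return $update;       // everything else keeps its dashboard toggle setting
}, 10, 2);

// Auto-update every theme except the active one, which is usually the customized
// (child) theme you want to test before it changes under you.
add_filter('auto_update_theme', function ($update, $item) {
    if (isset($item->theme) && $item->theme === get_stylesheet()) {
        return false;
    }
    return true;
}, 10, 2);
```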

Use Smart Usernames and Smarter Passwords

When it comes to user security, good security practices are key to keeping your login credentials safe. Avoid “admin” as a username and always choose a complex password. Instead of Admin for the WordPress administrator account, use a random username altogether. Here is a list of usernames you should definitely avoid:

  • Admin – This used to be the default username for WordPress and is, therefore, one that will definitely be tried in a brute force attack.
  • Your real name or nickname – This is both public information and as easy to guess as “admin”. In addition, it can make sense to create a separate profile without administrator rights for publishing content. That way, the username of the main login does not appear on the website. Don’t use variations of your name either. If your name is John Jacob Jingleheimer Schmidt, don’t use jjjschmidt as the username.
  • Any personal information – Including birthdays, etc. Only use a personal detail if it’s something no one could ever know.
  • The title of your site, or something obviously related to it – “Kittens” for a cat adoption agency, etc.
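As an added example (not from the article), the following must-use plugin enforces the list above in code: it rejects “admin”, the site title and words from it, the site’s hostname, and a login that is simply the user’s own name or nickname. It uses WordPress’s own illegal_user_logins filter and user_profile_update_errors hook; the name-variation check is deliberately limited to the common cases.

```php
<?php
/**
 * Plugin Name: Example Username Rules
 * Description: Added example, not part of the article. Place in wp-content/mu-plugins/.
 *              Refuses the kinds of usernames the checklist warns against.
 */

// Squash a string to lowercase letters and digits so "J. Schmidt" and "jschmidt" compare equal.
function example_squash($s): string
{
    return strtolower(preg_replace('/[^a-z0-9]/i', '', (string) $s));
}

// WordPress lowercases both sides, so this list is case-insensitive. It applies to
// registration, the "Add New User" screen and any wp_insert_user() call.
add_filter('illegal_user_logins', function (array $illegal) {
    $blocked = ['admin', 'administrator'];          // the old default and its obvious variant

    // "The title of your site, or something obviously related to it": the title itself,
    // the title squashed to one word, and any word of it with four or more characters.
    $title = strtolower(get_bloginfo('name'));
    $blocked[] = $title;
    $blocked[] = example_squash($title);
    foreach (preg_split('/\s+/', $title) as $word) {
        if (strlen($word) >= 4) {
            $blocked[] = $word;
        }
    }

    // The first label of the site's hostname ("kittens" for kittens.example).
    $host = parse_url(home_url(), PHP_URL_HOST);
    if (is_string($host)) {
        $blocked[] = explode('.', preg_replace('/^www\./', '', $host))[0];
    }
    return array_values(array_unique(array_merge($illegal, array_filter($blocked))));
});

// "Your real name or nickname": runs when a user is created or edited in wp-admin and
// rejects a login that is just the first name, last name, nickname, or first+last.
// (Assumption: this covers the common variations, not every possible one.)
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    $login = example_squash($user->user_login ?? '');
    $first = (string) ($user->first_name ?? '');
    $last  = (string) ($user->last_name ?? '');
    $nick  = (string) ($user->nickname ?? '');
    $taboo = array_filter(array_map('example_squash', [$first, $last, $nick, $first . $last]));
    if ($login !== '' && in_array($login, $taboo, true)) {
        $errors->add('login_is_name',
            __('Please choose a username that is not your name or nickname.'));
    }
}, 10, 3);
```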

Make sure to choose a complex password. Google has some great tips on how you can choose a secure password. You should be using a password manager, like 1Password or Bitwarden.

If you are managing multiple WordPress sites, use a different password for each. One way to generate random passwords is random.org’s password generator, which derives true randomness from atmospheric noise.

If you want to store your passwords locally, on your computer, then you can use a free tool such as KeePass.

Use Two-Factor Authentication

Take advantage of Two-Factor Authentication to lock down your WordPress login. Two-Factor Authentication adds a second step to the login process: a code delivered by text message (SMS) or generated as a time-based one-time password (TOTP) is required to log in. Two-factor authentication is a 100% effective way to prevent brute force attacks on your WordPress admin panel.


We prefer the free Google Authenticator plugin because you can use it for an unlimited number of users. Just install the plugin and open a user account. You can then set up two-factor authentication by creating a new secret key or simply by scanning the QR code. Then make sure to mark it “Active.”

With 2-Step Verification enabled, on your login page, you will be asked to enter a six-digit code after you provide your username and password. If you do not provide this six-digit number, you will not be able to log in, even if you have the correct username and password.
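To show what that six-digit code actually is, here is an added example (not from the article or the Google Authenticator plugin) of how the server side generates and verifies a TOTP code, checked against the test vector published in RFC 6238.

```php
<?php
// Added example, not from the article or the Google Authenticator plugin: how the server
// generates and verifies the six-digit code (RFC 6238 TOTP over RFC 4226 HOTP).

// Authenticator apps display the shared secret in base32; decode it to raw bytes.
function totp_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 secret');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {      // a trailing partial byte is padding
        if (strlen($byte) === 8) { $raw .= chr(bindec($byte)); }
    }
    return $raw;
}

// One 30-second step: HMAC-SHA1 over the big-endian step counter, then "dynamic
// truncation" (RFC 4226 section 5.4) down to $digits decimal digits.
function totp_code(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    $counter = pack('J', intdiv($unixTime, $step));        // 8-byte big-endian counter
    $hmac    = hash_hmac('sha1', $counter, $secret, true);  // 20 raw bytes
    $offset  = ord($hmac[19]) & 0x0f;
    $binary  = ((ord($hmac[$offset]) & 0x7f) << 24) | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8) | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step plus one either side to tolerate clock skew, comparing in
// constant time so response timing does not reveal how much of a wrong code matched.
function totp_verify(string $secret, string $code, int $now, int $window = 1): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret, $now + $i * 30), $code)) {
            return true;
        }
    }
    return false;
}

// Self-check: RFC 6238 Appendix B uses the ASCII secret "12345678901234567890" and gives
// 94287082 at T=59; the base32 form is what an authenticator app would store.
$secret = '12345678901234567890';
if (totp_code($secret, 59, 30, 8) !== '94287082'
    || !totp_verify(totp_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'), '287082', 59)) {
    throw new RuntimeException('TOTP self-check failed');
}
```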

Disable The Plugin Editor

WordPress comes with a set of very easy-to-reach plugin and theme editors. These editors are super handy if you want to edit your theme or plugins in the same wp-admin you do everything else in, but they allow direct access to your site’s code. If someone compromises a user account with sufficient privileges, they have direct access to make malicious changes to your site with ease.

Most WordPress users will never need to touch the plugin and theme editors. Disabling them takes one line of code in your wp-config.php, and if you are the type of user who likes to tinker and do some custom coding, re-enabling them later is just as easy:

// Add to wp-config.php above the "That's all, stop editing!" line.
// Removes the Theme Editor and Plugin Editor from wp-admin entirely.
define('DISALLOW_FILE_EDIT', true);

Doing this won’t be the be-all and end-all of stopping a hacker, but it will confuse less experienced hackers and stop them in their tracks. At the very least, it will make doing something on your site that much more difficult and give you time to sort out what’s gone wrong.

Lock Down Your WordPress Login URL

The harder you make it for attackers to find your entry points, the less likely you are to be targeted. Locking down your WordPress admin URL and login is a good way to increase your login security.

The default WordPress site’s login URL is domain.com/wp-admin. One of the problems with this is that all of the bad bots, hackers, and scripts out there also know this. By changing the URL for your WordPress admin panel, you can make yourself less of a target and better protect your site against brute force attacks.

Out of the box, anyone can access your wp-admin page simply by going to https://yoursite.com/wp-admin. You can (and should) use a plugin to stop them in their tracks, such as the free WPS Hide Login plugin. This plugin allows you to rename the /wp-admin to anything you want, like /login, or even something like /mywordpressadminloginpageishere if you wanted to.

You should use a path that isn’t obvious. I use this plugin on my own site, and while I won’t tell you what the path is, it’s something you wouldn’t guess but is still easy to remember.

You should also install a plugin that limits the number of login attempts a user gets before they are blocked. The aptly named Limit Login Attempts plugin (also free) gives users several attempts to log in before they are locked out. The plugin can also detect and redirect bots away from your login page.

If you want to go the extra mile, you can enable Cloudflare Rate Limiting to further control access to your site. Using the Cloudflare network, this tool automatically detects brute force and DDoS attacks and blocks the offending IP addresses.
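The following added example (not from the article, nor the Limit Login Attempts plugin’s own code) shows the core of such a lockout as a small must-use plugin: it counts failed logins per source IP in a transient and refuses further logins once the limit is hit. It assumes REMOTE_ADDR is the real client address, which is not the case behind a CDN or reverse proxy.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example, not the article's or the Limit Login Attempts plugin's own
 *              code. Place in wp-content/mu-plugins/. Locks out a source IP after repeated
 *              failed logins. Assumes REMOTE_ADDR is the real client address; behind a CDN
 *              or reverse proxy, take the IP from the header your proxy sets instead.
 */

const EXAMPLE_MAX_FAILS   = 5;         // failures allowed before lockout
const EXAMPLE_LOCKOUT_SEC = 15 * 60;   // lockout length in seconds

// One counter per client IP, stored as a transient so it expires by itself.
function example_lockout_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_fails_' . md5($ip);            // md5 only keeps the key short
}

// Count every failed attempt; resetting the expiry makes the window slide.
add_action('wp_login_failed', function () {
    $key = example_lockout_key();
    set_transient($key, (int) get_transient($key) + 1, EXAMPLE_LOCKOUT_SEC);
});

// Priority 30 runs after WordPress's own username/password check (priority 20), which
// would otherwise overwrite an early WP_Error with a WP_User when the credentials are
// valid. Returning WP_Error here blocks the login either way, and the blocked attempt
// itself fires wp_login_failed, so hammering a locked address only extends the lockout.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(example_lockout_key()) >= EXAMPLE_MAX_FAILS) {
        return new WP_Error('example_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30);

// A successful login clears the counter so a legitimate user who mistyped is not stuck.
add_action('wp_login', function () {
    delete_transient(example_lockout_key());
});
```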

How to Change Your WordPress Login URL

To change your WordPress login URL, we recommend using a free plugin called WPS Hide Login.

This plugin lets you quickly and safely change the URL of the login form page to anything you want. It does not rename or change core files, nor does it add rewrite rules; it merely intercepts page requests and works on any WordPress website. This way, the wp-admin directory and the wp-login.php page become inaccessible.

Once installed, go to General Settings of your WordPress dashboard and just set your admin panel URL.

Deactivating this plugin brings your site back precisely to the state it was before.

Harden Your wp-config.php File

The wp-config.php file stores your database credentials and other secrets: everything an intruder needs to gain access to your site’s database. It is one of the most important files in your entire WordPress install.

Deny Access to the wp-config.php File

You can prevent the file from being accessed by adding the following code to your .htaccess file.

# Refuse every request for wp-config.php (Apache 2.2 syntax; on Apache 2.4
# use "Require all denied" inside the <Files> block instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Anyone that tries to access your site’s wp-config.php will receive a 403 Forbidden error.

Disable directory listing

By default, when your web server does not find an index file (index.php or index.html), it automatically displays an index page showing the files and folders in that web directory.

This could make your site vulnerable by revealing exactly the information an attacker needs to take advantage of a vulnerability in a WordPress plugin, theme, or your server in general.

How to disable directory browsing in WordPress

Just add the following line in the site’s .htaccess file located in the root directory of your website.

Options -Indexes

If you are an Archer Data Hosting customer, we have you covered. By default, the directory listing is disabled on our servers.

Disable PHP Execution in WordPress Directories

Hacked WordPress sites usually contain backdoor files. These are often disguised as core WordPress files and placed in the /wp-includes/ or /wp-content/uploads/ folders.

An easy way to improve your WordPress security is to disable PHP execution in those directories.

Create a blank .htaccess file and paste this code inside it:

# Refuse to serve any .php file from this directory, so an uploaded backdoor
# never executes (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<Files *.php>
deny from all
</Files>

Then upload this file to /wp-content/uploads/ and /wp-includes/ directories.

Prevent Hotlinking

Hotlink protection prevents other websites from linking directly to files on your website. An example of hotlinking would be using an <img> tag to display an image from your site on some other site; the other site is then stealing your bandwidth.

How to Prevent Hotlinking

To prevent hotlinking simply insert the following code into your .htaccess file:

RewriteEngine on
# Let through requests that send no Referer at all (direct visits, some privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# and requests referred from your own site (replace domain.com with your domain)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.com [NC]
# Any other Referer asking for an image gets 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Alternatively, you can use this online tool in order to create a .htaccess file for hotlink protection of your images and pictures.
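To confirm that the wp-config.php, directory listing, PHP execution and hotlinking rules above actually took effect, here is an added example (not from the article) of a command-line PHP script that requests each protected resource and checks for the expected response. It assumes Apache applying exactly those rules, PHP 7.1+ with the curl extension, and an existing image path passed on the command line.

```php
<?php
// Added example, not from the article: a command-line check that the .htaccess rules from
// the wp-config.php, directory-listing, PHP-execution and hotlinking sections are in
// effect on a live site. Assumes Apache applying those exact rules and an existing image.
// Usage: php example-htaccess-check.php https://example.com /wp-content/uploads/2021/12/photo.jpg

function example_fetch(string $url, array $extra = []): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, $extra + [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,      // a redirect to the home page is not a 403
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_USERAGENT      => 'example-hardening-check/1.0',
    ]);
    $body   = (string) curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body];
}

function example_run_checks(string $base, string $imagePath): array
{
    $base = rtrim($base, '/');
    $results = [];

    // "Deny Access to the wp-config.php File": the <Files> rule answers 403.
    [$status] = example_fetch("$base/wp-config.php");
    $results['wp-config.php returns 403'] = ($status === 403);

    // "Disable directory listing": no autoindex page for the uploads folder.
    [$status, $body] = example_fetch("$base/wp-content/uploads/");
    $results['directory listing disabled'] = !($status === 200 && stripos($body, 'Index of') !== false);

    // "Disable PHP Execution": the <Files *.php> deny is applied before the file is looked
    // up, so a request for a .php name that does not exist must still get 403, not 404.
    [$status] = example_fetch("$base/wp-content/uploads/example-check.php");
    $results['PHP blocked in uploads'] = ($status === 403);

    // "Prevent Hotlinking": our own Referer is served, a foreign one is refused.
    [$own]     = example_fetch("$base$imagePath", [CURLOPT_REFERER => "$base/"]);
    [$foreign] = example_fetch("$base$imagePath", [CURLOPT_REFERER => 'https://hotlinker.invalid/']);
    $results['hotlink protection'] = ($own === 200 && $foreign === 403);

    return $results;
}

if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    foreach (example_run_checks($argv[1], $argv[2]) as $check => $ok) {
        printf("%-28s %s\n", $check, $ok ? 'OK' : 'FAIL');
    }
}
```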

Perform regular backups

Backing up your site is about creating a copy of all the site’s data, and storing it somewhere safe. That way, you can restore the site from that backup copy in case anything bad happens.

Most hosting providers now provide backups. Archer Data Hosting has free automated backups that are stored offsite and allow a quick restore, so you can rest easy knowing your data is safe!

WordPress Backup Plugins

As an extra measure or if your host doesn’t have backups, there are some popular WordPress backup services and plugins which you can use to automate the backup task.

  • Duplicator
  • WP Time Capsule
  • BackupBuddy
  • UpdraftPlus
  • BackUpWordPress
  • BackWPup
  • WP BackItUp

In addition, if you installed WordPress using the Softaculous Apps Installer, there are application backup settings you can enable. You'll find it in cPanel in the Software section.

Hide Your WordPress Version

Another good practice is to hide your WordPress version. Anyone who checks the source code of your site can easily see what version of WordPress you are running, and if you aren’t good at keeping up with the latest updates, this is a welcome sign for intruders.

Simply add the following code to your functions.php file:

// Return an empty string for the <meta name="generator"> tag and the feed
// generator line, so the WordPress version is no longer printed in page source.
function wpversion_remove_version() {
    return '';
}
add_filter('the_generator', 'wpversion_remove_version');

Please note that editing the source code of the WordPress functions.php file could break your site if it is not done correctly. If you are not feeling comfortable doing this, please check with your web developer first.

Summary

As you can see, there are various ways to improve your WordPress security. Take the security of your site seriously, find some time, and implement the best practices mentioned above sooner rather than later.

 

Updated on December 8, 2021