How to Secure your WordPress Site?


Every person who owns a website understands the importance of WordPress security. Over 10 thousand websites get blacklisted by Google each day because of malware, and nearly 50 thousand websites are blacklisted by them every week for phishing.

Anyone serious about their website should take care of WordPress security. They need to follow the best practices needed for their safety. Here, through this guide, you will get to know about the best tips related to WordPress security. These will help you in protecting your site against malware and hackers.

Though the core software of WordPress is secure, and it gets audited on a regular basis by many developers, there’s much more that you could do for securing your website.

When we talk about security, we do not just mean eliminating risks; we also mean reducing them. If you own a website, there is a lot you can do to improve the security of your WordPress site, and you do not have to be tech-savvy to do it.

Your website could be protected from security vulnerabilities if you take the actionable steps mentioned by us in this article.

Why is it Important to Secure your Website?

A WordPress website that is hacked can badly affect your business reputation and revenue. Your passwords and user information can get stolen by hackers. They can even get malicious software installed and spread malware to the users of your site.

And the worst could be ransomware, because of which you may be forced to pay the hackers a heavy amount in order to regain your site’s access.

In 2016, as per Google, over 50,000,000 website users were cautioned about a site containing malware or stealing information that they had been visiting.

WordPress has often had a bad reputation for being susceptible to security issues and for not being an inherently secure platform for business use. Most of the time, this is because users keep following practices that the industry has shown to be the worst for security.

Outdated WordPress software, poor system administration and credential management, nulled plugins, and little or no security and web knowledge among non-technical WordPress users all help hackers stay ahead in their game of cybercrime.

Industry leaders also do not necessarily follow the required best practices always. For example, Reuters was once hacked. This happened because the WordPress version being used by them was an outdated one.

Basically, security is not about perfectly secure systems. It may not be possible or practical to find or maintain a perfect security system. Security is actually more about risk reduction than risk elimination. It is about having all the needed controls to help you improve your whole posture by reducing the chances of becoming a target, thus saving yourself from getting hacked (WP Security Codex).

Vulnerabilities do exist. As per the 2017 study done by Sucuri, which is a security company for multiple platforms, WordPress tops when it comes to the infected sites they have worked on (nearly 83 per cent). This has increased from 74 per cent in 2016.

Security Vulnerabilities of WordPress

Nearly 40 per cent of sites present on the net today are powered by WordPress. With so many plugin and theme combinations available, it should not be a surprise to know that vulnerabilities do exist. They are being discovered constantly, in fact. But, at the same time, the platform of WordPress has a large community that ensures that such things get tackled immediately.

Today in 2021, the security team of WordPress comprises nearly 50 experts. These experts include security researchers and lead developers. Half of them are Automattic’s employees, and a few are from the online security industry.

A few of the security vulnerabilities of WordPress are:


Backdoors

This vulnerability, fittingly named a backdoor, gives hackers hidden passages that bypass security encryption. It lets them get access to WordPress websites through abnormal methods: SFTP, Admin, FTP, and so on.

Once exploited, backdoors let hackers create havoc on host servers. Multiple websites running on the same server are vulnerable to these attacks.

In 2017 as per Sucuri’s report, backdoors continued to be among the several post hack actions that attackers took. Nearly 71 per cent of the sites that were infected had some type of backdoor injection.

Backdoors are often encrypted so that they look like legitimate WP system files. They make their way into WP databases by exploiting bugs and weaknesses in outdated versions of the platform. The TimThumb failure was the best example of the backdoor vulnerability: it exploited outdated software and shady scripts, compromising millions of websites.

Luckily, avoiding and treating this issue is pretty simple. You can easily detect common backdoors by scanning your WordPress website with SiteCheck. Blocking IPs, 2-factor authentication, and stopping unauthorized PHP file execution easily handle the common backdoor threats. We will discuss this in more detail below.

Pharma Hacks

This hack is used to inject malicious code in WordPress plugins and websites whose versions are outdated. This makes the search engines return ads related to pharmaceutical products if a website that is compromised is looked for. The vulnerability here is more like a spam threat than regular malware. However, it provides search engines with a good reason for blocking the website by accusing it of distributing spam.

Pharma hack’s moving parts consist of backdoors in databases and plugins that one can clean up by following the Sucuri blog’s instructions. But, these exploits are most often savage variants of malicious injections that are encrypted. These hide in databases. They need an in-depth process of clean-up for fixing the vulnerability.

Nonetheless, Pharma hacks can be easily prevented by you by using recommended WP hosts with modern servers and by getting your WP themes, installations, and plugins regularly updated. Kinsta is a host that allows hack fixes for free.

Brute-force Login Attempts

Brute-force login attempts use automated scripts to exploit weak passwords and gain access to your website. Restricting login attempts, monitoring unauthorized logins, using strong passwords, blocking IPs, and 2-step authentication are a few of the simple and effective methods that help prevent brute-force attacks.

However, sadly, many owners of WordPress sites do not follow these above-mentioned security practices. Hackers easily manage to break into around 30 thousand websites daily through brute-force attacks.

Malicious Redirects

Malicious redirects create backdoors in WP installations using wp-admin, SFTP, FTP and other protocols, and inject redirection code into the site. These redirects are mostly placed in encoded form in the .htaccess file and in other WP core files, directing the website traffic to malicious websites. We cover some ways to prevent this in the WP security steps below.

Cross-Site Scripting

This happens when a malicious script is injected into a trusted application or website. The attacker uses it to send malicious code, usually browser-side scripts, to the site’s end user without the end user knowing. The aim is to grab session data or cookies, or even to rewrite the HTML on a web page.

As per Wordfence, these kinds of vulnerabilities are extremely widespread in WP plugins.

Denial of Service (DoS)

The most threatening of them all is the DoS vulnerability. It exploits bugs and errors in code to flood the memory of the website’s operating system. Hackers have attacked millions of sites and collected millions by exploiting buggy and outdated WordPress software versions with DoS attacks. Though financially motivated cybercriminals may rarely aim for smaller companies, they still attack vulnerable, outdated websites in order to create botnet chains that help them attack larger businesses.

The WordPress software’s latest version also is unable to defend itself against DoS attacks that are high-profile. But, at least it can help you in avoiding getting captured in this crossfire happening between complex cybercriminals and financial institutions. I hope you remember 21st October 2016. On this day, a DNS DoS attack made the internet go down.

You have to give extra attention to WordPress security if your site is your business.

Just how a physical store owner is responsible for its safety, the same way, a business owner online also has to protect his or her business site.

How to Protect your WP Website        

Update WordPress

WordPress, which is an open-source program, is updated and maintained regularly. Minor updates are automatically installed by WP by default. For huge releases, you will have to start the updates manually.

WP also has many themes and plugins that can be installed by you on your site. Third-party developers maintain these themes and plugins. They also release updates regularly.

Updates of WordPress are important when it comes to the stability and security of your WP site. You have to ensure that your WP core, themes, and plugins are updated.

Strong Passwords & User Permissions

Stolen passwords are used in the majority of WP hacking attempts. By making use of stronger unique passwords for your site, you could make this difficult. This does not just apply for the admin area of WordPress, but it also applies for FTP accounts, WP hosting account, database, and even your customized email address that uses your website’s domain name.

Most beginners do not prefer having strong passwords. This is because they find it difficult to memorize. But, the best part is that you no longer have to memorize your passwords. A password manager can be used by you.

One other way for reducing the threat is by not letting anyone else have access to your WP admin account unless it is important. If your team is large or you have guest authors, then first try and understand the user capabilities and roles in WordPress and only then add new accounts of users and authors to the WordPress website.

WordPress Hosting

Your WP website’s security depends more on the WP hosting service. SiteGround or Bluehost are great shared hosting providers. Extra measures are taken by them when it comes to protecting their servers from common threats.

So how do you know if the hosting company is a good one for your site? How to check if it can protect your site and data? Read further to get the answers.

A good web-hosting company keeps a check on their network to see if there is any suspicious activity.

Good web-hosting companies, mostly all of them, have the tools required to avoid DDoS attacks that happen on a large scale.

They make sure the PHP versions, hardware, and software of the server are updated. This helps in preventing attackers from exploiting any security vulnerability known in the previous version.

They’ve plans ready to be used in case of accidents and for disaster recovery. These help them in protecting your data if any major accident happens.

When using the services of a shared host, the resources of the server have to be shared by you with few other customers. Hence there is a cross-site contamination risk. A hacker could make use of a neighbouring website for attacking your site.

When using the managed WordPress web-hosting service, your website gets provided with a platform that is more secure. These managed WP web-hosting companies provide automatic WP updates, automatic backups, and security configurations that are more advanced to safeguard your site.

The most simple way of keeping your website secure is by going with the web hosting provider that offers many security layers.

A cheaper web-hosting company may sound and look tempting. It will help you save money. You could use this saved money to help your site in some other way. But, this temptation will do no good. Try and avoid it as it will give you nightmares. You could end up erasing all your data, and your site URL could get redirected to another place.

It is okay if you have to spend a little more. Investing in a good quality web-hosting company will let your site have extra security layers. And also, your WordPress website speed gets improved or increased when you use good WP hosting.

Although there are a lot of web hosting companies in the market, we suggest WP Engine. The security features provided by them are many, including malware scans on a daily basis and support offered 24/7 for the entire year. And all this is offered at a reasonable price.

Avoid Using Nulled Themes

The premium themes of WordPress seem to be more professional. They have many customizable options as compared to free themes. Developers who are highly skilled have coded the premium themes. These themes are thoroughly tested to ensure that they pass multiple WP checks. No restrictions are placed on getting your theme customized. You are provided with complete support if anything goes wrong with your website. Regular updates of themes will be provided to you.

However, a few websites offer cracked or nulled themes. Such themes are basically hacked copies of premium themes. They are made available through illegal means, and they are not safe for your website. These themes have malicious code hidden in them, which could destroy your database and website.

Easy Steps for WordPress Security (No Coding)

Beginners may think that WordPress security is difficult. Especially the ones that are not tech-savvy will definitely get worried with the thought of it. But, there is nothing to worry about.

Have a WP Backup Solution Installed

In the event of any WP attacks, backups will help you a lot. Nothing is secure 100 per cent. Government websites get hacked too. So even yours can get hacked.

When you do a backup, you are able to get your WP website restored quickly. This comes in very handy in case anything bad happens.

Many paid and free WP plugins for backup are available on the market. Saving backups of the full site regularly to a secure location is important when you do backups. Please remember not to save this to your web hosting account.

According to us, you should save it on Cloud services. Few examples of these are Dropbox, Amazon, or Stash.

Depending on how often your website is updated by you, the perfect setting could be once a day, or it could be real-time backups.

Fortunately, you can do this easily if you use plugins like BlogVault or UpdraftPlus. Both of them can be used easily and are reliable. You do not need to know to code for this.

Top WP Security Plugin

After doing the backups, what needs to be done next is to get a monitoring and auditing system setup. This will help track everything happening on your site, including failed attempts of login, monitoring file integrity, scanning malware, and so on.

Luckily, you can do all this with the help of Sucuri Scanner, which is the best WP plugin for security. Also, it is free.

This free plugin will need to be installed and activated by you. After you activate the plugin, you will have to reach the menu of Sucuri that you will find on your WP admin. You’ll be first asked to get the free API key generated. This will get audit logging, email alerts, integrity checking, and other main features enabled.


After the above step, click the ‘Hardening’ tab, which you will find in the settings menu. Go through all the options and click the ‘Apply Hardening’ button. These options let you lock down the main areas that hackers often use in their attacks. The Web Application Firewall is the only hardening option that is a paid upgrade.

Many ‘Hardening’ options are covered by us in this write-up. This information will help those who do not want to use plugins or the ones requiring extra steps like ‘Changing the Admin Username’ or ‘Database Prefix Change’.

Once you are done with the hardening options, the settings of the default plugin are adequate for many sites and require no changes. We only suggest you customize ‘Email Alerts’.

Default alert settings could mess up the inbox. We suggest you receive alerts for important actions like plugin changes, registration of a new user, and so on. You could get the alerts configured by going to the Sucuri Settings for Alerts.


The security plugin of WP is extremely powerful. You should check all the settings and tabs, so you understand what all it does in terms of scanning malware, auditing logs, tracking failed attempts of login, and so on.

Enabling WAF (Web Application Firewall)

Using WAF is the simplest way for protecting your website and remaining assured about your WP security. Malicious traffic is blocked by the website firewall before it can reach your site.

DNS Level Firewall: It routes your site’s traffic through its cloud proxy servers, so your web server receives only legitimate traffic.

Application Level Firewall: This firewall plugin examines traffic once it has reached your web server, but before most of the WP scripts are loaded. It is not as efficient as the DNS Level Firewall (DLF) at reducing the server load.

Moving your WP Website to HTTPS/SSL

SSL is a protocol that encrypts the transfer of data between users’ browsers and your site. This encryption makes it difficult for anyone to sniff the traffic and steal information.

How does SSL work?

After enabling SSL, HTTPS will be used by your site instead of using HTTP. Also, you will find the padlock sign near the address of your site in the web browser.

Certificate authorities typically issued SSL certificates. Their prices begin from USD 80 and go till 100s of dollars per annum. Because of the additional cost, many website owners chose to continue using a protocol that is insecure.

To get this issue fixed, Let’s Encrypt offered SSL certificates for free to owners of websites. It is a non-profit organization. Many companies, including Facebook, Google Chrome, and Mozilla, support their project.

Today, it is really easy to use SSL for your WordPress sites. Most web hosting companies now offer an SSL certificate for free for your WP website.

In case your web hosting doesn’t do this, you can buy it from The most reliable and best SSL deal will be found there. They come with a security warranty of USD 10,000 and also a security seal of TrustLogo.

WordPress Security Apt for DIY Users

If you’re doing all the above-mentioned things, then you are doing well.

But, there’s always more that can be done by you to strengthen your WP security.

You may need to know how to code for a few of the steps.

Changing Username of the Default “admin”

Previously, ‘admin’ was the default WP admin username. Since usernames make up half of the login credentials, this made brute-force attacks simpler for hackers.

Fortunately, WP has changed since then. Today, you need a customized username to be selected if you wish to install WordPress.

But a few WordPress one-click installers still keep ‘admin’ as the default username. If you come across this scenario, you had better change your hosting provider.

WP, by default, doesn’t permit you to make changes to the usernames. There are 3 steps involved in doing this change.

  • Erase the old username after creating the new username.
  • Use the plugin for Username changer.
  • Update the phpMyAdmin username.

Please note: Here, we are not talking about the role of the administrator but about the “admin” username.

Disabling File Editing

WP has a built-in editor that lets you edit your plugin and theme files from your WP admin area. In the wrong hands, this feature becomes a security risk. Hence we suggest turning it off.

On the other hand, you could get this done by clicking on the feature of hardening. You will find this in the Sucuri plugin, which is free.

Disabling Execution of PHP File in Particular WordPress Directories

One more way of strengthening the security of your WordPress is by getting the execution of PHP file disabled in directories where it isn’t required, like /wp-content/uploads/.

To get more explanation in detail, check our guide that explains: how to stop the execution of PHP in WordPress directories.

You could also do this by just clicking once, the feature ‘Hardening’. This could be found in Sucuri’s free plugin.

Limit Attempts of Login

By default, WP lets users try to log in as many times as they wish. This leaves your WP website vulnerable to brute-force attacks, in which attackers try to crack passwords by logging in with different password combinations until one works.

You can fix this easily by limiting the number of failed login attempts a user can make. If you are using the firewall, this is handled automatically.

But, in case there is no firewall setup, please follow the below-mentioned steps:

First, install and activate the Login LockDown plugin. If you need help with this, please check our detailed guide on how to install a WP plugin.

After activating the plugin, go to Settings, then the Login LockDown page, to set the plugin up.


Check out our post on why and how to limit attempts of login in WP for more detailed information.

Add 2-Factor Authentication

The 2-factor authentication technique requires users to log in using a 2-step authentication process.

The first step involves the user id and the password, while the second one needs you to use a separate app or device to authenticate.

Many top online sites like Facebook, Google, and Twitter let you enable this for your account. The same functionality can also be added to your WP site.

You have to first get the plugin for 2-factor authentication installed and activated. After the plugin is activated, you have to click the link ‘Two Factor Auth’. You will find this in the WP admin sidebar.


After this, you are required to get an authenticator app installed and opened on your device. There are many authenticator apps available on the market. Some of these are Authy, LastPass Authenticator, and Google Authenticator.

We suggest you use Authy or LastPass Authenticator. We are suggesting these two because both of them allow your accounts to be backed up on the cloud. This comes in very handy, especially if you lose your phone, reset it, or purchase a new one. It will help restore each and every account login of yours easily.

In the tutorial, we will use the LastPass Authenticator. But, for all authenticator apps, the instructions are the same. Go to the authenticator app and open it. Then click the button ‘Add’ and add the website.

It will ask whether you wish to enter the site manually or scan the bar code. Choose the option for scanning the bar code. Then point the camera of your phone at the QR code shown on the settings page of the plugin.

That’s it. The authenticator app will save it now. When you log into your site the next time, after you feed in your password, it will ask you to enter the 2-factor authentication code.


Just get the authenticator app opened on the phone and then feed in the code that is seen on it.
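How the code from the authenticator app gets checked, as an added example that is not part of the original article or of any plugin's code: the QR code carries a shared secret, and both the app and the site derive the current code from it with TOTP (RFC 6238). The SHA-1, 30-second and 6-digit settings are the common defaults and are assumptions here; the secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code (assumed default)
DIGITS = 6   # code length (assumed default)

# Published RFC 6238 test key, base32-encoded the way a QR code carries it.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(key, counter):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def decode_secret(secret_b32):
    """Accept the secret as typed by hand: spaces, lower case, no padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32, at=None):
    """Code the authenticator app shows at Unix time `at` (default: now)."""
    now = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(now // STEP))


def verify_totp(secret_b32, submitted, at=None, drift=1, last_used=None):
    """Server-side check.

    Accepts codes from `drift` steps either side of the current one to allow
    for clock skew. Returns the matching time-step counter, or None. Pass the
    previously returned counter as `last_used` so a code that was already
    accepted cannot be replayed inside its validity window.
    """
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return None
    key = decode_secret(secret_b32)
    now = time.time() if at is None else at
    current = int(now // STEP)
    accepted = None
    for counter in range(max(0, current - drift), current + drift + 1):
        # Constant-time comparison; every candidate step is always evaluated.
        matches = hmac.compare_digest(hotp(key, counter), submitted)
        if matches and (last_used is None or counter > last_used):
            accepted = counter
    return accepted


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET)
    print("current code:", code)
    print("accepted at step:", verify_totp(RFC_TEST_SECRET, code))
```

Because the secret alone is enough to generate valid codes, the cloud backup of an authenticator app needs the same protection as a password vault.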

Changing Prefix of WordPress Database

By default, WordPress uses wp_ as the prefix for all the tables in your WP database. If your WP website uses the default database prefix, hackers find it easier to guess your table names. Hence we suggest changing it.

The database prefix can be changed by you by going through our detailed guide. It will tell you how you could change your WP database prefix in order to get your security improved.

Please note that this could lead to harming your website if you do not do it properly. Proceed further only if you are comfortable with coding.

Protecting WP-Admin & Login Page through Password

Usually, hackers could request your login page and wp-admin folder without restriction. This lets them try their tricks of hacking or run DDoS attacks.

On the server-side level, you could add extra password protection. This will help in blocking those requests effectively.

Follow our detailed instructions that tell you how to get your WordPress admin directory password protected.

Disabling Directory Indexing & Browsing

Hackers can use directory browsing to find out whether you have any files with known vulnerabilities, and then use those files to gain access.

Other users could also use the directory browsing for checking your files, copying images, finding out the structure of your directory, and much other information. Hence, it is very much needed to switch off the directory browsing and indexing.

You have to get connected to your site using cPanel or FTP File Manager. After that, go to your site’s root directory to search the .htaccess file. If you are unable to find it there, please check our guide that explains the reason why you are unable to see it in WordPress.

Next, add the following line at the end of the .htaccess file:

Options -Indexes

Please remember to save the .htaccess file and upload it again on your website. If you need more information related to this, check our article that explains disabling directory browsing in WP.
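To confirm that the hardening steps from the sections on file editing, PHP in the uploads directory, the database prefix and directory browsing are actually in place, a site owner can audit the files on disk. The script below is an added example, not code from the original article or from any plugin. It assumes a standard WordPress layout, uses the WordPress `DISALLOW_FILE_EDIT` constant to recognise a disabled editor, and builds its own constructed sample site so it runs anywhere.

```python
import re
import tempfile
from pathlib import Path

# File types a web server commonly hands to the PHP interpreter.
PHP_SUFFIXES = {".php", ".phtml", ".phar"}

EDITOR_OFF = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
TABLE_PREFIX = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")
NO_INDEXES = re.compile(r"Options\s+(.*\s)?-Indexes\b", re.I)


def active_lines(path, comment_marks):
    """Non-empty lines of `path` that are not whole-line comments."""
    if not path.is_file():
        return []
    lines = (ln.strip() for ln in path.read_text(errors="replace").splitlines())
    return [ln for ln in lines if ln and not ln.startswith(comment_marks)]


def audit_wordpress(root):
    """Return a list of findings for the WordPress tree at `root`."""
    root = Path(root)
    findings = []

    config = active_lines(root / "wp-config.php", ("//", "#", "/*", "*"))
    if not any(EDITOR_OFF.search(ln) for ln in config):
        findings.append("file-editor-enabled")
    prefixes = [m.group(1) for ln in config for m in [TABLE_PREFIX.search(ln)] if m]
    if "wp_" in prefixes:
        findings.append("default-table-prefix")

    htaccess = active_lines(root / ".htaccess", ("#",))
    if not any(NO_INDEXES.match(ln) for ln in htaccess):
        findings.append("directory-listing-not-disabled")

    # Uploads should hold media only; a PHP file here is a classic backdoor sign.
    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():
        for path in sorted(uploads.rglob("*")):
            if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
                findings.append("php-in-uploads:" + path.relative_to(root).as_posix())
    return findings


def build_sample_site(root, hardened):
    """Create a small constructed WordPress-like tree (not a real site)."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads" / "2021" / "05"
    uploads.mkdir(parents=True)
    (uploads / "logo.png").write_bytes(b"constructed sample image bytes")
    if hardened:
        (root / "wp-config.php").write_text(
            "<?php\n$table_prefix = 'x7k2_';\n"
            "define( 'DISALLOW_FILE_EDIT', true );\n")
        (root / ".htaccess").write_text("# BEGIN WordPress\nOptions -Indexes\n")
    else:
        # Commented-out settings must not count as applied.
        (root / "wp-config.php").write_text(
            "<?php\n$table_prefix = 'wp_';\n"
            "// define( 'DISALLOW_FILE_EDIT', true );\n")
        (root / ".htaccess").write_text("# Options -Indexes\n")
        (uploads / "cache.php").write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hardened in (("weak", False), ("hardened", True)):
            site = build_sample_site(Path(tmp) / name, hardened)
            print(name, audit_wordpress(site))
```

The audit only reads files; it does not tell you whether the web server honours .htaccess, so confirm directory listing is off by requesting a folder URL in a browser as well.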

Disabling XML-RPC in WP

WordPress 3.5 has XML-RPC by default enabled in it. This is because it facilitates the integration of your WP site with web & mobile applications.

Being powerful in nature, XML-RPC can significantly amplify brute-force attacks. For example, if a hacker traditionally wanted to try 50 different passwords on the site, they would need to make 50 separate login attempts. These attempts could get caught and then blocked by the login lockdown plugin.

However, with XML-RPC, by using the ‘system.multicall’ function, a hacker could try thousands of passwords with around 20-50 requests.

Hence, if you are not using XML-RPC, we suggest you disable it.

You can disable XML-RPC in WordPress in three ways. We have covered them in our detailed tutorial on how to disable XML-RPC in WP.

Tip: The best technique is the .htaccess one, because it is the least resource intensive.

If using the previously mentioned web-application firewall, then this will be handled by the firewall.
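Both the login-limiting section and the XML-RPC section above come down to spotting repeated POST requests from one address, so one detector can serve both. The following is an added example, not code from the original article: it reads web server access logs in the common combined format and flags clients that exceed a per-endpoint limit inside a sliding time window. The thresholds and the log lines are constructed for illustration; the limit for xmlrpc.php is set lower because, as described above, a single request there can carry many password guesses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# POSTs allowed per client inside one window (assumed values, tune per site).
THRESHOLDS = {"/wp-login.php": 5, "/xmlrpc.php": 3}


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def find_bruteforce(lines, thresholds=THRESHOLDS, window=timedelta(minutes=1)):
    """Map (ip, path) to the peak POST count per window, if over threshold."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path in thresholds:
            hits[(ip, path)].append(ts)

    flagged = {}
    for (ip, path), stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= thresholds[path]:
            flagged[(ip, path)] = peak
    return flagged


def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    base = datetime(2021, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" '
                f'{status} 512 "-" "constructed-agent"')

    lines = [line("203.0.113.7", i * 4, "POST", "/wp-login.php", 200)
             for i in range(8)]
    lines += [line("198.51.100.23", i * 10, "POST", "/xmlrpc.php", 200)
              for i in range(4)]
    lines += [line("192.0.2.50", 0, "GET", "/wp-login.php", 200),
              line("192.0.2.50", 5, "POST", "/wp-login.php", 302),
              line("192.0.2.50", 300, "POST", "/xmlrpc.php", 200)]
    return lines


if __name__ == "__main__":
    for (ip, path), count in find_bruteforce(sample_log()).items():
        print(f"{ip} sent {count} POSTs to {path} within one minute")
```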

Logout Automatically Idle Users in WP

Users that are logged in could wander away sometimes from their screen. This could be seen as a type of security risk. Their session could get hijacked by someone, or someone could change their passwords or have changes made to their account.

Due to this, many financial and banking websites make sure to log out a user automatically who is inactive. Similar functionality could be implemented on your WP website also. For this to happen, you will have to get the plugin for Inactive Logout installed and activated. After the activation is done, you will need to go to Settings, then the Inactive Logout page. This will help you in configuring the plugin settings.

You just need to have the duration of the time set and make sure to get the logout message added. Do remember to click and save the changes by clicking the save button. By doing so, you will be able to have your settings stored.

Adding Security Questions to WP Login Screen

Adding a security question to your WP login screen makes it even harder for anyone to gain unauthorized access.

The security question can be added by you by installing the plugin for WordPress security questions. After activating it, you will need to go to Settings, then the Security Questions page. By doing so, you will be able to have the settings of the plugin configured.

If you are looking for more in-depth instructions, check our tutorial that explains how you could have security questions added to your WP login screen.

Scanning WP to Check for Malware & Vulnerabilities

If the plugin for WordPress security has been installed, then these plugins will regularly check for any malware and for signs related to security breaches.

But, if there is a drop in the site traffic all of a sudden, or if there is a drop in search rankings, running the scan manually would be the right thing for you to do. You could use your WP security plugin, or you could use any one of the security and malware scanners.

It is very simple to run online scans. You need to enter the URL of your site. After that, their crawlers will scan your site to search for any known malicious code and malware.

Remember that many security scanners of WordPress can only help in scanning your site. They are unable to do away with the malicious files or clean the WordPress site that has been hacked.

This gets us to our next section, which is to do with cleaning malware and hacked WP websites.

DDoS Protection

DDoS is a kind of DoS attack in which multiple systems are used to target a single system, causing a Denial of Service (DoS). DDoS attacks have been around for a very long time; Britannica states that the first documented case was around the beginning of 2000. Attacks of this kind do not normally harm your website, but they will take it down for a few hours or days.

How can you protect yourself from such attacks? We recommend that you try using the security service of a reputed third party like Sucuri or Cloudflare. Investing in the premium plans of these security service providers will make sense if you own a business.

If Kinsta is what you are hosted on, you will not have to bother about getting the DDoS protection setup by yourself. All their plans come with a Cloudflare integration that is free and built-in DDoS protection.

Sucuri and Cloudflare DDoS Protection

The DDoS protection provided by them is advanced. It comes in handy for mitigating all kinds and sizes of DDoS attacks, including those targeting the ICMP and UDP protocols, and also the SYN/ACK, Layer 7 and DNS amplification attacks. Some of their other benefits are putting you at the back of a proxy that helps in hiding your source IP (Internet Protocol) address, although it isn’t bulletproof.

Take the time to read our case study on how to stop a DDoS attack. One of our clients had a small ecommerce website running Easy Digital Downloads that received more than 5 million requests to a single page within seven days.

Typically this website generated only around 30 to 40 MB of bandwidth per day and a few hundred visitors each day. All of a sudden, the website went to around 15 to 19 GB of data transfer per day, an increase of about 4,660 per cent. Google Analytics showed no extra traffic, which is a bad sign.

This client implemented the Sucuri web application firewall on their website. After that, all the requests and bandwidth on the website dropped, and there have been no more such issues since. From this example’s point of view, investing in such third-party security service providers is worth the money and time.

Prevent Hotlinking

Hotlinking is quite simple. Say you come across a picture somewhere on the net, and you use its URL on your website directly. This image or picture will be visible on your site. However, it’ll be served or provided from its original location. In reality, this is a kind of theft as the bandwidth of the hotlinked site is being used here. You may think this is a small issue and may try to ignore it. But this could lead to extra costs.

Getting a Hacked WP Website Fixed

Most WordPress users are not aware of the significance of website security and backups until their site gets hacked.

It can really get very difficult to clean a WP website. Also, it would consume a lot of your time in doing so. Our initial advice to you is to allow a professional to handle this for you.

Backdoors are installed by hackers on affected websites. And, if you do not fix these backdoors properly, your site will surely get hacked once again.

When you let a security company that is professional like Sucuri fix your site, they will make sure that your website is safe to use again. You will also be protected by it from any attacks in the future.


An important part of a website that cannot be ignored is WordPress security. If you fail to protect your WordPress site, then get ready to be attacked by hackers. Your website’s security maintenance is not rocket science. You can do it without even spending a single penny from your pocket. You can also check our article on SFTP vs. FTPS: Secure File Transfer Protocols Explained
