February 4, 2020 by Editor

Ultimate WordPress Security Guide: Step-by-step Guide to Hardening Your Website in 2020

Every 60 seconds, about 91,000 WordPress websites are hacked, according to WordFence. That is no surprise, considering an August 2019 study of 40,000 WordPress sites from the Alexa top 1 million showed 73.2% had security flaws. Even novice WordPress hackers can use basic, automated tools to exploit WordPress security vulnerabilities on your website within seconds.

So you are smart to want to know how to secure your WordPress site from hackers. You have also probably wondered which are the best WordPress website security plugins in 2020. What if you had a complete WordPress security checklist to work with? What if you knew which WordPress security vulnerabilities to counter in advance?

WordPress Security – Why You Should Secure Your WordPress Website

Now get this: in 2018, WordPress accounted for 90% of all hacked content management systems on the web. About 67% of them had backdoors, and 50% were vulnerable to SEO spam. Sites with online stores were particularly attractive to fraudsters.

Credit: Sucuri

So securing your WordPress site can help protect your users, reputation, and revenue. Also, 85% of online shoppers avoid unsecured sites. So you need to harden your WordPress site to secure your customers' details and, in turn, attract, convert, and retain them. Search engines are also penalizing unsecured websites with poor rankings, which can mean losing your audience and source of income. Identified ransomware cases in 2019 hit an all-time high, so without counter-action, 2020 could see even more attempted and successful ransomware attacks.
Still, recovering from a WordPress security breach is often a costly, lengthy, and hair-pulling chaos that many webmasters never really recover from. Google also detects and blocks close to 40,000 malware and phishing sites every week. And you don't want to go under in disgrace now, do you?

Credit: Google

In this WordPress security guide, you'll learn what to do to secure your website, whether you are a seasoned WordPress user or just starting out. No coding experience necessary. And no technical jargon, either (we hate it too).

How to Secure Your WordPress Website in 2020: Preview

We've broken the guide into four sections:

- Top WordPress Security Vulnerabilities Right Now
- How to Secure WordPress: Basics
- How to Secure WordPress: Core Protection
- How to Secure WordPress: Advanced Protection

In each section, we'll recommend the best WordPress security plugins, third-party tools, and more resources to make your work much easier and consistently top-notch. Of course, too many options can be a bad thing, so we'll not recommend more than three plugins for the same job. Furthermore, too many plugins can slow your WordPress site down because of all the scripts that have to be read in advance. That would be bad for your SEO. Remember, search engines penalize slow sites by dropping them down the search engine result pages (SERPs) to where there's much less traffic, and hence fewer page views, clicks, and revenue.

And with that, here are the absolute must-do WordPress security tips, organized in an ultimate WordPress security guide for 2020.
Top WordPress Security Vulnerabilities Right Now

Carrying over from 2019, the most common WordPress security vulnerabilities include:

- Unsecure or stolen passwords are the leading cause of successful attacks, at 81% (Panda Security)
- Guarding against brute force attacks and WordPress plugin vulnerabilities can lower your risk of attack by 70% (WordFence)
- A poorly configured S3 bucket leaked over 70 million records to intelligence-gathering hackers
- Ransomware increased exponentially in 2019
- Security vulnerabilities in the WordPress hosting service and the WordPress plugins used accounted for 51% of attacks (WP White Security)
- "Admin", "admin", "test", "root", and "administrator" are the top usernames attacked (WPSmackDown)
- SQL injection attacks give attackers unwarranted access to your WordPress database
- A shocking number of people use outdated WordPress versions, with only 34.5% running WordPress 5.3 right now

Credit: WordPress

So, how can you protect your WordPress site in 2020?

How to Secure Your WordPress Website – Basics

Here are simple, actionable steps to harden your WordPress site that you can implement right away.

1. Use the Latest Version of WordPress, Themes, and Plugins

The most up-to-date WPScan Vulnerability Database shows that the known WordPress security vulnerabilities are logged against WordPress 4.0 and earlier versions. By simply updating your WordPress site to version 5.3 immediately, you can protect yourself hassle-free.

WordPress version 3.8.1 has the most vulnerabilities

And did you know that as many as 60% of WordPress attacks can be traced back to a vulnerable plugin?

Sources: WordFence

The database also shows the top 5 WordPress plugins with vulnerabilities, all having more than 17 known vulnerabilities:

And then it goes on to list the top 10 WordPress themes with the most security vulnerabilities, as follows:

Not even the latest WordPress version is secure. But the latest WordPress security patches help protect proactive webmasters.
Be sure to download the latest WordPress updates, avoid compromised plugins, and change vulnerable WordPress themes.

2. Add Two-Factor Authentication for WordPress Security

Activating 2-step authentication on your site helps you curb backdoor attacks, brute-force login attempts, pharma attacks, and malicious redirects. It should be one of the first lines of defense you use to harden your WordPress site.

2-step authentication works by having your site require a second login method. In most cases, after you enter your WordPress username and password on the login page, you'll need your phone to receive a secret PIN by text or call (the PIN is read out to you), to generate a time-based one-time password (OTP), or to scan a code. It's effective because a hacker will rarely have access to your username, your password, and your 2-factor authentication PIN at the same time.

Here's a quick video showing you how to set it up quickly:

The Google Authenticator plugin for WordPress is a great tool for starters. Here's how to activate WordPress 2-step authentication with Google Authenticator. Top Google Authenticator alternatives include MiniOrange OTP Authenticator for WordPress and Two Factor Authentication. If you are already using a WordPress security plugin such as WordFence or LastPass, there is a Cellphone Sign-in or LastPass Authenticator option, respectively.

3. Use Clever Usernames and Strong Passwords

The best usernames and passwords don't have to be so complicated that you end up losing or forgetting them altogether.

- Use longer passwords
- Mix special characters, numbers, and letters to make them less obvious
- Use an email ID to log in rather than a username
- Use a top password manager in 2020, such as DashLane, LastPass, or 1Password

What next?

4. Change the Default Admin Username

Replace the default "admin" WordPress username with something more unique and less predictable.

Source: SiteGround

Wondering how to change the admin username in WordPress?
SiteGround, a top WordPress hosting service, offers a simple, do-it-yourself guide for a secure switch. But you can do it manually and easily by going to Users >> Add New. After creating a solid password and a new username, set the role to Administrator. Then click on Add New User. Afterwards, assign all content and lead permissions to the new admin account and delete the old account.

5. Invest in Secure WordPress Hosting

Vulnerable hosting services are among the top three causes of hacks. Shared WordPress hosting is especially concerning compared to managed WordPress hosting. That is because a hacker can attack your site from another site with which you share the web server and other common resources. Still, investing in a high-quality hosting company such as SiteGround or Bluehost can help you secure your site whichever hosting option you pick.

6. Use the Best WordPress Security Plugins

Next, ensure you have an always-on monitoring and system auditing plugin to catch what you may not. Using a top WordPress security plugin such as iThemes Security (formerly Better WP Security), Sucuri Security, or WebARX will help you with, among other things:

- Notifications of failed login attempts
- A website firewall
- Hiding your WordPress version number
- Monitoring file integrity
- Scanning for malware

The best tend to be all-in-one WordPress security plugins, so you don't have to use multiple tools from different providers and slow your site down.

7. Remove the WordPress Version Number

When a hacker knows the WordPress version you are using upfront, they can prepare and direct an attack based on the vulnerabilities they have discovered that version to have. When the version number is hidden, they have to keep guessing. You can do this manually, including removing the number from RSS feeds, by adding a function to your functions.php file:

But we did promise a less techy approach. So look into your installed WordPress security plugin, because they easily remove WordPress version numbers.

8.
Log Out Idle Users

If a passerby gains access to an open wp-admin panel, they can change the user account and even have the means to launch a site-wide attack. So do use a tool such as the Inactive Logout plugin or the BulletProof Security plugin to simply and automatically log out idle WordPress users. Once you've installed either, head over to Settings to activate it.

How to Secure Your WordPress Website – Core Protections

9. Add User Accounts With Care

As your WordPress site grows, you'll have to extend access and privileges to others, such as your:

- Administrator
- Editor
- SEO manager
- Guest poster
- Subscriber
- Author

Use a WordPress security plugin such as Force Strong Passwords to ensure everyone uses solid passwords to secure the admin panel. Do also sensitize everyone to the importance of doing due diligence when logging in and using their website permissions.

10. Add Security Questions to the WordPress Login Screen

Credit: WPBeginner

Under Settings >> Security Questions, you can add, replace, or remove custom security questions on the WordPress login screen to add a layer of protection to your website. Wondering how already? Watch this quick video to find out:

11. Use SSL to Encrypt Data

The Secure Sockets Layer protocol helps encrypt data transferred between your users' browsers and your website. You know your site is SSL active when it shows a small, green padlock icon to the left of your domain name in the address bar. That means it has changed from the more vulnerable HTTP protocol to the much more secure HTTPS protocol. You can now grab a free SSL certificate from many web hosting services such as Kinsta, which also offers TLS certificates. Check out the differences between TLS and SSL certificates here. On the same note, if you do get a choice between SFTP and FTP, always opt for SFTP.

12. Change the WordPress Database Prefix

The default WordPress table prefix is wp_, and it makes a site vulnerable to SQL injection attacks.
Consider changing the prefix to, say, mywp_ or newwp_ when installing WordPress, right from the beginning.

Credit: WebsiteSetUp

Log in to your hosting account and access cPanel. Go to File Manager >> WordPress Directory >> wp-config.php. The table prefix will appear like this:

$table_prefix = 'egwp_7676_';

Then exit the File Manager. Follow up by accessing the phpMyAdmin area to change all the table prefixes, about 11 in total, so it is quite a hands-on process. If you can input an SQL query in the SQL tab, it might be a bit easier and faster. How? By inputting this:

Credit: WebsiteSetUp

Then run another SQL query just to be sure everything is revamped to the new prefix. Ensure you use a mix of numbers and letters to make it truly unique.

Feel like the manual route isn't for you? Or have you already installed WordPress and skipped this step? Use a top WordPress database plugin such as iThemes Security or WP-DBManager to change your WordPress database prefix.

13. Use Strong Passwords for Your Hosting and Server Accounts

Like your WordPress login page password, ensure you safeguard the core of your website with a strong password. If you are already using LastPass as your favorite WordPress password manager, you can also use it to generate strong passwords and save them automatically, so you don't have to remember them to use them in the future. If you want to eliminate the need for a password when logging into a server, use SSH keys.

14. Disable File Editing in the WordPress Dashboard

Hackers can take advantage of wide-open file-editing permissions to take over or change how your site works without your knowledge. You may have to insert a bit of code to implement this. But if you already use the Sucuri WordPress security plugin, it can do it for you when you activate the procedure under its Hardening feature. If you are okay with a bit of code work, then insert the following code to disable the editor under Dashboard >> Appearance:

Locate where to place it here:

Credit: WPBeginner

And then there are more advanced ways to secure your WordPress site.
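The SQL that section 12 refers to is not reproduced on this page. What follows is an added example, not the article's or WebsiteSetUp's code: a PHP command-line script that does the whole prefix change in one go, including the two places WordPress stores the prefix inside row data (the user_roles option and the per-user capability meta keys), which a plain RENAME TABLE leaves behind and which then locks every administrator out. The connection details and both prefixes are placeholders.

```php
<?php
// Added example, not code from the article or from WebsiteSetUp: rename every
// table that carries the old prefix and fix the two places where WordPress
// stores the prefix inside row data. Run it from the command line after taking
// a full database backup; the connection details and prefixes are placeholders.
// Afterwards, set $table_prefix in wp-config.php to the new value.

$dbHost    = 'localhost';
$dbName    = 'wordpress';
$dbUser    = 'wp_user';
$dbPass    = 'CHANGE-ME';
$oldPrefix = 'wp_';
$newPrefix = 'egwp_7676_';   // letters and digits mixed, as the article advises

// Prefixes end up inside backtick-quoted identifiers, so allow only safe characters.
foreach ([$oldPrefix, $newPrefix] as $prefix) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        fwrite(STDERR, "Refusing prefix '$prefix': only letters, digits and _ are allowed.\n");
        exit(1);
    }
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any SQL error
$db = new mysqli($dbHost, $dbUser, $dbPass, $dbName);

// 1. List the tables that start with the old prefix. '_' is a LIKE wildcard,
//    so it is escaped; otherwise 'wp_' would also match a table named 'wpx...'.
$likeOld = str_replace('_', '\\_', $oldPrefix) . '%';
$result  = $db->query("SHOW TABLES LIKE '" . $db->real_escape_string($likeOld) . "'");
$tables  = array_column($result->fetch_all(MYSQLI_NUM), 0);
if ($tables === []) {
    fwrite(STDERR, "No tables found with prefix '$oldPrefix'.\n");
    exit(1);
}

// 2. One RENAME TABLE statement for all of them: MySQL performs it atomically,
//    so a failure leaves every table under its old name.
$pairs = [];
foreach ($tables as $table) {
    $pairs[] = sprintf('`%s` TO `%s`', $table, $newPrefix . substr($table, strlen($oldPrefix)));
}
$db->query('RENAME TABLE ' . implode(', ', $pairs));

// 3. The role definitions live in the options table under '<prefix>user_roles'.
//    Only that row is touched: other option names that happen to start with
//    'wp_' (for example wp_page_for_privacy_policy) are not prefix-dependent.
$oldRoles = $oldPrefix . 'user_roles';
$newRoles = $newPrefix . 'user_roles';
$stmt = $db->prepare("UPDATE `{$newPrefix}options` SET option_name = ? WHERE option_name = ?");
$stmt->bind_param('ss', $newRoles, $oldRoles);
$stmt->execute();

// 4. Per-user capabilities and settings use meta keys such as '<prefix>capabilities'
//    and '<prefix>user_level'; every key with the old prefix is rewritten.
$offset = strlen($oldPrefix) + 1;    // SUBSTRING is 1-based
$stmt = $db->prepare(
    "UPDATE `{$newPrefix}usermeta` SET meta_key = CONCAT(?, SUBSTRING(meta_key, ?)) WHERE meta_key LIKE ?"
);
$stmt->bind_param('sis', $newPrefix, $offset, $likeOld);
$stmt->execute();

// 5. Verify: no usermeta key with the old prefix should remain.
$leftover = $db->query(
    "SELECT COUNT(*) FROM `{$newPrefix}usermeta` WHERE meta_key LIKE '" . $db->real_escape_string($likeOld) . "'"
)->fetch_row()[0];
printf("Renamed %d tables to prefix '%s'; %d stale usermeta keys remain.\n", count($tables), $newPrefix, $leftover);
```

Run it once with the site in maintenance mode, then edit $table_prefix in wp-config.php before taking the site live again; until both are done, WordPress will report that the database needs installing because it cannot find tables under the prefix it expects.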
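Neither the file-editing code from section 14 nor the include snippet from section 15 (below) survives on this page. The following added example, which is not the article's or Kinsta's code, shows both together: a stub wp-config.php that stays in the web root and loads the real configuration from a directory the web server never serves, and that real configuration file with the editor disabled and fresh keys. Every path and value is an assumption to adapt.

```php
<?php
// ---- /var/www/example.com/public/wp-config.php (the file WordPress actually loads) ----
// Added example, not the article's or Kinsta's snippet; all paths are assumptions.
// The real configuration lives one level above the web root, where the web
// server never serves it. Fail closed if it cannot be read.

if (!defined('ABSPATH')) {            // wp-load.php normally defines it already
    define('ABSPATH', __DIR__ . '/');
}
$secureConfig = dirname(__DIR__) . '/config/wp-config-secure.php';
if (!is_readable($secureConfig)) {
    http_response_code(503);
    exit('Site configuration is unavailable.');
}
require_once $secureConfig;

// ---- /var/www/example.com/config/wp-config-secure.php (outside the web root) ----
// This file also starts with an opening <?php tag. Set its permissions to 400
// (owner read-only), or 440 if the web server runs as a different user in the
// same group, as the article recommends.

define('DB_NAME',     'wordpress');
define('DB_USER',     'wp_user');
define('DB_PASSWORD', 'CHANGE-ME');
define('DB_HOST',     'localhost');
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');
$table_prefix = 'egwp_7676_';

// Fresh security keys and salts. Generate a new set at
// https://api.wordpress.org/secret-key/1.1/salt/ and paste it here whenever the
// site changes hands or is migrated; doing so logs every existing session out.
define('AUTH_KEY',         'replace with a unique phrase');
define('SECURE_AUTH_KEY',  'replace with a unique phrase');
define('LOGGED_IN_KEY',    'replace with a unique phrase');
define('NONCE_KEY',        'replace with a unique phrase');
define('AUTH_SALT',        'replace with a unique phrase');
define('SECURE_AUTH_SALT', 'replace with a unique phrase');
define('LOGGED_IN_SALT',   'replace with a unique phrase');
define('NONCE_SALT',       'replace with a unique phrase');

// Section 14: remove the theme and plugin code editors from the dashboard, so a
// stolen admin session cannot be turned into arbitrary PHP on the server.
define('DISALLOW_FILE_EDIT', true);
// Stricter option: also block installing or updating plugins and themes from the
// dashboard, leaving deployment to your own process. Left off here.
// define('DISALLOW_FILE_MODS', true);

// Section 11: keep the admin area on HTTPS once the site has a certificate.
define('FORCE_SSL_ADMIN', true);

// Hand over to WordPress. ABSPATH was defined by the stub in the web root.
require_once ABSPATH . 'wp-settings.php';
```

The stub fails with a 503 rather than running with no configuration, because a missing include would otherwise let WordPress offer its installer to whoever visits. DISALLOW_FILE_EDIT only hides the editors; it does not stop an attacker who already has file-system access, which is why the file permissions and the out-of-web-root location matter as much as the constant.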
WordPress Security – Advanced Protections

Some may require you to fiddle with one or two lines of code, but most won't, so read on.

15. Protect the wp-config.php File

Keep in mind that this is the most important file in your WordPress installation. How important is the wp-config.php file? It holds your WordPress database login information and security keys. The security keys handle the encryption of cookie information. That important.

With this one, you may have to do a bit of coding. Note: if you are not sure how to do it, ask your web hosting service or WordPress security provider to handle it for you, because it can crash your site if handled improperly. Still raring to go? Here's how to do it yourself:

Credit: Kinsta

- Move the file out of the web root by copying it to a directory that is not publicly served, then place the following snippet in the original wp-config.php file to include the new file.
- Create fresh WordPress security keys, especially after a migration or after buying a WordPress site from someone else. You can simply use the WordPress tool to create new random security keys.
- WordPress recommends setting the permissions of the WordPress files in the root directory to 400 or 440 instead of the default 640, which gives everyone permission to view and change files. Use your FTP client to do that.

Again, if you are not sure how, it is smart to ask your hosting provider for help.

16. Limit Login Attempts to Secure Your WordPress Website

The WordPress platform allows unlimited login attempts by default. But that setting can set you up for brute force compromises if a determined hacker directs one at your site. Modern hackers use programs that try combinations of passwords to log in. The easiest way to counter this is to use the best plugins for the job. Here are two options:

Login Lockdown plugin: records the timestamps and IP addresses of failed login attempts.
You decide and set the trigger number of failed attempts within the same IP range that prompts the plugin into action by disabling all login attempts from the detected range. Once installed, you can activate it under Dashboard >> Settings >> Login Lockdown.

Cerber Login Limit Attempts: you can do even more with Cerber, including setting up IP blacklists and whitelists and lockout durations, if you want to be more hands-on.

17. Disable XML-RPC in WordPress

Hackers exploit the system.multicall method to use a single request to execute multiple methods. It is meant to fool your login attempt monitor by passing multiple commands in just one HTTP request. Fewer requests mean your monitor may not go off and warn you before the hacker breaks in.

To disable XML-RPC, you first need to know if it's active on your site. For example, if you use Jetpack for WordPress, the plugin uses XML-RPC. Use the XML-RPC Validator; it'll return an error message if you don't have it. If you do, use the free Disable XML-RPC plugin. Or use Perfmatters to disable it and boost your WordPress site performance as well.

18. Add the Latest HTTP Security Headers

These are configured at the server level, so you may have to ask your host to do this for you. Or hire a dedicated WordPress security service you can trust. HTTP security headers tell the browser how to behave when interacting with your website content. There are a bunch of them, so use a tool like securityheaders.io to scan through and find which ones you have on your site.

Source: securityheaders.com

If you are not sure how implementing HTTP security headers will affect your site, do ask your hosting provider to intervene.

19. Prevent Hotlinking

Hotlinking can add hosting costs to your bills. That is when someone uses an image URL on your site to display the image directly on their site. That person would be using your bandwidth. The more people do that, the higher your bandwidth costs add up.
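To make concrete what the plugins in section 16 do, here is an added example, not the article's code and not the Login Lockdown or Cerber plugins: a small must-use plugin that counts failed logins per client address and refuses further attempts from that address for a lockout period once the limit is reached. The limit, window, and lockout length are assumptions; so is the use of REMOTE_ADDR, which is only correct when no reverse proxy or CDN sits in front of the site.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not code from the article or from the Login Lockdown or
 * Cerber plugins it describes. Save it as wp-content/mu-plugins/login-limiter.php;
 * must-use plugins load without activation. Counts failed logins per client
 * address in transients and refuses further attempts from that address for a
 * lockout period once the limit is reached. The limit and durations are
 * assumptions; tune them to your traffic.
 */

const LAL_MAX_FAILURES    = 5;   // failures allowed inside the window
const LAL_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS;
const LAL_LOCKOUT_SECONDS = 30 * MINUTE_IN_SECONDS;

function lal_client_ip(): string {
    // REMOTE_ADDR is the only address the server itself vouches for. Behind a
    // trusted proxy or CDN, read the proxy's real-IP header here instead.
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function lal_key(string $kind, string $ip): string {
    return 'lal_' . $kind . '_' . md5($ip);   // keeps transient names short
}

function lal_is_locked(string $ip): bool {
    return get_transient(lal_key('lock', $ip)) !== false;
}

// Fires for every wrong username/password pair, whether the attempt came via
// wp-login.php, XML-RPC or the REST API, since all of them call wp_authenticate().
function lal_record_failure($username): void {
    $ip = lal_client_ip();
    if (lal_is_locked($ip)) {
        return;                    // already locked; nothing more to count
    }
    $failures = (int) get_transient(lal_key('fail', $ip)) + 1;
    set_transient(lal_key('fail', $ip), $failures, LAL_WINDOW_SECONDS);

    if ($failures >= LAL_MAX_FAILURES) {
        set_transient(lal_key('lock', $ip), time(), LAL_LOCKOUT_SECONDS);
        delete_transient(lal_key('fail', $ip));
        // Leave a trace your monitoring plugin or log shipper can alert on.
        error_log(sprintf('login lockout: ip=%s last_username=%s', $ip, (string) $username));
    }
}
add_action('wp_login_failed', 'lal_record_failure');

// Runs after WordPress's own password check (priority 20), so a locked address
// gets an error even when the password was right.
function lal_refuse_locked($user, $username, $password) {
    if ($username === '' || $password === '') {
        return $user;              // empty form submission, not an attempt
    }
    if (lal_is_locked(lal_client_ip())) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts from your address. Try again later.')
        );
    }
    return $user;
}
add_filter('authenticate', 'lal_refuse_locked', 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function (): void {
    delete_transient(lal_key('fail', lal_client_ip()));
});
```

Transients are used rather than a custom table so the counters expire on their own; on a site with an object cache they live in memory, otherwise in the options table. Because the lockout is keyed by address, an attacker rotating through many addresses is slowed only per address, which is why this belongs alongside two-factor authentication rather than in place of it.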
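Sections 7, 17, and 18 each describe something the server should stop sending or start sending. As one added example that is not the article's code and not the Disable XML-RPC, Perfmatters, or security plugins it names, the must-use plugin below strips the version number from pages, feeds, and asset URLs, switches off XML-RPC's login-based methods and the system.multicall and pingback methods, and sends a baseline set of security headers from PHP for sites whose owners cannot change the web server configuration. The header values are assumptions to test on a staging copy first.

```php
<?php
/**
 * Plugin Name: Surface Reduction (added example)
 *
 * Added example, not code from the article or from the Disable XML-RPC,
 * Perfmatters or security plugins it names. Save it as
 * wp-content/mu-plugins/surface-reduction.php; must-use plugins load without
 * activation. Header values are assumptions to tune on a staging site.
 */

// ---- Section 7: stop advertising the WordPress version ----
remove_action('wp_head', 'wp_generator');              // <meta name="generator"> in pages
add_filter('the_generator', '__return_empty_string');  // <generator> element in RSS/Atom feeds

// Core scripts and styles carry ?ver=<WordPress version>; drop it. Cache
// busting then relies on your own asset versioning or a CDN purge.
function sr_strip_version_query($src) {
    return is_string($src) ? remove_query_arg('ver', $src) : $src;
}
add_filter('script_loader_src', 'sr_strip_version_query');
add_filter('style_loader_src', 'sr_strip_version_query');

// ---- Section 17: XML-RPC ----
// Turns off every method that requires a login, which is where password
// guessing through system.multicall happens. Delete this line if Jetpack or
// the mobile app must keep using XML-RPC.
add_filter('xmlrpc_enabled', '__return_false');

// pingback.ping needs no login, so it survives the filter above; it is removed
// here together with system.multicall as a second layer that also holds when
// XML-RPC has to stay enabled.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['system.multicall'], $methods['pingback.ping']);
    return $methods;
});

// ---- Section 18: HTTP security headers from PHP ----
// Useful when you cannot edit the web server or CDN configuration, which is
// otherwise the better place. Check the result with securityheaders.io.
add_action('send_headers', function (): void {
    if (headers_sent()) {
        return;
    }
    header('X-Content-Type-Options: nosniff');                  // no MIME sniffing
    header('X-Frame-Options: SAMEORIGIN');                      // no framing by other sites
    header('Referrer-Policy: strict-origin-when-cross-origin'); // limit URL leakage
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
    if (is_ssl()) {
        // Only meaningful on HTTPS; start with a short max-age and raise it
        // once every subdomain is known to work over TLS.
        header('Strict-Transport-Security: max-age=300; includeSubDomains');
    }
});
```

Hiding the version only removes a shortcut; a scanner can still fingerprint an installation from file hashes, so the update advice in section 1 remains the actual fix. A Content-Security-Policy header is deliberately absent: it has to be written per site from the scripts and embeds the theme and plugins load, and a generic one tends to break the page.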
To disable hotlinking in WordPress, go to WP Security >> Firewall >> Prevent Hotlink >> Prevent Image Hotlinking (check) >> Save Settings. And you are done. If you are using a content delivery network (CDN), use plugins such as Cloudflare, KeyCDN, or MaxCDN for that.

20. Apply DDoS Protection

Distributed Denial of Service (DDoS) attacks, while not directly destroying your site, are super frustrating when your end users can't access your site. It can keep you out of business. Literally.

Source: Cloudflare

Use Cloudflare to counter both simple and sophisticated DDoS attacks.

21. Use a Top WordPress Backup Plugin to Recover Your WordPress Website

Regularly backing up your site means you can restore it to a former working state in case something tricky happens. Use one of the best WordPress backup plugins, such as UpdraftPlus or VaultPress, for that. VaultPress also checks for malware and lets you know if something is off. Depending on how much your WordPress site changes, you can set it up to back up your site once a week, every couple of days, or daily.

WordPress Security – Are You Ready to Secure Your WordPress Website?

It is natural that WordPress sites are the number one target of hack attacks, considering around 35% of all websites are powered by it. WordPress holds over 60% of the content management system (CMS) market share as well. Perhaps even more interesting, WordPress dominates eCommerce as well, an online fraud magnet. Two of the most popular eCommerce plugins for WordPress are Easy Digital Downloads and WooCommerce.

A hacked website can mean a ruined reputation and business, insurmountable frustration, and huge financial losses for you. Use these tips to secure your WordPress website.