Every 60 seconds, about 91,000 WordPress websites are hacked, according to WordFence. It is not a wonder considering an August 2019 study on 40,000 Alexa top 1 million WordPress sites showed 73.2% had security flaws. Even novice WordPress hackers could use basic, automated tools to exploit WordPress website security vulnerabilities on your website within seconds.
So, you are smart to want to know how to secure your WordPress site from hackers. You’ve also probably wondered which are the best WordPress website security plugins in 2021.
What if you had a complete WordPress security checklist to work with?
What if you knew which WordPress security vulnerabilities to counter in advance?
WordPress Security – Why You Should Secure Your WordPress Website
Now get this:
About 67% of them had backdoors, and 50% were vulnerable to SEO spam. Sites with online stores were particularly attractive to fraudsters.
So securing your WordPress site can help protect your users, reputation, and revenue.
Also, 85% of online shoppers avoid unsecured sites. So you need to harden your WordPress site to assure and secure your customers’ details and, in turn, attract, convert, and retain them.
Yet, search engines are penalizing unsecured websites site with poor rankings, which can mean losing your audience and source of income.
Identified, ransomware cases in 2019 hit an all-time-high-record, so without counter-action 2020 could see even more attempted and successful ransomware threats.
Still, recovering from a WordPress security breach is often a costly, lengthy, and hair-pulling chaos many webmasters never really recover from.
Google also detects and blocks close to 40,000 malware and phishing sites every week. And you don’t want to go under in disgrace now, do you?
In this WordPress security guide, you’ll learn what to do to secure your website, whether you are a seasoned WordPress user or just starting out.
No coding experience necessary. And no technical jargon, either (we hate it too).
How to Secure Your WordPress Website in 2021: Preview
We’ve broken the guide into four sections:
- Top WordPress Security Vulnerabilities Right Now
- How to Secure WordPress: Basics
- How to Secure WordPress: Core Protection
- How to Secure WordPress: Advanced Protection
In each section, we’ll recommend the best WordPress security plugins, third-party tools, and more resources to make your work much easier and consistently top-notch.
Of course, too many options can be a bad thing, so we’ll not recommend more than three plugins for the same job.
Furthermore, too many plugins can slow your WordPress site down because of all the scripts that have to be read in advance.
That would be bad for your SEO. Remember, search engines penalize slow sites by dropping them down search engine result pages (SERPs) where there’s much less traffic, hence page views, clicks, and revenue.
And with that, here are the absolute must-do WordPress security tips organized in an ultimate WordPress security guide for 2021.
Top WordPress Security Vulnerabilities Right Now
Carrying over from 2019, the most common WordPress security vulnerabilities include:
- Unsecure or stolen passwords are the leading cause of successful attacks at 81% (Panda Security)
- Guarding against brute force attacks and WordPress plugin vulnerabilities can lower your risk of attack by 70% (WordFence)
- Poorly configured S3 bucket leaked over 70 million records to intelligence-gathering hackers
- Ransomware increased exponentially in 2019
- Security vulnerabilities in the WordPress hosting service and WordPress plugin used accounted for 51% of attacks (WP White Security)
- “Admin”, “admin”, “test”, “root”, and “administrator” are the top usernames attacked (WPSmackDown)
- SQL injections happen when unwarranted access to your WordPress database happens
- A shocking number of people use outdated WordPress versions, with only 34.5% running WordPress 5.3 right now
So, how can you protect your WordPress site in 2020?
How to Secure Your WordPress Website-Basics
Here are simple, actionable steps to harden your WordPress site that you can implement right away.
1. Use the Latest Version of WordPress, Themes, and Plugins
Also, the most up-to-date WPScan Vulnerability Database shows the known WordPress security vulnerabilities are logged in WordPress 4.0 and earlier versions.
By simply updating your WordPress site to version 5.3 immediately, you can protect yourself hassle-free.
WordPress version 3.8.1 has the most vulnerabilities
And did you know that as many as 60% of WordPress attacks can be traced back to a vulnerable plugin?
The database also shows the top 5 WordPress plugins with vulnerabilities, all having more than 17 known vulnerabilities:
And then it goes on to indicate the top 10 WordPress themes with the most security vulnerabilities as follows:
2. Add Two-Factor Authentication for WordPress security
Activating 2-step authentication on your site empowers you to curb backdoor attacks, brute-force login attempts, pharma attacks, and malicious redirects.
It should be one of the first lines of defense you use to harden your WordPress site.
How 2-step authentication works are by having your site require a seconding login method.
In most cases, you’ll need to set up your phone to receive a secret pin or call (the pin is read out to you), a time-based one-time password (OTP), or scanning a code after you enter your WordPress username and password on the login page.
It’s effective because a hacker will rarely have access to your username, password, and 2-factor authentication pin at the same time.
Here’s a quick video showing you how to set it up quickly:
The Google Authenticator plugin for WordPress is a great tool for starters. Here’s how to activate WordPress 2-step authentication with Google Authenticator?
If you are already using a WordPress security plugin such as WordFence or LastPass, there is a Cellphone Sign-in or LastPass Authenticator option, respectively.
3. Use Clever Usernames and Strong Passwords
The best usernames and passwords don’t have to be so complicated that you end up losing or forgetting them altogether.
- Use longer passwords
- Mix special characters, numbers, and letters to make it less obvious
- Use an email ID to log in rather than a username
- Use a top password manager in 2020, such as DashLane, LastPass, and 1Password.
4. Change the Default Admin Username
Replace the default “admin” WordPress username to something more unique and less predictable.
Wondering how to change the admin username in WordPress?
But you can do it manual and easy by going to Users >> Add New. After creating a solid password and new username, set the role to Administrator.
Then click on Add New User.
After, assign all content and lead permissions to the new admin account and delete the old account.
5. Invest in Secure WordPress Hosting
Vulnerable hosting services are in the top-three causes of hacks.
Shared WordPress services are especially concerning compared to managed WordPress hosting.
That is so because a hacker can attack your site from a site with which you share the web server and other common resources.
6. Use the Best WordPress Security Plugins
Next, ensure you have an always-on monitoring and system auditing plugin to catch what you may not.
- Notify you of failed login attempts
- Website firewall
- Hide your WordPress version number
- Monitor file integrity
- Scan for malware
The best tend to be all-in-one WordPress security plugins for WordPress sites, so you don’t have to use multiple tools from different providers and slow your site down.
7. Remove the WordPress Version Number
When a hacker knows the WordPress version you are using upfront, they can prepare and direct an attack based on the vulnerabilities they have discovered that version to have.
When the version number is hidden, they would have to keep guessing.
You can manually do that, including removing the number from RSS feeds, add this function to your functions.php file:
But we did promise a less-techy approach. So, look into your installed WordPress security plugin because they easily remove WordPress version numbers.
8. Log Out Idle Users
If a passerby gains access to an open wp-admin panel, they can change the user account and even have the means to launch a site-wide attack.
Once you’ve installed either, head over to Settings to activate it.
How to Secure Your WordPress Website – Core Protections
9. Add User Accounts With Care
As your WordPress site grows, you’ll have to extend administrator privileges to others, such as your:
- SEO manager
- Guest poster
Use a WordPress security plugin such as Force Strong Passwords to ensure everyone uses solid passwords to secure the admin panel.
Do also sensitive everyone about the importance of doing due diligence when logging in and using the website permissions.
10. Add Security Questions to WordPress Login Screen
Under Settings >> Security Questions, you can add, replace, or remove custom security questions on the WordPress login screen to add a layer of protection to your website.
Wondering how, already?
Watch this quick video to find out:
11. Use SSL to Encrypt Data
The Secure Sockets Layer protocol helps encrypt data transferring between your users’ browsers and your website.
You know your site is SSL active when it shows a small, green padlock icon to the left of your domain name in the address bar.
That means it has changed from the more vulnerable HTTP protocol to the much more secure HTTPS protocol.
You can now grab a free SSL Certificate with many web hosting services such as Kinsta, which also offers TSL certificates.
Check out the differences between TSL vs SSL certificates here.
On the same note, if you do get a choice between SFTP and FTP, always opt for SFTP.
12. Change WordPress Database Prefix
The default WordPress table prefix is wp- and it makes a site vulnerable to SQL injection attacks.
Consider changing the prefix to say mywp- or newwp- when installing WordPress right from the beginning.
Log in to your hosting account and access the cPanel. Go to File Manager >> WordPress Directory >> wp-config.php.
The table prefix will appear like:
$table_prefix = ‘egwp_7676_’;
Then exit the File Manager. Follow up by accessing the PHP admin area to change all table prefixes-about 11 in total so it is quite a hands-on process.
If you can input an SQL query in the SQL tab it might be a bot easier and faster.
By inputting this:
Then run another SQL query just to be sure everything is revamped to the new prefix. Ensure you use a mix of numbers and letters to make it truly unique.
Feel like the manual route isn’t for you?
13. Log Out Idle Users
Like your WordPress login page password, ensure you safeguard the core of your website with a strong password.
If you are already using LastPass as your favorite WordPress password manager, you can also use it to generate strong passwords and save them automatically, so you don’t have to remember them to use them in the future.
If you want to eliminate the need for a password when logging into a server, use SSH keys.
14. Disable File Editing in WordPress Dashboard
Hackers can take advantage of wide-open file-editing permissions to takeover or change how your site works without your knowledge.
You may have to insert a bit of code to implement this. But if you already use the Sucuri WordPress security plugin, it can do it for you by activating the procedure under its Hardening feature.
If you are okay with a bit of code work, then insert the following code under Dashboard>>Appearance:
Locate where to place it here:
And then there are more advanced ways to secure your WordPress site.
WordPress Security – Advanced Protections
Some may require you to fiddle with one or two lines of code, but most won’t, so read on.
15. Protect the wp-config.php File
Keep in mind this is the most important file in your WordPress installation.
How important is the wp-config.php file?
It hosts your WordPress database security keys and login information. The security keys handle cookies’ information encryption.
With this one, you may have to do a bit of coding.
Note: If you are not sure how to do it, ask your web hosting service or WordPress security provider to handle it for you because it literally crashes your site if handled improperly.
Still, raring to go?
Here’s how to do it yourself:
- Move the file offline by copying it to a non-www file and then place the following snippet in the original wp-config.php file to include the new file
- Create fresh WordPress security keys, especially after a migration or buying a WordPress site from someone else. You can simply use the WordPress tool to create new random security keys.
- WordPress recommends changing setting the WordPress files in the root directory to 400 or 440 instead of the default 640, which gives everyone permission to view and change files. Use your FTP client to do that. Again, if not sure how it is smart to ask your hosting provider for help.
16. Limit Login Attempts to Secure Your WordPress Website
The WordPress platform allows unlimited login attempts by default. But that setting can set you up for Brute Force compromises if a determined hacker directed one at your site.
Modern hackers use programs that come up with a combination of passwords to try and log in.
The easiest way to do this is to use the best plugins for the job.
Here are two options:
- Login Lockdown Plugin: Records the timestamps and IP addresses of failed login attempts. You decide and set up the trigger number of failed attempts within the same IP range that prompt the plugin into action by disabling all login attempts from the detected range.
Once installed, you can activate it under Dashboard >> Settings >> Login Lockdown.
- Cerber Login Limit Attempts: You can do even more with Cerber, including setting up IP blacklists and whitelists and lockout durations if you want to be more hands-on.
17. Disable XML-RPC in WordPress
Hackers exploit the ability of the system.multicall technique to use a single request for multiple execution methods.
It is meant to fool your login attempts monitor by passing multiple commands in just one HTTP request. Fewer tries mean your monitor may not go off and warn you before the hacker breaks in.
To disable XML-RPC, you first need to know if it’s active in your site.
For example, if you use Jetpack for WordPress, the plugin uses XML-RPC.
Use the XML-RPC Validator. It’ll return an error message if you don’t have it.
18. Add Latest HTTP Security Headers
These are configured at the server level, so you may have to ask your host to do this for you. Or hire a dedicated WordPress security service you can trust.
HTTP security headers tell your browser how to behave when interacting with your website content.
There are a bunch of them, so use a tool like securityheaders.io to scan through and find which ones you have on your site.
If you are not sure how implementing HTTP security headers will affect your site, do ask your hosting provider to intervene.
19. Prevent Hotlinking
Hotlinking can add up hosting costs to your bills. That is when someone uses an image URL on your site to display the image directly on their site. That person would be using your bandwidth. The more people do that, the higher your bandwidth costs add up.
To disable hotlinking in WordPress, go to WP Security >> Firewall >> Prevent Hotlink >> Prevent Image Hotlinking (check) >> Save Settings. And you are done.
20. Apply DDoS Protection
Distributed Denial of Service (DDOS) attacks, while not directly destroying your site, are super frustrating when your end users can’t access your site. It can keep you out of business. Literally.
Use CloudFlare to counter both simple and sophisticated DDOS attacks.
21. Use a Top WordPress Backup Plugin to Recover Your WordPress Website
Regularly backing up your site means you can restore it to a former working state in case something tricky happens.
Depending on how much change you create in your WordPress site, you can set it up to backup your site once a week, a couple of days, or daily.
WordPress Security – Are you ready to Secure Your WordPress Website?
It is natural to see WordPress sites are the number one target of hack attacks, considering around 35% of all websites are powered by it.
WordPress holds over 60% of the content management systems (CMS) market share, as well.
Perhaps even more interesting is WordPress dominates eCommerce as well, an online fraud magnet. Two of the most popular eCommerce plugins for WordPress are Easy Digital Downloads and WooCommerce.
A hacked website can mean a ruined reputation, business, insurmountable frustration, and huge financial losses for you. Use these tips to secure your WordPress website.
Read Other WordPress Guides:
- How to Make WordPress Site Live
- How to Speed Up WordPress Site
- Install WordPress on Windows: Ultimate Step by Step Guide
- How to Create the Best WordPress Staging Site
- How to Discover & Recover WordPress Site
- How to Add Custom Fonts to WordPress
- Wix vs WordPress: Platform Crucial Differences
- Can’t Login to WordPress Admin Dashboard?
- How to Add Security Questions to Your WordPress Login Screen
- How to Stop Users From Sharing Passwords in WordPress