If you haven’t had the unpleasant experience of having your site hacked or infected with malware, consider yourself lucky.
Unfortunately, WordPress sites are a notorious target for hackers. According to Sucuri, 83% of all hacked sites in 2017 were WordPress sites, up from 74% in 2016.
Website security is a complex topic, and although you don’t need to know its ins and outs, you do want to take some basic measures to protect yourself.
Why WordPress is a target for hackers
Many website owners ignore security because they feel that their site is too small or has too little traffic to be a target for hackers.
Sure, there are some hackers that only target high-profile sites. But the majority of attacks are automated and are not selective about the sites they infiltrate.
The way most attacks work is a bot is sent out searching for any websites that meet certain criteria. The bot has no clue if anyone visits your site or how popular it is. It’s just trying to get into as many websites as possible.
There are four things that make WordPress an easy target:
- The WordPress software consists of hundreds of files that are identical across websites. This means that if a hacker finds a security hole, they can easily worm their way into many sites.
- Many WordPress sites are created by beginners who do not take any measures to secure their sites. You’d be surprised how many people use the username “admin” and password “12345” to log into their Dashboard.
- Most WordPress sites use several plugins, some of which are abandoned (meaning not updated) by the developer. It’s highly likely that a WordPress site is running at least one old plugin that might have a security hole.
- 30% of all websites are powered by WordPress. For a bot, this means that nearly 1 in every 3 websites they seek out is a potential target, which increases their chance of a successful hack.
The bottom line is that whether you have 1 visitor or 1 million visitors, your WordPress site is a target.
How much time and effort should you spend on security?
How far you go in terms of security should really depend on how vital your website is. If you are making 100% of your income from your website, you are best off spending quite a bit of time securing your site, and possibly even hiring someone to handle it for you.
If, on the other hand, you have a casual blog that’s just for fun, security might not be something you need to spend a bunch of time on.
Either way, you should know that WordPress security is about minimizing risk, not eliminating it. Although the steps below will greatly reduce the risk of an attack, nothing can completely eliminate the possibility.
The 14 easiest ways to secure your WordPress website
Below I’ve rounded up WordPress security best practices. These recommendations are listed in order of how easy they are to implement, with the easiest methods appearing at the top.
All of these can be done by a beginner or DIY-er, so don’t let this list intimidate you! Below this list, I describe step-by-step how to tackle each suggestion.
- Install Loginizer
- Install Force Strong Passwords
- Configure automated backups
- Update your WordPress software
- Update your plugins
- Update your themes
- Delete unused plugins
- Delete unused themes
- Delete old users
- Monitor who is logging into your site
- Eliminate the “admin” username
- Use a managed WordPress host
- Audit your plugins
- Hire an expert
1. Install the Loginizer plugin
This plugin protects against brute force attacks, in which a bot repeatedly tries to guess your username and password combination. Once installed, it locks out anyone who tries and fails to log in more than three times within a short time period.
You can change this setting to allow more than three incorrect logins, and it automatically unlocks the user after 15 minutes. That is long enough to fend off bots, but short enough that you aren’t in a bind if you lock yourself out.
All you need to do is head over to Plugins -> Add New within your WordPress dashboard.
Search for “Loginizer”. Install and activate the plugin and you’re all set.
By the way, this plugin is a new and improved version of “Limit Login Attempts”, which was similar but hasn’t been updated in several years.
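To show what a lockout like the one described above actually does under the hood, here is an added example of a small must-use plugin. It is my own illustration, not Loginizer’s code: it counts failed logins per connecting address with a WordPress transient, refuses further attempts for 15 minutes once three failures pile up, and clears the counter on a successful login. The constant names, function names and thresholds are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 *
 * Added example, not the Loginizer plugin's code. Copy it into
 * wp-content/mu-plugins/ and WordPress loads it automatically. It implements
 * the behaviour described above: after three failed logins from one address
 * within a short window, further attempts are refused for 15 minutes.
 * The constants and function names are this example's own choices.
 */

const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 3;    // failures allowed before locking
const EXAMPLE_LOCKOUT_WINDOW       = 300;  // seconds in which failures are counted
const EXAMPLE_LOCKOUT_DURATION     = 900;  // 15 minutes, as in the text

// Transient key for the connecting address. REMOTE_ADDR is the direct peer;
// behind a proxy or CDN you must derive the real client address from the
// header that proxy sets, otherwise every visitor shares one counter.
function example_lockout_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lockout_' . md5($ip);
}

function example_lockout_state() {
    $state = get_transient(example_lockout_key());
    return is_array($state) ? $state : array('failures' => 0, 'locked_until' => 0);
}

// Fires whenever WordPress rejects a login. Transients expire on their own,
// so the counter resets without any cleanup code.
function example_lockout_record_failure($username) {
    $state = example_lockout_state();
    if ($state['locked_until'] > time()) {
        return; // already locked; do not extend the lockout on every retry
    }
    $state['failures']++;
    if ($state['failures'] >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        $state['locked_until'] = time() + EXAMPLE_LOCKOUT_DURATION;
        // Leave a trace in the PHP error log so the site owner can see lockouts.
        error_log(sprintf('login lockout: %s locked after %d failures (last username "%s")',
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $state['failures'], $username));
        set_transient(example_lockout_key(), $state, EXAMPLE_LOCKOUT_DURATION);
    } else {
        set_transient(example_lockout_key(), $state, EXAMPLE_LOCKOUT_WINDOW);
    }
}
add_action('wp_login_failed', 'example_lockout_record_failure');

// Refuse authentication while locked. This runs after WordPress's own
// username/password check (priority 20), because that check ignores an
// error returned by an earlier filter; whatever it produced is replaced
// with the lockout error.
function example_lockout_authenticate($user, $username, $password) {
    $state = example_lockout_state();
    if ($state['locked_until'] > time()) {
        $minutes = (int) ceil(($state['locked_until'] - time()) / 60);
        return new WP_Error('locked_out',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes));
    }
    return $user;
}
add_filter('authenticate', 'example_lockout_authenticate', 100, 3);

// A successful login clears the counter, so a user who mistyped once is
// not penalised later.
function example_lockout_clear($user_login, $user) {
    delete_transient(example_lockout_key());
}
add_action('wp_login', 'example_lockout_clear', 10, 2);
```

Two design points worth noticing: the lockout is keyed on the client address rather than the username, so an attacker cannot lock a real user out of their own account simply by guessing wrong on purpose, and the check runs late in the `authenticate` filter chain because WordPress’s built-in password check does not honour an error returned by an earlier filter.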
2. Install the Force Strong Passwords plugin
The Force Strong Passwords plugin does exactly what it sounds like. It forces any new user to create a strong password when registering for your site.
Although this will not force current users to change their password, it’s good to have in place as your website grows and you add new users.
Installing is simple. Within Plugins -> Add New, search for “Force Strong Passwords”.
Install and activate the plugin. That’s it!
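For readers who want to see what “forcing a strong password” means in code, here is an added example of my own, not the Force Strong Passwords plugin’s code. It hooks the two places where a user sets a password (the profile/add-user screen and the password-reset form) and rejects passwords that are short, use too few character classes, contain the username, or contain a common word. The rules and the tiny deny list are this example’s assumptions.

```php
<?php
/**
 * Plugin Name: Example Strong Password Check
 *
 * Added example, not the Force Strong Passwords plugin's code. Place it in
 * wp-content/mu-plugins/. It rejects a weak password wherever a user sets
 * one: on the profile / Add New User screen and on the password-reset form.
 * The rules below are this example's own choice.
 */

// Returns a list of problems with the password; an empty array means it passes.
function example_password_problems($password, $username = '') {
    $problems = array();
    if (strlen($password) < 12) {
        $problems[] = 'must be at least 12 characters long';
    }
    // Count the character classes used: lowercase, uppercase, digits, other.
    $classes = (int) preg_match('/[a-z]/', $password)
             + (int) preg_match('/[A-Z]/', $password)
             + (int) preg_match('/[0-9]/', $password)
             + (int) preg_match('/[^a-zA-Z0-9]/', $password);
    if ($classes < 3) {
        $problems[] = 'must mix at least three of: lowercase, uppercase, digits, symbols';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'must not contain the username';
    }
    // Tiny constructed deny list; a real deployment would use a much larger one.
    $common = array('password', '12345', 'qwerty', 'letmein', 'wordpress', 'admin');
    foreach ($common as $word) {
        if (stripos($password, $word) !== false) {
            $problems[] = 'must not contain the common word "' . $word . '"';
            break;
        }
    }
    return $problems;
}

// Profile screen and Users -> Add New. WordPress only fills $user->user_pass
// when a new password was typed, so an unchanged password is not re-checked.
function example_check_profile_password($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return;
    }
    $username = isset($user->user_login) ? $user->user_login : '';
    foreach (example_password_problems($user->user_pass, $username) as $problem) {
        $errors->add('weak_password', '<strong>Error</strong>: Password ' . $problem . '.');
    }
}
add_action('user_profile_update_errors', 'example_check_profile_password', 10, 3);

// Password-reset form (wp-login.php?action=rp): the new password arrives in pass1.
function example_check_reset_password($errors, $user) {
    if (!isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return;
    }
    foreach (example_password_problems($_POST['pass1'], $user->user_login) as $problem) {
        $errors->add('weak_password', '<strong>Error</strong>: Password ' . $problem . '.');
    }
}
add_action('validate_password_reset', 'example_check_reset_password', 10, 2);
```

Adding an error to the `$errors` object is what makes WordPress refuse to save the user or reset the password, so the check cannot be skipped by a user who simply ignores the on-screen strength meter.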
3. Configure automated backups
Alright, it’s technically not a security protection measure, but backing up your site is so important that I included it here.
If your website is ever attacked, you will be eternally grateful to have a backup at the ready.
Backups can take many forms, but you want to be sure that they are automated and stored somewhere outside of your hosting server.
You can find easy, step-by-step backup instructions in the Ultimate Guide for Backing Up Your WordPress Site.
4. Update your WordPress software
Before you perform any updates on your site, be sure you’ve created a manual backup of your site, just in case anything goes wrong.
Within your WordPress Dashboard, click on Dashboard -> Updates.
If you see a message like the one below, your WordPress software is out of date.
All you need to do is click on the blue “Update Now” button. Your site will be updated within a minute or two.
Ideally, you want to check for updates at least once a week. Although most WordPress sites will install security updates automatically, some won’t, so be sure to double-check.
5. Update your plugins
In addition to keeping your WordPress software up to date, you want to be sure your plugins are up to date as well. Be sure to check for updates at least once a week.
Navigate back over to Dashboard -> Updates. In the Plugins section, you’ll see a list of any plugins that have updates available.
Click the check box next to “Select All” and then click the gray “Update Plugins” button.
6. Update your themes
See a trend here? You want to check for theme updates weekly as well.
Within Dashboard -> Updates, you’ll see a list of any themes that have updates available.
Just like with plugins, you want to click the check box next to “Select All” and then click the gray “Update Themes” button.
7. Delete unused plugins
The last thing you want is a bunch of old, unused plugins on your site. Many people deactivate plugins, but unless you delete the plugin as well, its files stay on the server and a hacker can still reach them.
I like to treat this as a two-step process.
First, head over to Plugins -> Installed Plugins. As you probably know, this is a list of all plugins installed on your site.
Active plugins have bold titles and a light blue background, while inactive plugins have white backgrounds. Notice in the screenshot below that the plugins within the red box are inactive.
Usually, an inactive plugin is one that you don’t need on your site. Click the red “Delete” link under any inactive plugins that you are not planning on using in the near future.
Second, take a look at your active plugins. Are there any that you aren’t using? If so, deactivate and delete them.
8. Delete unused themes
Despite the fact that WordPress can only use two themes at a time (one parent theme and one child theme), most people have several themes installed on their site. In fact, when writing this article, I found out that I was definitely guilty of this as well!
If you head over to Appearance -> Themes, you can see a list of all of the themes on your site. The active theme appears in the top left corner.
Before you go deleting themes, click on the active theme in the top left corner. This will pop up the theme details box.
This is where you can find out if you are using a child theme. This is super important! You must keep both the child and parent theme in order for your site to function properly.
Once you know which themes are safe to delete, you’re ready to go. Click on the first theme you want to delete to pop up the theme details box. In the bottom left corner is a small, red “Delete” link.
When you click on that link, you’ll see a pop up asking if you are sure you want to delete that theme.
Click the blue “OK” button.
Repeat this process for all unused themes on your site.
9. Delete old users
Many people have unused users on their site. Sometimes it’s a friend that’s helped you out, or a developer you’ve hired for a one-off task. Sometimes you might even have multiple usernames set up for yourself.
In any case, you want to get rid of anyone who doesn’t actually need to log into your site.
In your Dashboard, navigate to Users -> All Users.
Take a look through your users, paying special attention to Administrative users. Anyone with Administrative access will have full access to your site.
If you spot someone that can be deleted, hover over their name and click the red “Delete” link.
On the next page, one of two things will happen.
If the user you are deleting has not added any content to your site, you’ll simply see a blue “Delete” button. Click on that and you’re all set.
If the user you are deleting has added content to your site, you’ll need to either:
- Delete their content, or
- Attribute it to another user
If you aren’t sure, be sure to attribute the content to another user so it’s not removed from your site. In the screenshot below, I’m attributing all content to the user “anneber”.
Once you’ve made your choice, click the blue “Confirm Deletion” button.
Repeat this process for all old Users on your site. Going forward, you should be sure to audit Users regularly and delete anyone who doesn’t need access.
10. Monitor who is logging into your site
There’s a great plugin called WP Security Audit Log that can provide a lot of details to help secure your site. This plugin is especially helpful if you have many users who are contributing content or maintaining your website.
To install, navigate to Plugins -> Add New. Search for “WP Security Audit Log”. Install and Activate the plugin.
Once activated, you’ll see a new “Audit Log” menu item within your Dashboard. If you click on Audit Log, you probably won’t see any data right away, but as users log into your site over the next day or two, this log will start to populate. In addition to seeing a list of users who have logged in, you’ll see the time of login, their IP address and the activity that they performed while logged in.
What you want to do is review this data for anything that looks weird.
Is there a user you don’t recognize who is repeatedly logging into your site? If so, double check to make sure it’s legit.
Is a certain user constantly logging in several times in the middle of the night? If most of your users are within your home country, this might suggest an international user who shouldn’t be logging in.
What are the users doing on your site? Is there someone you don’t recognize editing your content?
You know your site and your users better than anyone. If there is anything on the log that looks funky to you, take a few minutes to investigate and see what is going on.
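The review questions above are easy to apply by eye to a handful of entries, but they also translate into simple checks you can run over an exported log. The following is an added example of my own, not part of WP Security Audit Log: it takes a list of login events with the same columns the plugin shows (user, time, IP address, activity) and flags unknown users, night-time logins, content changes by unexpected accounts, and repeated logins in a short window. The sample events, the list of recognised users and the thresholds are all constructed for the example.

```php
<?php
// Added example, not part of the WP Security Audit Log plugin: the review
// questions above written as checks over a list of login events. The events
// are constructed to match the columns the log shows (user, time, IP,
// activity); in practice you would export the log and load it here instead.
// The user lists and thresholds are assumptions for the example.

date_default_timezone_set('UTC'); // assumes the log's times are in this zone

$known_users   = array('anneber', 'editor1'); // accounts you recognise
$content_users = array('anneber', 'editor1'); // accounts expected to edit content
$quiet_hours   = array(0, 5);                 // 00:00-05:59 counts as "middle of the night"
$burst_window  = 3600;                        // seconds
$burst_limit   = 4;                           // logins by one user inside the window

$events = array( // constructed sample log
    array('user' => 'anneber', 'time' => '2018-03-01 09:12:00', 'ip' => '203.0.113.10', 'activity' => 'login'),
    array('user' => 'anneber', 'time' => '2018-03-01 09:20:00', 'ip' => '203.0.113.10', 'activity' => 'post_edited'),
    array('user' => 'editor1', 'time' => '2018-03-01 14:05:00', 'ip' => '198.51.100.7', 'activity' => 'login'),
    array('user' => 'jdoe42',  'time' => '2018-03-02 03:14:00', 'ip' => '192.0.2.55',   'activity' => 'login'),
    array('user' => 'jdoe42',  'time' => '2018-03-02 03:16:00', 'ip' => '192.0.2.55',   'activity' => 'post_edited'),
    array('user' => 'editor1', 'time' => '2018-03-02 22:00:00', 'ip' => '192.0.2.99',   'activity' => 'login'),
    array('user' => 'editor1', 'time' => '2018-03-02 22:07:00', 'ip' => '192.0.2.99',   'activity' => 'login'),
    array('user' => 'editor1', 'time' => '2018-03-02 22:15:00', 'ip' => '192.0.2.99',   'activity' => 'login'),
    array('user' => 'editor1', 'time' => '2018-03-02 22:31:00', 'ip' => '192.0.2.99',   'activity' => 'login'),
);

function review_events(array $events, array $known, array $content, array $quiet, $window, $limit) {
    $findings = array();
    $logins   = array(); // user => list of login timestamps
    foreach ($events as $e) {
        $ts   = strtotime($e['time']);
        $hour = (int) date('G', $ts);
        $who  = $e['user'] . ' from ' . $e['ip'] . ' at ' . $e['time'];
        if (!in_array($e['user'], $known, true)) {
            $findings[] = "unknown user: $who ({$e['activity']})";
        }
        if ($e['activity'] === 'login') {
            $logins[$e['user']][] = $ts;
            if ($hour >= $quiet[0] && $hour <= $quiet[1]) {
                $findings[] = "night-time login: $who";
            }
        } elseif (!in_array($e['user'], $content, true)) {
            $findings[] = "unexpected content change: $who ({$e['activity']})";
        }
    }
    // Repeated logins: flag a user with $limit logins inside any $window seconds.
    foreach ($logins as $user => $times) {
        sort($times);
        for ($i = 0; $i + $limit - 1 < count($times); $i++) {
            if ($times[$i + $limit - 1] - $times[$i] <= $window) {
                $findings[] = "$user logged in $limit times within " . ($window / 60) . ' minutes';
                break;
            }
        }
    }
    return $findings;
}

foreach (review_events($events, $known_users, $content_users, $quiet_hours, $burst_window, $burst_limit) as $f) {
    echo "REVIEW: $f\n";
}
```

Run it with `php review.php` from a terminal. With the sample data it flags the unrecognised “jdoe42” account twice (a 3 a.m. login and a post edit), and “editor1” for four logins inside one hour; everything from “anneber” passes. Each finding is a prompt to investigate, not proof of a break-in, which is exactly how the log itself should be read.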
11. Eliminate the “admin” username
Hackers are notorious for finding their way in via the username “admin”. It’s best to never use “admin” as a username if you want to secure your website.
Unfortunately, WordPress does not allow you to change usernames after a user has been created. Therefore, in order to get rid of “admin”, you’ll have to create a new username and then delete “admin”.
I promise the steps to do this are pretty simple.
First, head over to Users -> Add New. Assuming you are “admin”, you’ll want to add a new username for yourself.
Fill in the username and email field. Because WordPress only allows one user per email address, you’ll need to use a secondary email address for this step (meaning an email other than the one registered under “admin”). Don’t worry, we’ll switch back to your primary email in just a bit.
Most people have multiple emails, so hopefully this isn’t a problem, but you can always sign up for a free gmail.com email if needed.
After you enter a new username and email, be sure to choose “Administrator” under the Role drop down menu.
Then click the blue “Add New User” button.
Alright, now you have a new user, and you are ready to banish “admin” from your site forever.
Head back over to Users -> All Users. Hover over the “admin” username and click the red Delete link.
On the next page, WordPress will ask you if you want to delete the content created by admin or attribute it to another user. Be sure to attribute it to another user if you want the content to remain on your site!
Click the blue “Confirm Deletion” button. Congratulations! You’ve successfully gotten rid of the troublesome “admin” user.
The final step is to go back to the new user you created and update the email address to the one you actually want to use. In Users -> All Users, hover over the new user you created and click Edit.
Scroll down to the Contact Info section and update the email address.
Because we deleted the old account associated with your email, you should be able to use it again here.
Finally, be sure to scroll to the bottom and click the blue “Update Profile” button.
12. Use a managed WordPress host
Most beginning website owners use what is known as Shared Hosting. This is the cheapest form of hosting, because it’s generic and you share your server with many other websites.
If security is your goal, consider switching to a managed WordPress host. There are quite a few of them out there, but my personal favorite is WPEngine.
The benefit of a WordPress host is that everything about your server is optimized solely for WordPress. Whereas on shared hosting you might have sites running other types of software, WordPress hosts only deal with WordPress sites.
You don’t really need to understand the technicalities of managed WordPress hosting (I certainly don’t). All you need to know is that WordPress-specific hosting provides you with two main benefits:
Managed WordPress hosts are top-notch when it comes to keeping your site secure, which makes a huge difference in how vulnerable your website is to an attack.
The downside of managed WordPress hosting is the cost; you’ll usually pay at least $20-30 per month, if not more.
Although switching hosts can be a huge pain, the good news is that most WordPress hosts out there offer free site transfers. This means that all you really need to do is:
- Sign up for a hosting plan with a managed WordPress host like WPEngine
- Contact their support team and let them know you want to switch your website over to their hosting platform.
- The support team will follow up with any additional questions or details that they need before making the switch
- Most hosts will set your site up on a temporary URL so that you can make sure everything looks OK before going live
- Once you give the “OK”, you’re all set and switched to a more secure host
- After you are comfortably settled with your new host, you can cancel your old hosting plan
13. Audit your plugins
In a previous step, I advised you to delete any unused plugins. That’s an awesome first step, but there is some additional work you can do to really beef up your site’s security as far as plugins are concerned.
Unfortunately, many plugins are abandoned by their developers at some point. This means that the plugin is no longer updated. It’s hard to predict what will happen to an abandoned plugin. Some will function properly for many years to come, while others will start causing issues and security holes.
To really have a secure site, you need to periodically take stock of your plugins and see if there are any that have gone by the wayside.
I’m about to describe the process that I personally use to audit plugins, but this is really more an art than a science.
If you head over to Plugins -> Installed Plugins, you’ll see in your plugin list that every plugin has a “View details” link under the description.
When you click on that link, a box will pop up with more information about the plugin.
The first thing I look at here is the Last Updated field. You can see that the plugin in the screenshot below was updated two days ago. That tells me that, clearly, this plugin is still being developed and I can guess that it’s reasonably secure.
There’s no hard and fast rule for how often plugins need to be updated. But if I see a plugin that hasn’t been updated for six months or more, that’s a red flag. Keep a running list of any plugins that seem outdated, and I’ll give you a couple tips in a bit about how to deal with them.
Let’s quickly take a look at another example.
You can see that this plugin isn’t looking so great. It hasn’t been updated in 6 years! I would definitely add this to my red flag list.
Some plugins, however, aren’t so black and white. What about a plugin that was updated, say, 7 months ago? In cases like that, I’ll also look at the Active Installations and Reviews. If the plugin has a large number of installations (~100,000+) and good reviews (4 stars or more), I’ll generally give it a pass and see if it’s updated before my next audit.
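Because this rule of thumb has a few moving parts (months since the last update, active installations and star rating), it helps to write it down once so every audit applies it the same way. Here is an added example of my own, not from the article: a function that sorts plugin records into “ok”, “watch” and “red flag” using the six-month threshold, the 100,000-install mark and the 4-star mark from the text. The plugin records are constructed to mirror the fields in the details box, and the one-year ceiling on the “watch” exception is this example’s own assumption.

```php
<?php
// Added example, not from the article: the "Last Updated", "Active
// Installations" and rating rule of thumb above, written as a function so a
// plugin list is sorted into ok / watch / red flag the same way every audit.
// The plugin records are constructed to mirror the details box; the six-month
// threshold, 100,000 installs and 4 stars come from the text, while the
// one-year ceiling on the "watch" exception is this example's own assumption.
// To audit a real site, fill the records from the wordpress.org plugin API
// (its rating field is a percentage, so divide by 20 to get stars).

function classify_plugin(array $plugin, $today) {
    $age_months = (strtotime($today) - strtotime($plugin['last_updated'])) / (30 * 86400);
    if ($age_months < 6) {
        return 'ok';
    }
    $popular    = $plugin['active_installs'] >= 100000;
    $well_rated = $plugin['rating_stars'] >= 4.0;
    if ($age_months < 12 && $popular && $well_rated) {
        return 'watch'; // give it a pass, but re-check at the next audit
    }
    return 'red flag';
}

$today   = '2018-03-01'; // constructed audit date
$plugins = array(        // constructed records, not real plugin statistics
    array('name' => 'Loginizer',            'last_updated' => '2018-02-27', 'active_installs' => 500000,  'rating_stars' => 4.6),
    array('name' => 'Limit Login Attempts', 'last_updated' => '2012-06-01', 'active_installs' => 1000000, 'rating_stars' => 4.7),
    array('name' => 'example-gallery',      'last_updated' => '2017-08-01', 'active_installs' => 200000,  'rating_stars' => 4.5),
    array('name' => 'example-widget',       'last_updated' => '2017-07-15', 'active_installs' => 3000,    'rating_stars' => 3.8),
);

$advice = array(
    'ok'       => 'keep',
    'watch'    => 'widely used and well reviewed; re-check at the next audit',
    'red flag' => 'not updated recently; deactivate and delete, or replace with a maintained plugin',
);
foreach ($plugins as $p) {
    $class = classify_plugin($p, $today);
    printf("%-22s %-9s %s\n", $p['name'], $class, $advice[$class]);
}
```

With the constructed records, the plugin updated two days ago is “ok”, the one untouched for six years is a “red flag” no matter how many installs it has, the seven-month-old plugin with 200,000 installs and 4.5 stars lands on “watch”, and the small, poorly rated one goes straight to the red flag list.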
So after you’ve gone through all of your site’s plugins, you should have a red flag list of plugins that are outdated. There are a couple of things you can do with them:
- Deactivate and delete them
- Replace them with a plugin that is actively updated
Be careful here, and be sure you have a backup.
If you no longer need the plugin, simply deactivate it and delete it. This is definitely the easier method, so go for it if you are confident that it won’t mess anything up.
If the plugin is in use, you can look for an alternate. For example, the outdated plugin in my screenshot above is “Limit Login Attempts”. If I navigate to Plugins -> Add New and search for “Limit Login Attempts”, I can see that there are many alternate plugins available that have been updated very recently.
In this case, I would simply Install and Activate a newer plugin with the same capabilities.
Unfortunately, it’s not always quite so simple. What if it is the plugin that powers your e-commerce shipping? Or your membership plugin?
How to switch plugins in these more involved cases is beyond the scope of this article and, frankly, will vary greatly depending on your site and the plugin you are using. The reason I have this so far down on the security list is that it is really best left to those who are super confident in their WordPress abilities or developers who are fluent in complex plugin issues.
If you do need a developer to advise and assist you on plugin switches, I highly recommend Codeable.
14. Hire an expert
Real talk. Security is a complex issue, well beyond the scope of a DIY-er and even beyond the scope of most developers. To truly secure your site, you need to tweak everything from your server setup to the way your database is structured.
Security is also something that needs to be constantly monitored and changed as new security holes are discovered and web standards evolve.
That’s not to say that every website owner needs to spend money on expert security advice. It’s a risk-reward analysis just like any other business decision.
I look at it like this: if my website goes down, what’s the cost?
Personally, I’m fine securing my site to the best of my abilities and ensuring I have automated backups if I ever need them. But I have many clients who make 100% of their income from their websites. They simply can’t afford a security breach.
If your website is your lifeline, I definitely recommend having an expert monitor security for you.
The leading WordPress security company is Sucuri. Not only do they protect your site, but they provide hack repair if needed. Honestly, I find their website kind of confusing, but what you want to look at is their Website Security Solutions. They offer three packages ranging from $199.99/yr to $499.99/yr. I feel like the pricing is a steal for the peace of mind they provide and the time it saves you managing your own website security.
I know that’s a lot to take in. In addition to taking the steps above to secure your site, I want to leave you with one final thought.
WordPress security is an ongoing maintenance task. It’s not something you look at once and then never have to think of again. So as you’re building and maintaining your website, be sure to add security tasks into the mix.
Here’s to safe, secure and hacker-free websites!