10 Powerful Keys to Securing Your WordPress Website in 2023
All too often, WordPress website owners find their sites have been compromised. Given its popularity as a CMS, WordPress is the platform most targeted by hackers, and as a result it gets a bad name for being insecure.
But this is not really the case.
WordPress' open source nature means that anyone can use it, and the large majority of those using it are not well versed in basic cyber security practices. This is what creates an illusion that WordPress is somehow less secure than other website building options.
Those individuals who utilize sound security practices rarely have issues with sites being hacked. So what makes a WordPress website secure?
Securing Your WordPress Website
Here are 10 things to keep in mind when it comes to securing your WordPress website.
Use a Secure Host
If you come away with nothing else from this post, at least pay attention to this one. Your WordPress website is only as secure as the server it lives on.
Most WordPress websites are built on shared hosting, meaning your site lives on the same server as other customers' websites. Choose a hosting company that properly cages account permissions on their servers.
It's not uncommon for one compromised website to infect others on the same server. If you choose a host where permissions are properly separated for each account, the risk of cross-site contamination is minimized.
Contrary to popular opinion, VPS hosting is also susceptible to malware propagation. VM escape attacks, where malware exploits vulnerabilities in the virtualization platform, can allow it to break out of one VPS and move to another VPS that lives on the same physical hardware.
Secure hosts will also have other mitigations in place. These include running ModSecurity (mod_security) in their web server configuration, anti-malware packages such as Imunify360, and DDoS protection to keep sites from being overwhelmed by bots.
Keep Your Core, Themes, & Plugins Updated
Most WordPress sites get hacked because they're running out-of-date code. That's not an opinion; it's a documented fact.
Security researchers performing forensic analysis on thousands of hacked WordPress websites have determined without a doubt that out-of-date plugins and themes are responsible for over 80% of them.
Imagine: by simply keeping your themes and plugins up to date, you could eliminate 80% of the chances your site might be compromised. Now, that's a key to securing WordPress worth taking note of.
Enable 2-Factor Authentication
While out-of-date themes and plugins are responsible for the large majority of hacked WordPress websites, brute force attacks on usernames and passwords are the most common method attempted to gain unauthorized access to websites.
While the success rate is usually low, about 8% of hacked websites were still broken into simply by guessing a user's password.
One way to protect your website is to enable 2-Factor Authentication (2FA). In addition to your username and password, 2FA will require you to also submit a one-time passcode from your mobile device or from an email message.
If a hacker has your username and password for your website, but they don't have your phone or access to your email, they won't be able to log in.
There are several plugins that add 2-Factor Authentication to your website, and many comprehensive security plugins which we'll talk about in the next section also add it as part of the many features they include.
Install a Security Plugin
There are folks who say that all of the security should be done by your host, but in the cyber security world, we believe that security happens in layers. Having a security plugin on your WordPress website is just one more of those layers.
When it comes to security plugins, there are a variety to choose from. Here are some of the most popular security plugins. You should test them out and see which one suits your needs best.
Wordfence
While this post isn't going to go into which security plugin is the best, the most popular one is Wordfence – and there are great reasons why.
For one, Wordfence is a security-dedicated company in that security is all they do. They're not some WordPress plugin developer who just happens to have a security plugin in their portfolio, they live and breathe security.
The Wordfence plugin comes with a free web application firewall that checks every request against a list of known exploits and blocks them if it finds a match. They also have a malware scanner that looks for telltale signs of malicious activity and files. Another great feature is the ability for the scanner to check all of your theme and plugin files against those in the WordPress.org repository to ensure they match.
Wordfence logs all security-related activity by default so you can review it and ensure your site is safe.
Another nice feature in Wordfence is its 2-Factor Authentication module, so you can knock out recommendation #3 in this post. In the same line of protection, it also has brute force protection that locks out IP addresses that attempt to log in multiple times, effectively stopping bots in their tracks.
Sucuri
Sucuri is another great security plugin that can help to protect your WordPress website. It has many of the same great features offered by Wordfence with one notable exception: there is no free firewall – it's only available on a premium paid plan.
One important note about Sucuri is that the plugin was recently purchased by GoDaddy so their ability to support it properly has yet to be proven. In webhosting circles, GoDaddy is not looked upon favorably, so only time will tell if that reputation will extend to Sucuri or if they'll be able to step up to the challenge.
Sucuri also has an audit log so you can review security-related activity on your website such as failed logins.
All in One WP Security & Firewall
All in One WP Security & Firewall is the only plugin that even comes close to Wordfence in popularity. It offers many of the same benefits including a free firewall based on .htaccess rules, brute force protection, and a security scanner.
One thing it does not include is a 2-Factor Authentication module, so you'll need to add a standalone plugin for that functionality.
It could be argued that All in One WP Security & Firewall actually provides the most robust firewall of all security plugins. Since the firewall is .htaccess-based, it's processed before any scripts are run, which makes it very reliable.
All in One WP Security & Firewall also includes a nice feature to help protect against automated comment spam. Alternatively, you could replace the WordPress default commenting system with Deeper Comments for additional features and protection.
Use Cloudflare
Cloudflare gained popularity with WordPress users because of their excellent (and free) CDN service which helps speed up your website. But Cloudflare also offers a host of free tools that help harden your site against attacks.
For one, when you point your name servers to Cloudflare, you get the benefit of one of the fastest and most secure DNS services available and free SSL certificates.
Cloudflare's servers inspect all traffic for DDoS attacks before it ever reaches your server, and their firewall is highly configurable even in the free version (with a limited number of rules), allowing you to filter traffic based on country, ASN, or even the URL or query string.
As an example, if you only ever log into your website from a single IP address or a small number of fixed IP addresses, you could build a rule in Cloudflare that blocks all other IPs from even accessing wp-admin or wp-login.php. That would block all of the bots trying to perform those brute force attacks we talked about in section 3. You can also restrict access to wp-admin using your .htaccess file instead of Cloudflare. You can implement both if you want multiple layers of protection (highly recommended).
Don't Use Nulled Themes or Plugins
Do you want that premium theme but don't want to pay for it? Well, if you get it from one of those sketchy sites that offers nulled themes and plugins, you can get it for free. But there is still a price…
When you use a nulled theme or plugin, you lose the guarantee that the product is the same as what's offered by the official vendor. This means, you lose the integrity of the code.
Nulled themes and plugins are a significant source of malware because whoever nulled the plugin sometimes added their own malware to it in order to take over your site or perform other malicious actions such as stealing your resources for crypto mining.
Nulled themes and plugins are the malware you willingly install on your own website without even realizing it. Just to save a few bucks? It's not worth it. If you need a premium feature, then pay a reputable developer for it.
Disable File Editing
The WordPress admin dashboard has a very convenient built-in editor that allows you to modify the contents of your theme and plugin files. Unfortunately, this editor also makes it convenient for hackers to modify the code of your website if they happen to break into your account.
The reality is, you're almost never going to use this functionality. If you ever edit a core file, you're probably going to do it directly through your host's file manager or using an FTP client.
You can disable the ability to edit files from the admin dashboard by adding this one line to your wp-config.php file:
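The line the post refers to, added here because the snippet itself did not survive on the page (this is the standard WordPress constant, not code taken from the post):

```php
<?php
// Add this to wp-config.php above the "That's all, stop editing!" comment.
// It removes the Theme File Editor and Plugin File Editor from the dashboard,
// so a stolen admin session cannot be used to drop PHP into your theme files.
define('DISALLOW_FILE_EDIT', true);
```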
Once you add this line, the edit menus are no longer available for plugin and theme files in the WordPress admin dashboard.
Move and Rename your wp-config.php File
While we're talking about the wp-config.php file, a lot of people already know that you can move the wp-config.php file up one directory from your WordPress installation and your site will work just fine. But let's take it a step further.
Did you know that you can actually rename the wp-config.php file to whatever you want and move it out of your WordPress installation completely to a non-public folder? It takes a bit more work to do, but it’s well worth it.
While the file itself generally returns a blank page when called in a web browser, in rare cases when the PHP handler fails, the entire contents of the file could be visible as plain text right in a web browser.
The wp-config.php file contains sensitive information about your website including the database username and password. This information in the wrong hands could be catastrophic. Renaming the file to something random helps to hide it from bots and hackers.
By moving wp-config.php to a non-public folder, you eliminate the ability for someone to get the information through a browser during a PHP handler failure.
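One way to wire up the relocated file, as an added example that is not code from the original post: a secret-free wp-config.php stays in the web root and only hands off to the renamed copy. The directory layout and the file name `wp-settings-a7c3.php` are assumptions; the moved file is your original wp-config.php, unchanged.

```php
<?php
/*
 * wp-config.php left in the web root. It contains no credentials: it only
 * loads the real configuration, which has been renamed and moved to a
 * directory the web server never serves.
 * Assumed layout (placeholder names):
 *   web root:    /home/example/public_html
 *   real config: /home/example/private/wp-settings-a7c3.php
 */

// WordPress core normally defines ABSPATH before loading this file. Define it
// here as a fallback so the moved file's own guard does not set ABSPATH to the
// private directory instead of the web root.
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}

$real_config = dirname(__DIR__) . '/private/wp-settings-a7c3.php';

if (!is_readable($real_config)) {
    // Fail closed and say nothing about the path: a broken handler or a bad
    // deploy should never reveal where the credentials live.
    http_response_code(503);
    exit('Site configuration unavailable.');
}

require_once $real_config;
```

If your handler ever serves this stub as plain text, all a reader learns is that a configuration file exists somewhere outside the web root.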
Audit Activity on Your Site
If you're not keeping track of what's happening on your website, you might be missing key information that could alert you to attempted malicious activity, or help you discover malicious activity that has already occurred if your site has been compromised.
Aside from the security benefits, if you have a site with multiple users, having a good audit plugin can also help ensure you can track legitimate activities. As an agency, it's a great tool to know if your client might have messed something up even if they say they didn't do it!
There are several good plugins for auditing site activity. Some of the previously mentioned security plugins have some level of audit logging capability, but the ones below take it to the next level by auditing all user activity rather than just security-related events. Here are the top 3.
Simple History – User Activity Log, Audit Tool
Simple History is the most popular plugin for auditing and it's a great one to start testing with. It logs all of the things you'd expect such as content updates, plugin installs & activations, and just about any other type of user activity.
The plugin has a 5-star rating and the developer team is pretty active in the support forums and regularly answers support questions there in a reasonable time frame.
WP Activity Log
The WP Activity Log plugin is another great option to use for your site. It has some more configurable options than the previous plugin such as the ability to enable and disable the auditing of certain events and a configurable retention period for logging. It also has a ton of add-ons to extend monitoring to specialty plugins like WooCommerce and WPForms.
The plugin has a 4.5-star rating and the lead developer responds to just about every single support forum question personally.
If you run an agency, WP Activity Log integrates well with the popular management tool MainWP so you can view the audit logs of all your client sites in a single interface. Among agencies, WP Activity Log is the #1 choice for audit logging.
Activity Log
Another popular option with a 4.5-star rating. Activity Log captures everything you'd expect and has a good number of active installations.
Unfortunately, the developer doesn't often respond to support requests in the forums with most support questions sitting unanswered indefinitely.
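To show the kind of event these plugins record, here is a minimal must-use plugin that writes every successful and failed login to the PHP error log. It is an added example, not code from the original post or from any plugin named above; it relies only on the core `wp_login` and `wp_login_failed` hooks, and assumes no reverse proxy in front of the server (behind Cloudflare, `REMOTE_ADDR` would be Cloudflare's edge address).

```php
<?php
/**
 * Plugin Name: Minimal Login Audit
 *
 * Save as wp-content/mu-plugins/login-audit.php; must-use plugins load
 * automatically. Each login event becomes one line in the PHP error log.
 */

if (!defined('ABSPATH')) {
    exit; // direct requests to this file get nothing
}

/** Address the web server saw (assumption: no proxy in front of the server). */
function login_audit_client_ip(): string
{
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
}

/** Build one log line; newlines are stripped so one event is exactly one line. */
function login_audit_format(string $event, string $username, string $ip, string $agent): string
{
    $clean = static fn(string $s): string => str_replace(["\r", "\n"], ' ', $s);
    return sprintf('[wp-login-audit] event=%s user=%s ip=%s agent=%s',
        $clean($event), $clean($username), $clean($ip), substr($clean($agent), 0, 120));
}

function login_audit_record(string $event, string $username): void
{
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? (string) $_SERVER['HTTP_USER_AGENT'] : '-';
    error_log(login_audit_format($event, $username, login_audit_client_ip(), $agent));
}

// Fired by wp_authenticate() when a login attempt fails, with the username tried.
add_action('wp_login_failed', function ($username) {
    login_audit_record('login_failed', (string) $username);
}, 10, 1);

// Fired after a successful login.
add_action('wp_login', function ($user_login, $user) {
    login_audit_record('login_ok', (string) $user_login);
}, 10, 2);
```

A burst of `login_failed` lines for one username from one IP is the brute force pattern described in section 3, and it is visible here before any security plugin is installed.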
Utilize the Principle of Least Privilege
In the world of cyber security, the Principle of Least Privilege is a concept in which a user has only the permissions they need to do their job.
In the world of WordPress, it's not uncommon to see a company with 10 users who are all set to Administrator. There might be legitimate reasons for this level of access, but it's rare to need more than 1 or 2 accounts with such a high level of permissions.
One thing you can't control is what your users do when they're not actively performing work on your WordPress website. This means if they fail to protect their own data from hackers, there's a good chance that sloppiness will spill over into your website.
By limiting their access, you'll be able to mitigate any damage a user might unintentionally do such as clicking a malicious link while still logged in to your website. Even if you're the site administrator, you should use a separate editor account with limited permissions when you're not performing high-level administrative tasks.
Is it tedious to do this? Sure. But it's far less tedious than having to clean up an infected website.
Bonus: Take Frequent Backups
In the worst-case scenario where your site has been compromised, sometimes the only option is to restore it from a clean backup, one that was taken prior to infection. Most decent web hosting companies will back up your site once per day, but they usually only retain these backups for a couple of weeks.
This is problematic if you have an infection that went unnoticed for a while. Many infections effectively hide themselves from logged-in administrators to avoid detection for as long as possible.
Because you now know that security is best in layers, you can apply the same concept to your backups by taking your own backups in addition to those taken by your web host.
There are some great free backup plugins available including UpdraftPlus, BackWPup, and All-in-One WP Migration. Each one has its own strengths and weaknesses, but they're all very reliable and allow you to back up your site more regularly. In some cases, you can even automatically back up to remote cloud storage like Dropbox or OneDrive.
WordPress security is an important part of owning a website. It can also be a time-consuming and resource-intensive process if done incorrectly or neglected. By implementing the keys in this post, you can put most of your security needs on automatic so you can focus on what's important: your business.
November 13, 2023
October 23, 2023