The Ultimate WordPress Security Guide 2020
Over 1/3rd of all websites are powered by WordPress – making it the most popular content management system by far. This often leads to the conclusion that all websites powered by WordPress are easy for hackers to exploit.
However, this really isn’t the case. Its popularity paired with the fact that many WordPress users lack basic security knowledge, don’t keep their sites up-to-date, and bad hosting is what causes many to jump to this conclusion.
This is why a proper WordPress security setup and having a plan in place to deal with things if they ever do go south is an absolute must.
Only $124/yr for 48GB RAM and
480GB 960GB NVMe and free backups for LIFE!
Celebrating our 9 year anniversary! Capacity is limited and some deals will sell out. Get yours before they are gone!
If you run a site on WordPress, and especially if it’s an eCommerce or business site, read on. We have compiled the ultimate list of precautions you should take to protect your site or blog.
This extensive tutorial includes all WordPress security basics, for both beginners and more advanced users. Without further ado, let’s dive right into it.
If you haven’t had much experience with WordPress, the above might make you question its basic security. You might be wondering if WordPress is safe to use, to begin with.
The answer to that question is: mostly yes. That being said, whether your WordPress site will become susceptible to security issues depends on how you’re using WordPress. Vulnerabilities usually creep up on you if you haven’t covered your security basics. And due to the sheer volume of WordPress sites out there, as we a result of this it has earned the reputation of not being safe enough to use – which is outright false.
If malicious software reaches your WordPress-run business website, it can have terrible repercussions on your professional outlook and even cost you money. Hackers can get a hold of information such as user passwords, install viruses on your site, and even transmit these to your users. In worst-case scenarios, website owners find themselves paying to hackers who used ransomware in order to get access to them again.
Attacks like these often happen after the website users themselves make a wrong step, such as clicking on a suspicious email or opening a non-trusted website they found somewhere on the internet. After all, Google puts thousands of websites on its blacklist for malicious software and phishing every day.
This is why protecting your website should be as high of a priority as protecting your physical assets. In a time where every interaction happens online, website security negligence can cost you dearly. Let’s see how you can avoid this.
The WordPress Core is frequently updated by “core contributors” – depending on your settings, you can choose to update the WordPress Core automatically for major versions or minor versions.
Throughout the entire community, opinions on what the best way to handle automatic updates really varies. There is however a general consensus that auto-updates are better than never updating, so it is thought that the auto-update feature for major and minor versions of WordPress was introduced for less experienced users who rarely maintain their site. While some users which have complicated setups with a number of plugins will wait 15-30 days before updating their version of the WordPress Core just to give plugin developers a chance to catch up and ensure everything is compatible...
A big part of WordPress’s functionality is its plugins and themes, which also receive updates frequently. Plugins also play a huge role in leading people to believe that WordPress is vulnerable. There is some merit to that point because not choosing your plugins carefully can put your site at risk.
Before installing a WordPress plugin always make sure:
- It is kept up-to-date
- The creators are actively maintaining it
- It has an active user-base (are other popular sites relying on it?)
- Has it been built with performance in mind?
We cannot stress enough how important it is that you get all of these updates in order to keep your WordPress websites safe & secure. Don’t neglect updates at the risk of breaking your site’s functionality. You should never feel like your site is so fragile that updating a plugin to the latest (and most secure) version can lead to something breaking because at some point using the outdated version of a plugin will lead to the exact same issue…
Most situations in which someone has been able to successfully exploit a WordPress website occurs when a plugin exposes certain functionality (that can be misused) to other user roles.
This poses a greater risk when you run an eCommerce store or membership website with an open registration that allows anyone to create an account on your WordPress website with specific permissions.
Creating a stronger password (consisting of letters, numbers as well as special symbols) is a common and widely-known first step. We recommend creating an entirely new password for your WordPress admin dashboards that is not reused on other WordPress websites (or anywhere else for that matter) – and using LastPass to securely store all of these passwords.
There is a whole range of hosting providers out there, ranging from shared hosting and managed hosting all the way to VPS hosting.
What does this have to do with WordPress security?
Not all hosting providers are equally secure and equipped to let you reliably host your website with them...
When it comes to self-hosting, we are a bit biased of course, but rightfully so – SSD Nodes is one of the best solutions out there offering unparalleled value for money. Aside from offering server-side backups, unlike managed hosts that limit what it is that you can do with your servers, we don’t. And, we offer built-in support for two-factor authentication to ensure that only you’re able to access your SSD Nodes account…
SSD Nodes provides VPS cloud servers, which are extremely cost-effective and when paired with one of these cPanel alternatives allow you to easily & securely deploy WordPress...
If you’re relatively new to WordPress, having to deal with security can feel like a lot to handle. But, don’t worry – even if you’ve never come across WordPress before – in this guide, we’ll cover everything you need to know...
One of the main precautions you should have in place in order to deal with any potential security issues are backups.
If someone does manage to gain access to your site, as long as you have a backup, downtime can be minimize which means your site can be back online in minutes instead of hours of trying to locate the cause of the issue on a live site.
Here are the very best WordPress backup solutions:
- SSD Nodes Server-Side Backups
- WP Time Capsule
- Manual Backups via SFTP/FTP
Keeping backups off-site (i.e. on another server) is absolutely essential as if someone does obtain access to your site & server, it would defeat the purpose of having the backup in the first place.
At SSD Nodes, we provide extremely affordable server-side backups that don’t affect the performance of your websites. These are extremely useful if something does go wrong and you want to fully restore your server.
However, other solutions like ManageWP and BlogVault are great if you want to take very frequent backups and also use backups of existing sites to clone and create new WordPress sites for rapid development.
Keep in mind that you should make full-site backups as often as you can. The most complex type of site to backup is one that processes payments or user registrations since when you start restoring the backup you always risk losing some data (even if backups are taken every few minutes). Nonetheless, this is still far better than having a site offline for hours or days while you and your web host try to find the infected plugins/code which needs to be removed.
Aside from backup plugins, there are also a number of security-related plugins that are the line of defense before backups even come into play.
The security plugins that protect your website from even being at risk in the first place.
Here are the very best WordPress backup solutions:
- iThemes Security
The functionality available here really varies but you can’t go wrong with any of the above – we’ve tried & tested them all. They perform a variety of functions including monitoring the integrity of your website, limiting the number of unsuccessful login attempts, scanning for malware, etc.
Installing a web application firewall (WAF) is one of the easiest & best ways to prevent unwanted access from your site.
WAFs filter, monitor, and block malicious HTTP/S traffic traveling to your website.
Web application firewalls work on several levels. DNS-level WAFs check the web traffic from your site route using a cloud proxy service, only allowing safe traffic to pass and reach your origin server (think of this as your web host). A prime example of a service that does this is Cloudflare, which we use at SSD Nodes to secure and improve the performance of our own sites.
On the other hand, application-level WAFs, control traffic at the origin server essentially preventing certain WordPress functions/scripts from being used when they shouldn’t be (something which a DNS-level WAF wouldn’t be able to do). For this, we recommend using WebARX. Its smart firewall keeps your WordPress website safe from plugin vulnerabilities, malicious software, spam, and much more, without slowing down your website at all.
Another good precautionary measure you should take is enabling SSL (Secure Sockets Layer). SSL is a protocol for establishing encrypted links between your website and the end-user visiting it. Encrypting the connection is a safety measure which makes it difficult for malicious third parties that want to steal sensitive information to hack it.
Enforcing SSL on your website means it will drop the use of HTTP and use HTTPS in its place. When you use HTTPS, your browser will show you a lock sign, usually to the left of your site address.
SSL certificates can now be found for free on the web. There are also paid versions available that offer improved encryption.
If you’re already familiar with the measures we’ve covered above, the chances are you’re an advanced WordPress user. Luckily, our WordPress security guide doesn’t end there & there is still more you can do to improve the security of your website.
The following steps are for seasoned WordPress users who want to add an extra layer of security to their WordPress site. Having a basic knowledge of coding & how WordPress works behind the scenes is necessary in order to proceed with some of them.
One of WordPress’s core features is its code editor. With it, you can change theme and plugin files simply by using the WordPress admin.
This feature, however, could harm your site if any malicious party ever gets their hands on it. We advise you to disable it in order to prevent such a situation.
To disable file editing, open your wp-config.php file and add the following code in it:
- // Disallow file edit
- define( 'DISALLOW_FILE_EDIT', true );
Another way to do this is through the Sucuri plugin we talked about above, by using its Hardening function.
We also advise you to disable PHP file execution for the directories in which you don’t need it, for example for /wp-content/uploads/.
To disable it, simply run any text editor (Notepad, WordPad) and add the following code:
- <Files *.php>
- deny from all
After writing the code down, save the document with the .htaccess extension. Next, upload the saved file to the /wp-content/uploads/ folders on your website through an FTP client.
You can also use the Hardening function of the Sucuri plugin to do this instead.
WordPress lets anyone try to log in an infinite amount of times unless users change this option. This makes your site susceptible to brute force hacks, letting potential hackers make as many login attempts as necessary before they finally guess the password.
Luckily, you can set a limit on how many times a wrong password can be used to log into your WordPress. If you have a WAF, this measure is already in place, but in case you don’t, here’s how you can set the limit yourself:
To start with, get the Login LockDown WordPress plugin and activate it. Then, go to Settings, and choose the Login LockDown option that lets you set the limit on failed password attempts.
Its name being pretty self-explanatory, this feature uses two factors to authenticate any login attempt. The first factor is the standard user and password, whereas the second one obliges you to confirm the login attempt through a different device, such as your smartphone, for example.
To enable this method, get the Two Factor Authentication WordPress plugin and activate it. Next, click on the Two Factor Auth link in the WordPress admin.
Once this is done, you’re going to need to download an authenticator app on your smart device. The simplest choice here would be Authy, but there are many others out there and they’re all free.
As an example, we will show you how this is done on Google Authenticator, but the process is going to be virtually the same regardless of the authenticator app you’re using.
- Open Google Authenticator and press the big plus button in the lower right corner. It lets you either scan a QR code or enter a setup key. Choose the QR option, find the QRcode in the plugin’s Settings, and scan it with your smart device’s camera.
- Your two-factor authenticator is now activated. During your next login, after you enter your password, you will need the code which you’ll obtain by opening the authenticator app on your smart device.
WordPress uses wp_ as the default prefix for all tables in your WordPress database. In case hackers try to guess your table name, having this prefix will make it easier for them to do so.
This is why we advise you to change this prefix. Be careful though, as this step can cause damage to your website if not done right. Only skillful coders should proceed with the following steps.
Before you begin, backup your WordPress Database. Next, open your wp-config.php file from your WordPress root directory, and change the wp_ table prefix line to something else.
Next, access your database and change the table names with the prefix specified in the wp-config.php file. Then search the options table for any other fields that use wp_ as a prefix and replace it. Do the same with the usermeta afterward. Now make another backup and you’re done.
Another thing we strongly advise you to disable, if you’re not using it, is the XML-RPC. If it’s enabled, hackers can use the system.multicall function to multiply their brute force attacks. If you’re using a WAF, this is already taken care of, but in case you don’t, proceed as follows:
Disable all xmlrpc.php requests from the .htaccess file before the request is passed onto WordPress. To do so, add the code below in your .htaccess file:
- # Block WordPress xmlrpc.php requests
- <Files xmlrpc.php>
- order deny,allow
- deny from all
- allow from 18.104.22.168
WordPress security plugins automatically scan for malware and vulnerabilities on a regular basis. But in case something suspicious happens, like a suddenly lowered web traffic to your site, it would be prudent that you scan your WordPress site manually.
To do this, we advise using a WordPress security plugin such as Wordfence, MalCare or WebARX. However, it is important to note that most WordPress security plugins will simply let you know if your site is at risk due to a plugin vulnerability or already under attact, it won’t actually fix any of these issues.
MalCare in particular is one of the solutions that does this, on the other hand is a solution that does this with their one-click automatic malware removal functionality that makes it easy to take immediate action against malware without haivng to hire external help at an unreasonable cost.
Keeping your WordPress site is easy to overlook, but thankfully also extremely easy to take care of. And remember, anyone who ever says WordPress is bad for security is wrong. Statistically, WordPress sites are obviously more likely to be a target for hackers because it powers over 33% of the internet.
Every website is at risk if you don’t have the proper measures in place to secure your website – the difference with WordPress is that it’s extremely easy to take all of these steps. Why? Because there’s an active developer community and you’ll be using the same content management system that sites like Bloomberg, CNN, The NY Times, Sony & more use.
We hope you’ve found our WordPress security guide useful & use it to lock down your site today…