Several hacks occur due to entirely preventable reasons: updates not done in time, insecure passwords, and so on. 

How do we know this? We have helped 25000+ hacked WordPress sites and have significant experience with website security. 

In this website security essential guide, we’ll show you how to secure a website:

• Even if… you’re new to website security and you don’t fully get what that means;
• Even if… you’ve tried and failed at securing your website before;
• Even if… you’re overwhelmed and you have no idea where to start;
• Even if… you’ve thought, “I’m no match for hackers – so why even try?”

But even more importantly, we are going to talk about how to think about website security in the first place. This way, you are equipped to make the right decisions for your website. 

TL;DR: The easiest way to secure your website is to install a security plugin. It’s perfect for those who just don’t have the time to engage in website security. Just set and forget the plugin. But if you can afford the time and bandwidth, we urge you to read and implement these measures.

What is website security?

While it is great that you are taking steps to secure your website, it is important to realise that website security is a continuous process. Hackers are a creative lot, therefore threats constantly evolve. 

You will see in the article below that a good security plugin will do most of the heavy lifting in terms of malware, but being cautious and vigilant is what clinches website security.

How to secure a website from hackers? (Actionable Steps)

To have an actionable plan to secure your website, the first step is to understand how websites get hacked. As per our research, websites are primarily hacked through the following 3 methods:

• 90+% → Vulnerability in a plugin or theme 
• 5+% → Compromised username and/or password
• <1% → Poor web host services

This distribution should form the basis of how you plan your website security, and where to allocate the most time and resources.

1. Protect your website from vulnerabilities 

Hackers are on a constant lookout for vulnerable websites. It doesn’t matter whether the website is big or small. They have plenty to gain by hacking just about any website. In our experience, over 90% of all hacks happen because hackers have identified a vulnerability, and exploited it.

Let’s look a little deeper into what vulnerabilities are. This is critical to understand, so that you can shape your website security strategy mindfully in the future. 

What is a vulnerability exactly? 

Your website is made up of 3 main components: WordPress, plugins and themes. These are all basically software, and like any software, they contain bugs which cause them to malfunction on occasion.  

Bugs can have a variety of consequences: some will cause your website to slow down, or throw an error when someone visits it. These are annoying and problematic, but the more serious ones allow unauthorized users (i.e. hackers) to gain access to your website. This sort of bug is known as a vulnerability. 

Types of vulnerabilities

Vulnerabilities can be summed up, as we did in the previous paragraph, as bugs in code. However there are a few specific types that crop up more frequently than others: 

• Outdated software: It is important to keep the core, plugins and themes updated.
• Poor user role management: Don’t give every user full admin access.
• Unsanitized inputs: Input fields need to check the input before storage and/or execution. 

Hacks possible on an unsecured website

Vulnerabilities are closely tied to the kinds of attacks they permit, and are often spoken of interchangeably. The most common attacks that WordPress experiences are: 

• Code injections: where malicious code is inserted via input fields and executed by the website code or database. An often-seen variant of a code injection in an SQL injection, which is particularly egregious for database-driven applications like WordPress
• Cross-site scripting attacks: This type of vulnerability steals user cookies to impersonate them, or even hijack the session. The targeted user’s access is then used to attack your website
• Brute force attacks: As the name implies, there is no finesse in this type of attack. The hacker bombards your login page with combinations of usernames and passwords in an attempt to uncover the right one.
• SEO spam: All spam is serious, but this attack hits where it hurts the website the most: SEO. Website owners spend resources working on their SEO, only for a hacker to take undue advantage by inserting pop-ups and links to illegal or grey market items. SEO spam attacks are also difficult to detect, and often websites will experience the detrimental effects of spam before realising they are infected in the first place. 
• WordPress phishing attacks: In these attacks, the hacker attempts to impersonate a legitimate entity in order to trick a user into giving up their information willing. Phishing works in tandem over email and a hacked website in order to get these credentials.

What is the effect of a vulnerability? 

Plugins and themes are installed on several thousands of websites, therefore the effect of this one flaw is greatly amplified. 

Responsible plugin and theme developers make an effort to plug these security holes in their products by releasing updates. This is actually a key reason why we recommend opting for premium plugins whenever possible. Regular software maintenance cannot be sufficiently emphasized in a website security strategy.  

Great, so the bug has been patched. We’re safe now, right? Well, not quite. The discovery of a vulnerability is a dangerous time for website owners. 

What happens when a vulnerability is discovered?

Vulnerabilities are often discovered by security researchers. They disclose their findings to the plugin or theme developer. As we said in the previous section, responsible developers will race to fix the issue and release an update. 

When the vulnerability is fixed, the security researcher will publish their findings. The developer has released a fix, so websites are safe, right? 

Not quite.

Hackers also read about the vulnerability, and look for websites that haven’t updated their versions. Public vulnerabilities tend to attract novice hackers (also known as script kiddies) because now they can exploit websites without effort. They know with pinpoint accuracy where the target is.

What you need to do to secure site against vulnerabilities

We now talk about the concrete steps you can take to ensure website security and secure the site from hackers . These steps may seem simple, however they are powerful ways to keep your website secure. 

1. Take backups

Backups are the most underrated part of a security strategy. We cannot stress enough the importance of taking regular backups. They are your safety net, the only thing you can rely on when things go south. Backups help you get back on your feet quickly. 

However, not all backup plugins are built equally. Many fail when you need them most: at the time of restoration. There are several factors to choosing the right plugin. Keeping these criteria firmly in mind, we have reviewed the top WordPress backup plugins available. 

2. Keep plugins and themes updated

This may sound very obvious, especially if you read the previous section about how important updates are. However, it is very easy to ignore the red notification on the dashboard, in favour of doing something more urgent. 

Therefore, we will reiterate. Plugin and theme developers release updates with security fixes. Even if you choose to put off installing updates (but please don’t), at least do so after going through the release notes.

3. Choose good quality plugins and themes

By this point, we have amply illustrated how central plugins and themes are to your website. While there is unlikely to be a completely foolproof piece of software ever, there are key factors to keep in mind while choosing the right plugins and themes for your website:

• Is the plugin regularly updated: A plugin or theme which is consistently maintained by its developer is likely to get a security patch if a vulnerability is discovered. 
• Is the plugin popular: This is a double-edged sword. A popular plugin with millions of installs will be the target of hackers. But these plugins also tend to be more secure because a lot more people are monitoring them.
• Is it a premium plugin: Paid plugins support the work of the developers, and therefore are far less likely to be abandoned than a free plugin. That is not to say that open source software is never secure, however with a premium product you are paying for customer support and product quality.
• Never install nulled plugins and themes: Premium software available for free is problematic on many levels. Nulled software often has malware or backdoors that will allow hackers access to your website once installed. 

4. Use a firewall

There is no foolproof way to prevent hackers or the bots they design to attack websites like yours. However we can decrease the probability considerably by installing a firewall. 
Here’s a list of the best WordPress firewalls to choose from.

2. Protect your username and password

We’ve found around 5% of hacked websites were vulnerable to attack because of weak passwords. This may seem a small number when compared to outright malicious activity, but it is still significant enough to command your attention.

Losing the admin password to your site is like losing keys to your home or car. With the key, the thief has complete control over your prized possessions. Likewise, with the password, hackers have complete access to your website. At this point, not even a firewall or a security plugin can prevent hackers from causing damage to your website.

The need for strong passwords continues to be very strongly advocated, but because of the difficulties associated with it, it’s often ignored by website users.

Before we go into mechanisms to have strong credentials, let’s address some common questions people have about them. 

How is it possible to steal a password? 

The answer may come as a surprise: the hacker tries to guess the password. By this, we don’t mean they are trying out various passwords manually, but there are bots to do this. This is also known as a brute force attack, or if the bot is guessing words, a dictionary attack. 

These attacks work very well because of several reasons: 

• Easy-to-guess passwords: common words, short words, the word ‘password’ itself in different permutations
• Data from previous hacks: there is a reason why people recommend using different passwords for different services and websites

How to safeguard against password theft

1. Use a strong password

Strong passwords use a combination of letters, numbers, and symbols in random configurations, because those are hard to crack. It may take hacker bots years to get find the correct one. 

You could try creating a strong password on your own, or use a password generator. Then you can use plugins to enforce strong passwords. 

Strong, hard-to-crack passwords can be difficult to remember, so we recommend using password managers like LastPass.

2. Limit login attempts 

A good way to thwart a brute force attack is to block attackers after multiple failed login attempts. This is an effective mechanism, since, this type of attack consists of hackers’ bots repeatedly trying different passwords.

MalCare firewall comes integrated with this feature. Limiting login attempts is a highly effective way to secure your website without many downsides

If an authorised user has inadvertently reached this point, they can click through the link to find a captcha confirming they are indeed human. 

3. Implement two-factor authentication 

Several services use two-factor authentication during the login process, which essentially means you need to have two (ideally) separate tokens to access your account. Most commonly, these involve a combination of passwords and a limited-time token like a pin code or QR code sent to your email or a device. 

There are several plugins that implement two-factor authentication or 2FA, and they vary depending on the services they provide. 2FA comes integrated in MalCare’s security suite as well. 

4. Implement CAPTCHA protection 

CAPTCHAs can only be resolved by humans. They are designed to prevent hacker bots from accessing an account. You can use it to protect your website.

Here’s a neat little article by Kinsta that’ll help you get started. 

5. Use a firewall

Certain website security firewalls like MalCare’s also keep track of malicious IPs at a global level. The firewall learns from all the sites with the plugin installed. It then automatically blocks bad IPs even before they have attempted to crack your password. This, in combination with limit-login capability, can protect your site from hackers trying to force their way in.

3. Choose a good web hosting provider

There is a tendency to blame the web host for anything that goes wrong with a website. While web hosts are generally responsible for many aspects of a website, they are rarely at fault when a website gets hacked.

In fact, the opposite is generally true, web hosts improve website security. 

Of course, there are some web hosts who play a role in the compromise of websites hosted on their server. It rarely happens, but when it does, it’s a major incident that compromises thousands of websites.

4. Install an SSL certificate

Secure Sockets Layer, more commonly known as SSL, is a security protocol that encrypts all communication to and from a website. Once installed, it appears as a padlock at the beginning of your website’s URL. 

The benefits of using an SSL certificate are as follows:

• All data passing to and from your website is encrypted 
• It is a badge of trust for your website. In fact, most browsers will flag sites without SSL as ‘Not secure’ in the address bar. 
• Google loves websites with an SSL certificate and even rewards them with a higher ranking.

Easily install an SSL certificate on your website. It barely takes any time, and it is well worth the effort spent. 

Good website security practices

As we said at the outset, website security is an ongoing practice. In this section, we are listing out practices that are good to inculcate in your overall website security strategy. Once you get into the habit of doing so, the small investment of your time and effort will pay for itself many times over with a secure website. 

1. Change your password frequently

We understand that setting difficult-to-guess passwords is tricky, especially because they are often synonymous with difficult-to-remember. We can also imagine the dismay at being asked to change this most excellent password regularly.

The reason is that passwords are the weakest links in security; especially if you use the same passwords for multiple accounts. Even if one site experiences a breach, you can safely assume that all your accounts are potentially compromised. There are news stories about breaches every few weeks–and those are just the reported ones. Something to keep in mind. 

Regularly can also mean different things to different people. Some financial institutions, like banks, mandate that passwords be changed every 90 days. Using a password manager is the way forward. 

2. Review website users + track new admin users

Hackers often leave behind admin users, so that they can regain access to a site. Hence, reviewing admin users on a regular basis can improve website security. 

Secondly, website collaborators can change. If a user no longer needs access, it is best to remove their access. The reason is two-fold: you don’t want the user to make any more changes to your website; their inactive accounts can be compromised by hackers. 

Over time, as we build our site with newer content and design, we keep adding new users to our site. We should review these users periodically. You may be following good security practices yourself, but another user getting compromised will cause your site to be affected.

When adding users, give only necessary access levels as far as possible. For instance, If someone is only writing articles don’t give them admin access.

3. Set up activity log on your site

We are big fans of having activity logs for our website. It has saved our bacon multiple times.

Hackers don’t use core WordPress APIs to modify a website, therefore many of the changes they make will not reflect in an activity log. However, they can leave footprints behind, such as creating admin accounts for themselves to access the site. These unexpected actions can help detect hacks. 

Conversely, if changes are made by a collaborator, then activity logs can help avoid unnecessary panic, when you see changes made to your website. 

4. Block PHP in the Uploads folder

A whole class of vulnerabilities (Remote Code Execution, to be precise) lets hackers upload malicious PHP files to the Uploads folder. The hacker can then use it to execute any code they want on your website. In other words, they have complete control over your website.

The attack can be neutered effectively if you block the execution of PHP files in the Uploads folder. Don’t worry. Blocking PHP files in the Uploads folder is safe because they shouldn’t be present there, in the first place. Uploads folder is where you store your media, not scripts.

If you are using, MalCare security plugin, you can block PHP execution in the Uploads folder with the click of a button. For Apache/Litespeed based sites, we can add rules to htaccess to enforce this protection.

Things to avoid when securing your website

A quick Google search will give you numerous tips and strategies to secure your website. Several security plugins will also present multiple options to protect your site against password crackers. Securing your website is a great deal about what you should do; however, there are also some things you should avoid. 

The reasons vary for each of the points we talk about below, but at its core, there should be a tangible security benefit to your measures—especially if you are asking your users to jump through additional security hoops. For example, if you apply both captcha and 2-factor authentication, getting into your site becomes trying, with little additional benefit.

You may get an additional sense of security from applying all available options, but in cost-benefit analysis, they don’t cut mustard. 

1. Hide wp-login page

You’ll see this one on a lot of forums: change the wp-login page to a custom URL for your site. The logic is, if the hackers can’t find the login page, they can’t use brute force attacks to gain entry to your site. 

There are a few flaws with this:

• WordPress also lets you log in using XML-RPC
• It will make your site difficult to use. If you forget the special URL you have created for yourself in lieu of wp-login, then recovering from this can be difficult. 
• If you use a common URL or the default one that comes with the security plugin, it will be easy for the hackers to guess anyway, therefore defeating the purpose entirely. 
• Hiding this page involves applying complicated settings to your site which can have other unexpected side effects.

Therefore, in our opinion, it is just not worth the effort.

2. Geo-blocking

Another commonly recommended security measure is geo-blocking. You may not need or expect legitimate traffic from certain countries, and hence decide to restrict access. MalCare supports this feature, but we don’t recommend you do this because: 

• IPs for regions are not perfect and can have errors.
• If you block yourself out by mistake, reverting this will be difficult.
• You might end up blocking good bots such as Google which can harm your site.

A good firewall can and will protect your website against malicious bots and undesirable traffic. We’ve covered the benefits of firewalls in a previous section. 

3. Password protect wp-admin directory

The wp-admin folder is one of the most crucial folders on your website. Naturally, it attracts a lot of attention from hackers. Therefore, protecting it with a password may seem like a brilliant move, but it’s counterproductive. 

Password protecting your wp-admin directory breaks AJAX functionality on your WordPress website. AJAX is a coding technique that loads parts of your website from the server without changing the currently displayed page. 

If this sounds like gobbledegook, it essentially means that it makes your website dynamic, without constantly reloading it for users every time something changes. 

Think about scrolling on the newsfeed of a social networking site. New stories or tweets load while you are still reading the ones already on your screen, and you can refresh the newsfeed when you want to load the new content. 

4. Hide WordPress version

The logic behind hiding the WordPress version of your website is related to security updates. If your website doesn’t have the latest version of WordPress, a hacker may be able to exploit a vulnerability that exists in an older version. 

However, hiding your WordPress version has no benefit whatsoever. There are several ways to determine a website’s WordPress version: inspecting the site’s frontend code, checking the RSS feed, etc. All of which are legitimate, incidentally. 

The way to combat WordPress vulnerabilities in older versions is to keep your version updated to the latest one. Many website administrators are afraid that updating a live site may cause something to break. Therefore, it is best to do so on a staging site first. 

What to do if your website has been hacked?

If your site has been hacked recently, it is even more important for you to be extremely diligent about the security of your site. If not done correctly, it can lead to the site getting hacked repeatedly and the whole situation becoming a total nightmare.

• Clean the malware first: Use a good security plugin, like MalCare, to automatically remove malware without a trace. 

• Update everything: As we said before, software updates are vital. Make sure you have the latest versions of WordPress, themes and plugins. If you don’t, there is a good chance this is the reason your website got hacked in the first place. 

• Review every admin user: Scrutinise every admin account carefully. We’ve said this already in this article, but hackers create admin accounts to regain access to a website that they have hacked, in case the malware has been discovered. 

• Change all passwords: Assume your credentials have been compromised and change passwords. Hopefully you do not use the same password for different products and services, otherwise you should change those passwords as well. 

• Change DB credentials (if possible): The wp-config.php file contains the credentials the WordPress site uses to connect to the database of the site. In many cases, access to the database is restricted even if the DB credentials are compromised. However, with some hosts, hackers can use this information to directly modify the database. This can cause the site to be reinfected.

• Change security keys: WordPress uses security keys to manage sessions for logged-in users. Read more about what they are and how to make a website secure by changing them.

• Set up a WordPress firewall: We’ve already covered this in detail in this article. A WordPress firewall is your best defence against malicious bots and bad traffic.

Conclusion

We started this article on how to secure a website with a clear signpost: the first step is to think about website security in the right way. It is an ongoing process. A good standard practice to have in any organization is to conduct periodic website security audits.

The threat landscape is constantly changing, and hackers will find more creative ways to defeat defences. Security experts remain constantly vigilant, and this is the main takeaway from all of what we have learned in our years of research: don’t get complacent. 

Have thoughts to share? Drop us a line, or connect with us on social media. Love to hear your thoughts.

FAQs