Ultimate WordPress Security Guide

Malware costs businesses billions of dollars every year in lost revenue, legal costs, damage to branding, and data theft. To make matters worse, hackers constantly evolve their tactics, so malware keeps changing and getting harder to spot.  

There are data breaches almost every day, and the scary part is how much people are losing to hackers. When WordPress admins try to protect their WordPress websites, they get their advice online. While the advice is well-intentioned, some of it is very poor. 

But it is not all bad news. Quite the opposite in fact, because you’ve come to the right place. 

The good news is that we, at MalCare, protect over 100,000 WordPress sites every day, so we know plenty about WordPress security. The great news is that we will take you through what you need to know, step by step, to secure your WordPress site. The best news is that you don’t need to be a WordPress security expert to protect your website from hackers.

TL;DR WordPress security threats are a serious concern. Securing your site against hackers is crucial to protect your data, maintain trust, and comply with regulations. Using effective tools like MalCare can help simplify the process of safeguarding your website. 

What is WordPress security?

WordPress security is about protecting your site from hackers and malware. When we say “site,” we mean everything—its data and visitors too.

People often ask, “Is WordPress secure?” The short answer is yes.

Importance of WordPress security

(Charts: annual malware attacks, in billions; global phishing attacks)

WordPress comes with security features. Automatic updates, strong password requirements, and more work together to secure your site.

The issue is that WordPress powers a large part of the web, which makes it a big target for hackers. The good news is that WordPress has fixed many security issues because of its popularity. The bad news is that hackers are constantly looking for vulnerabilities to exploit.

A WordPress site can be attacked at any moment. It’s a mistake to think you only need security during or after an attack. You need proactive protection for your site right from the start.

1. Install a WordPress security plugin

A WordPress security plugin is your first line of defense. It identifies and fixes threats that you might miss. Security plugins have features like scanning, malware removal, and firewalls. Good ones will also include login protection.

We recommend MalCare as a solid choice for the following reasons:

  • Daily deep scans for malware
  • One-click malware removal
  • Removes backdoors to prevent reinfection
  • Advanced firewall
  • Vulnerability detection
  • Brute force protection
  • Intelligent bot protection
  • Activity log

(Screenshot: Security and Firewall section on MalCare dashboard)

Additionally, MalCare doesn’t use server resources to keep your site secure.

It combines the 3 most important aspects of WordPress security: a malware scanner, a malware cleaner, and an advanced firewall.

To protect your site with MalCare, all you need to do is install it. Your website syncs to our servers for scanning. MalCare finds malware hidden deep in site files and the database. And if it finds any malware, cleaning your site is as easy as clicking a button. MalCare surgically removes the malware only, keeping your data intact. In case of complex malware, you can reach out to MalCare’s responsive support team.

2. Use a firewall

A firewall is the next essential component of WordPress security. It acts as a barrier between your site and potential threats, and blocks malicious traffic before it reaches your site. By filtering out harmful data, a firewall reduces the risk of attacks on your site.

(Screenshot: MalCare’s firewall in action)

We recommend MalCare’s Atomic Security. Atomic Security is a smart firewall that goes beyond basic protection. It blocks vulnerabilities from being exploited even before they are discovered. It has prevented zero-day attacks on thousands of sites.

Additionally, MalCare’s firewall:

  • Protects against SQL injection attacks, remote code execution, spam injection attacks, cross-site scripting attacks, and more
  • Includes global IP protection for 100,000+ websites
  • Blocks bad bot traffic and attacks
  • Learns from all protected websites to proactively block bad traffic on others
  • Loads with WordPress to check all incoming traffic for malicious intent
  • Works out of the box 
  • Bundled with all MalCare’s security plans

There are different types of website firewalls, categorized by where they are installed and how they work. The most effective firewalls load before WordPress, like MalCare and Sucuri, so they can filter out all the bad traffic. Firewalls at the plugin level, like Wordfence, can filter out most of the bad traffic, but not all of it.

Firewall features vary, from automated threat detection to traffic monitoring. When you are looking for one, it’s important to choose comprehensive protection.

3. Scan your WordPress site daily

Regular scans are one of the most effective ways to secure your WordPress site. A daily scan helps spot any malware or unusual activity as soon as possible. With malware, the longer it stays on your site, the worse it gets.

We recommend MalCare’s free malware scanner, which has a host of other benefits:

  • Daily automated deep scans
  • Identifies even the most well-hidden malware and backdoors
  • Advanced scanner that goes beyond signature matching used by most other scanners
  • Identifies malware based on 100+ signals for risk assessment
  • Scans core WordPress files, the website database, cron jobs, and plugin and theme files and folders, for both free and premium plugins and themes
  • 95%+ accuracy with no false positives
  • Doesn’t use site resources to run scans

With MalCare, you will have a definitive answer as to whether or not your site is hacked. Once you have the scan results, you can upgrade to clean your website in minutes. 

(Screenshot: MalCare WordPress malware scanner)

Important: If you discover malware on your website, clean it immediately. Malware gets worse with time, as hackers get time to spread it through your website, steal your data, and infect devices and other websites. It is crucial that you remove malware as a priority; otherwise you run the risk of Google blacklisting your site, or your web host suspending it.

Malware scanners are not all built the same, and have varying levels of efficacy. Most malware scanners use a signature database to detect malware on websites. They compare the code on the website to all the signatures, and if any match, the code is flagged as malware. 

There are several problems with relying solely on a signature database to detect malware. 

Firstly, the database needs to be kept up-to-date at all times. Since malware is essentially code, it can have infinite permutations, so a newer variant is likely to pass through matching scanners without being flagged. 

Secondly, the team maintaining the database needs to have seen the malware to add it to the database. This is easy with free plugins and themes, but premium software often gets short shrift. We have seen malware go undetected in page builders like Elementor and Divi, or in popular themes from Envato and Themeforest for this very reason. 
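To make the difference concrete, here is an added example in PHP (not MalCare’s scanner, whose internals are not shown on this page): a toy signature matcher beside a multi-signal risk scorer, run over three constructed file contents. The signature string, the signal weights and the sample files are all invented for illustration; the point is that the exact-string database catches only the variant it has already seen, while independent signals flag the rewritten copy as well and leave the legitimate file alone.

```php
<?php
// Added example, not MalCare's scanner: signature matching vs. multi-signal
// risk scoring on constructed file contents.

// Constructed sample "files". The first two are webshell-style droppers
// (one verbatim, one lightly rewritten); the third is a legitimate plugin
// snippet that uses base64 for a harmless reason (an embedded icon).
$files = [
    'wp-content/uploads/2024/05/image.php' =>
        '<?php eval(base64_decode($_POST["d"])); ?>',
    'wp-content/themes/premium/footer.php' =>
        '<?php $f = "base64" . "_decode"; eval ( $f( $_REQUEST[ "d" ] ) );',
    'wp-content/plugins/gallery/icons.php' =>
        '<?php $icon = base64_decode("iVBORw0KGgo="); echo strlen($icon);',
];

// A signature database: exact byte strings taken from earlier samples.
$signatures = ['eval(base64_decode($_POST'];

function signature_match(string $code, array $signatures): bool
{
    foreach ($signatures as $sig) {
        if (strpos($code, $sig) !== false) {
            return true;
        }
    }
    return false;
}

// Independent signals, each with an assumed weight. None is conclusive alone.
function risk_score(string $path, string $code): int
{
    $score = 0;
    // Dynamic evaluation of anything is rare in legitimate plugin code.
    if (preg_match('/\beval\s*\(/i', $code)) {
        $score += 40;
    }
    // Feeding request-controlled data into the file is a dropper hallmark.
    if (preg_match('/\$_(POST|GET|REQUEST|COOKIE)\s*\[/', $code)) {
        $score += 30;
    }
    // Assembling a function name from concatenated string fragments.
    if (preg_match('/"\w+"\s*\.\s*"\w+"/', $code)) {
        $score += 20;
    }
    // PHP files have no business living under the uploads directory.
    if (preg_match('#/uploads/.*\.php$#', $path)) {
        $score += 30;
    }
    return $score;
}

foreach ($files as $path => $code) {
    $sig   = signature_match($code, $signatures) ? 'signature: HIT ' : 'signature: miss';
    $score = risk_score($path, $code);
    printf("%-42s %s  risk=%3d %s\n", $path, $sig, $score, $score >= 60 ? 'FLAG' : 'ok');
}
```

Run it with `php scan_example.php`. The signature database needs a new entry for every rewrite of the same dropper, whereas the scorer keys on behaviour (dynamic evaluation, request-controlled input, a PHP file in a data directory) that a variant cannot shed without changing what it does.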

4. Keep everything on your WordPress website updated

WordPress security vulnerabilities are the primary reason why websites get hacked. These vulnerabilities are caused by errors in code that allow unauthorized access to a website, like unsecured file uploads or SQL injections.

How vulnerabilities are discovered

WordPress core, plugins and themes are all built with code, and despite best efforts, the odd vulnerability may exist. In the best case, a security researcher discovers a vulnerability, and they inform the developers. The developers issue an update to patch the vulnerability. Once an update is released, the researcher makes the vulnerability public.

(Screenshot: WordPress plugins dashboard)

Other times, hackers discover a vulnerability first and exploit it widely before a patch exists. This is known as a zero-day attack.

Hackers exploit the vulnerabilities on sites that haven’t been updated. Therefore, you must regularly update your WordPress core, themes, and plugins. By doing so, you close the door on known security loopholes and keep your site safer.

Updates also bring improvements and new features, helping your site run better overall. It’s a simple step but one that significantly boosts your site’s security.

Important: Never use nulled themes and plugins. They are usually chock-full of malware, and because they are pirated, they don’t get updates from the developer.

Updating your site safely

Now, updating your site might seem daunting. What if your site crashes? What if it loses an important functionality? What if it changes your site radically?

This is why we recommend that you take a full backup of your site before you update anything on it. This ensures that you can easily recover your site in case anything goes wrong.

MalCare takes care of all these aspects. It protects any vulnerabilities on your site from being exploited until an update is available. 

(Screenshot: Popup Builder plugin UpdateLens score)

It can also help you safely update your site software with Sandbox Updates. If you need more clarity, the UpdateLens feature scores all updates based on several factors to help you understand which updates are safe to apply without major disruptions to your site.

5. Use strong passwords

Poor passwords are the next major reason why WordPress sites get hacked. Passwords are often the weak spot in WordPress security for two reasons:

  • Easy to remember, therefore easy to guess: We have seen countless websites being hacked because admins have set passwords such as: pass@123, P@ssword, or some combination like that. Hackers use bots that try out common passwords, with common usernames to crack into WordPress sites. Bots can sometimes try as many as several hundred combinations per minute.
  • Data leaked from a breach: Passwords are hard to remember, so people tend to reuse them across different websites and products. If just one site gets hacked, your password can be exposed. Hackers then have both your email and password to get into your site.

To deal with these issues, force users to create strong passwords. They will not be able to reuse passwords exposed in data breaches. Strong passwords are tough to remember, so consider using a password manager to generate and store them. This small effort is worth the extra security it brings to your site.
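The policy described above, written out as an added must-use plugin (example code, not MalCare’s). It hooks the profile-save and password-reset screens with WordPress’s real user_profile_update_errors and validate_password_reset actions; the minimum length and the deny-list are assumed values, and the small deny-list stands in for a lookup against a breached-password corpus.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 * Description: Added example, not MalCare's code. Rejects weak passwords when a
 * profile is saved or a password is reset. Drop into wp-content/mu-plugins/.
 */

const EXAMPLE_MIN_PASSWORD_LENGTH = 12;   // assumed policy value

// Constructed deny-list for the example. In production, check against a
// breached-password corpus instead, e.g. the Have I Been Pwned range API,
// which only ever sends the first five characters of the SHA-1 hash off-site.
const EXAMPLE_DENIED_PASSWORDS = ['pass@123', 'p@ssword', 'password', 'password1', 'admin123', 'qwerty123'];

/** Returns a human-readable problem with the password, or null if it is acceptable. */
function example_password_problem(string $password, string $username): ?string
{
    if (strlen($password) < EXAMPLE_MIN_PASSWORD_LENGTH) {
        return sprintf('Passwords must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH);
    }
    // Case-insensitive: "P@ssword" and "p@ssword" are the same guess to a bot.
    if (in_array(strtolower($password), EXAMPLE_DENIED_PASSWORDS, true)) {
        return 'That password appears on lists of commonly used or leaked passwords.';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        return 'The password must not contain the username.';
    }
    return null;
}

/** Shared handler for both hooks. */
function example_check_password_field(WP_Error $errors, $update = null, $user = null): void
{
    // pass1 is the field name WordPress uses on both the profile and reset forms.
    $password = (string) ($_POST['pass1'] ?? '');
    if ($password === '') {
        return;   // this request does not change the password
    }
    // user_profile_update_errors passes ($errors, $update, $user);
    // validate_password_reset passes ($errors, $user). Find the account object.
    $account  = is_object($user) ? $user : (is_object($update) ? $update : null);
    $username = ($account !== null && isset($account->user_login)) ? (string) $account->user_login : '';

    $problem = example_password_problem($password, $username);
    if ($problem !== null) {
        $errors->add('example_weak_password', '<strong>Error:</strong> ' . esc_html($problem));
    }
}

// Profile and "Add New User" screens in wp-admin.
add_action('user_profile_update_errors', 'example_check_password_field', 10, 3);
// "Set new password" form reached from a reset link.
add_action('validate_password_reset', 'example_check_password_field', 10, 2);
```

Length plus a breached-password check does more than composition rules (one digit, one symbol) ever did: “P@ssword” satisfies every composition rule and is still on every bot’s list.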

6. Secure site logins

Securing your site logins is the next part of protecting your WordPress site. Hackers often target login pages to try and gain access. 

Enable two-factor authentication

Two-factor authentication (2FA) adds an extra step to the login process. It requires a separate, time-sensitive code in addition to your password. Even if someone gets your password, they can’t log in without the second factor.

You can enable 2FA for your users right from the MalCare dashboard. Your users just need to install an authentication app like Google Authenticator or Authy, and they are all set.

Block multiple failed logins

You should also limit login attempts. This prevents bots from trying endless password combinations. After a set number of failed attempts, the site temporarily locks the user out. MalCare automatically blocks repeated incorrect login attempts to thwart bots.

If a legitimate user is locked out of the site by mistake, they can solve a CAPTCHA to regain access.
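As an added example, and not MalCare’s implementation, the following must-use plugin implements the lockout described above with WordPress transients as the counter store and the stock wp_login_failed, authenticate and wp_login hooks. The attempt limit, counting window and lockout length are assumed values.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example, not MalCare's code. Locks out a client address after
 * repeated failed logins. Drop into wp-content/mu-plugins/ to activate.
 */

// Assumed policy values for this example.
const EXAMPLE_MAX_ATTEMPTS    = 5;
const EXAMPLE_WINDOW_SECONDS  = 15 * 60;   // failures are counted within this window
const EXAMPLE_LOCKOUT_SECONDS = 30 * 60;   // how long a locked address stays locked

// Keys are derived from the client address so one visitor cannot affect another.
// REMOTE_ADDR is only trustworthy when PHP is not behind a proxy; if it is, have
// the web server rewrite REMOTE_ADDR rather than reading X-Forwarded-For here.
function example_login_client_key(string $prefix): string
{
    return $prefix . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Count every failed attempt within the window; lock once the limit is reached.
add_action('wp_login_failed', function ($username): void {
    $key      = example_login_client_key('ex_login_fail_');
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, EXAMPLE_WINDOW_SECONDS);

    if ($attempts >= EXAMPLE_MAX_ATTEMPTS) {
        set_transient(example_login_client_key('ex_login_lock_'), time(), EXAMPLE_LOCKOUT_SECONDS);
        delete_transient($key);
        // Leave a trace in the server log so the lockout shows up in an audit.
        error_log(sprintf(
            'Login lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $attempts,
            (string) $username
        ));
    }
});

// Refuse authentication outright while the lock is active. Priority 30 runs after
// WordPress's own username/password and cookie checks have had their turn.
add_filter('authenticate', function ($user, $username) {
    $locked_at = get_transient(example_login_client_key('ex_login_lock_'));
    if ($locked_at !== false) {
        $remaining = EXAMPLE_LOCKOUT_SECONDS - (time() - (int) $locked_at);
        return new WP_Error(
            'example_too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.', max(1, (int) ceil($remaining / 60)))
        );
    }
    return $user;
}, 30, 2);

// A successful login clears the failure counter for that address.
add_action('wp_login', function (): void {
    delete_transient(example_login_client_key('ex_login_fail_'));
});
```

Attempts made while the address is locked still fire wp_login_failed, so a bot that keeps hammering the form simply extends its own lockout. Keying on the client address is what makes the CAPTCHA fallback from the paragraph above necessary: a shared office IP can be locked by one careless colleague.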

7. Protect WordPress sessions

Every time you log into WordPress, you are creating a session. A session lasts for as long as you use WordPress, and ends when you log out. But what happens if you close your browser window without logging out of your site?

When you access your site the next time, you will find that you don’t need to log in again. But how did this happen?

The answer: WordPress cookies.

Cookies are small pieces of data stored in a user’s browser. They help a site remember things like your login status and preferences as you navigate.

However, these cookies are vulnerable to theft. If a hacker steals a cookie, they can hijack the session. This means they can pretend to be the logged-in user (which is you) and perform unauthorized actions on your site.

This is where WordPress salts and security keys come in. These are secret codes used to encrypt the information in cookies. They make it much harder for anyone to steal or forge cookies.

Any time you suspect unauthorized entry, update your WordPress salts and security keys. It strengthens your defenses against session hijacking.
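An added illustration, not WordPress’s own source: the keys live in wp-config.php as the constants shown in the comment, and WordPress uses them to HMAC-sign the login cookie rather than to hide its contents. The simplified model below keeps the shape of that scheme (the real one also folds a fragment of the stored password hash into the key) to show why rotating the salts invalidates every existing session and why a tampered cookie fails verification. The salt strings and user names are constructed.

```php
<?php
// Added example, not WordPress core: a simplified model of how the secret
// keys in wp-config.php tie a login cookie to the server.
//
// In wp-config.php the secrets are plain constants. Replace the placeholders
// with output from https://api.wordpress.org/secret-key/1.1/salt/ (the
// generator wp-config-sample.php points to). Changing them logs everyone out.
//
//   define('AUTH_KEY',         'put your unique phrase here');
//   define('SECURE_AUTH_KEY',  'put your unique phrase here');
//   define('LOGGED_IN_KEY',    'put your unique phrase here');
//   define('NONCE_KEY',        'put your unique phrase here');
//   define('AUTH_SALT',        'put your unique phrase here');
//   define('SECURE_AUTH_SALT', 'put your unique phrase here');
//   define('LOGGED_IN_SALT',   'put your unique phrase here');
//   define('NONCE_SALT',       'put your unique phrase here');

// WordPress cookies carry username|expiration|token|hash, where hash is an
// HMAC over the first three fields with a key derived from the salts.
function make_cookie(string $user, int $expires, string $token, string $salt): string
{
    $hash = hash_hmac('sha256', "$user|$expires|$token", $salt);
    return "$user|$expires|$token|$hash";
}

function verify_cookie(string $cookie, string $salt, int $now): bool
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return false;
    }
    [$user, $expires, $token, $hash] = $parts;
    if ((int) $expires < $now) {
        return false;                       // expired session
    }
    $expected = hash_hmac('sha256', "$user|$expires|$token", $salt);
    // Constant-time comparison so a forger learns nothing from timing.
    return hash_equals($expected, $hash);
}

$old_salt = 'constructed-old-salt-value';
$new_salt = 'constructed-new-salt-value';
$now      = time();
$cookie   = make_cookie('editor', $now + 2 * 86400, bin2hex(random_bytes(8)), $old_salt);

// 1. Check the cookie under the salt that issued it.
var_dump(verify_cookie($cookie, $old_salt, $now));
// 2. Check the same cookie after the salts were rotated.
var_dump(verify_cookie($cookie, $new_salt, $now));
// 3. Check a stolen cookie whose username field was rewritten to "admin".
$tampered = preg_replace('/^editor\|/', 'admin|', $cookie);
var_dump(verify_cookie($tampered, $old_salt, $now));
```

Run it with `php salts_example.php`. Only the first check passes: without the salt a thief can neither forge a cookie nor edit a stolen one, and rotating the salt turns every cookie issued before the rotation into garbage, which is exactly the effect you want after a suspected intrusion.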

8. Use SSL 

SSL, or Secure Sockets Layer, encrypts information sent between your site and its visitors. This makes it difficult for hackers to steal data like passwords or personal info.

An SSL certificate makes this encryption possible. It verifies and secures your site’s connection. When you have an SSL certificate, your website URL changes from http:// to https://, and you’ll see a padlock icon in the URL bar. This reassures visitors that their data is safe, boosting their trust in your site.

(Screenshot: MalCare site over HTTPS)

SSL certificates are important because they protect your visitors’ information and can improve your site’s search engine ranking. Many web hosts offer free SSL certificates with their hosting plans. You can also get an SSL certificate from a trusted certification authority and install it on your server.

To ensure SSL is always used, edit your wp-config.php file and force SSL for all logins and admin activities.
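The wp-config.php change mentioned above, written out as an added example (not from the original post). FORCE_SSL_ADMIN, WP_HOME and WP_SITEURL are real WordPress constants; example.com and the proxy-header handling are assumptions you adapt to your host.

```php
<?php
// Added example, not from the original post: wp-config.php lines that force
// HTTPS for logins and the admin area. Place them above the line
// "/* That's all, stop editing! */".

// Redirects wp-login.php and everything under /wp-admin/ to https:// and
// sets the Secure flag on the authentication cookies.
define('FORCE_SSL_ADMIN', true);

// Only if the site sits behind a TLS-terminating proxy or load balancer:
// PHP then sees a plain-HTTP connection and WordPress would loop on the
// redirect unless told the client really used HTTPS. Trust this header ONLY
// when the proxy is known to overwrite it on every request; if clients can
// set it themselves, they can talk WordPress out of the redirect.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Pin the public URLs to https:// as well so generated links and asset URLs
// never fall back to http:// (replace example.com with the real host name).
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');
```

After the change, request http://example.com/wp-login.php and confirm you receive a redirect to the https:// URL; if the page loads over plain HTTP, the constant is below the “stop editing” line or the file is not the one WordPress reads.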

9. Backup your website daily

Malware can wipe sites out. Sometimes, web hosts suspend websites or delete them if they have malware on them. All this could leave you having to start everything from scratch.

Backups are insurance against these worst-case scenarios. A backup is a copy of your website’s data and files. If something goes wrong on your site, a backup helps you restore everything quickly.

(Screenshot: MalCare backup dashboard)

Daily backups ensure you never lose more than a day’s work. This safety net keeps your site running smoothly without worry. Whether an update fails or a hacker strikes, you can bounce back with minimal downtime.

There are several backup plugins available for WordPress sites. Choose a plugin that stores your site data on external servers for maximum data security.

10. Set security headers

Security headers are rules that your site sends to web browsers. These rules help control how browsers handle your site. They add a layer of protection against threats like cross-site scripting and clickjacking.

There are several types of security headers you can set. For example, the Content Security Policy header indicates which resources the browser can load. The X-Frame-Options header prevents your site from being embedded in other sites, reducing the risk of clickjacking attacks.

You can set security headers using a plugin, which often provides an easy way to implement them without much hassle. Alternatively, if you are using an Apache server, you can bolster your site’s .htaccess security. The .htaccess file has server configurations and can set headers to block threats effectively.
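Added example, not MalCare’s code: a must-use plugin that sends a baseline set of headers from PHP, so it works whether the host runs Apache or Nginx and needs no .htaccess edits. The header values are a conservative starting point rather than a recommendation for every site; the Content Security Policy in particular is sent in report-only mode because themes and plugins routinely rely on inline scripts and styles.

```php
<?php
/**
 * Plugin Name: Example Security Headers
 * Description: Added example, not MalCare's code. Sends a baseline set of
 * security headers from PHP on front-end, admin and login responses.
 * Drop into wp-content/mu-plugins/.
 */

function example_security_headers(): void
{
    if (headers_sent()) {
        return;
    }
    // Stop other origins from framing the site (clickjacking).
    header('X-Frame-Options: SAMEORIGIN');
    // Stop browsers from guessing a content type other than the declared one.
    header('X-Content-Type-Options: nosniff');
    // Do not leak full URLs (including query strings) to third-party sites.
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // Switch off browser features the site does not use.
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');

    // Content Security Policy. A strict policy breaks most themes, so start in
    // report-only mode, watch the browser console for violations on every
    // page type, then rename the header to Content-Security-Policy once clean.
    $csp = implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "frame-ancestors 'self'",
        "object-src 'none'",
        "base-uri 'self'",
    ]);
    header('Content-Security-Policy-Report-Only: ' . $csp);

    // Only advertise HSTS once everything, wp-admin included, works over
    // HTTPS: browsers will refuse plain http:// for the whole max-age period.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000');
    }
}

// Front-end responses go through WP::send_headers(); admin and login pages
// do not, so hook those separately.
add_action('send_headers', 'example_security_headers');
add_action('admin_init', 'example_security_headers');
add_action('login_init', 'example_security_headers');
```

Verify with `curl -sI https://example.com/ | grep -i -E 'x-frame|content-security|strict-transport'`. If a header is missing, a caching layer or the web server may be stripping or overriding it, in which case set it there instead.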

11. Choose a good web host

It is a common misconception that web hosts are responsible for malware infections, because people mistakenly assume that the web host isn’t securing their servers. On the contrary, the web host has a lot to lose if malware is discovered on their servers, and therefore their security is usually watertight. 

We say ‘usually’ because web hosts occasionally face data breaches too. In November 2021, GoDaddy had a breach that exposed the SFTP and database credentials of 1.2 million users. Since GoDaddy is one of the biggest web hosts, the number was correspondingly huge. 

However this is an exception and not the rule. Generally speaking, good web hosts have network firewalls, and a ton of other security infrastructure to protect their servers from malware. 

If you are on the lookout for a good web host, these are the things you should look for: 

  • Up-to-date infrastructure
  • Published security policies and certifications
  • Clear terms and conditions, about how they deal with malware for instance
  • Prompt support

Choosing a good web hosting provider is akin to building a strong foundation for your website. Once you’ve got it, you can forget about it. 

12. Harden your WordPress site

WordPress hardening means taking steps to make your WordPress site more secure. This includes setting strong passwords and using two-factor authentication, which greatly improves security.

There are different ways to add these security measures. If you know how to code, you can do it yourself by following detailed guides. You can also use MalCare to protect your site from weaknesses.

Here are some steps you can take to harden your WordPress site:

  • Disable PHP execution in the /wp-uploads folder: Hackers upload PHP files to your site to take control. This attack is called remote code execution. Since the /wp-uploads folder doesn’t need executable code, blocking PHP execution can stop these attacks.
  • Disable XML-RPC: XML-RPC is an older WordPress feature used to talk to other systems. It still exists for compatibility, but it can be used to bypass login protections, which is risky.
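Both measures written out as an added must-use plugin (example code, not MalCare’s). The XML-RPC part uses WordPress’s real xmlrpc_enabled, xmlrpc_methods and wp_headers filters; the uploads part writes an Apache 2.4 rule into wp-content/uploads/.htaccess with WordPress’s own insert_with_markers() helper, so it only takes effect on Apache and has to be mirrored in the server configuration on Nginx.

```php
<?php
/**
 * Plugin Name: Example Hardening
 * Description: Added example, not MalCare's code. Disables XML-RPC and writes
 * an Apache rule that refuses to serve PHP from the uploads directory.
 * Drop into wp-content/mu-plugins/.
 */

// 1. XML-RPC. Returning false here refuses every authenticated XML-RPC method,
//    which is the surface credential-guessing bots use.
add_filter('xmlrpc_enabled', '__return_false');

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// pingback.ping needs no login, so it stays reachable even when xmlrpc_enabled
// is false, and it is what lets a site be used as a reflector. Remove it too.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 2. Uploads directory. PHP should never run from there. This writes an Apache
//    2.4 rule between "# BEGIN/END Example Hardening" markers so it can be
//    updated or removed cleanly. On Nginx this does nothing; add an equivalent
//    "location ~* /wp-content/uploads/.*\.php$ { deny all; }" block there instead.
add_action('admin_init', function (): void {
    if (!current_user_can('manage_options')) {
        return;
    }
    $htaccess = trailingslashit(wp_upload_dir()['basedir']) . '.htaccess';
    if (file_exists($htaccess)
        && strpos((string) file_get_contents($htaccess), '# BEGIN Example Hardening') !== false) {
        return; // rule already present
    }
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    insert_with_markers($htaccess, 'Example Hardening', [
        '<FilesMatch "\.(php|phtml|phar|php[0-9])$">',
        '    Require all denied',
        '</FilesMatch>',
    ]);
});
```

Check the result by requesting any .php path under /wp-content/uploads/ and confirming a 403; a plain-text file in the same folder must still load, otherwise the rule is too broad.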

Note: There are many tips for “hardening” WordPress to protect your site from hackers. Some work well, while others barely improve security while making your site harder to use. The tradeoff is rarely worth it. We’ll discuss these less effective measures in another section.

13. Force SFTP usage

When you connect to your website’s filesystem, you typically use a protocol like FTP or SFTP.

FTP, or File Transfer Protocol, is a method of transferring files between your computer and server. However, FTP is not secure; it sends data in plain text, making it easy for hackers to intercept it.

SFTP, or Secure File Transfer Protocol, encrypts the data, making it safe from snoopers. It ensures that your login credentials and the files you transfer stay private.

To make sure you always connect securely, you can edit your site’s wp-config.php file and force WordPress to use SFTP whenever possible.
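As an added example (not from the original post), these are the wp-config.php constants that steer WordPress’s own updater toward SSH/SFTP when it cannot write files directly; they do not affect the client you log in with, so pair them with an SFTP-only policy on the hosting account. FS_METHOD and the FTP_* constants are WordPress’s real settings; the paths, user name and key file names are assumptions.

```php
<?php
// Added example, not from the original post: wp-config.php settings that make
// WordPress's updater use SSH/SFTP rather than plain FTP. Place them above
// "/* That's all, stop editing! */". Requires the PHP ssh2 extension on the
// server; check with `php -m | grep ssh2`.

// How WordPress writes files during core/plugin/theme updates:
// 'direct' (PHP writes them itself), 'ssh2', 'ftpext' or 'ftpsockets'.
define('FS_METHOD', 'ssh2');

// Paths WordPress should write to, as the SFTP user sees them.
define('FTP_BASE',        '/home/example/public_html/');
define('FTP_CONTENT_DIR', '/home/example/public_html/wp-content/');
define('FTP_PLUGIN_DIR',  '/home/example/public_html/wp-content/plugins/');

// Key-based authentication. The key pair is an assumption for this example;
// keep the private key outside the web root, readable only by the PHP user.
define('FTP_PUBKEY', '/home/example/.ssh/wp_updater.pub');
define('FTP_PRIKEY', '/home/example/.ssh/wp_updater');
define('FTP_USER',   'example-sftp-user');
define('FTP_HOST',   '127.0.0.1:22');   // host:port of the SSH service

// With key files set, FTP_PASS is not needed. If a password is unavoidable,
// never commit a wp-config.php containing it to version control.
```

When the ssh2 extension is missing, WordPress silently falls back to asking for connection details on each update, so the `php -m` check is the first thing to run if the updater still prompts for FTP credentials.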

14. Perform security audits

A security audit is a detailed checkup of your site to find and fix security gaps.

During an audit, you examine various parts of your site, like plugins, themes, user accounts, and server settings. The goal is to spot any issues that could make your site vulnerable to hackers. You then apply WordPress security updates, if available, and secure your site.

Keeping track of user activity

Hackers like to take advantage of insufficient logging to hide their tracks. Use an activity log to keep an eye on all actions on your site, like when a post is modified, a plugin or theme is uninstalled, a user has logged in, etc. This helps you catch unusual behavior early, and trace and resolve potential problems.

Audit site users

Regularly reviewing user accounts is another important step. Ensure that all users have appropriate access and remove any accounts that are no longer needed. Inactive accounts typically have the same password for a long time. If that password is exposed in a data breach, it can make your site vulnerable too.

You should also implement a “least privileges” policy. This means giving users only the access they need to perform their tasks and nothing more. For example, a subscriber does not need editor access, and a contributor should not have admin access. This reduces the risk of accidental or intentional damage.

Remove any unused plugins or themes

Once in a while, review the list of installed plugins and themes. If they are not in active use, these tend to get overlooked for updates. Then, if vulnerabilities are found, they become a weak link in your WordPress security. 

It is best practice to remove any unused themes and plugins from your WordPress site. At the very least, remove those that are deactivated. 

  • Review users regularly: The management of a website can change over time, like writers and editors coming and going. Keep an eye on the users, and remove any that no longer need access to the website. Dormant user accounts have the same password as before. If they reused their password elsewhere and it was part of a breach, your site is now vulnerable as a result. 
  • Implement least privileges policy: Make sure to give each user only as much access as they require to your website. A writer doesn’t need admin access, nor does an editor. Limit the number of admin users altogether. 

You can manage users easily from within wp-admin. MalCare includes an activity log as a part of its security plans.
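One way to turn the user review above into a recurring task, as an added must-use plugin (example code, not MalCare’s activity log). WordPress does not record when a user last logged in, so the snippet stores that itself on the wp_login hook and then reports administrators and accounts dormant beyond an assumed 90-day threshold; the meta key and threshold are constructed for this example.

```php
<?php
/**
 * Plugin Name: Example User Audit
 * Description: Added example, not MalCare's code. Records each user's last login
 * and lists accounts worth reviewing: administrators, and anyone not seen for
 * 90 days. Drop into wp-content/mu-plugins/. Run the report with WP-CLI:
 *   wp eval 'print_r(example_user_audit());'
 */

const EXAMPLE_DORMANT_DAYS = 90;   // assumed threshold for this example

// WordPress keeps no last-login timestamp by default; record one ourselves.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    update_user_meta($user->ID, 'example_last_login', time());
}, 10, 2);

/** Returns one row per user with the facts an auditor needs. */
function example_user_audit(int $dormant_days = EXAMPLE_DORMANT_DAYS): array
{
    $cutoff = time() - $dormant_days * DAY_IN_SECONDS;
    $rows   = [];
    foreach (get_users(['fields' => 'all']) as $user) {
        $last  = (int) get_user_meta($user->ID, 'example_last_login', true);
        $flags = [];
        if (in_array('administrator', $user->roles, true)) {
            $flags[] = 'admin';             // keep this set as small as possible
        }
        if ($last === 0) {
            $flags[] = 'no login recorded';  // never seen since tracking began
        } elseif ($last < $cutoff) {
            $flags[] = 'dormant';           // candidate for removal or demotion
        }
        $rows[] = [
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'roles'      => implode(',', $user->roles),
            'last_login' => $last ? gmdate('Y-m-d', $last) : null,
            'flags'      => $flags,
        ];
    }
    return $rows;
}

// Surface the summary inside wp-admin so it is seen during routine work.
add_action('admin_notices', function (): void {
    if (!current_user_can('list_users')) {
        return;
    }
    $review = array_filter(example_user_audit(), fn($row) => $row['flags'] !== []);
    if ($review === []) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>User audit:</strong> '
        . count($review) . ' account(s) need review: '
        . esc_html(implode(', ', array_column($review, 'login')))
        . '</p></div>';
});
```

Every account will show “no login recorded” until its owner logs in once after the plugin is installed, so give it a full review cycle before treating that flag as a reason to remove anyone.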

What makes a site insecure?

An insecure site is an easy target for hackers and can lead to serious problems. Here are some common factors that make a site insecure:

  • A site without security plugins has fewer defenses against attacks. These tools help monitor and block harmful activity.
  • Easy-to-guess passwords are a major security risk. Hackers can quickly crack them and gain access to your site.
  • Using outdated WordPress versions, plugins, or themes can leave your site open to known vulnerabilities. Developers release updates to patch these weaknesses, so staying current is vital.
  • If your site doesn’t have SSL, data between your site and users isn’t encrypted. This leaves sensitive information like login details open to interception.
  • Too many users with high-level access increases the risk of accidental changes or malicious actions. Implementing a least privileges policy helps mitigate this.

Common misconceptions about WordPress security

There’s a lot of misinformation out there about WordPress security. Much of it is well-meaning, but it is still bad advice. 

WordPress is not secure

On the contrary, WordPress is well-developed as a secure CMS. It didn’t start out as the most secure, obviously, but over time, the security kinks have been straightened out. Vulnerabilities have been addressed through releases and patches, and it is now one of the best options available.

The reason that WordPress sees more than its fair share of hackers and malware is because of its immense popularity. More websites are powered by WordPress, so it makes sense for hackers to find security loopholes in it, because the payoff is bigger. 

In fact, because of this constant threat of hacks, WordPress has eliminated many of the security issues that still exist in other CMS. 

My website is too small to be hacked

Websites have value whether it is obvious or not. All websites have assets that can be used for a multitude of purposes. Website owners tend to believe that smaller sites fly under the radar of hackers. This is not true. While bigger sites have more value, that doesn’t negate the value of a small site altogether.

For instance, a small site may not be a store, and therefore not have financial details. But it can be used as a part of a botnet. Or it may have a small dedicated following, which can be tapped for phishing scams via their email addresses. 

Because people tend to use the same passwords for different accounts, it is theoretically possible to now hack into another site or system using this information. Your website played a small but crucial role in this chain of events.

Your web host is responsible for malware on your website

Although a reliable web host adds a layer of security, it’s not enough by itself. 

Most hacks happen due to vulnerabilities within your site. For example, your visitors use weak passwords. Or your plugins aren’t up to date. All of these are your responsibility to manage and secure.

Additionally, web hosts do not look kindly on sites that have malware on them. They have a lot to lose if malware is discovered on their servers. That is why they block your site, or worse, delete it if they detect malware.

More security plugins mean more security

You might think that if one security plugin does one thing well, and another plugin does another thing well, you could combine them to secure your site. We get the logic behind it.

However, multiple security plugins on your site can actually conflict and cause other issues. A single, robust security plugin is often more effective than multiple, weaker options.

Take MalCare for example. It has a robust malware scanner and a smart firewall for the basics. Then, it also has vulnerability scanners, bot protection, backups, and much more. Combined together, MalCare has pretty much all you need to secure your WordPress site.

All WordPress hardening advice is good advice

A few sections ago, we recommended hardening your WordPress site to ensure its security. We also suggested some tried-and-tested measures for that reason.

If you look elsewhere, you will find several other website hardening methods. However, not all advice is useful or necessary. 

Don’t do any of the following things, because they cause more problems than they solve or they are ineffective as security measures:

  • Hiding the WordPress version number
  • Changing login URL 
  • Changing database prefix

These methods do little to improve security. Instead, focus on strong measures.

You should not have to configure your security settings so minutely, because it can become problematic if you are managing more than one website. Plus, a good firewall will take care of these issues out of the box. Additionally, avoid the following:

  • Protecting individual core files: A good firewall should take care of this, and a reliable scanner will find malware quickly in WordPress core files.
  • Geoblocking: Geoblocking involves blacklisting a range of IPs that correspond to the geographic location you want to keep off your website. It could be a city, a country, or a region. However, IPs are not always 100% accurate, so you may end up keeping out visitors you want. Over and above that, if you block out some countries, search bots that operate from those countries will not be able to index your website. 

Why is WordPress security important?

WordPress security is a must because your website holds valuable data, including information about users and content. Protecting this data is essential to prevent unauthorized access and misuse. If a hacker breaches your site, it can lead to identity theft or financial loss for both you and your users.

Security also plays a key role in maintaining your site’s reputation. A hacked site can lose visitor trust, which negatively impacts SEO rankings and decreases web traffic. This can have long-term effects on your site’s success.

Ensuring strong security helps preserve your site’s integrity. It’s far better to prevent hacks than to deal with the aftermath and costly recoveries. Keeping your site secure encourages users to trust and engage with your services or content.

Finally, proper security ensures that you meet legal compliances related to data protection. This helps avoid potential fines and legal troubles.

Final thoughts

In conclusion, WordPress security is an essential part of effectively managing a website. By using proactive security measures, you can protect your site, data, and visitors from potential threats.

Securing your WordPress site requires several strategies. This includes installing security plugins, setting strong passwords, adding CAPTCHAs, and more. Security plugins like MalCare can simplify this process. MalCare offers features like malware scanning and a robust firewall that ensure your site’s security.

Ultimately, WordPress security is about being ready and staying alert. It helps you keep your site running smoothly, maintain your reputation, and ensure you follow legal rules. This gives you peace of mind while managing your website.

FAQs

How secure is WordPress?

WordPress is quite secure when properly maintained. It comes with built-in security features and receives regular updates to address vulnerabilities. However, its popularity makes it a target for hackers. To keep your site safe, it’s important to use security plugins like MalCare, keep WordPress updated, use strong passwords, and follow best security practices.

How can I make my WordPress website secure?

To make your WordPress website secure, start by updating everything regularly, including WordPress itself, plugins, and themes. Use strong passwords and consider enabling two-factor authentication for extra login protection. Install a reliable security plugin like MalCare to help monitor and block threats. Set up an SSL certificate to encrypt data, and back up your website daily to ensure you can quickly recover if something goes wrong.

Do I need a firewall for my WordPress site?

Yes, you must have a firewall for your WordPress site. A firewall acts as a barrier between your site and potential threats. It helps block malicious traffic, reduces the risk of attacks, and can filter out harmful requests before they reach your site. This extra layer of security helps keep your site safe from hackers and malware. We recommend using a WordPress-specific firewall like MalCare for utmost security.

Does WordPress have SSL security?

WordPress itself does not provide SSL security directly, as SSL (Secure Sockets Layer) is a separate protocol used to encrypt data between a website and its users. However, WordPress fully supports SSL, and you can easily enable it on your site by obtaining an SSL certificate. Many hosting providers offer free SSL certificates or include them in their hosting packages. Once you have an SSL certificate, you can configure your WordPress site to use it, enhancing security and building trust with your visitors.

How to harden WordPress security?

To harden WordPress security, start by keeping your WordPress core, themes, and plugins up to date. Use strong, unique passwords and enable two-factor authentication for additional login security. Install a reliable security plugin like MalCare to help monitor your site and block threats. Use an SSL certificate for encrypted data transfer and set security headers for added protection. Limit user access by implementing a least privileges policy, giving each user only the permissions necessary for their role. Finally, regularly back up your site to ensure you can recover quickly if anything goes wrong.
