There is nothing scarier than your WordPress site being compromised and you feel helpless not knowing what to do to protect your WordPress site from Hackers. It takes a toll on your business, your revenue, your brand’s reputation and you even lose your sleep over it. Since WordPress Security is always on our mind here is a useful list of the 20 steps you need to take to protect your WordPress site from Hackers.
How can you stop your WordPress site from getting hacked again and again?
Here is a top 20 list of the things you need to do in order to strengthen your WordPress site security:
1. Use a secure WordPress Hosting Service
Nowadays, using a regular hosting service under a shared account is not enough. You need to make sure that your hosting provider offers services dedicated to WordPress sites.
If you have enough money to spend, then you should consider choosing a Managed WordPress Hosting Service. These providers offer a hosting environment which is fine-tuned for WordPress sites and they pay extra attention to security.
2. Add a firewall between your WordPress site and your site visitors
Adding a DNS-level firewall such as Cloudflare will filter bad traffic and stop it from ever reaching your hosting server, and this is how you protect your WordPress website from hackers. Though often neglected, this security measure is one of the most important ones for securing a WordPress site.
An application-level firewall filters traffic only after it has already reached your WordPress site. Even though this is an important security layer, it is not as efficient as a DNS-level firewall because it lets the attacker start consuming your server and site resources before the request is blocked.
3. Activate and use an SSL for your WordPress site domain
If you’re using a modern WordPress hosting service they can set up the SSL certificate for you. Let’s Encrypt offers free SSL certificates for everyone, so after adding one to your hosting account you need to convert all of your WordPress HTTP URLs to HTTPS. Having an HTTPS connection on your site guarantees that when a user sends sensitive data like their login details, it is sent to the right place, and not to a malicious third party.
You can also follow our step-by-step WordPress Free SSL Installation Guide in order to add a Let’s Encrypt SSL to your WordPress site.
4. Disable XML-RPC when possible
XML-RPC has been exploited in the past both for brute-forcing WordPress admin accounts and for bringing down WordPress sites through DDoS attacks (its pingback methods can be abused to generate traffic).
By disabling this feature you decrease the attack surface for any hacker who wants to break into your site. On the other hand, XML-RPC is an API used by many third-party services related to WordPress, like Jetpack.
If you want to disable XML-RPC while still letting Jetpack or any other service use the API, add the following code to your WordPress site’s .htaccess file:
# Disable XML-RPC Start
<Files xmlrpc.php>
# Deny everyone, then allow only the listed ranges ("Order" takes a single
# comma-separated argument with no space in it)
Order Deny,Allow
Deny from all
# Jetpack's IPv4 range: 192.0.64.0/18 covers 192.0.64.0 - 192.0.127.255
Allow from 192.0.64.0/18
Satisfy All
ErrorDocument 403 http://0.0.0.0
</Files>
# Disable XML-RPC End
Note that the Order/Deny/Allow directives are the Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, otherwise use Require all denied followed by Require ip 192.0.64.0/18 inside the same <Files> block. In order to whitelist other services besides Jetpack you just need to duplicate the “Allow from…” line and replace the Jetpack IP range with the range published by the service you’re using.
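The same restriction can be applied inside WordPress itself, which is useful on hosts where you cannot edit .htaccess (nginx, for instance) and has one advantage over the web-server rule: it lets you keep the endpoint reachable while removing the pingback methods that were abused for DDoS. The following must-use plugin is an added example, not code from the page or from Jetpack; the 192.0.64.0/18 range and the helper names are assumptions, and the CIDR check assumes IPv4 on a 64-bit PHP build.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example)
 * Save as wp-content/mu-plugins/restrict-xmlrpc.php so it loads on every request.
 */

// Allowlist of CIDR ranges permitted to call authenticated XML-RPC methods
// (assumed: Jetpack's published IPv4 range). Everyone else is refused.
const WPSEC_XMLRPC_ALLOWED_CIDRS = ['192.0.64.0/18'];

/**
 * Return true if $ip lies inside the IPv4 block $cidr (e.g. "192.0.64.0/18").
 */
function wpsec_ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // not a valid dotted-quad address
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Decide whether the current client may use XML-RPC.
 * REMOTE_ADDR is the only address the web server vouches for; trust a proxy
 * header (e.g. from Cloudflare) only after configuring the server to validate it.
 */
function wpsec_xmlrpc_client_allowed(): bool
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach (WPSEC_XMLRPC_ALLOWED_CIDRS as $cidr) {
        if (wpsec_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Every XML-RPC method that requires a login checks this filter first;
// returning false makes WordPress answer "XML-RPC services are disabled".
add_filter('xmlrpc_enabled', 'wpsec_xmlrpc_client_allowed');

// pingback.ping needs no login, so xmlrpc_enabled does not cover it. Remove the
// pingback methods outright for everyone; they are the DDoS vector, not a feature
// Jetpack needs.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
```

With this in place a request from outside the allowlist still reaches PHP (unlike the .htaccess rule), so keep the web-server rule where you can and use the plugin as the layer that strips pingbacks.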
5. Rename your WordPress login URL
This is a proactive security measure which hides your default WordPress login URL and stops automated brute-force login attacks from bots or bad actors that target the well-known wp-login.php address.
The safest way to change your WordPress Dashboard login URL is through a plugin like Rename wp-login.php by Ella van Durpe.
6. Set a login rate limit for your WordPress login page
Another way to protect your WordPress site from hackers is by rate-limiting the login attempts on your WordPress Dashboard. This adds an extra layer of security by blocking an IP address from making further attempts once a specified number of retries has been reached, which makes a brute-force attack difficult or impossible.
Limit Login Attempts Reloaded by WPChef is one of the plugins we often suggest to our clients after we finish a WordPress Malware Cleanup for their hacked WordPress sites.
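To show what such a plugin does under the hood, here is a minimal lockout implemented with WordPress’s own hooks and transients. This is an added example, not the code of Limit Login Attempts Reloaded or of this page; the limits (5 failures, 15-minute lockout) and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Login rate limit (added example)
 * Save as wp-content/mu-plugins/login-rate-limit.php.
 * Locks an IP address out of the login form after too many failed attempts.
 */

const WPSEC_MAX_FAILURES    = 5;       // failures allowed before lockout (assumed)
const WPSEC_LOCKOUT_SECONDS = 15 * 60; // lockout length (assumed)

// REMOTE_ADDR is the address the web server saw; behind Cloudflare, configure the
// server to rewrite it from the proxy header rather than trusting headers here.
function wpsec_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Transients live in the options table or the object cache; one counter per IP.
function wpsec_failure_key(string $ip): string
{
    return 'wpsec_login_fail_' . md5($ip);
}

// Count each failed login. set_transient() restarts the expiry, so every further
// attempt during the lockout extends it.
add_action('wp_login_failed', function ($username) {
    $key      = wpsec_failure_key(wpsec_client_ip());
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, WPSEC_LOCKOUT_SECONDS);
});

// Run after the core username/password check (priority 20): a locked-out address
// gets an error even when the password it just tried was correct, so the
// attacker learns nothing from the response once the limit is reached.
add_filter('authenticate', function ($user, $username, $password) {
    $key = wpsec_failure_key(wpsec_client_ip());
    if ((int) get_transient($key) >= WPSEC_MAX_FAILURES) {
        return new WP_Error(
            'wpsec_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', WPSEC_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(wpsec_failure_key(wpsec_client_ip()));
});
```

Because the counter is keyed by source address, a distributed attack that rotates IPs is not stopped by this alone; that is why the DNS-level firewall and 2FA from the other steps still matter.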
7. Use 2 Factor Authentication for your WordPress Dashboard login page
Two-factor authentication is an extra layer of security added to your login procedure. This way, even if your admin login details have been exposed, guessed or brute-forced, the attacker will still need to complete the 2FA challenge in order to access your WordPress Dashboard.
We suggest you take a look at Google’s 2FA service and create an account with them, then install and set up the Google Authenticator WordPress plugin by Ivan Kruchkoff.
If you want help adding 2FA to your WordPress website, make sure to read our own guide on How to Setup and Use Google’s 2FA on your WordPress Site.
8. Allow only 1 or 2 admins, following the least privilege principle
If possible, leave only one admin and downgrade all others to Editors, Authors or even Subscribers. The more admins a WordPress site has, the greater the chance of it being hacked through a brute-force attack or a breach of someone’s login details.
You can also use our WP User Admin plugin to schedule a role change for a user or a group of users: you pick the users whose role you want to edit and set the date and time at which the change should be applied. You can also set the same user(s) to have their original role restored at a future date and time.
This way you can make one user an admin for a specified timeframe and then automatically downgrade them to Author or any other preferred user role.
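The mechanism behind a time-boxed admin role can be built with WordPress’s own user API and WP-Cron. The snippet below is an added example and is not the WP User Admin plugin’s code; the hook name, the function name and the user ID in the usage comment are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary administrator (added example)
 * Save as wp-content/mu-plugins/temporary-admin.php.
 */

// Cron callback: put the user back on the fallback role. WP-Cron is triggered by
// site visits unless a real cron job requests wp-cron.php, so the downgrade may
// run a little later than scheduled on a quiet site.
add_action('wpsec_restore_role', function (int $user_id, string $role) {
    $user = get_user_by('id', $user_id);
    if ($user instanceof WP_User && get_role($role) !== null) {
        $user->set_role($role); // set_role() replaces all of the user's current roles
    }
}, 10, 2);

/**
 * Make $user_id an administrator for $seconds, then let WP-Cron downgrade the
 * account to $fallback_role. Returns false if the user does not exist or a
 * downgrade for the same user and role is already scheduled.
 */
function wpsec_grant_temporary_admin(int $user_id, int $seconds, string $fallback_role = 'editor'): bool
{
    $user = get_user_by('id', $user_id);
    if (!$user instanceof WP_User) {
        return false;
    }
    $args = [$user_id, $fallback_role];
    if (wp_next_scheduled('wpsec_restore_role', $args)) {
        return false; // refuse to stack grants; the existing schedule still applies
    }
    $user->set_role('administrator');
    // wp_schedule_single_event() returns true on success (WordPress 5.1 and later)
    return wp_schedule_single_event(time() + $seconds, 'wpsec_restore_role', $args) === true;
}

// Usage (assumed user ID 7): administrator for one day, then back to editor.
// wpsec_grant_temporary_admin(7, DAY_IN_SECONDS, 'editor');
```

Whichever tool you use for this, check the result: after the scheduled time, open Users in the Dashboard and confirm that only the accounts you expect still carry the Administrator role.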
9. Use complex passwords for your admin accounts
Using a simple and easy-to-guess password for your admin user account is the fastest way to get your WordPress site hacked. Use complex passwords and, if possible, change them every once in a while. Nowadays you don’t need to remember every single password you use. All you need to do is install a password manager service like 1Password, save your passwords with just one click and protect your WordPress site from hackers.
10. Change the default admin usernames and randomize them
Once you set up a new WordPress website, the default username for your admin account is “admin” (duh!). If you keep the default admin username you make it easier for the attacker to brute-force their way into your WordPress Dashboard, because they already know the admin name and only need to guess or brute-force the password.
You can either create a new admin account, log in with its details and delete the default admin account, or use a plugin like Easy Username Update by Yogesh C. Pant and set a random admin username.
If you want help renaming your default admin username, feel free to check out our guide on How to Change your Default Admin Username.
11. Secure your WordPress site files and database
Take the necessary steps to secure your WordPress site’s files and database. The database is where all the important settings of your WordPress site are located, including your blog posts and pages. For this, you need to change its default table prefix and ensure that your database password is far from predictable.
When it comes to files, there is always the risk of a file’s content being changed or malicious files being uploaded to your website. So what you can do is opt for security plugins such as All-in-One WP Security. You also need to be cautious with your directory and file permissions. Make sure you set the directory permissions to ‘755’ and file permissions to ‘644’. This way you are able to protect directories, subdirectories and individual files. You should also disallow file editing for the Themes and Plugins you use and disable directory listing. You can do so through .htaccess.
12. Update your themes, plugins and WordPress core files regularly
One of the great things about WordPress and everything related to it is that new updates are rolled out every so often. This is a great feature which you can use to protect your WordPress site from hackers. Regardless of the Theme and the Plugin(s) you use, you have to make sure that you update them frequently through the wp-admin dashboard. That is also where you find all the relevant information regarding the condition of the Themes and Plugins you use: you can see which ones need to be updated, and even the improvements they come with.
Updating Themes, Plugins and the WordPress core is imperative. Every new update brings security patches, bug fixes and new features that improve the performance and compatibility of your WordPress site. Plugins and Themes are updated on no fixed schedule, which is why you have to keep an eye out for new updates arriving. Ignoring the updates only puts your WordPress site in jeopardy.
We can’t stress enough the importance of updating your website’s components in order to protect your WordPress site from hackers. And though we understand this can be hard work, the truth is that it is necessary. You can always test updates on a staging environment before applying them on the live site, especially if you suspect that the latest updates might cause your website to break and stop functioning properly.
13. Keep only the active theme and plugins
It is best to remove the Themes and Plugins you no longer use, primarily because their files can be used as entry points by hackers even while they are inactive. Most WordPress sites have an array of active plugins, and managing and maintaining those can be frustrating enough. Keeping inactive ones around may weaken the security of your website, degrade its performance and, practically speaking, clutter your Admin Dashboard. They only add to your frustration.
14. Use only regularly updated WordPress themes and plugins
Choosing Themes and Plugins for your WordPress site can be a daunting task, as there are countless available out there. Do not go for the most affordable one or the one filled with the most features, and do not download them from doubtful sources and websites. Instead, consider your site’s needs, plan carefully and, whatever you choose, go only for official and trustworthy Themes and Plugins. These come with regular updates and offer support when a technical issue arises.
Also, check the repository for old and abandoned Themes and Plugins and steer away from those too, as they are not updated regularly (see point 12) and there is no technical support to assist you when you run into issues.
15. Apply restrictions for bots, certain IPs and countries
Some bots are useful (site crawlers or chatbots): they are automated and perform repetitive tasks faster than people. But bots can be a nuisance too, and they can take a toll on your website’s performance. For this reason you need to tweak the permissions so that you block malicious bots from your website. Bot traffic, if left unchecked, may cause several problems and cyberattacks. For example, malicious bots are known for contributing to DDoS attacks, scraping content from your WordPress site, getting hold of your credentials and spamming. The same applies to malicious visitors from specific countries or domains; they can be the source of spam and malicious attacks.
You can block bots by using certain security plugins or even a dedicated plugin such as the Stopbadbots Plugin.
16. Monitor your site logs and file changes
Monitoring your WordPress website gives you a good picture of its condition, and this way you can detect suspicious behaviour early on. Constant monitoring is the key to running a healthy and reliable WordPress site. It can also tell you when certain components or features do not operate properly or when files and the database have undergone changes. Especially when it comes to fending off hackers, time does indeed matter, and active site monitoring can be a great way to help avert malicious attacks and data breaches.
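The two file-side checks from points 11 and 16 (permissions no looser than 755/644, and detection of files that were added, removed or modified since a known-good baseline) share the same directory walk, so here is one command-line script that does both. It is an added example, not code from the page or from any plugin named on it; the script name, the baseline file location and the 755/644 targets are assumptions. Note that the editor lockout itself is a wp-config.php constant (DISALLOW_FILE_EDIT) rather than an .htaccess rule, so this script does not check it.

```php
<?php
/**
 * wpsec-audit.php (added example). Keep it outside the web root and run it from cron:
 *   php wpsec-audit.php /var/www/html baseline   # record SHA-256 of every file
 *   php wpsec-audit.php /var/www/html check      # report permission and content changes
 * Exit status is 1 when anything changed, so a cron wrapper can alert on it.
 */

// Paths (relative to the install) whose churn is expected and would drown the report.
const WPSEC_SKIP_PREFIXES = ['wp-content/cache'];

/** Walk the install and return [relative path => SplFileInfo], skipping noisy paths. */
function wpsec_walk(string $root): array
{
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    $entries = [];
    foreach ($iterator as $path => $info) {
        $rel = substr($path, strlen($root) + 1);
        foreach (WPSEC_SKIP_PREFIXES as $skip) {
            if (strpos($rel, $skip) === 0) {
                continue 2;
            }
        }
        $entries[$rel] = $info;
    }
    return $entries;
}

/**
 * Point 11: flag anything MORE permissive than 755 (directories) or 644 (files).
 * Stricter modes, such as 600 on wp-config.php, are fine and are not reported.
 */
function wpsec_permission_findings(string $root): array
{
    $findings = [];
    foreach (wpsec_walk($root) as $rel => $info) {
        $mode = $info->getPerms() & 0777;
        $want = $info->isDir() ? 0755 : 0644;
        if ($mode & ~$want) {
            $findings[] = sprintf('%s is %04o, expected at most %04o', $rel, $mode, $want);
        }
    }
    return $findings;
}

/** Point 16: SHA-256 of every regular file, keyed by relative path. */
function wpsec_hash_tree(string $root): array
{
    $hashes = [];
    foreach (wpsec_walk($root) as $rel => $info) {
        if ($info->isFile()) {
            $hashes[$rel] = hash_file('sha256', $info->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare two hash maps and list added, removed and modified paths. */
function wpsec_diff(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $rel => $hash) {
        if ($baseline[$rel] !== $hash) {
            $modified[] = $rel;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

$root = rtrim($argv[1] ?? '', '/');
$mode = $argv[2] ?? 'check';
if ($root === '' || !is_dir($root)) {
    fwrite(STDERR, "usage: php wpsec-audit.php /path/to/wordpress baseline|check\n");
    exit(2);
}
// Assumed location: next to, not inside, the web root, so a web-shell cannot rewrite it.
$baselineFile = dirname($root) . '/wpsec-baseline.json';

foreach (wpsec_permission_findings($root) as $finding) {
    echo "PERM      $finding\n";
}
if ($mode === 'baseline') {
    file_put_contents($baselineFile, json_encode(wpsec_hash_tree($root), JSON_PRETTY_PRINT));
    echo "baseline written to $baselineFile\n";
    exit(0);
}
$baseline = json_decode((string) @file_get_contents($baselineFile), true) ?: [];
$diff     = wpsec_diff($baseline, wpsec_hash_tree($root));
foreach ($diff as $kind => $paths) {
    foreach ($paths as $rel) {
        echo strtoupper(str_pad($kind, 9)) . " $rel\n";
    }
}
exit(array_sum(array_map('count', $diff)) > 0 ? 1 : 0);
```

Re-run the baseline step right after you apply legitimate updates (point 12); anything that shows up as ADDED or MODIFIED between updates, especially PHP files under wp-content/uploads, deserves a look before the next backup overwrites your last clean copy.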
17. Backup your site regularly
Backups are a life-saving solution. Most WordPress users only come to realise the significance of backups after something has gone wrong. But you should not wait until a disaster has happened to recognise the need to back up your website and its data almost daily. So back up your website often, even if it is time-consuming. Doing so ensures that all your hard work and precious data does not vanish in a second. Do not rely on the backups performed by your WordPress hosting provider alone. Use one of the many available services and Plugins out there that let you perform both automated and full backups. These Plugins allow you to schedule your website’s backups, so you do not have to run them manually. Depending on the complexity and the size of your website you can opt for purchasing automated backups, so that your website, its components and its data are backed up and safe.
18. Avoid using nulled themes or plugins
Steer away from nulled Themes and Plugins. They might be less costly when you get them, but the truth is they will cost you more in the end. These are usually obtained from suspicious websites and downloaded illegally. And though you might get hold of them for free, they often lack features, they do not operate properly, they do not receive updates (see point 12), and you do not have access to support services. Thus you end up using a Theme or Plugin which takes a lot of effort to maintain and operate. What is more, most nulled Themes and Plugins contain extra content which is malware, placed there by the hackers who cracked them in the first place. Using those Themes and Plugins would be like inviting the hackers into your WordPress site.
19. Host one WordPress site per account
Having several WordPress sites under the same hosting account carries a few risks. The most prominent is that one site gets hacked and the rest are then compromised too, since they share the same file system and credentials. What if your account credentials get compromised? Then you might be facing a severe problem. This can be averted if you spread your sites across separate accounts.
20. Remove any staging or development sites from your site’s public directory
Staging and dev sites are the safe playground on which you can perform as many changes and tweaks as you wish. You can run continuous tests. You can be a tinkerer. You can test the compatibility of Themes, Plugins and WordPress core updates before you implement them on your live site. However, you must remove them from your site’s public directory, as they can be picked up by search engine crawlers (especially Google’s) and, being less maintained than the live site, they can be used as an entry point by hackers.
Strengthening your WordPress site’s security is a holistic process with many steps and factors that deserve your attention. It is worth the hard work and effort you put into it. However, if you are not an expert in the field of WordPress, you should seek the professional help of WordPress security experts. They will guide you towards choosing the right components for your website and help you with maintenance and security issues, so you can focus on running your business or your blog.