About 30,000 websites get hacked per day globally, and a single incident can cost a business thousands of dollars, so safeguarding your site is a must. Every website is susceptible to security threats, from phishing and ransomware to fraud and impersonation. We’ve compiled a list of 18 WordPress security tips and tools that are free and easy to apply yourself and that protect your website, your customers, and your business.
We have also created a free checklist you can download as a reminder of what to do whenever you set up a new site. Download the checklist, then follow along to learn how to use the 18 WordPress security tips to safeguard your website:
1. Delete Inactive Plugins
Deactivated plugins are not loaded when WordPress serves a page, so their main cost is risk rather than performance: their files stay on the server, any file that can be requested directly by URL is still executable, and they are rarely kept updated. If left untended, a vulnerable inactive plugin can give a hacker a way into your website or a way to divert your site visitors elsewhere.
From your site’s dashboard, click on “Plugins” on the left-side column. Identify those which aren’t being actively used on your website and deactivate and delete them. If you’re not familiar with plugins or their function, this beginner’s guide to plugins, including security plugins, will help.
2. Delete Inactive Themes
Similar to inactive plugins, inactive themes are code sitting on your server that is rarely updated and whose files can still be requested directly, so they leave vulnerabilities hackers can exploit. WordPress recommends keeping two themes on your system at any given time: the theme that is active and the most recent default WordPress theme (as a fallback). Learn how to choose a theme that best fits the needs of your business.
To manage themes, choose “Appearance,” then “Themes” from the left-side column in the dashboard. Then delete any inactive themes, being sure not to delete your currently active theme (or its parent theme, if your active theme is a child theme) and keeping one of WordPress’ default themes, such as Twenty Twenty-One, as a fallback.
3. Create a Custom URL for Login
Hackers automate the process of finding vulnerabilities. One way is to identify the login URL of your website―such as “yoursite.com/wp-login.php” or “yoursite.com/wp-admin/”―and attempt to gain entry by guessing your username and password. Using a plugin like WPS Hide Login changes the login URL so that bots that only try the default address won’t find your login page. Treat this as a speed bump, not a lock: the new URL can leak through links and cached pages, and if XML-RPC (xmlrpc.php) is enabled, credentials can be tried there without ever visiting the login page, so combine it with the 2FA and login-limiting tips below.
Changing your WordPress login URL is easy. Check out the four steps of how to change a WordPress login URL.
4. Create a Custom Admin Username
Hackers use a method called “brute force” to bombard your login page with common usernames and passwords until they get in. Make sure “admin” is not the username you log in with, and don’t reuse your display name or email address as the username either. WordPress usernames may contain only letters, numbers, spaces, underscores, hyphens, periods, and the @ symbol, and WordPress reveals the usernames of authors through author archive URLs (yoursite.com/?author=1) and the REST API’s users endpoint, so a username should never be treated as a secret: the real strength has to come from a strong password and from 2FA (tip six).
If you already have a WordPress website, you can’t change a username from the dashboard, but you can create a new user account with a better username. Make sure you give the new account administrator privileges, then log in with the new username and delete your old “admin” account. When asked to assign any posts and pages associated with the old account to another account, select the new one you created.
5. Deploy WordPress Hardening
Hardening your WordPress installation requires some technical knowledge. It’s worth the investment should you decide to hire an outside expert (for example, a WordPress expert from Fiverr).
Two-factor authentication (tip number six below) is a method of hardening that makes it more difficult for someone to gain unauthorized access to the administration section of your website. Other tactics include enforcing strong passwords, refusing administrator logins over a plain, unencrypted connection by serving the admin area only over HTTPS (the FORCE_SSL_ADMIN setting in wp-config.php), and blocking the execution of PHP scripts in directories that should only ever hold uploaded media, such as wp-content/uploads―to name a few.
Another way to harden your WordPress website is to limit the permissions of the people who need access to your site’s Dashboard by assigning the appropriate WordPress role to each user. For example, a blogger on your team may need access to write, upload media, and publish an article, but they don’t need access to your site’s plugins, menus, settings, or other tools.
To set user permissions, choose “Users” from the left side column of your dashboard. You’ll see a list of users, including the role assigned. Click on the name of the individual whose user permissions you would like to change, then choose the appropriate role from the dropdown list under “Role,” then scroll down and click “Save” to complete the process.
6. Use Two-factor Authentication at Login
Two-factor authentication, also known as 2FA, requires you to enter a one-time code (sent to your email address or mobile number, or generated by an authenticator app) before gaining access to your site’s administration area after signing in with your username and password. It’s an added layer of defense against brute force and stolen-password attacks, because the password alone is no longer enough to log in. Codes from an authenticator app or a hardware security key are stronger than codes sent by SMS or email, which can be intercepted or redirected.
Adding 2FA on WordPress requires a plugin like Wordfence, which is also a security plugin (see tip number 18 below for more details on security plugins). The makers of the popular backup plugin UpdraftPlus also created a reliable plugin for this, Two Factor Authentication, which is easy to install and set up.
7. Limit Login Attempts
Brute force and stolen-credential attacks are among the most common ways websites are breached. Limiting the number of times a person (or a bot) can try to log in before being temporarily or permanently locked out greatly reduces your risk of being hacked.
To set a login limit, use a WordPress plugin like Limit Login Attempts Reloaded. You’ll have the ability to limit the number of times someone can try to log in within a given time period, decide how long they must wait before trying again, set up notifications to alert you to unauthorized access attempts, and more. Two caveats: if your site sits behind a CDN or reverse proxy, configure the plugin to read the real client address rather than the proxy’s, or every visitor will share one lockout counter; and an attacker who spreads guesses across many addresses will stay under a per-IP limit, so pair login limiting with 2FA rather than relying on it alone.
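To make the brute force pattern concrete, here is an added example (not code from the original article or from the Limit Login Attempts Reloaded plugin) that finds such bursts in a web server access log after the fact. It reads Apache- or Nginx-style combined log lines, counts POST requests to wp-login.php and xmlrpc.php per client address inside a sliding five-minute window, and flags addresses that exceed a threshold. The log lines, addresses, and threshold are constructed for the example; point it at a real log by replacing SAMPLE_LOG with the lines of your own access log.

```python
"""Spot WordPress login brute-force bursts in a web server access log.

Added example for this article; it is not code from the article or from any
plugin the article names. Log lines are parsed in the common/combined
format that Apache and Nginx write by default. SAMPLE_LOG and the addresses
in it are constructed for this example (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept credentials. xmlrpc.php is included because bots
# often push password guesses through it instead of the login form.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_attempts} for every client that POSTs to a login
    endpoint more than `threshold` times inside any `window`-long span.
    Lines are assumed to be in chronological order, as access logs are."""
    recent = defaultdict(deque)  # ip -> timestamps of attempts still in the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:  # expire attempts outside the window
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample: one bot hammering the login form, one bot using
# XML-RPC, and one legitimate user who mistypes once and then logs in (302).
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Mar/2021:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123']
    + [f'203.0.113.7 - - [10/Mar/2021:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3982'
       for s in range(1, 9)]
    + ['198.51.100.5 - - [10/Mar/2021:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3982',
       '198.51.100.5 - - [10/Mar/2021:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
    + [f'203.0.113.9 - - [10/Mar/2021:10:02:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
       for s in range(0, 12, 2)]
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within 5 minutes -> block or rate-limit")
```

The sliding-window count is the same logic a login limiter applies in real time; the difference is that a plugin can only see requests that reach WordPress, whereas the log also shows guesses that a web-server-level block (tip 8) or a WAF (tip 13) would have stopped earlier.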
8. Password Protect Your WordPress Admin Directory
Password-protecting your site’s wp-admin directory at the web server level adds a second login, handled by the server before WordPress ever runs, in front of your dashboard. Bots that hammer wp-login.php and wp-admin never reach WordPress’ own login form unless they have these credentials, which is especially valuable when multiple people on your team or third parties have access to your site. Protecting your admin directory requires technical experience, especially if you don’t have cPanel.
To do this using cPanel, navigate to “Directory Privacy.” From there, click on “public_html” or “htdocs,” whichever your hosting provider uses. Click on the “Edit” button next to “wp-admin” and enable password protection.
Once done and the page refreshes, you’ll need to create a user for the directory. This is a web server (HTTP Basic authentication) user, separate from your WordPress user accounts; give it a strong username and password and share the credentials only with authorized users. One caveat: plugins that call wp-admin/admin-ajax.php from the public side of your site will break behind the password unless you add an exception for that file, so test your site’s front end after enabling protection.
9. Use the Latest PHP Version
PHP: Hypertext Preprocessor (PHP) is the programming language WordPress is written in. Just like WordPress, PHP is constantly being improved and updated, and older branches stop receiving security fixes. You should always use the latest stable version of PHP that WordPress recommends. At the time of this writing, PHP 7.4 was the version that worked best with WordPress, its plugins, and themes; it has since reached end of life and no longer receives security fixes, so check the version WordPress currently recommends before you choose.
Updating your site’s PHP is usually done through your web hosting provider. They may have options for you to manually upgrade the PHP your site is running on to a newer version, or you may have to contact their help desk for assistance. In either case, make sure to back up your WordPress site before upgrading in the event that compatibility or other issues arise.
10. Set Up Automatic Backups
Setting up automatic backups is a preventative step that ensures you can revert to a previous backup should your website be damaged or hacked. You can automate backups through the use of a plugin, such as UpdraftPlus.
Alternatively, you can sign up for a third-party service like ManageWP, which connects to your WordPress account via a plugin, creates backups automatically, and stores them off-site. Storing backup files off-site, such as in your Google Drive, means they aren’t on the same server as your website, where an attacker who compromises the site could delete or infect them. Remember that a backup contains your wp-config.php (with your database credentials) and your full database, so protect the storage location with a strong password and 2FA.
Learn three free, easy ways to back up your WordPress website.
11. Save Site Backups in Separate Locations
Storing your website’s backup files in at least two separate locations gives you peace of mind; if one backup gets corrupted, you have another one to fall back on. UpdraftPlus allows you to store backups in one place, either on your server or a cloud storage solution.
For an additional fee, you can store backups in multiple places, such as your local server, Dropbox, Google Drive, and others. Alternatively, you can use the free version of UpdraftPlus or ManageWP to create automatic backups, then download backup files to your computer manually as a second or even third storage location.
Learn how to save a WordPress backup to Google Drive in four easy steps.
12. Disable File Editing
By default, WordPress allows any user with administrator rights to edit your theme and plugin files directly from the dashboard. If an inexperienced user edits these files, a single mistake can take the website down.
As of WordPress version 4.9, the built-in editor checks edits for fatal errors and rolls them back, which helps prevent accidental breakage; however, we recommend disabling file editing altogether. Should a hacker obtain an administrator login, the editor is the easiest way to plant a PHP backdoor in a theme or plugin file, turning one stolen password into persistent control of your server.
Disabling file editing requires a little technical knowledge. Add the line of code displayed below to your wp-config.php file, immediately above the line that reads “That’s all, stop editing! Happy publishing.” (a setting placed below that line is loaded too late to take effect). If you apply updates outside the dashboard (for example, with WP-CLI), DISALLOW_FILE_MODS goes further and also blocks plugin and theme installs and updates from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
You can do this by accessing the file via the File Manager in cPanel on your web hosting platform or using a file transfer protocol (FTP) client like FileZilla. Download the file to your computer and open it in an app like Notepad, add the line of code, and save the file. Next, upload the file back to its previous location and overwrite the old file.
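Because tips 5 and 12 both come down to a handful of constants in wp-config.php, here is an added example (not code from the original article or from WordPress) that audits a wp-config.php for them. It checks that DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN are present and set to true, that they sit above the “That’s all, stop editing!” marker where they actually take effect, whether the optional DISALLOW_FILE_MODS is set, and whether any authentication key or salt still holds the placeholder text from wp-config-sample.php. Both sample configs are constructed for the example; to audit your own file, pass its contents to audit().

```python
"""Audit a wp-config.php for the hardening constants behind tips 5 and 12.

Added example for this article, not code from the article or from WordPress.
It reads the file as text, collects every define( 'NAME', value ) that
appears before the "That's all, stop editing!" marker (wp-settings.php is
loaded right after that line, so a define placed below it comes too late
to have any effect), and reports missing, disabled or misplaced settings.
The two sample configs below are constructed for this example.
"""
import re

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)
STOP_MARKER = "That's all, stop editing!"

# Constants this audit expects to be set to true, and why.
REQUIRED = {
    "DISALLOW_FILE_EDIT": "disables the theme/plugin file editor (tip 12)",
    "FORCE_SSL_ADMIN": "serves the admin area only over HTTPS (tip 5)",
}
# Stronger, with a trade-off: it also blocks installs and updates from the dashboard.
OPTIONAL = {
    "DISALLOW_FILE_MODS": "also blocks plugin/theme installs and updates from the dashboard",
}
PLACEHOLDER_SALT = "put your unique phrase here"  # shipped in wp-config-sample.php


def parse_defines(text):
    """Return two dicts {NAME: raw value}: defines before and after the marker."""
    idx = text.find(STOP_MARKER)
    head, tail = (text, "") if idx < 0 else (text[:idx], text[idx:])
    before = {m.group("name"): m.group("value").strip() for m in DEFINE_RE.finditer(head)}
    after = {m.group("name"): m.group("value").strip() for m in DEFINE_RE.finditer(tail)}
    return before, after


def is_true(value):
    return value.strip().lower() == "true"


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    before, after = parse_defines(text)
    findings = []
    for name, why in REQUIRED.items():
        if name in before and is_true(before[name]):
            continue
        if name in after:
            findings.append(f"{name} is defined after the stop-editing marker and has no effect")
        elif name in before:
            findings.append(f"{name} is set to {before[name]}, not true; it {why}")
        else:
            findings.append(f"{name} is missing; it {why}")
    for name, why in OPTIONAL.items():
        if name not in before:
            findings.append(f"consider {name}; it {why}")
    for name, value in before.items():
        if name.endswith(("_KEY", "_SALT")) and PLACEHOLDER_SALT in value.lower():
            findings.append(f"{name} still holds the placeholder value; generate real salts")
    return findings


# Constructed sample: typical mistakes (placeholder salt, setting turned off,
# the file-edit constant placed below the marker where it is ignored).
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'a0fe...example-generated-salt' );
define( 'FORCE_SSL_ADMIN', false );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
define( 'DISALLOW_FILE_EDIT', true );   // too late: below the marker
require_once ABSPATH . 'wp-settings.php';
"""

HARDENED_CONFIG = """<?php
define( 'AUTH_KEY', 'a0fe...example-generated-salt' );
define( 'FORCE_SSL_ADMIN', true );
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['ok']}")
```

The placement check is the one people most often get wrong by hand: a define pasted at the bottom of the file looks right but is read only after wp-settings.php has already run.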
13. Enable a Web Application Firewall (WAF)
A web application firewall acts as a shield for your website. A WAF is a WordPress security tool that protects your site by inspecting incoming requests and blocking anything that looks like an attack, such as SQL injection or exploit attempts against known plugin vulnerabilities, before it reaches your code. There are two ways to protect your website using a WAF: a plugin such as NinjaFirewall, which runs on your server and filters requests after they arrive, or a cloud service like Sucuri, which sits in front of your site and filters traffic before it reaches your host. For the cloud option to hold, your server must accept traffic only from the service; otherwise an attacker who learns your server’s real address can bypass the WAF entirely.
14. Hide Your WordPress Version
It’s always advisable to use the latest version of WordPress, however, sometimes it’s not possible if you have a custom setup. Having an older version of WordPress may leave your site vulnerable to attacks due to security holes in the code. Hackers know this. Their automated bots scour the Internet to find sites using older versions so they can use vulnerabilities to gain access.
The references to the WordPress version can be removed with a few lines of PHP in your theme or a small plugin, but that requires some familiarity with PHP; the Sucuri Security plugin can do it for you with one click. Either way, hiding the version is thin cover: it also appears in the ?ver= query strings on core stylesheets and scripts, in the readme.html file in your site’s root, and in the generator element of your RSS feed, and bots can fingerprint a version from the contents of core files alone. Treat hiding as a minor layer on top of keeping WordPress updated, not as a substitute for it.
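To see why removing the generator tag alone is not enough, here is an added example (not code from the original article or from the Sucuri plugin it names) that checks a page for the usual version leaks: the generator meta tag, the ?ver= query string on core assets served from /wp-includes/ and /wp-admin/, and the generator element of the RSS feed. The HTML and feed samples are constructed, with a made-up version number; to check your own site, save a page and your feed and pass their contents to version_leaks().

```python
"""Find where a WordPress page still leaks its core version.

Added example for this article; not code from the article or from the
Sucuri plugin it names. It checks the three usual places the version shows
up: the generator <meta> tag, the ?ver= query string on core assets served
from /wp-includes/ and /wp-admin/, and the <generator> element of the RSS
feed. The HTML and feed samples are constructed, with a made-up version.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

CORE_PATHS = ("/wp-includes/", "/wp-admin/")


class _Collector(HTMLParser):
    """Pull the generator tag and core-asset ?ver= values out of a page."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.core_asset_versions = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.match(r"WordPress\s+([\d.]+)", a.get("content", ""))
            if m:
                self.generator = m.group(1)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            parsed = urlparse(url)
            # Only core assets carry the core version; plugin and theme assets
            # (under /wp-content/) carry their own, so they are ignored here.
            if parsed.path.startswith(CORE_PATHS):
                for ver in parse_qs(parsed.query).get("ver", []):
                    self.core_asset_versions.add(ver)


def version_leaks(html, feed_xml=""):
    """Return {where: version} for each place the core version was found."""
    c = _Collector()
    c.feed(html)
    leaks = {}
    if c.generator:
        leaks["meta generator tag"] = c.generator
    if c.core_asset_versions:
        leaks["?ver= on core assets"] = ",".join(sorted(c.core_asset_versions))
    m = re.search(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", feed_xml)
    if m:
        leaks["RSS feed generator"] = m.group(1)
    return leaks


# Constructed samples. Removing only the <meta> tag, which is all many
# "hide version" snippets do, still leaves the ?ver= and feed leaks.
PAGE = """<html><head>
<meta name="generator" content="WordPress 5.6.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.6.2" />
<script src="https://example.com/wp-content/plugins/some-plugin/app.js?ver=1.4.0"></script>
</head><body></body></html>"""
PAGE_META_REMOVED = "\n".join(line for line in PAGE.splitlines() if "generator" not in line)
FEED = "<rss><channel><generator>https://wordpress.org/?v=5.6.2</generator></channel></rss>"

if __name__ == "__main__":
    print("full page:", version_leaks(PAGE, FEED))
    print("meta removed:", version_leaks(PAGE_META_REMOVED, FEED))
```

Some bundled libraries under /wp-includes/ (jQuery, for example) are enqueued with their own library version rather than the core version, so on a real page the core-asset set may contain more than one value; match the values against known WordPress release numbers before drawing a conclusion.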
15. Make Sure You Have an Active SSL Certificate
An SSL certificate (strictly, a TLS certificate) is a digital document that ties your domain name to a cryptographic key. It lets a visitor’s browser verify that it is talking to your server and set up an encrypted HTTPS connection from the visitor’s local device―computer, tablet, or smartphone―to your website. Sites with a valid certificate display a lock symbol just to the left of the URL in the browser window; the lock means the connection is encrypted and the server’s identity was verified, not that the site itself is free of malware or otherwise safe.
SSL security helps prevent attackers on the network path from injecting themselves into the connection, reading or altering traffic, or sending the visitor to another site that looks similar to yours in an attempt to phish for information, and it keeps any data the visitor enters, such as credit card or identification information, unreadable to anyone eavesdropping in transit. Note that HTTPS protects data only while it travels; data stored on your server is still exposed if the server itself is compromised.
The best website hosting companies include SSL certificates with hosting or domain names or make it easy for you to purchase and add one to your website. Alternatively, you can use a plugin like Really Simple SSL, which configures your site to run over HTTPS automatically once a certificate is installed. It will not only ensure the trust of the visitor, but it will also avoid the search ranking disadvantage and the browser “Not secure” warning that plain HTTP sites get, which matters if you rely on people finding your business through search.
16. Enable Domain Locking
Domain hijacking is a form of theft in which your domain registration is transferred to another party without your permission. To prevent it, lock your domain at the registrar where it is currently registered, usually where you purchased it. Most registrars lock domains automatically; if you’re not sure, check your settings and make sure the transfer lock is enabled. Also enable two-factor authentication on the registrar account itself, since anyone who controls that account can simply unlock the domain.
17. Choose Trusted Web Hosting and Domain Registrar
More than 300,000 hosting companies exist worldwide, each with its own rules governing how it handles your hosting and domain. Some may not be trustworthy for a variety of reasons, so it’s important to purchase your hosting and domains from a reliable, trustworthy provider. We researched more than a dozen to find the best cheap web hosting providers―all of which have been vetted by our team.
18. Use a Security Plugin
A security plugin can monitor for file changes, remove WordPress version information, include a web application firewall (WAF), and offer a stronger WAF if you upgrade to a paid plan. It will also give you statistics on how many hacking attempts were made, such as brute force attacks, and which IP addresses were locked out for reaching the threshold of login attempts.
Frequently Asked Questions (FAQs)
What are the most common types of WordPress security threats?
According to a 2020 Wordfence study, the three most common types of WordPress security threats are malware from pirated themes and plugins, malicious login attempts, and vulnerability exploitation. Using the tips above will help safeguard against these types of security threats.
What are the best WordPress security plugins?
There are several WordPress security plugins on the market. However, the three best security plugins available and highly rated by thousands of users are Jetpack, Wordfence, and Sucuri Security. Each plugin has unique benefits and we encourage you to choose the one that best fits the needs of your small business website.
How much does it cost to hire someone to secure my website for me?
Hiring someone to secure your website varies in price from as little as $5 to several thousand. You can use freelancers from Fiverr for as little as $5 (but up to over $50) depending on the particular services needed to secure your website. You can also find professional freelancers on sites like Upwork, which is ideal for larger or longer-term cybersecurity projects.
As the owner of your business’ website, it’s your responsibility to protect the integrity of your site, the personal information of your customers, and to prevent cyberattacks. These WordPress security tactics infuse standard security measures into your website. Implement these best practices for WordPress security to make your site more secure now and save the time and money it would take to fix issues after the fact.