If you have an online presence, you need to prioritize security. And if WordPress is your CMS, you definitely need to prioritize security.
Overall, WordPress is a secure CMS, but because it’s open-source, it suffers from various critical vulnerabilities. Thankfully, achieving WordPress security is simple when you take the right steps.
In this article, we’ll get into the details of the most common and dangerous security vulnerabilities that come with using WordPress. Then, we’ll cover all the steps you’ll need to manage a safe, secure WordPress website.
Why You Need WordPress Security
Let’s discuss the reasons why every successful website built with WordPress prioritizes security. These apply to businesses of all sizes, reputations, and industries.
It protects your information and reputation.
If attackers attain personal information about you or your website visitors, there’s no end to what they could do with the information. Security breaches open you up to public data leaks, identity theft, ransomware, servers crashing, and the list unfortunately goes on. Needless to say, any of these events is far from ideal for the growth and reputation of your business, and are usually a major waste of time, money, and energy.
Your visitors expect it.
As your business grows, the number of problems you’ll need to solve and your customers’ expectations for how you address those problems will increase. One of those problems is keeping your customers’ information secure. If you can’t provide this fundamental service from the get-go, you will undermine your customer’s trust in you.
Your customers need to trust that their information will be used and stored safely, whether it be contact information, payment information (which requires PCI compliance), or a basic response to a survey. There’s a catch-22 here: If your security measures work, your customers will never need to know. If they ever do see news about your site’s security, chances are it’s bad news and most won’t come back.
Google likes secure websites.
Keeping your WordPress website secure is a cornerstone of maintaining a high-ranking website.
Why? Because a safe website is a searchable one. Website security directly affects visibility from a search on Google (and other search engines), and has for a while. Security is one of the easiest ways to boost your search rank. You can read about what other factors affect how Google ranks your website in our Ultimate Guide to Google Ranking Factors.
Clearly, protecting your online properties should be a key concern. Every website needs to ensure safety for their visitors and users, and we’ll go over the steps to do this. But first, you might be wondering: Is WordPress secure?
Let’s take a look below.
How safe is WordPress?
WordPress is a safe content management system. However, it can be vulnerable to attacks — just like any CMS.
There’s no way around it: Websites that use WordPress are a popular target for cyberattacks. In its WordPress security report, a firewall service named Wordfence blocked a whooping 18.5 billion password attack requests on WordPress websites. That’s nearly 20 billion attacks on WordPress websites alone.
This might be less surprising, knowing that 42.7% of all websites use WordPress. Still, nearly twenty billion attacks is still quite high, even when taking into account WordPress’ market share.
But before you hard-delete your WordPress account, you should know that these numbers aren’t entirely WordPress’ fault. Or, at least, not the fault of the WordPress product itself.
WordPress employs a large security team of world-class researchers and engineers looking for vulnerabilities in its system, and regularly releases security updates to their software. As far as WordPress core goes, we’re covered. The problem lies with how WordPress is made available to its users.
WordPress is open-source software, meaning that the source code is available for anyone to modify and distribute. Because WordPress is open-source, the software is infinitely customizable and optimizable. There are thousands of plugins, themes, and developers with the skills to modify the backend code themselves. This flexibility is a defining feature of WordPress, and a huge part of what makes it so powerful and widely-used.
The downside to all this freedom is that an improperly configured or maintained WordPress website is prone to a myriad of security issues. WordPress gives a lot of power to its users, and with great power comes great responsibility. Responsibility that many are shrugging off. Hackers know this and target WordPress websites accordingly.
You can rest easy knowing the following, though: Perfect security simply doesn’t exist, especially online. As WordPress states:
“[S]ecurity...is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”
You can never guarantee complete immunity to online threats, but you can take steps to make them much less likely to occur. The fact that you’re reading this means you probably care about security and are willing to go the extra mile to keep you and your visitors safe. To sum all this up, WordPress is secure, but only if its users take security seriously and follow best practices.
WordPress Security Issues
So, what could happen if one chooses to push all these numbers aside and do nothing to secure their WordPress site? As it turns out, a lot. The most common types of cyberattacks on WordPress websites are:
Brute-Force Login Attempts
This is one of the simplest types of attacks. A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the right credentials. Brute-force hacking can access any password-protected information, not just logins.
Cross-Site Scripting (XSS)
XSS occurs when an attacker “injects” malicious code into the backend of the target website to extract information and wreak havoc on the site’s functionality. This code could be introduced in the backend by more complex means, or submitted simply as a response in a user-facing form.
Also known as a SQL injection, this happens when an attacker submits a string of harmful code to a website through some user input, like a contact form. The website then stores the code on its database. Similarly to an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.
A backdoor is a file containing code that lets an attacker bypass the standard WordPress login and access your site at any time. Attackers tend to place backdoors among other WordPress source files, making them difficult to find by inexperienced users. Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.
Though WordPress restricts what file types users can upload to reduce the chance of backdoors, it's still very much a problem to be aware of.
Denial-of-Service (DoS) Attacks
These attacks prevent authorized users from accessing their own website. DoS attacks are most frequently carried out by overloading a server with traffic and causing a crash. The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.
When an attacker contacts a target posing as a legitimate company or service, this is known as phishing. Phishing attempts typically prompt the target to give up personal information, download malware, or visit a dangerous website. If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you.
Hotlinking occurs when another website shows embedded content (usually an image) that is hosted on your website without permission, so that the content appears like it’s their own. While more akin to stealing than a full-blown attack, hotlinking is usually illegal and gives the victim serious issues, since they have to pay every time content is retrieved from their server when displayed on another website.
For these crimes to occur, hackers need to discover holes in a site’s security. Common vulnerabilities that hackers look for when targeting WordPress websites include:
- Plugins: Third-party plugins account for the majority of WordPress security breaches. Since plugins are created by third parties and have access to the backend of your website, they're a common channel for hackers to disrupt your site’s functionality.
- Outdated WordPress versions: WordPress sometimes releases new versions of their software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and problems with old versions of WordPress are often targeted by hackers.
- The login page: The backend login page for any WordPress website by default is the site’s main URL with “/wp-admin” or “/wp-login.php” added to the end. Attackers can easily find this page and attempt a brute force entry.
- Themes: Yes, even your WordPress theme can open your site up to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Also, many third-party themes do not follow WordPress’ standards for code, causing compatibility issues and similar vulnerabilities.
For a deeper look at WordPress security issues, see our article on WordPress security issues you should know about.
How to Secure Your WordPress Site
- Secure your login procedures.
- Use secure WordPress hosting.
- Update your version of WordPress.
- Update to the latest version of PHP.
- Install one or more security plugins.
- Use a secure WordPress theme.
- Enable SSL/HTTPS.
- Install a firewall.
- Back up your website.
- Conduct regular WordPress security scans.
- Filter out special characters from user input.
- Limit WordPress user permissions.
- Use WordPress monitoring.
- Log user activity.
- Change the default WordPress login URL.
- Disable file editing in the WordPress dashboard.
- Change your database file prefix.
- Disable your xmlrpc.php file.
- Consider deleting the default WordPress admin account.
- Consider hiding your WordPress version.
Now that we’re past the scary part, let’s discuss what you can do to reduce the threat of a cyberattack on your WordPress website.
Website security, and by extension WordPress website security, comes down to following a set of best practices. Some of these apply to all websites in general (e.g. strong passwords and two-factor authentication, SSL, and firewalls), while others apply specifically to WordPress websites (e.g. using secure plugins and a secure WordPress theme).
To keep your site at its safest, we recommend adhering to as many of these best practices as you reasonably can. First, we’ll cover the basic best practices. Then we’ll add additional steps you can take if your site is particularly at risk or if you want to go even further.
WordPress Security Best Practices
1. Secure your login procedures.
The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. To do this:
- Use strong passwords: We used to think there would be flying cars in the future, but as of this year, people are still using “123456” as a password. Make sure that all users with accounts on your WordPress backend are using strong passwords to log in. You might want to use one of our recommended password managers to generate strong passwords and keep track of them for you.
- Enable two-factor authentication: Two-factor authentication (2FA) requires users to verify their sign-on with a second device. This is one of the simplest, yet most effective tools to secure your login. Here’s how to add two-factor authentication in WordPress.
- Don’t make any account username “admin”: Chances are, this will be the first username attackers will plug in during a brute force login attempt. If you’ve already created a user with this name, create a new administrator account with a different username.
- Limit login attempts: Placing a cap on the number of times a user enters the wrong credentials in a certain amount of time will prevent hackers from brute-forcing a login. Some hosting services and firewalls might take care of this for you, but you can also install a plugin like Limit Login Attempts for the job.
- Add a captcha: You’ve likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. You can use plugins to add a captcha to your site. reCaptcha by BestWebSoft is one we recommend — see our guide to enabling Google reCaptcha in WordPress.
- Enable auto-logout: While you should remember to log out of your WP account when finished, auto-logout prevents strangers from snooping in your account if you forget. To enable auto-logout on your WordPress account, try the Inactive Logout plugin.
2. Use secure WordPress hosting.
When choosing the service that hosts your website, there are many factors to take into account, but security should be a top priority. Consider services that have taken steps to protect your information and promptly recover if an attack occurs. See our list of recommended WordPress hosting providers.
3. Update your version of WordPress.
Outdated versions of the WordPress software are a very common target for hackers. Make sure you regularly check for and install WordPress updates as soon as possible to eliminate vulnerabilities found in older versions.
To update WordPress to the latest version, first back up your site and check that your plugins are compatible with the latest version of WordPress, updating plugins accordingly. You can reference our guide for how to update your WordPress plugins.
After updating your plugins, follow the update instructions on WordPress’ website.
4. Update to the latest version of PHP.
Upgrading to the latest version of PHP is one of the most important steps you can take to keep your WordPress website secure. When an upgrade is ready, WordPress will notify you on your dashboard. It will then prompt you to head to your hosting account to upgrade to the latest PHP version. If you don’t have access to your hosting account, get in touch with your web developer to upgrade.
5. Install one or more security plugins.
We highly recommend installing one or more reputable security plugins on your website. These plugins do much of the security-related manual work for you, including scanning your website for infiltration attempts, altering source files that might leave your site susceptible, resetting and restoring the WordPress site, and preventing content theft like hotlinking. Some reputable plugins cover almost everything on this list. This step is not needed if you are using HubSpot's Content Management System which provides malware scanning and threat detection within the platform.
Whichever plugin(s) you decide to install, security-related or not, make sure they’re well-established and legitimate. See our list of recommended WordPress security plugins.
6. Use a secure WordPress theme.
Just like you shouldn’t install a sketchy plugin on your site, resist the urge to use just any WordPress theme that looks good. To prevent vulnerabilities caused by a WordPress theme, choose one that is compliant with WordPress standards.
To check whether your current theme meets WordPress’ requirements, copy your website URL (or the URL of any WordPress site or any theme’s live demo) into W3C’s validator. If you find your theme isn’t compliant, search for a new theme in the official WordPress theme directory. All themes in this directory are safely compatible with WordPress software. Alternatively, see HubSpot’s list of recommended WordPress themes, or search another credible theme marketplace.
7. Enable SSL/HTTPS.
SSL (Secure Sockets Layer) is the technology that encrypts connections between your website and visitors’ web browsers, ensuring that the traffic between your site and your visitors’ computers is safe from unwelcome interceptions.
Your WordPress site needs SSL enabled. If you're a CMS Hub user, SSL is free and built into the platform so you're good to go. If you are using WordPress, then depending on your use case, you may opt to do this manually or use a dedicated SSL plugin. Not only will it boost SEO, but it also plays directly into your visitors’ first impression of your website. Google Chrome will even warn users if the site they’re visiting doesn’t follow the SSL protocol, which directly reduces website traffic.
To see whether your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If the homepage URL begins with “https://” (the “s” stands for “secure”), your connection is secured with SSL. If the URL begins with “http://”, you’ll need to obtain an SSL certificate for your website.
8. Install a firewall.
A firewall sits between the network that hosts your WordPress site and all other networks, and automatically prevents unauthorized traffic from entering your network or system from the outside. Firewalls keep out malicious activity out of your site by eliminating a direct connection between your network and other networks.
We recommend installing a Web Application Firewall (WAF) plugin to protect your WordPress site. With the CMS Hub, your site will come with WAF within the platform. As with everything else on this list, carefully deliberate which type of firewall and which plugin works best for your needs before making your choice.
9. Back up your website.
Being hacked is bad. Losing all your information is even worse. Make sure you have your website information backed up by WordPress and your host in the event of an attack (or any other incident) that causes data loss. We recommend backups be automatic as well. See our list of the best WordPress backup plugins available.
10. Conduct regular WordPress security scans.
It’s a good idea to run routine check-ups on your site. Aim for at least once a month. There are multiple plugins that can scan your site for you. Here are the seven WordPress scanner plugins we recommend.
Once you’ve taken these basic steps, you can then move to more advanced measures to secure your WordPress website.
Advanced WordPress Security Best Practices
1. Filter out special characters from user input.
If any part of your website accepts a response from visitors, be it a payment form, a contact form, or even a comment section on a blog post, this is an opportunity for an XSS or database injection attack. Attackers could enter malicious code into any of these text fields and disrupt your website’s backend.
To avoid this problem, make sure you filter out special characters from user input before it is processed by your site and stored in a database. You can also use a plugin to detect malicious code. Alternatively, you can use a WordPress form plugin to automatically filter out these characters.
2. Limit WordPress user permissions.
If your WordPress site has multiple user accounts, we recommend changing the roles of each user to limit their access to only what they need. WordPress has six roles to choose for each user. By limiting the number of users with administrator permissions, you reduce the chance of an attacker brute-forcing their way into an admin account, and limit the damage that can be done if an attacker does correctly guess a user’s credentials. See our guide on how to change WordPress user permissions.
3. Use WordPress monitoring.
Having a monitoring system in place for your website will alert you of any suspicious activity that occurs on your site. Ideally, your other measures would have prevented such activity, but it’s better to find out sooner rather than later. You can use a WordPress monitoring plugin to get an alert in case there’s a breach.
4. Log user activity.
Here’s another way to get out ahead of issues before they occur: Create a log of all activity that users take on your website, and check this log periodically for suspicious activity. This way, you’ll see if another user is acting suspiciously (e.g. trying to change passwords, altering theme or plugin files, installing or deactivating plugins without permission). Logs are also useful for cleanup after a hack, showing you what went wrong and when.
This isn’t to say that all password changes or file modifications are always signs of a hacker among your team. However, if you’re employing many external contributors and giving them access permissions, it’s always a good idea to keep an eye on things.
5. Change the default WordPress login URL.
As I’ve mentioned, the default URL for the WordPress login page for any WordPress site is easy to find. Plugins like WPS Hide Login change this login page URL for you.
6. Disable file editing in the WordPress dashboard.
By default, WordPress lets administrators edit the code of their files directly with the code editor. This gives attackers an easy way to alter your files if they gain access to your account. If a plugin hasn’t already disabled this feature, you can do some light coding to disable it yourself. Add the code below to the end of the file wp-config.php:
// Disallow file edits
define( 'DISALLOW_FILE_EDIT', true );
7. Change your database file prefix.
The names of the files that make up your WordPress database begin with “wp_” by default. Hackers leverage this setting to locate your database files by name and conduct SQL injections.
A simple fix? Change the prefix to something different, like “wpdb_” or “wptable_”. It is possible to set this when installing the WordPress CMS. If your site is already live with this setting, you can rename these files. In this case, we highly recommend using a plugin to handle this process, since your database stores all your content and a misconfiguration will break your website. Look for the ability to change table prefixes among the features of your preferred security plugin.
8. Disable your xmlrpc.php file.
XML-RPC is a communication protocol that enables the WordPress CMS to interact with external web and mobile applications. Since the incorporation of the WordPress REST API, the XML-RPC is used much less frequently than it once was. However, it is still utilized by some to launch powerful attacks on WordPress sites.
This is because XML-RPC technology lets attackers submit requests containing hundreds of commands, making it easier to commit brute force login attacks. XML-RPC is also less secure than REST because its requests contain authentication credentials that can be exploited.
If you’re not using XML-RPC, you can disable the xmlrpc.php file. First, check whether your site is making use of the file. Plug your URL into this XML-RPC validator to check whether your site is currently making use of the protocol. If not, the easiest way to disable this file is with a plugin like Disable XML-RPC-API. Your WordPress security plugin may also be able to do this for you.
9. Consider deleting the default WordPress admin account.
We’ve discussed changing the “admin” username for the default WordPress admin account, but if you want to take things a step further, get rid of this default account altogether, and make a new account with the same administrator permissions. This is a good step to take if you think that your original admin username and password have been discovered.
10. Consider hiding your WordPress version.
Hiding your WordPress version will ensure hackers don’t know that your site is vulnerable. As covered previously, you must always update to the latest version of WordPress. But if you haven’t yet gotten the opportunity to do so, it’s critical to hide the potential vulnerability. Here’s a tutorial on how to hide your WordPress version.
What To Do If You’re Hacked
So, you’ve implemented some or all of the measures above, and now you want to be extra prepared in case something goes wrong. Or, something has gone wrong. Either way, here’s what to do:
1. Remain calm.
It’s natural to panic in these situations. Just remember that a security breach can happen to anyone. It’s necessary to keep a clear head so you can locate the source of the breach and begin to resolve it.
2. Turn on maintenance mode on your website.
Limiting access to your site keeps visitors away from your side and safe from the attack. Only open your website when you’re confident the situation is under control.
3. Start creating an incident report.
Record all relevant details that can help solve the issue. These include, but are not limited to:
- When you discovered the problem.
- What led you to believe you were attacked.
- Your current theme, active plugins, hosting provider, and network provider.
- Any recent changes you made to your WordPress site before the incident.
- A log of your actions while finding and fixing the issue.
Update this document as more details become available.
4. Reset access and permissions.
All account holders should also strongly consider updating passwords on their work and personal devices, as well as personal accounts, since you can’t know for sure what the attackers were able to access beyond your WordPress site.
5. Diagnose the issue.
Either search for the problem yourself with a security plugin, or, depending on the scale of the attack, hire a professional to diagnose the problem and repair your site. Regardless of what method you choose, run a security scan on your site and local files to clear any remaining harmful files or code the attackers might have left, and to restore any missing files.
6. Review related websites and channels.
If you have accounts for any other online platform linked to your website, such as a social media account or another WordPress site, check these platforms to see if they were affected. Change your passwords for these channels as well.
7. Reinstall backup, themes and plugins.
Re-install your theme and plugins (double-checking that they’re safe). If you have a backup in place, restore the most recent backup prior to the incident.
8. Change your site passwords again.
Yes, you did reset all WordPress passwords before, but these credentials could have been compromised while you were fixing the problem. You can never be too careful.
9. Alert your customers and stakeholders.
After your site is up and running again, strongly consider reaching out to your customers alerting them of the attack, especially if personal information was accessed and leaked. It’s the right thing to do, and be prepared for negative responses from customers.
10. Check that your website is not blacklisted by Google.
If your website was blacklisted by Google as a result of the attack, Google will not-so-subtly warn users about entering your website:
While blacklisting is necessary to keep users away from harmful websites, it will also scare most traffic from your legitimate site. Sucuri has a free tool to scan your website for Google blacklist status.
11. Follow the best practices above.
Taking all possible precautions to limit the possibility of another attack will give you some peace of mind. Let’s hope something like this doesn’t happen again. But if it does, you’ll be in much better shape.
Don’t take security for granted.
Cybercriminals are constantly evolving new ways to leverage companies’ online presence against them, and security engineers are always developing new methods to stop them. This is the ever-turning cycle of security on the internet, and we’re all caught in the middle. Always keep your customers’ safety in mind, so they have one less thing to worry about.
Note: Any legal information in this content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.
Editor's note: This post was originally published in May 2020 and has been updated for comprehensiveness.