There's never a wrong time to brush up on WordPress security best practices. Overall, WordPress is a secure CMS, but because it's open-source, it suffers from a few critical vulnerabilities. Luckily, it's possible to secure your WordPress site by taking the right steps.
In this article, let's dive into the details of WordPress security dangers and vulnerabilities. Then, we'll share all the steps you need to take to manage a secure, safe site on WordPress.
Why You Need WordPress Security
Security is integral to every successful website. This applies to businesses of all sizes, reputations, and industries. Here's why.
It protects your information and reputation.
If an attacker attains personal information about you or your site visitors, there's no saying what they can do with the stolen information. Security breaches open you up to public data leaks, identity theft, ransomware, server crashes, and the list, unfortunately, goes on. As you can imagine, any of these events wouldn't reflect well on your business's reputation — not to mention they're a waste of time, energy, and money.
Your visitors expect it.
To put it simply: Your visitors expect your site to be secure. If you can't provide this fundamental service from the get-go, you will undermine your customer's trust in you. By earning this trust, you can ensure that your visitors have a positive experience with your business and will return.
It's important that your customers trust that their information is used and stored responsibly, whether that's their contact information, payment information (which requires PCI compliance), or even a basic response to a survey. There's a catch-22 here: If your security measures work, your customers will never need to know. If they ever do see news about your site's security, chances are it's bad news, and most won't come back.
Google likes secure websites.
Everyone wants to rank higher on the search engine results pages (SERPs). Higher rankings mean more visibility, and more visibility means more visitors. Luckily, one of the ways to boost the odds Google likes your site is to make it secure.
Why? Because a safe website is a searchable one. WordPress security directly affects visibility from a search on Google (and other search engines), and has for a while. Security is one of the easiest ways to boost your search rank. You can read about what other factors affect how Google ranks your website in our Ultimate Guide to Google Ranking Factors.
Clearly, protecting your online properties should be your number one concern. Your website needs to ensure your visitors are protected when they use it. But first, you might be wondering: Is WordPress secure?
Let’s take a look below.
How safe is WordPress?
WordPress is generally considered a safe content management system. However, like any CMS, it can be vulnerable to attacks if you don't invest in protecting your site.
There's no way around it: Websites that use WordPress are a popular target for cyberattacks. In its WordPress security report, a firewall service named Wordfence blocked a whooping 18.5 billion password attack requests on WordPress websites. That's nearly 20 billion attacks on WordPress websites alone.
These numbers are distressing, but keep in mind that 43% of the entire internet was built on WordPress. Still, nearly twenty billion attacks is still quite high, even when taking into account WordPress' market share.
The bad news continues: 8 out of 10 WordPress security risks fall into the "Medium" or "High" severity score according to the Common Vulnerability Scoring System.
Now that you know the facts let's take a few steps back. Before you click delete on your WordPress account, remember that these numbers are not really WordPress' fault. Or, at least, not the fault of the WordPress product. Therefore, there are definitely things you can do as a responsible user to bolster WordPress security efforts.
WordPress employs a sizable security team of world-class researchers and engineers looking for vulnerabilities in its system, so they're able to fix any issues before a hacker gets to it. The security team also regularly rolls out security updates to their software. As far as the WordPress core itself goes, we're covered. The reason WordPress sites could be vulnerable to trouble lies in how WordPress is made available to users.
As you know, WordPress is open-source software. This means that the source code is available for anyone to distribute and modify. There are some benefits associated with using open-source software — it's accessible to everyone, the software is infinitely customizable, and you can optimize it.
As a result, thousands of developers have created themes and plugins that significantly boost the functionality of this platform. Flexibility is a signature feature of WordPress and a huge part of why it's so powerful and widely used.
Of course, the freedom that WordPress offers comes with a cost. If you have an improperly configured or poorly maintained WordPress site, you're privy to a lot of security issues. WordPress gives a ton of power to its users, and with great power comes great responsibility. Unfortunately, many users are shrugging off this responsibility, and hackers know this. They target WordPress websites accordingly.
Rest easy knowing this: Perfect security simply doesn't exist, especially online. As WordPress states:
"[S]ecurity...is risk reduction, not risk elimination. It's about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked."
You can never guarantee complete immunity to online threats, but you can take steps to make them much less likely to occur. The fact that you're reading this means you probably care about security and are willing to go the extra mile to keep you and your visitors safe.
TLDR: WordPress is secure, but only if its users take security seriously and follow best practices.
What are some common WordPress Security issues?
So, what happens if you ignore the statistics and do nothing to secure your WordPress site? As it turns out, a lot can happen. Here are some of the most common types of cyberattacks that WordPress sites face.
Brute-Force Login Attempts
The brute-force login attempt is one of the simplest forms of attack. It occurs when a hacker uses automation to enter as many username-password combinations very quickly, eventually guessing the right credentials. Brute-force hacking can access any password-protected information, not only logins.
Cross-Site Scripting (XSS)
Next is the XSS attack. This type of attack occurs when an attacker "injects" malicious code into the backend of the target website to extract information and wreak havoc on the site's functionality. The code can either be introduced in the backend by more complex means or submitted simply as a response in a user-facing form. Stay vigilant of this.
Also known as SQL injection, this form of attack happens when an attacker submits a string of harmful code to a website through some user input, like a contact form. The website then stores the code in its database. Like with an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.
Another common type of attack is a backdoor. A backdoor is a file that contains code allowing an attacker to bypass the standard WordPress login, ultimately accessing your site at any time. Attackers tend to place backdoors among other WordPress source files, making them difficult to find by inexperienced users. Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.
Though WordPress restricts what file types users can upload to reduce the chance of backdoors, stay aware of keeping your website safe from this type of attack.
Denial-of-Service (DoS) Attacks
Next is a common type of attack: The Denial-of-Service attack. These attacks prevent authorized users from accessing their own websites. DoS attacks are most frequently carried out by overloading a server with traffic and causing a crash. The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.
You might already be familiar with phishing. It occurs when an attacker contacts a target posing as a legitimate company or service. Phishing attempts typically prompt the target to give up personal information, download malware or even visit a dangerous website that could harm their computer. If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you. As you can imagine, it's not great for your business reputation.
Hotlinking occurs when another website shows embedded content (usually an image) that is hosted on your website without permission so that the content appears like it's their own. While more akin to stealing than a full-blown attack, hotlinking is usually illegal and gives the victim serious issues, since they have to pay every time content is retrieved from their server when displayed on another website.
So, how do these crimes occur? A hacker needs to find a hole in your site's security. Once they do, they can begin to wreak havoc. Here are some common vulnerabilities that hackers keep an eye out for when targeting WordPress sites:
Plugins: Third-party plugins cause the majority of WordPress security breaches. However, some are excellent add-ons that enhance your site's functionality, so don't write them all off — just be mindful. Since plugins are created by third parties and have access to the backend of your website, they're a common channel for hackers to disrupt your site's functionality.
Outdated WordPress versions: WordPress sometimes releases new versions of its software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and problems with old versions of WordPress are often targeted by hackers. You can avoid this issue by keeping your site up to date.
The login page: The backend login page for any WordPress website by default is the site's main URL with "/wp-admin" or "/wp-login.php" added to the end. Attackers can easily find this page and attempt a brute-force entry. By keeping your passwords varied and complex, you can avoid the odds a hacker will accurately guess yours.
Themes: Yes, even your WordPress theme can open your site up to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Also, many third-party themes do not follow WordPress' standards for code, causing compatibility issues and similar vulnerabilities. Once again, do your research before you add a theme to your site.
For a deeper look at WordPress security issues, see our article on WordPress security issues you should know about.
How to Secure Your WordPress Site
- Secure your login procedures.
- Use secure WordPress hosting.
- Update your version of WordPress.
- Update to the latest version of PHP.
- Install one or more security plugins.
- Use a secure WordPress theme.
- Enable SSL/HTTPS.
- Install a firewall.
- Back up your website.
- Conduct regular WordPress security scans.
- Filter out special characters from user input.
- Limit WordPress user permissions.
- Use WordPress monitoring.
- Log user activity.
- Change the default WordPress login URL.
- Disable file editing in the WordPress dashboard.
- Change your database file prefix.
- Disable your xmlrpc.php file.
- Consider deleting the default WordPress admin account.
- Consider hiding your WordPress version.
Now that we're past the scary part let's discuss the various ways you can reduce the threat of a cyberattack on your WordPress site.
Website security, and by extension WordPress website security, comes down to following the best practices. If you do so, there's no guarantee you'll never experience an issue, but the odds of having a problem are significantly lower. Some of these best practices apply to all websites in general (e.g., strong passwords and two-factor authentication, SSL, and firewalls), while others apply specifically to WordPress websites (e.g., using secure plugins and themes).
To maintain your site's safety, it's essential you adhere to as many of the best practices as possible. To begin, let's cover the best basics. Then, we'll share some additional steps you can take if you are particularly concerned about your site's safety.u can take if your site is particularly at risk or if you want to go even further.
WordPress Security Best Practices
1. Secure your login procedures.
This is step one because it really is a huge part of keeping your site safe. The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. To do this:
Use strong passwords: Use strong passwords: We used to think there would be flying cars in the future, but as of this year, people are still using "123456" as a password. It's essential that all users with access to the backend of your WordPress site use strong passwords to log in. Even one weak password could spell trouble for all other users. You might want to use one of our recommended password managers to generate strong passwords and keep track of them for you.
Enable two-factor authentication: Two-factor authentication (2FA) requires users to verify their sign-on with a second device. This is one of the simplest yet most effective tools to secure your login — and it works. Here's how to add two-factor authentication in WordPress.
Avoid making any account username "admin": Admin is likely the first username attackers will plug in during a brute force login attempt. If you've already created a user with this name, create a new administrator account with a different username.
Limit login attempts: By putting a cap on the number of times a user can enter the wrong credentials, you're protecting your site. If people attempt to log in too many times, the CMS will lock them out, which stops a brute-force login from occurring. Some hosting services and firewalls might take care of this for you, but you can also install a plugin like Limit Login Attempts for the job.
Add a captcha: If this sounds familiar, it's because you've likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. You can use plugins to add a captcha to your site. reCaptcha by BestWebSoft is one we recommend — see our guide to enabling Google reCaptcha in WordPress.
Enable auto-logout: Last but certainly not least, stay vigilant about logging out, especially if you're using a public computer. Auto-logout prevents strangers from snooping on your account if you forget. To enable auto-logout on your WordPress account, try the Inactive Logout plugin.
2. Use secure WordPress hosting.
Next, let's talk about the role your hosting provider plays in WordPress security. When choosing the service that hosts your website, there are many factors to take into account, but security should be first and foremost. Do your research to learn more about what steps the business takes to protect your information and promptly recover if an attack occurs. See our list of recommended WordPress hosting providers.
3. Update your version of WordPress.
Outdated versions of WordPress software pose a huge target. To avoid this issue, ensure that you regularly check for and install WordPress updates as soon as possible to eliminate vulnerabilities.
To update WordPress to the latest version, first back up your site and check that your plugins are compatible with the latest version of WordPress. You may also have to update your plugins accordingly. You can reference our guide for how to update your WordPress plugins.
After updating your plugins, follow the update instructions on the WordPress website.
4. Update to the latest version of PHP.
Upgrading to the latest version of PHP is one of the most crucial steps you can take for WordPress security. Once an upgrade is ready, WordPress notifies you on your dashboard, so keep an eye out. Then, you will be prompted to head to your hosting account to upgrade to the latest PHP version. If you don't have access to your hosting account, get in touch with your web developer to upgrade.
5. Install one or more security plugins.
Luckily, you don't have to do it all yourself when it comes to site security: You can also rely on a security plugin. We highly recommend installing one or more reputable security plugins on your website. (Emphasis on reputable!)
These plugins do much of the security-related manual work for you, such as scanning your website for infiltration attempts, altering source files that might leave your site susceptible, resetting and restoring the WordPress site, and preventing content theft like hotlinking. Some reputable plugins cover almost everything on this list. Of course, this step won't be needed if you're using HubSpot's Content Management System, which provides malware scanning and threat detection within the platform.
Whichever plugin(s) you decide to install, security-related or not, make sure they're well-established and legitimate. See our list of recommended WordPress security plugins, and use your discretion before downloading anything not on this list.
6. Use a secure WordPress theme.
Just like you shouldn't install a sketchy plugin on your site, resist the urge to use just any WordPress theme that looks good. Why? Because it might be unsafe, ultimately leaving your site susceptible to major issues. To prevent vulnerabilities caused by a WordPress theme, choose one that is compliant with WordPress standards.
To check whether your current theme meets WordPress' requirements, copy your website URL (or the URL of any WordPress site or any theme's live demo) into W3C's validator. If you find your theme isn't compliant, search for a new theme in the official WordPress theme directory. All themes in this directory are safely compatible with WordPress software. Alternatively, see HubSpot's list of recommended WordPress themes, or search for another in a credible theme marketplace.
7. Enable SSL/HTTPS.
SSL (Secure Sockets Layer) is the technology that encrypts connections between your website and visitors' web browsers, ensuring that the traffic between your site and your visitors' computers is safe from unwelcome interceptions.
Your WordPress site needs SSL enabled. If you're a CMS Hub user, SSL is free and built into the platform, so you're good to go. If you are using WordPress, then depending on your use case, you may opt to do this manually or use a dedicated SSL plugin. Not only will it boost SEO, but it also plays directly into your visitors' first impression of your website. Google Chrome will even warn users if the site they're visiting doesn't follow the SSL protocol, which directly reduces website traffic.
To see whether your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If the homepage URL begins with “https://” (the “s” stands for “secure”), your connection is secured with SSL. If the URL begins with “http://”, you’ll need to obtain an SSL certificate for your website.
8. Install a firewall.
A firewall sits between the network that hosts your WordPress site and all other networks and automatically prevents unauthorized traffic from entering your network or system from the outside. They work to keep out the malicious activity by eliminating a direct connection between your network and other networks.
We recommend installing a Web Application Firewall (WAF) plugin to protect your WordPress site. With the CMS Hub, your site will come with WAF within the platform. As with everything else on this list, carefully deliberate which type of firewall and which plugin works best for your needs before making your choice.
9. Back up your website.
Being hacked is upsetting. It feels like a violation of your digital space, and if you lose all of your data as a result, it's even more distressing. However, you can avoid that happening by making sure your website is backed up by WordPress and your hosting provider. In the event of an attack (or any other incident) that causes data loss, you'll be able to regain access to it. We recommend backups be automatic as well. See our list of the best WordPress backup plugins available.
10. Conduct regular WordPress security scans.
Last but certainly not least, we recommend you run routine check-ups on your site. Aim for at least once a month. And no, you don't have to do it yourself — there are some security plugins that can do it for you. Here are the seven WordPress scanner plugins we recommend.
Once you've taken these basic steps, you can then move to more advanced measures to secure your WordPress website.
Advanced WordPress Security Best Practices
1. Filter out special characters from user input.
If any part of your website accepts a response from visitors, whether that is a payment form, a contact form, or even a comment section on a blog post, there's an opportunity for an XSS or database injection attack. Attackers could enter malicious code into any of these text fields and disrupt your website's backend.
This is unfortunate because it's important you have these tools on your site to gain information from legitimate users.
To avoid this problem, make sure you filter out special characters from user input before it is processed by your site and stored in a database. You can also use a plugin to detect malicious code. Alternatively, you can use a WordPress form plugin to automatically filter out these characters.
2. Limit WordPress user permissions.
Many WordPress sites have multiple user accounts. However, we recommend changing the roles of each user to limit their access to only what they need. WordPress has six roles to choose from for each user.
By limiting the number of users with administrator permissions, you reduce the chance of an attacker brute-forcing their way into an admin account and limit the damage that can be done if an attacker does correctly guess a user's credentials. See our guide on how to change WordPress user permissions.
3. Use WordPress monitoring.
It's imperative you have a monitoring system in place for your website. This will alert you of any suspicious activity that occurs on your site. Ideally, your other measures would have prevented such activity, but it's better to find out sooner rather than later. You can use a WordPress monitoring plugin to get an alert in case there's a breach.
4. Log user activity.
Here's another way to get out ahead of issues before they occur: Create a log of all activity that users take on your website, and check this log periodically for suspicious activity. This way, you'll see if another user is acting suspiciously (e.g., trying to change passwords, altering theme or plugin files, or installing or deactivating plugins without permission). Logs are also useful for cleanup after a hack, showing you what went wrong and when.
This isn't to say that all password changes or file modifications are always signs of a hacker among your team. However, if you're employing many external contributors and giving them access permissions, it's always a good idea to keep an eye on things.
Many WordPress plugins create activity logs, and there are several dedicated logging plugins for WordPress, like WP Activity Log or the free Activity Log plugin.
5. Change the default WordPress login URL.
As we've mentioned, the default URL for the WordPress login page for any WordPress site is too easy to find. Luckily, there's a way to alter it to boost your security. Plugins like WPS Hide Login change this login page URL for you.
6. Disable file editing in the WordPress dashboard.
By default, WordPress lets administrators edit the code of their files directly with the code editor. This gives attackers an easy way to alter your files if they gain access to your account. If a plugin hasn’t already disabled this feature, you can do some light coding to disable it yourself. Add the code below to the end of the file wp-config.php:
// Disallow file edits
define( 'DISALLOW_FILE_EDIT', true );
7. Change your database file prefix.
The names of the files that make up your WordPress database begin with "wp_" by default. You guessed it: Hackers can leverage this setting and locate your database files by name and conduct SQL injections.
Here's some good news: There's a simple fix. Just change the prefix to something different, like "wpdb_" or "wptable_". You can even set this up when installing the WordPress CMS. If your site is already live with this setting, you can rename these files. In this case, we suggest using a plugin to handle this process, since your database stores all your content, and a misconfiguration will break your website. Look for the ability to change table prefixes among the features of your preferred security plugin.
8. Disable your xmlrpc.php file.
XML-RPC is a communication protocol that enables the WordPress CMS to interact with external web and mobile applications. Since the incorporation of the WordPress REST API, the XML-RPC is used much less frequently than it once was. However, it is still utilized by some to launch powerful attacks on WordPress sites.
This is because XML-RPC technology lets attackers submit requests containing hundreds of commands, making it easier to commit brute force login attacks. XML-RPC is also less secure than REST because its requests contain authentication credentials that can be exploited.
If you’re not using XML-RPC, you can disable the xmlrpc.php file. First, check whether your site is making use of the file. Plug your URL into this XML-RPC validator to check whether your site is currently making use of the protocol. If not, the easiest way to disable this file is with a plugin like Disable XML-RPC-API. Your WordPress security plugin may also be able to do this for you.
9. Consider deleting the default WordPress admin account.
We've discussed changing the "admin" username for the default WordPress admin account, but if you want to take things a step further, you may consider deleting this default account altogether.
From there, you can create a new account with the same administrator permissions. This is a good step to take if you think that your original admin username and password have been discovered and you want to avoid it happening again in the future.
10. Consider hiding your WordPress version.
Hiding your WordPress version will ensure hackers don't know that your site is vulnerable. As covered previously, you must always update to the latest version of WordPress. But if you haven't yet gotten the opportunity to do so, it's critical to hide the potential vulnerability. Here's a tutorial on how to hide your WordPress version.
What To Do If You’re Hacked
So, you’ve implemented some or all of the measures above, and now you want to be extra prepared in case something goes wrong. Or, something has gone wrong. Either way, here’s what to do:
1. Remain calm.
It's natural to panic in an uncertain situation where you feel like you don't have any control. However, it's important to attempt to remain as calm as possible. Unfortunately, a security breach can happen to anyone — even those who have worked so diligently to safeguard their site. Keep a clear head so you can locate the source of the breach and begin to resolve it.
2. Turn on maintenance mode on your website.
Next, it's time to limit access to the site. Doing this keeps visitors away and, therefore, safe from attack. It's imperative you do not reopen your site until you are confident the situation is completely under control.
3. Start creating an incident report.
Your next step is to gather the facts which you will use on an incident report. These can also ultimately act as clues that will help solve the problem. Take note of:
When you discovered the problem.
What led you to believe you were attacked.
Your current theme, active plugins, hosting provider, and network provider.
Any recent changes you made to your WordPress site before the incident.
A log of your actions while finding and fixing the issue.
Update this document as more details become available.
4. Reset access and permissions.
Change all account passwords on your WordPress site to prevent any further website changes. Next, force-logout any users still logged in.
It's highly recommended that all account holders should update passwords on their work and personal devices, as well as personal accounts since you can't know for sure what the attackers were able to access beyond your WordPress site. Yes, it's a hassle, but it can help ensure the impact of the attack is siloed.
5. Diagnose the issue.
In some cases, you can search for the problem yourself with the help of a security plugin. However, depending on the scale of the attack, you may need to hire a professional that diagnoses the issue and repairs your site. Regardless of what method you choose, run a security scan on your site and local files to clear any remaining harmful files or code the attackers might have left and to restore any missing files.
6. Review related websites and channels.
Do you have accounts for any other platform linked on your website? If so, you should take precautions to lock those down, too. For instance, if your website links to your Instagram account, make sure the hacker did not post on your account on your behalf. It's essential that you change the passwords for any linked accounts as well.
7. Reinstall backup, themes and plugins.
Re-install your theme and plugins (double-checking that they're safe). If you have a backup in place, restore the most recent backup prior to the incident.
8. Change your site passwords again.
When it comes to WordPress security, there's no such thing as too careful. You already reset your passwords, but the credentials could have been compromised while you were fixing the problem. You can never be too careful. Therefore, consider changing them again.
9. Alert your customers and stakeholders.
After your site is up and running again, strongly consider reaching out to your customers, and alerting them of the attack, especially if personal information was accessed and leaked. It's the right thing to do but be prepared for negative responses from customers.
10. Check that your website is not blacklisted by Google.
It's possible that your website was blacklisted by Google as a result of the attack. If that is the case, Google will not-so-subtly warn users about entering your website:
While blacklisting is necessary to keep users away from harmful websites, it will also scare most traffic from your legitimate site. Sucuri has a free tool to scan your website for Google blacklist status.
11. Follow the best practices above.
Taking all possible precautions to limit the possibility of another attack will give you some peace of mind. Let's hope something like this doesn't happen again. But if it does, you'll be in much better shape because you'll have so much more knowledge of how to handle everything.
Don’t take security for granted.
Unfortunately, Cybercriminals are constantly evolving and learning new ways to leverage companies' online presence against them. Luckily, security engineers are always developing new methods to stop them. This is the ever-turning cycle of security on the internet, and we're all caught in the middle. Always keep your customers' safety in mind, so they have one less thing to worry about.
Note: Any legal information in this content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.
Editor's note: This post was originally published in May 2020 and has been updated for comprehensiveness.