Ultimate WordPress Security Guide and Checklist
If there is one thing every WordPress website should take seriously, it is security. Taking the proper security measures not only helps protect your data and your customer’s data, but also ensures that Google or other search engines do not block your site.
If your website is found to be serving malware, Google will block it, and a hacker can easily cause this to happen.
For these reasons, you need to do everything possible to protect your website. Luckily, there is a lot of information when it comes to improving your website’s security.
WordPress itself has no major security issues, and if regularly updated, should always be a safe platform. However, because WordPress is the most popular CMS that over 44% of the internet relies on to build sites, hackers and other bad actors have been targeting it.
As such, you need to take some simple steps to secure your website today.
While the number of plugins and options in WordPress is usually a good thing, in this case, it can cause a lot of confusion, which is why this guide exists. Today, we will go through a full checklist of steps you should take to secure your website.
Why Security in WordPress Matters
At the end of the day, a website is a business. And when a business has a security breach, it not only costs them money but can ruin their reputation.
For this reason, a website needs to be secure at all times to protect the sensitive data it carries.
For example, imagine a simple eCommerce site. Think about the user data it stores. Credit card information, mailing addresses, phone numbers, and more could be stored on a single database.
If this information was stolen, not only would it negatively affect your brand and reputation, but it could potentially ruin someone’s life.
As such, governments around the world actually require certain security measures to be in place. And even if you do not live in one of those countries, all it takes is for a single visitor from one to make you liable to hefty fines or worse.
The laws and security measures you must adhere to are constantly changing and are different throughout the world. As such, it is important to always have your website secure to avoid any problems. Unfortunately, it is easy to overlook something, which is why this checklist exists.
It will showcase the steps you need to take to secure a fresh WordPress install.
The Fundamentals
Let’s start off with the fundamentals of WordPress security. These are simple things to do that don’t take a great deal of time but can have a major impact on the safety of your website.
Without these steps in place, carrying out more advanced options is pointless because it would be built on a weak foundation.
With that in mind, let’s start covering how to improve security in WordPress.
1. Update Your Theme, Plugins, and WordPress Core Files
Updating your WordPress site, plugins, and theme should be done regularly. Hackers often target out-of-date installs with known security vulnerabilities, which makes them an easy target even if you have other security measures in place.
Luckily, all of this can be set up to be done automatically, and WordPress does a great job of notifying you when an update is available.
To view if there are updates available, log into your WordPress site. On the left-hand admin panel, click on Dashboard and select the Updates option.
Take note if there is a small red number next to the Updates option. This number represents the number of updates available for the plugins, themes, and WordPress core files. If you see a red number, it is time to update.
In this section, you can see all of the available updates. At the top is the WordPress Updates section. This tells you your current version of WordPress. As long as it says “You have the latest version of WordPress,” you are good to go.
Below this, you will find a section for plugins and themes. If there are any updates available, simply select the plugin or theme and click on the corresponding “Update” button. While this is easy to do manually, many users forget about it, thus you should consider setting up automatic updates.
You can do this for plugins, themes, and WordPress core files.
It’s worth pointing out that even if you do not actively use a plugin or theme, you should keep it up to date. Even an inactive plugin can create an opening that hackers can exploit. Thus, the best advice is to always delete plugins and themes your site does not have activated.
Not only do they eat up space on the server, but they are also a security liability.
2. Use & Enforce Strong Passwords
I’m sure you have heard about the importance of strong passwords before, and I’m going to say it all again. Your website could use the best security plugins on the market, and they are all useless if you are using weak or common passwords.
These passwords are easy to crack or guess, and with Brute Force attacks being the most common method, strong passwords are one of the best defenses.
By default, WordPress provides a password generator that can generate a strong password for your account. You can also create your own and WordPress will inform you that the password is strong or weak.
If you enter a weak password, you will need to confirm that you are using one.
Unfortunately, this does not stop users from actually using one. Instead, you will need to enforce strong passwords with a plugin.
For example, one such plugin would be the Password Policy Manager. This gives you the power to prevent users from creating weak passwords and even force them to change existing ones.
It also adds other great password protections like a password expiration date. Essentially, this forces the user to regularly update their password, which is recommended on a six-month basis. You can also enforce different rules for different user roles.
Many beginners avoid strong passwords because they are difficult to remember, but doing so undermines your website’s entire security. If remembering a password is difficult, consider using a password manager to easily log in while keeping a strong password.
It is also worth pointing out the importance of unique passwords. Again, many beginners like to use the same password for multiple websites. Unfortunately, if one of those accounts is compromised, hackers typically try that information on other popular platforms like Amazon and so on.
Thus, not only should your password be strong, but it should also be unique to each site.
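Enforcing a policy in code, as an added example that is not part of WordPress or the Password Policy Manager plugin: a must-use plugin that rejects weak passwords on the profile screen and the password-reset form instead of merely warning. The 12-character minimum, the character-class rule, the deny-list and the function names are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Minimal Password Policy (added example)
 *
 * Example added to this guide, not WordPress core or a plugin's code. Placed in
 * wp-content/mu-plugins/ it refuses weak passwords when a profile is saved or a
 * password is reset. Thresholds and the deny-list below are assumptions.
 */

// Returns an error message for a weak password, or '' if the password passes.
function ggx_password_problem( $password, $username = '', $email = '' ) {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        $classes += preg_match( $re, $password ) ? 1 : 0;
    }
    if ( $classes < 3 ) {
        return 'Passwords must mix at least three of: lowercase, uppercase, digits, symbols.';
    }
    // Reject passwords built around the account's own identifiers.
    $lower = strtolower( $password );
    $local = (string) strstr( (string) $email, '@', true ); // part before the @
    foreach ( array( (string) $username, $local ) as $needle ) {
        if ( strlen( $needle ) >= 4 && false !== strpos( $lower, strtolower( $needle ) ) ) {
            return 'Passwords must not contain your username or email address.';
        }
    }
    // Constructed deny-list for the example; a real policy would load a large one.
    $common = array( 'password1234', 'wordpress123', 'qwertyuiop12', 'letmein12345' );
    if ( in_array( $lower, $common, true ) ) {
        return 'That password is too common.';
    }
    return '';
}

// Shared handler: read the submitted password and attach an error if it is weak.
function ggx_reject_weak_password( $errors, $login, $email ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // the form did not change the password
    }
    $problem = ggx_password_problem( wp_unslash( $_POST['pass1'] ), $login, $email );
    if ( '' !== $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $problem ) );
    }
}

// Profile screen and "Add New User" (an admin editing any user, or a user editing themselves).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    ggx_reject_weak_password( $errors, $user->user_login ?? '', $user->user_email ?? '' );
}, 10, 3 );

// "Lost your password?" reset form on wp-login.php.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $login = $user instanceof WP_User ? $user->user_login : '';
    $email = $user instanceof WP_User ? $user->user_email : '';
    ggx_reject_weak_password( $errors, $login, $email );
}, 10, 2 );
```

Because WordPress stops saving as soon as the error object is non-empty, the weak password never reaches the database; the user simply sees the message and the form again.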
3. Pick A Good Web Hosting Company
Your website is only as safe as the server it is stored on, which means the web hosting company you choose will have a massive impact on the security of your site. Luckily, most web hosts today have powerful security measures in place that can help prevent some of the most common attacks.
For example, as a GreenGeeks customer, you don’t have to worry about brute-force attacks.
All of our hosting accounts come equipped with WordPress Protect.
Essentially, a brute force attack is when a hacker tries to break into your login area by continually guessing passwords until they gain access. Our system detects multiple failed logins and begins to throttle the connection they come from.
As a result, the attack can no longer be carried out, and your website will suffer no downtime or performance problems. And this is just one of the security measures we have in place to keep the websites we host safe. We also ensure your files, PHP versions, and other files are up to date.
Most importantly, the sites we host are regularly backed up in the event a disaster strikes. If your website is compromised, we can help you get things working again, and locate any back doors that may have been left behind.
Thus, not only does web hosting directly impact the performance of your website, but it also impacts the security. So, make sure to pick a quality web hosting company, otherwise, your website will suffer greatly from it.
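The detection described above, as an added example of the idea rather than GreenGeeks' WordPress Protect or any plugin's code: a must-use plugin that counts failed logins per source address and refuses further attempts for a while once a limit is reached. The limit, the window length and the transient names are assumptions.

```php
<?php
/**
 * Plugin Name: Failed-Login Throttle (added example)
 *
 * Example added to this guide; not GreenGeeks' or any plugin's code. Counts
 * failed logins per source IP in a transient and refuses the login form once a
 * threshold is hit. Thresholds and key names are assumptions.
 */

const GGX_MAX_FAILURES = 5;    // failures allowed inside the window
const GGX_WINDOW_SECS  = 900;  // 15-minute window, also the lockout length

// Key for the visitor. REMOTE_ADDR is only trustworthy when the site is not behind
// a proxy, or the proxy is configured to rewrite it to the real client address.
function ggx_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'ggx_fail_' . md5( $ip );
}

// Record a failure; WordPress fires this for a wrong username or wrong password.
// It also fires for our own lockout error below, so every blocked attempt
// renews the window (a rolling lockout), which is the intended behaviour.
function ggx_record_failure( $username ) {
    $key   = ggx_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, GGX_WINDOW_SECS );
    if ( $count === GGX_MAX_FAILURES ) {
        error_log( sprintf( 'Login throttle engaged for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? '?', $count, sanitize_user( $username ) ) );
    }
}
add_action( 'wp_login_failed', 'ggx_record_failure' );

// Priority 30 runs after the core username/password checks (priority 20), so a
// locked-out address is refused even when it finally guesses the right password.
function ggx_gate_login( $user, $username, $password ) {
    if ( (int) get_transient( ggx_client_key() ) >= GGX_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'ggx_gate_login', 30, 3 );

// Clear the counter on a successful login so legitimate typos do not accumulate.
function ggx_clear_on_success( $user_login, $user ) {
    delete_transient( ggx_client_key() );
}
add_action( 'wp_login', 'ggx_clear_on_success', 10, 2 );
```

A per-address counter does nothing against an attacker spreading attempts across many addresses, which is why a host-level or firewall-level control such as the one described above, combined with strong passwords and 2FA, is still needed.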
4. Enable Two-Factor Authentication (2FA)
Two-factor authentication, or 2FA, is one of the most popular security measures to protect accounts. As such, most websites support it and allow users to enable it on their accounts.
It is safe, easy to use, and most importantly, adds an extra layer of defense to the login area.
Normally, when you log in, you will enter a username or email address and enter your password. With 2FA enabled, users must enter this info, and then they will be asked to enter a one-time password. This password can come from an SMS message, email, or via an authenticator app.
Essentially, this means that even if your login credentials were compromised, an attacker would still need the one-time password, which normally requires your smartphone. Unfortunately, 2FA is not built into WordPress; you will need to install a plugin for it, such as Wordfence.
While there are many plugins that can help you add this feature, the WP 2FA plugin might be the simplest to use.
It gives you the ability to force certain user roles to enable 2FA, or to make it mandatory for all accounts. It supports most authenticator apps, like Google Authenticator, so users won’t have any trouble setting it up.
It’s also worth mentioning that there is an even more secure variant called Multi-Factor Authentication (MFA). This is really only something to consider for an admin account, but it works just like 2FA, except that instead of one extra security code, you use multiple.
For example, after inputting your login credentials, you will need a security code from an authenticator app, as well as one from an email address.
5. Install An SSL Certificate
An SSL certificate is a file stored on your web server that proves to a visitor’s browser that the server it is talking to is the legitimate owner of your domain name. This enables a visitor to make a secure connection to you. SSL ensures that bad actors cannot read or modify data transferred between the visitor and your web server.
In other words, it enables your website to encrypt the connection between the visitor and the website.
Luckily, SSL certificates have become a standard, and are mandatory for websites to have installed today. If not, web browsers will inform the user that the connection is not secure, which would scare off most users.
You can tell a website has an SSL certificate in place when its address starts with “HTTPS”.
So, how do you get an SSL certificate in WordPress? Well, that depends on your web hosting company. For example, here at GreenGeeks, we provide free SSL certificates automatically for our customers. A website cannot function without one today, thus we build it into our plans.
In the event your website is older and did not have an SSL certificate installed from the get-go, simply contact your web host and they will be able to add one for you. It’s a simple thing to do and can help secure data on your website.
Not to mention that not having one will ruin your website’s SEO efforts as search engines like Google do not want to recommend websites that aren’t viewed as “secure.”
6. Change the Admin Username
When WordPress is first installed on your web server, it will create a default admin account. And the username of that admin account is “Admin.” While this might not sound particularly concerning, let me say it another way. Hackers now know what your admin username is.
At least, this is how it used to be. WordPress has identified this issue, thus fresh installs of WordPress today actually require you to pick a unique admin username. However, if you used a 1-click WordPress installation, you might still run into this problem.
Not to mention that if your site is on the older side and you never actually changed the username, it may still be set to Admin.
As such, you should change the default admin username as soon as possible. However, you actually cannot change the WordPress username by default. Instead, you will need to get slightly creative to fix this problem, but rest assured it is actually pretty easy.
There are a few methods you could use to change the admin username in WordPress.
The first is to simply create a new admin account with a unique username and delete the old one. You may think you might lose something, but you won’t. Data is saved to the web server and not the account, thus this is safe to do, especially if you just created a new site.
In the event you have some posts created by that admin account, you will just need to spend some time changing the author to the new account.
The second method is to access your website’s database and change the username within it. It’s a bit more complex but will get the same result.
The final method is to just use a plugin. This is a common issue, thus there are several plugins that can be used to change the username in WordPress.
7. Only Give Users Access to What They Need
WordPress utilizes the User Role system to determine what each user has access to. The admin account has access to everything on a website with no restrictions. As such it is the most powerful user role in the system and should only be in the hands of the site owners.
However, it is not the only user role. By default, the user role hierarchy includes:
I won’t explain what each one does here, but if you are interested, we have a full guide for this. If the wrong user gets assigned a role with too much power, they can seriously damage your site and open the door for malicious attacks.
For example, on paper it might seem like a good idea to allow contributors to edit posts so they can make corrections, but what stops this outsider from adding profanity, SEO redirections, and more to a post without your knowledge? Nothing.
It’s also important to point out that many plugins add their own user roles to the system with plugin-specific power.
It is highly recommended to create custom user roles that give users the bare minimum access they need. If they are missing something, they can just contact you for access.
While you can use code to customize what each user role has access to, the easier option would be to use a plugin. One of the best options would be the User Role Editor plugin. As the name suggests, it allows you to edit what a user role can do and even create new ones.
Advanced Security Solutions
The next options are a little bit more involved, but I use the term “advanced” a bit loosely as anyone can do these steps. They typically require setting up a plugin or adding a line of code somewhere.
In any case, let’s get right into it with the entry you have probably been expecting.
8. Install A Security Plugin
Many people often rush to install a security plugin, and while this is a great thing to do, without some of the other steps we’ve mentioned so far, doing so would leave holes in your website’s security. However, I think this is a really good time to install a security plugin.
When it comes to security plugins in WordPress, there is no shortage of options to choose from.
On one hand, this is great because you have a ton of options available, but on the other hand, this is a problem because you have a ton of options to choose from. You’ll have to sift a bit to find a tool that fits what you’re looking for.
While you are free to pick any security plugin, I would personally recommend the Wordfence Security plugin.
First and foremost, the plugin is free to use. You’ll get a full security system for your site with all of the bells and whistles for free.
When it comes to features, this plugin is loaded. Let’s start with the Wordfence Firewall. It will block malicious traffic from entering your website and also block brute-force attacks before they happen. There is also a malware scanner that examines all of your core files.
It also has several features that boost the security of your login area like enabling CAPTCHA security to block bots, or 2FA which we talked about earlier. You can also block IP addresses of individual users, or IP addresses from countries.
Overall, it is a terrific plugin that offers a slew of security functions for WordPress.
9. Set Up Backups
So far, we have talked about ways to prevent an attack from happening, but how do you recover when one is successful?
Sadly, even if you do everything right, there’s still a chance your security will be compromised at one point or another and perhaps one of the strongest tools at your disposal is a backup.
A backup is a copy of your website that is typically stored in a different location. Many web hosts will automatically back up your website, so this might be something you already have taken care of, which is the case for GreenGeeks customers.
However, it is always recommended to never just rely on a web host. Instead, you should have an additional backup solution at your disposal.
Luckily, WordPress has a ton of great backup plugins to choose from. These plugins typically offer you multiple storage locations in the cloud or their own personal servers. In other cases, the plugin will produce a backup and zip it for you to store on your computer or hard drive.
Most backup plugins allow you to choose exactly which files you want to back up and support automatic backups. You can choose the frequency of the backups and how many backups are stored at once.
The most important thing you need to remember is to never store your backup on your web server.
If your website is compromised, that means a hacker would have access to every file, including the backup. Instead, backups should be stored either in the cloud or on another device to ensure they are always accessible. And most importantly, make sure they are up to date.
Luckily, cloud storage has become quite cheap today with several free options to choose from. Some plugins will automatically send your backups to platforms like Dropbox, Google Drive, or Microsoft OneDrive.
Just make sure to zip your backup otherwise, it may be too big to actually store at a reasonable price point.
10. Update Your PHP Version
The WordPress platform is written using the PHP language. Just like updating your core files, plugins, and themes, the PHP version must also be updated. These updates often include security fixes that help protect your website, thus it is important to keep up with them.
However, what makes this a bit more advanced is that you can’t actually update the PHP version in WordPress.
Instead, you need to choose your PHP version from your web hosting account. It isn’t difficult to do, but some beginners may struggle to find it.
Simply log into your web hosting account and access the cPanel. From there, locate the Software section and select the Select PHP Version option.
There is a long list of PHP extensions that you do not need to worry about as a beginner. Instead, right at the top is your current PHP version. You can use the drop-down to select the latest version.
It is worth noting that most web hosts will not have your website on the latest PHP version. For this reason, even if your account was just set up, you probably can change it to the latest version of PHP.
The main reason is that the latest version can sometimes break WordPress applications when it is brand new. This happens if a developer doesn’t take into consideration changes within the PHP environment.
As such, always have a backup in place and be ready to revert the change as needed.
11. Change the Default Database Prefix
If you have ever taken a moment to look at your WordPress database, you may have noticed that every table name starts with the “wp_” prefix. This is the default when WordPress is installed. As you might have guessed, if it is the default option, that means hackers know exactly what they are looking for.
As such, changing this prefix can help secure your WordPress database by making the tables harder to identify.
This isn’t hard to do and requires you to change the table prefix in the phpMyAdmin area of your cPanel. For clear directions, check out our full guide.
You can use letters, numbers, and underscores when creating a new prefix. While you could create a very long and convoluted prefix, you shouldn’t.
Remember that you will probably need to work with these tables yourself, so making them hard to identify is a double-edged sword. Instead, simply swapping “wp_” for something short like “q223_” or something equally arbitrary will get the job done.
While this makes the key tables harder to locate quickly, it won’t absolutely stop hackers from finding them.
12. Hide the WordPress Version From the Frontend
Have you ever viewed a website and noticed a small disclaimer at the bottom telling users what version of WordPress or whatever CMS they are using? This might seem harmless, but it is actually a huge security flaw.
Let’s say your website hasn’t been updated and is using an older version of WordPress. Well, telling a hacker exactly what version of WordPress you are using allows them to quickly search for security exploits in these older versions.
Clearly, this isn’t a good idea to do. It actually isn’t WordPress that displays this information by default. Instead, it is your theme.
Luckily, if you do notice that your theme is doing this, there is a simple way to fix it. All you need to do is access that theme’s functions.php file and add the following line of code to it:
// Stop WordPress from printing the version-bearing generator meta tag in <head>
remove_action('wp_head', 'wp_generator');
This will simply remove the version message being displayed. In rare cases, this message may be locked behind paying for the Pro version of a theme. In this case, your options are to either pay for it or find another theme.
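The version leaks in more places than that one tag, so here is an added example (not code from the original post or from any theme) that goes a step further: it also empties the generator element in RSS and Atom feeds and strips the core version number from the `?ver=` argument on core stylesheets and scripts. The function name is an assumption; it belongs in functions.php or a must-use plugin.

```php
<?php
// Added example for this guide: remove the WordPress version from every place
// WordPress prints it on the front end, not only the <head> meta tag.

// 1. The <meta name="generator"> tag in <head> (the line shown above).
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS/Atom feeds and other generator strings all
//    pass through the_generator; returning '' suppresses them everywhere.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core CSS and JS are loaded as style.css?ver=6.x.y, which reveals the version
//    just as clearly. Strip the argument only when it equals the core version, so
//    plugins' and themes' own asset versions keep busting browser caches.
function ggx_strip_core_ver( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        // Trade-off: after a core update, visitors may keep a cached copy of
        // core assets until it expires, because the cache-busting value is gone.
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'ggx_strip_core_ver' );
add_filter( 'script_loader_src', 'ggx_strip_core_ver' );
```

Hiding the version is only obscurity: the readme.html file WordPress ships in the site root also states it and is worth deleting, and keeping core updated (step 1) is what actually closes the holes.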
13. Change the Login URL of WordPress
The login area of WordPress is like the front door of your house. And I’m willing to bet you do not leave your front door unlocked when you go to the store. Similarly, you need to lock down your login area in WordPress.
The problem is that everyone knows what the default login URL is in WordPress, but as you might’ve guessed by now, we can change it.
While you can edit the code on the backend of WordPress to adjust this, the far easier way is with the WPS Hide Login plugin. With this, you simply enter a new login URL and set up a redirection for when users try to access the old one.
For example, instead of www.YourDomain.com/login, you could make it www.YourDomain.com/door. You can make it anything at all but avoid using existing pages to do so.
As for the redirection, just send them to a 404 page and make no mention of what the actual login URL is.
If you are looking for more details, feel free to check out our full guide on how to hide your login area URL.
14. Remove PHP Error Messages
If a PHP website runs into an error and error display is switched on, it prints the error message, often including server file paths, on the page itself. Naturally, since WordPress is written in PHP, it can display these messages too. While this is helpful for developers trying to identify a problem, it really isn’t information that a regular user needs to see, let alone a hacker.
As I have said in several of the other tips on this list, giving hackers more information to work with just isn’t a good idea.
These messages should not be on by default but can get turned on if you activate debug mode. Luckily, you can fix this problem quite easily by adding a few lines of code.
While there are several ways to accomplish this, I think the simplest solution is to add the following lines to the wp-config file:
// Place these in wp-config.php above the line that reads /* That's all, stop editing! */
ini_set('display_errors', 'Off');
ini_set('error_reporting', E_ALL);
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
This will disable debug mode and stop any PHP errors from being visible on your website. If you do need to see the errors, you can still view them in the PHP error log in your cPanel.
This is a great resource when troubleshooting problems but does require some coding knowledge to actually take advantage of.
15. Switch from FTP to SFTP
When accessing files for your website, there are multiple ways, and one of the most popular options is to use File Transfer Protocol (FTP).
In simple terms, this allows you to transfer files between two devices, thus you can easily upload or download files from your web server.
SFTP, the SSH File Transfer Protocol (often described simply as secure FTP), is the more secure alternative.
The main difference between the two is that SFTP runs over an encrypted SSH channel, whereas plain FTP sends your username, password, and file contents in clear text. Essentially, this makes it impossible for anyone sitting between you and the server to capture your login credentials or to view or tamper with the files you transfer. Thus, it is far more secure.
In some cases, your web host will actually run an SFTP server, which is what we do at GreenGeeks. This ensures that your data is always safe from prying eyes for the best experience possible.
This is just another example of how important your web host is to the security of your WordPress website.
WordPress Security FAQ
While we have covered a lot of WordPress security tips today, it is only natural that you may have some lingering questions. Here are some of the most frequently asked questions when it comes to WordPress security.
Many banks, investment firms, and other highly sensitive businesses employ this measure to protect accounts from being accessed if the user steps away from a computer. It is not necessary for most standard websites but can enhance security.
CAPTCHA is a security system designed to ensure that the current user is a human. It does this by asking the user to solve some kind of puzzle like identifying text, locating something in an image, or something along those lines. It is effective at what it can do but can annoy users.
For this reason, it is best to keep it simple if implemented on your WordPress site. Most security plugins include it.
Generally speaking, premium plugins offer more features than their free counterparts, which makes them a better option in most cases. While there are great security plugins you can use for free, the premium version usually offers better protection, as such, it is usually worth that cost.
Begin by changing all of your passwords on the website. Then use a backup before the hack to restore your website and begin scanning for malware with a security plugin. You can also contact your web hosting company for assistance as many have malware scanners that you can request.
Absolutely! WordPress by itself is quite secure and constantly patches any security vulnerabilities. The reasons a website is hacked usually have nothing to do with the CMS they choose. It is often third-party tools or human error that are to blame.
No. In most cases, most compromised accounts will belong to normal users as a result of weak passwords, or passwords that were compromised on a different site. Hackers aim for any vulnerability and not just at the top.
No. The security measures in this guide focus on protecting your site and the accounts associated with it. Protecting your content is a different form of security and if you are interested, check out our full guide on how to protect your content with a copyright.
WordPress Security Checklist
With our list complete, let’s take a look at everything you should do to secure your WordPress site:
- Update Plugins, Themes, & WordPress Core
- Use Strong Passwords
- Choose A Great Web Host
- Enable 2FA
- Install An SSL Certificate
- Change the Admin Username
- Properly Assign User Roles
- Install A Security Plugin
- Set Up A Backup
- Update Your PHP Version
- Change The Database Prefix
- Hide What WordPress Version You Are Using
- Change The Login URL
If you can do all of this, your website is safe from 99.9% of threats. You can never be 100% safe, but with this, you can sleep easy knowing your WordPress website is safe and secure. This gives you more time to worry about your next piece of content.
Improve Your WordPress Security Today
As you can see, there are a lot of steps you can take to secure your WordPress site today. While it can seem a bit overwhelming at first, realistically, you could probably go through this checklist in under an hour without much trouble.
Most of the steps include changing default WordPress install information, which are often things experienced hackers look for. Probably the most time-intensive thing on this list would be choosing an excellent security plugin and getting it set up.
However, if you follow my recommendation of using Wordfence, you won’t have any trouble.
Just keep in mind that you should also consider the user experience when adding some of these features. You can easily hinder the experience, which can make many users look elsewhere to get their content. Always test everything from the perspective of a regular visitor.
Which security plugin do you use in WordPress? Has your website ever been hacked?