There are simple and difficult, free and commercial ways to make WordPress more secure. The question is not IF you will get hacked, but WHEN. The more you do to secure your web site, the better.
Update 11 May 2017: After miserable experiences with SiteLock’s sales staff, I can no longer recommend them. I recommend a secure host, iThemes Security Pro and CloudFlare as an alternative if you’re looking for malware scanning and a web application firewall (WAF).
Below are minimal steps that you should take to help secure WordPress, in order of importance:
- Keep WordPress, plugins and themes updated – There are a number of ways that you can do this:
- If you are working with a web site that isn’t too complex and/or doesn’t need to be babysat, WP Update Settings is a great plugin. It allows you to configure what to update: WordPress minor updates, major update, plugins and/or themes. It also has the option to notify you of updates. Configure as needed.
- You can update your plugins manually if you prefer. A monitoring service helps you notice when updates are pending; the free tiers of ManageWP or InfiniteWP work for this (I personally like the interface of InfiniteWP).
- You can also modify your wp-config.php to enable automatic WordPress core major and/or minor updates.
- Secure your /wp-admin and wp-login.php files – These are the single most common point of attack. Renaming or hiding these entry points cuts down the automated brute-force traffic that hits every WordPress site, but it is obscurity, not protection: the credentials behind them still have to hold up.
- Don’t use easy admin usernames. Bots doing brute force attacks try common or obvious usernames first. Some examples of often-tried usernames: admin, administrator, yourdomain.com, yourdomain, superadmin, webmaster, developer.
- Don’t use weak passwords / enforce strong passwords – Don’t use easy-to-guess passwords like ‘123456’ or ‘buffalo’. These fall to a standard dictionary attack in seconds. Some options:
- If you are creating your own logins, use the password generator, or if you want something easier to remember, the usual rules apply. For example, think of a phrase like “My cat likes to catch little mice.” Your password could be something like: Mc@tL2CLm1ce. Be creative, and do not reuse the example above, since any password printed in a guide ends up in the attackers’ dictionaries.
- If your system allows user registration, you could consider a plugin such as Force Strong Passwords or iThemes Security.
- Make sure your web site is hosted on a reputable host – According to this WP Security White paper, 41% of web sites were hacked through a security vulnerability on their hosting platform. Some examples of known, reputable hosts are: WP Engine, InMotion, HostGator, SiteGround and GoDaddy.
- Change your security salts – The WordPress security keys and salts are mixed into the hashes that sign authentication cookies and nonces, so without them an attacker cannot forge a logged-in cookie; they do not encrypt anything. They live in wp-config.php, and some providers generate unique values by default. If they still hold the placeholder text that ships in wp-config-sample.php, you will want to change them. Changing them also logs out every existing session, which is useful right after a suspected compromise.
- Two-step authentication – You can use a plugin such as the Google Authenticator, which will require you to enter a code that changes periodically. You will have to install an app on your smartphone to get the code each time you login. There are other two-step authentication plugins available. I find this to be somewhat of a nuisance if you login frequently, but it does provide an excellent level of security.
- Delete plugins and themes that you’re not using – Deactivating a plugin only stops WordPress from loading it; its files stay on disk and can still be requested directly by URL, so an unpatched bug in them is still reachable. If you do not plan on using them, it is good practice to delete them.
- Only download plugins and themes from reputable sources – A plugin from an untrusted source may not have been updated for a while (and thus may contain known security holes) or may carry malicious code injected for an attacker to wreak havoc, which is a common way “free” copies of paid plugins are distributed. Some commonly-trusted sources include ThemeForest/CodeCanyon and the WordPress Plugin Repository.
- Require HTTPS for Admin and Logins – If your site has HTTPS support (check out my HTTPS guide if you don’t), you can require that WordPress logins and the dashboard be served over HTTPS by setting FORCE_SSL_ADMIN in wp-config.php, so passwords and auth cookies never cross the network in the clear.
- Disable the Plugin and Theme Editor – Anyone who gets an administrator login can otherwise use the built-in editor to write arbitrary PHP into a plugin or theme file and turn the account takeover into code execution on the server. If you don’t need the editor, disable it with DISALLOW_FILE_EDIT in wp-config.php.
- Consider changing your table prefixes – The default WordPress table prefix is wp_. The idea is that someone who finds a SQL injection in your site would otherwise already know the table names.
UPDATE (12/28/2016): WordPress Table Prefix: Changing It Does Nothing to Improve Security. Any injection that can read the schema can read the real prefix, so leave this one alone.
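The wp-config.php items above (automatic updates, security salts, HTTPS for admin and the file editor) collected into one fragment. This is an added example, not code from the original post; the constant names are WordPress’s own, but the salt values are placeholders you must replace, the boot-time guard that refuses placeholder salts is this example’s addition, and the X-Forwarded-Proto lines assume a TLS-terminating proxy such as CloudFlare in front of the server.

```php
<?php
// wp-config.php hardening fragment (added example, not from the original post).
// Put these lines above "/* That's all, stop editing! Happy publishing. */".

// Keep WordPress updated: take minor AND major core releases automatically.
// Use 'minor' instead of true to accept only security/maintenance releases.
define( 'WP_AUTO_UPDATE_CORE', true );

// Change your security salts: every value must be a long, unique random string.
// The generator at https://api.wordpress.org/secret-key/1.1/salt/ prints a ready-made
// block. The values below are placeholders and must be replaced before use.
define( 'AUTH_KEY',         'REPLACE-WITH-64-RANDOM-CHARACTERS' );
define( 'SECURE_AUTH_KEY',  'REPLACE-WITH-64-RANDOM-CHARACTERS' );
define( 'LOGGED_IN_KEY',    'REPLACE-WITH-64-RANDOM-CHARACTERS' );
define( 'NONCE_KEY',        'REPLACE-WITH-64-RANDOM-CHARACTERS' );
define( 'AUTH_SALT',        'REPLACE-WITH-64-RANDOM-CHARACTERS' );
define( 'SECURE_AUTH_SALT', 'REPLACE-WITH-64-RANDOM-CHARACTERS' );
define( 'LOGGED_IN_SALT',   'REPLACE-WITH-64-RANDOM-CHARACTERS' );
define( 'NONCE_SALT',       'REPLACE-WITH-64-RANDOM-CHARACTERS' );

// Guard (example's own addition): refuse to boot with placeholder or short keys
// rather than silently run with forgeable authentication cookies.
foreach ( array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                 'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' ) as $key ) {
    $value = constant( $key );
    if ( strlen( $value ) < 32
         || false !== stripos( $value, 'put your unique phrase' )
         || 0 === strpos( $value, 'REPLACE-' ) ) {
        die( 'Refusing to start: ' . $key . ' in wp-config.php is still a placeholder.' );
    }
}

// Require HTTPS for admin and logins. Behind a TLS-terminating proxy (CloudFlare, a load
// balancer) PHP sees plain HTTP, so honour the proxy's header first or FORCE_SSL_ADMIN
// produces a redirect loop. Only do this when the proxy is the sole way to reach the
// server; a client that can connect directly can set X-Forwarded-Proto itself.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
define( 'FORCE_SSL_ADMIN', true );

// Disable the plugin and theme editor so a hijacked admin session cannot write PHP from
// the dashboard. DISALLOW_FILE_MODS goes further (no installs or updates from the
// dashboard at all) but also switches off the automatic updates enabled above, so only
// use it where you deploy code some other way.
define( 'DISALLOW_FILE_EDIT', true );
// define( 'DISALLOW_FILE_MODS', true );

// $table_prefix is deliberately left at the default 'wp_' (see the update above).
```

After saving, load the login page once over HTTPS and once over plain HTTP; the latter should redirect rather than loop, and the Plugins menu should no longer show an Editor entry.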
- Protect /wp-includes/ – Files in this folder never need to be requested directly by the browser, so blocking direct access is a cheap defence-in-depth measure: if a file in there turns out to be exploitable on its own, the attacker still cannot reach it. See this guide for instructions (it requires access to, and the ability to edit, the .htaccess file in the root of your web site).
- Consider disabling XML-RPC – XML-RPC is used for pingbacks, trackbacks and to allow apps (such as mobile or other blogging clients) to remotely access your site. It is regularly abused: the pingback method turns your site into a reflector against someone else, and system.multicall lets an attacker test hundreds of passwords with a single request, bypassing per-request login limits. If you do not need it, disable it. You can always re-enable it if something (Jetpack, the mobile app) breaks.
- Hide the WordPress version number – WordPress prints its version in a generator meta tag, in the feeds and in the ?ver= parameter of core scripts and styles, which lets a scanner pick exploits that match your release. Removing it raises the bar slightly; it is no substitute for updating, since readme.html and file fingerprints still give the version away to a determined attacker.
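A must-use plugin that covers the code-level items above in one file: disabling XML-RPC, hiding the version number, refusing the commonly-tried usernames listed under “Don’t use easy admin usernames”, and a minimum password policy for “enforce strong passwords”. This is an added example, not code from the original post or from any of the plugins it reviews. The hook names (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `illegal_user_logins`, `user_profile_update_errors`, `validate_password_reset`) are real WordPress hooks; the function names, the password thresholds and the small most-guessed list are this example’s assumptions.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Description: Disables XML-RPC, hides the WordPress version, refuses commonly-guessed
 *              usernames and enforces a minimum password policy. Save as
 *              wp-content/mu-plugins/site-hardening.php; must-use plugins load before
 *              regular plugins and cannot be deactivated from the dashboard.
 */
defined( 'ABSPATH' ) || exit;

/* Disable XML-RPC: the endpoint is abused for pingback reflection attacks and for
 * credential stuffing through system.multicall (hundreds of logins per request). */
add_filter( 'xmlrpc_enabled', '__return_false' );      // rejects every authenticated method
add_filter( 'xmlrpc_methods', function ( $methods ) {  // pingbacks need no login, remove them too
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {      // stop advertising the endpoint
    unset( $headers['X-Pingback'] );
    return $headers;
} );

/* Hide the WordPress version number from the <meta name="generator"> tag, the feeds
 * and the ?ver= query string on core scripts and styles. */
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function site_hardening_strip_ver( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'style_loader_src', 'site_hardening_strip_ver' );
add_filter( 'script_loader_src', 'site_hardening_strip_ver' );

/* Refuse the usernames bots try first when a new account is created. Existing accounts
 * are not affected; rename an existing "admin" user separately. */
add_filter( 'illegal_user_logins', function ( $logins ) {
    $host = (string) wp_parse_url( home_url(), PHP_URL_HOST );   // yourdomain.com
    $bare = preg_replace( '/\.[a-z]+$/i', '', $host );           // yourdomain (naive TLD strip)
    return array_merge( $logins, array( 'admin', 'administrator', 'superadmin',
        'webmaster', 'developer', $host, $bare ) );
} );

/* Minimum password policy. The thresholds are this example's assumption, not WordPress
 * defaults. Returns a message describing the problem, or null if the password passes. */
function site_hardening_password_problem( $password ) {
    static $most_guessed = array( '123456', '12345678', '123456789', 'password',
        'qwerty', 'letmein', 'welcome', 'buffalo' );   // constructed sample list
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    if ( in_array( strtolower( $password ), $most_guessed, true ) ) {
        return 'That password is among the first a dictionary attack will try.';
    }
    $classes = (int) preg_match( '/[a-z]/', $password ) + (int) preg_match( '/[A-Z]/', $password )
             + (int) preg_match( '/[0-9]/', $password ) + (int) preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        return 'Use at least three of: lower case, upper case, digits, symbols.';
    }
    return null;
}
// Profile edits and admin-created users: the new password arrives on the user object.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        $problem = site_hardening_password_problem( $user->user_pass );
        if ( $problem ) {
            $errors->add( 'weak_password', $problem );
        }
    }
}, 10, 3 );
// Password-reset and new-user "set your password" forms: the password arrives in pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        $problem = site_hardening_password_problem( (string) wp_unslash( $_POST['pass1'] ) );
        if ( $problem ) {
            $errors->add( 'weak_password', $problem );
        }
    }
}, 10, 2 );
```

To check it took effect, POST anything to /xmlrpc.php and expect a fault response for the login methods, view the page source for a missing generator tag, and try to register a user named admin. Remember that `illegal_user_logins` only applies to account creation, and that an XML-RPC block will break the WordPress mobile apps and Jetpack until it is lifted.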
- Backup your site – There are many plugins and services to backup your site locally or remotely (preferred).
- CodeGuard – This is a very robust and automatic backup solution that is easy to use. It requires a monthly subscription.
- Duplicator – This is one of the more popular free plugins and allows you to store a copy of your site locally. There is also Duplicator Pro, which supports remote storage as an option.
- iThemes BackupBuddy – This is one of the more popular commercial plugins, though it doesn’t have the easiest-to-use interface. It includes 1GB of online storage space, or you can use your own. If you prefer a one-time fee, they also offer BackupBuddy Gold if you contact sales. I like BackupBuddy Gold because there is no recurring fee, which can add up if you have multiple sites.
- Scan your web site – There are plugins and services that will scan your web site for malicious code. Some are limited to external scans (scanning only what the browser sees) like Sucuri. More robust solutions such as iThemes Security Pro and SiteLock will scan the contents of the files on your site as well. My personal preference is iThemes Security Pro because of relative value (it’s an annual fee unless you go Gold, however, it ends up being cheaper per month than SiteLock).
- iThemes Security – An all-in-one security plugin that covers most of your security needs. This is my favorite security plugin that I’ve used. There is an iThemes Security Pro available, but it requires an annual subscription. If you prefer to pay a one-time fee, they also have iThemes Security Pro Gold. iThemes Security Pro adds the following features:
- Scheduled Malware Scanning
- Built-in Two-Factor Authentication
- reCAPTCHA Protection, User Logging, Password Expiration and more…
- WordFence Security – This is an excellent security solution as well that I used for years. A pro version is also available. One thing that stands out about WordFence is its reporting – you can see where most of your attacks are coming from (for example, the majority of my attack attempts come from Ukraine). Knowing this information, you could use a plugin like IP Geo Block.
- Block Bad Queries (BBQ) – I like this plugin because it silently sits in the background and adds additional security by blocking malicious, malformed requests. I have successfully used it in conjunction with both iThemes Security and WordFence. A feature-limited free version is available.