WordPress Security – 9+ Steps To Hack-Proof Your Website

As a previous web hosting company owner, I managed hundreds of servers and thousands of WordPress installations. I’ve seen hackers do many nasty things.

Not only at a loss of hours to repair the damage done, but millions of lost revenue and trust by a website’s visitors.

My key takeaway is you must reduce your risk now and secure your WordPress website. If you don’t take WordPress security seriously, it’s not a matter if you’ll get compromised, but when.

Unfortunately for most, security is only considered after a website is hacked. Don’t be one of those individuals and properly spend the time and money to secure your WordPress now.

Is WordPress Secure?

The short answer is yes WordPress is secure.

Though the data shows an alarming 90% of all compromised websites are WordPress-based. While that may be true, WordPress has a huge bullseye target on its back.

The reason is WordPress is the most popular website platform by a huge margin. Over 42% of all websites on the Internet use WordPress. Wix is a far distant second.

Since WordPress is a big hacker target, security is critical you get right.

WordPress itself isn’t an insecure platform. If anything WordPress core code, with a few exceptions, has been very secure. Since it has a wide acceptance it also means hackers and security professionals have looked very closely at the open-sourced code. WordPress has been a subject of much security peer review.

The problem with WordPress is more to do with the extendability and flexibility of the WordPress platform itself. There are literally thousands of free and commercial WordPress plugins and themes to choose from. Not all of them were created with the utmost security in mind.

Not to mention, WordPress can be configured in many different ways where it is possible to do something foolish and set it up an insecure WordPress blog.

Let’s discuss the specific steps of what you can do to make sure your WordPress is secure.

Many of my recommendations are WordPress specific, but some (like the use of strong passwords) can apply to any website.

What I discuss will not 100% eliminate a chance of getting hacked. After all, the classic saying in computer security is the only secure computer is a computer unplugged and locked in a safe. What I suggest will severely reduce your risk to close to zero where a hacker will choose easier targets.

Unfortunately, there are far too many other websites that can be easily hacked.

1. Find A Secure WordPress Host

You can have the most secure WordPress installation but if your web host is compromised, it’s game over man! Game Over!!

Your choice in WordPress Hosting matters.

Server hardening is the first and critical step in WordPress security.

It should be said, all of the large WordPress hosts are secure to some degree, but it is a black box to you as the customer. You really don’t know the security methods used other than what they tell you. For obvious reasons, a web host will never reveal all of their security measures partly to thwart attacks from the very hackers they are trying to block.

Though there are some tell-tail signs a web host isn’t taking security seriously. Here are some warning signs you should look out for with your choice of WordPress host:

• Outdated Software – Such as control panel, older versions of PHP, and operating system.
• Lack Of Transparency – No notifications when outages or security breaches occur. You only discover them after the fact.
• No Status Page – There’s no status page to alert you the state of their services.
• One Data Center – As a business risk, no web host should have all of their eggs in one basket (data center). Not only for security reasons but for other factors such as environmental (hurricanes, earthquakes, fire, etc.).
• No DDoS Attack Mitigation – Hackers can overwhelm the network capacity of a web host by commanding their bot networks to attack a server. This is known as a Distributed Denial-of-Service (DDoS) attack. There are network routing methods that can migiate such DDoS attacks and if your web host doesn’t offer this could be considered a possible risk.
• Constant Downtime – While directly not a security issue, it shows how well operations and hardware intrastructure is managed. A good system administrator should not be seen or heard.
• Password Strength – If your web host’s control panel doesn’t require a certainly level of complexity of your chosen password. That’s a possible warning sign of other areas of lax security.

Type Of Web Hosting Also Matters

Your choice in the type of web hosting matters as well. Shared web hosting is the cheapest but can also be the least secure.

With shared hosting, all it takes is one insecure website that can be compromised. A hacker can then overwhelm that website which slows down all of the websites hosted on the same server. This is the best-case scenario.

In the worst case, it could allow the hacker to ‘root‘ the webserver compromising all accounts on the server. The hacker gains access not only to the compromised account but all accounts on the web server. There are root toolkits hackers use to automate this process. Fortunately today, ‘rooting’ is a rare occurrence but it does happen.

The next level up from shared hosting is getting a VPS(Virtual Private Server) or cloud hosting. In the WordPress universe, this is typically known as managed WordPress hosting.

A VPS has the added benefit of more control of what services to run. Don’t need email hosting because you use Google Workspace? A VPS typically can control the services needed to run your website. This gives fewer attack vectors for a hacker. A shared host doesn’t have that option since you are sharing the webserver in some cases thousands of other customers.

A VPS for all intent and purposes is like a dedicated server but done via software to divvy a real server. Since VPSes are created via software they can be hacked.

VPSes are not as secure as dedicated hardware. A dedicated server is the ultimate in security but comes with other issues (such as redundancy) outside the scope of securing a WordPress install.

For most website owners, a VPS or managed WordPress hosting is a good enough compromise in security with more reliability and redundancy.

It may cost more than basic WordPress hosting, but in the end, you’ll know your WordPress software will be more secure.

2. Run A WordPress Site Health

You must get a lay of the land and know the current state of your WordPress installation.

The creators of WordPress are fully aware of the security risks. In recent versions, they’ve added a Site Health option.

To Access Site Health in WordPress under the ‘Tools‘ menu and select ‘Site Health‘.

You get a rundown of your overall WordPress setup and recommended changes to better secure your installation.

In the Info tab, you can get versions of the software installed such as:

• WordPress core
• PHP
• PHP configuration
• Web server
• Operating system and release
• MySQL
• Theme

It’s a quick rundown of your WordPress set up by your web host. Though it’s not 100% complete. To get a complete audit of PHP, I recommend using the WordPress plugin phpinfo() WP.

It runs the php_info() function to give you a full rundown of the PHP you are using, modules installed and any PHP caching to improve performance.

Take that list and compare what’s available currently. Check to see if the version currently used has a known security risk.

In your research of installed software, contact your web hosting provider if there are newer versions you can use. If not then that’s perhaps a warning sign of how secure is your web host service.

3. Keep WordPress Updated

One of the easiest things you can do to keep your WordPress secure is to keep your WordPress core, WordPress theme, and plugins all updated.

It should be said to first backup your website before anytime you update WordPress.

To see a list of updates needed, in WordPress view the administration menu ‘Dashboard‘ section and select ‘Updates‘. You should see something similar below.

WordPress Core

If there’s any part of this I would recommend automating are the WordPress core updates. WordPress can update automatically when minor versions are released.

Your WordPress Theme

Your choice of WordPress theme not only matters from what the users experience but can affect the security of your WordPress installation.

WordPress themes have been the source of attacks. Some WordPress themes have special functionality or libraries that a hacker attacks

Installed WordPress Plugins

Outdated or insecure WordPress plugins is the #1 method a hacker will gain access.

By very nature, the more WordPress plugins installed, the less secure your WordPress. I’m very picky about which WordPress plugins I’ll install. This is not only for security reasons but also for performance.

It is recommended to keep your WordPress installation at an absolute bare minimum of plugins and customizations.

That being said, you should always keep your WordPress plugins with the current version. It is an easy vector for a hacker to spot a known vulnerability, and then scan the Interwebs for WordPress installations with that known security flaw.

Any WordPress plugins you no longer use should be disabled and then removed. Keeping disabled plugins can cause a security risk since the files can be still accessed from your website.

Separate WordPress Installations By Purpose

It’s no surprise of WordPress’s extendability can make it a performance pig.

A simple way to secure WordPress is to isolate by installation. While my public website may be hacked because of an outdated plugin, my membership area is still functioning because it lacked that very plugin.

For this very website, I have 3 different WordPress installations based upon purpose:

• larryludwig.com – Public facing content that’s indexable by Google with a focus on performance
• welcome.larryludwig.com – Landing pages for paid traffic using OptimizePress and is blocked by Google since I do not want these landing pages indexed by Google.
• members.larryludwig.com – Private membership website and my courses

The needs for each subdomain section are much different.

Each is a separate WordPress installation and runs only the plugins needed to manage that website. I’ve found this is a much better way to secure WordPress. It gives the public-facing part of my website the least amount of plugins to not only make it more secure but faster-loading for SEO.

Depending upon your web host, this type of setup may cost more. Though many hosting plans already include multiple website hosting.

4. Malware Scanning

Malware is the most often WordPress hack. Unlike website defacements, where it’s apparent your WordPress blog has been compromised, malware in most cases is hidden from public view.

Personally, in my years as a web host operator, I saw hundreds of WordPress installations with malware. In almost all cases, the website owner was unaware.

Malware can break your blog but can infect website visitors, attack other websites, or worse yet steal personal information stored in your WordPress.

You need a service like Sucuri that will detect, alert and help remove malware.

Sucuri will check multiple times a day via a server file scan if your WordPress installation has been compromised. It scans your WordPress installation for any known installed malware. Plus if you do get compromised included in Sucuri’s monthly fee is free malware removal.

Sucuri also includes a WordPress plugin that has some free features including options to harden your WordPress installation.

5. Backup WordPress

I can’t recommend enough for having a solid backup strategy in place for your website. Often backups are an afterthought until it’s too late. Even if your web host offers free backups, no one cares more about your data than you do!

It’s critical to have multiple backups of your WordPress installation. Ideally at least 30 days’ worth of backups. I’ve seen cases where malware was installed months ago and the client does not have a clean backup that does not include that malware.

If your WordPress website is important (of course it is duh) I recommend BlogVault. It’s an easy-to-use WordPress plugin that backups your files off-server in their cloud service. To restore a backup of WordPress is easy to do and allows you to be back and running quickly.

BlogVault includes a firewall, uptime monitoring, and automated WordPress updates. While it’s nice BlogVault has this all-in-one package, I personally prefer Sucuri and Cloudflare for these respective features.

6. Use Strong Passwords

Don’t use the Spaceballs password ‘12345’ for your WordPress login.

Unfortunately, the reality isn’t too far off. According to the firm Lookout, the 10 most common passwords are:

1. 123456
2. 123456789
3. Qwerty
4. Password
5. 12345
6. 12345678
7. 111111
8. 1234567
9. 123123
10. Qwerty123

I recommend using a password manager for all passwords. Not only should your password be random characters, but I also recommend the following password parameters:

• 16-24 characters in length
• Unique and not not used with another service
• Includes uppercase, lowercase, numbers and special characters (ie: &,%, $, !, etc.)
• Not stored in any publically accessable area.

Get A Password Manager

Instead of writing down passwords on a Post-It note on your monitor, I recommend using a password manager. 1Password is the one I use and trust. 1Password can not only store your passwords but can automatically generate passwords for you. It supports every major operating system and smartphone device. It automatically syncs your passwords between devices.

It’s an easy tool to set up and a must-have for any user online. I store every password I use online with 1Password. With my former web hosting company, I used 1Password to manage over 1,600 passwords!

Set Up 2 Factor Authentication

Amping up WordPress login security to eleven is easy.

You want to increase security by not only something you know (ie a password) but another possible attribute. The two other options for authenticating an individual are:

• A physical attribute — Your eye, palm, fingerprint, or face
• Something on your person that’s transportable — Keyfob, USB device, rfid card, or phone

I’m a fan of using two-factor authentication by phone application. While it isn’t the most secure method, it is more secure than other popular methods of by email authentication, or SMS text. a dedicated keyfob or USB device is the most secure because can also be most time-intensive. For the purpose of securing a WordPress blog, a two-factor app on your smartphone should be enough.

Google has a free app for iPhone and Android but I do not recommend it. If you were to lose or get damaged all of your 2F keys are gone. That means you must have to reset all of your accounts using two factor. So I do not recommend this app.

Authy Desktop is what I recommend. While 1Password does also support two-factor, I prefer having my passwords and two-factor information in separate applications/services. Should one service get compromised the other in theory should be secure.

You’ll need WordPress to support Two Factor Authentication. Fortunately, there is a free WordPress plugin that supports the basics oddly enough called Two Factor Authentication.

The premium version adds:

• 30-day trusted devices
• Turn on-off per user
• Emergency codes

7. Install A Web Application Firewall

Gone are the days a hacker would manually attack a website to find an insecure server. Instead, hackers have literally millions of bots (already compromised websites and personal computers) that are constantly scanning the Internet for insecure software.

It has been reported by Statista, the number of bots in 2016 was 51.8% of all online traffic!

One can assume that is much higher today. Worst yet, these bots can sometimes appear to be users on your website giving you a false sense of website audience or click fraud. They can not only falsify your web analytics but can jam up your email list.

Without hesitancy, I recommend and use Cloudflare to better secure your WordPress installation.

To better protect WordPress, it’s best to prevent hackers from ever knocking at your door. If you have an unknown vulnerability (which is always possible) blocking access is the first line of defense.

There are plenty of WordPress security plugins like WordFence or JetPack that do the work of Cloudflare but at the WordPress level.

Though I personally rather have security higher up the network chain than tax my WordPress installation. In my opinion, you are best to have WordPress focus on serving your web pages, then perform tasks like security checking. It hinders the performance of your WordPress unnecessarily.

Plus today with the millions of computers a hacker may have access to, an attack is very widely distributed. In plain English, many WordPress plugins that try to thwart attacks are useless in brute force attacks. It is not uncommon for a hacker to use one IP address and you’ll not see that same IP address used again until days later.

WordPress plugins that block logins after 3 attempts from the same IP address are less than useless.

What Cloudflare Offers

Cloudflare has a free option, though I recommend at least getting the ‘Pro’ option which is only $20 per month.

Cloudflare offers these services:

• DNS Hosting
• DDoS Protection
• Web Application Firewall (WAF) (in Pro edition)
• Managed Rules (in Pro edition)
• Page Caching
• Minification of HTML, CSS and JavaScript
• Free SSL encryption

Enable Firewall Rules

Cloudflare gives you many options to better secure your WordPress installation.

As you can see this 24-hour window of this very website, I’ve blocked a significant amount of traffic.

Here is my recommended option to set up with Cloudflare.

Allow Bots

The first rule is making sure I allow known bots to monitor and analyze my own website so they aren’t blocked by mistake by Cloudflare. At the moment, this list is for excluding Ahrefs, and Pingdom since these are bots I DO want to access my website. Cloudflare is fully aware of bots like GoogleBot and Bing so you do not need to set up special rules for those bots to index your website.

Block ‘Bad Actor’ Countries

Not every country is friendly to commerce. Some countries are more prone to hacker networks and bots. Also, I have no desire to work with some countries where language is a barrier because my content is in English.

The second step in my Cloudflare firewall setup is to outright block countries I do not want access to my website. Do not pass go, and go directly to jail! Sorry, not sorry. My Cloudflare rule is as follows:

(ip.geoip.country in {"RU" "KP" "NG" "IR" "AF" "IQ" "UA" "VE" "CU" "TR" "BD" "PK" "NP" "RO" "EE" "LV" "SY" "EG" "HT" "SO" "YE" "ZW" "CG" "CD" "ER" "CF" "KE" "BR"})

This firewall rule blocks the following countries from accessing my website:

• Russian Federation
• North Korea
• Nigeria
• Iran
• Afghanistan
• Iraq
• Ukraine
• Venezuela
• Cuba
• Turkey
• Bangladesh
• Pakistan
• Nepal
• Romania
• Estonia
• Latvia
• Syria
• Egypt
• Haiti
• Somalla
• Yemen
• Zimbabwe
• Congo (Brazzaville)
• Congo (Kinshasa)
• Eritrea
• Central African Republic
• Kenya
• Brazil

Surprisingly, most of my attacks are coming from Venezuela and Cuba. Two countries where it’s almost 100% chance they aren’t interested in blogging or how to start a blog.

It should be noted this is a personal decision. Your mileage may vary depending upon your audience and security needs. Adjust accordingly.

For example, I get little traffic from mainland China, yet China is a big source of bot traffic. In my case instead of outright blocking China, I placed them in my Cloudflare ‘Bot Test’ rule (see next section).

My friend Steve, on the other hand, has lots of traffic from that area of the world. He would be foolish to block. One could argue not to even bot test since that can delay first-time visitors. In Steve’s case might be better suited to use Cloudflare’s Managed Rules (see below) to thwart most attacks from China.

With my previous blog Investor Junkie, GDPR became a thing.

I decided instead of dealing with the headaches of GDPR compliance, blocked all European Union (EU) countries. Not only was the EU a very small part of my website traffic, but there were also US FATCA laws that many of the financial firms must comply with.

This made them visiting my blog moot since the firms would not accept foreign resident applications anyways. The only visitors I got were onlookers of US investing or expats. Neither audience I was able to help with.

Block Bots

The second rule I created is for the countries that I will accept traffic but it is a high risk for bot traffic. I would much rather have a lower analytics count than bots traversing my website.

(ip.geoip.country in {"IN" "CN"})

Within Cloudflare, it uses the newer firewall rule called Managed Challenge. The user (or bot) gets shown a web page like this below if it’s the first time visiting your website.

If it’s a bot they don’t get through. If it’s a person, it redirects to the webpage they requested. While this interstitial page is a turn-off for real people (it will increase the bounce rate), that’s the downside I’m willing to take for high-risk countries.

Enable Managed Rules

Cloudflare has thousands of pre-built firewall rules to block hackers and attacks from visiting your website. These rules scan for attacks and if detected will either:

• Default – Keep the default rule that Cloudflare has in place
• Block – Block visitor from accessing the web page
• Disable – Turn off the rule
• Simulate – Does not do anything when detecting the event and logs the event.
• Challenge – use Cloudflare’s test to determine if it’s a user or a bot

For each rule, you can adjust from the default.

I’ve modified the rules to my own liking and issues with my website setup. From my experience firewalls and Cloudflare in particular, not all rules accurately detect an attack. Be aware false positives can occur and should monitor your traffic reports in Cloudflare.

8. Enable SSL

Today if aren’t using SSL it not only puts your website at risk, it also hurts your SEO rankings. Google has stated the use of SSL is a ranking factor. If your website isn’t using SSL you should enable it now. Fortunately, there are many free options such as using Cloudflare or many web hosts using Let’s Encrypt for SSL certificates.

The important fact is to get it SSL enabled.

I have a simple tutorial on how to install an SSL certificate for WordPress.

9. Log Capture and Analysis

Last, but not least, is creating a breadcrumb trail of WordPress events.

Out of the box, WordPress does not have such capability. If you are running a WordPress website that stores private information, you want to ensure PCI compliance and audit trail of events for your WordPress website.

WP Activity Log allows you to capture and send to a remote log server every important event that occurs within WordPress such as:

• Login of users to wp-admin
• Installation, updates and removal of WordPress plugins or themes

WP Activity Log is a plugin I use on my membership system and when I use WooCommerce. It’s a must-have WordPress plugin if security is of the utmost importance. It allows a paper trail of all of the events that occur on your WordPress installation.