Illustration of WordPress security at work

Guide to WordPress security

SecurityCategory
26 min read
Art Martori

A great-looking, high-performing website can be the key to success online, and WordPress checks all the boxes. It's almost infinitely scalable and capable of nearly endless functionality. However, as with any website, WordPress requires security measures to keep it online and running at its best.

This WordPress security guide will empower you to thwart bad actors seeking to exploit the website you so lovingly crafted. Implement the strategies included here, and you'll likely leave hackers and attackers tooting their sad trombones as they look for an easier target.

Launch your business in minutes with GoDaddy Airo™

Quick navigation

Ready to dive in? Here's what we'll cover:

Is WordPress a secure platform? Are WordPress websites vulnerable to attacks?

When it comes to the overall security of WordPress, it might be helpful to imagine it as an old-fashioned safe. If you keep that safe maintained and run it as intended, then yeah, it's going to keep out the bad guys. But if you let your safe get rusty or, worse, leave it unlocked, then it's not going to be very secure.

While a WordPress site might get targeted by bad actors — just like any website application — security incidents most often stem from negligence. Also consider that WordPress is supported by an entire community striving to keep it secure.

If you'd like to keep track of the security measures and updates in WordPress, check out the security section of their blog.

A panel of industry experts watch over the platform’s core; release cycles are stable and regular, and security best practices are firmly established for developers across both themes and plugins.

WordPress is an increasingly locked-down platform. Standard procedures for keeping safe as a WordPress site owner are also now widely understood.

All that said, it remains worth your while to regularly keep up to speed with security issues and developments in both the platform’s core and the wider ecosystem of themes and plugins.

Back to Top

Why you need to secure your WordPress website

Even if you're only dabbling with WordPress, your site can still be a target for hacks and attacks. Imagine sending friends and family to that WordPress website you're so proud of building, only to find your pages displaying odd messages for prescription medication or online gambling.

That's called SEO spam, and it's one of the most common types of infection. It doesn't matter if you're small time — hackers only care about gaining access to a site in order to further their schemes.

Sounds embarrassing, right?

Well, now imagine you're running a business and store sensitive data on your WordPress website, like customers' payment information or other types of personal details. If a hacker gained access to that, you could face serious legal repercussions, not to mention the damage to your business reputation.

Thankfully, it's not a huge chore to make your WordPress website more secure from hacks and attacks. Simply by skimming this guide, you're setting yourself apart from less responsible website owners who are headed for Hacktown.

Back to Top

How to secure WordPress

Securing a WordPress website is achievable through a combination of software applications and your own best practices. But keep in mind, even the most advanced WordPress plugin won't save you if your security posture is lax. Similarly, even the strongest, security-first mindset could use a little reinforcement from technology.

In this section, we'll look at some of the best WordPress security plugins, as well as best practices you should employ to keep your site secure.

Back to Top

Security plugins

For the new WordPress user, you probably ask yourself, “Do I need a WordPress security plugin?” The answer is a resounding “YES,” especially if you’re not code-savvy enough to tackle the Hardening WordPress section of the WordPress Codex.

Security is a big deal. WordPress security plugins help you protect your investment of time and money to create your website.

In not protecting your investment, you risk losing parts of your website or all of it. Whether it is a website geared to selling items online, or an informational website to get people to come to your brick-and-mortar location, it needs to be up to help you succeed in your online endeavor.

Features to look for in WordPress security plugins 

Before listing some of the top WordPress security plugins, you really need to understand the features that you want to look for when choosing the right security plugins to lock down your WordPress site.

  • Includes a strong malware scanner – There are so many ways to be hacked, and if the scanner on your WordPress security plugin doesn’t scan for several types of hacks, then it is useless in helping to detect anything that doesn’t belong on your website.
  • Includes a Web Application Firewall or some type of reliable firewall – Or at least a way to purchase the service. Some plugins might not offer this feature for free, but a firewall really helps in blocking malicious bots from reaching your website. It prevents your website from bigger problems like being hit with tons of bots at the same time, which exhausts your website’s resources and can take your site down.
  • Emphasizes strong password and logins – Your security plugin should help educate you a little bit on what you need, especially basic things like having a strong username, password, and the ability to log in in more security. A security plugin that has two-factor authentication can help you implement a more secure way to log in on your website.
  • Can help repair files that might be compromised – You probably don’t have the time to edit malware out of the files on your website. If your security plugin can compare some of the WordPress core files, as well as free WordPress.org plugins, to their originals, and even provide a way to restore those files, it can save you a lot of time.
  • Checks your website against Google’s Safe Browsing list – Google is the number-one search engine in the world, and if your website has malware or may be labeled as hacked content, then you could be losing traffic. Google actually labels websites that have been found with malicious hacks or suspicious content.
  • The plugin actually works! – Yes, some people choose older plugins that are no longer compatible with their current version of WordPress. If your WordPress security plugin isn’t working, then you’re sitting there with a sign that welcomes an eventual bot attack or hacking.

Below are five of the best WordPress security plugins available. Some of these can be stacked together, but others should be used alone. It’s important to read each plugin’s description and review their features to pick one you’re comfortable with.

  • Sucuri Security
  • Wordfence
  • iThemes Security
  • Shield Security
  • All In One WP Security Firewall

As a note, all of the plugins listed below have hundreds of thousands of users who have attested to their trustworthiness.

*The features and information listed below were verified to be correct at the time of publication 

Sucuri Security

Sucuri Security is a highly popular WordPress security plugin with the following features:

  • Monitors user activity
  • Monitors files and if they’ve been changed
  • Has hardening settings to block bots from adding malicious files to your site
  • Offers a website firewall for premium users (paid upgrade)
  • Has blocklist monitoring in case you’ve been blocklisted from places like Google, McAfee, Norton and more

Wordfence

Wordfence has more than 2 million active installs across the world. This plugin offers a means to purchase their strong premium Web Application Firewall, and features like:

  • Blocks bad bots and fake Googlebots
  • IP or country blocking (paid feature)
  • Live monitoring or real-time blocking
  • Options to throttle or block users or bots in ways that may be suspicious or a potential risk to your website
  • Two-Factor authentication
  • Enforces users to create strong passwords
  • Brute force login security
  • Scans files against WordPress core files, WordPress themes, and WordPress plugins
  • Located at WordPress.org
  • Scans for malicious code like trojans, backdoors and more
  • Has support for WordPress multisite

iThemes Security

iThemes Security, formerly known as Better WordPress Security, was created by adding a bunch of features from different WordPress security plugins to make one huge plugin. The intention was to prevent having to stack myriad WordPress plugins while providing a means for the WordPress user to go through a security checklist. This plugin offers many different options to help guide users through securing their WordPress website.

Shield Security

Shield Security has a lot of different options for securing and hardening websites. Here are some of the features:

  • Two-factor authentication
  • Renaming WordPress login URL
  • Brute force protection
  • File integrity checking
  • User monitoring
  • Email reporting
  • Firewall
  • User management
  • Help with reducing comment spam
  • Hack protection
  • Option for auto-repairing compromised files for WordPress core, or plugins or themes from WordPress.org
  • IP manager
  • Lockdown on areas like hiding WordPress version, blocking XML-RPC, prevent file editing, and more

All in One WP Security Firewall

All in One WP Security Firewall is designed with many of the same features as iThemes security. Why All In One over iThemes Security? Some web hosting and plugin setups cannot handle iThemes but might be able to handle All In One. My suggestion is to install and test each plugin to see what works best for you.

In the end, the important thing is to choose a WordPress security plugin that actually works! 

These are just a handful of the great WordPress security plugins available to help protect your website. Do your research, pick one or more security plugins to try, and start taking a more proactive approach to WordPress website security.

Back to Top

Best practices

While the plugins listed above can go a long way in securing your WordPress website, they're by no means the only measures to implement. Your behavior and habits are just (if not more) important in keeping a site secure, so let's explore best practices for keeping the baddies away from your WordPress site.

Get behind a website application firewall (WAF)

A WAF protects your website by comparing incoming traffic to a database of known bad actors. This database is continually updated, meaning you get protection even from emerging threats. With a WAF in place, your WordPress site is less likely to fall victim to hacks and attacks like DDoS and malware.

Update core files, plugins and themes

WordPress updates almost always involve security patches. This should always be the first step in securing a site — and the steps couldn’t be simpler. All you have to do is log in to the wp-admin dashboard, hover over the dashboard button on the sidebar, and then in the dropdown menu click Updates.

WordPress dashboard

Select the items you want to update — which should be every one listed. You can make this process even easier by enabling automatic updates for core files, plugins and themes. If you're using a managed WordPress solution, it likely includes this function. You can also enable automatic updates for plugins from the Plugins section of wp-admin.

And if you don't mind going under the hood, you can set up automatic updates by adding this line of code to the wp-config.php file:

// Enable automatic updates for all

define( 'WP_AUTO_UPDATE_CORE', true );

add_filter( 'auto_update_plugin', '__return_true' );

add_filter( 'auto_update_theme', '__return_true' );

Automatic updates can drastically change how a theme or plugin works. It actually might break some occasionally, but this might be favorable compared to leaving vulnerabilities in the site.

Use a non-standard URL for logging in

By default, the login page for WordPress websites usually ends with /wp-login.php or /wp-admin. While this is easy for users to remember, it also presents the risk of bots combing for sites with these URL structures, and then attempting to gain unauthorized access.Fortunately, plugins like WPS Hide Login allow you to customize the URL for your login page, making it a much less attractive target.

Remove unused plugins and themes

One of the greatest features of WordPress is its ability to download and run plugins, potentially improving the functionality of your website. That being said, it is possible to have too much of a good thing.

The quality of code across plugins and themes can vary, as some are created by businesses and others by hobbyists — and neither are perfect.

With each plugin installed on your WordPress site, the more likely the site is to be hacked, as new vectors are opened with each installation. It is not enough to simply deactivate plugins that you aren’t using. You actually have to delete them in order to remove the vulnerable code from the server.

Removing unused items is equally important for performance and should be part of any WordPress security scan. The fewer active plugins, the safer and faster the site will run.

Install an SSL certificate

It should be painfully obvious by now that every website should have an SSL certificate. Put simply, SSL secures traffic, protects users against phishing, and can boost Google rankings.

With the certificate installed, you can change the WordPress Address and Site Address in WordPress by going to General Settings and changing the protocol from HTTP to HTTPS. Click Save Changes and the installation is complete.

Enforce strong passwords

The most commonly used passwords typically range from 123456 to password — which are painfully obvious, insecure and pretty much guarantee that the account will be accessed by an unauthorized user.

A strong password contains a mixture of at least eight digits, punctuation, and upper- and lowercase characters.

You should never use the same password twice. It is also important your password doesn’t include words that can be found in a dictionary or a proper noun, as they are especially prone to the appropriately named dictionary attack.

Use captcha on forms

A hacker doesn’t need to compromise login access to deface sites and spread malware.

If your WordPress site has a contact form without a Captcha, you can bet that eventually it will be used to send as many spam and malicious emails as your server can handle. Additionally, Captcha tools also prevent the brute force attack of your admin accounts.

Limit login attempts

The plugin Limit Login Attempts will keep your admin page protected with a customizable limit to the failed logins that are allowed before a user is blocked from submitting a login form. You can also add an allowlist in case a user tends to forget their password.

Some hosting providers already offer this as a built-in feature, so it’s a good idea to do your research before attempting the installation.

Turn off file editing

You might notice WordPress allows you to edit your theme and plugin files directly from the admin panel. This exposes a vital vulnerability that can have unintended consequences.

It’s best to disable it to prevent hackers or other users from defacing the site intentionally or otherwise.

Thankfully, the remedy involves another change to your wp-config.php file. Just add this to the file on its own line:

// Disable file editing

define('DISALLOW_FILE_EDIT', true);

Change security keys

The security key stored in your wp-config.php file encrypts login session stored in your cookies. Changing these keys will invalidate all sessions, logging all users out of the dashboard, but also preventing hackers from hijacking open sessions.

Changing these keys is as simple as copying and pasting.

First, use the WordPress security key generator API to get your new secret keys, and then copy them. You’ll find a block of code that looks similar, which you can replace with the new block that you have copied. It will look like this:

define('AUTH_KEY',         'HeW#zltmGurr@u{B97hDiOr;3@<1>-^bbtua-:bC&K4`]*r 6V<-s-GtTq?lLL|h');

define('SECURE_AUTH_KEY', 'B >t.QYHTKXRv/)ewR 5$iswZrLM}kAE#15?:2lu]zPd!KuB78?4fopw3QsHtx#4');

define('LOGGED_IN_KEY',    'gI:T2,v7|E[.Q&[yGK|$a+s1;&$8-[?|6dE+FX|9|Ex|N[EPiQ0YzoXas=.7`4;&');

define('NONCE_KEY',        'Z_-$xVrv0+VqtoVl#8|s/zeOlm^h# zHh(3me1X/S(l[(h;-+KI&cyDuLbm<!DR.');

define('AUTH_SALT',        '-~i[ahut&xhfTLlnk+u^[GC2?:324X/Lo*<i{|K75j)6HI<y1<Vc$|(,-xZ+{ O]');

define('SECURE_AUTH_SALT', 'B|M9s9a*iwp44|ldOHJlG9.#-Hb$t?kY|st;D9 )]FALOWt[/fYrtanxrjoxfD(z');

define('LOGGED_IN_SALT',   'z_ Drd6Rip3upj:P*|2UsToIkVtaG|Nk3JKO yNq=xQZpVy7u!d@.TO8P:b5#s*H');

define('NONCE_SALT',       '5/af{*Wq82Gzq56&$b)<]X=-3#NW3x++~ D|PD-oCs=(#_y-~Z=w[]W9#jBfgJ *');

Secure core files with an .htaccess

Utilizing the .htaccess file is probably one of the most powerful tools in WordPress security.

We’ll start with securing the core files from being accessed from the browser, as these do nothing for a legitimate viewer and are usually only accessed from the browser to find and exploit vulnerabilities.

As a quick fix, you can add this block of code from the WordPress team before or after the BEGIN/END wordpress tags:

# Block the include-only files.

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]

Disable XML-RPC

Most users don’t utilize the functionality behind XML-RPC, which lets you make blog posts and interact with some plugins. This type of functionality is good if you have an automated feed that posts new content to the site, but it’s highly sophisticated and rarely taken advantage of.

In most cases, just disable it to deny hackers a way to brute force user passwords. In order to disable it, you’ll just need to add another block of code to your .htaccess file:

#disable xmlrpc

order allow,deny

deny from all

Audit file permissions

According to WordPress, developers and admins should avoid 777 file permissions at all costs. Holding files with this type of permission allows anyone on the machine to read, write and execute any file with 777 permissions.

Instead, WordPress suggests that you use 755 permissions for folders and 644 permissions for files.

Because WordPress files constantly update, change and make new additions, regularly audit the website files, looking for bad permissions in order to maintain a secure environment.

If you want to quickly run an audit, you can run this command from SSH to view all files in the current working directory that do not follow the WordPress guidelines for file permissions:

find . -type f ! -perm 0644; find . -type d ! -perm 0755

Disable PHP error reporting

Disabling PHP error reporting prevents hackers from gaining vital information about your website and the environment it’s on.

A common technique in hacking is to view a file displays an error in order to identify the operating system, website path on the server, and even what applications are running.

As an example, suppose you access a file on the website that returns this error:

Warning: Cannot modify header information – headers already sent by (output started at /home/jchilcher/public_html/wp-content/plugins/twitter-profile-field/twitter-profile-field.php:28) in /home/jchilcher/public_html/wp-includes/option.php on line 571.

This error already tells me the server is using Linux with cPanel, and it’s the main domain for this cPanel account and the website is using the twitter-profile-field plugin. I now know where to start looking for vulnerabilities and where to exploit them.

The fix to this problem is as easy as the rest. Create or modify the php.ini for the site and ensure that the directive display_errors is off. You can do this by adding the line:

display_errors = Off

Once your settings have gone into effect, any error that would normally display on a page will be gone.

Have a backup plan

Lastly, here's the most important yet neglected task involved with WordPress security: a backup plan. If the worst-case scenario becomes a reality and your website becomes a host to malware, you should already have a plan on how you will get the website back.

In most cases, those who refuse to regularly back up their sites end up regretting it. Without a clean backup, your hacked site might never be clean again without having to start all over.

Back to Top

How to identify vulnerabilities how to prevent them

WordPress often releases updates to its core files, and they usually include fixes for the latest security issues. Your installed themes and plugins will also need updates, and you’ll be notified of available new versions via your WordPress dashboard:

There are a couple big reasons for staying on top of WordPress security updates:

  • You’ll be protected against any recent threats that present a danger to your site or visitors.
  • Any incompatibilities between plugins, themes and the WordPress core are likely fixed, creating a more stable system.

In short, it just makes good sense to keep your WordPress core files, themes and plugins up to date. However, protecting your site involves much more than simply applying updates.

You’re about to learn how to check and update your WordPress website in two steps. Before you begin, you’ll want to back up your website, in case something goes wrong, and you need to restore it.

Step 1: Find the WordPress updates page

First, log in to your WordPress backend. Go to the Dashboard section, and then click Updates. This offers a handy, at-a-glance guide for any themes, plugins or core files that need updating.

Here, you’ll see a reminder of when you last checked for updates, along with a prompt to check again. You can also find your currently installed WordPress version and an overview of any themes or plugins that have available updates.

This is where you can reinstall the latest version of WordPress if you need to, for example, if you’ve had to migrate a site or install a backup. If you use a translated version of WordPress, you’ll also get the option to install either the U.S. version or one in your own language.

Once you’ve become acquainted with this screen, the next step is to actually perform the updates.

Step 2: Update WordPress core, themes and plugins (as necessary)

Before actually updating WordPress, it’s important to mind a few important things. These make the whole update process run much more smoothly. Here’s what you should remember:

Create a full backup before updating your site, in case anything goes wrong.

If you can, update WordPress using a staging or local site first, and then migrate it once you’re happy the change has been successful.

Update the WordPress core first, then your themes, and finally your plugins. That way, it will be easier to determine the cause of any errors.

To carry out an update, go to Dashboard, and then click Updates. Take a look at what’s displayed there. Depending on what you find as you get through your WordPress security updates, you might need to get the latest version of:

  • WordPress — Simply click Update Now. If you don’t see it, you’re likely running the latest version.
  • Themes — If updates are available, you’ll see the information displayed under Themes. Check the appropriate boxes, and then click Update Themes. You’ll be notified when it’s done, and then prompted to return to the Themes or Updates pages.
  • Plugins — Check the boxes for the plugins you’d like to update, and then click Update Plugins. It should only take a few moments.

Keep in mind, you can either update everything at once, or individual items as needed. The former option is more efficient, although the latter will make it easier to figure out the cause of any sudden problems. It’s not a bad idea to perform one update at a time, testing your site in between and looking for errors or compatibility issues.

Back to Top

How to run a security scan

Malware is not new to WordPress, but it still makes its mark on user sites every day. This software is specifically designed to intrude on your website and gain unauthorized access to your files. It’s usually accidentally installed via a corrupted file, although certain advertisements can also contain malware.

The effects of malware are wide-ranging.

It can compromise your login data, steal personal information, create spam, or hijack your computer. Some hackers even use malware to launch Direct Denial of Service (DDoS) attacks, so making sure your site is clean should be a top priority.

The first step is to scan your site for any pre-existing malware. While some plugins such as Wordfence Security include a malware scanner, there are also dedicated services you can turn to, such as GoDaddy’s Website Security, powered by Sucuri.

Next, you’ll want to eradicate the malware itself. Fortunately, most of the services we’ve mentioned will do this for you. Finally, you’ll also want to change your passwords, so you don’t get compromised again.

Back to Top

Importance of strong password two-factor authentication

The process of logging into WordPress can present one of the most attractive vectors for hacks and attacks. However, a strong password paired with two-factor authentication (2FA) can mitigate much of the potential risk.

Strong passwords

The simplest website security measure you can take is to use strong, unique passwords. This means skipping your dog’s name, kid’s name, birthdays and common words, including the word “password.”

When creating your passwords, make sure they include:

  • More than eight characters
  • A mix of uppercase and lowercase letters
  • At least one number
  • At least one special character

You should also make sure that every password you create is unique. Do not use the same password for multiple websites or online profiles, and do not use your WordPress password for anything else — especially for a social media profile.

I know managing all of the different passwords can be tough, especially when you avoid any common words and add in numbers and special characters, but there is an easy solution. Use a password manager like LastPass or 1Password to manage all of your unique passwords and provide you with one master password.

Two-factor authentication

Two-Factor authentication is a security measure that has come sharply into focus recently. Many large online companies, such as Google and Facebook, use this technology to help protect your accounts.

Essentially, 2FA is an extra layer of security.

When you log into your account, you’ll be asked to verify your identity through a second device, such as your mobile phone or 2FA hardware. Without that authorization, you’ll be locked out. This is vital technology for anyone who values their site’s security – and it’s easy to implement for WordPress users.

One recommendation for getting started with 2FA is the Two Factor Authentication plugin. This tool uses the Google Authenticator app to generate passcodes on your device and is simple to set up. Some larger security plugins also include 2FA as a premium feature, such as Wordfence Security, and Automattic’s Jetpack offers a secure, free authentication option.

Back to Top

Importance of limiting the number of WordPress users and admins

When it comes to the principle of least privilege (more on that in a sec), Michiel Heijmans, formerly of Yoast, said it well:

“Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.”

Types of WordPress user roles

The first step is to understand the different user roles and capabilities, and how they relate to business functions. This is where our principle of least privilege comes in: grant users only the permissions they need to execute their business function.

Let's look at the roles available in WordPress. Although it is possible to customize WordPress user roles with code adjustments or plugins, these are the five default user roles for a single WordPress site.

Administrator

The WordPress Administrator has full access and control over the WordPress Dashboard. The administrator can install plugins, adjust themes, add users, manage widgets, and publish posts and pages.

An Administrator can do everything related to creating, managing and deleting the WordPress site. In instances when there are multiple WordPress sites, there is a role for Super Administrator who has control over the entire network.

Ideally, a WordPress Administrator is a web developer with knowledge of WordPress plugins and potential plugin conflicts. They also know what the marketing and editorial departments need in terms of site menus and sidebars, since managing the menus and sidebars are administrative functions by default.

Editor

The WordPress Editor is the site content manager. They can set up categories, assign authors, and publish posts and pages. They can also delete content.

Author

WordPress Authors can write and publish their own content, including files and images, but cannot publish anyone else’s content. Authors can also delete posts, but only their own.

Contributor

WordPress Contributors can write their own content but cannot publish it to the site. Contributors cannot upload files or images. Contributors cannot delete or edit anything they’ve contributed.

Subscriber

Subscribers are the most limited out of all user roles. Aside from being able to manage their own user profile, the rest of their access to the site is read-only.

Back to Top

Ready to dial in your WordPress security?

Nice work getting through our WordPress security guide. Hopefully you learned a lot and are ready to act on those lessons. As mentioned before, GoDaddy's Website Security covers much of what we've just learned.

And if you're managing multiple websites for clients, check out The Hub by GoDaddy Pro. It saves busy professionals hours each month by letting them handle in bulk security-related tasks like scans and backups.

Again, great job improving your security posture. Your diligence and efforts contribute to a safer internet for everyone.

Disclaimer: All trademark rights belong to their respective owners. Third-party trademarks are used here for demonstrative and educational purposes only, use does not represent affiliation or endorsement.