How to Improve Your WordPress Website Security
If you’ve been paying attention to the news lately, you’ve probably noticed the rash of ransomware attacks that have sprung up. While hackers attacking businesses isn’t necessarily a new development, it seems as if the bad actors are getting bolder and more prevalent in our digital business world. It’s enough to make anyone think twice about their own business’s online security.
But what exactly is ransomware, anyway? And can it really affect your website? After all, it seems like most of the business that get hit are large corporations that can afford to pay off these hackers to the tune of millions of dollars.
Unfortunately for people running a small online business, they aren’t immune to these sorts of attacks simply by being small. In fact, hackers often attack large numbers of websites to further perpetuate their malicious programs. And WordPress isn’t immune to these attacks: Back in 2016, the TeslaCrypt ransomware infected numerous WordPress websites to propagate its code to website visitors, resulting in thousands infected.
But how do you improve your WordPress website security? Quite a lot, actually. While there are no easy fixes when it comes to website security, there are several things that—when focused on—improve your odds considerably.
In this guide, we’ll run through all the major points in addition to covering several smaller strategies you can employ to maximize your website’s security. While we’ve visited the topic of security before, we haven’t covered it in this amount of detail.
So grab yourself a big double-double, get comfortable, and let’s dive in. First topic: web hosting.
1) Choosing the Right Web Host
Most people don’t think too much about their web host’s security. If they’re particular savvy, they may check to make sure they’re getting SSL with their hosting package. But most people are focused more on things like bandwidth, storage space, and price. But who you host your WordPress website with plays a massive role in how secure your website is.
Generally speaking, it works like this: Added security features cost more to implement. So, the more security features a web host offers, the more expensive the hosting is. Conversely, the more affordable the web host is, the more likely they’re skimping on things like security.
While this isn’t a hard and fast rule, it’s important to not just go for the cheapest possible hosting. By doing this, you could be putting your website and business at risk. Instead, look for added security features that round out the hosting. As the saying goes, you get what you pay for.
With that said, there are a few features you can look out for when choosing your web host. Let’s take a closer look at each one of these to understand how they affect your website’s security.
Secure Socket Layer, or SSL, is a network protocol that controls encryption between a web server and a web browser. In simple terms, it’s how a website forms a secure, encrypted connection between itself and its visitors. SSL is what enables people to do things like access their bank account or purchase goods and services online.
When you’re looking at web hosting services, be sure they support SSL. More over, check to see what their SSL policies are and how difficult it’ll be to deploy a certificate to your website. Also be sure that, should you add additional domains to your hosting account, you’ll be able to configure SSL for each one.
If you already have hosting, and you’re unsure of whether your website supports it or not, there’s an easy way to check. These days, most modern browsers will alert you to a website that doesn’t support it. They’ll also typically show a little padlock icon in the address bar when SSL is enabled.
Web Application Firewall
Regardless of who’s hosting your website, somewhere between you and your website, there exists at least one firewall. Often times, these are physical units sitting in a data center somewhere that actively filters, monitors, and controls the traffic moving between you and the rest of the web.
As effective as hardware firewalls are, they’re designed to control all network traffic. To monitor your website and the various protocols and connections it uses, you need something a little more specific: a web application firewall.
While the nature of the internet necessitates the use of physical firewalls in data centers across the world, many web hosts don’t enable web application firewalls on their servers.
DDoS Protection and CDNs
One of the most common website attacks is called a distributed denial-of-service attack, or DDoS. These attacks involve overloading the web server with fake traffic to render a website unavailable. When your website is a target of these kinds of attacks, it can cause serious damage to your website in both the short and long term.
One of the best ways to combat DDoS attacks is by using a content delivery network, or CDN. A CDN is a network of distributed servers used to provide the content of your website to different users in different locations all over the world.
The main purpose of a CDN is to provide better performance for your website visitors—regardless of where they are. However, thanks to a CDN’s nature of redistributing traffic as needed, they’re an excellent defense against DDoS attacks. By preventing excess traffic from putting strain on a single server, your website doesn’t experience any downtime from these kinds of attacks. Meaning your users won’t experience any outages and neither will you.
Like your personal computer, web servers are vulnerable to malware. When shopping for a web host, it’s a good idea to choose one that offers complimentary malware scanning as part of its service.
2) Keep Your Software Updated
Like your computer’s operating system and the applications that run on it, websites run on software. And this software requires regular updates. Not only do these updates improve performance and add new features to your website, but they patch security flaws and vulnerabilities. Keeping all the software on your website updated goes a long way toward protecting you from bad actors.
WordPress is the open-source software of the web, meaning anyone can freely examine and contribute to its codebase. This means that literally anyone can view its code and potentially find vulnerabilities. That fact, coupled with its immense popularity, makes WordPress a big target for hackers, data thieves, malicious code distributors, and bad actors, in general.
Thankfully, the open-source community behind WordPress constantly finds and fixes these bugs, flaws, and vulnerability to prevent issues. But to take advantage of these patches, you need to keep your WordPress software updated. In fact, security is arguably the biggest reason to ensure timely and consistent updates to your WordPress software. Not doing so is putting your website at risk.
WordPress Plugins and Themes
The plugins and themes you choose to install with WordPress also require updates. And keeping them updated is no less important than keeping your core WordPress software updated.
Unfortunately, ensuring every one of the plugins you use stays up to date is challenging. While WordPress updates all come from a single source, depending on how many plugins you use, you might need updates from dozens of different developers. And unfortunately, not all developers are created equal.
The best strategy is to do your homework when choosing what themes and plugins you install on your website. Often times, developers abandon their themes and plugins and never update them again. Not only does this lead to incompatibilities with your site, but it can pave the way for security vulnerabilities, too.
Here are a few tips for researching plugins and themes:
- Check to see how old it is and when it was first released
- Find out what version is currently available and how long ago that was released
- Make sure the developer still maintains a demo site and provides support
- Check around to see what recent reviews say about it
And don’t assume that premium themes or plugins are automatically exempt from these considerations. Websites can remain up and functioning long after the developer has abandoned their project, leaving you to spend your hard-earned money on a plugin that may not even work.
The WordPress platform, including all of its themes and plugins, is built using a programming language called PHP. And like WordPress, PHP is open source, meaning it’s vulnerable to the same sort of targeted hacking.
Thankfully, PHP is updated often with new patches and fixes for vulnerabilities that developers (and hackers) find in the code. But you need to apply those updates, otherwise your website becomes vulnerable.
Unlike WordPress and its plugins and themes, PHP is something that’s updated on the actual web server. Some hosts update PHP for you; others don’t. Either way, you’ll want to make sure it stays current to prevent hackers from taking advantage of any vulnerabilities.
3) WordPress Security Measures
While choosing great hosting and keeping all of your software up-to-date goes a long way toward keeping your website protected, there are other things you can do to help raise the bar on your website’s security.
Lock Down WordPress Logins
Your login page is often the first point of entry that hackers use to gain access to WordPress websites and data. Unfortunately, WordPress’s default settings don’t make this job any easier. But there are ways to make it much harder for bad actors to use your login page as a way to break in.
1) Strong Passwords
Passwords are the first line of defense. While a skilled hacker can certainly get around a strong password, using a weak one is inviting attacks from anyone and everyone. Use random numbers, letters, and characters for your login passwords—the more random, the better. Most modern browsers have a password manager built in, so there’s never a reason to use your birthday or a pet’s name.
2) Limit Login Attempts
By default, WordPress allows unlimited login attempts, which is how many hackers break in. By using scripts or malicious code to generate usernames and passwords, they attempt to log in with configure malicious code to attempt logging in with different passwords until it finds the right one. This is called “brute forcing” your password.
By using a plugin or custom code, you can limit how many attempts users have to log in. If they fail to log in, they’ll be blocked from attempting for a certain amount of time.
3) Change Your Login URL
By default, WordPress uses the same login URL for every installation. In other words, if you don’t change this setting, your login page is accessible by adding
wp-admin to the end of your URL. This is essentially showing hackers where the front door to your website is. By hiding your front door, you’re making it that much more difficult for the bad guys to get in.
4) Block Users Using Invalid Usernames
Often times, when someone with bad intentions targets a website, they find the login page and then use a script to start testing username and password combinations. Many of the strategies listed here help prevent and deter these people, but these bad actors also know that persistence pays off. Fortunately, you can use plugins to block IP addresses of users who are testing your login page with invalid usernames. By blocking the offending person’s IP, you’re essentially slamming the door shut on them and not giving them the opportunity to find a weak spot in your security.
5) Use reCAPTCHA
For one final level of protection for your login page, you should consider using a plugin to add reCAPTCHA to your login and registration pages. While these can seem a little annoying to a legitimate user needing to log in, it’s important to understand that this useful bit of technology stops brute force scripting attacks in their tracks.
Using reCAPTCHA in addition to the aforementioned strategies will ensure that your login page is as secure as possible and no one but the people that should be logging in can do so.
6) Two-Factor Authentication
Finally, it’s also a good idea to consider using two-factor authentication, or 2FA for short. This is an added level of security that protects you even if your password is somehow compromised. If someone does manage to get your password, they’ll still be unable to log in without the authentication code generated from your personal device. While you’ll need a plugin to enable this, it goes a long way toward securing your website.
As we discussed above, thanks to its power and capabilities, PHP can be a source of vulnerabilities for WordPress. It requires special attention to prevent hackers from using it to take advantage of your website.
1) Disable PHP Execution in Uploads Folder
One way to do this is by disabling PHP in certain folders—specifically, the uploads folder. By preventing the running of PHP in folders where it isn’t needed, you’re limiting the scope of possible attacks on your site. The best way to do this is by adding an
.htaccess file with special code to your uploads directory.
2) Disable File Editing in WordPress
By the same token, you’ll also want to disable file editing from within WordPress. While this may seem like a useful feature at times, it makes your site much more vulnerable. If someone were to get past your login security, they would have full access to all the files on your site. In other words, they would have the ability to write malicious PHP code to steal your data or turn your website into a malware propagating machine. By disabling this feature completely, you prevent this from ever being a possibility.
Secure Your Web Host’s File System
Lastly, but certainly not least, there are steps you should take to ensure your web server’s file system is as secure as possible. One of the best ways to do this is by disabling directory browsing for your website.
It works like this: By default, a web server is set up to go to an index file, whether it’s an
index.html file or
index.php file. However, if this file doesn’t exist, a web server redirects the browser to the actual directory, showing the user a list of other directories and files on the server. Hackers can use this functionality to peruse your server and examine files, searching for vulnerabilities to exploit.
Likewise, WordPress produces log files that you can use to get information about your website for troubleshooting. And likewise, hackers can use these log files to glean information about your web server that may allow them to find a vulnerability.
By disabling access to directory browsing and log files, you give hackers far less information to work with. And that’s precisely what you want: For people with bad intent to have as little information as possible about your website.
The Best Security Plugins for WordPress
Thanks to WordPress’s robust plugin ecosystem, there are several plugins that exist to help improve your WordPress website security and make security hardening less of a headache. But, while many of the practices and methods we’ve looked at so far are covered by these plugins, there are things that they simply can’t do.
For example, plugins won’t help you with things like:
- Installing and managing SSL certificates
- Setting up web application firewalls
- Scanning for malware
For complete security, you’ll want to use these plugins with the other methods and strategies we’ve looked at—especially when it comes to web hosting.
With that said, let’s take a look at what a few of the best WordPress security plugins have to offer.
WP Cerber is an all-in-one security suite for WordPress. It offers a plethora of features, including blacklisting and whitelisting users, creating custom login URLs, and many of the things covered in this guide. It’s an incredibly comprehensive security plugin.
This plugin also boasts malware scanning and firewall settings, though it’s important to understand that these are limited to the files within WordPress: The plugin itself can’t do much for security beyond your WordPress installation.
WP Cerber does offer a limited free version, the full package is a little pricey at $99 per user per year, but for the features it provides, it’s well worth the cost.
- Excellent reporting dashboard
- Easy blocking of PHP files
- Effective anti-spam protection
- Automated malware scans only available in paid version
- Can be a little intimidating for less advanced users
- It can be a little expensive for smaller sites
All in One Security and Firewall
All in One WP Security and Firewall is another comprehensive security plugin for WordPress. With over half a million downloads and nearly a five-star rating on the plugin repository, it’s difficult to find bad things to say about this plugin.
Features with this plugin include user account security, user login security, and file system security. Many of the things covered above are easy to configure, such as disabling WordPress file editing, disabling access to log files, and modifying
.htaccess files to prevent malicious code execution.
- This is a free plugin
- Considerable features in a fairly user-friendly package
- Frequently updated
- No two-factor authentication
- Some advanced features can temporarily break your site if not configured properly
iThemes Security is the highest rated security plugin for WordPress, and for good reason: It boasts an endless amount of security features in an easy-to-use package. Nearly everything we’ve covered in this easily accomplished with the pro version of this plugin.
That said, while iThemes Security Pro is no slouch when it comes to security, the benefits will cost you. The individual license, which covers a single website, comes in at $80 per year, though if you have multiple sites, you can get a 10-site license for $127.
- Incredible number of features
- Easy to use “secure site” setting
- Built in two-factor authentication
- The pro version is expensive
- Advanced features such as 2FA and Site Scanner only available in Pro version
- You may need to edit
.htaccessfiles manually to enable certain functions
With more than four million installs, Wordfence is one of the most popular WordPress security plugins in the world. It’s another complete solution, with a built in endpoint firewall, malware scanning, and plenty of tools and features to manage WordPress logins and user accounts.
Wordfence is the only security plugin that offers a complete endpoint firewall solution, built from the ground up to support WordPress. While this won’t protect you on the web host level, it’s one of the best ways to secure traffic coming into your WordPress site, since the firewall is built around the software and understand how it interacts with network traffic.
While the plugin offers a premium version, the free version isn’t as clipped as other free plugins, offering most of the features you get in the pro version. The difference in using the pro version, however, is gaining access to Wordfence’s legendary real-time IP black list, along with real-time firewall rule updates and malware signature updates.
- The only plugin with a true endpoint firewall
- Automated daily malware scanner
- Live traffic feature for monitoring visitors to your website
- Scheduled site scan only available in pro version
- Hiding the login page is not possible
- You need to upgrade to the pro version to get real-time updates such as an IP blacklist and firewall rule updates
Wrapping Up: Improve Your WordPress Website Security
We’ve covered a lot of ground in this guide. By now, you should have a pretty good idea what it takes to lock down your WordPress website and ensure a secure web presence for yourself and your business or blog.
That said, if you’d rather have a professional manage your security, consider taking a look at our WordPress services. We offer managed WordPress updates and security lockdowns so that you don’t have to worry about your website falling victim to a ransomware attack. With your updates and security in our hands, you can focus on doing what you do best: keeping your visitors and customers happy.
Join Our Newsletter
Stay up to date on the latest WordPress tips and news