Wanna know how to make your WordPress site secure?
Well, we all know how popular WordPress CMS is. It is used by 43.2% of websites, which is over 835 million WordPress websites across the globe in 2024.
Due to its immense popularity for website creation using plugins and themes from the directory. Beginners can quickly create and run websites without much technical knowledge. But because it’s so famous, there are also a lot of security risks.
Don’t worry, no need to panic!
You will learn about these security risks in a few moments.
After that, you will learn the best way to deal with them.
So without wasting time, let’s hop in.
Key Takeaways
- Always keep a backup of your site for restoring
- Most easy security risk is setting a weak password
- Always update your WordPress core to avoid security breach
- Never use any theme or plugins from an unknown developer
- Use powerful hosting with an authentication feature
- You can secure your site without using a plugin or using a plugin
What are the common security threats in WordPress?
There are a lot of common security holes that WordPress websites can fall into. WordPress has a lot of different features and functions, which can make it easy for hackers to break in. At least 30,000 WordPress sites are hacked every day and 1 in 4 WordPress plugins on popular websites may have vulnerabilities resulting in a security breach.
The fact that WordPress is easy to use is both a strength and a weakness. New users may not take the right security steps because the interface is so simple.
Check out some common security threats to WordPress websites:
Weak Passwords:
Passwords that are easy to guess leave websites open to brute-force attacks. Weak passwords are the reason that 8% of WordPress sites get hacked.
Outdated Software:
If you don’t update WordPress core, themes, and plugins, your website could be open to known vulnerabilities. Attackers can get into and control a website without permission by taking advantage of flaws in the core of WordPress.Outdated plugins are to blame for 52% of WordPress security holes. WordPress core files cause 37%, and themes are at fault for 11%.
Vulnerable Plugins and Themes:
Poorly coded plugins and themes can introduce security vulnerabilities to the website. Popular themes and plugin developers regularly release updates that include critical security patches and bug fixes.
Cross-Site Scripting (XSS):
XSS attacks can happen when user input isn’t checked properly, which lets attackers add harmful scripts to web pages. This vulnerability is found mainly in plugins and themes where hackers load pages with insecure JavaScript.
Cross-Site Request Forgery (CSRF):
Attackers can take illegal acts on behalf of authenticated users when there are CSRF vulnerabilities.
SQL Injection:
This kind of attack happens when poor SQL code is inserted into input fields. Which could let attackers get into or change the website’s database.
Brute Force Attacks:
Brute force attacks are a common threat to WordPress sites. Hackers try to get in without permission by trying over and over again with different usernames and passwords. Some common Brute Force attacks are Simple Brute Force Attacks, Dictionary Attacks, Credential Stuffing, and Rainbow Table Attacks.
File Inclusion Exploits:
This type of attack occurs when a website allows an attacker to include a file, usually a script, on the server.
Phishing:
Attackers may attempt to trick users into providing sensitive information by impersonating a legitimate website.
Hijacking:
Attackers may attempt to hijack user sessions or take control of the website’s administrative functions.
Malware:
Malicious software can be injected into a website to steal data, disrupt operations, or carry out other harmful activities.
Denial-of-Service (DDoS) Attacks:
Distributed denial of service (DDoS) attacks can cause a website to become unavailable or delayed due to an excess of traffic.
If for instance you get hacked, you can follow how to fix a hacked WordPress site.
What are the mistakes to avoid when securing a WordPress website?
Some common mistakes to avoid when securing a WordPress website include:
Ignoring Security Plugins and Best Practices:
Websites can be left open to a variety of dangers if security plugins aren’t included and standard practices aren’t followed.
Not Enabling SSL/HTTPS:
Attackers can more easily intercept sensitive information if SSL/HTTPS is not enabled, which exposes data exchanged between the website and its users.
Not Regularly Backing Up Your Site:
If you don’t back up your website regularly, it might be hard to fix problems like security breaches.
Not Limiting Login Attempts:
If a website lets people try to log in as many times as they want, it can be attacked using brute force.
Not Changing the Default Username:
When you use the usual “admin” login, hackers may find it easier to get into your website.
Not Using a Web Application Firewall (WAF):
A website can be attacked in many ways if it doesn’t have a WAF. These include SQL injection and cross-site scripting (XSS) attacks.
Not Monitoring User Activity:
Regularly monitoring user activity cannot help identify and address potential security threats.
Great, now we know about the vulnerabilities and the mistakes. It’s time to jump into our main topic.
How to make your WordPress site secure?
You can secure your WordPress site either by using a plugin or without a plugin.
We will learn both ways.
How to secure a WordPress site without a plugin?
Securing a WordPress website without using a security plugin is possible by following a set of best practices.
Here are some steps to secure a WordPress website without using a plugin:
Before applying these steps, make sure we back up our site.
Update to the latest version now
Make sure you are running the most recent WordPress version.
To check that, go to the Dashboard and click Updates on the left side of the menu. If it indicates that your WordPress version isn’t current, we suggest updating it as soon as you can. Also, update your Plugins and Themes as well.
Update your Plugins and Themes
Protect .htaccess file:
The .htaccess file needs to be kept safe because it has private setup data and rules that tell the web server how to act. If someone gets into the .htaccess file, they can use it to do many bad things, like move traffic, block access to certain parts of the website, or run harmful code.
If you have Yoasts’s SEO installed it will give you access to .htaccess instantly.
Go to your Yoast’s SEO -> Tools -> File Editor -> .htaccess file.
Now type Enter and add the code below and then click Save Changes to .htaccess.
#Protect .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
Protect wp-config.php:
Add the following code to the .htaccess file to protect the wp-config.php file:
# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Secure wp-includes folder: Add the following code to the .htaccess file to secure the wp-includes folder:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Change Your Default WordPress Login URL
Add the following code to the .htaccess file:
RewriteRule ^newlogin$ /wp-login.php [NC,L]
Replace “newlogin” with your desired login URL.
Save the changes to the .htaccess file.
Block Login attempts:
Go to your WordPress dashboard
Appearance -> Theme Fie Editor -> functions.php
Copy and paste the code below to restrict login attempts
function block_login_attempts() {
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$allowed_attempts = 3;
$ip_address = $_SERVER['REMOTE_ADDR'];
$login_attempts = get_transient('login_attempts_' . $ip_address);
if ($login_attempts >= $allowed_attempts) {
wp_die('Too many login attempts. Please try again later.');
} else {
set_transient('login_attempts_' . $ip_address, $login_attempts + 1, 60 * 60);
}
}
}
add_action('wp_login_failed', 'block_login_attempts');
Stop direct access to PHP files for plugins and themes
This will stop people from directly accessing PHP files.
Add the following code to the .htaccess file:
# Restrict Direct Access to Plugin and Theme PHP files
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
Do not let people look through your directories.
That’s a great way to stop Directory Browsing.
Add the following code to the .htaccess file:
# Disable directory browsing
Options All -Indexes
Keep SQL Injection from happening on your WordPress site.
This code below keeps SQL Injection from getting into your WordPress database.
Add the following code to the .htaccess file:
#Protect from SQL Injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (< |%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Use a robust and secure web host.
Make sure your hosting company is reliable and offers security features.
Adding security questions and two-factor authentication is an important choice to stop the hacker from doing more damage.
So far applying these methods manually can secure your WordPress files from security breaches.
How to secure WordPress using a plugin?
We will use a free plugin called Solid Security to secure your WordPress website from different security breaches.
To secure a WordPress website using the Solid Security plugin, you can follow these steps:
Install the Plugin:
From your WordPress dashboard, navigate to Plugins -> Add New.
Search for “Solid Security” and click “Install Now” on the Solid Security plugin. Once installed, click “Activate.”
Configure the Plugin Settings:
After activating the plugin, navigate to the Solid Security settings.
You will be asked to choose the type of your website to provide the security settings.
Configure the settings according to your security needs. This may include setting up brute force protection, login security, and vulnerability scanning.
Enable Brute Force Protection:
Solid Security offers local and network brute force protection.
Configure the plugin to ban IP addresses and login attempts based on the lockout rules you specify. Network protection goes further by banning IPs seen trying to break into other sites.
Increase User Login Security:
Configure the plugin to increase user login security. This may include implementing two-factor authentication, strong password requirements, and login attempt limiting.
Scan for Vulnerable Plugins and Themes:
Enable the plugin to scan for vulnerable plugins and themes. Regularly apply updates to ensure that your website is not exposed to known security vulnerabilities.
Monitor Suspicious Activities: Configure the plugin to monitor suspicious activities on your website. Set up email alerts for any security issues that are detected.
Following these steps, you can secure your WordPress website using the Solid Security plugin.
It is important to regularly monitor your website for security issues and to stay informed about the latest security threats and best practices.
If you want to use other WordPress security plugins, you can check 17+ best WordPress Security plugins.
Bottom Line
Securing a WordPress website is not that critical.
You just learn how to make your WordPress site secure.
Hackers are always trying to find new ways to attack your WordPress site. But as WordPress updates with its new version, its core becomes stronger and less vulnerable to attacks. You can apply either the manual method or use the plugin to enable security features. But applying anything secure your web host and take a backup.
Frequently Asked Questions
-
How Often Should I Perform a Security Check On My WordPress Website
You should regularly perform a scan every week. Perform a security scan after updating your WordPress core, themes, and plugins to ensure that no new vulnerabilities have been introduced. Regularly review your website’s activity logs for any irregular events that may indicate potential security threats.
-
What Are Some Recent Security Updates In WordPress
WordPress released version 6.4.3, which contains two security patches:
1. PHP File Upload Bypass vulnerability via a plugin installer that could allow an attacker with admin privileges to upload malicious PHP files.
2. Remote Code Execution (RCE) vulnerability through a Property Oriented Programming (POP) chain, which could allow an attacker with admin privileges to execute arbitrary code.
Also, these two security fixes for WordPress 6.4.3 included 21 bug fixes for the core software and the block editor.
-
How To Choose A Secure Password For A WordPress Website
To choose a secure password for a WordPress website, use a mix of characters, avoid common words and patterns, make it long, consider using a password generator, avoid reusing passwords, and enable 2FA for an extra layer of security.
-
How To Choose A Secure WordPress Theme
To choose a secure WordPress theme, consider the following tips:
Get it from a reputable source that thoroughly checks themes for security.
Look for themes that receive regular updates and are well-maintained.
Consider using security plugins and tools to test the theme for vulnerabilities.
Prioritize themes from well-known and trusted developers.