16 Steps To Secure Your WordPress Site
WordPress is a common target for attackers. Reports on WordPress security show that 13,000 WordPress sites are attacked on a daily basis.
With an estimated 43% of websites running on WordPress, it presents a large opportunity for malicious hackers to find vulnerabilities to exploit.
Securing your WordPress site is important to prevent your website and your business from becoming one of the many statistics of websites that are compromised each year.
Each of the following steps can be used to secure your WordPress website and reduce the potential that you will be impacted by the latest cyber threat to emerge.
1. Maintain Updates For WordPress, Plugins, Themes, and PHP
New vulnerabilities are continually identified and reported. The National Vulnerability Database (NVD) has received over 18,000 reports of new vulnerabilities in the first half of 2024 alone.
Updates are often issued to address these vulnerabilities and the time between a vulnerability being disclosed and the vulnerability being exploited is often shrinking.
Configuring automatic updates for your plugins, themes, WordPress version, and PHP software can help to minimize the threat of exploitation.
2. Install Security Plugins
Security plugins include a range of features to improve the security of your site including:
- Scanning your site for potential malware
- Detecting and blocking unusual activity
- Improving the security of your accounts
- Automating backups of your data
Many security plugins offer a free-to-use version with many of the core features you need for website security already included.
3. Use Trusted Plugins and Themes
Many plugins offer incredibly useful features which can improve the appearance and performance of your site.
However, vulnerabilities have been found in many popular WordPress plugins, and some plugins have been found to be a direct way for hackers to introduce malware into websites.
Where you choose to install plugins to your site, it is important to consider several factors such as:
- Who has developed the plugin
- Have they developed anything else that is highly rated
- Does the plugin have many positive reviews
- Are there any current reports of vulnerabilities for this plugin or others by the developer
Conducting some checks on the plugin before installation can take a little time, but can be worthwhile for the long-term security of your WordPress site.
4. Ensure Your SSL Certificate Is Up To Date
The SSL connection made between your website and your users ensures the security of your data as it is being transferred using encryption.
This process prevents the data transfer from being manipulated or read by any devices between your site and your clients.
The SSL certificate defines the security measures that are used as part of this encryption process and forms a critical part of your WordPress site’s security.
SSL certificates are often automatically managed by a website hosting provider, but it can be useful to use an SSL Checker website to verify the security of your communications.
5. Configure A Web Application Firewall
Websites are regularly targeted for attack by hackers. The methods used in many attacks have identifiable indicators that can be detected by a Web Application Firewall (WAF).
Where these malicious activities are identified a WAF can block the attempts to attack your website and cut off the connection from the attacker, safeguarding your site from further attacks.
Several security plugins include a WAF as a feature, but dedicated solutions for this security service are also available.
6. Restrict Access To The Login Page
The WordPress login page is a frequent target for attacks. The default setup for WordPress uses a standard location for the login page which can be found by attackers.
Setting up access restrictions around the login page can be done in several ways:
- Limit access to a set IP Address
- Where you can access WordPress from a set location and IP Address you can limit access to one IP Address which prevents access from other locations
- Limit access using unique cookies
- Unique cookies can be configured for your WordPress instance, to ensure that only devices and browsers which use these cookies can access the page
- Move the default login location
- The standard login portal for WordPress can be moved to reduce the number of attacks, which target the default page
These configuration steps can be carried out using several security plugins or specific plugins such as “WPS Hide Login” to relocate the WordPress login location.
7. Configure Multi-Factor Authentication
Where your login pages may be identified by an attacker, reducing the potential for your user accounts to be compromised is critical.
While password security and login restrictions can help, in the unfortunate event that credentials are compromised a Multi-Factor Authentication system can further secure your accounts.
Google offers a method to incorporate 2FA into your website using the Google Authenticator app.
There are also several free WordPress security plugins that offer 2FA as an included feature, allowing you to simply configure 2FA with just a few clicks.
8. Prevent Methods Of Username Enumeration
The default configuration of WordPress includes several methods to determine usernames that are used for logging into your WordPress accounts.
This can be an issue as it allows attackers to conduct more targeted attacks against your login portal using a known and valid set of usernames, so only the password needs to be determined.
While there are methods to manually configure your website to avoid different methods of username enumeration, security plugins can also be used to prevent this type of attack.
9. Reduce Version Information Disclosure
The default implementation of WordPress can disclose a range of version information related to your instance of WordPress, Plugins, and Themes.
Where the version information is identified, attackers will often search through vulnerability databases for known issues that impact your versions, and then conduct further targeted attacks using known vulnerabilities in your website.
Reducing the version information that is disclosed by your site can therefore reduce the potential for targeted attacks.
However, this should not be considered as an alternative to configuring automated updates and maintaining the latest versions of available software.
Version information for your WordPress version can be removed using online guides, but can also be removed using the features of several security plugins.
10. Change Default Administrator Accounts
Similar to default login pages, the default administrator username is a common target by attackers.
Changing the default username which is enabled within WordPress removes a potential attack path that makes use of a known username and increases the likelihood of attackers attempting to log in with the ‘admin’ account.
Changing this information can be carried out in the Users section of your WordPress dashboard.
11. Change Standard Database Formats
Another targeted default implementation within WordPress is the default database configuration.
Where attackers can leverage a vulnerability that allows database interaction, changing the default settings and naming format, reduces the possibility of further compromise and data extraction.
Changing the database information can lead to performance issues if not completed correctly so using the built-in features of a security plugin is recommended to automate the process.
12. Update File Permissions
Files have permissions associated with them to define who can read them, change them, or run them.
There are many default files that are present with the setup and installation of a WordPress site, many of which can be configured with further restrictions to limit who can access them.
Changing the standard permissions of files can be done using the .htaccess file and using online guides, or can be automated through several freely available security plugins.
13. Secure Your Contact Forms
Any forms that are configured on your WordPress website can be subject to large-scale attacks.
This process can submit thousands of requests into your contact forms and produce thousands of messages which must then be filtered through, organized, and removed.
Setting up security measures around each of your contact forms can prevent this large-scale submission and protect your business from spam.
Google reCAPTCHA provides a freely available option to protect your site from this type of attack.
14. Setup Restrictions On XMLRPC
XML-RPC is a WordPress feature that is used for several legitimate purposes, however, it can also be used by hackers, to gather information about your site, determine usernames, make multiple login attempts, and perform other attacks.
Often these interactions bypass several other security measures you may have in place for your site.
It is common that the legitimate reasons for XML-RPC are not used by your site and it can be disabled without any negative impacts to your WordPress site.
Restricting this feature can be done manually through editing the .htaccess file, or can be done using one of the freely available WordPress security plugins.
15. Conduct Regular Security Tests
Even with each of the recommended security measures put in place for your website, it is important to check for anything that may be overlooked and protect your site against issues that have not been accounted for.
Conducting a regular vulnerability test of your website can identify the few remaining security issues that you may be impacted by and help guide you toward methods to resolve these issues.
Using security scanning tools such as WPScan regularly can help to verify that your WordPress site remains secure from any ongoing issues. Tools such as Tenable Nessus also have features to conduct scans against web applications, and further information on setting up Nessus scans is provided here.
16. Maintain Data Backups
In a worst-case scenario where your site has suffered from a security breach, being able to restore your WordPress site to a previous point before the breach occurred is important.
This will ensure you don’t lose your data and your site can return to a point before any compromise or potential changes occur.
When security breaches do occur, it can be difficult to determine exactly what has been changed. Restoring to a previous data backup can remove any concerns that unknown changes are still present within your site.
However, it is also important to identify the cause of the original security breach to ensure it doesn’t happen again and to change any necessary settings, accounts, or plugins that may have led to the breach.
Maintaining Your Site Security
Websites often represent the public face of many businesses and where security issues do occur, it can sometimes become an insurmountable issue, which has both financial and reputational impacts leading to a business closure.
As your WordPress site will be continually accessible over the internet, it is important to take the necessary steps to improve your security and minimize the potential for any attackers to compromise your site, your data, and your client’s data.
Protecting your WordPress site can often be automated through several useful security plugins, but it is important to be aware of the risks that your site may face and to actively implement solutions to resolve these risks.
Andrew Lugsden
Security Consultant at Forge Secure Limited
Working within the Cyber Security industry for over ten years to provide consultancy, security testing, and compliance services.