If you are serious about your website, then you need to pay attention to WordPress security best practices. Below we share actionable steps you can take to protect your website from hackers and malware.
We believe security is not about eliminating risk; it is about reducing it. As a website owner, there is a lot you can do to improve your WordPress security.
While the core WordPress software is very secure and is audited regularly by hundreds of developers, there is still a lot of work to do to ensure your site is safe.
WordPress Security Guide
Why is website security important?
A hacked WordPress website can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malware, and even distribute malware to your visitors.
In the worst case, you might find yourself paying a ransom to hackers just to regain access to your website.
In March 2016, Google reported that more than 50 million website users had been warned that the sites they were visiting might contain malware or steal information.
Additionally, Google blacklists around 10,000 websites for malware every day and around 50,000 websites for phishing every week.
If your website is a business, then you need to pay special attention to your WordPress security.
Similar to how business owners have a responsibility to protect their brick-and-mortar building, as an online business owner, you have a responsibility to protect your business website.
Keep WordPress updated
WordPress is an open source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to initiate the update manually.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who release updates regularly.
These WordPress updates are crucial for the security and stability of your WordPress website. You need to make sure your WordPress core, plugins, and themes are up to date.
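The page does not show how to turn on background updates for plugins and themes, so here is an added example (not code from the page or from WordPress itself): a must-use plugin that enables major core updates and automatic plugin and theme updates, while holding back a hypothetical list of slugs you prefer to test on staging first. It uses only the core auto-update filters; the slugs and the e-mail address are made up.

```php
<?php
/**
 * Plugin Name: Auto-update everything
 * Drop this file into wp-content/mu-plugins/. Must-use plugins load on every
 * request and cannot be deactivated from the dashboard, so a compromised
 * admin account cannot simply switch updates off.
 */

// Install major core releases automatically as well as the minor/security
// releases WordPress already installs by default. Same effect as
// define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Hypothetical slugs you want to update by hand after testing on staging.
define( 'HARDEN_HOLD_BACK', array( 'woocommerce', 'my-custom-theme' ) );

// Every plugin updates in the background unless it is on the hold-back list.
// $item is the update object from the wordpress.org API; ->slug is the plugin slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return ! in_array( $item->slug, HARDEN_HOLD_BACK, true );
}, 10, 2 );

// Same for themes; the theme update object exposes the slug as ->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    return ! in_array( $item->theme, HARDEN_HOLD_BACK, true );
}, 10, 2 );

// Route the "updates ran / failed" mail to a monitored mailbox, so a silent
// failure does not leave a known-vulnerable version in place for weeks.
add_filter( 'auto_plugin_theme_update_email', function ( $email ) {
    $email['to'] = 'security@example.com'; // hypothetical address
    return $email;
} );
```

Because must-use plugins cannot be disabled from the dashboard, this also protects the update policy itself: an attacker who gains an editor or administrator session cannot quietly pause updates to keep a vulnerable plugin around.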
Strong passwords and user permissions
The most common WordPress hacking attempt uses stolen or guessed passwords. You can make this much harder by using a strong password that is unique to your site. This applies not only to the WordPress admin area, but also to FTP accounts, databases, WordPress hosting accounts, and the custom email addresses on your domain.
Many beginners do not like to use strong passwords because they are difficult to remember. The good news is that you no longer need to remember them: use a password manager. See our guide on how to manage WordPress passwords.
Another way to reduce your risk is not to give anyone access to your WordPress administrator account unless you absolutely must. If you have a large team or guest authors, make sure you understand WordPress user roles and capabilities before you add new user accounts and authors to your site, and give each account the least privileged role that lets it do its job.
The Role of WordPress Hosting
Your WordPress hosting service plays the most important role in the security of your WordPress website. A good shared hosting provider like Bluehost or SiteGround takes extra steps to protect its servers from common threats.
Here’s how a good web hosting company works behind the scenes to protect your website and data.
- They continuously monitor their networks for suspicious activity.
- All good hosting companies have tools to prevent large-scale DDoS attacks.
- They keep server software, PHP versions, and hardware up to date to prevent hackers from exploiting known security holes in older versions.
- They are ready to deploy disaster recovery and incident plans to protect your data in the event of a major incident.
On a shared hosting plan, you share server resources with many other customers. This creates the risk of cross-site contamination, where hackers can use neighboring sites to attack your website.
Using a managed WordPress hosting service can provide a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.
We recommend WPEngine as our preferred managed WordPress hosting provider; they are also one of the most popular in the industry.
WordPress Security in Easy Steps (No Coding)
We know improving WordPress security can be a scary idea for beginners. Especially if you’re not technical. But guess what — you’re not alone.
We have helped thousands of WordPress users strengthen their WordPress security.
We’ll show you how to improve your WordPress security in just a few clicks (no coding required).
If you can click, you can do it!
Installing a WordPress Backup Solution
Backups are your first line of defense against any WordPress attack. Remember, nothing is 100% secure. If a government website can be hacked, so can yours.
Backups allow you to quickly restore your WordPress site in case something bad happens.
You can use one of many free and paid WordPress backup plugins. The most important thing to know about backups is that you must regularly save full-site backups (files and database) to a remote location, not your hosting account.
We recommend storing them on a cloud service like Amazon S3 or Dropbox, or a private cloud like Stash.
Depending on how often you update your site, your ideal setup might be daily or real-time backups.
Thankfully, this can be accomplished with UpdraftPlus or BlogVault. Both are reliable and, most importantly, easy to use (no coding required).
Best WordPress Security Plugins
Once backups are in place, the next thing to do is set up an auditing and monitoring system that tracks everything that happens on your website.
This includes file integrity monitoring, failed login attempts, malware scanning, and more.
Thankfully, the free Sucuri Scanner plugin, our pick for the best free WordPress security plugin, takes care of all of this.
First, install and activate the free Sucuri Security plugin.
Upon activation, you need to go to the Sucuri menu in your WordPress admin. The first thing you will be asked to do is generate a free API key. This will enable audit logging, integrity checks, email alerts, and other important features.
The next thing you need to do is click on the Hardening tab from the settings menu. Go through each option and click on the Apply Hardening button.
These options harden the areas that hackers target most often. The only hardening option that requires a paid upgrade is the Web Application Firewall, which we explain in the next step, so skip it for now.
We also cover many of these “hardening” options later in this article for those who want to do this without using plugins or requiring extra steps (such as “database prefix changes” or “changing admin usernames”).
After the hardening section, the default plugin settings are good enough for most websites and do not require any changes. The only thing we recommend customizing is the “Email Alerts”.
The default alert settings might fill your inbox with emails. We recommend receiving alerts for key actions like plugin changes, new user signups, etc. You can configure alerts by going to Sucuri Settings » Alerts.
This WordPress security plugin is pretty powerful, so explore all the tabs and settings to see everything it does, like malware scanning, audit logs, failed login attempt tracking, and more.
Enable Web Application Firewall (WAF)
The easiest way to protect your website and feel confident in your WordPress security is to use a Web Application Firewall (WAF).
A website firewall blocks all malicious traffic before it reaches your website.
DNS-level website firewall – These firewalls route your website traffic through their cloud proxy servers, so only traffic that passes their rules is forwarded to your web server.
Application-level firewall – These firewall plugins inspect traffic after it reaches your server but before most WordPress code runs. Because every request still has to be processed by your server, this approach is less effective than a DNS-level firewall at reducing server load.
For more information, see our list of the best WordPress firewall plugins.
We use and recommend Sucuri as the best web application firewall for WordPress.
The best part about Sucuri Firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically, if you get hacked while on their watch, they guarantee that they will fix your site (regardless of how many pages you have).
This is a very strong guarantee because it’s expensive to fix a hacked site. Security experts typically charge $250 per hour. You can get the entire Sucuri security stack for $199 per year.
Sucuri isn’t the only DNS-level firewall provider. Another popular competitor is Cloudflare.
Moving Your WordPress Site to SSL/HTTPS
SSL (Secure Sockets Layer), long since superseded by its successor TLS (Transport Layer Security) but still commonly called SSL, is the protocol that encrypts data in transit between your website and the user's browser. This encryption makes it much harder for anyone on the network path to sniff or tamper with that data.
Once SSL is enabled, your website will use HTTPS instead of HTTP, and you will also see a padlock symbol next to the website address in your browser.
SSL certificates are issued by a certificate authority and used to cost anywhere from $80 to hundreds of dollars per year. Because of the cost, many website owners kept using plain, unencrypted HTTP.
To solve this problem, a non-profit organization called Let's Encrypt started providing free SSL certificates to website owners. The project is sponsored by Google, Facebook, Mozilla, and many other companies.
It is easier than ever to use SSL on all your WordPress sites. Many hosting companies now offer a free SSL certificate for your WordPress website.
If your hosting company doesn't offer one, you can buy it from Domain.com. They have one of the best SSL deals on the market, and it comes with a $10,000 security warranty and the TrustLogo security seal.
WordPress Security for DIY Users
If you’ve done everything we’ve mentioned so far, you’re in great shape.
But as always, there’s more you can do to strengthen your WordPress security.
Some of these steps may require coding knowledge.
Change the default "admin" username
In the past, the default WordPress administrator username was "admin". Since the username makes up half of the login credentials, this made brute force attacks easier.
Thankfully, WordPress has changed this and now asks you to choose a custom username when you install WordPress.
However, some one-click WordPress installers still set the default administrator username to "admin". If you notice this, switching to a different web host might be a good idea. Keep in mind that usernames are not secret in WordPress: author archive URLs (?author=1) and the REST API's users endpoint can reveal them, so a custom username raises the bar only slightly. Strong passwords and two-factor authentication (below) matter far more.
WordPress does not let you change a username from the dashboard, so there are three methods you can use to change it.
- Create a new admin username and delete the old one.
- Using the Username Changer Plugin
- Update username from phpMyAdmin
We cover all three methods in our detailed guide on how to correctly change your WordPress username (step by step).
Notice:We are talking about a username called "admin", not the admin role.
Disable file editing
WordPress comes with a built-in code editor that allows you to edit your theme and plugin files directly from the WordPress admin area. In the wrong hands, this feature can pose a security risk, which is why we recommend turning it off.
You can do this easily by adding the following line to your wp-config.php file.
define( 'DISALLOW_FILE_EDIT', true );
Alternatively, you can use the Hardening feature in the free Sucuri plugin mentioned above to do this in one click. A stricter related constant, DISALLOW_FILE_MODS, also blocks installing and updating plugins and themes from the dashboard (including automatic updates), so only use it if you deploy updates another way.
Disable PHP file execution in certain WordPress directories
Another way to strengthen WordPress security is to disable PHP file execution in directories that are not needed, such as /wp-content/uploads/.
You can do this by opening a text editor like Notepad and pasting the following rules, which tell Apache to refuse any request for a .php file in that directory. The Files wrapper matters: "deny from all" on its own would block the images in your uploads folder too.
<Files *.php>
deny from all
</Files>
Next, save this file as .htaccess and use an FTP client to upload it to the /wp-content/uploads/ folder on your website. On Apache 2.4 the equivalent directive is "Require all denied"; on nginx, .htaccess files are ignored, so you need a matching location rule in the server configuration instead.
For more detailed instructions, see our guide,Learn how to disable PHP execution in certain WordPress directories
Alternatively, you can use the Hardening feature in the free Sucuri plugin mentioned above to do this in one click.
Limit login attempts
By default, WordPress allows unlimited login attempts. This makes your site vulnerable to brute force attacks, where hackers try to guess your password by submitting many different combinations.
This is easily fixed by limiting the number of failed login attempts a client can make. If you are using a web application firewall as mentioned earlier, this is taken care of for you.
However, if you do not have a firewall set up, continue with the steps below.
First, install and activate the Login LockDown plugin.
After activation, visit the Settings » Login LockDown page to set up the plugin.
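For readers who would rather not add a plugin, here is an added example of the same control implemented with core WordPress hooks (this is not the Login LockDown plugin's code). It counts failed logins per client address in a transient and refuses further attempts once a threshold is reached. The trusted proxy address is a made-up placeholder.

```php
<?php
/**
 * Plugin Name: Simple login rate limit
 * Added example, not the Login LockDown plugin's code. After LRL_MAX_FAILS failed
 * logins from one client address inside LRL_WINDOW seconds, every further attempt
 * from that address is refused for LRL_LOCKOUT seconds, even if the password is
 * right. Drop into wp-content/mu-plugins/.
 */

const LRL_MAX_FAILS = 5;
const LRL_WINDOW    = 10 * MINUTE_IN_SECONDS;
const LRL_LOCKOUT   = 20 * MINUTE_IN_SECONDS;

/**
 * Address the counter is keyed on. REMOTE_ADDR is the TCP peer; behind a reverse
 * proxy or DNS-level WAF that is the proxy, so read X-Forwarded-For instead, but
 * ONLY when the peer really is the proxy. Trusting the header unconditionally lets
 * an attacker spoof a fresh address on every request and never get locked out.
 */
function lrl_client_ip(): string {
    $trusted_proxies = array( '203.0.113.10' ); // hypothetical WAF egress address
    $peer = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if ( in_array( $peer, $trusted_proxies, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $chain     = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $candidate = end( $chain ); // the address the trusted proxy itself appended
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            $peer = $candidate;
        }
    }
    return $peer;
}

function lrl_key( string $ip ): string {
    return 'lrl_' . md5( $ip ); // keeps the transient name short and safe
}

// Priority 30 runs AFTER wp_authenticate_username_password (20), which would
// otherwise replace an early WP_Error with a WP_User when the guess is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username && '' === (string) $password ) {
        return $user; // login form merely displayed, nothing submitted
    }
    $state = get_transient( lrl_key( lrl_client_ip() ) );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        $minutes = (int) ceil( ( $state['locked_until'] - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', $minutes )
        );
    }
    return $user;
}, 30, 3 );

// Fires for failed logins from wp-login.php, XML-RPC and application passwords
// alike, because all of them go through wp_authenticate().
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lrl_key( lrl_client_ip() );
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'fails' => 0, 'locked_until' => 0 );
    }
    $state['fails']++;
    $ttl = LRL_WINDOW;
    if ( $state['fails'] >= LRL_MAX_FAILS ) {
        // Attempts made during the lockout extend it: a bot that keeps
        // hammering stays locked until it stops.
        $state['locked_until'] = time() + LRL_LOCKOUT;
        $ttl = LRL_LOCKOUT;
    }
    set_transient( $key, $state, $ttl );
} );

// A successful login from that address clears the counter.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lrl_key( lrl_client_ip() ) );
}, 10, 2 );
```

Two design points are worth noticing. The lockout check deliberately runs late in the authenticate chain, because WordPress's own username/password callback ignores an earlier error and returns the user when the password is correct; a lockout that runs first is silently bypassed by the one guess that succeeds. And the client address is only taken from X-Forwarded-For when the request really arrived from your proxy; without that check, an attacker behind no proxy at all can set the header to a new value on every request and the counter never reaches the threshold.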
Add two-step authentication
Two-factor authentication requires users to complete two steps to log in. The first is the username and password; the second requires you to confirm the login with a separate device or app.
Most of the top online sites like Google, Facebook, Twitter, allow you to enable it for your account. You can also add the same functionality to your WordPress site.
First, install and activate the Two Factor Authentication plugin. Upon activation, click the Two Factor Authentication link in the WordPress admin sidebar.
Next, you'll need to install and open an authenticator app on your phone. There are several available, such as Google Authenticator, Authy, and LastPass Authenticator.
We recommend usingLastPass AuthenticatororAuthy, as they both allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new one. All your account logins will be easily restored.
We will be using LastPass Authenticator for this tutorial. However, the instructions are similar for all authentication apps. Open your authenticator app and click the “Add” button.
You will be asked whether you want to scan the site manually or scan a barcode. Select the Scan Barcode option and then point your phone's camera at the QR code displayed on the plugin settings page.
That's it, your authentication app will now save it. The next time you log into your website, you will be asked for the 2-step verification code after entering your password.
Simply open the authenticator app on your phone and enter the code you see on it.
Changing the WordPress Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in the WordPress database. If your site uses the default prefix, attackers can guess your table names without any reconnaissance, which is why many guides recommend changing it. Be realistic about the benefit, though: any SQL injection that can read information_schema learns the real prefix in one query, so treat this as obscurity that trips up lazy automated tools, not as a control you can rely on.
Notice: This can break your site if not done correctly. The prefix also appears in option names such as wp_user_roles and in user meta keys such as wp_capabilities and wp_user_level, and those rows must be renamed along with the tables. Only proceed if you are comfortable with your coding skills and have a fresh backup.
Password Protect WordPress Admin and Login Pages
Typically, hackers can request your wp-admin folder and login page without any restrictions. This lets them try their hacking skills or run DDoS attacks against the login page.
You can add an extra layer of HTTP authentication at the web server level (an .htaccess and .htpasswd pair on Apache), which blocks these requests before they reach WordPress. One caveat: /wp-admin/admin-ajax.php is used by many plugins on the public front end, so exempt that file from the password prompt or those features will break for logged-out visitors.
Disable directory indexing and browsing
Hackers can use directory browsing to find out if you have any files with known vulnerabilities, so they can exploit those to gain access.
Others can also use directory browsing to view your files, copy images, find out your directory structure and other information. This is why it is strongly recommended that you turn off directory indexing and browsing.
You need to connect to your website using FTP or cPanel's File Manager. Next, find the .htaccess file in your website's root directory.
After that, you need to add the following line at the end of your .htaccess file:
Options -Indexes
Don’t forget to save and upload the .htaccess file back to your site.
Disabling XML-RPC in WordPress
XML-RPC has been enabled by default since WordPress 3.5 because it connects your WordPress site with web and mobile applications.
Because of how flexible it is, XML-RPC can significantly amplify brute force attacks.
For example, if a hacker traditionally wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts, which a login lockout plugin would catch and block.
But with XML-RPC, the system.multicall method lets a hacker bundle hundreds of login attempts into a single request, so thousands of passwords can be tried with only 20 or 50 requests. The same endpoint's pingback.ping method can also be abused to make your server send requests to other sites (a reflected DDoS).
That's why if you don't use XML-RPC then we recommend that you disable it.
Tip: Blocking xmlrpc.php in .htaccess (or in the web server configuration) is the best method, since the request is refused before PHP runs and uses the fewest resources. Remember that the Jetpack plugin and the WordPress mobile apps need XML-RPC, so check before you block it.
If you are using a web application firewall as mentioned earlier, this can be handled by the firewall.
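If you need to keep xmlrpc.php reachable (for Jetpack, say) but want to remove the abuse potential, here is an added example (not code from the page or from any plugin) that strips the amplifying methods with core filters. The XML body in the comment is a constructed sample of a multicall brute force request, shown so you recognise one in your logs.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening
 * Added example. Removes the amplifying methods, disables authenticated
 * XML-RPC, and stops advertising the endpoint. Drop into wp-content/mu-plugins/.
 */

// 1. Authenticated methods (wp.*, metaWeblog.*, blogger.*) stop accepting logins.
//    NOTE: this alone does NOT remove pingback.ping or system.multicall, because
//    neither of them requires credentials.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the methods an attacker actually abuses. A single system.multicall
//    body like this constructed sample wraps many wp.getUsersBlogs calls, each
//    carrying a different password guess, in one HTTP request:
//
//    <methodCall><methodName>system.multicall</methodName><params><param>
//      <value><array><data>
//        <value><struct>
//          <member><name>methodName</name><value>wp.getUsersBlogs</value></member>
//          <member><name>params</name><value><array><data>
//            <value>admin</value><value>guess-0001</value>
//          </data></array></value></member>
//        </struct></value>
//        ... hundreds more <struct> entries, one per guess ...
//      </data></array></value>
//    </param></params></methodCall>
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],                  // reflected DDoS against third parties
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint in responses and page markup.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' ); // the <link rel="EditURI"> that points at xmlrpc.php
```

The ordering of steps 1 and 2 is the point: the widely copied one-liner that sets xmlrpc_enabled to false only switches off methods that require a login, so a site using it alone still answers system.multicall and pingback.ping and can still be used as a DDoS reflector. Removing the methods from the table is what closes that.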
Automatically Log Out Idle Users in WordPress
Logged-in users sometimes walk away from their screens, which creates a security risk. Someone could hijack their session, change their password, or make changes to their account.
This is why many banking and financial websites automatically log out inactive users. You can implement similar functionality on your WordPress website, too.
You will need to install and activate the Inactive Logout plugin. After activation, visit the Settings » Inactive Logout page to configure the plugin settings.
Simply set the duration and add a logout message. Don’t forget to click on the save changes button to store your settings.
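As an added example (not the Inactive Logout plugin's code), the same behaviour can be built with core hooks: record when a logged-in user was last active, end the session once the idle limit passes, and shorten the auth cookie so a forgotten "Remember Me" login does not stay valid for two weeks.

```php
<?php
/**
 * Plugin Name: Idle logout
 * Added example, not the Inactive Logout plugin's code. Ends a login that has
 * shown no activity for IDLE_LOGOUT_LIMIT seconds and shortens the auth cookie.
 * Drop into wp-content/mu-plugins/.
 */

const IDLE_LOGOUT_LIMIT = 30 * MINUTE_IN_SECONDS;

add_action( 'init', function () {
    if ( ! is_user_logged_in() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, '_last_active', true );
    $now     = time();

    if ( $last && ( $now - $last ) > IDLE_LOGOUT_LIMIT ) {
        wp_logout(); // destroys this session token and clears the auth cookies
        if ( wp_doing_ajax() ) {
            wp_send_json_error( 'Logged out after inactivity.', 401 );
        }
        wp_safe_redirect( add_query_arg( 'idle', '1', wp_login_url() ) );
        exit;
    }

    // The editor's Heartbeat ping fires every 15-60 s on its own, so counting it
    // as activity would keep an abandoned tab logged in forever. Also throttle
    // the meta write so every page view does not hit the database.
    $is_heartbeat = wp_doing_ajax() && 'heartbeat' === ( $_REQUEST['action'] ?? '' );
    if ( ! $is_heartbeat && ( $now - $last ) > 60 ) {
        update_user_meta( $user_id, '_last_active', $now );
    }
} );

// Auth cookies last 2 days by default, or 14 days with "Remember Me". Shorten both.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );
```

One limitation to be aware of: the timestamp is stored per user, not per session token, so activity on one device keeps the same user's session on another device alive. Tracking idleness per session needs the WP_Session_Tokens API instead of user meta.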
Scan WordPress for Malware and Vulnerabilities
If you have WordPress security plugins installed, then these plugins will regularly check for signs of malware and security vulnerabilities.
However, if you notice a sudden drop in your site's traffic or search rankings, you may need to run a scan manually. You can use a WordPress security plugin or one of the online malware and security scanners.
Running these online scans is very simple, you just enter your website URL and their crawler will go through your site looking for known malware and malicious code.
Remember that most online scanners are remote: they can only see what a visitor sees, so they cannot inspect your files on disk, remove malware, or clean a hacked WordPress site.
This brings us to the next section, cleaning up malware and hacked WordPress sites.
Fixing a Hacked WordPress Site
Many WordPress users don’t realize the importance of backups and website security until their site is hacked.
Cleaning up a WordPress site can be difficult and time-consuming. Our first suggestion is to let a professional handle it.
Hackers install backdoors, and if these backdoors are not properly removed, there is a high chance that your website will be hacked again.
Having your website fixed by a professional security company like Sucuri will ensure that your website is safe to use again and will help protect you from future attacks.
Bonus Tips: Identity Theft and Online Protection
As small business owners, it is vital to protect our digital and financial identities, because failing to do so can result in significant losses. Hackers and criminals can use your identity to steal your website's domain name, hack into your bank account, or even commit crimes that you may be held accountable for.
In 2020, the Federal Trade Commission (FTC) reported 4.7 million incidents of identity theft and credit card fraud.
That's why we recommend using an identity theft protection service like Aura (we use Aura ourselves).
They offer device and Wi-Fi network protection with a free VPN (Virtual Private Network) that encrypts your internet connection wherever you are. This is useful when you are travelling or connecting to your WordPress admin from a public place like Starbucks, so you can work online securely and privately.
Their Dark Web Monitoring service uses artificial intelligence to continuously monitor the dark web and alert you if your passwords, social security numbers, and bank accounts have been stolen.
This allows you to act faster and better protect your digital identity.
WordPress security is a very important topic for every website owner. Google blacklists around 10,000+ websites for malware every day and around 50,000 websites for phishing every week.
That’s all, we hope this article helped you learn about the top WordPress security best practices and discover the best WordPress security plugins for your website.