Follow These 13 WordPress Security Best Practices to Avoid Being Hacked

Welcome to the world of WordPress, where building a website is as easy as a few clicks. However, with great simplicity comes the responsibility of ensuring your site’s security.

WordPress is the most popular content management system (CMS) that powers over 40% of all websites. However, with great popularity comes increased threats from hackers looking to exploit vulnerabilities. Securing your WordPress site should be a top priority to prevent attacks and keep your site and users safe.

In this guide, we’ll delve into the essential aspects of WordPress security and explore simple yet effective ways to safeguard your website against potential threats.

Use a Trusted Web Host with Automatic Updates

Why is Choosing the Right Host Important?

Your web host provides the server environment where your WordPress site resides. A good host will have security measures in place to protect all sites on their servers. This includes:

• Automatic WordPress core, plugin, and theme updates
• Malware scanning and removal
• Firewalls and access controls
• Server hardening to prevent unauthorized access
• Regular backups in case your site is compromised

With automatic updates enabled, any security vulnerabilities that are discovered in WordPress core or popular plugins/themes will be patched by your host right away. This prevents your site from being an easy target while waiting for you to manually update.

How to Pick a Secure WordPress Hosting Provider?

When choosing a hosting provider, look for the following security features:

• Automatic updates – As mentioned above, this is crucial.
• Malware detection and removal – The host should scan sites and have a plan in place if malware is found.
• SSL certificate – Having an SSL certificate encrypts data and shows the green padlock icon.
• Firewall – Controls access and blocks suspicious traffic.
• Server hardening – Removing unnecessary software, closing unused ports, restricting file permissions, etc.
• backups – Allows you to restore your site if hacked.
• DDoS protection – Mitigates attacks meant to take down your site.
• 24/7 monitoring and support – So issues can be detected and addressed promptly.

Some of the most secure and reliable WordPress hosting providers include SiteGround, Bluehost, Kinsta, and WP Engine.

Limit Admin Users and Use Strong Passwords

Why Should You Limit Admin Access?

The admin user account has unrestricted access to your entire WordPress site. If a malicious actor gains access to an admin login, they can damage or take over your site.

To limit exposure, you should:

• Have only a few trusted users with admin access
• Create separate accounts with limited permissions for other users like authors, editors, etc. They only get access to what they need.
• Avoid using the default ‘admin’ username which is easy to guess. Pick a cryptic username only known to site owners.

As we covered previously, these types of user roles each have different levels of access and permissions. You may be wondering, what exactly are WordPress user roles and why do they matter?

Understanding the capabilities of administrators, editors, authors and more is key for site security and dividing tasks. Check out this overview of WordPress roles and permissions to learn more before assigning them.

How to Create Strong Passwords?

A strong password is your first line of defense. Here are some tips:

• Length – Use at least 12 characters, the longer the better.
• Complexity – Include upper and lowercase letters, numbers and symbols. Avoid dictionary words.
• Generator – Use a password generator tool to create a random secure password.
• Manager – Use a password manager like LastPass to generate and store passwords securely.
• 2FA – Enable two-factor authentication for all users. This adds an extra layer of security.
• Unique – Each account should have a unique password that is changed periodically.
• Phrases – Use passphrases like “C@tLovesTuna!” which are easy to remember but hard to crack.

Also make sure to revoke old admin accounts if someone no longer needs access.

Install Trusted Plugins and Themes from WordPress.org

Why You Should Avoid Pirated Plugins and Themes

Pirated plugins and themes that offer paid features for free may seem tempting. However, they pose a major security risk and should always be avoided.

Problems with Pirated plugins and themes:

• They often contain backdoors and malicious code allowing hackers access.
• No way to get security updates since they violate copyright.
• Lack of support if issues arise.
• Unethical and illegal.

Instead, only use plugins and themes from the official WordPress.org repository. These are rigorously vetted, updated regularly, and safe to use. Even free plugins from WordPress.org are held to high standards.

Tips for Choosing Secure Plugins

When installing WordPress.org plugins, follow these guidelines:

• Check user reviews and ratings. Avoid plugins with many negative reviews.
• Install only what’s needed. Too many unused plugins just create vulnerabilities.
• Favor popular established plugins that are updated frequently.
• Check when the plugin was last updated. Avoid outdated unsupported plugins.
• Make sure the plugin is compatible with your WP version.
• Download plugins directly from WordPress.org, not other sites.
• Enable auto-updates so plugins stay up-to-date.
• Delete abandoned plugins no longer supported by the developer.

The same criteria goes for choosing safe, well-supported themes from the WordPress.org repository as well.

Use Two-Factor Authentication for All Accounts

What is Two-Factor Authentication?

Two-factor authentication (2FA) adds an extra layer of security beyond just a password. It requires two forms of identity verification before granting access:

1. Something you know – Typically the password.

2. Something you have – Such as an authenticator app that generates time-sensitive codes.

So even if someone has the password, they still cannot log in without the randomly generated authentication code from the app.

Why is 2FA Important for WordPress?

2FA makes it much harder for hackers to access accounts, even if they manage to obtain the password through phishing, brute force attacks, or a data breach.

By enabling 2FA, you add critical protection:

• For admin accounts – Protects full site access if a password is compromised.
• For other accounts like editors – Prevents unauthorized content changes.

It takes just minutes to set up but adds tremendous account security.

How to Enable Two-Factor Authentication in WordPress

There are a few different plugins that can add 2FA capability in WordPress:

• Google Authenticator – Free and easy to set up. Users install the app and scan the QR code.
• Duo Security – Supports iOS, Android, landlines etc. Integrates with hosts.
• Authy – Works with SMS, tokens, and authentication apps.

Once installed, users will be prompted for the secondary one-time passcode at login. Most 2FA plugins also support using backup codes in case you lose access to your device. For maximum WordPress security, require 2FA for every account without exception.

Perform Automatic Security Scans and Audits

Why are WordPress Security Scans Important?

WordPress security scanning tools automatically detect vulnerabilities, malware, and other issues impacting the safety of your site. They are an invaluable tool to identify security gaps before they can be exploited by hackers.

Some of the checks performed during scans:

• Missing software updates
• Weak user passwords
• Suspicious code injections
• Phishing and spam content
• Malware infections
• Blacklisted URLs/domains
• SSL certificate issues
• File permission problems

Advanced scans simulate hacker attacks to reveal vulnerabilities that real bad actors could use to penetrate your site.

Tips for Effective WordPress Security Scans

Here are some best practices for security scanning:

• Schedule regular scans – At least weekly, more often for high-risk sites. Ongoing scanning is essential.
• Use both free and paid tools – For comprehensive scanning from all angles.
• Scan remotely – Simulates external attacks to uncover obscure vulnerabilities.
• Apply fixes promptly – Don’t ignore any medium or high-risk issues uncovered.
• Check the basics – WordPress Hardening practices, file permissions, error logging etc.
• Compare results – Rescan after fixes to ensure issues were properly addressed.

Some popular automated scan tools include Wordfence, Sucuri, VirusTotal, WPScan, and Nmap.

Leverage a Web Application Firewall (WAF)

What is a WAF and How Does it Work?

A web application firewall (WAF) monitors and filters all traffic to your site at the network edge. It blocks malicious requests and protects against web app attacks like:

• SQL injections
• Cross-site scripting (XXS)
• Local file inclusion (LFI)
• Remote code execution (RCE)
• Parameter tampering
• Volumetric DDoS attacks

WAFs identify and block these based on rules that model malicious behavior. They also protect against emerging threats through machine learning and anomaly detection.

Why Use a WAF to Protect WordPress?

The open nature of WordPress can leave it vulnerable to sophisticated attacks targeting web apps. WAFs provide an added layer of protection by:

• Blocking known attack patterns and techniques
• Masking security flaws in code
• Preventing bot abuse
• Providing virtual patching for some vulnerabilities
• Hiding backend server details from attackers

Leading WAF solutions like Cloudflare, Sucuri, and Wordfence Threat Defense specialize in protecting WordPress sites. Using a WAF is highly recommended.

Tips for Choosing the Right WAF

Here are some factors to consider when selecting a WAF for WordPress:

• WP expertise – Specialized WP rules and integrate well with WordPress.
• Ease of setup – Quick and easy installation.
• Rule customization – Can modify and add your own rules.
• Monitoring – Alerts for malicious requests and activity trends.
• Support – Responsive customer support.
• Scalability – Can handle increased site traffic.
• Cost – Overall value for money. Can start low cost and scale up.

Limit Login Attempts to Prevent Attacks

Why Limit Login Attempts?

Brute force attacks try to guess passwords by repeatedly trying different combinations at high speeds. Limiting login attempts thwarts this.

Benefits include:

• Stops brute force credential stuffing using leaked passwords.
• Prevents attackers from rapidly trying out commonly used passwords.
• Locks out IP addresses or users after a specified number of failed logins.
• Can require CAPTCHA after certain login attempts.
• Reduces load on the server from login bombardment.

This significantly slows down and deters password-guessing exploits.

Tips for Limiting WordPress Login Attempts

Plugins like iThemes Security and WPS Hide Login allow configuring login attempt limits, lockout periods, whitelisted IP addresses, and more robust login security policies.

When implementing login attempt limits, we recommend:

• 3-5 max attempts are allowed before lockout.
• Lockout duration of 30-60 minutes for IP or username.
• Require CAPTCHA after 2-3 failed attempts.
• Log and notify admins of lockouts and repeated failures.
• Limit login URLs to prevent discovery. -Ban persistent attackers at the firewall level.

Brute force attacks are among the most common – so limiting login attempts is a very effective hardening technique.

Avoid Using “admin” as a username

Dangers of the Default Admin Username

Every WordPress site starts with a default admin user with unlimited privileges. This is unfortunately also a very well-known and predictable username that attackers target.

Having an admin with the easy-to-guess username of “admin” makes the site much more vulnerable to password-cracking attempts. Even very strong passwords can eventually be compromised when the username is obvious.

How to Hide Admin Username

To avoid this issue, you can take steps like:

• Change the default admin username to something more obscure.
• Create a new strong username only known by site owners for admin access.
• Map the “admin” username to a low-privilege account.
• Set up an admin role under a random username and a standard user role under “admin”.
• Use a plugin like WPS Hide Login to mask the admin username.

Taking any of these steps removes the predictability advantage attackers gain from knowing the admin username. This significantly improves WordPress security and reduces attack surface.

Use Only What is Needed When Installing Apps

The Risks of Unnecessary Apps and Settings

WordPress is highly flexible with thousands of plugins and add-on features available. While having many options is beneficial, too much-unneeded functionality creates security and performance issues.

Each installed item that isn’t essential increases vulnerabilities by:

• Expanding the attack surface area hackers can exploit.
• Draining server resources like memory and CPU.
• Creating more points of failure.

You want your site to be as lean and fast as possible. Limiting what gets added to just core necessities is smart WordPress security practice.

Tips for Reducing Install Footprint

When installing plugins, themes, and other applications, adhere to these guidelines:

• Carefully audit to remove any unused, outdated, or abandoned apps.
• Delete all sample content, media, pages, posts, and comments that come with themes and plugins.
• Disable features in apps and WP core that aren’t needed. Reduce performance drag.
• Don’t use plugins just to add styling or scripts – customize child themes instead.
• Consolidate multiple plugins with similar functions into a single plugin when possible.
• Limit plugins and themes to popular well-supported ones from WordPress.org.

Keeping your WordPress site lean, mean, and only running what’s essential will optimize both security and speed.

Regularly Update Everything

Why Are Updates Important?

The WordPress core, themes, plugins and other code used on your site all contain vulnerabilities discovered over time. Vendors issue updates to address these.

Without timely updates:

• Known security flaws remain unpatched.
• New features and improvements aren’t added.
• Performance and compatibility declines.

Not updating frequently is asking for trouble. It leaves an open invitation for hackers to breach your site using published exploits.

Tips for Managing WordPress Updates

• Enable automatic background updates where possible, especially for WordPress core.
• Have a testing environment to checkout updates before deploying to production.
• Prioritize plugin updates based on severity and your usage.
• Review release notes – don’t blindly update without understanding changes.
• Stagger updates – don’t update everything at once, in case of issues.
• Always backup before updating.
• Monitor for issues post-update to catch any new problems.

Staying up-to-date takes effort but is crucial for WordPress security and maintenance. Falling behind increases risk significantly.

Review Error Logs Regularly

Why are Error Logs Important?

WordPress and web server error logs record various events happening on your site. These include:

• Failed login attempts
• File change notifications
• PHP errors and warnings
• Database issues
• Malformed requests
• Triggered firewall rules

Reviewing logs helps identify security issues and suspicious activity. For example, a flood of 404 errors could signal someone probing URLs to find vulnerabilities. Frequent login failures may indicate a brute force attack. PHP exceptions might reveal a hack attempt via code injection.

Best Practices for Error Log Review

• Check frequently – Daily or weekly reviews are good. Set calendar reminders if needed.
• Scan for anomalies – Sudden spikes in errors, new repeating messages etc.
• Correlate across logs – Compare Apache, database, plugin logs to connect related events.
• Keep an audit trail – Don’t delete logs, archive them for future reference.
• Understand entry meanings – Research error codes and messages to interpret properly.
• Fix underlying issues – Debug and resolve the source problem, not just the symptom.
• Use log monitoring tools – For alerts on critical errors and aggregated statistics.

Error logs provide a wealth of diagnostic data that can alert you to security issues – if you remember to regularly review them.

Limit File Permissions and Owners

Why File Permissions Matter for Security

The permissions assigned to folders, files, and other objects dictate who can access them on the server. Excessive permissions provide openings for malicious actors.

For WordPress, best practices are:

• WP core files – Read only for all users. Usually 644 for files, 755 for folders.
• wp-config.php – 400 permission, owned by root user.
• Uploads folder – 755 permission so content can be managed by admin but not accessed directly.
• Plugins/themes – 555 so they inherit permissions from parent.
• Database – Owned by separate database user, not admin or root. Restrict external access.

Tight file permissions that follow the principle of least privilege for each object is important for locking down WordPress.

How to Check and Reset File Permissions

If permissions have drifted from their tight default settings, you can check and reset them using:

• cPanel – File Manager interface lets you view and bulk edit permissions.
• FTP client – Right click on files or folders to view and modify permissions.
• SSH – Use chmod and chown commands to recursively set permissions across directories.
• WordPress plugins like WP Security Audit Log can audit and fix permissions.

Periodically checking that your WP file and folder permissions match security best practices is recommended. Never leave default 777 full read/write/execute access!

Use Trusted WordPress Security Plugins

Benefits of Security Plugins

The WordPress Security category has over 400+ plugins aimed at protecting sites from various threats:

• Penetration prevention – Brute force protection, firewall, masking wp-login, etc.
• Vulnerability checks – Scans files, plugins, and themes for issues. Checks permissions, security