1. Secure your login procedures.
This is step one because it really is a huge part of keeping your site safe. The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. To do this:
- Use strong passwords: Use strong passwords: We used to think there would be flying cars in the future, but as of this year, people are still using “123456” as a password. It’s essential that all users with access to the backend of your WordPress site use strong passwords to log in. Even one weak password could spell trouble for all other users. You might want to use one of our recommended password managers to generate strong passwords and keep track of them for you.
- Enable two-factor authentication: Two-factor authentication (2FA) requires users to verify their sign-on with a second device. This is one of the simplest yet most effective tools to secure your login — and it works. Here’s how to add two-factor authentication in WordPress.
- Avoid making any account username “admin”: Admin is likely the first username attackers will plug in during a brute force login attempt. If you’ve already created a user with this name, create a new administrator account with a different username.
- Limit login attempts: By putting a cap on the number of times a user can enter the wrong credentials, you’re protecting your site. If people attempt to log in too many times, the CMS will lock them out, which stops a brute-force login from occurring. Some hosting services and firewalls might take care of this for you, but you can also install a plugin like Limit Login Attempts for the job.
- Add a captcha: If this sounds familiar, it’s because you’ve likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. You can use plugins to add a captcha to your site. reCaptcha by BestWebSoft is one we recommend — see our guide to enabling Google reCaptcha in WordPress.
- Enable auto-logout: Last but certainly not least, stay vigilant about logging out, especially if you’re using a public computer. Auto-logout prevents strangers from snooping on your account if you forget. To enable auto-logout on your WordPress account, try the Inactive Logout plugin.
2. Use secure WordPress hosting.
Next, let’s talk about the role your hosting provider plays in WordPress security. When choosing the service that hosts your website, there are many factors to take into account, but security should be first and foremost. Do your research to learn more about what steps the business takes to protect your information and promptly recover if an attack occurs. See our list of recommended WordPress hosting providers.
3. Update your version of WordPress.
Outdated versions of WordPress software pose a huge target. To avoid this issue, ensure that you regularly check for and install WordPress updates as soon as possible to eliminate vulnerabilities.
To update WordPress to the latest version, first back up your site and check that your plugins are compatible with the latest version of WordPress. You may also have to update your plugins accordingly. You can reference our guide for how to update your WordPress plugins.
After updating your plugins, follow the update instructions on the WordPress website.
4. Update to the latest version of PHP.
Upgrading to the latest version of PHP is one of the most crucial steps you can take for WordPress security. Once an upgrade is ready, WordPress notifies you on your dashboard, so keep an eye out. Then, you will be prompted to head to your hosting account to upgrade to the latest PHP version. If you don’t have access to your hosting account, get in touch with your web developer to upgrade.
5. Install one or more security plugins.
Luckily, you don’t have to do it all yourself when it comes to site security: You can also rely on a security plugin. We highly recommend installing one or more reputable security plugins on your website. (Emphasis on reputable!)
These plugins do much of the security-related manual work for you, such as scanning your website for infiltration attempts, altering source files that might leave your site susceptible, resetting and restoring the WordPress site, and preventing content theft like hotlinking. Some reputable plugins cover almost everything on this list. Of course, this step won’t be needed if you’re using HubSpot’s Content Management System, which provides malware scanning and threat detection within the platform.
Whichever plugin(s) you decide to install, security-related or not, make sure they’re well-established and legitimate. See our list of recommended WordPress security plugins, and use your discretion before downloading anything not on this list.
6. Use a secure WordPress theme.
Just like you shouldn’t install a sketchy plugin on your site, resist the urge to use just any WordPress theme that looks good. Why? Because it might be unsafe, ultimately leaving your site susceptible to major issues. To prevent vulnerabilities caused by a WordPress theme, choose one that is compliant with WordPress standards.
To check whether your current theme meets WordPress’ requirements, copy your website URL (or the URL of any WordPress site or any theme’s live demo) into W3C’s validator. If you find your theme isn’t compliant, search for a new theme in the official WordPress theme directory. All themes in this directory are safely compatible with WordPress software. Alternatively, see HubSpot’s list of recommended WordPress themes, or search for another in a credible theme marketplace.
7. Enable SSL/HTTPS.
SSL (Secure Sockets Layer) is the technology that encrypts connections between your website and visitors’ web browsers, ensuring that the traffic between your site and your visitors’ computers is safe from unwelcome interceptions.
Your WordPress site needs SSL enabled. If you’re a CMS Hub user, SSL is free and built into the platform, so you’re good to go. If you are using WordPress, then depending on your use case, you may opt to do this manually or use a dedicated SSL plugin. Not only will it boost SEO, but it also plays directly into your visitors’ first impression of your website. Google Chrome will even warn users if the site they’re visiting doesn’t follow the SSL protocol, which directly reduces website traffic.
To see whether your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If the homepage URL begins with “https://” (the “s” stands for “secure”), your connection is secured with SSL. If the URL begins with “http://”, you’ll need to obtain an SSL certificate for your website.
8. Install a firewall.
A firewall sits between the network that hosts your WordPress site and all other networks and automatically prevents unauthorized traffic from entering your network or system from the outside. They work to keep out the malicious activity by eliminating a direct connection between your network and other networks.
We recommend installing a Web Application Firewall (WAF) plugin to protect your WordPress site. With the CMS Hub, your site will come with WAF within the platform. As with everything else on this list, carefully deliberate which type of firewall and which plugin works best for your needs before making your choice.
9. Back up your website.
Being hacked is upsetting. It feels like a violation of your digital space, and if you lose all of your data as a result, it’s even more distressing. However, you can avoid that happening by making sure your website is backed up by WordPress and your hosting provider. In the event of an attack (or any other incident) that causes data loss, you’ll be able to regain access to it. We recommend backups be automatic as well. See our list of the best WordPress backup plugins available.
10. Conduct regular WordPress security scans.
Last but certainly not least, we recommend you run routine check-ups on your site. Aim for at least once a month. And no, you don’t have to do it yourself — there are some security plugins that can do it for you. Here are the seven WordPress scanner plugins we recommend.
Once you’ve taken these basic steps, you can then move to more advanced measures to secure your WordPress website.
Advanced WordPress Security Best Practices
1. Filter out special characters from user input.
If any part of your website accepts a response from visitors, whether that is a payment form, a contact form, or even a comment section on a blog post, there’s an opportunity for an XSS or database injection attack. Attackers could enter malicious code into any of these text fields and disrupt your website’s backend.
This is unfortunate because it’s important you have these tools on your site to gain information from legitimate users.
To avoid this problem, make sure you filter out special characters from user input before it is processed by your site and stored in a database. You can also use a plugin to detect malicious code. Alternatively, you can use a WordPress form plugin to automatically filter out these characters.
2. Limit WordPress user permissions.
Many WordPress sites have multiple user accounts. However, we recommend changing the roles of each user to limit their access to only what they need. WordPress has six roles to choose from for each user.
By limiting the number of users with administrator permissions, you reduce the chance of an attacker brute-forcing their way into an admin account and limit the damage that can be done if an attacker does correctly guess a user’s credentials. See our guide on how to change WordPress user permissions.
3. Use WordPress monitoring.
It’s imperative you have a monitoring system in place for your website. This will alert you of any suspicious activity that occurs on your site. Ideally, your other measures would have prevented such activity, but it’s better to find out sooner rather than later. You can use a WordPress monitoring plugin to get an alert in case there’s a breach.
4. Log user activity.
Here’s another way to get out ahead of issues before they occur: Create a log of all activity that users take on your website, and check this log periodically for suspicious activity. This way, you’ll see if another user is acting suspiciously (e.g., trying to change passwords, altering theme or plugin files, or installing or deactivating plugins without permission). Logs are also useful for cleanup after a hack, showing you what went wrong and when.
This isn’t to say that all password changes or file modifications are always signs of a hacker among your team. However, if you’re employing many external contributors and giving them access permissions, it’s always a good idea to keep an eye on things.
Many WordPress plugins create activity logs, and there are several dedicated logging plugins for WordPress, like WP Activity Log or the free Activity Log plugin.
5. Change the default WordPress login URL.
As we’ve mentioned, the default URL for the WordPress login page for any WordPress site is too easy to find. Luckily, there’s a way to alter it to boost your security. Plugins like WPS Hide Login change this login page URL for you.
6. Disable file editing in the WordPress dashboard.
By default, WordPress lets administrators edit the code of their files directly with the code editor. This gives attackers an easy way to alter your files if they gain access to your account. If a plugin hasn’t already disabled this feature, you can do some light coding to disable it yourself. Add the code below to the end of the file wp-config.php:
// Disallow file edits
define( ‘DISALLOW_FILE_EDIT’, true );
7. Change your database file prefix.
The names of the files that make up your WordPress database begin with “wp_” by default. You guessed it: Hackers can leverage this setting and locate your database files by name and conduct SQL injections.
Here’s some good news: There’s a simple fix. Just change the prefix to something different, like “wpdb_” or “wptable_”. You can even set this up when installing the WordPress CMS. If your site is already live with this setting, you can rename these files. In this case, we suggest using a plugin to handle this process, since your database stores all your content, and a misconfiguration will break your website. Look for the ability to change table prefixes among the features of your preferred security plugin.
8. Disable your xmlrpc.php file.
XML-RPC is a communication protocol that enables the WordPress CMS to interact with external web and mobile applications. Since the incorporation of the WordPress REST API, the XML-RPC is used much less frequently than it once was. However, it is still utilized by some to launch powerful attacks on WordPress sites.
This is because XML-RPC technology lets attackers submit requests containing hundreds of commands, making it easier to commit brute force login attacks. XML-RPC is also less secure than REST because its requests contain authentication credentials that can be exploited.
If you’re not using XML-RPC, you can disable the xmlrpc.php file. First, check whether your site is making use of the file. Plug your URL into this XML-RPC validator to check whether your site is currently making use of the protocol. If not, the easiest way to disable this file is with a plugin like Disable XML-RPC-API. Your WordPress security plugin may also be able to do this for you.
9. Consider deleting the default WordPress admin account.
We’ve discussed changing the “admin” username for the default WordPress admin account, but if you want to take things a step further, you may consider deleting this default account altogether.
From there, you can create a new account with the same administrator permissions. This is a good step to take if you think that your original admin username and password have been discovered and you want to avoid it happening again in the future.
10. Consider hiding your WordPress version.
Hiding your WordPress version will ensure hackers don’t know that your site is vulnerable. As covered previously, you must always update to the latest version of WordPress. But if you haven’t yet gotten the opportunity to do so, it’s critical to hide the potential vulnerability. Here’s a tutorial on how to hide your WordPress version.