Website hacks are becoming more common, and you can’t assume your site is immune. Fortunately, there are things you can do to have a more secure WordPress site.
Those proactive measures will make it harder for hackers to do damage to your site and disrupt its operations.
Here are 10 steps to take:
1. Research Before Installing Plugins
A study from Imperva looked at the state of web application vulnerabilities in 2018. It showed there was a 30% increase in WordPress vulnerabilities in 2018 compared to 2017, and that the total number was 542. Moreover, it revealed that 98% of those security issues were related to plugins.
WordPress does not have minimum security standards for its plugins and allows any developer to create and publish them.
With that in mind, one of the easiest and most essential things you can do before installing a WordPress plugin is to read reviews about it. Only install the ones from developers that got favorable feedback and that have a long-standing history on WordPress.
If a developer or company has only one WordPress plugin available and released it last month, those things could be red flags because they make it difficult to verify a developer’s trustworthiness.
User reviews can help give context to the star ratings a plugin receives. The number of active installations can also give you valuable guidance. If a plugin has a high number of active installations, that’s an indicator that people in the WordPress community think it’s reliable.
It’s also a good idea to check tech news sources to determine if there are any warnings against installing a plugin that seems like a solid choice. Many cybersecurity blogs publish findings of risky WordPress plugins.
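The vetting heuristics above (active installs, number of reviews behind a star score, how long the plugin has existed, when it was last updated) can be turned into a repeatable check. The following Python script is an added example written for this article, not code from WordPress or from any plugin; the record layout mirrors the field names of the wordpress.org plugin information API, which is an assumption, and the two sample records are constructed for illustration. The thresholds are illustrative choices, not WordPress policy.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like the wordpress.org plugin information
# API response (the field names are an assumption about that API; the values
# are invented for illustration and do not describe real plugins).
SAMPLE_PLUGINS = [
    {
        "slug": "example-established-forms",
        "active_installs": 500000,
        "rating": 92,            # average rating as a percentage
        "num_ratings": 1400,
        "added": "2012-03-01",   # first publication in the directory
        "last_updated": "2019-05-20 10:00am GMT",
        "tested": "5.2",         # highest WordPress release the author tested against
    },
    {
        "slug": "example-new-seo-booster",
        "active_installs": 40,
        "rating": 100,
        "num_ratings": 2,
        "added": "2019-05-01",
        "last_updated": "2019-05-03 8:15am GMT",
        "tested": "4.9",
    },
]

# Date of the review run, fixed so the sample output is reproducible.
AUDIT_DATE = datetime(2019, 6, 1)


def _parse_date(value):
    # last_updated carries a time suffix in the API; only the date part matters here.
    return datetime.strptime(value[:10], "%Y-%m-%d")


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def vet_plugin(info, today, current_wp="5.2", min_installs=1000, min_ratings=20,
               min_age_days=365, max_stale_days=365):
    """Return the red flags for one plugin record, following the article's heuristics.

    All thresholds are illustrative assumptions, not WordPress policy.
    """
    flags = []
    if info["active_installs"] < min_installs:
        flags.append("few active installs")
    # A perfect star score backed by two reviews says little; only judge the
    # score once enough people have rated the plugin.
    if info["num_ratings"] < min_ratings:
        flags.append("too few ratings for the star score to mean much")
    elif info["rating"] < 70:
        flags.append("poor average rating")
    if today - _parse_date(info["added"]) < timedelta(days=min_age_days):
        flags.append("recently published, short track record")
    if today - _parse_date(info["last_updated"]) > timedelta(days=max_stale_days):
        flags.append("not updated for over a year")
    if _version_tuple(info["tested"])[:2] < _version_tuple(current_wp)[:2]:
        flags.append("not tested against the current WordPress release")
    return flags


def vet_all(plugins, today):
    """Map each plugin slug to its red flags; an empty list means nothing stood out."""
    return {p["slug"]: vet_plugin(p, today) for p in plugins}


if __name__ == "__main__":
    for slug, flags in vet_all(SAMPLE_PLUGINS, AUDIT_DATE).items():
        print(slug, "->", flags or "no red flags")
```

Run against the constructed records, the long-established plugin produces no flags while the month-old one is flagged for its install count, its thin review base, its short history and an untested WordPress release. A flag is a prompt to read the reviews and search the security press, as the article recommends, not an automatic verdict.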
2. Work With a WordPress Hosting Company Known for Security
A quick Google search gives you dozens of choices for WordPress hosting reviews.
If security is a top-of-mind concern, prioritize doing business with the companies that mention security as one of their advantages. The best options target security at both the server and application level.
For example, you may find some hosting providers that have server firewalls to safeguard against exploits. Others automatically update your plugins to the latest versions to prevent you from unknowingly using one that has a security flaw.
Working with a hosting company that prizes security protects your site data, plus any information from site visitors that you collect such as email addresses for your mailing list.
That means you can think of your hosting company as an entity that helps your site be a long-term investment. If you get hacked once or more, people will likely lose trust and may stop visiting your site.
There is also really no excuse for not installing an SSL certificate on your site these days, since many WordPress hosting providers include free SSL certificates.
Before you pick a hosting company, don’t be afraid to specifically ask what its representatives will do to help you have a secure WordPress website. Some companies also have specific sections of their websites that break down the security measures they take.
3. Change the Prefix of the WordPress Database Table
An SQL injection attack is one of the most common ways that a hacker can gain access to your WordPress database. A cybercriminal does so by inserting malicious code into SQL statements, typically those built from form input.
When you install WordPress, the database has 12 tables that all have the “wp” prefix. Hackers know about that common element and use it to help them carry out SQL injection attacks and other attacks that could take down your site. The database stores all the elements of your website, including its themes. If you don’t change the database prefix, it becomes substantially more straightforward for even novice hackers to exploit your site.
Fortunately, you can alter the prefix used by the WordPress database tables and make it harder for hackers to break in. It’s easiest to change the WordPress database table prefix before installing WordPress, but you can do it after the fact, too. The new prefix can contain letters, numbers and underscores. Treat it like a password and come up with something hard to guess and not known by anyone but you.
4. Enable Two-Factor Authentication (2FA) for Your WordPress Account
Hackers also commonly target WordPress sites with brute force attacks. They involve using trial and error and dedicated tools to figure out your password in a matter of seconds, often flooding it with traffic in the process. However, you can limit the progress made with a brute force attack by setting up two-factor authentication on your WordPress account.
2FA works by asking for something you know (a password) and something you have (a code sent to your phone). Then, even if hackers figure out your password, they won’t have the second necessary element. Well-known sites like Amazon and Microsoft have 2FA available for users, and it’s advantageous that WordPress does too.
Even though 2FA requires going through an extra step, you could find it’s worth taking the additional time because it’s a relatively quick thing you can do to keep your WordPress site locked down against unauthorized access attempts.
WordPress also allows you to generate a set of 10 single-use access codes to use in place of the typical 2FA codes. You could use one if your phone gets lost or stolen, for example. It’s best to print out the codes and keep them in a safe place, such as a locked box. Gaining access with one of the backup codes is as easy as entering it in the field that asks you for the 2FA code.
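To make the “something you have” factor and the single-use backup codes concrete, here is an added Python example of the server side of such a check. It is not WordPress code and not taken from the article; it implements the standard time-based one-time password algorithm (RFC 6238, HMAC-SHA1, 30-second steps) that phone authenticator apps use, plus a small backup-code store. The hypothetical function and class names (`totp`, `verify_totp`, `BackupCodes`, `second_factor_ok`) and the use of SHA-256 for storing the backup codes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238 time-based one-time password over a raw-bytes shared secret."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step                      # number of 30-second steps since epoch
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, submitted, at_time=None, window=1, step=30):
    """Accept the current code or one `window` steps either side, to tolerate clock skew."""
    if at_time is None:
        at_time = time.time()
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step=step)
        if hmac.compare_digest(expected, submitted):     # constant-time comparison
            return True
    return False


def secret_for_authenticator_app(secret):
    """Base32 form of the secret, which is what an authenticator app expects to be given once."""
    return base64.b32encode(secret).decode().rstrip("=")


class BackupCodes:
    """Ten single-use codes; only their hashes are kept, like a password store."""

    def __init__(self, count=10):
        # Shown to the user exactly once; the article suggests printing them and
        # keeping the printout somewhere safe.
        self.plain = [secrets.token_hex(4) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}

    def redeem(self, code):
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.remove(digest)                 # single use: a replayed code fails
            return True
        return False

    def remaining(self):
        return len(self._hashes)


def second_factor_ok(secret, submitted, backup, at_time=None):
    """Second login step: a current authenticator code or one unused backup code."""
    return verify_totp(secret, submitted, at_time) or backup.redeem(submitted)


if __name__ == "__main__":
    demo_secret = secrets.token_bytes(20)               # constructed for the demo run
    print("enrol this in the app:", secret_for_authenticator_app(demo_secret))
    print("current code:", totp(demo_secret))
    codes = BackupCodes()
    print("backup codes:", codes.plain)
```

The one-time code changes every 30 seconds, so a password alone is not enough; a stolen backup code is worth exactly one login because `redeem` deletes its hash on first use. A production implementation would also rate-limit guesses and record which step counter was last accepted so the same code cannot be replayed inside its window.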
5. Be Careful of Unsolicited Emails From SEO Specialists or Website Support Experts
Once your website goes live, it’s almost inevitable that you’ll start receiving emails from people who claim to have the know-how needed to help your website rank better in search engines or achieve other goals you have. They’ll often attempt to appeal to you by mentioning things like reasonable prices or decades of experience.
Not all of these people who send you unsolicited messages are scammers trying to get your information, of course. But, some of the communications you receive may have some telltale warning signs characteristic of scams in general.
For example, much like the sense of urgency lottery scammers use to get people’s bank information, illegitimate SEO companies often send messages alleging your website is broken, vulnerable to attacks or other urgent-sounding problems.
Before you get carried away trying to fix said problems, find out as much as you can about the individual or company contacting you from outside sources.
6. Use a WordPress Audit Trail Plugin
Many people who have successful WordPress sites realize it’s too time- and labor-intensive to manage adding content or editing it without help. So, they hire teams of people to assist them in taking care of those duties and often give full access to each person.
A plugin that creates an audit trail can boost your efforts to have a secure WordPress site because it gives you information about everything that people with access to your site do while working with it.
For example, it can tell you the times a person logs in and the IP address they use to do so. Limiting access to your login page by IP address can be a good first line of defence too.
Some audit plugins also give notifications of failed login attempts. It’s normal to see those occasionally, but if the plugin tells you they’re happening in batches of dozens or hundreds at a time, that could be a sign of an attempted brute force attack.
Your auditing plugin could also give alerts about innocent activity from your users that could compromise cybersecurity. For example, maybe one of your WordPress bloggers who regularly contributes content to the site changes a password to something easier to remember.
Whenever an auditing plugin shows something suspicious, the best approach to take is to get to the bottom of what’s going on without making hasty accusations. You may also discover some shortcomings about the practices used by your team that require a group discussion explaining why something they do is a cybersecurity risk.
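Two of the signals described above, failed logins arriving in batches and innocent-looking account changes, lend themselves to simple detection logic over the audit trail. The Python below is an added example for this article, not the output or code of any particular audit plugin; the log line format (`<timestamp> <event> user=<name> ip=<address>`) is an assumption, and the log lines are constructed, including a burst of 25 failed logins from one address.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-trail lines; the format is an assumption, not a real plugin's export.
SAMPLE_LINES = [
    "2019-06-01T09:00:01 login_ok user=editor ip=203.0.113.7",
    "2019-06-01T09:01:10 login_failed user=editor ip=203.0.113.7",   # one typo, not an attack
    "2019-06-01T10:00:00 password_changed user=blogger ip=203.0.113.7",
    "2019-06-01T11:30:00 plugin_installed user=admin ip=203.0.113.7",
]
# A burst of 25 failures in 50 seconds from a single address, the pattern the article describes.
_burst_start = datetime(2019, 6, 1, 9, 30, 0)
SAMPLE_LINES += [
    f"{(_burst_start + timedelta(seconds=2 * i)).isoformat()} login_failed user=admin ip=198.51.100.9"
    for i in range(25)
]

# Events that are usually legitimate but deserve a follow-up conversation.
WATCHED_EVENTS = {"password_changed", "role_changed", "plugin_installed"}


def parse_line(line):
    """Split one audit line into (timestamp, event, {field: value})."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), event, fields


def detect_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: time first flagged} for sources with >= threshold failed logins
    inside a sliding time window. Lines are processed in timestamp order."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    flagged = {}
    for line in sorted(lines):      # ISO-8601 timestamps sort correctly as text
        ts, event, fields = parse_line(line)
        if event != "login_failed":
            continue
        queue = recent[fields["ip"]]
        queue.append(ts)
        while queue and ts - queue[0] > window:   # drop failures older than the window
            queue.popleft()
        if len(queue) >= threshold and fields["ip"] not in flagged:
            flagged[fields["ip"]] = ts
    return flagged


def detect_risky_user_actions(lines):
    """Return (timestamp, event, user) for watched events, oldest first."""
    return [
        (ts, event, fields.get("user"))
        for ts, event, fields in map(parse_line, sorted(lines))
        if event in WATCHED_EVENTS
    ]


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LINES).items():
        print(f"possible brute force from {ip}, threshold reached at {when}")
    for ts, event, user in detect_risky_user_actions(SAMPLE_LINES):
        print(f"{ts} {event} by {user}: worth a quiet follow-up")
```

The single failed login from the editor's usual address never reaches the threshold, while the burst is flagged at the twentieth failure; the password change and plugin installation are reported separately so they can be discussed with the team rather than treated as intrusions.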
7. Never Install a Nulled WordPress Theme
If you’re on a modest budget, it’s probably tempting to build a WordPress site that looks fantastic without requiring too many financial resources. Some WordPress users go to sites that feature nulled WordPress themes. They are hacked or cracked versions of premium themes you can get for free. At first, stumbling across a site with nulled themes may make you think you’ve hit a gold mine.
But, nulled themes frequently have malicious code that could damage your site or keep track of your administrator credentials when you type the information to log in. Remember the earlier tip about how a security-focused hosting provider could be a wise long-term investment for your WordPress site because it helps you stay protected from attacks.
The advice to steer clear of nulled themes is similar. They’re usually available for free, which might leave you wondering, “What’s the catch?” There’s no guarantee that a nulled theme will compromise your site, but there’s a reason why someone’s illegally offering a premium theme for no money, and it may not merely be because they’re good-hearted. Premium, legally obtained themes support your investment.
8. Disable File Editing
WordPress provides built-in editors for the code of your theme and your plugins. You get to the theme editor by going to Appearance > Editor and to the plugin editor through Plugins > Editor.
Turning off both of those editing functions after publishing your site makes it more difficult for hackers who get into your Dashboard to modify your site’s code and wreak havoc. First, open the wp-config.php file. It’s in the root of your WordPress installation directory and contains the base configuration information for your site. Then, add the following line to it (note the straight single quotes; curly quotes will break the file):
// Disable the theme and plugin code editors in the Dashboard
define('DISALLOW_FILE_EDIT', true);
9. Check for WordPress Updates Frequently
WordPress has a default setting that allows it to automatically download and install minor updates. You’ll need to take the initiative to install the major updates yourself, though, and it’s something you should do to maintain tight WordPress security.
See if you have the latest WordPress version — and download a newer one if necessary — from your Dashboard. It has a WordPress Updates section that tells you the date of the most recent check for an update and has a Check Again button. Using that button will show you the version number and whether it’s the newest option. You’ll also see an option to download an update if there’s one available.
10. Delete Your WordPress Version Number From the Header and RSS
When hackers know what WordPress version you have, they can match it against the publicly known flaws for that release and more readily plan destructive attacks against you and other users. The version number is ordinarily visible in your site’s HTML source and RSS feed as well as in the bottom corner of the Dashboard.
But, you can open your active theme’s functions.php file and add the following function to it:
// Replace the generator string (which carries the WordPress version) with an empty one
function remove_wordpress_version() {
    return '';
}
add_filter('the_generator', 'remove_wordpress_version');
Doing that removes the version number from the header and RSS. Scroll to the end of the functions.php file, paste in the code and save your change.
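Steps 3, 8 and 10 all leave something you can verify afterwards: the table prefix and the DISALLOW_FILE_EDIT constant in wp-config.php, and the absence of a version string in the HTML source and RSS feed. The Python script below is an added example written for this article, not code from WordPress; it checks those three things against constructed copies of a wp-config.php, a home page and a feed. It assumes the default WordPress `$table_prefix = 'wp_';` line, the `<meta name="generator" content="WordPress x.y">` tag in page source and the `<generator>https://wordpress.org/?v=x.y</generator>` element in the RSS feed, and the sample version numbers are invented.

```python
import re

# Constructed inputs, not taken from a real site.
WP_CONFIG_WEAK = """<?php
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""
WP_CONFIG_HARDENED = """<?php
$table_prefix = 'k7q_site_';
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
"""
HTML_LEAKY = '<html><head><meta name="generator" content="WordPress 5.2" /></head><body></body></html>'
HTML_CLEAN = '<html><head><title>Site</title></head><body></body></html>'
RSS_LEAKY = '<rss><channel><generator>https://wordpress.org/?v=5.2</generator></channel></rss>'
RSS_CLEAN = '<rss><channel><title>Site</title></channel></rss>'

# Patterns for the two settings the article tells you to change in wp-config.php.
_PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([A-Za-z0-9_]*)['\"]\s*;")
_NO_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)")
# Where WordPress prints its version unless the_generator is filtered out.
_META_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
_RSS_RE = re.compile(r"<generator>[^<]*\?v=([\d.]+)</generator>", re.I)


def audit_wp_config(text):
    """Return findings for a wp-config.php; an empty list means both settings are in place."""
    findings = []
    match = _PREFIX_RE.search(text)
    if not match:
        findings.append("table prefix line not found")
    elif match.group(1) == "wp_":
        findings.append("default table prefix wp_ in use")
    if not _NO_EDIT_RE.search(text):
        findings.append("DISALLOW_FILE_EDIT not set to true (theme and plugin editors enabled)")
    return findings


def find_version_leaks(html, rss):
    """Return (location, version) pairs wherever the WordPress version is still published."""
    leaks = []
    match = _META_RE.search(html)
    if match:
        leaks.append(("html-generator-meta", match.group(1)))
    match = _RSS_RE.search(rss)
    if match:
        leaks.append(("rss-generator", match.group(1)))
    return leaks


def audit_site(config_text, html, rss):
    """Combine both checks into one report, keyed by the article's step."""
    return {
        "config": audit_wp_config(config_text),
        "version_leaks": find_version_leaks(html, rss),
    }


if __name__ == "__main__":
    print("before:", audit_site(WP_CONFIG_WEAK, HTML_LEAKY, RSS_LEAKY))
    print("after: ", audit_site(WP_CONFIG_HARDENED, HTML_CLEAN, RSS_CLEAN))
```

On a live site you would read wp-config.php from disk and fetch the home page and feed over HTTPS; the checks themselves do not change. A leak reported after adding the filter usually means a caching layer is still serving the old page.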
Start Making Your WordPress Site Safer From Hackers
These 10 tips show that you don’t have to be a cybersecurity guru to have a secure WordPress website. While working your way through this list, you’ll make actionable moves to keep cybercriminals at bay.
One thought on “10 Ways to Ensure the Security of Your WordPress Website”
Good stuff! 🙂