I’ve been in WordPress for well over a decade and spent a big chunk of time in security repairing hacked sites. I was pretty darn good at it for one reason: I knew WordPress and what it should look like as if it was my digital home on the web. If there was silly string hanging from the chandelier and a big purple sofa in the living room that didn’t come as a part of core, it was pretty easy to see.
Still, there are many people coming into WordPress all the time, and sometimes people think the security part of it is hard. Securing WordPress is actually pretty easy. It’s all about making good decisions about your site. And to make good decisions, you have to be informed.
The most secure site in the world
The most secure site in the world doesn’t exist. Well, if it DOES, it’s on a server disconnected from the internet, encased in cement and buried 6 feet underground. Security is a continuum, balanced against usability. The most secure site in the world is unusable. The most usable site in the world is usable to everyone, attackers included.
So it’s your job as a site owner to decide where your site will live on that continuum. Are you going for intensely secure? Just secure enough? Or somewhere in between?
WordPress security is one of the places where you don’t really have to aim for perfect. You can be protected with some general guidelines.
Backup your WordPress site
Every 8 hours, back up your site somewhere off of the server. Back up your log files off server, too. You can back up less frequently if your content is fairly static. For this site, I don’t have any commerce or any interactivity; it’s just my blog. So I only back up every 24 hours, which is plenty. If I had commerce or a forum running here, I’d back up more frequently.
Your hosting provider should be providing backups, but some don’t. Find out; don’t assume. And it’s always good to have your own backups for a variety of reasons beyond security, anyway. There are plugins and processes you can enable for backups.
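An added example of the backup routine described above, written for this post rather than taken from it: it dumps the database using the credentials already in wp-config.php, archives the site files plus the dump into one timestamped tarball, verifies the archive can be read back, records its SHA-256, prunes old archives, and copies the result off the server. It assumes tar, mysqldump and sha256sum are installed; OFFSITE_TARGET is a hypothetical rsync destination you set yourself, and WP_BACKUP_DB=no skips the database step for file-only runs.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumptions: $1 is the WordPress root,
# DB credentials live in wp-config.php, and OFFSITE_TARGET (hypothetical) is an
# rsync-style destination such as backup@host:/srv/wp-backups/.
set -eu

# Print the value of define('NAME', 'value') from wp-config.php.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database into $2 using the credentials found in $1/wp-config.php.
dump_database() {
    cfg="$1/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    # MYSQL_PWD keeps the password out of the process list.
    MYSQL_PWD=$db_pass mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" > "$2"
}

# Create dest/wp-backup-<UTC stamp>.tar.gz from site root $1; print the archive path.
backup_site() {
    site_dir=$1; dest_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$dest_dir"
    archive="$dest_dir/wp-backup-$stamp.tar.gz"

    if [ "${WP_BACKUP_DB:-yes}" = yes ] && command -v mysqldump >/dev/null 2>&1; then
        dump_database "$site_dir" "$work/database.sql"
        tar -czf "$archive" -C "$site_dir" . -C "$work" database.sql
    else
        tar -czf "$archive" -C "$site_dir" .
    fi
    rm -rf "$work"

    # A backup you cannot read back is not a backup: list it before trusting it.
    tar -tzf "$archive" >/dev/null
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$archive" > "$archive.sha256"
    fi
    printf '%s\n' "$archive"
}

# Delete local archives older than $2 days from $1 (off-server copies are kept).
prune_backups() {
    find "$1" -name 'wp-backup-*.tar.gz*' -mtime +"$2" -delete
}

# Copy the archive and its checksum off the server when OFFSITE_TARGET is set.
offsite_copy() {
    if [ -n "${OFFSITE_TARGET:-}" ]; then
        rsync -a "$1" "$1.sha256" "$OFFSITE_TARGET"
    fi
}
```

Run it from cron every 8 hours (or every 24 for a static blog, as the post suggests) as `archive=$(backup_site /var/www/example /var/backups/wp) && offsite_copy "$archive" && prune_backups /var/backups/wp 14`; the archive goes off the box before the local copy is ever relied upon. Log files can be added to the same routine by passing their directory through a second `backup_site` call.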
Only one site per cPanel/server-based user
If there’s any mistake I’ve seen the most, it’s this. And to this day, I still interact with WordPress people who want to challenge me on this principle of isolating your WordPress sites from one another. I’ve cleaned more sites than I can count where two or more sites shared one cPanel account, the owner forgot about site #7, and that one ended up infecting the whole lot.
Or I’ll run into an agency that puts all 30 of their clients in one cPanel and then gives every customer administrator access. Only takes one re-used password and the whole cPanel and every single site is infected. The minor cost savings of all of those sites in one location ends up costing them a lot more to get the entire set of sites cleaned up and secured.
Strong Unique Passwords
Most of the attacks I see these days on my sites are brute force attempts or attempts to exploit very old vulnerabilities in plugins that have been patched for a long time. A strong password that is unique will definitely help make those brute force logins fail.
Two Factor Authentication
The probability of your unique strong password falling into the hands of an attacker is pretty low, but it is not zero. Two-factor authentication can help you here. You’ll need a plugin for that. I personally hate 2FA, it’s a pain, but there are ways to set it up so that it’s not such a pain.
Block generic attacks
Cloudflare & brute force login protection are really all you need. Hiding the login isn’t going to help you.
Many of those brute force attacks are coming through XML-RPC (xmlrpc.php), a protocol that is generally only used by Jetpack. If you’re not using Jetpack, you can easily disable this. Most security plugins have a method of doing so. Of course, test your site to ensure that you haven’t lost any unforeseen functionality.
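If you would rather not add a security plugin just for this, the same result can be had with a two-line must-use plugin. The shell snippet below is an added example, not the post's own code or a plugin vendor's: it installs a mu-plugin that uses WordPress's `xmlrpc_enabled` filter to refuse every XML-RPC method that requires a login (the ones brute-force attempts use), drops the X-Pingback header and the RSD link that advertise the endpoint, and gives you a quick outside check to run afterwards. The WordPress root path and site URL are arguments you supply.

```shell
#!/bin/sh
# Added example, not from the post. $1 is the WordPress root directory.
# Caveat from the post: Jetpack needs these XML-RPC methods, so skip this on a
# site that runs Jetpack.
set -eu

install_xmlrpc_blocker() {
    mu_dir="$1/wp-content/mu-plugins"
    mkdir -p "$mu_dir"
    # mu-plugins load on every request and cannot be deactivated from wp-admin,
    # which is exactly what you want for a hardening setting.
    cat > "$mu_dir/disable-xmlrpc.php" <<'EOF'
<?php
/* Plugin Name: Disable authenticated XML-RPC (added example) */

// Refuse every XML-RPC method that needs credentials. Callers get the
// "XML-RPC services are disabled on this site" fault instead of a login check.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint: no RSD <link> in the page head ...
remove_action( 'wp_head', 'rsd_link' );

// ... and no X-Pingback header on singular pages.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
EOF
    printf '%s\n' "$mu_dir/disable-xmlrpc.php"
}

# Outside check after deploying: the home page should no longer send X-Pingback.
# Prints "ok" when the header is gone, "still advertised" otherwise.
check_pingback_header() {
    if curl -sI "$1/" | grep -qi '^x-pingback:'; then
        echo "still advertised"
    else
        echo "ok"
    fi
}
```

Deploy with `install_xmlrpc_blocker /var/www/example` and then `check_pingback_header https://example.com` from a machine outside the server; the pingback header disappearing confirms the mu-plugin is loading. Blocking `xmlrpc.php` outright at the web server or at Cloudflare is a stronger alternative when nothing legitimate needs the endpoint, and the post's advice still applies: click through the site afterwards to be sure nothing you rely on was using it.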
Keep it clean
Remove any unused themes and plugins. There’s just no reason to keep code around that isn’t being used. If you have themes or plugins you’re not using, don’t just deactivate them; delete them from your server.
Every once in a while, look around. Is there a user you don’t recognize? Maybe a post you never saw before? Get to know what WordPress looks like and then review the site to ensure it looks like WordPress and doesn’t have anything extraneous around.
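“Know what WordPress looks like” can be turned into something a script does for you. The following is an added example (not code from the post): it records a SHA-256 manifest of the site tree once it is in a known-good state, and on each later run reports files that were added, removed or modified since then. Uploads and cache directories are skipped because they change legitimately all the time; everything else in a WordPress install should only change when you update something, so any line in the report that you did not cause is worth a look. It assumes sha256sum is available and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the post. make_manifest records the baseline,
# compare_manifest shows what changed since; both work on any directory.
set -eu

# Write "sha256  ./path" for every file under $1 (minus uploads/cache) to $2.
make_manifest() {
    (cd "$1" && find . -type f \
            ! -path './wp-content/uploads/*' \
            ! -path './wp-content/cache/*' \
            -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Print one line per difference between baseline $1 and current manifest $2:
# "ADDED <path>", "REMOVED <path>" or "MODIFIED <path>". Prints nothing when clean.
compare_manifest() {
    awk '
        NR == FNR { base[$2] = $1; next }   # first file: baseline hashes
        { cur[$2] = $1 }                    # second file: current hashes
        END {
            for (p in cur) {
                if (!(p in base))          print "ADDED " p
                else if (cur[p] != base[p]) print "MODIFIED " p
            }
            for (p in base) if (!(p in cur)) print "REMOVED " p
        }' "$1" "$2" | LC_ALL=C sort
}

# Convenience wrapper for cron: compare against the stored baseline and
# return non-zero when anything changed, so the job's output gets mailed.
audit_site() {
    site=$1; baseline=$2
    current=$(mktemp)
    make_manifest "$site" "$current"
    changes=$(compare_manifest "$baseline" "$current")
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}
```

Take the baseline right after an update you performed yourself (`make_manifest /var/www/example /root/wp-baseline.txt`, stored outside the web root), run `audit_site /var/www/example /root/wp-baseline.txt` from cron, and refresh the baseline after each intentional change. A new PHP file under wp-content/plugins or a modified wp-config.php showing up without a matching update is the “big purple sofa” from the top of the post. For the other half of the look-around, `wp user list --role=administrator` from WP-CLI gives you the list of admin accounts to eyeball the same way.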
No nulled plugins or themes
Never use a nulled plugin or theme. You’re just infecting your own site. There’s a reason these nulled code bases are free, and it’s because you’re the product. Or, rather, your site is, and it will soon be serving up the malware of your nulled product provider. Only install known code from either WordPress.org or a plugin/theme you’ve purchased from a reputable author.
Research your plugin vendors
Research your plugin vendors. A quick look at WPScan’s or Patchstack’s vulnerability databases and you’ll see a pattern of vendors that have more issues than others. You’re inviting plugin vendors into your digital home. Make sure you’re not inviting a teenager who likes raiding the fridge and leaving the front door unlocked.
WordPress security is easy
If you follow these general principles, you’re going to be okay. WordPress core hasn’t had a major vulnerability in quite some time, and even theme and plugin security is getting stronger all the time thanks to the work of many open source security researchers. If you’re on a good hosting provider with solid performance, you’ll be just fine.