If you’re working with or using WordPress, then you should always think about your site’s security. WordPress isn’t any more or less secure than any other platform, but the number of users, plugins and third party add-ons make it a common target for attackers. Don’t worry though, there are some basic steps you can take to keep your site safe (even if you’re not very tech-savvy)!
Table of contents
- 1. Don't use 'admin' as a username
- 2. Use a complex password
- 3. Add two-factor authentication
- 4. Employ least privileged principles
- 5. Hide
- 6. Use WordPress security keys for authentication
- 7. Disable file editing
- 8. Hide your login and limit login attempts
- 9. Be selective with XML-RPC
- 10. Hosting & WordPress security
- 11. Stay up to date
- 12. Put more security layers in place
- 13. The best security plugins & themes
- 14. Don't forget logs & monitoring
- Closing thoughts on WordPress security
1. Don’t use ‘admin’ as a username
Most WordPress ‘hacks’ and attacks don’t do anything more sophisticated than try and brute-force their way into your admin area by guessing your password. That’s much easier for them to do if they don’t also have to guess your admin username! Avoiding using common words (like admin) for your usernames can make brute-force attacks much less effective.
If you’re working with an older site that already has an ‘admin’ user, it might be time to delete that account and transfer any content or access to a more secure username!
2. Use a complex password
Having a better password can make it much harder to guess or to brute-force. An easy tip to remember is CLU: Complex. Long. Unique.
But longer, unique passwords can be hard to remember, right? That’s where tools like 1Password and LastPass come into play, as they each have password generators. You type in the required length, and it generates a password for you. You save the link, save the password, and move on with your day. Depending on how secure you want the password to be, it’s sensible to set a long password (20 characters is good) and decide on things like the inclusion of less usual characters like
3. Add two-factor authentication
Even if you’re not using ‘admin’ and have a strong, randomly generated password, brute-force attacks can still be a problem. Don’t worry though, two-factor authentication can help protect your site.
The principle is that, rather than just entering your login details, you also need to confirm that you’re you by entering a one-time code from another device you own (usually through an app on your phone). That’s much harder for attackers to fake!
Two popular plugins for handling authentification in WordPress are the Google Authenticator and Rublon Plugin (which takes a slightly different approach). Just make sure that you don’t lose your backup codes, or you might find yourself locked out.
4. Employ least privileged principles
The WordPress.org team has put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to the following step.
The concept of Least Privileged is simple. Only give permissions to:
- those that need it,
- when they need it and
- only for the time they need it.
If someone requires temporary administrator access for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.
Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.
.htaccessfile are critical to your WordPress security. They often contain your system credentials and expose information about your site’s structure and configuration. Ensuring that attackers can’t gain access to them is vital.
Hiding these files is relatively easy to do, but doing it wrong might make your site inaccessible. Make a backup and proceed with caution. Yoast SEO for WordPress makes this process somewhat easier for you. Just go to “Tools > File Editor” to edit your
For better WordPress security, you will need to add this to your
.htaccess file to protect
<Files wp-config.php> order allow,deny deny from all </Files>
That will prevent the file from being accessed. Similar code can be used for your
.htaccess file itself:
<Files .htaccess> order allow,deny deny from all </Files>
6. Use WordPress security keys for authentication
‘Authentication keys’ and ‘salts’ are basically a set of random variables, unique to your website, which improve the security (encryption) of information in cookies.
wp-config.php file has a dedicated area where you can provide your own variables (simply get a new set of keys from here and paste them in).
7. Disable file editing
If a hacker gets in, the easiest way for them to change your files would be to go to “Appearance > Editor” in WordPress. To improve your WordPress security, you could disable the editing of these files via that editor. Again, you can do this from within your
wp-config.php file by adding this line of code:
You will still be able to edit your templates via your favorite (S)FTP application. You just won’t be able to do it via WordPress itself.
8. Hide your login and limit login attempts
Brute-force attacks usually target your login form. So changing where that lives can make it harder for attackers to get in. The All in One WP Security & Firewall plugin has an option to simply change the default URL (from
/wp-admin/) to something more secure.
Next to that, you can also limit the number of attempts to log in from a certain IP address. There are several WordPress plugins to help you protect your login form from IP addresses that fire a multitude of login attempts your way.
9. Be selective with XML-RPC
XML-RPC is an application program interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful of how they implement this specific hardening tip.
While functional, disabling can come at a cost. This is why we don’t recommend disabling for everything, but being more selective on how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.
There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.
10. Hosting & WordPress security
Even if you’re meticulous when it comes to the security of your website, if it’s hosted by a company that isn’t just as meticulous, you may as well not have done anything at all.
If an attacker can gain access to your website hosting, they can take complete control of everything. That means it’s really important that you choose (or move to) a host that takes hosting seriously. Cheaper hosting options often don’t come with good security or backups, or might not offer support to help you clean up a hacked site.
Shared hosting (which is common on cheap packages) is often particularly risky, as attackers might be able to gain access to your site via another compromised site on the same system. That’s why we always recommend serious users to spend a little more on hosting and use a company with a great reputation for specialized WordPress hosting (for example GoDaddy or WP Engine).
11. Stay up to date
Staying up to date is an easy statement to make, but we realize how hard this can be for website owners in the day-to-day. Our websites are complex beings. They have many different things happening at any given time. And sometimes it’s difficult to apply the changes quickly. That’s why it’s not uncommon for websites to end up running out-of-date code. Both in their plugins and core software. Unfortunately, this makes them particularly vulnerable to known exploits.
It’s critical that updating your themes, software, plugins, and other components is part of an ongoing routine. Otherwise, you’re leaving the door open to attackers. If you’re a user of the Yoast SEO plugin, just follow these easy steps to update your Yoast SEO plugin.
12. Put more security layers in place
The best security solutions prevent attackers from ever getting anywhere near your website. That’s why we recommend that most sites run some kind of WordPress firewall plugin. These plugins look for known attackers and common attack patterns and stop them before they have a chance to compromise your site.
It’s also worth considering that many Content Delivery Systems now include firewall functionality; combining performance optimization with protection. Cloudflare, in particular, does a great job of blocking ‘bad traffic’ and even has rules and scans specifically developed to protect WordPress sites.
13. The best security plugins & themes
Most WordPress users tend to apply themes and plugins to their sites at will. We recommend being mindful of testing different themes or plugins, especially if you’re not using a test server. Most plugins and a lot of themes are free, and unless the developer has a solid business model to accompany these free giveaways, the security might not have been the highest priority during development. In other words, if a developer is maintaining a plugin just because it’s good fun, chances are he or she did not take the time to do proper security checks.
For this reason, we teamed up with Sucuri years ago to make sure every one of our plugins is checked for security before release. And we have an agreement with them for ongoing checks as well. If you are creating a free theme or plugin, you might not have the resources to add solid checks like that.
How to pick the right plugin
If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.
First, let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin on WordPress.org. Keep in mind that one 5-star rating won’t tell you anything, so always check the number of ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you may feel more secure in using it too.
Compatibility of the plugin
There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. Now, this doesn’t necessarily mean it’s a bad plugin. It could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will help you decide if that’s the case. And have a look at the compatibility with the current WordPress version, which is also shown on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.
Based on ratings and compatibility, you can pick your plugins thoughtfully and be mindful about your WordPress security at the same time.
Yoast recommends Sucuri
I’ve already mentioned our friends at Sucuri. Owners and managers Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past.
Sucuri is a globally recognized website security company known for its ability to clean and protect websites and bringing peace of mind to website owners, including us here at Yoast.
We teamed up with Sucuri because we take security very seriously. It’s not and never should be an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge beyond the application. What Daniel and Tony have built is a product/service that lets you get back to running your business. They are the security team we lean on when we need help the most. And they can help you out too. For instance, if you use WordPress, definitely read their WordPress guide on how to clean a hacked WordPress site.
Webinar Sucuri: how do websites get hacked?
If you’re wondering why websites get hacked and what type of attacks there are, watch Sucuri’s webinar on this subject:
Failing to take the necessary precautions for your WordPress security, and leveraging the experts can lead to malware infections, branding issues, Google blacklists and possibly have huge impacts on your SEO (something dear to our hearts). Because of this, we turn to Sucuri for our needs, as they turn to us for website optimization.
Moreover, Sucuri created an infographic on what to do when your site does get hacked:
A lot of the suggestions in this article can be dealt with by installing and configuring the free Sucuri Scanner plugin for WordPress or hiring Sucuri to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information or check your site now to make sure you haven’t been infected with malware or have been blacklisted.
If you are serious about your website, you are serious about your security. Get the complete security package of Website Security Stack right here:
14. Don’t forget logs & monitoring
So far, we’ve seen how to secure a WordPress site. However, since WordPress security is not an absolute (sites are always evolving by changing functionality and users) there is another aspect to WordPress security: logging and monitoring. Audit logs or activity logs are a chronological record of events and changes that happened on your website. In the audit logs you can find information on who logged into your site, installed or updated a plugin, changed the content, changed the site’s settings, and more.
Spot attacks before they happen
By keeping an audit log on your WordPress site you ensure user accountability, ease troubleshooting of technical issues, and spot attacks before or as they happen, allowing you to take evasive action to stop them. Audit logs are also used for forensics, to find out what went wrong in the unfortunate case of a successful hack. To keep an audit log on your WordPress site you need to install a plugin such as WP Security Audit Log.
There are several other things you should keep an eye on. For example, if you use Sucuri you’ll get a weekly traffic report with details on what was blocked and allowed. You can learn a lot from it, as well as from your website’s analytics and traffic patterns.
Closing thoughts on WordPress security
If you’ve come this far in this article, you will have no more excuse not to improve WordPress security for your website. Much like adding posts and pages, checking your WordPress security should be a routine for every WordPress site owner.
Also bear in mind that this isn’t the full list of things you can do to secure your website. I am aware that one should, for instance, create regular backups to keep your site secure. However, I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s up to us to make it harder for the hackers!
I would also like to thank Tony Perez for his input and several additions to this article.
Read more: 5 things to do after a hack »