WordPress is the most popular web content platform. In fact, nearly 30% of all websites are powered by WordPress. This includes everything from personal blogs to government websites with heavy site traffic. It’s not hard to see why, as WordPress is totally customizable while being very simple to use.
Because so many use it, security is one of WordPress’s primary concerns. Your WordPress website can be vulnerable to hackers due to a number of WordPress security issues.
Seemingly silly things like faulty passwords and skipped updates can leave the door wide open to cyber thieves. Luckily, many WordPress security issues can be quickly fixed if you know what to look for and take the time to do things right.
Here are 7 ways to protect your website from WordPress security issues:
#1: Don’t Skip WordPress Updates
The WordPress development team works hard to find security flaws and correct them. These fixes are delivered to users in regular core version updates.
Minor updates happen automatically but major overhauls, such as the upcoming WordPress 5.0, have to be manually updated by the user. Many choose to ignore these core version updates, as they can sometimes break website elements, which then need to be fixed with haste. Hackers love when you do this, as it makes their jobs much easier.
Core version updates aren’t the only thing you should keep up with. Your WordPress plugins and themes should be updated regularly, as well. In fact, plugins are even more dangerous to ignore than WordPress core updates. 63% of reported WordPress security issues are caused by incompatible plugins or themes, while only 37% are due to missing core files.
Reputable WordPress plugins and themes release updates shortly after WordPress core version updates. As a general rule, don’t use any questionable plugins/themes from third parties and your website will be safe.
#2: Use A Secure Web Host
The web host you choose can have an effect on your WordPress website’s security. Shared servers are inexpensive but pose a possible WordPress security issue. Hackers can more easily find their way into your website by first going through the other less secure websites on the shared server.
To solve for these WordPress security issues, opt for managed WordPress hosting if possible. Many of these web hosts even update and backup your website automatically!
#3: Rename Your WordPress Login Page
Renaming your WordPress login page is an easy way to protect yourself. This makes it inaccessible unless you have the direct URL. If you’re not a developer, you can use the Rename wp-login.php plugin to do so—just make sure you bookmark the changed URL.
This is an effective WordPress security method as long as your website only allows a few administrator accounts. However, if your WordPress website has a high number of users (like a store page) you should make admins and users use different login pages (and only hide the admin login).
#4: Keep Your Password Strong
Brute force attacks are one of the most common hacking methods. Put simply, hackers use programs to manually enter ID and password combinations until they guess right.
This method is time-consuming and imprecise. If you have a strong password then it could take decades for a hacking program to guess correctly. But if you have a weak password (like “password”), your WordPress website could be hacked in a matter of minutes. Strengthen your password by making it longer (10 characters and above) and by adding numbers and special symbols.
Creating a strong password is simple and very important. Up to 8% of WordPress security issues occur due to weak passwords. Install a plugin that limits login attempts like Login Lockdown for added protection against brute force attacks. Additionally, software tools like LastPass can help you manage passwords and even generate secure passwords for you if you can’t think of one.
Lastly, be sure to change your password frequently and never reuse the same one twice.
#5: Try WordPress Security Plugins
WordPress does a pretty good job of protecting itself but you can add to that protection by installing security plugins. These plugins handle all manner of tasks including scanning, blocking threats, adding firewalls, tracking logins, and more.
The most popular WordPress security plugin is Wordfence. This freemium plugin includes a firewall and malware scanners designed specifically for WordPress. Sucuri is another popular freemium option. It includes file monitoring and malware scanning.
#6: Use Two-Factor Authentication
Two-factor authentication requires users to confirm their identity twice to login. This usually means that you’ll need to use SMS, which uses your phone number, authenticator apps (which generate time sensitive passwords), and push-based notifications (which sends prompts to all your devices upon login).
Every method makes logging in slightly more cumbersome, but the security benefits should not be overlooked. With two-factor authentication, you can always get back into your website long as you have one of your devices.
Just be careful if you use SMS. A hacker could gain access to your WordPress website without knowing the password if they get access to your phone.
#7: Maintain Regular WordPress Backups
Each week, Google purges around 70,000 websites for malware and phishing.
While keeping your WordPress website secure will help protect you from hackers, anything can happen. This is why it’s advised to have a backup plan.
WordPress plugins such as Vaultpress can create backups for a specified time period. Some WordPress backup plugins also come with additional features security features, such as Vaultpress’ ability to scan your site for malware.
It’s important that you don’t store all of your backups in your hosting account. Hackers can easily get access and destroy these, too. So instead, store your backups in the cloud on an unrelated account. Or even better, store them on a physical device, like a hard drive that isn’t connected to the internet at all.
Final Thoughts: A Little Security Goes A Long Way
Setting up WordPress security tools can be a hassle. That’s why many users don’t do it. But it’s important not to ignore this process, as rough 73% of the most popular WordPress sites are vulnerable to attack by some method.
Learn from other user’s mistakes and keep up with your security software. You’ll thank yourself for it later!
What are your best tips for protecting against WordPress security issues? Let us know in the comments!
Hi, Maddy
excellent work with this post. Very insightful and good tips.
Personally, I find 3 things the most valuable:
1. keeping core, plugins and themes updated
2. 2-factor authentication
3. Having backup ready
This should give you pretty good protection.
I’ll make sure to share this post. Keep up the good work!
With a small trick in your htaccess file you don’t need to rename wp-login.php but make it accessible only to your static IP address(es).
Here is the snippet for Apache 2.4:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xxc\.xxx\.xxc\.xxc$
RewriteRule ^(.*)$ – [F]
Where xxx.xxx.xxx.xxx is one of your static IP addresses.
Renaming the wp login is ineffective and is not recommended by the vast majority of WordPress security experts. Even iThemes security advises against this outdated idea.
Agree +100, security through obscurity is not worth the effort.
Excellent points.Must be considered by every site owner.In addition to these I would recommend the following
1) Use a strong username.Never use common usernames like ‘admin’.
2) The number of invalid login attempts should be limited.
3) Never use any plugin from untrustworthy sources.
WordPress is indeed known for being one of the most user-friendly website platforms, but out of the box also a popular target for hackers and spammers. I agree that updating it, using a security plug. ins, a two factor authentication and maintaining a regular back ups would be best to avoid any security issues. Great content, keep posting.