What are the top ten steps you can take to protect your WordPress site? What security hardening measures will have the greatest impact on your website’s safety? Security is always a hot topic in the WordPress community, and questions like these are important for a good reason. WordPress powers almost half of the internet, and its leading position makes it a high-priority target for hackers.
Thousands of WordPress websites fall victim to cyberattacks every day. It’s a drop in the bucket of the total number of WordPress sites, but if it happens to you? That’s huge. Some site owners suffer long-term consequences from data loss, data theft, and fraud due. Poor security policies and risk management set up disasters like this. What does it mean to have solid security policies as a WordPress site owner? What are the main risks, and how can you manage them?
The key is to set up secure foundations and then keep building on them with consistent security practices. This guide will teach you how to do that and secure your WordPress site today.
In this guide, we’ll take a deep dive into WordPress security. You’ll learn about the most dangerous cyber attacks targeting WordPress. You’ll learn how to minimize your risk of falling victim to them. We will provide you with our top ten WordPress security recommendations and explain how to implement them. Then you’ll be able to defend yourself against today’s most sophisticated and malicious attacks.
Is WordPress Secure? Yes!
In short, yes, the core WordPress platform is secure.
As a mature, twenty-year-old open-source software project, WordPress is one of the most time-tested and secure website-building frameworks.
A community of developers and security experts maintains WordPress core. Moreover, the codebase is publicly available. That means security researchers are free to analyze it. Under public scrutiny, any bugs that passed the initial testing phases of a new release tend to be discovered quickly. WordPress receives regular updates and swiftly patches any vulnerabilities found in WordPress core. This constant adaptation increases the platform’s security and quality overall.
What Makes a WordPress Site Insecure?
When people build sites with WordPress, security may not be at the top of their minds. Careless customization combined with bad security practices (or none at all) introduces significant security risks to the whole WordPress ecosystem.
Site Owners Who Don’t Run Updates
Regular updates and support from WordPress developers make WordPress highly secure. However, WordPress’s popularity has a lot to do with the ease of customizing it with plugins and themes. These third-party add-ons may or may not be as well supported and tested as WordPress core. They also need to be updated when new versions roll out. For a WordPress site with 12-24 plugins, there may be several new updates available every week. Leaving known vulnerabilities unpatched and failing to perform regular updates significantly increases the probability your WordPress website will be hacked.
WordPress core receives updates throughout the year too. Typically there will be four major releases. Security and maintenance releases will also emerge as they are needed. As of 2023, about 60% of WordPress sites use the latest (6.1) version of WordPress core. 40% do not, and that’s not good for their security. As of December 2022, WordPress versions 3.7 – 4.0 are no longer supported and may not receive security patches.
Site Owners and Hosts Who Don’t Update PHP
A more worrying statistic is that many WordPress sites use a version of PHP lower than 7.4. PHP is part of your host’s server environment. It is the language WordPress runs on. In early 2023, 55% of all WordPress sites were hosted on PHP 7.4. That’s the last major release of the PHP 7 branch. It’s the highest version of PHP officially supported by WordPress at this time, although many WordPress hosts offer PHP 8. Well-managed WordPress hosts will maintain the security of PHP 7, but it has reached its end-of-life for official support. WordPress plugins will require PHP 8 more and more over time. Sites that do not keep pace with WordPress and PHP development run a higher risk of being hacked.
Why WordPress Security Matters
WordPress website security matters! Now is always the best time to start taking it seriously if you do not have consistent security practices. The growing sophistication and volume of cyber attacks make website security extremely important, especially for WordPress website owners. Attackers do not simply choose what websites to hack into. Modern cyber attacks are highly automated, and thousands of WordPress sites can be targeted at once. WordPress’s popularity and the number of sites that have not been updated make it a large and easy target.
Whether you are running a blog, a business website, or an online store, you are entrusted with the safety of your customers and their data. A data breach can put your business at risk and significantly damage your reputation. Poor security practices can result in serious financial losses.
A recent study showed that most small-to-midsized businesses (SMBs) think they’re not targets for hacking, but they are wrong. Attacks are on the rise and specifically targeting them. On average, small companies that experience a digital security breach end up paying costs above $100,000.
The Five Most Common WordPress Security Issues
The most common threats WordPress faced in 2022 that exploit internal site vulnerabilities were cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, as well as SQL injections (SQLi). Common payloads or damage done to hacked and infected sites include backdoors and malicious redirects. Finally, the most common attacks do not involve a software vulnerability at all. These are brute force login attempts, password stuffing, card skimming, carding, and distributed denial-of-service (DDoS) attacks.
Let’s take a look at these threats and dig into the solutions that will prevent them from penetrating your WordPress site.
Password Stuffing, Brute Force Login, and DDOS Attacks
Brute force and DDoS attacks are highly distributed bot-driven cyber attacks. They try to break into a website or take it offline by having the server hosting it overloaded with web requests. Both types of attacks often involve a network of bots (also known as a botnet) controlled by the attacker.
Brute force login attacks, also known as password-guessing attacks, use a network of (typically hacked) computers to test thousands of random combinations of letters, numbers, and symbols in order to discover a valid login name and password for a targeted site.
Password stuffing is a type of brute force attack that uses actual passwords stolen elsewhere to gain access to your site. If you or your site’s users have used the same login credentials on another site that’s been compromised, password stuffing may be successful on your site.
When an attacker attempts thousands of logins per minute, it may have the effect of a DDoS attack. DDoSes throw so many requests at your server that it is overloaded. Sometimes DDoS attacks are performed simply to take sites offline in this way.
When it comes to WordPress and WooCommerce, carding attacks are a good example of a brute-force attempt to stuff stolen credit card account numbers into an e-commerce site to make fraudulent purchases. Carding attacks may also have a DDoS effect.
Cross-Site Scripting and Request Forgery
Cross-site scripting and cross-site request forgery, also known as XSS and CSRF, are cyber attacks that try to run malicious scripts on your website that will exploit your visitors’ computers. Using your site, these attacks send unauthorized requests from it on your user’s behalf. The goal is to defraud your site’s visitors and steal sensitive information or money from them. Cross-site scripting and request forgery are considered two of the most dangerous cyber attacks targeting WordPress websites.
Backdoors and Web Shells
Backdoors and web shells are two related types of malicious software that are often uploaded to hacked websites as a payload in the initial breach. Both enable a deeper level of damage: malware infection. Both are tools malicious hackers use to dig deeper into your server and web apps or to conduct fraud and further attacks on other sites.
Backdoors are software that gets injected into a website to allow the attacker to gain unauthorized access to its critical areas by bypassing normal authentication methods. Web shells, in turn, are malicious file management utilities used by the hacker to upload more malicious payloads into the compromised website.
Backdoors can often sneak past website owners and even antivirus software. A backdoor will allow the hacker to return and re-infect or further exploit a website at a later date, even if all the necessary security measures have been taken. Similarly, if a web shell is not removed, the attacker will remain in control of the website.
One of the most common goals of an attacker is to infect your visitors with malware. One of the most common ways to achieve this goal is to redirect unsuspecting users from trusted websites that the attackers have gained control over.
Hackers can place malicious redirects anywhere on hacked websites which can make them difficult to locate and remove. Often, website owners have to reinstall WordPress (which is simple) or restore their whole website from a backup (which can be more challenging) in order to clear it of malicious redirects after they’ve patched the vulnerability that made this exploit possible.
As a type of SEO spam, pharma hacks have been one of the most notorious attacks affecting WordPress websites. Attackers fill a compromised WordPress website with spam keywords for popular drugs in an attempt to get it ranked high in search engines and then redirect visitors to fraudulent portals selling regulated pharmaceuticals. Most of the time, attackers place malicious redirects in an Apache
.htaccess file or create a seemingly harmless .ico file for this purpose.
SQL Injection Attacks
An SQL injection attack, also known as SQL insertion (SQLi), is a type of data injection attack exploiting insufficient user input validation that allows an attacker to manipulate the website’s database in a malicious way. Both SQL injections and cross-site scripting take advantage of so-called input vulnerabilities that may affect certain areas of your WordPress website. Input vulnerabilities arise when a plugin accepts user-submitted data or content but doesn’t screen it for malicious code. That code may execute queries on your database to steal private data or damage it.
Top 10 WordPress Security Recommendations
When it comes to WordPress website security, a mindful approach to reducing the attack surface is key. Knowing the most common WordPress vulnerabilities and types of cyber attacks will help you significantly improve your website security. The following 10 most important WordPress security recommendations are the core knowledge you need to secure any WordPress site. Most of these recommendations are relatively easy to follow and do not require any paid security solutions.
Perform Regular Updates and Don’t Install Any Software from Unverified Sources
One of the most important WordPress security recommendations is to perform regular core, theme, and plugin updates. Make sure all software you install comes from verified, trusted sources. As WordPress is written in PHP, make sure you use a supported PHP version from the latest major release. At this time, it’s PHP 7.4 with only beta support for PHP 8.
The default WordPress features rarely satisfy all the needs of business owners, so they extend the platform’s capabilities by installing more plugins and themes. Third-party themes and plugins increase the attack surface, making WordPress sites vulnerable to more security threats.
Major problems can come from using unofficial, pirated versions of paid plugins and themes. These always come from highly questionable sources. Using obsolete versions of WordPress and failing to patch vulnerabilities is also extremely risky.
Use a Security Plugin Like iThemes Security Pro
The best way to keep your website secure is to turn on automatic updates for core, themes, and plugins. iThemes Security Pro can easily keep track of all available software updates and install new versions of WordPress core as well as themes and plugins. If you manage multiple WordPress websites, iThemes Sync Pro allows you to perform all admin tasks from a single interface and take advantage of uptime monitoring and SEO metrics tracking.
Most WordPress hosting solutions, such as managed cloud WordPress hosting plans offered by Nexcess, also take care of all software updates for you and even come with built-in tools such as Visual Comparison to help you track any potential plugin conflicts and other issues prior to performing any updates. Nexcess also provides you with a catalog of premium WordPress solutions. It offers Kadence WP as the built-in block theme with custom blocks to help you design the website of your dreams while ensuring its security.
Create a Strong Backup Strategy
A strong backup strategy is absolutely essential for WordPress security. Performing regular backups of your WordPress site prepares you for easy recovery in the event of a breach, failed update, or any other issue that may arise.
It is best to have at least ten days or even two weeks’ worth of full WordPress backups that include your WordPress database, website files, and any other related content. Keeping weekly and monthly backups can be highly beneficial in addition to daily and hourly backups.
Be sure to follow the principle of data redundancy. Keeping working copies of your WordPress website in more than one place. This will help you recover your information in case anything happens to one backup archive
You can use the backup solutions provided by your hosting provider, including cPanel and Acronis backups, to save copies of your website on daily, weekly, and monthly cycles. a WordPress backup plugin can help you create a more flexible backup schedule. BackupBuddy is a world-class data protection and recovery plugin for WordPress. It can help you create a strong backup strategy, and easy access to one-click restores whenever you need them.
Perform Regular Vulnerability and Malware Scanning
Vulnerability scanning and file integrity monitoring are one of the best tools you can use to protect all the critical areas of your WordPress website. The built-in WordPress Site Health interface is a great tool to start with. If you need more WordPress security recommendations tailored to your website, the iThemes Pro Site Scan will provide you with a comprehensive report on your WordPress website security.
Prevention is key, but so is early attack detection and mitigation. The main purpose of most malware is to stay undetected for as long as possible. It’s not uncommon to have WordPress websites hacked for weeks until their owners notice. iThemes Security Pro offers advanced file change monitoring that will alert you anytime there is any suspicious activity going on within your WordPress website files.
Performing regular malware scans will help identify a malware infection early. That’s key to blocking the bad guys and cleaning your WordPress website before irreversible damage is done. If you are looking for great free malware scanners, ImunifyAV by CloudLinux has proven to be extremely reliable and user-friendly.
Keep File Permissions Secure and Protect wp-config.php
WordPress file permissions can greatly affect the overall security of your WordPress website. Incorrect permission settings can put the whole system at grave risk, especially if you maintain your own server and run multiple sites on it. Configuring your WordPress file permissions securely is absolutely essential.
One of the most vulnerable areas of your WordPress website is its main configuration file:
wp-config.php. The critical data stored there, including the WordPress database connection information, makes
wp-config.php a high-priority target for attacks trying to seize control over your website.
One of the key WordPress security recommendations that you can implement right now is setting permissions for your website’s
wp-config.php file to at least 640. If you are unsure what file permissions other websites’ files should have, iThemes Security Pro’s File Permission Checks tool will help you find out.
Cross-account compromises are facilitated by insecure file permissions and poor user isolation
Hackers actively exploit poor user isolation, combined with insecure file permissions, to perform dangerous cross-account attacks. These are known as “symlink hacks” or “Anonymous Fox” WordPress hacks.
By using one hacked website as an entry point, an attacker can create cross-account symbolic links to other websites’ configuration files, such as
wp-config.php, to expose sensitive information and gain control over all websites on the given server. This hack is only possible if your
wp-config.php file is readable by other users on the same server.
Some WordPress security recommendations suggest moving
wp-config.php, which could help, but this won’t really address all risks. Keep file permissions secure and ensure all websites are isolated from one another on the same server. One of the best ways to achieve that is to use CageFS, provided by the CloudLinux operating system.
Configure a Web Application Firewall
Another key WordPress security recommendation is to use a web application firewall, or better yet, multiple defense systems like a host-based and a cloud-based WAF. A web application firewall serves as the first line of defense against all known cyber-attacks, filtering out any malicious traffic based on a constantly updated ruleset.
WAFs scan all web traffic for any suspicious requests based on a number of patterns set up by the rules we define. This ensures a high level of protection against DDoS and brute force attacks, as well as SQLi and XSS.
A cloud-based WAF such as Cloudflare WAF can mitigate a wide range of attacks while decreasing the load on the origin server. The requests that make their way to the server hosting your WordPress website are then subjected to another round of checks by a host-based WAF such as ModSecurity. Both solutions are completely free and are considered the industry standard for WordPress security.
Set up HTTP Security Headers
HTTP security response headers are one of the most valuable tools you have to increase the security of your WordPress website. Similarly to web application firewalls, HTTP response headers can block access to critical areas of your website and prevent any activity that may endanger your customers and their data.
The most important HTTP security headers for WordPress include:
- Content Security Policy (CSP). A robust solution that can help mitigate cross-site scripting and clickjacking, and other dangerous cyber attacks targeting WordPress websites. Using CSP helps you define the list of resources that can load content from your website, as well as the list of resources your website can load content from.
- Set-Cookie. The Set-Cookie response header controls how cookies are sent from the server to the user’s browser. Configuring the SameSite attribute can help defend your WordPress website against cross-site request forgery and clickjacking.
- Strict Transport Security (HSTS). The HSTS response header ensures that your WordPress website can only be accessed via HTTPS, which enables end-to-end encryption between the server and the browser.
Most of the time, you can configure HTTP security headers for your WordPress website in your local
.htaccess file. Please note that most WordPress hosting providers set up HTTP response headers for you, so you may need to consult with your host’s support team to see whether you need to redefine any rules locally.
Disable PHP Execution in the Uploads Folder and Turn Off Directory Indexing
When it comes to WordPress, hackers tend to hide malware in folders that do not normally store any executable code. One such folder is the uploads directory in
wp-content. Disabling PHP execution in the uploads folder is a good idea. This can help limit the scope of a malware infection and speed up malware remediation.
If you have Apache HTTP available for use, create a
.htaccess file in wp-content/uploads and add the rule below to it. This will block any PHP scripts from being loaded from the uploads folder. That’s a common location where an attacker may place malicious code.
In addition to blocking PHP execution, disabling directory indexing on your website is another important item on the list of our WordPress security recommendations. If directory indexing is not disabled, the browser will load the list of files present in the requested directory if it’s missing an
Attackers broadly exploit this ability, especially when it comes to cross-account symlink attacks outlined earlier in the guide. You can block directory indexing globally or on a per-directory basis by using the following rule in
Change Your WordPress Database Prefix and the Default Admin Username
Unless you change the default installation process, WordPress will automatically use the standard
wp- prefix for its database and create a default
admin user. Since this is public knowledge, brute force and data injection attacks assume it.
Remove the default admin user and change the WordPress database prefix to something similar to
wp2789_. You can do it by renaming all database tables using phpMyAdmin or through the MySQL command line interface. Make sure to update the database prefix in
Restrict Access to XMLRPC and WordPress Login
When it comes to brute force and DDoS attacks,
xmlrpc.php and the WordPress login page are the two areas of WordPress websites that attackers target most. If access to these two interfaces is unrestricted, your WordPress site will likely suffer from poor performance and frequent downtime. Moreover, there is every possibility that, eventually, a hacker will be able to crack your admin account and wreak havoc on your website.
XMLRPC is an application programming interface (API) that allows WordPress to communicate with other systems, and it has been part of WordPress since the platform’s inception. However, as WordPress heavily relies on the REST API, XMLRPC is rarely used and can usually be disabled completely without any negative consequences. You can add the rule below to your website’s
.htaccess file or simply the xmlrpc.php file’s permissions to zero for this purpose.
Restricting access to your WordPress admin panel is another one of our key WordPress security recommendations. While changing the address of the WordPress login makes it much more difficult to discover, getting the login page password protected or defining an exclusive range of IP addresses that can access it will effectively eliminate the risk of an attacker getting unauthorized access to the WordPress backend.
Use Strong Passwords and Configure Multi-factor Authentication
The importance of using strong passwords can not be overstated. However, some WordPress website owners tend to forget that the WordPress admin panel is not the only attack vector. A great number of WordPress sites get hacked as a result of an attacker gaining access to their web hosting control panel accounts.
With many hosts, your WordPress website’s account name corresponds to an actual user created on the host server. It is easy to guess or publicly visible. Combined with its password, credential pair may allow you to connect to your site via SSH and SFTP. It is how you access your hosting control panel. If this account is compromised, an attacker may gain full access to not only your site but your entire hosting account, email, and even your domain names or DNS records.
Adopt strong password policies and multi-factor authentication for both your WordPress admin users and your website’s hosting control panel account. If possible, disable password authentication for SSH entirely in favor of key-based authentication methods.
iThemes Security Pro enables you to set up passwordless authentication for your WordPress admin panel using passkeys with biometric logins. This, combined with multi-factor authentication set up for your hosting account, ensures full protection against brute force attacks and secures your website even if your login credentials have been compromised.
Implement the Best WordPress Security Recommendations with iThemes Security Pro
As the most popular content management system in the world, WordPress is a high-priority target for hackers everywhere. To exploit data breaches and distribute malware, attackers employ a wide range of sophisticated techniques such as database injections, cross-site scripting, and cross-site request forgery. Unless your WordPress site is protected from these common security threats, it may become an easy target.
With the myriad of WordPress security recommendations floating around, it can be tricky to understand how to keep your website secure, especially when there are multiple strategies to mitigate each cyber attack. Making WordPress security more accessible is what iThemes strives for. Let iThemes Security Pro and BackupBuddy be your personal security assistants! They offer more than 50 ways to protect your WordPress site from the most hazardous cyber attacks out there today.
The Best WordPress Security Plugin to Secure & Protect WordPress
WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.