Every year, the number of data compromises is only setting new records. According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches in 2021 alone. Is there anything a website owner can do about it? Totally! Don’t wait till something bad happens – there are easy ways you can take today to secure your WordPress website.
To make your life easier, we put together this simple WordPress security checklist so you know exactly what steps to take to protect your data. This list will include both simple and advanced tips as well as plugin recommendations for users of all levels. Even a few things from this checklist can go a long way in protecting your website.
Potential WordPress Vulnerabilities
Since WordPress is a free, open-source CMS, there will be always potential threats. Naturally, you won’t be able to protect your website from all of them. What you can do, though, is to make sure you’ve done everything you can to minimize the risk.
Every day, Google blacklists thousands of websites for phishing and malware. And even if you have no intention to spread potentially dangerous software, you can still get backlisted. How? Google may blacklist your website when it suspects that your website is being used to spread malware.
The pages on your site can be hacked and may be programmed to download malware automatically. And you might not even notice it. A good example of such malware is the pharma hack, one of the SEO spam attacks that used legitimate websites to sell illicit drugs. The pharma hack was inserting bad code in outdated versions of WordPress websites and plugins; it quickly became a big problem for website owners.
Now, when you know some of the WordPress vulnerabilities that can harm your website, let’s do a simple security check. Do you think your WordPress site is secure enough? The easiest way to find it out is to use a free or paid WordPress plugin that scans your website to find the potential vulnerabilities. Currently, some of the most popular tools are:
SiteCheck quickly shows if the site is blacklisted, infected with some kind of malware, or needs to be updated.
Hacker Target is great at checking vulnerable plugins and themes. This plugin will also let you know if you are using an outdated WordPress or PHP version or if your web server configuration should be updated.
For a more in-depth scan, you can try using Detectify, an enterprise-ready service that checks more than 500 vulnerabilities, including WordPress-specific ones.
WordPress Security Checklist
☐ Secure WP Hosting
Reliable hosting providers use modern, up-to-date hardware or cloud that positively affects the speed of your website. They also offer protection from various attacks. And if the attack does happen, some hosts even offer to fix your website for free.
☐ Use the Latest PHP Version
Using an outdated software stack is never a good idea. WordPress certainly has its challenges with updates but staying updated is vital for security.
☐ Always Use the Latest WordPress Version
We can’t stress enough how important it is to use the latest WP version. If you go to a website like CVE Details and search for WordPress, you’ll see pages of potential security vulnerabilities. This list might look overwhelming at first, but you’ll quickly notice that most of the vulnerabilities are fixed fairly quickly in new versions of WordPress. Since most of the threats on this list do not have known workarounds, the only way to fix them is to always use the latest WordPress version.
☐ Update Your Plugins and Themes
WordPress certainly has its challenges with updates but staying updated is vital for security. Nobody likes to deal with incompatibility issues, we get it. But you know what’s worse than having a plugin that stops working after the update? Losing all your information due to a security breach.
You can always turn on auto-updates but there is a better way: clone your website to a staging or dev environment, run your updates there, and then verify everything is good before updating. This way, you’ll have more control over your website. And, of course, always make a backup of your website before updating anything.
☐ Hide Your WP Version and Other Sensitive Info About Your Website
The less people know about your WordPress site setup, the better. If you are comfortable with editing your functions.php file, you can hide some things like your WP version yourself. Or, even better, use a plugin like WP Hardening that will do it for you.
☐ Hide WP Admin
Another thing you can easily hide is the default admin login for your website. Any hacker knows that by adding “/wp-admin” to your URL they can get direct access to your login page. To make it harder for them, change this URL to something only you know by using a plugin like WPS Hide Login.
☐ Limit the Login Attempts
One of the simplest yet most effective ways to protect your website from brute-force login attempts is to limit them. Any good security plugin has this built-in feature, in addition to two-step authentication, unauthorized logins monitoring, and an ability to block IP addresses.
☐ Add Basic HTTP Authentication to Your Website
HTTP authentication can add an extra layer of security to your website by asking for a username and password even before showing the login page. Of course, this won’t work for an online store or a membership site, but it can be a great addition to a site with only a few registered users. This method is also frequently used to protect staging and development websites.
WordPress had a nice REST API, which can be both a blessing and a curse. On the bright side, it allows developers to build all kinds of integrations with third-party resources. At the same time, there are some potential dangers associated with exposing your data via the API. Among the things you can do to make sure you use WP API safely are:
Always use a secure, encrypted connection (HTTPS)
Give your entities access only to the parts of the application they really need
Usually, these are the main steps a WordPress user can take in order to protect their website from attacks and bots. If you don’t feel comfortable with editing and moving things yourself, there are advanced security plugins for WordPress that can do all the work for you. And if you want to harden your WordPress security even more, here are a few more ideas:
☐ Update your WordPress Security Keys
☐ Disable XML-RPC
☐ Check your core files and server permissions
☐ Use the latest HTTP security headers
☐ Improve the security of your WordPress database
☐ Define clear user roles
☐ Disable file editing in WP admin
☐ Disable hotlinking
☐ Move your wp-config.php file
☐ Use SFTP and SSH
☐ Prevent DDoS attacks
☐ Change WordPress Database Prefix
☐ Use two-factor authentication
Superb WordPress Development Services from GetDevDone
Are you still worried that your WordPress website may not be secure enough? Let our expert WordPress developers put your mind at rest. With 16+ years of industry experience and thousands of successfully completed WP projects, we know everything about the world’s most popular CMS.
Contact us with any WordPress-related request, from building a unique theme or tweaking your current one to satisfy your business needs to Core Web Vitals optimization and plugin development.
Choose the best WordPress backup plugin to keep your data safe and sound In this post, we talk about the main reasons to back up your WordPress website. You will learn about the consequences of not making copies of your database and files regularly and get familiar with the principal backup types and methods. We […]
A crisis is not only a bad time when people are suffering and business growth is stalled or starts going in reverse. A crisis also creates new opportunities. One of the economic sectors that the current COVID-19 pandemic is likely to boost rather than kill is e-commerce. The reason should be obvious. With half the […]
Alas, we’re not living in an ideal world where everyone respects other people’s right to private property and privacy. We’re talking about hackers now — cybercriminals who’re constantly looking to exploit weak security spots in websites to steal data or pull off their dirty tricks. According to a report published last year, the majority of […]