{"id":13601,"date":"2022-03-02T11:35:21","date_gmt":"2022-03-02T11:35:21","guid":{"rendered":"https:\/\/getdevdone.com\/blog\/?p=13601"},"modified":"2024-12-12T17:10:04","modified_gmt":"2024-12-12T17:10:04","slug":"wordpress-security-checklist-easy-ways-to-protect-your-website","status":"publish","type":"post","link":"https:\/\/getdevdone.com\/blog\/wordpress-security-checklist-easy-ways-to-protect-your-website.html","title":{"rendered":"WordPress Security Checklist: Easy Ways to Protect Your Website"},"content":{"rendered":"\n<p>Every year, the number of data compromises sets a new record. According to the Identity Theft Resource Center&#8217;s 2021 Data Breach Report, <a href=\"https:\/\/www.idtheftcenter.org\/post\/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">there were 1,862 data breaches in 2021<\/a> alone. Is there anything a website owner can do about it? Totally! Don\u2019t wait till something bad happens &#8211; there are easy steps you can take today to secure your WordPress website.<\/p>\n\n\n\n<p>To make your life easier, we put together this simple WordPress security checklist so you know exactly what steps to take to protect your data. This list includes both simple and advanced tips as well as plugin recommendations for users of all levels. Even a few things from this checklist can go a long way in protecting your website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"potential-wordpress-vulnerabilities\"><strong>Potential WordPress Vulnerabilities<\/strong><\/h2>\n\n\n\n<p>Since WordPress is a free, open-source CMS, there will always be potential threats. Naturally, you won\u2019t be able to protect your website from all of them. 
What you can do, though, is make sure you\u2019ve done everything you can to minimize the risk.&nbsp;<\/p>\n\n\n\n<p>Every day, Google blacklists thousands of websites for phishing and malware. And even if you have no intention of spreading potentially dangerous software, you can still get blacklisted. How? Google may blacklist your website when it suspects that your website is being used to spread malware.<\/p>\n\n\n\n<p>The pages on your site can be hacked and programmed to download malware automatically, and you might not even notice it. A good example of such malware is the pharma hack, one of the SEO spam attacks that used legitimate websites to sell illicit drugs. The pharma hack inserted malicious code into outdated versions of WordPress and its plugins; it quickly became a big problem for website owners.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"security-check\"><strong>Security Check<\/strong><\/h2>\n\n\n\n<p>Now that you know some of the WordPress vulnerabilities that can harm your website, let\u2019s do a simple security check. Do you think your WordPress site is secure enough? The easiest way to find out is to use a free or paid scanner that checks your website for potential vulnerabilities. Currently, some of the most popular tools are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/sitecheck.sucuri.net\/?cjevent=7d30dda692b311ec80dfe2c90a82b839&amp;cj_aid=13948096&amp;cj_pid=8092889&amp;cj_cid=4761150\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">SiteCheck<\/a> quickly shows if the site is blacklisted, infected with some kind of malware, or needs to be updated.<\/li>\n\n\n\n<li><a href=\"https:\/\/hackertarget.com\/wordpress-security-scan\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Hacker Target<\/a> is great at checking for vulnerable plugins and themes. 
This scanner will also let you know if you are using an outdated WordPress or PHP version or if your web server configuration should be updated.<\/li>\n\n\n\n<li>For a more in-depth scan, you can try <a href=\"https:\/\/detectify.com\/cms-security\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Detectify<\/a>, an enterprise-ready service that checks for more than 500 vulnerabilities, including WordPress-specific ones.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"wordpress-security-checklist\"><strong>WordPress Security Checklist<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"1024\" height=\"600\" src=\"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02113013\/Image-1.png\" alt=\"\" class=\"wp-image-13667\" srcset=\"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02113013\/Image-1.png 1024w, https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02113013\/Image-1-300x176.png 300w, https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02113013\/Image-1-768x450.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"secure-wp-hosting\"><strong>\u2610&nbsp; Secure WP Hosting<\/strong><\/h3>\n\n\n\n<p>Reliable hosting providers run on modern, up-to-date hardware or cloud infrastructure, which also benefits the speed of your website. They also offer protection from various attacks. And if an attack does happen, some hosts even offer to fix your website for free.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"use-the-latest-php-version\"><strong>\u2610 Use the Latest PHP Version<\/strong><\/h3>\n\n\n\n<p>Using an outdated software stack is never a good idea. 
WordPress certainly has its challenges with updates, but staying updated is vital for security.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"always-use-the-latest-wordpress-version\"><strong>\u2610&nbsp; Always Use the Latest WordPress Version<\/strong><\/h3>\n\n\n\n<p>We can\u2019t stress enough how important it is to use the latest WP version. If you go to a website like <a href=\"https:\/\/www.cvedetails.com\/vulnerability-list\/vendor_id-2337\/product_id-4096\/Wordpress-Wordpress.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE Details<\/a> and search for WordPress, you\u2019ll see pages of security vulnerabilities. This list might look overwhelming at first, but you\u2019ll quickly notice that most of the vulnerabilities are fixed fairly quickly in new versions of WordPress. Since most of the issues on this list have no known workarounds, the only way to fix them is to always run the latest WordPress version.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"update-your-plugins-and-themes\"><strong>\u2610 Update Your Plugins and Themes<\/strong><\/h3>\n\n\n\n<p>The same goes for plugins and themes: updates can be a hassle, but staying updated is vital for security. Nobody likes to deal with incompatibility issues, we get it. But you know what\u2019s worse than a plugin that stops working after an update? Losing all your information due to a security breach.&nbsp;<\/p>\n\n\n\n<p>You can always turn on auto-updates, but there is a better way: clone your website to a staging or dev environment, run your updates there, and verify that everything works before updating the live site. This way, you\u2019ll have more control over your website. 
And, of course, always make a backup of your website before updating anything.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"change-your-passwords\"><strong>\u2610 Change Your Passwords<\/strong><\/h3>\n\n\n\n<p>Did you know that <a href=\"https:\/\/www.schneiderdowns.com\/our-thoughts-on\/most-common-passwords-of-2021\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">it takes less than a second to crack the most common passwords<\/a> like <em>12345<\/em> or <em>password<\/em>? Even if your current WordPress password is far more sophisticated, make it a habit to change it once in a while.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hide-your-wp-version-and-other-sensitive-info-about-your-website\"><strong>\u2610 Hide Your WP Version and Other Sensitive Info About Your Website<\/strong><\/h3>\n\n\n\n<p>The fewer people know about your WordPress site setup, the better. If you are comfortable with editing your functions.php file, you can hide some things, like your WP version, yourself. Or, even better, use a plugin like <a href=\"https:\/\/wordpress.org\/plugins\/wp-security-hardening\/?utm_medium=Dashboard&amp;utm_campaign=PluginDownloads\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">WP Hardening<\/a> that will do it for you.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hide-wp-admin\"><strong>\u2610 Hide WP Admin<\/strong><\/h3>\n\n\n\n<p>Another thing you can easily hide is the default admin login for your website. Any hacker knows that by adding \u201c\/wp-admin\u201d to your URL they can get direct access to your login page. 
To make it harder for them, change this URL to something only you know by using a plugin like <a href=\"https:\/\/wordpress.org\/plugins\/wps-hide-login\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">WPS Hide Login<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"limit-the-login-attempts\"><strong>\u2610 Limit the Login Attempts<\/strong><\/h3>\n\n\n\n<p>One of the simplest yet most effective ways to protect your website from brute-force login attempts is to limit them. Any good security plugin (such as <a href=\"https:\/\/wpsecurityninja.com\/\" target=\"_blank\" rel=\"noopener\" title=\"\">WP Security Ninja<\/a>) has this feature built in, in addition to two-step authentication, monitoring of unauthorized logins, and the ability to block IP addresses. If you\u2019re aiming for full-blown <a href=\"https:\/\/www.dataguard.com\/frameworks\/iso-27001\/\" target=\"_blank\" rel=\"noopener\" title=\"\">ISO 27001 accreditation<\/a>, this could form part of the audit process, and it is a best practice to implement across your IT assets, not just your website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u2610 Use Geolocation to Monitor IP Activity<\/strong><\/h3>\n\n\n\n<p>In addition to securing your website from malware and unauthorized access, knowing where users are accessing your platform from can further enhance security. By&nbsp;<a href=\"https:\/\/www.abstractapi.com\/guides\/ip-geolocation\/how-to-geolocate-an-ip-address-in-php\" target=\"_blank\" rel=\"noopener\" title=\"\">geolocating an IP address in PHP<\/a>, you can monitor unusual activity patterns, like repeated login attempts from unexpected locations. 
This form of geographical tracking not only acts as a security measure but also helps provide a personalized experience for users depending on their location.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-basic-http-authentication-to-your-website\"><strong>\u2610 Add Basic HTTP Authentication to Your Website<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/wordpress.org\/plugins\/wp-basic-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">HTTP authentication<\/a> can add an extra layer of security to your website by asking for a username and password even before showing the login page. Of course, this won\u2019t work for an online store or a membership site, but it can be a great addition to a site with only a few registered users. This method is also frequently used to protect staging and development websites.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-an-ssl-certificate-and-use-https\"><strong>\u2610 Install an SSL Certificate and Use HTTPS<\/strong><\/h3>\n\n\n\n<p>A good SSL certificate costs money. Still, it\u2019s better to <a href=\"https:\/\/www.wpbeginner.com\/beginners-guide\/how-to-get-a-free-ssl-certificate-for-your-wordpress-website\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">get at least a free one<\/a> than not to use one at all. And if you are an advanced WordPress user and want to take it a step further, you can also force the login page and the admin area over HTTPS by adding this line to your wp-config.php file:<\/p>\n\n\n\n<p><code>define('FORCE_SSL_ADMIN', true);<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"secure-your-wordpress-api\"><strong>\u2610 Secure Your WordPress API<\/strong><\/h3>\n\n\n\n<p>WordPress has a nice REST API, which can be both a blessing and a curse. On the bright side, it allows developers to build all kinds of integrations with third-party resources. At the same time, there are some potential dangers associated with exposing your data via the API. 
Among the things you can do to make sure you use the WP REST API safely are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always use a secure, encrypted connection (HTTPS)<\/li>\n\n\n\n<li>Give each user and integration access only to the parts of the application it really needs<\/li>\n\n\n\n<li>Use security plugins like <a href=\"https:\/\/wordpress.org\/plugins\/disable-wp-rest-api\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Disable WP REST API<\/a> or <a href=\"https:\/\/wordpress.org\/plugins\/rest-api-toolbox\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">REST API Toolbox<\/a><\/li>\n\n\n\n<li>Keep your API <a href=\"https:\/\/restfulapi.net\/statelessness\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">stateless<\/a><\/li>\n\n\n\n<li>Hash the passwords in your WordPress database<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"next-steps\"><strong>Next Steps<\/strong><\/h2>\n\n\n\n<p>These are the main steps a WordPress user can take to protect their website from attacks and bots. If you don\u2019t feel comfortable editing and moving things yourself, there are advanced security plugins for WordPress that can do all the work for you. 
And if you want to harden your WordPress security even more, here are a few more ideas:<\/p>\n\n\n\n<p>\u2610 Update your WordPress Security Keys<\/p>\n\n\n\n<p>\u2610 Disable XML-RPC&nbsp;<\/p>\n\n\n\n<p>\u2610 Check your core files and server permissions<\/p>\n\n\n\n<p>\u2610 Use the latest HTTP security headers<\/p>\n\n\n\n<p>\u2610 Improve the security of your WordPress database<\/p>\n\n\n\n<p>\u2610 Define clear user roles<\/p>\n\n\n\n<p>\u2610 Disable file editing in WP admin<\/p>\n\n\n\n<p>\u2610 Disable hotlinking<\/p>\n\n\n\n<p>\u2610 Move your wp-config.php file<\/p>\n\n\n\n<p>\u2610 Use SFTP and SSH<\/p>\n\n\n\n<p>\u2610 Prevent DDoS attacks<\/p>\n\n\n\n<p>\u2610 Change WordPress Database Prefix<\/p>\n\n\n\n<p>\u2610 Use two-factor authentication<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity advgb-dyn-c3f4f0ad\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"superb-wordpress-development-services-from-psd2html\">Superb WordPress Development Services from GetDevDone<\/h2>\n\n\n\n<p><em>Are you still worried that your WordPress website may not be secure enough? Let our <a href=\"https:\/\/getdevdone.com\/wordpress-development-services.html\" target=\"_blank\" rel=\"noreferrer noopener\" title=\"expert developers \">expert WordPress developers <\/a>put your mind at rest. With 16+ years of industry experience and thousands of successfully completed WP projects, we know everything about the world\u2019s most popular CMS.<\/em><\/p>\n\n\n\n<p><em><a href=\"https:\/\/getdevdone.com\/contact-us.html\" target=\"_blank\" rel=\"noreferrer noopener\">Contact <\/a>us with any WordPress-related request, from building a unique theme or tweaking your current one to satisfy your business needs to Core Web Vitals optimization and plugin development. <\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress is a secure platform out of the box. Still, you can make it even more secure by applying several tried-and-true methods. 
Read this post to learn about those. <\/p>\n","protected":false},"author":6,"featured_media":13666,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"categories":[744,752],"tags":[763,772,814],"class_list":["post-13601","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-best-practices","category-wordpress-development","tag-maintenance","tag-security","tag-wordpress"],"acf":[],"aioseo_notices":[],"author_meta":{"display_name":"Valerie Muradian","author_link":"https:\/\/getdevdone.com\/blog\/author\/valeri"},"featured_img":"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02112953\/Intro-preview-300x300.png","coauthors":[],"tax_additional":{"categories":{"linked":["<a href=\"https:\/\/getdevdone.com\/blog\/category\/best-practices\" class=\"advgb-post-tax-term\">Best practices<\/a>","<a href=\"https:\/\/getdevdone.com\/blog\/category\/wordpress-development\" class=\"advgb-post-tax-term\">WordPress development<\/a>"],"unlinked":["<span class=\"advgb-post-tax-term\">Best practices<\/span>","<span class=\"advgb-post-tax-term\">WordPress development<\/span>"]},"tags":{"linked":["<a href=\"https:\/\/getdevdone.com\/blog\/category\/wordpress-development\" class=\"advgb-post-tax-term\">Maintenance<\/a>","<a href=\"https:\/\/getdevdone.com\/blog\/category\/wordpress-development\" class=\"advgb-post-tax-term\">Security<\/a>","<a href=\"https:\/\/getdevdone.com\/blog\/category\/wordpress-development\" class=\"advgb-post-tax-term\">WordPress<\/a>"],"unlinked":["<span class=\"advgb-post-tax-term\">Maintenance<\/span>","<span class=\"advgb-post-tax-term\">Security<\/span>","<span class=\"advgb-post-tax-term\">WordPress<\/span>"]}},"comment_count":"0","relative_dates":{"created":"Posted 4 years ago","modified":"Updated 1 year 
ago"},"absolute_dates":{"created":"Posted on March 2, 2022","modified":"Updated on December 12, 2024"},"absolute_dates_time":{"created":"Posted on March 2, 2022 11:35 am","modified":"Updated on December 12, 2024 5:10 pm"},"featured_img_caption":"","series_order":"","featured_image_urls":{"thumbnail_723x315":"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02112953\/Intro-preview-400x315.png","thumbnail_723x315-2x":"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02112953\/Intro-preview.png","thumbnail_723x315-3x":"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02112953\/Intro-preview.png","thumbnail_770x510":"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02112953\/Intro-preview.png","thumbnail_770x510-2x":"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02112953\/Intro-preview.png","thumbnail_770x510-3x":"https:\/\/s3.amazonaws.com\/newblog.psd2html.com\/wp-content\/uploads\/2022\/03\/02112953\/Intro-preview.png"},"featured_post_color":"#e88080","author_avatar":"https:\/\/secure.gravatar.com\/avatar\/5beb6f0817cc101d7122d201f933d94a4c68077bd00f26e4a1771c421a6b2fab?s=96&d=mm&r=g","author_position":"Web Developer & Content Writer","reading_time":"<span class=\"span-reading-time rt-reading-time\"><span class=\"rt-label rt-prefix\"><\/span> <span class=\"rt-time\"> 6<\/span> <span class=\"rt-label rt-postfix\">min read<\/span><\/span>","prev_post":{"slug":"how-you-can-add-favicon-to-your-wordpress-site","name":"What Is a Favicon and How You Can Add One to Your WordPress Site"},"next_post":{"slug":"war-in-ukraine","name":"War in 
Ukraine"},"related_posts":["how-we-redeveloped-website-for-agency","top-wordpress-backup-plugins-to-ensure-your-website-data-safety","how-to-change-logo-on-wordpress-website"],"_links":{"self":[{"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/posts\/13601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/comments?post=13601"}],"version-history":[{"count":22,"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/posts\/13601\/revisions"}],"predecessor-version":[{"id":24823,"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/posts\/13601\/revisions\/24823"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/media\/13666"}],"wp:attachment":[{"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/media?parent=13601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/categories?post=13601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/getdevdone.com\/blog\/wp-json\/wp\/v2\/tags?post=13601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}