Do you run a WordPress blog or a multi-site? How well is it protected from online fraud? Although WordPress is known as one of the safest and most trusted content management systems in the world, more than 30,000 sites are still hacked daily.
I bet you do not want to be one of them. Forewarned is forearmed. So, to help you make sure that every piece of content on your site is protected and every login attempt is under control, we have written this post with explanations, instructions, and a list of tools that eliminate WordPress theme security risks.
Table of contents:
- What is WordPress Security
- WordPress Security Risks
- Simple Tricks to Secure Your WordPress Website
- Free WordPress Security Plugins
- WordPress Security Checklist
What is WordPress Security
WordPress security is a continuous process that should be managed by the site administrators with special caution. By security we mean how well the site is protected from the risks one can face online. How vulnerable is your site to hacker attacks or spam? To guarantee that your WordPress blog or site is 100% secure, you need to implement proper security controls that reduce the risk of being affected to the minimum.
What are the main elements of WordPress security? We can highlight three core domains - technology, people, and the process of implementing security solutions in a web project. Each of them is equally important for the safety of your blog. Leaping ahead, the top recommendation is to be extremely watchful when you adopt a new technology or give new people access to your site's security settings.
When building a blog or a website on WordPress, the first and major decision that needs to be made is the choice of web host for your site. There is a range of options available, and the number of hosting providers keeps growing quickly. Some hosting providers specialize in WordPress hosting specifically; we reviewed and compared those in earlier posts.
Whether you choose shared, VPS, dedicated or managed web hosting, it's advised to look into the technical specifications of each. Different hosts are intended for different purposes and offer varying storage space, additional services, security, and pricing plans.
WordPress Security Risks
There are always two sides to a coin. WordPress is popular for its regular system updates, each of which delivers a bunch of new and useful features to site administrators. As a rule, every consecutive update delivers enhanced features and bug fixes with the intention of keeping your website safe.
The first and foremost thing to keep in mind is that your WordPress installation should be downloaded from WordPress.org ONLY. This is the one and only official resource that delivers the latest versions of the content management system and releases updates (each of which undergoes detailed inspection).
The most vulnerable parts of your WordPress site are the extensions that you install to boost its power. The themes and plugins that you install on your site are often exploited by cybercriminals and hackers. The problem is that the developers of tools and templates for WordPress sites aren't security experts and can unintentionally ship vulnerable code in their products. To reduce the risk of their users being hacked, theme and plugin developers release updates for their products. So, if you notice that the extension you are going to add to your WordPress site is no longer supported or isn't compatible with the latest WordPress version, you had better play it safe and look for a more secure alternative.
Your WordPress web server and the software on it can be at risk too. The vulnerabilities that you need to take care of mainly depend on what type of WordPress web server you selected for your site. If you choose managed hosting, you will only need to take care of the regular updates released by the web host provider and install them in time. If you use shared web hosting, be ready for your website to be more exposed to risk. On a shared web host you share space with other web resources that may potentially be hacked. If any of the sites sharing the host is hacked, you may find the IP address of your own website blacklisted by spam lists. If you discover that you face any sort of email deliverability issue, it's better to look into what's going on with the help of blacklist lookup tools (like MxToolBox or Domain Health Check).
Do you run several blogs on the same server? Play wise and keep them in different databases, each of which is managed by a different database user. This is best achieved during the initial WordPress installation. That way, if a scammer hacks one of your blogs, it will be almost impossible for them to alter the rest of your online projects.
Simple Tricks to Secure Your WordPress Website
You may think that there is nothing special on your blog and hackers would rather save their time and effort for a different place on the web. However, that's not true! The majority of site breaches occur not because someone wants to steal your data. It is your server that is of the greatest value to scammers. Web servers used as email relays for spam are not a rare thing on the modern-day web. Of course, there are also scammers and competitors looking for a way to harm your business. Either way, you need to protect your site from scammers and hackers. The following list of tricks will help you keep your site on the safe side.
Does your site use the HTTPS protocol? If you are still on HTTP, you face the risk of losing a bunch of clients, as well as higher risks of hacking attacks. If you care about the online security of your clients and want to ensure that everything they share with you is 100% confidential and protected, then HTTPS is the sure-fire way to guarantee their online privacy. Moreover, HTTPS sites rank higher in search engines, so they get more SEO benefits too. Popular web browsers put a warning on websites that do not use HTTPS. Don't you want to avoid this happening to your site? Switch to HTTPS and consider the following WordPress security tricks.
1. Secure the Login Page
Everyone knows how to reach the traditional login page of any WordPress site. To prevent brute-force attacks, consider replacing /wp-login.php or /wp-admin with a custom URL that only the members of your team will know.
Instead, you can use something like /my_new_login or /my_new_registration.
Additionally, install WordPress security plugins that include a lockdown feature for failed login attempts. Several of the most popular and reliable solutions are listed below in this guide. As the site administrator, you can specify the number of failed login attempts after which an address is locked out, or the IP range that shouldn't be permitted to reach the login page of your site.
2. Use 2-factor Authentication
This is another good security measure. It is made up of two components that a user needs to manage in order to access your site's backend. A site administrator can decide on these two options on their own. For example, this can be the traditional login and password request, accompanied by a secret question.
P.S. there is a free 2-factor authentication WP plugin provided in a list below.
3. Keep the Software Updated
It seems quite obvious. Still, make sure that you use the latest version of the software on your site. This applies both to the WordPress version that you use and to the themes or extensions that you installed on top of it. WordPress releases bug fixes and system updates rather often. Their purpose is to protect your site from hackers who exploit bugs that have already been fixed. If you do not update your software, themes, extensions or anything else, you automatically make your site more vulnerable and increase the risk of being hacked.
4. Secure Your Password
A weak password that duplicates your username or resembles your email address multiplies the risk of a hacker attack succeeding. To prevent this, use more complex passwords that contain both lowercase and uppercase letters, numbers, and special characters. Don't make it short. Opt for passwords that contain more than 10 characters.
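As an added example (not code from the original post), the Python function below applies the password rules just given: more than 10 characters, lowercase and uppercase letters, digits and special characters, and nothing that embeds the username or the local part of the email address. The function names and the sample credentials are my own constructed values.

```python
import string


def password_issues(password, username="", email=""):
    """List every way a candidate password falls short of the policy above."""
    issues = []
    if len(password) <= 10:
        issues.append("shorter than 11 characters")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in string.punctuation for c in password):
        issues.append("no special character")
    # A password that embeds the username or the local part of the e-mail
    # address is as guessable as those public values, whatever its length.
    lowered = password.lower()
    for label, value in (("username", username), ("e-mail", email.split("@")[0])):
        if len(value) >= 3 and value.lower() in lowered:
            issues.append(f"contains the {label}")
    return issues


def is_acceptable(password, username="", email=""):
    """True when the password passes every rule."""
    return not password_issues(password, username, email)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration
    for pw, user, mail in (("admin", "admin", "admin@example.com"),
                           ("Janedoe2024!!", "jane", "janedoe@example.com"),
                           ("Tr0ub4dor&3xtra!", "editor", "editor@example.com")):
        print(repr(pw), "->", password_issues(pw, user, mail) or "acceptable")
```

The check is deliberately strict about the username and email: those values are public (they appear in author archives and comment forms), so a password built from them adds nothing to an attacker's work even when it satisfies the length and character-class rules.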
5. Encrypt Data with SSL
Secure Sockets Layer is one of the most proven ways to protect the admin panel of your site. Thanks to SSL, you can be confident in secure data transfers between a user's web browser and the web server, making it impossible for hackers to access your info.
You shouldn't have any difficulties when you decide to get an SSL certificate for your site. As a rule, most reliable hosting providers include it in the list of features that a site administrator receives after subscribing.
Additionally, websites protected by an SSL certificate rank higher in search engines than websites that do not have one. Google gives preference to more secure online projects, thus growing the chances that your website will get a steady traffic flow.
6. WP-admin Directory Protection
This is the heart of your site and another vulnerable place that hackers are eager to access. To protect it from being breached, it's strongly recommended to protect your wp-admin directory with a password. In this way, a website administrator will be asked to submit two passwords when they need to access your site's backend. One of them is the password for the login page, whereas the second one guards the admin panel of your site.
7. Set User Roles Wisely
If you run a multi-author blog, then you will need to specify what kind of content different users will be able to access and manage once they enter the admin panel of your site. You can use free WordPress plugins for this purpose. Several of the most useful suggestions are listed below. These will help you to specify user roles on your site and restrict access to the vulnerable data.
As the administrator of your site, you also need to rename the default admin username to something that is not easy for hackers to guess when they try to access the admin panel of your site.
8. Back up Your Site Regularly
You may run the most secure website with two-step authentication and tons of security plugins for a range of purposes. However, you never know what kind of risk your web resource may face tomorrow or what issues the web host may undergo. Whatever happens, you need to be certain that all data and site settings are protected. This is when regular site backups come into play. Even if your site crashes or gets attacked by scammers, you can always restore it from a backup.
9. Do not Leak Secret Info in the Error Messages
Using error messages on your site is good in terms of usability and user-friendliness. However, when you reveal an error message on your site, make sure that you do not reveal secret data like API keys, database passwords or the like. Do not reveal the full exception details either. Keep the error details secret and display only those pieces of information that your site visitors should be aware of. This will help keep your WordPress site more resistant to SQL injections.
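The Python snippet below is an added illustration, not code from the original post, of the difference between echoing an exception to the visitor and logging it server-side under a reference ID. The connection error, host name and password it uses are constructed for the example; `verbose_error_response`, `safe_error_response` and `response_leaks` are names of my own.

```python
import logging
import uuid

logger = logging.getLogger("site.errors")


def verbose_error_response(exc):
    """The risky pattern: echo the raw exception to the visitor.
    A database connection error often carries the DSN, password included."""
    return {"status": 500, "message": f"{type(exc).__name__}: {exc}"}


def safe_error_response(exc):
    """The safer pattern: full details go to the server log under a short
    reference ID; the visitor sees only a generic message plus that ID,
    which support staff can match against the log entry."""
    ref = uuid.uuid4().hex[:12]
    logger.error("ref=%s type=%s detail=%s", ref, type(exc).__name__, exc, exc_info=exc)
    return {"status": 500, "message": f"Something went wrong. Reference ID: {ref}", "ref": ref}


def response_leaks(response, secrets):
    """Return every secret string that appears in the visitor-facing message."""
    return [s for s in secrets if s in response["message"]]


# Constructed example: a connection failure whose message embeds credentials.
# The host name and password are made up for this illustration.
SAMPLE_EXC = ConnectionError("could not connect to mysql://wp_user:Pa55-example@db.internal:3306/wp")
SAMPLE_SECRETS = ["Pa55-example", "db.internal"]

if __name__ == "__main__":
    print("verbose leaks:", response_leaks(verbose_error_response(SAMPLE_EXC), SAMPLE_SECRETS))
    print("safe leaks:   ", response_leaks(safe_error_response(SAMPLE_EXC), SAMPLE_SECRETS))
```

The reference ID is the piece people tend to forget: without it, a sanitised message leaves support staff unable to find the matching log entry, which is what pushes developers back toward printing everything.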
10. Keep Your Current WordPress Version Number in Secret
Do not help hackers attack you! If they know the exact version of the software that powers your site, they will be able to tailor the perfect attack for your web project. To prevent this from happening, hide your WordPress version using the free WordPress security plugins that we review below. If your site has been hacked, use Sucuri. The link to it is also in the list below!
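As an added check (not from the original post), here is a small Python scanner that looks for the usual places a WordPress page discloses its version: the generator meta tag, the feed's generator element, and ?ver= query strings on core assets. Feed it the HTML of your own front page or feed after enabling the plugin's version-hiding option to confirm it actually worked. The sample page and the pattern labels are constructed for the example.

```python
import re

# Three places where a WordPress site commonly discloses its version.
# ?ver= values on assets can also be plugin or theme versions, so those
# hits are labelled "possible" for a human to confirm.
VERSION_PATTERNS = (
    ("generator meta tag", re.compile(
        r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]+)', re.I)),
    ("feed generator element", re.compile(
        r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I)),
    ("possible: ?ver= query string on a core asset", re.compile(
        r'/wp-(?:includes|admin)/[^"\'\s]+\?ver=([\d.]+)', re.I)),
)


def find_version_leaks(markup):
    """Return (description, version) pairs for every disclosure found in the markup."""
    found = []
    for label, pattern in VERSION_PATTERNS:
        for match in pattern.finditer(markup):
            found.append((label, match.group(1)))
    return found


# Constructed sample page: a front page that leaks the version twice.
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.8.1" />
<script src="/wp-content/plugins/some-plugin/js/app.js?ver=2.3.0"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, version in find_version_leaks(SAMPLE_PAGE):
        print(f"{label}: {version}")
```

The plugin asset under /wp-content/ in the sample is intentionally not reported: its ?ver= value is the plugin's own version, not the core version the text is concerned with.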
Free WordPress Security Plugins
Here comes the time for WordPress security plugins reviews. There are thousands of security plugins available at wordpress.org. We have handpicked 15 of the most popular solutions that are trusted by millions of WordPress users and can safeguard different aspects of your online presence. Let's get started.
Jetpack is an all-in-one WordPress plugin. With its help, you can create a unique design for your site, promote it, and protect it like a pro. All of the core features are included in the free version of the software: 100+ free themes, lazy loading of images, brute force attack protection, stats & related content, automated social media posting, and email support. If you need more features, you can go premium.
Jetpack is more than just a good WordPress security plugin. There are a number of great malware protection tools inside its pack. However, it also includes free WordPress themes that can be customized code-free, and a series of online marketing tools for post scheduling.
- hundreds of themes for all kinds of websites;
- unlimited and high-speed content delivery network;
- lazy image loading;
- integration with all the major WordPress apps;
- tools to measure, promote, and monetize your site;
- spam filtering;
- real-time backups;
- malware and code scanning;
- secure logins with two-factor authentication, and more.
Price: free; premium plans start at $39 yearly
Wordfence is one of the most popular WordPress security plugins with more than 2 million active installs. This is an open-source solution that includes a plethora of reliable features to scan and protect your WordPress site from any sort of malware attack. No malicious IP address will be left unspotted thanks to the WordPress firewall and security scanner.
- Live Traffic monitors visits and hack attempts that are not shown in other analytics platforms in real time.
- Comment spam filter is available in both free and premium versions of the plugin.
- Scans file contents, posts, and comments to check the content safety of your site.
- Checks your site and alerts to any issues.
- Repairs files and overwrites them with the original version.
- Checks if your site or IP address has been blacklisted for any sort of malicious activity.
Price: free; premium plans start at $29.86 yearly
As the name implies, using this plugin you can limit the number of login attempts to your site through both the normal login and auth cookies. By default, WordPress allows an unlimited number of user login attempts to a website. This makes it quite easy to crack existing user passwords. The plugin will make it way more difficult for scammers to hack your site by limiting the number of wrong login attempts to the dashboard of your WordPress project.
- Limits the number of retry attempts when logging in (for each IP);
- Limit the number of attempts to log in using auth cookies in the same way;
- Informs user about remaining retries or lockout time on login page;
- Optional logging, optional email notification;
- Handles server behind a reverse proxy.
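The lockout logic described in trick 1 and in this plugin's feature list (failed attempts per IP, retries remaining, lockout time, reverse proxy handling) is illustrated by the Python class below. It is an added example of my own, not the plugin's code; the `LoginLimiter` name, the default thresholds and the trusted proxy ranges are assumptions for the illustration.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLimiter:
    """Lock out a client after too many failed logins in a sliding window.

    Timestamps (seconds) are passed in by the caller, which keeps the logic
    deterministic; in production you would pass time.time().
    """

    def __init__(self, max_attempts=5, window_seconds=600,
                 lockout_seconds=1200, trusted_proxies=()):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.failures = defaultdict(deque)   # ip -> recent failure timestamps
        self.locked_until = {}               # ip -> time when the lockout ends

    def client_ip(self, remote_addr, x_forwarded_for=None):
        """Work out the real client address when the site sits behind a proxy.

        X-Forwarded-For is only honoured when the direct peer is a trusted
        proxy, and the chain is walked from the nearest hop outward so that a
        header value supplied by the client itself cannot dodge the lockout.
        """
        chain = [remote_addr]
        if x_forwarded_for:
            chain = [h.strip() for h in x_forwarded_for.split(",")] + [remote_addr]
        for hop in reversed(chain):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return remote_addr       # malformed header: fall back to the direct peer
            if not any(addr in net for net in self.trusted):
                return hop
        return chain[0]                  # every hop was a trusted proxy

    def is_locked(self, ip, now):
        """True while a lockout for this address is in force."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed attempt; return remaining attempts (0 once locked out)."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            return 0
        return self.max_attempts - len(recent)

    def record_success(self, ip):
        """A successful login clears the failure history for the address."""
        self.failures.pop(ip, None)


if __name__ == "__main__":
    # Constructed walk-through: three failures from one address, then a lockout.
    limiter = LoginLimiter(max_attempts=3, window_seconds=60, lockout_seconds=300,
                           trusted_proxies=["10.0.0.0/8"])
    ip = limiter.client_ip("10.0.0.1", "9.9.9.9, 203.0.113.5")
    for t in (100, 110, 120):
        print(ip, "remaining:", limiter.record_failure(ip, t))
    print("locked at t=200:", limiter.is_locked(ip, 200))
```

The proxy handling is the part that most home-grown limiters get wrong: trusting X-Forwarded-For unconditionally lets any client choose which address gets locked out.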
By installing this plugin on your site, you will get 30+ ways to protect your WordPress site from any sort of online vulnerability. Once it is installed and activated, your site is automatically scanned for possible attacks and vulnerabilities. This lets you feel safe that all content is 100% protected. The plugin includes both free and pro features. You can go premium if you need extra tools like 2-factor authentication, malware scan scheduling, password expiration, import/export settings, etc. iThemes Security supports multi-site mode. It also bans users who have tried to break into other sites. Automatic reporting of IP addresses that failed to log in to your site and a whole lot of other security features are integrated.
- Prevents brute force attacks by banning hosts and users with too many invalid login attempts;
- Scans your site to instantly report where vulnerabilities exist and fixes them in seconds;
- Bans troublesome user agents, bots, and other hosts;
- Strengthens server security;
- Enforces strong passwords for all accounts of a configurable minimum role;
- Forces SSL for admin pages, page or post (on supporting servers);
- Turns off file editing from within WordPress admin area;
- Detects and blocks numerous attacks on your filesystem and database, etc.
Price: free; premium plans start at $80 per year
Use this plugin to add extra security and a firewall to your WordPress site. This is an ultimate tool that will keep you informed and updated about the current security level of your site. It takes control of all aspects of your online project, from failed login attempts to database issues. Whenever anything goes wrong, the site administrator receives an automatic notification.
- user account security;
- user login security;
- user registration security;
- database security;
- file system security;
- HTACCESS and WP-CONFIG.PHP file backup & restore;
- blacklist functionality.
The plugin is free to all WordPress users, though it includes some premium features. This globally recognized WordPress security plugin provides a set of pro-level security features that complement your site's existing security posture.
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (premium)
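File Integrity Monitoring, listed above, boils down to hashing every file at a known-good moment and diffing later. The Python below is an added example of my own (not the plugin's code) that builds such a manifest over a constructed miniature site tree, tampers with it and reports modified, added and removed files; the file names mimic a WordPress layout but the contents are placeholders.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Report what changed since the baseline: modified, added and removed files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a tiny constructed site tree, baseline it, tamper with it, and diff.
    The layout mimics WordPress; every file body is a placeholder."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
        (site / "readme.html").write_text("<html>placeholder</html>\n")
        # In practice the baseline is stored where the web server user cannot write it
        baseline = build_manifest(site)

        # Simulate the three kinds of change a scanner should flag
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y'; /* unexpected edit */\n")
        (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php // file that should not be here\n")
        (site / "readme.html").unlink()

        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A PHP file appearing under wp-content/uploads is the classic finding such a scan produces, since that directory is supposed to hold media only; the baseline itself must live outside the document root, or an intruder who can write files can also rewrite the hashes.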
Price: free, with premium features
The Worker is a multi-site solution that allows you to manage dozens of online projects from a single place. The plugin is intended to help you automate your workflow, so you can stay focused on the tasks that matter most. This is a fast, secure and free solution that lets you handle an unlimited number of websites from a single place.
- bulk actions;
- working cloud backup;
- safe updates;
- client support;
- Google Analytics integration;
- performance and security checks;
- uptime monitor;
- cloning and migrating, etc.
Price: free, with premium features
Manage Explainer Video from ManageWP on Vimeo: https://vimeo.com/220647227
Bulletproof Security is open source software responsible for the smart protection of your WordPress site from any sort of vulnerability. It is free yet offers premium functions. It is quick and easy to install with the 1-click Setup Wizard. With this plugin, you get secure login monitoring, advanced frontend and backend maintenance modes, a UI skin changer, etc. By the way, there are 3 skins that you can choose from.
- Setup Wizard AutoFix;
- MScan Malware Scanner;
- .htaccess Website Security Protection (Firewalls);
- Hidden Plugin Folders|Files Cron (HPF);
- Login Security & Monitoring;
- JTC-Lite (Limited version of BPS Pro JTC Anti-Spam|Anti-Hacker)
- Idle Session Logout (ISL)
- Auth Cookie Expiration (ACE)
- DB Backup, etc.
Price: free, with premium features
The purpose of this plugin is to protect your WordPress site from the brute force attacks. It limits the number of the failed login attempts. The user and intruder activities are tracked by means of the email/mobile/desktop notifications that are delivered immediately when a suspicious activity is noticed.
- Limit login attempts when logging in by IP address or entire subnet.
- Monitors logins made by login forms, XML-RPC requests or auth cookies.
- Logs users, bots, hackers and other suspicious activities.
- Cool notifications with powerful event filters.
- Immediately block an IP or a subnet when attempting to log in with non-existent or prohibited username.
- Restrict user registration or login with a username matching REGEX patterns.
- Disable WP REST API or restrict access to your own security rules.
The plugin provides you with complete control over all actions that take place on your site. It supports the WordPress multisite feature, which lets you keep an audit log of everything happening on your WordPress projects. The tool stores detailed information about the IP address from which a user accessed your site, the user's roles, the actions they performed, etc. Real-time user activity monitoring is included to reveal what's happening on your site at this particular moment.
- Post, Page, and Custom Post Type changes;
- Tags and Categories changes;
- Widgets and Menus changes;
- User profile changes;
- User activity sessions;
- WordPress core and settings changes;
- WordPress multisite network changes;
- Plugins and Themes changes;
- WordPress database changes, etc.
Price: free, premium plans start at $89 for a single site license
The backup and security plugin by BlogVault provides 100% confidence that your WordPress resource is fully protected from any sort of online malware. Thanks to regular backups stored in the cloud, you will be able to access all valuable pieces of data whenever needed. The plugin also provides WooCommerce backups, which is especially useful for data-rich web projects.
- Automatic Daily and Real-Time Backups
- 365-day Backup history
- Backup to Cloud & Dropbox
- Automatic Daily and Real-Time Scans
- One-click Malware Removal
- Perform theme and plugin updates
- One-click Migrations
Price: free, premium plans start at $89 per year
Using the plugin, you can change user roles on your site (except Administrator). You can add new roles and customize their capabilities with just a few clicks. If there are roles that aren't assigned to any of the users, then you can simply go ahead and remove them. Multiple roles can be assigned to the same user simultaneously. Multi-site support is provided also.
- Block selected admin menu items for a role.
- Hide selected front-end menu items for no logged-in visitors, logged-in users, roles.
- Block selected widgets under “Appearance” menu for a role.
- Show widgets at front-end for selected roles.
- Block selected meta boxes (dashboard, posts, pages, custom post types) for a role.
- “Export/Import” module, etc.
Price: free, premium plans start at $29 per year
The plugin records the IP addresses and timestamps of all failed login attempts to your site. If the tool records a certain number of failed login attempts within a short period of time from the same IP range, it automatically disables all requests from that range. The IP block can be handled via the administration panel. Specific IP addresses can also be released manually.
- site login attempts tracking;
- failed login attempts record;
- IP range block;
- manual IP address release.
The plugin is intended to protect your site from malicious URL requests. The tool checks all incoming traffic to block bad requests, thus keeping your WordPress site safe and secure.
- Strong firewall security;
- Plug-n-play functionality;
- No configuration required;
- Works with SSL/HTTPS;
- Works on any WP-capable server;
- .htaccess NOT required.
More features are included in the premium plan.
Price: free & pro versions available
Using this plugin, you will add the two-step authentication to your WordPress site using the Google Authenticator app for Android/iPhone/BlackBerry. The two-factor authentication can be enabled on the per-user basis (for the site administrator, for example).
- per-user two-factor authentication;
- Android, iPhone, and BlackBerry compatible.
WordPress Security Checklist
With all that being said, let's wrap up. WordPress is rather secure at its core. However, you should always be ready for any sort of security issue that your site may face. To sleep well at night and be 100% confident that your site is doing OK, take a look at the following checklist. Note it down or simply bookmark this page so you never miss a thing.
- Limit access to the valuable and vulnerable pieces of data. Restrict the administrative access to the backend of your site, while also reducing the number of the possible entry points to the minimum.
- Install only those apps and extensions that you will really use on your site. Remove all unnecessary installations.
- Back up your site regularly. So that you don't miss a thing, use trusted WordPress security plugins that back up your site's content regularly. By doing so, you will be able to restore all elements, settings, and content of your site if it's damaged or hacked.
- Use the latest version of WordPress and update all of its elements regularly. Stay current with the news in the WordPress community.
- Download themes and plugins from the trusted sources. Do not get your WordPress installation from anywhere except for wordpress.org.
- Monitor your site and user behavior on it.
- Safeguard the login and admin panels of your site while blocking any sort of suspicious activities.
- Choose the web host wisely. Shared web hosting may be the cheapest yet hardly the safest solution for your site.
Do you agree with the tips and suggestions that we highlighted in this post? Do you have anything to add? Please share your thoughts and ideas on how to avoid WordPress security risks via comments.