Worried about the security of your WordPress site?
You probably should be 👮.
According to WP White Security, “more than 70% of WordPress installations are vulnerable to hacker attacks.”
Luckily, there is a lot you can do to harden your WordPress site against common hacks and security vulnerabilities.
In this post, we’ll first take a look at some of the top WordPress security plugins you can run on your site to help protect yourself. I’ll then go through a few basic tips for keeping your site secure.
Top WordPress Security Plugins
The most downloaded WordPress security plugin, WordFence has been downloaded more than 1 million times. It includes IP blocking, malware scanning, login security, a firewall, monitoring and caching. It has become my go-to security plugin: it is so feature-packed that I don't need to install several other plugins alongside it.
A comprehensive, user-friendly, all-in-one WordPress security and firewall plugin. For security alone it is a great plugin, comparable to WordFence; it doesn't include caching as WordFence does, but it does add comment-spam protection.
A simple plugin, Login Lockdown limits the number of login attempts from a given IP range within a certain time period.
Modern two-factor that people love to use: strong authentication without passwords or tokens; single sign on/off; magical user experience.
Akismet checks your comments against the Akismet Web service to see if they look like spam or not.
The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture, and it offers the following features, each designed to improve that posture:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (add on)
BulletProof Security Feature Highlights include:
- One-Click Setup Wizard
- jQuery UI Dialog Form Uninstall Options: BPS Pro upgrade uninstallation or complete BPS plugin uninstallation
- .htaccess Website Security Protection (Firewalls)
- Login Security & Monitoring
- Idle Session Logout (ISL)
- Auth Cookie Expiration (ACE)
- DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
- DB Backup Logging
- DB Table Prefix Changer
- Security Logging
- HTTP Error Logging
- FrontEnd|BackEnd Maintenance Mode
- UI Theme Skin Changer (3 Theme Skins)
Protect your WordPress site by hiding vital areas of your site, protecting access to important files, preventing brute-force login attempts, detecting threats, obscuring threats, recovering from issues, and more. A lot of the features require an upgrade to the pro version, which is part of why this is so far down my list.
A brute-force attack is the simplest way to get into a site: it tries usernames and passwords, over and over, until one works. Brute Force Login Protection is a lightweight plugin that defends against this using .htaccess rules.
After a set number of failed login attempts within a set time, the attacker's IP address is blocked.
- Limit the number of allowed login attempts using normal login form
- Limit the number of allowed login attempts using Auth Cookies
- Manually block/unblock IP addresses
- Manually whitelist trusted IP addresses
- Delay execution after a failed login attempt (to slow down brute force attack)
- Option to inform user about remaining attempts on login page
- Option to email administrator when an IP has been blocked
- Custom message to show to blocked users
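The mechanism behind Login Lockdown and Brute Force Login Protection is small enough to show in full. The following must-use plugin is an added example written for this post; it is not the code of either plugin or of any other plugin listed here. The thresholds, the lockout length and the whitelisted address (a TEST-NET-3 address) are assumptions chosen for illustration. It counts failed logins per source IP in WordPress transients, adds a one-second delay after each failure, locks the IP out once the limit is hit, e-mails the administrator, and tells the user how many attempts remain.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (mu-plugin)
 * Added example for this post; not the code of any plugin it lists.
 * Save as wp-content/mu-plugins/login-limiter.php; WordPress loads it automatically.
 */

// Assumptions: all three numbers and the trusted address are illustrative.
const EXLL_MAX_ATTEMPTS = 5;              // failed logins allowed per window
const EXLL_WINDOW       = 15 * 60;        // seconds in which failures are counted
const EXLL_LOCKOUT      = 60 * 60;        // seconds an IP stays blocked
const EXLL_WHITELIST    = ['203.0.113.10']; // assumed trusted admin IP

function exll_client_ip(): string {
    // Only REMOTE_ADDR is trusted. X-Forwarded-For is attacker-controlled unless a
    // proxy you run rewrites it; behind a proxy/CDN this returns the proxy's
    // address, so every visitor would share one counter. Adjust for your setup.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function exll_key(string $prefix, string $ip): string {
    return $prefix . md5($ip); // transient names must be short and safe
}

// Count each failed login per source IP and lock the IP out at the threshold.
add_action('wp_login_failed', function (string $username): void {
    $ip = exll_client_ip();
    if (in_array($ip, EXLL_WHITELIST, true)) {
        return;
    }
    $attempts = (int) get_transient(exll_key('exll_attempts_', $ip)) + 1;
    set_transient(exll_key('exll_attempts_', $ip), $attempts, EXLL_WINDOW);

    if ($attempts >= EXLL_MAX_ATTEMPTS) {
        set_transient(exll_key('exll_locked_', $ip), time(), EXLL_LOCKOUT);
        delete_transient(exll_key('exll_attempts_', $ip));
        wp_mail(
            get_option('admin_email'),
            '[' . get_bloginfo('name') . '] login lockout',
            "IP $ip locked out after $attempts failed logins (last username tried: $username)"
        );
    } else {
        sleep(1); // slow each guess down a little; the delay is per request
    }
});

// Refuse authentication while the IP is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20), whose WP_User result
// would otherwise override an earlier WP_Error.
add_filter('authenticate', function ($user, string $username, string $password) {
    $ip = exll_client_ip();
    if (in_array($ip, EXLL_WHITELIST, true)) {
        return $user;
    }
    $locked_at = get_transient(exll_key('exll_locked_', $ip));
    if ($locked_at !== false) {
        $remaining = EXLL_LOCKOUT - (time() - (int) $locked_at);
        return new WP_Error(
            'exll_locked',
            sprintf('Too many failed logins. Try again in %d minutes.', max(1, ceil($remaining / 60)))
        );
    }
    return $user;
}, 30, 3);

// Show the visitor how many attempts remain (the plugin's optional feature).
add_filter('login_message', function (string $message): string {
    $used = (int) get_transient(exll_key('exll_attempts_', exll_client_ip()));
    if ($used > 0) {
        $left = EXLL_MAX_ATTEMPTS - $used;
        $message .= '<p class="message">' . esc_html("$left login attempts remaining before lockout.") . '</p>';
    }
    return $message;
});
```

Because the block hooks `authenticate`, which every WordPress login path calls, it also covers password guesses sent through xmlrpc.php, which an .htaccess rule that only guards wp-login.php does not.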
Tips to keep your WordPress site secure
Make your password a good one
One big weakness of many WordPress sites is simply the password. Choose one that can't be guessed by a bot trying millions of candidates, and that isn't related to you in a way an attacker could work out.
You'd be amazed how many people use passwords like password, 123456, or a single dictionary word. Passwords built from a couple of common words aren't much better, because cracking tools try word combinations too. You're better off not using real words at all, and certainly not words or numbers related to you, such as birthdays, addresses or phone numbers.
Your password should really be a long line of random numbers, letters, and characters.
Longer is better.
If you’re having trouble, you could just use the Norton Password Generator.
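WordPress itself only warns about a weak password and lets the user confirm it anyway, so the advice above is worth enforcing on the server. The following must-use plugin is an added example written for this post, not code from WordPress or any plugin listed here; the minimum length and the short deny-list are assumptions (a real deployment would use a large breached-password list). It rejects short passwords, common passwords, passwords containing the username and passwords using fewer than three character classes, and it generates a compliant password with PHP's CSPRNG.

```php
<?php
/**
 * Plugin Name: Example Server-Side Password Policy (mu-plugin)
 * Added example for this post; not the code of any plugin it lists.
 * Save as wp-content/mu-plugins/password-policy.php.
 */

// Assumptions: the length and the deny-list are illustrative values.
const EXPP_MIN_LENGTH = 16;
const EXPP_DENYLIST   = ['password', '123456', 'qwerty', 'letmein', 'welcome', 'admin'];

/**
 * Return the reasons a password is unacceptable; an empty array means OK.
 * Uses only PHP builtins, so it can be tested without WordPress loaded.
 */
function expp_password_problems(string $password, string $username = ''): array {
    $problems = [];
    $lower    = strtolower($password);

    if (strlen($password) < EXPP_MIN_LENGTH) {
        $problems[] = sprintf('must be at least %d characters long', EXPP_MIN_LENGTH);
    }
    // Strip digits and punctuation so "Password1!" is caught as well as "password".
    $stripped = preg_replace('/[^a-z]/', '', $lower);
    if (in_array($lower, EXPP_DENYLIST, true) || in_array($stripped, EXPP_DENYLIST, true)) {
        $problems[] = 'is on the list of commonly used passwords';
    }
    // The account name must not appear in the password (or vice versa).
    $user = strtolower($username);
    if (strlen($user) >= 3 && (strpos($lower, $user) !== false || strpos($user, $lower) !== false)) {
        $problems[] = 'must not contain the username';
    }
    // Require three of the four classes the post says to mix.
    $classes = (int) preg_match('/[a-z]/', $password)
             + (int) preg_match('/[A-Z]/', $password)
             + (int) preg_match('/[0-9]/', $password)
             + (int) preg_match('/[^a-zA-Z0-9]/', $password);
    if ($classes < 3) {
        $problems[] = 'must mix at least three of: lowercase, uppercase, digits, symbols';
    }
    return $problems;
}

/** Generate a random password that satisfies the policy, using random_int(). */
function expp_generate_password(int $length = 24): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?';
    do {
        $out = '';
        for ($i = 0; $i < $length; $i++) {
            $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
    } while (expp_password_problems($out) !== []); // retry in the rare case a class is missing
    return $out;
}

// Add one error per problem; WordPress aborts the save when $errors is non-empty.
function expp_enforce(WP_Error $errors, string $password, string $username): void {
    foreach (expp_password_problems($password, $username) as $problem) {
        $errors->add('expp_weak_password', 'Password ' . $problem . '.');
    }
}

// Profile edit and "Add New User" in wp-admin: $user->user_pass holds the new password.
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user): void {
    if (!empty($user->user_pass)) {
        expp_enforce($errors, wp_unslash($user->user_pass), (string) ($user->user_login ?? ''));
    }
}, 10, 3);

// Password reset form (wp-login.php?action=rp): the new password is in $_POST['pass1'].
add_action('validate_password_reset', function (WP_Error $errors, $user): void {
    if (isset($_POST['pass1']) && $user instanceof WP_User) {
        expp_enforce($errors, (string) wp_unslash($_POST['pass1']), $user->user_login);
    }
}, 10, 2);
```

The policy function is kept separate from the hooks so it can be unit-tested in plain PHP; the hooks are the two places where WordPress accepts a new password from a form.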
Choose a good username
While having a good password is key, you should also take into account your username. If you have a public login page or one that isn’t hidden that well, you should not be using “admin” or “Admin” as your username. Doing so is essentially giving hackers one half of the puzzle to figuring out your login.
Instead, just pick something random. You're probably best off with something unrelated to yourself, and you could even follow the password points above when choosing a username.
The username doesn't have to be visible on the site, as you can set your WordPress profile to display a nickname. Be aware that the nickname only changes what is shown: the author archive URL (/author/<slug>/, which /?author=1 redirects to) is built from the login name by default, and the REST API's users endpoint (/wp-json/wp/v2/users) lists authors, so the username can still be found unless you block those.
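Closing those leaks is a few lines of code. The following must-use plugin is an added example written for this post, not code from WordPress or any plugin listed here. It stops the `?author=N` redirect that reveals the author slug, hides the REST users routes from anonymous callers (logged-in users keep them, since the block editor's author picker needs them), and replaces WordPress's default login errors, which say whether the username or the password was wrong, with one neutral message.

```php
<?php
/**
 * Plugin Name: Example Username Enumeration Blocker (mu-plugin)
 * Added example for this post; not the code of any plugin it lists.
 * Save as wp-content/mu-plugins/block-user-enumeration.php.
 */

// 1. /?author=N normally 301-redirects to /author/<user_nicename>/, which hands
//    out the login name for every user ID. Send those requests to the home page.
add_action('init', function (): void {
    if (is_admin() || !isset($_GET['author'])) {
        return;
    }
    wp_safe_redirect(home_url('/'), 301);
    exit;
});

// 2. /wp-json/wp/v2/users lists every user with published posts, without
//    authentication. Drop the users routes for anonymous requests only.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 3. WordPress distinguishes "unknown username" (invalid_username / invalid_email)
//    from "wrong password" (incorrect_password). Collapse both into one message
//    so a login form cannot be used to confirm which usernames exist. Priority 99
//    runs after WordPress's own checks; wp_login_failed still fires as before.
add_filter('authenticate', function ($user, string $username, string $password) {
    if (is_wp_error($user)
        && array_intersect($user->get_error_codes(), ['invalid_username', 'invalid_email', 'incorrect_password'])) {
        return new WP_Error('invalid_login', 'Invalid username or password.');
    }
    return $user;
}, 99, 3);
```

The `?author=` redirect and the REST listing are the two enumeration routes most scanners try first; the neutral login error removes the third, which otherwise confirms a guessed name even when the password is wrong.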
Possibly move your login page
Having a good username and password is key, but to make your site even more secure, you could hide your login page by giving it an address other than /wp-login.php or /wp-admin. There are several plugins that will do this. Note that this only hides the form: xmlrpc.php still accepts a username and password, so renaming the login page does nothing against guesses sent through XML-RPC unless you disable or restrict that endpoint too.
This point isn’t really viable for sites that let users register and login.
Be mindful of comments and user registration
You probably don't think of comments as a security issue, but they can be. Many sites with comments let users register, which is a risk in itself, and if the comments are stored and rendered by your own site rather than a third-party service, that is another attack surface.
Both user registration and comments attract spammers. A sudden flood of 2,000+ registrations and comments in a day, all from bots, can be enough to take down a site (depending on hosting and security).
To avoid that, you should certainly be using some sort of spam plugin. I use Akismet by Automattic, which typically comes installed with WordPress.
Run updates (but check them first)
A lot of the time, updates are security fixes: the developer has found a vulnerability in the theme or plugin and released a version that closes it. If you don't apply the update, your site stays open to attack.
This is pretty straightforward; however, I do suggest reading what an update changes before running it. Some updates change a theme or plugin so much that getting things back to how they were takes a lot of work or, in some cases, isn't possible, and some updates simply break things. Read the changelog, check whether others have reported problems, and take a backup before you update so you can roll back.
Delete unused themes and plugins
Unused themes and plugins are extra ways in for attackers, especially if they are no longer updated: even deactivated plugin files stay on disk and can be requested directly if they contain a flaw. It is best to just delete them. Deactivating is not deleting; you need to actually delete them. This also frees space on your hosting account, which could make your site run faster.
Only download plugins and themes from reputable sources
Many “free” download sites inject malicious code into the files they offer. You don't want that on your site, as it could wreck the whole thing. Stay away from those “free” sites unless they are very reputable, like the downloads on WordPress.org, or a major theme developer with a good reputation on Themeforest (ad) is giving something away for free.
I hope this post has been helpful in helping you to identify some of the top WordPress security plugins to keep your site secure, as well as giving you some tips about site security.
5 of the best WordPress security plugins by Torquemag.io
Statistics Show Why WordPress is a Popular Hacker Target by WP White Security
Top 10 Essential WordPress Security Plugins by WP Mayor