WordPress Security Guide

WordPress is a fantastic platform to build a website on and an exemplary content management system, but it can be vulnerable to malicious attacks from hackers. So chances are if you administer a WordPress site, you’ve seen the dreaded “malware detected” message pop up in Google Webmaster Tools at some point. Or even worse, you went to your site unaware of the hack and downloaded some nasty malware onto your computer.

How Do I Prevent My WordPress Site from Being Hacked?


First, you’ll need to accept that there is no perfect security solution for a WordPress site (or for any type of site, really). There are just too many moving parts in themes and plugins for there not to be some type of security hole on the site just waiting to be exploited. Because of this, you’ll want to take full backups of your site at least once a week, or more often depending on how frequently it changes. These backups should include all of your files and the site’s database, and should be held in a secure location outside of your site’s files. This way, if your site does get hacked, restoring it to its original glory should be relatively easy. Your hosting company should also be taking regular backups of your site as part of your standard hosting services, so be sure to ask them if you aren’t backing up your site yourself.
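The backup routine described above, written out as a small POSIX shell script. This is an added example, not code from the original post: it reads the database credentials from wp-config.php, refuses a backup directory that sits under the web root, and assumes tar and mysqldump are installed and that DB_HOST is a plain hostname.

```shell
#!/bin/sh
# Added example, not from the original post: back up a WordPress site's files
# and database to a directory outside the web root. Assumes tar and mysqldump
# are installed and that DB_HOST in wp-config.php is a plain hostname.

# Print the value of one define('KEY', 'value') line from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, ...)
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Write files-<stamp>.tar.gz and db-<stamp>.sql.gz into the backup directory.
# $1 = WordPress root directory, $2 = backup directory (outside the web root)
backup_wordpress() {
    wp_root=$1
    backup_dir=$2
    case "$backup_dir" in
        "$wp_root"|"$wp_root"/*)
            echo "backup directory must be outside the web root" >&2
            return 1 ;;
    esac
    cfg="$wp_root/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"
    chmod 700 "$backup_dir"          # dumps hold credentials and user data
    # Files, including wp-config.php, uploads and every theme and plugin.
    tar -czf "$backup_dir/files-$stamp.tar.gz" -C "$wp_root" .
    # Database; MYSQL_PWD keeps the password out of the process list.
    MYSQL_PWD=$db_pass mysqldump --single-transaction \
        -h "$db_host" -u "$db_user" "$db_name" \
        | gzip > "$backup_dir/db-$stamp.sql.gz"
    chmod 600 "$backup_dir/files-$stamp.tar.gz" "$backup_dir/db-$stamp.sql.gz"
    echo "$backup_dir/files-$stamp.tar.gz $backup_dir/db-$stamp.sql.gz"
}

# Usage: sh wp-backup.sh /var/www/example /var/backups/example
if [ $# -eq 2 ]; then
    backup_wordpress "$1" "$2"
fi
```

Schedule it from cron on the server and copy the resulting archives off the machine so that a compromise of the web root cannot take the backups with it.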

The second way to keep your site free from hackers is to take the time to perform the standard upkeep that comes with a WordPress site. This means making sure your WordPress themes are updated with the latest versions from their developers, making sure plugins are updated (depending on the plugin, updates can be released often), and that your overall WordPress install is kept up to date as well. Updates are crucial, but you should also make sure all plugins and themes that aren’t being used on the site have been completely removed. If they aren’t contributing to the site, there’s no reason to keep that potential security hole around.

The third tip for securing your WordPress site is perhaps the most obvious of them all: you really need to use strong passwords. Your password should not be easy for you to remember; in fact, it should be next to impossible for you to remember. We’d recommend using a password around 18 characters long, with a mixture of letters, cases, numbers and symbols, combined so that there are no complete English words in the password. This needs to be done for every password associated with your WordPress install, so anything at the server or database level needs a strong password, any secondary users need a strong password, as do any plugins that may require accounts. Use a service like LastPass and keep a record of your passwords in a very safe place.

The fourth thing you really need to do to keep your WordPress site secure is to lock your server down. This is especially true if you’re on a dedicated hosting server, where hosting companies tend to leave you alone to fend for yourself. Make sure you lock down your cPanel and hosting root accounts so that only specific IP addresses can connect to them; some hosts will also let you set security questions to make absolutely certain only the correct people are accessing the account. Each host’s security features will be different, but it’s imperative to utilize everything they offer to keep the site as secure as possible. Along these same lines, you can also use a service like Cloudflare to secure your site. Cloudflare acts as a buffer between your site and any traffic to it, blocking out visitors its network knows are malicious. It also caches your site so that it loads more quickly!


If you have the technical expertise, our fifth set of security recommendations can really help give you the peace of mind of having a secure site. Many of these strategies can also be implemented via a WordPress plugin, speaking of which…

Our final WordPress security tip is to leverage the very useful security plugins that the WordPress developer community has made. Most of these plugins are completely free to use and are a quick and easy way to secure your site.

From experience, here are the best WordPress security plugins:

  • Better WP Security – a daunting, feature-packed security plugin that does pretty much anything you can imagine and maybe more. The big drawback of this plugin is that you need at least a moderate amount of working knowledge of how a website works. Things can get technical when installing the plugin and some compatibility issues may pop up when using it, so be sure to have a backup of your site very handy. The potential trouble is definitely worth the work, though, as the plugin is quite advanced in how it secures your site.
  • Bulletproof Security – as long as you’re on an Apache Linux server, this is a fast .htaccess-based security plugin that can protect you from various attacks. Pretty much every type of hack can be thwarted using this plugin. Bulletproof does lack the login security features seen in the other suites in this list, though.
  • 6Scan Security – billed as the “automatic” security scanner for WordPress, 6Scan finds and automatically repairs vulnerabilities in your site. The plugin is probably the most comprehensive of those on this list, but most of the advanced features come as part of a paid subscription. The plugin also takes automatic backups of your site.
  • Wordfence Security – the easiest security plugin to use, but maybe not the most robust. If you’re having trouble with the three security plugins above, use this one. You can block people trying to break into your login page, perform scans for both malicious code and, more importantly, the vulnerabilities within your site, and set up a firewall of sorts. Very little technical knowledge is necessary for this one; you just need to install it and configure a couple of things, but do be sure to monitor how it interacts with any caching plugins you may be using. There is also a paid version that allows for slightly more robust monitoring.
  • Login Lock – you’d be amazed at just how many people try to break into your site with automated login bots that try to guess your password. Use this plugin to block them from your site after a set number of login failures. Most comprehensive security plugins have started including this feature in their suites, but be sure to install this one if they don’t! Also, be sure to test your site after installing this one, as it has been causing some redirect issues with up-to-date versions of WordPress.
  • BackUpWordPress – as we’ve mentioned, it’s important to make a backup copy of your WordPress site available to you in case you’ve been hacked, and no plugin does backups better than this one. Select the frequency and location for your backups and then let it go ahead and do its thing.
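To see what the Login Lock item above is reacting to, here is an added example (not from the post or any of the plugins listed) that counts failed login POSTs per client IP in an Apache combined access log. It assumes default WordPress behaviour: a failed wp-login.php POST re-renders the form with status 200, while a successful one answers with a 302 redirect. The log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the post or any plugin: find client IPs that keep
# failing to log in, from an Apache combined access log. Assumes the default
# WordPress behaviour that a failed wp-login.php POST re-renders the form with
# status 200 while a successful one answers with a 302 redirect.

# Constructed sample log lines (not real traffic): 203.0.113.7 fails four
# times, 198.51.100.20 fails once and then succeeds.
SAMPLE_LOG='203.0.113.7 - - [17/Sep/2012:11:20:01 -0500] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "bot/1.0"
203.0.113.7 - - [17/Sep/2012:11:20:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "bot/1.0"
203.0.113.7 - - [17/Sep/2012:11:20:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "bot/1.0"
203.0.113.7 - - [17/Sep/2012:11:20:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "bot/1.0"
203.0.113.7 - - [17/Sep/2012:11:20:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "bot/1.0"
198.51.100.20 - - [17/Sep/2012:11:25:10 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [17/Sep/2012:11:25:40 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin; print "ip count" for every client
# with at least $1 failed login POSTs, one per line, sorted by IP.
# Fields: $1 client IP, $6 "METHOD, $7 request path, $9 status code.
login_failure_report() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# Against a real log, e.g.:  login_failure_report 5 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | login_failure_report 3
```

A lockout plugin keeps the same kind of per-IP counter in the database and blocks the client once it crosses the threshold; running this over the server log is a way to check, from outside WordPress, whether those blocks are actually landing.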


While it’s impossible to completely ensure your site stays hacker free, following the above will GREATLY reduce the chance of it ever happening!

2014-11-21T20:12:19-06:00 | Web Presence Management | 3 Comments

  1. Anders Vinther August 16, 2012 at 10:07 am - Reply

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have written up my experiences in a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.

    My checklist has a few more items on it and includes step by step instructions on how to get the job done…

    Hopefully the checklist can help other people securing their WordPress sites…

  2. Kyle Claypool August 16, 2012 at 2:13 pm - Reply

    Thanks, Anders! Looks like a solid resource!

  3. rapped September 17, 2012 at 11:23 am - Reply

    One thing you might mention is taking advantage of two-factor authentication where you will have to “Confirm your phone”. You would receive a text message with a specific OTP code to be entered into the system. If you don’t want to do this every single time, you can designate your smartphone, PC, or tablet as a trusted device and Facebook will allow you to telesign in without the text code. Should an attempt to log in from an unrecognized device happen, it would not be allowed.
