WordPress Security: 19 Tips To Protect Your Website In 2022

Why Do You Need to Secure WordPress?

Did you know that an average of over 30,000 new websites are hacked every single day?

According to Sucuri, 90% of the infected websites use the WordPress CMS.

On December 9th, 2021, 1.6 million WordPress sites were hit with 13.7 million attacks in 36 hours from 16,000 IPs.

Did that get your attention?

Before you disavow WordPress forever, there are a few things you need to consider. First, WordPress is the most popular CMS, powering 455 million websites. In other words, over 37% of ALL websites use WordPress. That makes WordPress a big target for hackers.

Second, WordPress is an easy target for hackers because of weak passwords, plugins, and other vulnerabilities. These vulnerabilities are because many website owners don’t know how to protect their websites. Most of them don’t even think about securing their WordPress websites.

If you are one among them, you are in danger. Not only do you risk a security breach. After it gets hacked, restoring your WordPress website can be a time-consuming and expensive process.

In addition, the consequences of getting hacked are far from pleasant. A breached website may experience significant data, assets, and credibility losses. Furthermore, if your website manages customer information, the incident can jeopardize their personal data and billing information.

It’s predicted that by 2025 the cost of cybercrime damages can reach up to $10.5 trillion per year. Surely you don’t want to be part of that statistic. So let’s help you do better and protect your online presence from the bad guys out there.

This post will go over WordPress security and share nineteen ways to protect your WordPress site from hackers, comment spammers, and malware. These tips are for people who have never had a website before and more experienced website owners and WordPress users. In addition, we’ve noted the skill level required to execute each tip.

But first, let’s take a closer look at common WordPress security vulnerabilities and how they affect your WordPress website.

What Are Common WordPress Security Vulnerabilities?

Based on WPScan Vulnerability Database, here are some of the most common types of WordPress security vulnerabilities:

• Cross-site request forgery (CSRF) – forces the user to execute unwanted actions in a trusted web application.
• Distributed denial-of-service (DDoS) attack – incapacitates online services by flooding them with unwanted connections, thus rendering a site inaccessible.
• Authentication bypass – allows hackers to gain access to your website’s resources without verifying their authenticity.
• SQL injection (SQLi) – forces the system to execute malicious SQL queries and manipulate data within the database.
• Cross-site scripting (XSS) – injects malicious code that turns the site into a transporter of malware.
• Local file inclusion (LFI) – forces the site into processing malicious files placed on the server.

What Is A “Hack?”

A “hacked” website has been compromised by an unauthorized user (a hacker) in some way. WordPress sites can be hacked in many different ways. Still, the most common type of compromise is when an unauthorized user gains access to your WordPress control panel and installs malware or spammy links on your pages.

When this happens, it’s almost impossible for you to remove these bad things from your website unless you have experience with WordPress development.

What Is Comment Spam?

Comment spam is an unsolicited message sent to WordPress websites. Spammers often comment on WordPress blogs and articles linking back to their website. They hope to drive traffic, earn money from pay-per-click ads, or build cheap link popularity.

Comment spam is dangerous because it can clog up your website’s comment threads, making it difficult for people to have genuine discussions on your blog. Clicking on a spammy link by accident can also lead to malware infections.

Perhaps more worrisome, comment spam can lower your website’s authority ranking. As a result, search engines like Google will demote blog posts containing spammy comments.

What Is Malware?

• Malware (short for malicious software) refers to any malware you don’t want on your computer, such as viruses, key-loggers, trojan horses, etc. The list goes on and on. WordPress sites can get infected by malware almost exactly like a personal computer, usually through an unpatched security vulnerability.
• Viruses are a form of malware that can spread to other WordPress sites, much like how the flu virus spreads from one person to another.
• Key-loggers are a type of malware that records the keys you press on your keyboard, allowing someone to steal your usernames and passwords.
• Trojan horses are a type of malware that disguise themselves as something else (usually a useful program) to trick you into installing them on your computer.

How To Know If Your WordPress Website Is Infected With Malware

If you’re not sure whether your WordPress website has been infected with malware, there are a few telltale signs to look for. One of the most common is if your site is suddenly slow or unresponsive. A sluggish website could be because the malware uses all your server’s resources, preventing your pages from loading correctly.

Curious? You can check your website for malware using a variety of free tools. Just enter your web address (domain name), and you’ll receive a report.

Another sign of infection is if you see strange ads or links on your website that you didn’t put there yourself. Finally, if you receive emails from WordPress about failed login attempts, but you haven’t been trying to log in, someone else is likely trying to hack into your site.

If you believe your WordPress website may be infected with malware or have any other WordPress security questions or concerns, we are here to help!

Here Are 19 WordPress Security Tips You Should Follow Immediately:

Tip #1: Select Your Hosting Partner Carefully (Basic)

The Internet is full of cheap & “affordable” hosting providers. These providers are hell-bent on offering you some of the most amazing hosting plans in the market. But before you choose one, take a pause & think it over for a moment.

Your website hosting is the most crucial part of your website. But, can you seriously risk your website security to save a few bucks? Instead, you should carefully evaluate different WordPress hosting options and select a trusted WordPress hosting service provider.

Tip #2: Eliminate the “Admin” Username (Basic)

WordPress sets the default username as admin, and many website owners never bother to change it. As a result, admin is the first username hackers will try when they launch an attack against your site. If that name is present, they only need to guess the password.

As such, you should never use that particular username for your WordPress website.

Tip #3: Use Strong Passwords (Basic)

The most common reason for compromised WordPress website security is hacked passwords. So it’s critical to create strong & complex passwords & alter them at regular intervals. Creating strong passwords means using a combination of letters, numbers, and symbols that are hard to guess.

WordPress has a built-in way to help generate secure passwords, so make sure you take advantage of it! People often avoid strong passwords as they are difficult to remember. But this is a mistake. Instead, try using some of the best Password Managers to do the job.

And when you set your passwords, don’t stop at the WordPress admin area; repeat the process for WordPress hosting accounts, your email addresses & FTP accounts.

Tip# 4: Set Minimal User Permissions (Basic)

However, it’s not just about your passwords but also those of other people on your site. First, make sure everyone only has permission to do what they need to do to minimize their risk. For that, it makes sense to get familiar with WordPress user roles to understand what they do and what each user role is allowed to do.

For example, you don’t want to give a one-time guest blogger admin access. A Contributor role is likely a lot more appropriate. You may want to set your default user role to Subscriber (under Settings > General > New User Default Role) to be on the safe side.

Tip #5: Install WordPress Security Plugins (Basic)

WordPress websites are highly vulnerable to malware attacks. If you do not keep a manual watch on the source code of your website, you might not even know that your code is infected.

Unfortunately, you need to know coding to determine this. But, there is a better & easier option. WordPress security plugins are specifically designed to identify & eliminate malicious codes & malware from your website.

The best part is, they work round the clock & you won’t have to do anything. Some of the best examples of WordPress security plugins are Succuri & Wordfence.

Tip #6: Avoid Nulled Themes (Basic)

Nulled WordPress themes are unauthorized versions of the original premium themes. In most cases, these themes are sold at a lower price to attract users. However, they usually have a ton of security flaws.

Often, nulled theme providers are hackers who hacked the original premium theme and inserted malicious code, including malware and spam links. Moreover, these themes can be backdoors to other exploits that endanger your WordPress site.

Using nulled themes is both morally unethical & illegal. Furthermore, since nulled themes are distributed illegally, their users cannot receive any support from the developers. This lack of support means that if they cause any issues to the site, you’ll have to figure out how to fix them and secure your WordPress site by yourself.

To avoid that, we recommend picking a WordPress theme from its official repository or trusted developers. Look for options in official theme marketplaces such as ThemeForest if you want to buy a premium theme.

Tip# 7: Remove Unused Themes and Plugins (Basic)

Keeping unused plugins and themes on the site can be potentially harmful, especially if the plugins and themes haven’t been updated. Outdated plugins and themes can increase the risk of cyberattacks as hackers can use them to access your site.

To delete unused themes, open your WordPress admin dashboard and navigate to Appearance -> Themes. Next, click on the theme you want to delete, and a pop-up window will appear and show the theme details. Next, click the Delete button on the bottom-right corner.

Tip #8: Perform Regular Security Scans (Intermediate)

Usually, malware and malicious code can go unnoticed for a long time unless you regularly scan your website. By scanning your site, you can ensure you stay safe and always protect your website.

Most new WordPress website owners neglect to install a WordPress security scanner right away. Unfortunately, this means that malware or a malicious code injection can go unnoticed.

The best time to scan your website for malicious code and malware is now. Unfortunately, many users won’t notice something is wrong with their website until it is too late. Even if your site is not hacked or affected, you should still learn to scan your WordPress site for malicious code. It will help you protect your website against future attacks.

Tip #9: Keep WordPress And Plugins Up To Date (Intermediate)

One of the best ways to protect your WordPress site from potential hackers is keeping WordPress and your plugins up to date. Hackers are constantly looking for vulnerabilities in WordPress so they can exploit them. Still, if you keep everything updated, then you’re one step ahead of them.

In addition, make sure you only use trusted plugins from reputable developers. There have been cases where hackers have taken over legitimate plugins and used them to inject malware into people’s websites. A simple way to find out if a plugin is reputable is to see when it was last updated and how many times it has been downloaded.

Tip #10: Use Two-Factor Authentication (Intermediate)

Two-factor authentication adds an extra layer of security for your WordPress website. When you log in, not only will WordPress ask for your password, but they’ll also require something else before logging you in.

For example, this could be by entering the code sent to your phone via SMS or email after typing in your username and password. It’s straightforward to set up two-factor authentication on WordPress sites today, so don’t hesitate to do so if possible!

Tip #11: Back Up Your WordPress Site Regularly (Intermediate)

Last but not least, back up your WordPress site regularly! Making regular backups is probably the most important tip on this list. When disaster strikes your WordPress site, it’s straightforward to restore if you have a backup.

The easiest way is by backing up your database and files separately. Then, in the event of a malicious attack on your site, you only need to restore one or the other depending on what went wrong. Several WordPress backup plugins will automatically back up your site at regular intervals.

Tip #12: Limit Login Attempts (Intermediate)

WordPress allows its users to make an unlimited number of login attempts on the site. However, this is a perfect opportunity for hackers to brute force their way using various password combinations until they find the right one.

That’s why placing a limit on failed login attempts is essential to prevent such attacks on the website. Limiting failed attempts can also help monitor any suspicious activities on your site.

Most users only need a single try or a few failed attempts, so you should be suspicious of any questionable IP addresses that reach the attempt limit.

One way to limit the login attempts to increase WordPress security is by using a plugin.

Tip# 13: Use the Latest Version of PHP (Advanced)

PHP is what WordPress runs on. It’s present on the server of every website built with the CMS. Just like WordPress, the programming language is constantly under development. New versions come with performance enhancements but also vulnerability fixes.

For that alone, you must run the latest version. In addition, each new PHP version also only receives support and updates for two years. The currently supported versions are 7.4, 8.0, and 8.1, so we recommend that you use one of these. Unfortunately, only a little more than half of the WordPress sites follow that advice.

Tip #14: Change the Default WordPress Database Prefix (Advanced)

The database holds and stores all crucial information required for your site to function. Due to this reason, hackers often target the database with SQL injection attacks. This technique injects malicious code into the database and can bypass WordPress security measures and retrieve the database content.

SQL injections comprise 80% of cyber-attacks executed on WordPress websites, making it one of the biggest threats. Hackers execute this attack because many users forget to change the default database prefix wp_. Fortunately, most WordPress security plugins allow you to change your database prefix without coding skills.

Tip #15: Enable the Lockdown Feature (Advanced)

Enabling URL lockdown protects your login page from being accessed by unauthorized IP addresses and brute force attacks. To do that, you need a web application firewall (WAF) service such as Cloudflare or Sucuri.

Using Cloudflare, it’s possible to configure a zone lockdown rule. It specifies the URLs you want to lockdown and the IP range allowed to access them. Anyone outside the specified IP range won’t be able to access them.

Sucuri has a similar feature called URL path blacklist. Essentially, you add the login page URL to the blacklist so that no one can access it. Then, you allow authorized IP addresses to access the login page.

Tip #16: Disable XML-RPC (Advanced)

XML-RPC is a WordPress feature that allows users to access and publish content via mobile devices, enable trackbacks and pingbacks, and use the Jetpack plugin on their WordPress website.

However, XML-RPC has some weaknesses that hackers can exploit. The feature lets them make multiple login attempts without being detected by the security software, making your site prone to brute force attacks.

Hackers can also use the XML-RPC pingback function to perform DDoS attacks. It allows attackers to send pingbacks to thousands of websites at once, crashing the targeted sites.

To determine whether XML-RPC is enabled, run your site through the XML-RPC validation service and see whether you receive an error or a success message. If you get a success message, the XML-RPC function is running.

Tip #17: Secure Your Wp-Config File (Advanced)

The wp-config.php file contains essential information about your WordPress site, including your database name, username, and password. By default, this file is located in the root folder of your WordPress installation. However, you can move it to a different location and protect it with a .htaccess file. Moving this file makes it harder for hackers to access. You should consider it if you’re running a WordPress site.

Tip #18: Use SSL/HTTPS (Advanced)

SSL (Secure Socket Layer) or TLS (Transport Layer Security) is a protocol that helps secure communications between a web server and a browser. When enabled, it will encrypt all data sent between the two parties so that no one can eavesdrop on the conversation.

SSL Certificates are especially important when transmitting sensitive information, such as passwords or credit card numbers. WordPress and many WordPress hosting providers offer a free SSL certificate through Let’s Encrypt, so there’s no reason not to use it!

Tip #19: Use A Firewall (Advanced)

A firewall helps protect your WordPress site from unwanted traffic and attacks. It essentially acts as a shield between your website and the Internet, blocking any malicious packets before they can reach your server. There are many different firewalls available, both free and paid. If you’re running a WordPress site, I would highly recommend using one!

Securing Your WordPress Site from Hackers

Every WordPress security attack is different. Hackers can access your sites by using various ways like password guessing, inserting malicious codes into your files, brute force attacks, etc.

You must always be ready for any attack to secure your WordPress sites from hackers or intruders. You never know who is going to hack or crack your website files.

Taking backups, keeping your websites safe from malicious codes, installing essential security tools can save you a lot of time, money, and effort. However, NEVER take your WordPress security lightly, as prevention is always better than the cure.

Be sure to implement the WordPress security tips mentioned in this guide to harden the security of your WordPress sites. We are here to help!

To summarize, here are 19 simple ways to help you protect your WordPress site from hackers, spammers, and malware:

1. Carefully select your hosting partner
2. Eliminate the “admin” username
3. Use strong passwords
4. Set minimal user permissions
5. Install WordPress security plugins
6. Avoid nulled themes
7. Remove unused themes and plugins
8. Perform regular security scans
9. Keep WordPress and plugins up-to-date
10. Use two-factor authentication (2FA)
11. Back up your WordPress site regularly
12. Limit login attempts
13. Change your database prefix
14. Use the latest version of PHP
15. Enable the lockdown feature
16. Disable XML-RPC
17. Protect your WP-config file
18. Use SSL/HTTPS
19. Use a firewall

Need Help with WordPress Security?

Here at PixoLabo, we offer a full range of WordPress consulting and design services for businesses and product brands, including custom web design and development, e-commerce solutions, search engine optimization, and WordPress optimization.

And if you are still not sure if your WordPress website was compromised, don’t worry! Our expert team will listen to you, answer your questions, and determine if your website suffered a malicious breach or attack, and restore and secure it for you. That is one of our specialties, after all!

Did You Secure Your WordPress Site?

Did you suffer from a recent attack on your WordPress website? Was your WordPress site hacked, infected with malware, or experienced another form of website intrusion? If so, how did you restore your WordPress website? And how did that go for you? Or do you have any other WordPress security questions or concerns?

Please feel free to comment below so our audience can benefit and grab our feed, so you don’t miss our next post! And feel free to share these essential WordPress security tips with your audience!

Thank you! We appreciate your help to end bad business websites, one pixel at a time

By Gregor Saita

Co-Founder / CXO

@gregorsaita