WordPress is one of the most popular content management systems (CMS) on the internet. As of 2023, WordPress powers more than 43% of the total websites on the internet.
Due to its robust features and easy-to-use interface, many of the top brands use WordPress to power their websites. However, because of its popularity, WordPress is a prime target for hackers, malicious code distributors, and data thieves. Therefore, it’s important to take the necessary steps to ensure your WordPress site is secure.
In this blog post, we share a complete WordPress security checklist that can help you to protect your website from potential security threats. So, let’s get started.
Table of Contents
- 1: Always Use the Latest WordPress
- 2: Use Strong Passwords
- 3: Change the Default WordPress Login URL
- 4: Limit Login Attempts
- 5: Enable Two-Factor Authentication
- 6: Install Security Plugins
- 7: Use SSL Certificates
- 8: Backup Your Website Regularly
- 9: Use Secure Hosting
- 10: Remove Unused Themes and Plugins
- 11: Disable File Editing
- 12: Use a Content Delivery Network (CDN)
- 13: Disable Directory Browsing
- 14: Disable XML-RPC API
- 15: Implement Firewall Rules
- Final Thoughts on WordPress Security Checklist
1: Always Use the Latest WordPress
WordPress is constantly updating its software to fix bugs and vulnerabilities. Therefore, it’s important to keep your website updated with the latest version of WordPress. This will ensure that your website is protected from the latest security threats.
Each new WordPress version prompts developers to rectify glitches, introduce new functionalities, boost performance, and enhance existing features to align with the latest industry benchmarks.
Managed WordPress hosting providers automatically update your site to major WordPress versions. To manually update the WordPress version, All you need to do is visit WordPress Dashboard » Updates page and install the latest version.
2: Use Strong Passwords
Strong passwords are the first line of defense against hackers and unauthorized access to your WordPress website. According to a study, 81% of WordPress hacking-related breaches used either stolen or weak passwords.
That’s why avoid using simple passwords on your website, such as “12345” or “password”. Use a strong password that combines unique characters like letters, numbers, and symbols that are difficult to guess.
To change your WordPress admin password, Login to your website and go to Users » Your Profile from your WordPress menu.
Go ahead and click on the “Generate Password” option and WordPress will automatically create a strong password for you. After that, click the “Update Profile” button to save your new password.
If you have difficulty remembering a strong password, use a password manager to create and store strong passwords for your WordPress site. I use 1Password to create a strong password for my websites.
3: Change the Default WordPress Login URL
The Default WordPress login page can be reached by adding /login/, /admin/, or /wp-login.php at the end of your WordPress site’s URL. And, hackers can use your website’s default login URL to try to gain access to your website by guessing usernames and passwords.
Even if you are using a strong password, changing the login URL can really play in your favor in preventing unauthorized access to your site. The easiest way to change the default WordPress login URL is very easy, all you have to do is install the “WPS Hide Login” plugin on your website.
Then open WPS Hide login plugin settings, here you can set a new Login URL path in the Login URL field. Then click on the “save changes” button. Please copy your new login URL and make a bookmark, because your old login URL will no longer work.
4: Limit Login Attempts
What if hackers know your WordPress site login URL? They may use a brute force attack to try to guess your admin password. By default, WordPress allows users to enter different usernames, and passwords as many times as they want. That’s why hackers use automated software to keep guessing your login information.
Therefore, you can limit the number of login attempts made from a specific IP address in a set amount of time. Any user who crosses the login limit can be temporarily or permanently banned as a safety precaution.
You can install the “Limit Login Attempts Reloaded” WordPress plugin to set maximum login attempts on your site. This plugin allows you to set the number of login attempts, and how long an IP address will be locked out. Even if someone exceeds the limit, you’ll get notified by email, etc.
5: Enable Two-Factor Authentication
Two-factor authentication (2FA) is an additional layer of security that requires users to provide two forms of authentication to access your WordPress site. WordPress Two-factor authentication is the easiest way to prevent unauthorized access.
If someone stole your site admin passwords, they can’t log in without entering a security code. Enabling 2FA on your WordPress site can be a very easy task, all you have to do is install the “Wordfence Login Security” plugin.
This plugin allows you to use email, an authenticator app, and backup Security Keys methods as a two-factor login option. I recommend you use the authenticator app method. All you have to do is install Google Authenticator, 1Password, or any other 2FA app on your phone.
Each time you log in to your WordPress website, you’ve to enter the authentication code generated by the app on your phone. One more thing, download two-factor login backup keys. If somehow you lost your phone, you can still log in using backup keys.
6: Install Security Plugins
Installing WordPress Security plugins can add an extra layer of security to your website. A good WordPress security plugin offers
- Malware scanning
- DDoS attacks
- Monitors uptime
- Automatically bans bad IPs
- Security hardening
- Active security monitoring
- Post-hack actions
- Website Firewalls
- Blocklist monitoring, etc.
Some popular security plugins for WordPress include Wordfence, iThemes Security, and Sucuri Security. I recommend you use the iThemes Security plugin, it offers 30+ full security measures to protect your website from potential threats.
7: Use SSL Certificates
SSL certificates are used to encrypt data that is transferred between the user’s web browser and the website. Using SSL certificates can help prevent hackers from intercepting and reading data that is transmitted between the user and the website.
SSL certificates are also important for SEO, as Google has stated that SSL certificates are a ranking factor. Right now, most of the hosting providers offer free SSL certificates with all hosting plans. If you have a problem configuring SSL on your WordPress site, you can use the “Really Simple SSL” plugin to manage all SSL-related issues.
8: Backup Your Website Regularly
Any website can fall prey to hackers, data loss, database errors, or server disasters. That’s why you need to Backup your WordPress website regularly. And You should also save your website backup files to a remote location, and not your hosting account.
If somehow hackers get access to your website and inject malware. Regular website backups can help you recover your website in case of a security breach or other disaster.
There are many WordPress backup plugins available, Most of them are easy to use and will back up your site automatically on a remote cloud server. I use the most popular UpdraftPlus plugin, which helps me to Backup my complete website automatically every day and saves it on my cloud storage.
Instead of using the UpdraftPlus plugin, you can also consider using BlogVault, and Jetpack Backups plugins to create an automatic backup of your website.
9: Use Secure Hosting
A secure hosting provider will have strong security measures in place to prevent security breaches. Look for a hosting provider that offers automatic updates, a strong security track record, offers AWF, malware scanning, DDoS protection, free SSL, daily backup, etc.
Take your time to research your hosting options and choose a reputable provider that can not only protect your site from potential security threats but also improve performance.
If you are unsure about hosting security, move your WordPress site to Kinsta, CloudWays, or WPX hosting. They provide the best secure WordPress hosting with free site migrations. So, you don’t have to worry about losing data during hosting migration.
10: Remove Unused Themes and Plugins
If you have installed tons of unused plugins & themes on your WordPress website. Then, make sure to remove them completely. Not only unused themes, and plugins, are Slowing website loading times down due to database bloat but Adding points of vulnerability to your website.
Therefore, it’s important to remove any themes and plugins that you are not using. And one more thing, don’t download third-party nulled themes & plugins on your website. Most of the nulled themes & plugins contain malware that can ruin your years of hard work.
11: Disable File Editing
By default, WordPress allows users to edit files directly from the WordPress dashboard. However, if somehow a hacker gains access to your WordPress dashboard, they can use this feature to upload malicious code to your website theme & plugin files.
By, Disabling file editing is another way to improve the security of your WordPress site from potential danger. To disable file editing on your site, you can use the iThemes Security plugin or you can add the following code to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
12: Use a Content Delivery Network (CDN)
Using a CDN can help you to improve your site’s overall performance and increase the overall security of your WordPress site. A CDN works by caching your website’s content on servers around the world. This can improve the speed of your website and reduce the load on your web server.
Additionally, a CDN offers a Web Application Firewall (WAF), which can help hide your origin IP address, and protect your website from distributed denial of service (DDoS) attacks, which are a type of attack where hackers try to overwhelm your web server with traffic.
There are a lot of options when it comes to choosing a CDN, I recommend you use Cloudflare CDN. It’s free and over 7.59 million active websites use Cloudflare. If you are looking for a premium CDN service, then BunnyCDN is the best option for your WordPress site.
13: Disable Directory Browsing
By default most of the popular web servers like Apache, NGINX, and LiteSpeed have directory browsing enabled. Directory browsing allows users to view the contents of directories on your web server.
If a hacker gains access to directory browsing, they can view the files on your server and exploit vulnerabilities in your site’s plugins, media files, themes, or even your hosting server.
This is why you need to disable directory browsing in WordPress. The easiest way to check whether directory browsing is enabled is by simply visiting the /wp-includes/ folder link like this: https://example.com/wp-includes/.
If you get a 403 Forbidden message, then directory browsing is already disabled. However, if you see a list of files and folders instead of a 403 Forbidden message, then this means that directory browsing is enabled.
To disable directory browsing, you can install the iThemes Security plugin and with a single click, you can disable it instantly. Otherwise, you can add the following code to your .htaccess file:
14: Disable XML-RPC API
XML-RPC is a remote procedure call (RPC) protocol API used by WordPress since 2012. WordPress’ XML-RPC feature allows third-party services to access and modify content on the site. Most of the time XML-RPC API is used by the Jetpack plugin and WordPress mobile app. If you are not using any of these services, I advise you to disable XML-RPC.
To disable XML-RPC API, you can use the iThemes Security plugin or you can add the following code to your .htaccess file:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all </Files>
15: Implement Firewall Rules
Implementing specific firewall rules is another way to improve your overall WordPress security. Firewall rules can filter out unwanted traffic, block specific IP addresses or countries, allow only known good bots, and prevent attacks from reaching your web server.
You can use Cloudflare CDN, to implement firewall rules on your website. If you’re using Cloudflare’s free plan, you can add 5 rules and the pro plan comes with 20 rules.
Note: It’s important to review your website’s traffic and adjust your CloudFlare firewall rules accordingly. Cloudflare maintains a list of known bad IP addresses that can be used to block requests from malicious sources. So, make sure you enable the “Known Bad IPs” firewall rule.
Final Thoughts on WordPress Security Checklist
In conclusion, WordPress is a powerful CMS platform for building websites, that’s why it’s also a target for hackers and malware. Here are quick facts you need to know about WordPress Security:
- The WordPress vulnerabilities report shows that 52% are attributed to outdated plugins, 37% to WP core files, and 11% to themes.
- Due to popularity, WordPress sites face more than 90,000+ attacks every minute.
- Sucuri’s report of 2021 shows over 95.6% of infections detected by Sucuri were on websites running WordPress.
As you can see, your website is probably targeted by hackers. That’s why you need to install an all-in-one Security plugin like iThemes Security, WordFence, or Sucuri to protect your site as securely as possible. You can also follow our WordPress security checklist outlined in this blog post. So, you can be aware of potential security threats.
If you have any other questions related to WordPress security, let me know in the comment section.
Read more about:
- How to Reduce Initial Server Response Time?
- How to Serve Images in Next-gen Formats?
- How to Remove Unused CSS on WordPress?
Thank you. Have a nice day.