WordPress security: how to protect and secure your site?

Tick, tock. Tick, tock. Tick, tock. With every second that ticks by on your watch, 2,800 attacks are targeting WordPress sites.

Your website has been hacked? You probably think it only happens to other people. And then, one day, it happens to you.

Fortunately, there are solutions to avoid this, although no website can claim 100% protection.

By the end of this article, you will know how to strengthen the security of your WordPress site, thanks to 15 practical and detailed tips, with supporting screenshots.

Is WordPress a secure CMS?

With 65% market shareWordPress is the most used CMS (Content management system) across the planet, far ahead of its main competitors Shopify (4,4%) and Wix (2%).

Even more telling, perhaps: 43% of the 10 million most visited websites on the Internet run on WordPress.

From this dominant position stems a major drawback: due to its widespread adoption by WordPress website creatorsThis CMS is the target of numerous malicious attacks.

Despite the sand, it remains a secure CMS. In its analysis of vulnerabilities within the WordPress ecosystem, security expert Patchstack reports that 96% of security vulnerabilities originate from third-party code (third-party extensions and themes), compared to 4% within the WordPress Core. 

In total, plugins are believed to be responsible for 82% of the vulnerabilities identified, with hackers most often taking advantage of them to inject malicious content into their code.

WordFence goes further indicating that the most widespread security threat to WordPress security comes from malware originating from cracked plugins and themes (we are talking about nulled plugins, in English).

These types of extensions and themes are highly sought after by webmasters who do not want to pay for the premium version(s) of a theme or extension.

Furthermore, beyond themes and extensions, security issues also arise due to poor practices by webmasters.

What type of attacks can a WordPress site suffer?

As you can see, WordPress remains a prime target for hackers and other bots (bots) malicious. 

These threats attack it in various ways. In its security report cited above, WordFence Security identifies the following five common attacks:

1. Directory traversal attacks (Directory Traversal attacks) represent the most widespread threat, accounting for 43% of detected vulnerabilities.
2. SQL injections (21%), which target your database.
3. Downloading malicious files (11%).
4. The site-to-site script (8%). With the cross-site scripting (or XSS), malicious code is injected into the content of your pages.
5. Authentication bypass vulnerabilities (Authentication Bypass, 3%), which exploit an authentication mechanism (e.g., website login) that is too weak.

And unfortunately, the threats don't stop there. The following vulnerabilities can also affect a WordPress site:

• backdoors (backdoors), which give remote access to your site without you realizing it.
• Brute-force connection attempts (brute force attacks). Here, bots attempt to connect to your website by testing different combinations of passwords and usernames.
• Malicious redirects, to unauthorized pages.
• Denial of service attacks (DoS, Denial of Service Attack), which make your site unavailable by, for example, blocking your server.
• pharma hacks, which redirect your site to pages selling pharmaceutical products like Viagra, for example.

Finally the white paper dedicated to security on WordPress indicates that a "Incorrect security configuration" "exposure of sensitive data", or even CSRF type attacks (Cross Site Request Forgery) represent potential threats to your WordPress site.

Why do you need to secure a WordPress site?

Given all these attack risks, it's important to strengthen the security of your WordPress website. full WordPress audit will allow you to identify existing security vulnerabilities and implement best practices to protect your site.
Indeed, a hacked website has several negative consequences: 

• A waste of time to fix the security problemThis is the most frequent complaint among victims of hacking. according to the findings of a Sucuri investigationBecause of this wasted time, you cannot dedicate yourself to higher value-added, business-generating tasks.
• Damage to your brand imageNo internet user likes visiting a hacked website. It doesn't inspire confidence and discourages them from returning in the future. Your reputation and that of your team are also affected.
• A degradation of the user experience (UX). A visitor appreciates being able to easily and quickly find what they are looking for on a website. If this aspect is not met, a user is likely to turn to the competition.
• A negative impact on your organic search engine ranking (SEO). Access to an unsecured site can be blocked by search engines, especially Google. Google may even remove your website from its SERP (search engine results page) if you are a victim of SEO spam (spamdexing, in English).
• A decrease in your revenueIf you are a freelancer or a web agency specializing in WordPressIf you offer products and/or services on an online store like WooCommerce, you will no longer be able to make sales when your site becomes inaccessible. 
• A threat to your personal informationA hacker can compromise your website to steal your personal information and the banking details of your customers and team members. You risk being asked to pay a ransom (ransomware) and also to a possible theft of your identity.

Unfortunately, hacking doesn't just happen to other people. However, there's no need to panic. 

Now, discover how to properly secure your WordPress site using proven tips and best practices.

15 tips to secure your WordPress site

Use HTTPS

This is probably the first thing to do to strengthen WordPress security: use the HTTPS protocol (Hypertext Transfer Protocol Secure (Secure Hypertext Transfer Protocol).

As stated in Google's documentationHTTPS "protects the integrity and confidentiality of data during the transfer of information between the user's computer and the website."

Its use is predominant. HTTPS provides reassurance by demonstrating that the connection to your site is secure., by displaying a padlock in your browser's address bar.

It is therefore essential to ensure the protection of data circulating on your site (banking, personal), especially if you are selling online.

Conversely, insecure sites (using HTTP) are "penalized" by the main browsers (Chrome, Firefox, Safari, Opera) which display a warning message when a visitor tries to access them:

To switch your WordPress site to HTTPS, You must first obtain an SSL certificate (Secure Sockets Layer (Secure socket layer). This certificate is what allows the famous padlock to be displayed on your browser.

Most hosting providers offer one for free in their package, most often via the Let's Encrypt certificate authority.

To activate this certificate, go to your hosting interface in the security section:

To finish securing a WordPress site with HTTPS, Remember to implement 301 redirects. and to resolve potential mixed content issues (content always loaded via HTTP and not HTTPS). The extension Really Simple SSL It can even handle this for you automatically. 

Choose strong passwords

The figure is staggering. During the first half of 2021, 86 billion password attacks were blocked by the WPScan tool. 

Automated attacks of this type are constantly increasing, particularly because they are a fairly simple way for a hacker to access your site.

To secure WordPress, start by making life difficult for malicious software and bots. by avoiding passwords that are too obvious to guess.

Examples include: "123456", "123456789", "qwerty", "password", "111111", and "iloveyou". the easiest and fastest passwords to crack. 

To protect yourself, apply the following best practices: 

• Do not choose passwords related to your pet.Your family, your date of birth, your name, your first name, your children, colors, cars, or even countries. In short, anything too obvious should be avoided.
• Use numbers, special characters, uppercase and lowercase letters  in your password. An example of a strong password? Xuiop5209MLoP654$M*
• Your WordPress password must be unique : you must not use it to connect to other tools or applications.
• Avoid words found in the dictionary, targets of "dictionary attacks", precisely.
• To create strong passwords, usea free generator, or a more comprehensive paid manager like Dashlane ou 1Password. 
• Transfer your passwords securely via email with a service like One Time.

By extension, a password often implies a username. In this regard, never use an "admin" username; it's far too easy to guess! 

Install WordPress security plugins

Strengthening WordPress security then involves using security plugins. You can do this in two ways.

The first approach involves using plugins tailored to a specific use case:

• Limit Login Attempts Reloaded combating brute-force attacks.
• BBQ Firewall It specifically protects your site against SQL injection attacks.
• Login Lockdown limits the number of login attempts to the WordPress administration.   

This list is not exhaustive and gives you a first glimpse of what you can do. These extensions will be very effective, but if you want to use them together, you will need to activate them one by one. 

To make things easier for you, there is a second way to do it: install a free, general-purpose WordPress security plugin.

This toolbox will contain several security solutions in one, so you don't have to activate different plugins. 

There are three main, very strong players in the WordPress ecosystem in this regard: 

• IThemes Security.
• WordFence Security.
• Sucuri.

All three offer the advantage of free versions. Otherwise, their features are quite similar.

For example, you will benefit from protection against brute-force attacks., a security scanner, IP address and user blocking, two-factor authentication, WordPress secret key updates, file permission settings, etc. 

To decide, consult the details of the options offered and take your budget into account: some major features are only available with the Pro version of the extension in question.

For example, WordFence offers a firewall (Web Application Firewall, WAF) from its free version, whereas Sucuri only offers it in its premium version.

Update your WordPress site regularly

Using a third-party plugin remains very important to strengthen the security of your WordPress installation, but it will not be enough, as you might suspect.

You'll also need to get involved, starting by regularly updating your WordPress site, to Use the latest version of WordPress Core, your plugins, and your themes..

To do this, WordPress has a very practical mechanism: it automatically notifies you on your dashboard as soon as an update is available. 

Go to the Dashboard > Updates menu to get an overview of what you still need to accomplish. 

Click on the box corresponding to the extension or theme you are interested in, then on the "Update extensions" button:

Performing updates is crucial to ensure WordPress website maintenance This allows us to correct detected bugs and security flaws, while ensuring your site remains efficient.

We recommend that you pay attention to two things: 

• When upgrading to a new major version of WordPress, Wait a few days before proceeding with the update on your back officeIndeed, bugs are often fixed within hours and days of deployment. It's best to wait a little while to avoid encountering any incompatibilities.
• Remember to back up WordPress before performing a major update to the WordPress core. (for example, upgrading from WordPress 5.8 to WordPress 5.9). More details on this in the following tip.

Also, update your PHP version to a recent version. If your hosting provider uses the cPanel interface, you can do this in the "Software" section by selecting "Select a PHP version".

Back up your site frequently

So here's an excellent webmaster practice for securing WordPress: back it up as often as possible!

A backup includes saving your files and your database.This last element is the most important part of your WordPress site, as it lists all your site's content (posts, pages, comments, options, etc.). Don't forget it when configuring it!

Having backups of your WordPress site will allow you to restore it in case of hacking. 

You can back up your site using an FTP client (File Transfer Protocol) like Filezilla, but the operation remains technical and perilous if you are not an experienced technician. 

Ultimately, the easiest method for a novice is to activate a dedicated backup plugin, which will take care of everything automatically for you.

The most popular one on the official directory is called UpdraftPlusVery easy to configure, it allows you to schedule your backups and export them to third-party services such as Google Drive, Dropbox or Amazon S3.

Other good points: UpdraftPlus allows you to restore a backup from the plugin interface, and its free version is quite complete to get started.

In addition to a WordPress security plugin, cover your bases by also using a backup module offered by your hosting provider (if they offer one). This way, you'll kill two birds with one stone.

Choose secure hosting

Speaking of hosting providers, they also play a role in the security of your WordPress website. 

It must offer a sufficient level of security to minimize the risk of malicious attacks. "The configuration of the operating system and the underlying web server hosting the software is just as important for maintaining the security of WordPress applications.", explains the WordPress security guide in this regard.

What exactly makes a good, secure web host? To choose the right one, pay attention to: 

• His notorietyA solid hosting provider that has been present on the market for several years will often tend to be more credible.
  Check customer reviews and research specialized groups and forums to get a better idea of ​​the hosting provider you are considering.
• His use of good security practices : presence of a firewall and antivirus to protect its servers, regular updates and backups, use of the latest software versions, SSL support, malware analysis.
  Carefully read the websites of the hosting providers that are catching your eye to uncover this information.
• The quality of its customer servicePrioritize responsive support that is available 24/24 in case of problems.

Ideally, a dedicated or WordPress-specific hosting provider is often preferable in terms of security to shared hosting. With shared hosting, you share bandwidth resources with other websites. If each site isn't isolated, you'll also be affected if an infected site on your server is hacked.
However, dedicated or specialized hosting will be more expensive than shared hosting.

Protect the WordPress admin login page

Since the beginning of this article, we have discussed attempts to connect to the WordPress administration, which malicious bots love.

It must be said that WordPress "lures" them in by making the login form page visible, publicly accessible in two ways: 

• mysite.com/wp-admin
• mysite.com/wp-login.php

This works on any WordPress site, unless its webmaster has changed the URL of the login form page to strengthen its protection!

This operation can be performed very simply using the free extension. WPS Hide Login.

As stated in its description in the official directory,"The wp-admin directory and the wp-login.php page become inaccessible, so you need to bookmark it or remember the URL." to be able to connect.

Here's how to proceed. Once the extension is activated, go to Settings > WPS Hide Login.

Change the slug your login URL by entering something complex, for example by combining numbers and letters: 

Use two-factor authentication

To further secure the connection to your administration interface (admin), enable two-factor authentication. 

The principle of this mechanism is simple: after entering your username and password, It is necessary to validate access to your site using a verification code sent to your smartphone or tablet.. 

This is the system now used on most e-commerce sites when you make a purchase. To accept the payment, your bank requires you to confirm it via its app or SMS.

Several free WordPress plugins allow you to implement two-factor authentication: 

• Two Factor Authentication.
• WP2FA.
• miniOrange's Google Authenticator.

Whichever one you choose to use, you will notably need to scan a QR code to authenticate yourself:

Block spam

Now, let's talk about spam. On WordPress, it mainly takes the form of unwanted comments which can contain malicious code and links to disreputable sites.

To strengthen the security of your site, protect yourself against this scourge by activating the Akismet extension, which is present by default on every WordPress installation.

This feature will filter out the vast majority of unwanted comments and save you from having to approve hundreds of spam comments per day.

For the rest, apply the following settings to your comment settings: 

• As an admin, always approve comments manually.
• Ask the author of a comment to provide their name and email address.
• If needed, you can also close comments on articles older than X days (it's up to you to decide the duration).

To do all of this, go to Settings > Comments as you can see in the screenshot below:

To effectively combat spam, a good practice is to install a CAPTCHA system on your site to distinguish humans from bots. To do this, activate one of the following two extensions: reCaptcha by BestWebSoft ou Login No Captcha reCAPTCHAYou can also integrate directly. Google's free reCAPTCHA system, but this requires a minimum of coding knowledge.

Improve the security of the wp-config.php file

Without further ado, let's continue this overview of WordPress security by now talking about a key file: wp-config.phpThis last element, located at the root of your site, manages its settings.

By default, it contains guidelines to enhance the security of your WordPress site, but nothing prevents you from going even further by adding additional code.

Here are some things you can do:

Update WordPress security keys

These are used, in particular, to encrypt your users' cookies. Replace the default ones by randomly offering new ones using this free tool.

Check the prefix of your database tables.

By default, WordPress offers the wp_ prefix during each new installation of the CMS… but This is a bad security practice because this prefix is ​​easily detectable by a hacker..

To avoid any problems, it's best to change it with each new installation. If it's already too late, you'll need to change this prefix in wp-config.php.

Don't forget to do this in each table of your database using the Database Search and Replace script.

For a novice, the easiest and least risky option is to use an extension like Brozzme DB Prefix & Tools AddonBut be careful, make sure to back up your site beforehand.

Restrict access to file editors

Finally, you can secure the way your plugin and theme files are edited by simply prohibiting file editing on the WordPress admin.

This simple line of code will disable the "Edit" menus in your back office. :

define('DISALLOW_FILE_EDIT',true);

Protecting your website using the .htaccess file

After the file wp-config.phpNow, let's look at another strategic file to ensure WordPress security: the file .htaccess.

This is an Apache server configuration file, used by most web hosting providers. There's a good chance that's the case for yours.

Le .htaccess can prove very useful in terms of SEO, to fight against spam and therefore to strengthen security.

However, you must handle it with care: The slightest syntax error within it can trigger the display of a erreur 500For example, and make your site inaccessible.

If you are not sure of yourself (this also applies to wp-config.php), refrain from doing so or call upon a team of professionals to support you.

Want to try it on your own? These code snippets might interest you:

• Options All -Indexes allows you to disable the display of directory contents from your site in a browser.
• <files .htaccess>
order allow,deny 
deny from all 
</files>
  protects access to the file .htaccess.
• <files wp-config.php>
order allow,deny 
deny from all 
</files>
  protects access to the file wp-config.php.
  

Hide your WordPress version

By default, WordPress displays the version it's running on in its code. Anyone can therefore access it and see if your site is up to date, or if it's using an outdated version of the CMS.

Hackers can use this public information to find out what known security vulnerabilities are present on your site, and exploit them to harm you.

To limit their scope of action, you can hide your WordPress version by adding this line of code to your file. functions.php :

remove_action("wp_head", "wp_generator");

To verify that the version display has disappeared, refresh your page. Right-click on Google Chrome and select "View page source". 

Using the keyboard shortcut Ctrl + F (PC) or Cmd + F (Mac), search for the word "generator". You shouldn't find anything. If you do, the following line of code will be displayed:

Finally delete the file readme.html located at the root of your site, since it also contains your version number.

Check file and directory access rights

Speaking of files, it is paramount to control their access rights – as well as those of their directories – in order to secure your WordPress site.

By default, it is possible to assign read, write and execute permissions on your files and directories.

Obviously, if a permission is incorrectly configured, hackers could take advantage of it to gain access and perform malicious actions. 

Regarding file and folder access rights (permissions), The WordPress documentation recommends the following: : 

• All directories must have permissions set to 755 or 750.
• All files must have permissions of 644 or 640. One exception: wp-config.php which should have permissions of 440 or 400 to prevent other users on the server from reading it.
• No 777 permissions should ever be given to a directory.

To find out if your files and directories have the correct permissions, log in to your FTP client, then take a look at the "Access Rights" column.

If something is wrong, right-click on the file or directory in question, then change its permissions by choosing "File access rights":

Prioritize installing plugins and themes from the official directory

We've talked a lot about plugins and themes throughout this article, and you've probably noticed that we always recommend extensions from the... official WordPress directory.

Beyond the staggering number of extensions it offers – nearly 60,000 – the official directory offers an advantage in terms of security.

For both extensions and themes, all "are manually reviewed by volunteers before being made available on the repository", states the white paper dedicated to security on WordPress.

Even though WordPress specifies that this does not guarantee "that they are free from security flaws"This first filter is still quite useful.

This level of verification isn't necessarily the case with third-party stores. So be careful when searching for themes or extensions.

Focus on established brick-and-mortar stores with a good reputation and/or on solid platforms, such as ThemeForest for the themes or of CodeCanyon for WordPress plugins.

No longer need an extension or theme on your back office? Deactivate and then delete them to limit security risks.

Being a vigilant webmaster

Finally, the last tip is mainly in the form of general advice, applicable to both WordPress and your internet browsing: be vigilant.

For it :

• Do not open emails that seem suspicious. to avoid any risk of phishing (Phishing).
• Create separate access for each user People who may collaborate on your site (freelancers, team members, etc.) should not be given your login credentials, even if it seems simpler and faster.
• Define the right roles depending on the actions that each user will be required to perform. For example, a writer does not need to be an administrator of your site.
• Avoid allowing file downloads on your website.
• Clean your database regularly, for example using a multi-tasking extension like WP Rocket.
• Activate maintenance mode when appropriate, for example when carrying out a large-scale update.

WordPress security: a summary

The security of a WordPress website should be a top priority for all webmasters. While no website is infallible, implementing the tips and best practices presented in this article will help you significantly reduce the risk of hacking. 

About that, A hacked website may exhibit certain characteristics that should alarm you. : 

• It becomes impossible to connect to it.
• The hyperlinks on your pages redirect to third-party sites that you are not aware of (e.g., adult content).
• New users are being added to your site without your permission.
• Your browser or Google tells you that your site has been hacked.

If in doubt, act very quickly. The impact on your revenue, SEO, brand image, and user experience can be disastrous.

Do you need assistance to secure or update a WordPress site that has been the victim of an attack?

The WP Maintenance team of experts is available 7 days a week to provide you with tailored support. Contact us for more information.