The Practical Guide to WordPress Security: 2020 Edition
The Practical Guide to WordPress Security: 2020 Edition
WordPress powers over 455 million websites — that’s 35% of all websites in the world.1
But all too often, WordPress website owners make critical security mistakes.
Website owners compromise their data, losing customer trust and scaring off potential visitors. They open themselves to serious security hacks that could cost thousands of dollars and hours of frustration to fix.
Those hours = lost time that you could be spending building your business, expanding your customer base, and boosting your sales.
Instead, you’re spending that time trying to clean up a WordPress hack that could have been prevented with less than 60 minutes of effort.
Sound like a headache you want to avoid? You’re in luck! This guide will walk you through 10 practical steps to help make your WordPress website more secure.
Who is This Guide For?
This guide is for WordPress website owners who want to…
Protect their data
Attract more customers
Save themselves from expensive mistakes
If you’re nodding along to any of those descriptions, you’ve come to the right place. 🙂
Who is This Guide Not For?
This guide is not for WordPress website owners who want to…
Leave their private data open to the public
Scare away customers
Pay thousands of dollars and waste valuable hours cleaning up hacks
…just kidding. (Do those people even exist?)
In reality, this guide is probably a bit basic for people with expert knowledge of web security and/or backgrounds in online data protection.
In other words, if you are like the average WordPress website owner — wanting to protect your website, but not sure where to get started — read on!
Is WordPress Secure?
Many people wonder — is WordPress truly secure?
The short answer is yes: the core WordPress software is inherently secure. Developers routinely audit and address WordPress security vulnerabilities.
Once upon a time, website owners had to manually update their websites to the latest version of WordPress software. Now, the updates are even easier. The latest versions of WordPress automatically update from within the admin dashboard itself.
However, WordPress is “open source,” meaning that the code is open to the public. That status is both a blessing and a curse.
Being open source is a blessing, because it means that people are constantly building on the core WordPress capabilities, developing creative new plugins and themes that can fit nearly any need.
But it’s also a curse, because anyone with time and interest can develop a plugin or theme and release it into the WordPress community — regardless of skill, experience, or commitment to maintain their release and keep it up-to-date with evolving security practices.
Therein lies the problem.
The result: many WordPress themes and plugins are “abandoned” each year. They’re not maintained to be compatible with the latest version of WordPress, and they potentially expose sites to major security flaws.
If any of these plugins are on your site, they could be making it easy to hack into your website, steal data, and infect your site and others with malicious code.
With that sobering thought in mind, let’s move on to the fun part…practical, actionable steps to make your WordPress website safer.
How Do I Make My Website Safer?
Now you know why it’s important to protect your WordPress website, and you’re ready to improve your website security.
What’s the first step?
Think of the proverb: “Prevention is the best medicine.”
The underlying idea absolutely applies to WordPress security. The easiest way to deal with compromised security is to prevent compromises in the first place.
Pretty obvious, right?
Improving (or “hardening”) your WordPress security works in three parts — prevent, detect, and (if necessary) restore.
Prevent hackers from accessing your site
Detect if your site is compromised
Restore your site to a clean state
Here are 10 steps to make your website more secure, and most will take just 5 minutes each.
Less than 60 minutes of your time now = saving you hours of trouble and thousands of dollars down the road.
Worth it? I’d say so!
1. Delete “admin” user account
Did you know that “admin” is the default username for WordPress websites? Many WordPress websites have a user with the username “admin.”
Why is that a problem? Well, hackers need two things to break into a WordPress website: username + password.
If your website is still using the “admin” username, you’re giving hackers 50% of what they need to break in.
That means they’re already halfway into your site.
Rather than having to guess unique or personal usernames like “nicole123” or “mynameisjohnsmith,” hackers can be reasonably confident that “admin” already exists as a username on WordPress site.
Remember, the “admin” username = trouble.
Check on your website if there is a user account with the username “admin.” If so, either delete it or demote it to “subscriber” privileges.
Tip: You can setup a new account for yourself with a personalized username and password. If you typically login through the admin user account, make sure to have your new login information stored before you delete the admin account!
More on passwords and storing information coming up in tip #3. 👍
2. Limit user accounts
Speaking of user accounts, it’s important to periodically review your users and see who has an account. For each user account, ask yourself — does this account need to exist?
Sometimes old accounts exist from past employees who no longer work at the company. Or old web developers who built the site, but no longer need access.
Each account is a potential security risk. Minimize risks by deleting unnecessary user accounts.
If a user account has to exist, set it to the lowest relevant privilege settings. In order of privilege, those settings are:
Tip: Store your passwords with a password manager. I recommend LastPass.
4. Limit Login Attempts
Malicious hackers can try to force their way into a website by repeatedly guessing passwords until they find the correct one. Plugins such as Limit Login Attempts help prevent this attack by — you guessed it — limiting login attempts to a certain number of tries.
If a visitor fail to login after a certain number of tries (typically three), they are locked out for a set time period.
“But wait!” I hear you exclaim. “I totally listened to your earlier tips, and I created a super strong, safe password. Why do I still need to limit login attempts?”
Kudos for creating a strong password! But keep in mind — your login may now be strong, but can you guarantee that all logins for all users are strong? And will always be strong in the future?
Even if your password is strong now, limiting login attempts is an extra step to keep your site safe for the future.
Limiting login attempts can also discourage hackers from repeatedly attempting to login to your site. It’s like putting a “Protected by Home Security System” sign on your front door — a flag that you take security seriously and are not an easy target.
5. Delete Unused Themes and Plugins
Have you ever installed a plugin only to decide that it didn’t fit your needs?
Maybe you wanted to display your Instagram feed on your website, so you tested three plugins before picking the one that worked best.
Or perhaps you wanted to show social media icons on your blog, so you tried a few plugin options.
Or could it be that you installed a new theme, but didn’t bother to remove the old default theme from your website.
There are many reasons that websites have unused themes and plugins. However, these old themes and plugins are security vulnerabilities and could be full of potential doors into your website.
I’ve seen some sites bogged down by 10 or even 20 extra plugins. Not only can unnecessary plugins slow down your website speed (decreasing site performance and SEO), they also pose security risks. Even if a theme or plugin is deactivated, it can still let malicious hackers into your website.
I recommend that all site owners periodically review their themes and plugins. Ask yourself — do I actually need this theme/plugin?
If the answer is no, deactivate and delete it!
6. Update WordPress, Themes, and Plugins to Latest Versions
Outdated themes, plugins, and core WordPress installs are among the largest security problems for WordPress websites.
New versions of WordPress automatically update on websites. Unless your site has deactivated WordPress automatic updates, you should be update to date.
As of now, the latest version is 5.4.2 — you can check if you’re running the latest version of WordPress by Googling “Latest version of WordPress” and comparing in the admin dashboard.
In addition to updating WordPress itself, but sure to update your plugins and themes. Most themes and plugins make this process straightforward. Update themes by checking in the Admin > Appearance > Themes. Update plugins by checking in Admin > Plugins.
7. Install an SSL Certificate
This tip (and #8 below) isn’t as straightforward as #1-6, but it’s just as important. An SSL (or Secure Sockets Layer) Certificate, is crucial for website security.
SSL encrypts information sent between your website and other sources. For example, if you enter your credit card information on an e-commerce website, SSL keeps your data safe between the website and card processor.
You know the little lock that appears next to the URL on websites? That’s proof of an SSL certificate.
I’ll go more in-depth about SSL certificates in the future. For now, it’s sufficient to say that if your site doesn’t have an SSL certificate, you’re potentially compromising your website visitors, data, and SEO rankings.
(Yes — Google does take SSL into consideration for search rankings. Aka even if you don’t have an e-commerce store, you absolutely should have an SSL certificate.)
You can create and add an SSL certificate on your own, but the easiest way to add an SSL certificate is through your hosting provide. For most clients, I recommend contacting your web developer or host (GoDaddy, BlueHost, or SiteGround) to setup an SSL certificate for your site.
8. Update PHP
PHP is the language that powers WordPress. Running outdated an outdated PHP version can compromise your sites speed and security.
WordPress websites now post information directly in the admin screen about the minimum recommended PHP version. For example, at the time of this writing the minimum recommended PHP is version 7.4.
Like tip #7, this step will require some changes within your hosting setup. I suggest you contact your web host and ensure that your website is running the minimum recommended version of PHP.
9. Run Periodic (Free!) Checks
Ok, whew. You’ve done steps #1-8…
Your usernames = unique
Your logins = limited
Your plugins = purged
Your passwords = preternaturally, positively pretentious
…you get the idea. 😉
So what comes next?
Now that you’ve hardened your WordPress website security, it’s still valuable to periodically check that nothing is awry.
I recommend using a tool such as Sucuri SiteCheck to check that everything is ship-shape.
But let’s say the worst happens — you check the website and find a dreaded hack, or malicious files. What now?
That’s where the final, and most important tip comes into play…
10. Schedule Backups
I cannot say this enough…BACKUP, BACKUP, BACKUP.
If there’s one thing to take away from this guide, it’s that backups are the absolute most important thing to save time and money
Do you value your time? Backup your website.
Do you want to save thousands of dollars? Backup your website.
Do you want prevent the loss of weeks, months, or even years, of data? Back 👏 Up 👏 Your 👏 Website 👏
A clean website backup is your #1 tool to recover a compromised website.
I recommend backing up your website at least weekly. If you have a high- activity site (such as an e-commerce or membership platform), even more frequent backups are important.
You can use paid plugins (such as BackupBuddy) or free plugins (such as BackWPUp). If you want to go another route, many hosting providers offer backup services. Check with your specific host to see what options are available.
Whatever system you use for backups, be sure that you are backing up both your database and files.