WordPress Security Fundamentals: How to Not Get Hacked

By Mike Davey, Senior Editor

WordPress has come a long way towards its stated goal of democratizing publishing, powering roughly 43% of the websites on the web. That popularity also makes it a prime target: a single flaw in WordPress or a popular plugin gives an attacker a very large pool of potential victims. In this article, we’ll look at what you can do to make your WordPress site more secure, examine practices like storing WordPress in its own directory and disabling directory browsing, and look at how the right hosting service can take some of the security work off your plate.

Security isn’t something you do once and forget about. It’s an ongoing process that requires constant education. This article focuses on the basic security steps you can take to keep your WordPress site safe.

Isn’t WordPress Secure Already?

No site is 100% secure. Given enough time and resources, an attacker can breach any site. That doesn’t mean there’s no point in security measures. The exact same thing could be said of any physical building, and yet Fort Knox remains unplundered.

WordPress itself is reasonably secure. It may seem counterintuitive, but the open-source nature of the WordPress project likely helps to spot and fix vulnerabilities. Literally thousands of developers work on, in, and around WordPress every single day. The collective effort of so many people makes it very strong, because it only takes one person to find a vulnerability and report it. WordPress also has a dedicated security team responsible for making sure WordPress core is as secure as possible.

The WordPress Security Team is made up of approximately 50 experts including lead developers and security researchers — about half are employees of Automattic…and a number work in the web security field. The team consults with well-known and trusted security researchers and hosting companies.

– WordPress Security White Paper

WordPress core is only one component of what makes a WordPress site. Plugins and themes are much more common avenues of attack. As Sucuri notes in their 2022 Website Threat Research Report, “the most notorious threats to content management systems stem from vulnerabilities introduced by extensible components, plugins, themes, and other third-party software.”

Update WordPress, Themes, and Plugins Regularly

Keeping WordPress core and every installed plugin and theme on the latest stable version is one of the easiest things you can do to keep your site secure. It’s also one of the easiest to neglect.

There are large, publicly available databases of known vulnerabilities in WordPress core, plugins, and themes, each entry listing the versions affected. Attackers can read those databases just as easily as anyone else, and then scan for sites still running the affected versions. An unpatched, publicly documented flaw is the cheapest way into a site there is.

Audit Your Plugins and Themes

Auditing your extensions is critical to keeping your site secure. Limit yourself to extensions from reputable sources, which means both a trustworthy author and a trustworthy place to download from.

For free plugins and themes, be sure to get them from wordpress.org if available. For premium extensions, only download them directly from the vendor. Avoid free or “nulled” premium extensions as these can be modified to contain backdoors to allow the “street vendor” to easily gain full access to your site. Remember how your parents always told you to never take candy from strangers? THIS IS THAT CANDY.

Candy hearts with messages like "U stink" and "Prize pig."

Beware of themes that bundle plugins inside the theme itself rather than requiring the plugin dependencies to be installed normally. Plugins bundled in a theme can’t be updated through the normal update process, so you depend on the theme author to ship a new theme release every time one of those bundled plugins is patched.

Don’t keep plugins or themes installed that you are not using. Even an inactive plugin can be a vulnerability: its files are still on disk and reachable from the web, and a flaw in a plugin file that can be requested directly does not care whether the plugin is active. Choose extensions that are updated regularly, and, again, update them regularly.

Use HTTPS

By this point, using HTTPS instead of HTTP should go without saying. The trouble with anything that “goes without saying” is that people stop saying it.

Your site is almost certainly already being served over HTTPS. It’s been around for well over two decades at this point, and Google’s Chrome browser has been identifying HTTP sites as “Not Secure” since 2018.

On the off chance your site is still on HTTP, switch it to HTTPS as soon as you can: install a certificate, redirect every HTTP request to its HTTPS equivalent, and change the WordPress Address and Site Address settings to https:// so your own pages stop loading scripts and images over plain HTTP.

Don’t Use Common Administrator Usernames

This is another easy one. Using “admin” or “administrator” as a username hands attackers half of the credential for free. If your site uses one of these usernames, create a new administrator account with a different username, log in as that account, and delete the old one. When you delete a user, WordPress offers to attribute all of that user’s posts and content to another account, so nothing is lost. Keep in mind that usernames are not secret in WordPress (author archive URLs and the REST API expose them), so this removes the lowest-effort guess rather than hiding your account.

Exercise the Principle of Least Privilege

The principle of least privilege says that each part of a system should have access to exactly the resources it needs to do its job, and nothing more. Don’t give any more power or access than is required. In WordPress terms, the easiest thing you can do is not make anyone an administrator who doesn’t need to be. WordPress ships with Editor, Author, Contributor, and Subscriber roles for exactly this purpose; a writer who only publishes posts has no business being able to install plugins or create users.
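To make the last two points concrete (no generic administrator usernames, and no more administrators than necessary), here is an added example that is not part of the original article or of WordPress itself. It is a script for WP-CLI’s wp eval-file: it lists every account holding the Administrator role, flags the guessable usernames, and registers a narrower role for people who only need to publish content. The role slug, its display name and the exact capability list are assumptions to adjust for your own site.

```php
<?php
/**
 * Least-privilege helpers for a WordPress site (added example, not core code).
 * Run with WordPress loaded, e.g.:  wp eval-file least-privilege.php
 */

/**
 * List every account holding the Administrator role so the list can be pruned,
 * and flag the generic usernames that brute-force bots try first.
 *
 * @return string[] One human-readable line per administrator.
 */
function lp_audit_administrators(): array {
    $generic_names = [ 'admin', 'administrator' ];
    $lines         = [];

    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        $flag = in_array( strtolower( $user->user_login ), $generic_names, true )
            ? '  <-- generic username: create a replacement admin, then delete this one'
            : '';
        $lines[] = sprintf( '#%d %s <%s>%s', $user->ID, $user->user_login, $user->user_email, $flag );
    }

    return $lines;
}

/**
 * A role for someone who publishes content but must never touch plugins, themes,
 * users or settings. WordPress roles are allow-lists: any capability not granted
 * here is denied. Slug, display name and capability list are assumptions.
 */
function lp_register_publisher_role(): void {
    if ( get_role( 'site_publisher' ) ) {
        return; // Roles persist in the database; add_role() only needs to run once.
    }

    add_role( 'site_publisher', 'Site Publisher', [
        'read'                 => true,
        'upload_files'         => true,
        'edit_posts'           => true,
        'edit_others_posts'    => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'delete_posts'         => true,
        'edit_pages'           => true,
        'edit_published_pages' => true,
        'publish_pages'        => true,
        // Deliberately absent: install_plugins, activate_plugins, edit_themes,
        // edit_users, create_users, manage_options, edit_files.
    ] );
}

lp_register_publisher_role();
foreach ( lp_audit_administrators() as $line ) {
    WP_CLI::line( $line );
}
```

Once the role exists it appears in the Role dropdown on the user edit screen like any built-in role, so demoting an over-privileged account is a one-click change. Anyone flagged by the audit should be replaced by a fresh administrator account and then deleted, reassigning their content during deletion as described above.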

Limit Login Attempts

By default, WordPress does nothing to stop someone from trying to log in hundreds of times per minute, so automated bots can keep guessing passwords until one lands. The login form isn’t the only door, either: xmlrpc.php accepts a username and password too, and bots use it heavily. WordPress core doesn’t throttle either of them, but there are plenty of plugins that will lock a client out after a handful of failed attempts.
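As an added example (not code from the article or from any of the plugins it mentions), here is the core of what such a plugin does, written as a must-use plugin that can be dropped into wp-content/mu-plugins/, where WordPress loads it without activation. The thresholds are assumptions. It counts failures per client address in a transient and, once the limit is reached, overrides the outcome of the authenticate filter so a locked-out client receives the same error whether or not the password was right. Both wp-login.php and xmlrpc.php go through wp_authenticate(), so both are covered.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Locks a client address out after repeated failed logins.
 * Install:     copy to wp-content/mu-plugins/login-throttle.php (mu-plugins load
 *              automatically and cannot be deactivated from the dashboard).
 */

// Assumed policy for this example: 5 failures within 15 minutes = 15-minute lockout.
const LT_MAX_FAILURES = 5;
const LT_WINDOW       = 15 * MINUTE_IN_SECONDS;

/**
 * Transient key for the calling client. REMOTE_ADDR is set by the web server and
 * cannot be forged by the client; behind a reverse proxy or CDN it is the proxy's
 * address, so substitute the forwarded-for header that *your* proxy sets (and
 * validate it), otherwise every visitor shares one counter.
 */
function lt_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_failures_' . md5( $ip );
}

function lt_failure_count(): int {
    return (int) get_transient( lt_client_key() );
}

// Every failed attempt bumps the counter and restarts the window. A rejected
// attempt during a lockout also fires this hook, so hammering the login page
// only extends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    set_transient( lt_client_key(), lt_failure_count() + 1, LT_WINDOW );
} );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lt_client_key() );
} );

// Priority 30 runs after core's username/password check (priority 20), so the
// result is overridden: a locked-out client gets this error whether or not the
// password was correct and cannot use the lockout as a password oracle.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lt_failure_count() >= LT_MAX_FAILURES ) {
        return new WP_Error(
            'lt_locked_out',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', LT_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );
```

Two practical caveats. Without a persistent object cache, each transient write is a row in the options table, so a sustained attack costs you database writes; the plugins the article mentions add rate-limited storage, allow-lists and notifications on top of this basic idea. And keying on the address alone means a shared office or mobile carrier NAT can lock out many legitimate users at once, which is why most products combine an address-based limit with a per-username one.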

Use 2-Factor Authentication

2-Factor authentication is an added layer of login security. Your password is the first layer. After the correct password is provided, you must pass a second challenge before you are logged in, usually a six-digit code that changes every 30 seconds, generated by an authenticator app on your phone or another device and typed into an additional field. Possessing the device you enrolled is what proves it’s you; an attacker who has only your password is stopped at the second step.

You can add 2-factor authentication to your WordPress site with plugins like WP 2FA or Google Authenticator.

Put WordPress in Its Own Subdirectory

Installing WordPress in its own subdirectory (for example /wp/ instead of the site root) can cut down on some of the malicious traffic knocking on your door, because bots that blindly request /wp-login.php or /xmlrpc.php at the root get a 404 instead of a login form. Another reason to do it is that it gives you a cleaner directory structure, with your own files separated from WordPress’s.

Diagram comparing WordPress files in a standard install to WordPress files in their own directory

Don’t count on this for concealment, though: your pages still link to wp-content assets under the new path, so anyone who looks at the HTML source knows you run WordPress and where. A related step with more substance is moving your wp-config.php file outside the publicly accessible web root. WordPress looks for wp-config.php one directory above its own directory when it isn’t found alongside the core files, so the move needs no code changes, but note that if WordPress itself sits in a subdirectory of the web root, one level up is still inside the web root. There are arguments both for and against doing this.

Disable Directory Browsing

An attacker who can see a listing of your files has a golden opportunity to look for weak points: plugin directories and their versions, stray backups, files you forgot about. Whether that listing is available is a web server setting, not a WordPress one, and WordPress ships no index file in wp-includes/ to suppress it. If directory indexing is on, attackers just need to visit yoursite.com/wp-includes/ to see every file in it. If you’ve disabled directory browsing, they should see something like this instead:

A white screen showing "403 Forbidden."

If you see files when you try this, you’ll need to disable directory browsing. Your host may be able to do this for you. If not, you’re going to have to dig around in your Apache or Nginx configuration files. Please note that changing these configuration files can have drastic effects on your site. We strongly recommend testing any changes out on a staging site before rolling them out to production.

Nginx’s configuration lives in nginx.conf plus whatever files it includes (commonly under conf.d/ or sites-enabled/). Directory listing is off by default in Nginx, so the directive may not appear at all, which is fine. What you are looking for is any autoindex on; line; if one applies to your WordPress directories, your files are viewable.

Note that autoindex can be set at the server level or inside individual location blocks, and a location’s setting wins over the server-wide one. Switching it off globally can break a directory that was made browsable on purpose, such as a public downloads folder, while switching it on in one location exposes exactly that path. Check what each block covers before changing it.

Turning off directory indexing in Apache is normally done in the .htaccess file in your WordPress root. If you see a line that says Options +Indexes, indexing has been enabled there, but simply removing it only falls back to whatever the main server configuration says, which on some distributions is still indexing on. The reliable fix is a line reading Options -Indexes, which applies to that directory and everything below it; to limit it to a single directory, put an .htaccess file with that line in the directory itself. Two caveats: Options directives in .htaccess only work if the main configuration grants AllowOverride Options (or All) for that directory, otherwise Apache answers every request with a 500 error; and anything you add must sit outside the # BEGIN WordPress / # END WordPress block, which WordPress overwrites whenever you save your permalink settings. The warning we gave in regards to Nginx applies just as much here. If you don’t understand a directive, don’t mess with it.
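Pulling the Apache pieces together, here is an .htaccess for the WordPress root directory. It is an added example, not from the original article, and the file extensions and paths in it are assumptions to adapt to your own site. It disables directory indexing as described above, keeps wp-config.php unreachable over HTTP (an alternative to moving it out of the web root), refuses to serve the database dumps and archives some backup plugins leave in wp-content/uploads (see the backups section below), and redirects plain HTTP to HTTPS. It assumes Apache 2.4 with AllowOverride permitting Options and FileInfo for the directory.

```apache
# /path/to/wordpress/.htaccess
# Keep custom rules OUTSIDE the "# BEGIN WordPress ... # END WordPress" block,
# which WordPress rewrites when permalink settings are saved.

# 1. No directory listings in this directory or anything below it.
#    Requires AllowOverride Options (or All) in the main Apache config;
#    without it, Apache returns 500 "Options not allowed here".
Options -Indexes

# 2. wp-config.php must never be served, even if PHP handling breaks and
#    Apache falls back to sending the file as plain text.
<Files "wp-config.php">
    Require all denied
</Files>

# 3. Database dumps and archives (for example, left by a backup plugin under
#    wp-content/uploads) are not downloadable. The extension list is an
#    assumption; remove any your site legitimately serves.
<FilesMatch "\.(sql|zip|tar|gz|tgz|bak)$">
    Require all denied
</FilesMatch>

# 4. Force HTTPS. Needs mod_rewrite, which WordPress pretty permalinks already use.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
```

Test this on a staging copy first, as the article advises for any server configuration change. In particular, if TLS terminates at a proxy or CDN in front of Apache, %{HTTPS} is off on every request and rule 4 produces a redirect loop; in that setup the condition has to check the forwarded-protocol header your proxy sets instead. After deploying, request yoursite.com/wp-includes/ and yoursite.com/wp-config.php and confirm both come back as 403 Forbidden.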

Keep Regular Backups

If your server evaporated today, would your site be up and running again tomorrow? Backups help ensure you can restore a site in the event it’s compromised and the damage is irreparable.

How often you back up, and how long you keep each backup, depends on how valuable the site is and how often it changes. A busy ecommerce site needs far more frequent backups than a personal blog, and you want enough history to restore from a point before a compromise was noticed, not just from last night.

Never store your backups on the server where your site is hosted. This is important for two reasons:

  1. If your site is ever compromised, the attacker may delete or infect your backups
  2. If your backups became accessible (some plugins write backup files right into the uploads directory, which is served to the public), an attacker could download one and use it to get into the live site: the archive contains wp-config.php with your database credentials and authentication salts, and the database dump holds every user’s password hash

Test Restoring From Backups

Running test restores is an essential part of the process. It’s a terrible feeling to reach for a backup and find out it doesn’t work…or wasn’t being created in the first place.

After restoring, make sure any database dumps or other sensitive files that were part of the backup are deleted or not publicly accessible.

Use a Good Host

The right host can go a long way in keeping your site safe. Hosts that specialize in WordPress are usually attuned to the security needs of that platform.

Some hosts eliminate the need to take some of the steps we’ve discussed, because those security features are automatically enabled. For example, both WP Engine and Flywheel offer automated daily backups, malware scanning, 2-factor authentication, managed updates for WordPress core, themes, and plugins, and other security features as part of their hosting plans.

Security Plugins

Reviewing all of the security plugins available for WordPress would be a series in itself. A search on the plugin repository gives us dozens of options.

Three of the most popular general purpose security plugins for WordPress are Wordfence Security, iThemes Security (https://en-ca.wordpress.org/plugins/better-wp-security/, since renamed Solid Security), and Sucuri Security.

We’re not making any endorsements, but the fact that these plugins have been around for years and boast millions of active installations says something about how widely they are trusted. Remember that a security plugin is still a plugin: it runs with full access to your site, it can have vulnerabilities of its own, and it needs the same prompt updating as everything else you install.

Wrapping Up

Securing your website is like trying to keep squirrels out of your birdfeeder. There are always going to be squirrels. You just have to make your feeder harder to reach than the others.

Attackers may be clever, or they may prefer a brute force approach. One thing they always are is persistent. We’ve covered some of the ways you can harden your sites against these attacks, but security can’t be adequately covered by a single article. The persistence of malicious actors requires that you be equally persistent in educating yourself about security practices and more sophisticated attacks.

Now that you’ve covered the fundamentals, you might want to tackle penetration testing for WordPress, or look into how to encrypt passwords, keys, and more with PHP. Last but not least, there are steps you can take to further secure WordPress by modifying your wp-config file.

What do you do to keep your site secure? Have any tips which you think everyone should know about WordPress security? Sound off in the comments below.

About the Author

Mike Davey Senior Editor

Mike is an editor and writer based in Hamilton, Ontario, with an extensive background in business-to-business communications and marketing. His hobbies include reading, writing, and wrangling his four children.