WordPress security plays a HUGE role in your website's performance and reputation.
As you optimize your website and it grows more popular, it automatically attracts attention from attackers. Most of that attention is automated: bots probe every WordPress site they can find, regardless of its size.
You will be attacked! Sooner or later.
The real question is: Are you prepared?
This guide outlines ALL the necessary steps you need to take in order to maximize your blog's safety.
Let's get started!
This guide was made specifically for non-techie folks (like me).
- WordPress Security: Basics
- WordPress Security: Plugins
- WordPress Security: Bonus Tools
- How to Fix a Hacked Website?
- How Should You Approach This Guide?
WordPress Security: Basics
Pure statistics:
Cybercrime damages will cost the world $6 trillion annually by 2021.
Website security was, is, and will be one of the main concerns all webmasters have to encounter.
The threat is huge and inevitable. You’d better prepare. And you’d better do it right now!
Below are some of the finest techniques that will help you protect your web property and keep it away from “dirty hands”.
Let’s start with the most essential steps EVERYONE should follow.
1. Secure Your Computer
It all starts from the very beginning. Do yourself a great favor right now and get a decent antivirus and malware scanner.
If your own computer is infected, nothing you do on the website matters: a keylogger or password-stealing trojan captures your WordPress login the moment you type it, and a malicious browser extension can ride along inside your logged-in dashboard session.
Run a full scan of the computer after installation and repeat the process regularly (most of these tools can schedule it for you).
Tools to consider:
- 360 Total Security
- Norton
- Kaspersky
- Bitdefender
2. Password Protect Your Laptop
Thousands of laptops are stolen each year in the U.S., and the information on them leaks far too easily.
Create a strong password that no one but you knows and require it at the login screen. A login password alone does not protect the files on a stolen disk, though: the drive can simply be pulled out and read elsewhere. Turn on full-disk encryption as well (BitLocker on Windows, FileVault on macOS), and set the screen to lock after a few minutes idle.
You never know who wants to check your computer (especially if you have it in the office).
3. Use a Password Manager
Here is the thing: you MUST use many different, unique, and complex passwords when working with your website (the WordPress admin, the hosting panel, FTP/SFTP, the database, the domain registrar, and the e-mail account that receives your password resets).
Yet it may seem troublesome to remember all of them.
There are two ways to consider:
- Write them all down on a piece of paper and NEVER show it to ANYONE.
- Use a reliable password manager and thrive!
I personally recommend using LastPass as an all-in-one tool.
It's one of the best-known and cheapest ($24/year) solutions for password management. Whichever manager you pick, protect it with a long master passphrase and two-factor authentication: it now holds the keys to everything else.
4. Access Your Site From a Secure Location
The Wi-Fi network through which you access your website matters too. On an open public hotspot anyone on the same network can see unencrypted traffic, and a rogue access point carrying the café's name is trivial to set up. HTTPS (see step 6) protects the content of your dashboard session, but it does not stop a fake hotspot from sending you to a look-alike login page.
Use only trustworthy Wi-Fi, ideally only your own; when you must work from a public spot, tether to your phone or use a VPN you trust.
5. Reputable Hosting Provider
Once your PC is secured and you have an extensive set of unique passwords, it's time to give your blog a reputable, security-conscious hosting provider that will also keep your website fast. No host is "hack-proof", but a good one patches its servers, isolates customer accounts from each other, keeps backups, and watches for malware so that you don't have to.
Among all of the options on the market I would suggest you use the ones below:
– Siteground for small to medium blogs
– And WP Engine for more sophisticated players
SiteGround is probably the BEST option for beginner bloggers and websites 1-5 years old.
WP Engine would be a great choice for websites with high traffic and high amount of potential attacks.
I host my blogs on SiteGround and recommend it to all of my readers without any hesitation.
Some of the reasons why millions of bloggers and I choose it:
- In 2018, SiteGround achieved an incredible 98% client satisfaction rate!
- It optimizes the performance of WordPress sites so much that you can see speed gains between 20% and 500% depending on the type of site you run!
- In 2018, SiteGround was extremely successful in keeping client sites well secured.
Sign up to SiteGround right now and forget about the insecure and poor-performing website!
In order to help you out with the registration, I have described the whole process step-by-step.
Check out: How to Start a Blog in 2019
6. Get Your Website Encrypted
Here is the sad truth: any computer between you and the server (the café's router, your ISP, a compromised hop along the way) can read what you send, including usernames and even passwords(!), unless the connection is encrypted with TLS, which is what people still call an "SSL certificate". Credit card numbers are only at risk if your own pages collect them, but your admin password travels over that same connection every time you log in.
HTTPS is also one of Google's ranking signals (a modest one).
Cloudflare SSL will encrypt the traffic between your visitors and Cloudflare's servers to prevent eavesdropping and tampering, and it's free of charge.
One caveat: Cloudflare's "Flexible" mode leaves the hop from Cloudflare to your hosting server in plain HTTP. Choose "Full (strict)" and install a certificate on the host itself (your hosting panel or Let's Encrypt will do) so the whole path is encrypted.
Note: It will change your site's URL from http://www.example.com to https://www.example.com. Implement SSL encryption BEFORE adjusting WordPress security settings and installing any security plugins. It will save you a lot of time, as you will be using the new URL quite often.
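The wp-config.php lines that go with the move to HTTPS, as an added example that is not part of the original guide. It assumes the site sits behind Cloudflare (or another reverse proxy) that terminates TLS and passes the visitor's scheme in an X-Forwarded-Proto header; example.com and the proxy IP ranges are placeholders.

```php
<?php
// wp-config.php excerpt: HTTPS settings for a site behind Cloudflare.
// Added example; example.com is a placeholder. Put these lines ABOVE the
// "That's all, stop editing!" comment in your existing wp-config.php.

// 1. Tell WordPress its canonical address is https:// so generated links,
//    redirects and cookies all use the new scheme.
define( 'WP_HOME',    'https://www.example.com' );
define( 'WP_SITEURL', 'https://www.example.com' );

// 2. Never serve the login form or the dashboard over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );

// 3. The proxy terminates TLS and tells the origin what the visitor used in
//    X-Forwarded-Proto. Without this block WordPress believes the request
//    is plain HTTP, and FORCE_SSL_ADMIN produces a redirect loop.
//    Only honour that header when the request really comes from the proxy;
//    otherwise anyone can send "X-Forwarded-Proto: https" themselves.
//    The ranges below are placeholders: replace them with the current list
//    your proxy publishes (Cloudflare: https://www.cloudflare.com/ips/).
$trusted_proxy_cidrs = array( '173.245.48.0/20', '103.21.244.0/22' );

function wpcfg_ip_in_cidr( $ip, $cidr ) {
    list( $subnet, $bits ) = explode( '/', $cidr );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false; // IPv6 or garbage: treat as untrusted
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

$from_trusted_proxy = false;
foreach ( $trusted_proxy_cidrs as $cidr ) {
    if ( wpcfg_ip_in_cidr( $_SERVER['REMOTE_ADDR'] ?? '', $cidr ) ) {
        $from_trusted_proxy = true;
        break;
    }
}

if ( $from_trusted_proxy
     && isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

If you use Cloudflare's "Full (strict)" mode, the origin also needs its own certificate; the block above is still needed, because the proxy, not the visitor, opens the connection to your server.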
7. Change Your Admin Area URL
Normally, your admin area URL would look like this:
– example.com/wp-login.php
or
– example.com/wp-admin/
Why would you change it?
Because every bot on the internet knows those two paths and hammers them with password guesses. A custom login URL cuts that automated noise dramatically.
Be honest with yourself about what it does, though: it is obscurity, not a lock. Anyone who finds the new URL can still guess passwords against it, the /wp-content/ and /wp-includes/ paths in your page source give away that you run WordPress anyway, and the xmlrpc.php endpoint still accepts a username and password unless you disable it. Use it together with strong passwords and the login-protection plugins below, not instead of them.
And, frankly, a custom login URL looks nicer on a bookmark than wp-login.php.
Now, how do you change the admin area URL?
There are a couple of nice plugins on the market that will help you with this task. You may try WPS Hide Login or Custom Login URL.
They are both easy to use: all you need to do is type in the new URL and remember it, or bookmark it in your browser.
Note: These two plugins have been tested on hundreds of websites and work just fine. Still, I strongly recommend taking a backup with a reliable WP backup plugin before changing the URL, and writing the new URL down somewhere safe. If you forget it, you are locked out of your own dashboard until you rename the plugin's folder over FTP to disable it.
8. Don't Use the Default "admin" Username
You should NEVER keep the default user name "admin" on your WordPress website.
This is the first user name attackers try, so half of every brute-force attempt is already solved for them.
How do you replace the "admin" user in WordPress?
Step 1: Head over to the Dashboard and click Users > All Users.
Step 2: Click on Add New.
Step 3: Pick a unique user name (not your display name, not your domain), give it the Administrator role, and click Add New User. Log out and back in with the new account to make sure it works.
Step 4: Delete the old "admin" user. WordPress will ask what to do with its posts; choose "Attribute all content to" your new account so nothing is lost. Demoting "admin" to subscriber, as some guides suggest, still leaves a known login name for attackers to guess passwords against; deleting it removes the target.
One more leak to close: the author archive URL (example.com/?author=1 redirects to it) contains the user's "nicename", which WordPress derives from the login name and which the dashboard cannot change. At minimum, make sure the Display Name differs from the login name so it isn't printed on every post as well.
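The same replacement done through the WordPress user API instead of the dashboard, as an added example that is not part of the original guide. It is meant to be run once from a file that WordPress loads, for instance with WP-CLI's `wp eval-file`; the new login name, the e-mail address and the nicename are placeholders.

```php
<?php
/**
 * Added example: replace the default "admin" account via the WordPress
 * user API. Run once, e.g.:  wp eval-file replace-admin.php
 * "site_owner_7k2", "owner@example.com" and "site-owner" are placeholders.
 */

$old_login = 'admin';
$new_login = 'site_owner_7k2';        // placeholder: pick something unguessable
$new_email = 'owner@example.com';     // placeholder

// wp_delete_user() lives in an admin-only include.
require_once ABSPATH . 'wp-admin/includes/user.php';

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    echo "No user named '{$old_login}' exists; nothing to do.\n";
    return;
}

// Let WordPress generate a long random password rather than choosing one.
$password = wp_generate_password( 32, true, true );

$new_id = wp_insert_user( array(
    'user_login'    => $new_login,
    'user_pass'     => $password,
    'user_email'    => $new_email,
    'role'          => 'administrator',
    // Keep the login name out of public pages: the author archive URL uses
    // user_nicename and every post byline shows display_name.
    'user_nicename' => 'site-owner',    // placeholder
    'display_name'  => 'Site Owner',    // placeholder
    'nickname'      => 'Site Owner',    // placeholder
) );
if ( is_wp_error( $new_id ) ) {
    echo 'Could not create user: ' . $new_id->get_error_message() . "\n";
    return;
}

// Reassign every post and page written by "admin" to the new account, then
// delete "admin" entirely (second argument = user to receive its content).
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    echo "Failed to delete '{$old_login}'; the new account was still created.\n";
    return;
}

echo "Created '{$new_login}' (ID {$new_id}) and removed '{$old_login}'.\n";
echo "Temporary password, change it after first login: {$password}\n";
```

The temporary password is printed to the terminal only; clear your shell history afterwards or change it at first login, as the last line says.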
9. Come Up With a Strong Password
This step might sound too obvious, yet many new bloggers tend to skip it.
You MUST create a super-duper password that adds a solid layer of security to your website.
WordPress gives you two options:
– It generates a strong password by itself:
– It lets you create your own
Pro Tip: You may let WP generate a unique password for you AND add some extra digits, signs or letters to make it even longer!
You can also use an online tool such as Strong Password Generator; it will create a very hard to guess combination. Prefer a generator that runs on your own machine, though (the one built into your password manager, or WordPress's own), since a password created on someone else's web page has, by definition, existed outside your control.
10. Disable Pingbacks and Trackbacks
These rather useless features of WordPress do nothing to make your website more secure.
They add workload and notification spam, and there is a real attack angle too: pingbacks are delivered through the XML-RPC endpoint (xmlrpc.php), and attackers have used the pingback requests of thousands of WordPress sites to flood third-party targets, making each server an unwitting participant in someone else's DDoS.
You can turn them off in less than 1 min.
Simply go to Admin Panel > Settings > Discussion and uncheck "Allow link notifications from other blogs (pingbacks and trackbacks) on new articles". Note the words "on new articles": existing posts keep their own setting, and the XML-RPC pingback method itself stays enabled.
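Closing pingbacks for the whole site, not only for new posts, as an added example that is not part of the original guide. It is a small must-use plugin (a file dropped into wp-content/mu-plugins/, which WordPress loads automatically); the option name `added_example_pingbacks_closed` is a placeholder of my own.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks (added example)
 * Description: Added example, not from the original guide. The Discussion
 * checkbox only affects new posts; this closes the pingback XML-RPC method,
 * stops advertising it, and flips the flag on posts already published.
 * Install by copying the file to wp-content/mu-plugins/.
 */

// 1. Remove the pingback methods from XML-RPC so xmlrpc.php can no longer be
//    used to make this server send requests to arbitrary third parties.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint: WordPress sends an X-Pingback response
//    header and themes print <link rel="pingback"> from bloginfo().
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 3. Don't ping ourselves when one of our posts links to another.
add_action( 'pre_ping', function ( array &$links ) {
    $home = home_url();
    foreach ( $links as $i => $link ) {
        if ( 0 === strpos( $link, $home ) ) {
            unset( $links[ $i ] );
        }
    }
} );

// 4. One-time cleanup: close pings on every existing post and make "closed"
//    the default for future ones. The option name is a placeholder marker so
//    the UPDATE runs only once.
add_action( 'init', function () {
    if ( get_option( 'added_example_pingbacks_closed' ) ) {
        return;
    }
    global $wpdb;
    $wpdb->query( "UPDATE {$wpdb->posts} SET ping_status = 'closed' WHERE ping_status = 'open'" );
    update_option( 'default_ping_status', 'closed' );
    update_option( 'added_example_pingbacks_closed', 1 );
} );
```

If nothing on your site uses XML-RPC at all (the mobile app and Jetpack do), you can go one step further and return false from the `xmlrpc_enabled` filter, which disables the whole endpoint.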
11. Themes and Plugins
When your blog starts attracting new readers you should think about purchasing a premium WordPress theme.
Unreliable WP themes and plugins can cause HUGE problems for bloggers.
They are poorly coded and full of flaws.
Those flaws are the doorways through which attackers get in: in practice, far more WordPress sites are hacked through a vulnerable plugin or theme than through WordPress core itself. And pirated ("nulled") copies of premium themes and plugins offered on torrent and warez sites routinely come with malware or a backdoor already planted in them.
One of the best things you can do for your website safety is to get the themes and plugins from dependable resources such as MyThemeShop.
Their products are beautiful, fast, and SECURE!
12. Keep Your Website Updated
Having themes and plugins from trustworthy sources is one thing, updating them regularly is another!
Most updates include security fixes, and once a fix is published the flaw it closes becomes public knowledge; bots start scanning for unpatched sites within days, sometimes hours.
Things you should constantly update:
- WP version
- WP theme
- WP plugins
More Updates = More Security! Also delete (not just deactivate) plugins and themes you no longer use: a deactivated plugin's files are still on the server and can still be exploited.
Note: Though it has little to do with WordPress security, you should never forget to update your old blog posts either. Fine copywriting techniques can help a lot.
13. Enable a Web Application Firewall (WAF)
A WAF places itself between your site and the rest of the internet.
Every request from now on goes through it before it reaches your site.
Web Application Firewall companies can perform two amazing tricks:
- They can detect bad traffic (known exploit payloads, SQL injection and XSS patterns, brute-force bursts, bad bots).
- They can reject bad traffic, so it never reaches your server.
Most full-featured WAFs are paid services.
Which WAF should you choose?
Later in this guide, I am gonna introduce you to a MASSIVE security plugin called Sucuri.
Almost all of its features are absolutely free. One of the paid ones is the WAF!
It is powerful, dependable and legit!
Sucuri's WAF is constantly updated to recognize common and emerging attacks.
One caveat for cloud WAFs like this one: traffic is filtered only if it actually passes through the WAF. If your server's real IP address is known (from old DNS records, or because the server sends e-mail directly), attackers can bypass the WAF by talking to the server directly, so ask your host to accept web traffic only from the WAF's IP ranges.
This degree of protection makes it much harder to harm your site.
14. Uncheck the Membership Option
The "Anyone can register" box under Membership should be unchecked in Settings > General.
You do it for the single purpose of controlling WHO can register on your website.
If it is checked, you open a doorway for spammers, and every spam account is one more set of credentials living on your site.
Here is how to disallow anyone from registering on your website:
Dashboard > Settings > General > Membership: uncheck "Anyone can register". While you are there, check that "New User Default Role" is Subscriber, the role with the fewest rights.
15. Scan the Site Regularly
Even if everything seems safe and sound, you should still do website checkups.
That is a good habit that all thoughtful bloggers mastered a long time ago.
Now the question is:
How to do a WordPress security checkup?
There are services on the market that offer scheduled website checks.
The only problem is that they may be quite pricey!
So if you are on a budget, one of the best ways is to use WordPress security plugins.
Let's check them out!
WordPress Security: Plugins
In the previous section, you learned how to create a custom admin area URL and retire the "admin" user name.
Why not put some more extra layers of security on this vital part?
Let me introduce some of the best plugins out there that will make your admin area much harder to break into.
16. Login LockDown Plugin
Sometimes hackers try to get into your site by guessing your admin password.
One of WordPress's weakest spots is that, out of the box, it puts no limit on failed login attempts: a user (or a script) may try as many passwords as it wants.
Hackers use scripts that automatically submit different combinations, thousands per hour, until one works.
The best solution is a plugin that blocks a client after too many failed login attempts (5 or more).
In the Login LockDown plugin you may choose:
- Number of failed attempts
- Retry time period
- Lockout length
- Lockout invalid usernames
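What a lockout plugin does under the hood, as an added example that is not part of the original guide or of Login LockDown: failed logins are counted per client IP in a WordPress transient, and once the count passes a threshold the `authenticate` filter refuses the attempt even if the password is right. The thresholds, the `ae_` prefix and the key names are my own choices.

```php
<?php
/**
 * Plugin Name: Login Lockout (added example)
 * Description: Added example, not from the original guide or Login
 * LockDown. Counts failed logins per IP and locks the IP out for a while.
 * Install by copying the file to wp-content/mu-plugins/.
 */

define( 'AE_LOCKOUT_MAX_FAILS', 5 );                        // failures allowed...
define( 'AE_LOCKOUT_WINDOW',    15 * MINUTE_IN_SECONDS );   // ...within this window
define( 'AE_LOCKOUT_DURATION',  60 * MINUTE_IN_SECONDS );   // then locked this long

/**
 * Client IP. REMOTE_ADDR is the only value the web server vouches for.
 * Do NOT read X-Forwarded-For here unless a proxy you control sets it,
 * because an attacker can put anything in that header and dodge the lock.
 */
function ae_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ae_lockout_key( $prefix ) {
    return $prefix . '_' . md5( ae_lockout_client_ip() );
}

// 1. While locked, refuse every attempt, correct password or not. Priority 30
//    runs after WordPress's own username/password check (priority 20), so our
//    WP_Error is what the login form finally sees.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( false !== get_transient( ae_lockout_key( 'ae_lock' ) ) ) {
        // Same generic message whether or not the username exists.
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// 2. Count failures; lock when the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
    $fail_key = ae_lockout_key( 'ae_fails' );
    $fails    = (int) get_transient( $fail_key ) + 1;
    set_transient( $fail_key, $fails, AE_LOCKOUT_WINDOW );

    if ( $fails >= AE_LOCKOUT_MAX_FAILS ) {
        set_transient( ae_lockout_key( 'ae_lock' ), time(), AE_LOCKOUT_DURATION );
        delete_transient( $fail_key );
        // Leave evidence in the PHP error log for the server logs / fail2ban.
        error_log( sprintf(
            'Login lockout: %s after %d failures (last username "%s")',
            ae_lockout_client_ip(), $fails, $username
        ) );
    }
} );

// 3. A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( ae_lockout_key( 'ae_fails' ) );
} );
```

A per-IP lock is a blunt tool: a botnet rotates addresses faster than you can lock them, and a shared office or mobile network can lock out your own colleagues. It buys time and cuts noise; two-factor authentication (step 18) is what makes a stolen or guessed password useless.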
17. WP Security Question Plugin
This plugin adds an extra step to your admin login page.
The principle is simple.
You pick a question from the list or write your own:
Next, you scroll down the settings page and check the "Ask security question on login screen" option.
Then you head over to Users > All Users, click on your username and scroll down to the bottom of the page.
There you will find the field for typing the answer:
Every time someone tries to access your site through the login page, they will have to answer the question as well.
Treat this as a speed bump rather than a true second factor: a question is just a second password, and the usual ones ("mother's maiden name", "first pet") are often guessable or findable on social media. Invent a random answer and keep it in your password manager, or better, use the two-factor plugin in the next step.
18. Google Authenticator Plugin
This quite powerful plugin gives WordPress two-factor authentication using the Google Authenticator app for iPhone, Android, and Blackberry.
The app does not receive anything over the network: it derives a new six-digit code every 30 seconds from a secret shared with your site during setup and from the current time (the open TOTP standard), so any compatible authenticator app works, not only Google's.
The plugin requires typing the current code into your admin login area each time you want to access the website. A stolen password alone is then no longer enough to log in.
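How that six-digit code is produced and checked, as an added example that is not part of the original guide or of the Google Authenticator plugin. It implements the standards the app follows (HOTP from RFC 4226, TOTP from RFC 6238) and checks itself against the test vector published in RFC 6238; the `ae_` function names are my own.

```php
<?php
/**
 * Added example: TOTP code generation and server-side verification.
 * Not part of the original guide or of the Google Authenticator plugin.
 */

/** Decode the base32 secret shown as text/QR code when enrolling the phone. */
function ae_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    foreach ( str_split( $b32 ) as $c ) {
        $val = strpos( $alphabet, $c );
        if ( false === $val ) {
            return false; // not base32
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) {
            $bytes .= chr( bindec( $byte ) );
        }
    }
    return $bytes;
}

/** HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then truncate. */
function ae_hotp( $secret, $counter, $digits = 6 ) {
    $msg    = pack( 'J', $counter );              // 64-bit big-endian counter
    $hmac   = hash_hmac( 'sha1', $msg, $secret, true );
    $offset = ord( $hmac[19] ) & 0x0F;            // low nibble of the last byte
    $code   = ( ( ord( $hmac[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            |   ord( $hmac[ $offset + 3 ] );
    return str_pad( $code % ( 10 ** $digits ), $digits, '0', STR_PAD_LEFT );
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix_time / 30 s). */
function ae_totp( $secret, $unix_time, $step = 30, $digits = 6 ) {
    return ae_hotp( $secret, intdiv( $unix_time, $step ), $digits );
}

/**
 * Server-side check. Also accept the previous and next 30-second window so a
 * phone whose clock is a few seconds off still works, and compare in constant
 * time so response timing does not reveal how many digits matched.
 */
function ae_totp_verify( $secret, $submitted, $unix_time, $window = 1 ) {
    $submitted = preg_replace( '/\s+/', '', (string) $submitted );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( ae_totp( $secret, $unix_time + $i * 30 ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Self-test with the RFC 6238 vector: secret = ASCII "12345678901234567890",
// time 59 (counter 1), 8 digits -> 94287082; the 6-digit form is 287082.
$rfc_secret = '12345678901234567890';
if ( '94287082' !== ae_hotp( $rfc_secret, 1, 8 )
     || ! ae_totp_verify( $rfc_secret, '287082', 59 ) ) {
    fwrite( STDERR, "TOTP self-test failed\n" );
    exit( 1 );
}

// Real use: the secret from enrollment is base32, e.g. "JBSWY3DPEHPK3PXP"
// (placeholder), and the time is the server's clock.
$current = ae_totp( ae_base32_decode( 'JBSWY3DPEHPK3PXP' ), time() );
echo "Current code for the placeholder secret: {$current}\n";
```

Two practical consequences: the server's clock must be right (an NTP-synced host), and the shared secret is as sensitive as a password, so the plugin's database column holding it is what an attacker with database access goes for.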
19. WP fail2ban Plugin
This strong yet simple plugin is one of the most effective measures you can implement against brute-force password-guessing attacks.
The biggest difference from Login LockDown is where the blocking happens. WP fail2ban itself does not block anyone: it writes every login attempt (and a few other events) to the server's system log in a format the well-known fail2ban daemon can read, and fail2ban then bans the attacking IP at the server's firewall, so further requests never even reach PHP. That also means it needs fail2ban installed on the server, which is possible on a VPS or dedicated server but usually not on shared hosting.
20. UpdraftPlus WordPress Backup Plugin
Installing a dependable backup plugin on your WordPress site is probably the single best decision you can make to maintain its security and performance.
Any time you change WordPress settings or activate new plugins that you have never worked with, I strongly recommend taking a backup first.
This way you will easily be able to restore everything and get your website back to work.
Pro Tip: Schedule regular backups, every day/week/month, and send them off-site (UpdraftPlus can push to Dropbox, Google Drive, S3 and similar). A backup stored only on the hacked server is lost with it. Test a restore once so you know the files and the database actually come back.
21. Theme Authenticity Checker (TAC) Plugin
TAC checks that the theme you are using on your blog is safe and not carrying a hidden payload.
Normally there is no need for this plugin if you got your theme from a reputable source.
On the other hand, if you are not ready to invest in a good premium theme and found a nice free one "somewhere", you need to do a proper check.
If the plugin finds encoded or obfuscated code (typically base64-encoded strings passed to eval, or hidden links in the footer), consider contacting the theme author or switching to a safer one. A legitimate theme has no reason to hide what its code does.
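The same kind of check from the command line, as an added example that is not part of the original guide or of TAC. It walks a theme directory and reports lines matching the patterns such checkers look for; the pattern set is my own and deliberately noisy, so every hit is a lead to read, not proof of malware.

```php
<?php
/**
 * Added example: scan a theme (or plugin) directory for the code patterns
 * a checker like TAC flags. Not part of the original guide or of TAC.
 * Usage:  php scan-theme.php /path/to/wp-content/themes/my-theme
 * Exit code 1 when anything was found, 0 when clean, 2 on usage error.
 */

$patterns = array(
    // eval() of a decoded string is the classic packed backdoor
    'eval of decoded data' => '/eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i',
    // long base64 blobs hide payloads and spam links from a plain grep
    'long base64 literal'  => '/[\'"][A-Za-z0-9+\/]{120,}={0,2}[\'"]/',
    // shell execution has no business in a theme
    'shell execution'      => '/\b(shell_exec|passthru|proc_open|popen|system|exec)\s*\(/',
    // invisible links injected into footers (SEO spam)
    'hidden link'          => '/<a[^>]+style=["\'][^"\']*display\s*:\s*none/i',
    // including code from another server at runtime
    'remote include'       => '/\b(include|require)(_once)?\s*\(?\s*[\'"]https?:/i',
);

function ae_scan_theme( $dir, array $patterns ) {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! in_array( strtolower( $file->getExtension() ), array( 'php', 'js', 'html' ), true ) ) {
            continue;
        }
        $lines = file( $file->getPathname(), FILE_IGNORE_NEW_LINES );
        if ( false === $lines ) {
            continue;
        }
        foreach ( $lines as $n => $line ) {
            foreach ( $patterns as $label => $regex ) {
                if ( preg_match( $regex, $line ) ) {
                    $findings[] = array(
                        'file'  => $file->getPathname(),
                        'line'  => $n + 1,
                        'issue' => $label,
                        'text'  => substr( trim( $line ), 0, 120 ),
                    );
                }
            }
        }
    }
    return $findings;
}

$dir = $argv[1] ?? null;
if ( ! $dir || ! is_dir( $dir ) ) {
    fwrite( STDERR, "usage: php scan-theme.php /path/to/theme\n" );
    exit( 2 );
}
$findings = ae_scan_theme( rtrim( $dir, '/' ), $patterns );
foreach ( $findings as $f ) {
    printf( "%s:%d [%s] %s\n", $f['file'], $f['line'], $f['issue'], $f['text'] );
}
exit( $findings ? 1 : 0 );
```

Run it on a freshly downloaded theme before you upload it, and again on your live wp-content/themes/ directory once in a while: a theme that was clean when installed can be modified later by an attacker who got in another way.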
22. Inactive Logout Plugin
This helpful plugin protects your account from snoopers and "friends" by automatically logging it out after a set period of inactivity.
If someone sits down at the same machine after you walk away, they find a login screen instead of your open dashboard.
Lots of reputable banks and online businesses use this method to keep unwanted users from wandering around.
23. Sucuri Security Plugin
An AMAZING and super powerful plugin for your WordPress security. It is especially helpful for non-technical folks like me.
The interface is simple, and all settings are done in a couple of clicks!
Download the plugin and activate it. After it's activated, you need to go to the Sucuri menu > Dashboard.
You will see the request to Generate a free API key.
Fill in the required fields, then click on 1, 2, and 3.
When the key is generated, go to the Hardening tab in Sucuri Settings.
The plugin offers a hardening option for each common weak spot of your website.
Click on the "Apply Hardening" button for all of the options:
- Remove WordPress Version
- Block PHP Files in Uploads Directory
- Block PHP Files in WP-CONTENT Directory
- Block PHP Files in WP-INCLUDES Directory
- Information Leakage
- Default Admin Account
- Plugin and Theme Editor
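Three of the hardening items above done by hand, as an added example that is not part of the original guide or of Sucuri: removing the WordPress version, disabling the theme/plugin editor, and refusing the "admin" login name. It is a must-use plugin for wp-content/mu-plugins/; the `ae_` names are my own. "Block PHP files in uploads" is a web-server rule rather than PHP, so it is not covered here.

```php
<?php
/**
 * Plugin Name: Hardening (added example)
 * Description: Added example, not from the original guide or Sucuri.
 * Hides the WordPress version, disables the built-in file editor and
 * rejects the user name "admin". Copy to wp-content/mu-plugins/.
 */

// --- Remove WordPress Version ---------------------------------------------
// The version appears in <meta name="generator">, in the RSS feeds and as
// ?ver=x.y.z on core scripts and styles. Scanners read it to pick exploits.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

function ae_strip_core_version( $src ) {
    // Strip only the core version; plugin cache-busting versions stay.
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'ae_strip_core_version' );
add_filter( 'style_loader_src', 'ae_strip_core_version' );

// --- Plugin and Theme Editor ----------------------------------------------
// Appearance > Theme Editor lets anyone holding an administrator session
// write PHP straight onto the server. Turn it off; edit files over SFTP.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// --- Default Admin Account ------------------------------------------------
// Refuse the user name "admin" outright, whether or not such an account
// still exists, so guesses against it fail fast and leave a log line.
// Priority 30 runs after WordPress's own check so our error is the final one.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( 'admin' === strtolower( (string) $username ) ) {
        error_log( 'Rejected login attempt for "admin" from '
                   . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        return new WP_Error( 'invalid_username', 'Invalid username or password.' );
    }
    return $user;
}, 30, 2 );
```

Hiding the version number keeps your site out of the cheapest scans; it does not fix anything. The update step above is what actually closes the holes the scanners are looking for.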
The Scanner feature lets you scan your website for potential threats, and the Audit Logs record who logged in, what was changed and when, which is exactly what you will need if something does go wrong.
All of these options, if applied, will help to keep your blog much more secure.
Note: You can revert hardening options anytime you want.
In this section, I’ve shown you some of the finest security plugins on the market.
Next section will get you even further on the way of your WordPress security optimization.
WordPress Security: Bonus Tools
In this section, I am gonna reveal some of the most efficient online tools that will help you check your website security issues and maintain its safety.
Even if you have implemented all the strategies above, you may still want to do an extra scanning that will help you find out the blog’s vulnerabilities (if there are any).
Let’s check some of the finest online security scanners:
24. WPSCANS
This scanner is one of the most comprehensive WordPress vulnerability scanners online.
Some of the main features are:
– Deep scan technology
– Instant scans
– Automatic scans
– All-in-one dashboard
– Push notifications
– Advanced reports
Simply put your website URL into the tab, click on “START SCAN” button, and get your scan results!
25. Sucuri SiteCheck
Apart from an awesome security plugin, Sucuri offers a free online website malware and security scanner.
The one thing you need to do is to enter your website’s URL and click on Scan Website button.
Sucuri SiteCheck will scan the website for website errors, blacklisting status, known malware, and out-of-date software.
26. VirusTotal
A handy online tool that allows you to analyze suspicious URLs and files then facilitates the quick detection of worms, viruses, trojans, and all sorts of malware.
Type in your website’s URL, click on Scan it, and get an instant result:
How to Fix a Hacked Website?
If you happened to be one of those people who start praying only when they hear the storm thunder, then basically you have two options:
- Fix the broken site yourself (requires solid WordPress and coding knowledge)
- Let the professionals do the job.
The first option suits those who feel comfortable with WordPress security issues and code. At minimum it means restoring a clean backup, updating everything, rotating every password and key (WordPress users, hosting panel, FTP, database, and the salts in wp-config.php), and searching the files and the database for anything the attacker left behind.
The second one is the better choice for those who would rather let experts do the job and make sure no backdoors are left on the site.
Recovering the website may cost you thousands of dollars if you hire a solo professional.
Sucuri(which I’ve already mentioned a couple of times) guarantee they will clean the whole website and make sure you are safe and sound for FREE!*
*You should be one of their paid customers.
Don’t forget that it’s better to be proactive than reactive!
How Should You Approach This Guide?
Maintaining WordPress Website Security may seem an intimidating task.
To help you speed up the process I have created a detailed checklist.
Click on the image below to download it.
It will walk you through the entire process of the WordPress security optimization step-by-step.
You will find there all the techniques I covered here + 2 bonus tips not mentioned in this guide.
I hope you found some helpful information in this guide!
Leave your thoughts and questions in the comment section below.
Also, add me on LinkedIn or follow me on Quora, I share some useful info there 😉
Cheers!
Nice article indeed. I am already aware of most of the steps you mentioned but a couple of them were some new knowledge to take. I’ve already executed them on my website. You did a great thing putting it all together!
The question is, are you positive that a certain skill set is required to fix a hacked site?
I mean I’ve seen the DIY guides for beginners on how to perform it and the process doesn’t seem to be that hard.
What’s your take about it?
Hello Tracy! Glad you found some time to compose an insightful comment. The guides you are talking about are time savers and possess certain value. My personal point is that you never know the level of damage those mean people caused to your website(backdoors and stuff). These guides may help or may not. You never know. So I would still recommend you contact a competent specialist and ask to audit the website. Alternatively, you can use services like Sucuri. Cheers!