Protecting your WordPress site is critical to avoid hacks that can lead to data loss, downtime, and costly repairs. Here’s a quick summary of 8 effective security measures:

  1. Use Strong Passwords & Enable 2FA: Secure your login with complex passwords and two-factor authentication.
  2. Update WordPress, Themes & Plugins: Keep everything updated to fix vulnerabilities.
  3. Install a Security Plugin: Use tools like Sucuri or Wordfence for malware scanning and firewalls.
  4. Limit Login Attempts: Prevent brute force attacks by restricting failed login attempts.
  5. Enable SSL (HTTPS): Encrypt your site’s data with an SSL certificate.
  6. Set Correct File Permissions: Restrict access to files with proper permissions (e.g., 644 for files, 755 for folders).
  7. Disable File Editing in Admin: Turn off the built-in editor to prevent unauthorized code changes.
  8. Back Up Your Site Regularly: Use plugins like UpdraftPlus to create and store backups.

Quick Tip: Combine these tactics for layered protection. Start with strong passwords, 2FA, and regular updates for immediate security improvements.

1. Set Up Strong Passwords and 2FA

Creating Strong Passwords

Your WordPress password is the first line of defense against potential breaches. As WordPress.org says, “Securing your WordPress starts with a strong password. A strong password is complex. It isn’t easy to guess since it doesn’t contain recognizable words, names, dates or numbers”.

Here are some tips for creating a secure password:

  • Go Long: Use a password that’s at least 20 characters.
  • Mix It Up: Include uppercase and lowercase letters, numbers, and special characters.
  • Avoid Personal Details: Avoid anything easily guessed, like names, birthdates, or company info.
  • Keep It Unique: Don’t reuse passwords across accounts.

Adding Two-Factor Authentication

Two-factor authentication (2FA) provides an extra layer of protection for your WordPress site. Even if someone gets your password, they can’t log in without the second verification step.

Here’s how to enable 2FA:

  • Pick an Authenticator App: Use a trusted app with cloud backup options. Popular choices include Google Authenticator, Authy, LastPass Authenticator, and 1Password.
  • Install a 2FA Plugin: Since WordPress doesn’t have built-in 2FA, add a plugin to enable this feature.
  • Save Backup Codes: Securely store your backup codes. These are essential if you lose access to your authenticator app or device.

For instance, in March 2023, WPBeginner added 2FA through an authenticator app after noticing a spike in login attempts. This significantly boosted their site’s security.

“Two-step authentication is a method of making your online accounts safer. Not only does it require that you know something to log in (a password), but you must also possess something (your mobile device or a physical key).” – WordPress.com Support

Next, we’ll explore how keeping WordPress components updated can further secure your site.

2. Update WordPress Core, Themes and Plugins

WordPress

How Updates Protect Your Website

Updating WordPress regularly is a must to keep your website secure. With nearly 90,000 attacks targeting WordPress sites every minute, outdated software leaves you exposed. Shockingly, 61% of these attacks result from skipped updates, and 52% are directly tied to outdated plugins. As Marissa Bracke puts it, “Keeping out of date software and plugins on your server is sort of like laying out a nice, plush ‘Welcome’ mat for hackers and bots”. Considering WordPress powers over 43.5% of websites, staying updated is non-negotiable.

Updates fix known vulnerabilities, so installing them promptly reduces your site’s risk of being compromised.

Steps to Update Safely

To update WordPress without breaking your site, stick to these best practices:

  • Back Up Everything
    Before making any changes, back up your entire site – this includes your database, plugins, and themes. A backup ensures you can restore your site if something goes wrong.
  • Test in a Staging Environment
    Use a staging site to test updates before applying them to your live site. Many hosting providers offer staging tools, so you can catch and fix any issues without affecting your visitors.
  • Follow the Right Update Order
    Update your site in this order: active theme, free plugins, premium plugins (after checking licenses), and finally, the WordPress core.
  • Post-Update Checks
    Once updates are complete, clear your caches, exit maintenance mode, and reactivate plugins one by one. This helps you spot any conflicts or issues.

If your site hasn’t been updated in a while, take extra precautions. Switch to a default WordPress theme and disable all plugins before updating the core software. This approach minimizes compatibility problems.

Keeping your WordPress site updated is a critical step in your security plan. Once your software is current, you can focus on adding a strong security plugin to further protect your site.

3. Choose the Right Security Plugin

Key Security Features to Look For

Protecting your WordPress site starts with picking the right security plugin. Make sure the plugin you choose offers these critical features:

  • Malware Scanning: Automatically detects and removes harmful code.
  • Web Application Firewall (WAF): Blocks suspicious traffic and known attack methods.
  • Login Protection: Shields against brute force attacks and supports extra authentication steps.
  • Content Protection: Guards your site from scraping and unauthorized access.

Best Security Plugins for WordPress

Here’s a quick comparison of some highly-rated WordPress security plugins:

Plugin Name Key Features Ideal For
Cloudflare CDN, firewall, bot management Overall site protection
Sucuri All-in-one security, malware removal Small businesses
MalCare Server-side scanning, low resource usage Sites with limited resources
All-In-One Security Security auditing, firewall, login protection Content-heavy websites

Among these, All-In-One Security (AIOS) is a standout choice, boasting a 4.7-star rating and over 1 million installations.

Setting Up Your Security Plugin

After installing your plugin, follow these steps to get the most out of it:

  1. Activate Core Features: Turn on the firewall and malware scanning right away.
  2. Secure Logins: Set up brute force protection and enable two-factor authentication (2FA).
  3. Automate Scans: Schedule daily or weekly scans to keep your site safe.
  4. Review Logs Regularly: Check activity logs to spot anything unusual.

4. Block Multiple Login Attempts

Why Login Limits Matter

By default, WordPress allows unlimited login attempts. This opens the door to brute force attacks, where automated tools try countless password combinations to break into accounts.

Such attacks not only risk compromising user accounts but can also strain your server resources. For instance, Sucuri reported blocking 450,000 WordPress attack attempts in just three months. Clearly, putting login limits in place is a smart and necessary step to strengthen your site’s defenses.

Tools to Limit Logins

Plugins are an easy way to restrict login attempts on your WordPress site. Here’s a quick comparison of some popular options:

Plugin Name Active Users Rating Key Features
Limit Login Attempts Reloaded 2+ million 4.9/5 IP intelligence, country blocking, premium features
Limit Login Attempts 400,000+ 4.6/5 Basic protection, email notifications
WP Limit Login Attempts 100,000+ 4.6/5 CAPTCHA verification, IP blocking

To set up login protection, follow these steps:

  • Limit the number of failed login attempts to a maximum of 5.
  • Set a temporary lockout period for accounts after failed attempts.
  • Turn on email alerts to notify you of blocked login attempts.
  • Add Google reCAPTCHA for an extra layer of protection.

“It’s simple and works as expected. Guess it’s wise to use a plugin such as this one, against brute force attacks.” – Guido

When combined with strong passwords and two-factor authentication (2FA), limiting login attempts creates a solid defense against unauthorized access. Up next, we’ll discuss how SSL protection can further secure your WordPress site.

5. Add SSL Protection

Getting an SSL Certificate

SSL certificates secure the connection between your website and visitors, keeping sensitive information safe from hackers. Without SSL, browsers like Google Chrome flag your site as “Not Secure”, which can damage both trust and rankings.

Here are two ways to get an SSL certificate:

  • Free Option: Let’s Encrypt provides certificates with strong encryption, comparable to paid options. Many hosting services offer easy integration with Let’s Encrypt for quick setup.
  • Paid Option: Providers like GoDaddy sell SSL certificates, which often include extra features and technical support. These are ideal for e-commerce sites or businesses handling sensitive customer data.

“With SSL, your site will run on an encrypted connection so that hackers cannot access any sensitive information, like credit card numbers and user login credentials.” – WPBeginner

Setting Up HTTPS

Once you have an SSL certificate, follow these steps to enable HTTPS:

Step Action
Backup Save a full backup of your site
Install Upload the certificate to your server or CDN
Update URL Change your site URL to HTTPS in settings
Force SSL Modify the wp-config.php file

The Really Simple SSL plugin simplifies setup by detecting your certificate and handling the configuration. Prefer manual setup? Add this line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

This ensures admin logins and sessions are always secure.

“The main goal of using SSL is to protect your visitors’ data from hackers and malicious actors.” – WP Engine

Post-Setup Checklist

After enabling HTTPS, confirm everything works as expected:

  • Look for the padlock icon in your browser.
  • Test forms and login pages to ensure they load securely.
  • Verify that external resources (like images or scripts) are served over HTTPS.
  • Add your HTTPS site to Google Search Console for better indexing.

Next, we’ll cover how to set proper file permissions to further strengthen your website’s security.

sbb-itb-976b402

6. Set Correct File Permissions

File Permission Basics

Setting the right file permissions is a key step in securing your site. These permissions control who can access or modify files and are defined using a three-digit number system:

  • The first digit applies to the file owner.
  • The second digit applies to the group.
  • The third digit applies to the public.

Each digit ranges from 0 to 7 and represents different levels of access:

  • 4 = Read
  • 2 = Write
  • 1 = Execute
  • 0 = No access

For example, a permission of 644 means:

  • The owner has read and write access (6 = 4 + 2).
  • The group can only read (4).
  • The public can only read (4).

Correct Permission Settings

To keep your WordPress site secure, use these recommended file permissions:

WordPress Files/Folders Recommended Permission Purpose
Root directory (/) 755 Allows navigation but limits write access
wp-includes 755 Protects core WordPress files
wp-admin 755 Secures admin interface files
wp-content 755 Protects themes, plugins, and uploads
Regular files 644 Standard protection level for files
wp-config.php 444 Makes it read-only for added security
.htaccess 444 Limits write access to this critical file

How to Update File Permissions

Here’s how to adjust file permissions:

  1. Back up your site before making any changes.
  2. Use tools like FTP, cPanel, or SSH to access your files.
  3. Update permissions using the appropriate method. For example, with SSH, you can use the chmod command:
    chmod 755 directory-name

Important: Avoid using permission 777. It grants unrestricted access to everyone and poses a major security risk.

After updating permissions, test your site to ensure everything is functioning correctly. Some plugins may require specific settings, so check their documentation if needed.

7. Turn Off Admin File Editing

Why Disable the File Editor?

The built-in file editor in the WordPress admin area lets you directly modify theme and plugin files. While convenient, it can also open the door to serious security risks. If someone gains access to your admin panel, they could use this feature to add harmful code to your site. Turning off the editor is a straightforward way to reduce potential damage.

Here’s how you can do it:

  1. Back up your site to ensure you can restore it if needed.
  2. Find the wp-config.php file in your WordPress root directory.
  3. Add this line of code just before the line that says /* That's all, stop editing! Happy blogging. */: 
    define('DISALLOW_FILE_EDIT', true);
  4. Save the file and check to confirm the editor is disabled.

Once the editor is turned off, you’ll need safer methods for making changes to your site’s code.

Secure Alternatives for File Editing

Disabling the built-in editor means you’ll need to rely on other tools for modifying your site’s files. Here are some secure options:

Method Best For Why It’s Safer
Child Themes Customizing themes Keeps your changes safe during updates
SFTP Client Direct file access Ensures encrypted file transfers
Staging Environment Testing changes Lets you safely test modifications
Custom Code Plugins Adding small PHP snippets Keeps changes isolated and manageable
SSH Command Line Advanced users Provides secure remote access

Tips for Safe Code Changes

When making changes, keep these tips in mind:

  • Always test updates on a staging site before applying them to your live site.
  • Use version control tools to track your changes and roll back if needed.
  • Document every change you make for easy reference later.
  • Double-check your file permissions after editing to ensure they remain secure.

Disabling the editor not only improves your site’s security but also encourages a more controlled approach to code changes.

8. Back Up Your Site Regularly

Why Regular Backups Matter

Backing up your site regularly is like having an insurance policy for your website. If hackers attack or files are corrupted, backups let you restore your site without losing everything. Hackers often delete or damage files and databases, so having a recent backup can save the day.

“Website backups represent your safety net. They are the critical piece of security necessary if all other resources fail.”

A proper backup system saves copies of your website files and database, allowing you to roll back to a stable version if something goes wrong.

Backup Tools and Options

Here are some popular WordPress backup tools to consider:

Backup Plugin Active Users Key Features Annual Cost
UpdraftPlus 3+ million Cloud storage, Full/partial backups $70-$399
BackWPup 700,000+ Easy to use, Scheduled backups $69-$349
Jetpack VaultPress Not specified External server backups, Real-time backup $59.40-$119.40
BlogVault Not specified Off-site backups, Zero server load $149-$499

When choosing a backup tool, look for features like:

  • Automated backup scheduling
  • Options for full or database-only backups
  • Secure off-site storage
  • Easy restoration process
  • Real-time backups (important for e-commerce websites)

These tools make it easy to recover your site quickly after a security issue.

Backup Storage Tips

  1. Schedule Backups During Low Traffic
    Run full backups during times of low website activity, such as overnight, to avoid slowing down your site. Database backups should be done more often since they hold critical, frequently updated information.
  2. Use Multiple Storage Locations
    Keep your backups in at least two places to reduce the risk of losing them:

    • Cloud storage services
    • Local drives or external storage
    • Remote backup services
  3. Rotate Your Backups
    Follow a rotation schedule to keep backups manageable and ensure you always have recent copies. For example:

    • Daily database backups: Keep for 7 days
    • Weekly full backups: Keep for 1 month
    • Monthly full backups: Keep for 3–6 months

“Once your website files are overwritten or deleted, there is no way to recover them unless you have a backup. In that regard, backups are in many cases, a lifesaving solution.”

How to Secure Your WordPress Website 2024 (Complete Guide)

Conclusion

Keeping your WordPress site secure requires regular attention and maintenance. With 98% of WordPress vulnerabilities tied to plugins and more than half of WordPress sites using outdated PHP versions, the risks are clear.

The eight strategies outlined earlier provide a solid defense, but their effectiveness depends on consistent use and monitoring. As Max Shestov, Lead Web Developer, puts it:

“WordPress websites should not be left unmaintained”

Here’s a recommended maintenance schedule to keep your site secure:

Timeframe Security Tasks
Daily Check site uptime, review security alerts, and back up your site
Weekly Update plugins/themes, run malware scans, and review suspicious activity
Monthly Test backups, analyze site performance, and ensure functionality
Quarterly Update passwords, clean up your database, and check contact forms

Sticking to this schedule helps you stay ahead of potential threats.

Failing to prioritize security can result in:

  • Exposed customer data
  • Losing access to your site
  • Being flagged by browsers
  • Search engine penalties
  • Drops in traffic and revenue

Regular upkeep is key to protecting your site and maintaining its performance.