Why Website Security Is Important
Website security is critical to protect your WordPress site from hackers, malware, and data breaches. A compromised site can lead to loss of sensitive data, lower search rankings, and a damaged reputation. Ensuring your site is secure helps build trust and prevents costly downtime. So whether you are looking after your own website or websites for clients, you want to make sure your site is locked down and free from hackers. Take it from me, who has experienced this firsthand. A hacked site is a complete nightmare and nothing I would wish upon my worst enemies (Not that I have enemies!).
Back in 2010 when I first started out with WordPress, I didn’t realise the importance of security until it was too late, and not only my site but my clients’ sites were also compromised. So in this guide, I want to share all I have learned over the past 15 years to make sure it never happens again.
Keep WordPress Updated
Regular updates are essential to prevent security vulnerabilities. Outdated core files, themes, and plugins are common entry points for attackers. So this is an easy fix for me to perform and goes a long way.
Steps to stay updated:
- Enable automatic updates for core WordPress files.
- Regularly check and update plugins and themes.
- Remove unused or outdated plugins.
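The three steps above can be turned into policy that WordPress enforces itself. The following is an added example written for this article (not WordPress core code or any plugin mentioned here): a must-use plugin that switches on automatic updates for minor core releases, themes and plugins, with a hold-back list for anything you prefer to test on staging first. The hold-back plugin slug is a placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * before ordinary plugins and cannot be switched off from the dashboard.
 */

// Core: install minor (security and maintenance) releases automatically,
// but leave major releases for a manual update after you have tested them.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins: update everything automatically except a short hold-back list.
// $item->plugin is the plugin file path, e.g. "akismet/akismet.php".
function example_auto_update_plugin( $update, $item ) {
    // Placeholder slug for a plugin you want to update by hand on staging first.
    $hold_back = array( 'example-custom-checkout/example-custom-checkout.php' );

    if ( isset( $item->plugin ) && in_array( $item->plugin, $hold_back, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes: update automatically as well.
add_filter( 'auto_update_theme', '__return_true' );

// Get an email whenever an automatic core update runs, so you know what changed.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

Automatic updates still depend on WP-Cron running, so a low-traffic site that never triggers cron will not update by itself; most hosts let you call wp-cron.php from a real system cron job instead. Unused plugins are not covered by this file: delete them from the Plugins screen, because a deactivated plugin still ships its code to the server.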
Simply doing this will not only safeguard your website and solve most security issues, it will also go a long way to improving every aspect of your website, even site performance, so it’s a win-win!
Use Strong Passwords and User Permissions
Weak passwords are a major security risk. Limiting access and using strong passwords reduce the chances of a breach. Historically (and in some cases it still does), WordPress gave the first user created the username ‘admin’. This was a security disaster. Think about it: not only did any potential hacker already have access to your login screen, they also had your username. So all they had to do was ‘guess’ your password and they had full control of your website! If you’re thinking that no one could guess your password, then think again. Most passwords are terrible, and there are databases of leaked passwords that hackers can use to repeatedly test against your login page until they get in with a working combination. So here are some good tips…
Best practices:
- If your admin account is using the username ‘admin’, change it!
- Use a password manager to generate strong, unique passwords.
- Assign user roles carefully and limit admin access.
- Enable Two-Factor Authentication (2FA) for added protection.
Only give access to those who need it and only give them the relevant access they need. If they do not need admin-level access, do not give it to them. So for example, if you have someone who needs to write blog posts and go in and verify and edit posts, give them the role of Editor. This will protect your website.
Understand the Role of WordPress Hosting
Choosing a secure hosting provider is one of the most important steps to protect your site. This often gets overlooked, and beginners will often go for whatever suits their wallet. Again, take this from my experience. My first hosting plan was, wait for it… FREE. I thought I had hit the jackpot until my clients started messaging me asking why there were ads all over their website! Another lesson learned. You get what you pay for. Spend the time to research hosting providers to ensure you get a good one.
What to look for:
- Regular backups.
- DDoS protection.
- Malware scanning and firewall features.
- 24/7 monitoring and support.
- Secure data centers with uptime guarantees.
- Automated threat detection and mitigation.
- Strong access controls and isolation policies.
- Built-in redundancy and disaster recovery plans.
WordPress Security in a Few Easy Steps (No Coding)
You don’t need to be a web wizard to secure your site. Here are some easy steps to follow that you can implement to secure your site now:
1. Install a WordPress Backup Solution
A reliable backup ensures you can recover your site if it’s compromised. Hopefully, your hosting provider is taking regular backups for you, but quite often hosts will charge you more money the more backups they store for you. This is why I suggest you look to keep your own copies of backups yourself.
This is a genuine story from my experience. A client came to me as their site was behaving strangely; turns out they had been hacked. It had appeared normal for the past week, but it had started to behave weirdly that day. He contacted me to see if I could help. My first question was, “Do you have backups?” He responded with a firm YES! Anyway, long story short, he did have backups, but none of them were any good. The site had been compromised 8 days before, and he had 7 days of backups. So every single backup his hosting had for him was useless.
So, I introduce to you a solution that you can set up today.
Recommended Plugin: UpdraftPlus.
You can install this and configure it in minutes and store automated backups anywhere you want. I would recommend some cloud storage such as Dropbox or Google Drive. You can configure it to take daily backups and decide how many copies you want to keep before they start replacing older backups. If you have the space, then I think 21 or 28 is enough. You will probably never need them, but it’s always better to be safe than sorry.
2. Install a Reputable WordPress Security Plugin
Security plugins provide firewall protection, malware scanning, and login security. Without a security plugin, it’s like leaving your front door open. You could do it, but you know you shouldn’t. It can feel daunting when installing a security plugin, and just installing it only does half the job (if that). It will need configuring. There are several great options on the market, and I will be sure to come back and revise this article to reference them all and create mini guides on what you should be doing when you install them, but for now, I’m only going to discuss my plugin of choice.
- Recommended Plugin: Defender Pro.
Now, while I have to give notable mentions to Wordfence, iThemes, and Sucuri, I have to recommend my favourite: Defender Pro. It’s user-friendly, has a fantastic interface, and is incredibly easy to set up. It provides excellent recommendations and one-click solutions to lock down your website.
Stay tuned for a detailed guide. While this is a premium plugin, members of our WP Odyssey Pro community can use this plugin as part of their membership.
3. Enable a Web Application Firewall (WAF)
A WAF helps block malicious traffic before it reaches your website. So having one in place can prevent a lot of bad traffic from getting to your website. Blocking this bad traffic not only protects your website from attacks but will also speed up your site in most cases as your server is not having to use up its resources fending off or dealing with these requests. So another win-win, a safer, faster website.
Recommended Option: Cloudflare.
While many security plugins such as Defender Pro offer their own WAF, in order to take advantage of it you have to be hosting your website with them, which is why my recommendation goes to Cloudflare. It’s free and does an amazing job of protecting your website. There will be a detailed guide coming soon on how to take advantage of Cloudflare.
4. Move Your WordPress Site to SSL/HTTPS
SSL encrypts data, making your site more secure and trustworthy. It should go without saying now that this is a must, but just in case your WordPress site is still being served with an http:// URL – CHANGE IT! I know not all SSL certificates are created equal, but there is no excuse in this day and age. Update your site’s URL in the settings to https and do the following.
- Obtain a free SSL certificate via Let’s Encrypt.
- Update your site settings to force HTTPS.
If you are unsure, then you can do this either in your cPanel or in your hosting dashboard. If you’re stuck, speak to your host and they should be able to help.
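Forcing HTTPS from the settings screen covers the public site; the dashboard and login page are worth locking down in wp-config.php as well. The block below is an added example for this article (not the article’s own code): the hostname is a placeholder, and the last part handles the case the Cloudflare recommendation above will land you in, where TLS terminates at the proxy and WordPress itself only ever sees plain HTTP.

```php
<?php
// wp-config.php additions for an HTTPS-only site (added example, not from the article).
// Place these above the "That's all, stop editing!" line. Hostname is a placeholder.

// Pin the site address so nothing can quietly fall back to http://.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Serve wp-admin and wp-login.php over HTTPS only; plain-HTTP requests are redirected.
define( 'FORCE_SSL_ADMIN', true );

// Behind a proxy or CDN such as Cloudflare, the TLS connection ends at the proxy and
// PHP sees plain HTTP, so $_SERVER['HTTPS'] is unset and FORCE_SSL_ADMIN would
// redirect in a loop. The proxy tells us the original scheme in X-Forwarded-Proto.
// Only trust this header when your origin is not reachable directly, because any
// client that can bypass the proxy could set it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

Setting WP_HOME and WP_SITEURL here also means the dashboard shows those fields as read-only, so a compromised admin account cannot change the site address to an attacker-controlled host.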
WordPress Security for DIY Users
Change the Default Admin Username
As mentioned above, using “admin” as a username makes it easier for attackers to guess login details. Change it to a unique username. If you’re using this still, please change it now.
Disable File Editing
Prevent hackers from modifying files through the WordPress dashboard by adding this to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
This is a quick fix, and if you are not using something like Defender Pro, then this is how you would do it manually.
Disable PHP File Execution in Certain WordPress Directories
Add the following to your .htaccess file to prevent PHP execution in sensitive directories:
<Files *.php>
Deny from all
</Files>
Again, this can be done with one click inside something like Defender Pro, but if you’re not using it, this is the workaround.
Limit Login Attempts
Limiting login attempts helps prevent brute force attacks. Remember how we mentioned above that hackers can make lots of login attempts guessing passwords? Just to clarify, when I say a lot, I mean a lot – more than you can imagine. It can be as high as 500 per second! So limiting this can save you a lot of hassle.
Recommended Plugin: Limit Login Attempts Reloaded.
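To show what a plugin like that is doing under the hood, here is an added example written for this article (not the code of Limit Login Attempts Reloaded or any other plugin): a must-use plugin that counts failed logins per client address in a transient and refuses further attempts once the limit is hit. The limit, the window and the transient key prefix are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Simple login rate limit (added example)
 *
 * Save as wp-content/mu-plugins/login-rate-limit.php.
 */

define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );                      // failures allowed per window
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );       // counting / lockout window

// Key the counter on the client address. REMOTE_ADDR cannot be forged by the
// visitor; only use a proxy header such as CF-Connecting-IP if your host or CDN
// guarantees it, otherwise a client could pick its own bucket.
function example_login_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Every failed login bumps the counter; the transient expires after the window,
// and each new failure restarts that window.
function example_login_record_failure( $username ) {
    $key   = example_login_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
}
add_action( 'wp_login_failed', 'example_login_record_failure' );

// Refuse clients over the limit. Priority 99 runs after the built-in
// username/password check (priority 20), which would otherwise replace our
// error with the user object when the password happens to be correct.
function example_login_check_limit( $user, $username, $password ) {
    if ( empty( $username ) && empty( $password ) ) {
        return $user; // plain page load of wp-login.php, nothing to check
    }

    $count = (int) get_transient( example_login_client_key() );
    if ( $count >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                'Too many failed login attempts. Try again in %d minutes.',
                EXAMPLE_LOGIN_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_check_limit', 99, 3 );

// A successful login clears the counter for that address.
function example_login_clear_failures( $user_login, $user ) {
    delete_transient( example_login_client_key() );
}
add_action( 'wp_login', 'example_login_clear_failures', 10, 2 );
```

Two things to be aware of when running this yourself: transients live in the database unless you have an object cache, so a site under heavy attack still pays a query per attempt (a WAF in front of the site, as described later, is what takes that load off), and a shared office IP means one colleague typing their password wrong five times locks out everyone behind that address, which is why real plugins add an allowlist.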
Add Two-Factor Authentication (2FA)
2FA adds an extra layer of security by requiring a second verification step. While this can feel annoying, as you’ll have to enter a secret code every time you want to log in to your admin, trust me, it is not as annoying as having to deal with a hacked account. It’s fairly easy to set up and can save you a lot of hassle down the line. You can use any off-the-shelf plugin for this, or it’s included in Defender Pro.
Change the WordPress Database Prefix
The default wp_ database prefix makes sites vulnerable to SQL injection attacks. Change it during installation or with a plugin. This is an advanced-level recommendation, but it is highly suggested. You could use anything other than wp_ to protect your website.
Password Protect WordPress Admin and Login Page
Adding password protection to your login page adds an extra layer of security.
Disable Directory Indexing and Browsing
Prevent visitors from viewing directory structures by disabling indexing. If you are able to navigate to yourwebsite.com/wp-content, for example, and see a listing of files and directories, you need to speak to your host, as they should be disabling this. The last thing you want is for a potential hacker, or anyone for that matter, to be able to see inside your hosting account. Get it locked down straight away.
Disable XML-RPC in WordPress
XML-RPC can be exploited for brute force attacks. Disable it using a plugin, or add the following line in your wp-config as a quick fix:
add_filter('xmlrpc_enabled', '__return_false');
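The single filter above stops XML-RPC logins. The endpoint also answers pingbacks without any login, and the site advertises it in an HTTP header and a link tag, so a fuller lockdown is worth having. Below is an added example for this article (not the article’s own code) that bundles the three pieces into a must-use plugin; because it calls add_filter, it needs WordPress’s plugin API loaded, which a file in wp-content/mu-plugins/ guarantees.

```php
<?php
/**
 * Plugin Name: XML-RPC lockdown (added example)
 *
 * Save as wp-content/mu-plugins/xmlrpc-lockdown.php.
 */

// 1. Refuse every authenticated XML-RPC call. This is the line from the article;
//    it closes the login path that password-guessing tools use.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Pingbacks do not need a login, so they are still served after step 1.
//    Remove the methods so the endpoint cannot be made to send requests on
//    your behalf or accept bogus pingbacks.
function example_drop_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_drop_pingback_methods' );

// 3. Stop advertising the endpoint: the X-Pingback response header and the
//    RSD <link> tag that WordPress prints in <head>.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );
```

If you use the Jetpack plugin or the WordPress mobile app, they talk to the site over XML-RPC, so check that nothing you rely on breaks before leaving this in place; the alternative in that case is to block xmlrpc.php at the WAF for everyone except those services.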
Automatically Log Out Idle Users
Inactive users can pose a security risk. Set automatic logouts for idle sessions. If they are not active on your site, log them out. This can be achieved with several off-the-shelf plugins.
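WordPress itself only has an absolute session length (two days, or fourteen with “Remember Me”), not an idle timeout. The block below is an added example written for this article (not the code of any plugin mentioned here) showing how the idle logout works: it records each logged-in user’s last request and ends the session once the gap exceeds a limit. The 30-minute limit, the user-meta key and the query argument are assumptions.

```php
<?php
/**
 * Plugin Name: Idle session logout (added example)
 *
 * Save as wp-content/mu-plugins/idle-logout.php.
 */

define( 'EXAMPLE_IDLE_LIMIT', 30 * MINUTE_IN_SECONDS ); // log out after this much inactivity

// On every normal page request, compare now with the user's last activity.
function example_check_idle_session() {
    if ( ! is_user_logged_in() || wp_doing_ajax() || wp_doing_cron() ) {
        return; // background requests should not count as activity or trigger logouts
    }

    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'example_last_activity', true );
    $now     = time();

    if ( $last && ( $now - $last ) > EXAMPLE_IDLE_LIMIT ) {
        // Clear the auth cookies and destroy the session, then explain why on the login page.
        wp_logout();
        wp_safe_redirect( add_query_arg( 'example_idle', '1', wp_login_url() ) );
        exit;
    }

    update_user_meta( $user_id, 'example_last_activity', $now );
}
add_action( 'init', 'example_check_idle_session' );

// Show a notice on wp-login.php after an idle logout so the user knows what happened.
function example_idle_login_message( $message ) {
    if ( isset( $_GET['example_idle'] ) ) {
        $message .= '<p class="message">You were logged out after '
                  . ( EXAMPLE_IDLE_LIMIT / MINUTE_IN_SECONDS )
                  . ' minutes of inactivity.</p>';
    }
    return $message;
}
add_filter( 'login_message', 'example_idle_login_message' );

// Also shorten the absolute session length: administrators get 4 hours, everyone
// else 12, regardless of the "Remember Me" checkbox.
function example_session_length( $expiration, $user_id, $remember ) {
    return user_can( $user_id, 'manage_options' ) ? 4 * HOUR_IN_SECONDS : 12 * HOUR_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'example_session_length', 10, 3 );
```

Writing user meta on every request is one extra query per page view for logged-in users; on a busy multi-author site you would store the timestamp in the object cache or only update it when a few minutes have passed since the last write.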
Add Security Questions to the WordPress Login Screen
Adding security questions enhances login protection and helps prevent bot activity.
Scan WordPress for Malware and Vulnerabilities
Regularly scanning your site helps detect and remove threats before they cause harm. One of the reasons I love Defender Pro is that it not only tests your WordPress website files (including themes and plugins) for suspicious code, but it also compares the original theme and plugin files against what is on your website to see if anything has been altered or looks dodgy.
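The “compare against the originals” part is a file-integrity check, and you can run a basic one yourself from the command line. The script below is an added example for this article (not Defender Pro’s code): it hashes every file under the install into a baseline manifest, then on later runs reports files that were modified, added or removed. Images in uploads change legitimately all the time and are skipped, but any .php file is always hashed, wherever it sits, because a PHP file appearing under wp-content/uploads is exactly the kind of change you want to hear about. The paths and the manifest format are assumptions.

```php
<?php
/**
 * integrity-check.php (added example). Usage:
 *   php integrity-check.php baseline /var/www/html > manifest.json
 *   php integrity-check.php verify   /var/www/html manifest.json
 * Keep manifest.json outside the web root, or an intruder can simply update it.
 */

// Return true for files whose contents change as part of normal site use.
function is_volatile_path( string $rel ): bool {
    $volatile = array( 'wp-content/uploads/', 'wp-content/cache/' );
    foreach ( $volatile as $prefix ) {
        if ( 0 === strpos( $rel, $prefix ) && ! preg_match( '/\.ph(p\d?|tml)$/i', $rel ) ) {
            return true; // media and cache files, but never PHP
        }
    }
    return false;
}

// Walk the install and hash every non-volatile file, keyed by path relative to $root.
function build_manifest( string $root ): array {
    $root     = rtrim( realpath( $root ), '/' );
    $manifest = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        if ( is_volatile_path( $rel ) ) {
            continue;
        }
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

// Diff two manifests. Anything "added" that ends in .php deserves a look first.
function compare_manifests( array $baseline, array $current ): array {
    $report = array( 'modified' => array(), 'added' => array(), 'removed' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( $baseline[ $path ] !== $hash ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( $baseline as $path => $hash ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1], $argv[2] ) ) {
    if ( 'baseline' === $argv[1] ) {
        echo json_encode( build_manifest( $argv[2] ), JSON_PRETTY_PRINT ), "\n";
    } elseif ( 'verify' === $argv[1] && isset( $argv[3] ) ) {
        $baseline = json_decode( file_get_contents( $argv[3] ), true );
        $report   = compare_manifests( $baseline, build_manifest( $argv[2] ) );
        foreach ( $report as $kind => $paths ) {
            foreach ( $paths as $path ) {
                echo strtoupper( $kind ), "\t", $path, "\n";
            }
        }
        // Non-zero exit when anything changed, so a cron job can email you the output.
        exit( array_sum( array_map( 'count', $report ) ) ? 1 : 0 );
    }
}
```

Take the baseline right after a clean install or a known-good update, and take a fresh one after every update you make on purpose; otherwise every legitimate plugin update shows up as hundreds of modified files and the report becomes noise you stop reading.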
Fix a Hacked WordPress Site
If your site is hacked:
- Restore from the most recent backup.
- Scan your site for malware.
- Update all WordPress core files, plugins and themes.
- Change all passwords immediately.
- Contact your hosting provider for assistance.
Bonus Tip: Hire a WordPress Maintenance Service
Consider hiring professionals to manage updates, security, and backups for peace of mind.
FAQs on WordPress Security
Q: How often should I update my WordPress site?
A: Regular updates should be applied as soon as they are available.
Q: Can I secure my site without a plugin?
A: Yes, but plugins simplify and automate the process.
Q: Is free hosting safe?
A: Generally, free hosting lacks proper security measures. Trust me, I’ve been there 😃