17 Steps to Secure Your WordPress Site

At HubSpot, we talk a lot aboutdelighting customers. We believe that all growing businesses should seek to provide their customers with the best experience possible. So, allow me to spotlight one of the most important forms (if notthemost important form) of customer service — cybersecurity.

As your business grows, the number of problems you’ll need to solve and your customers’ expectations for how you address those problems will increase. One of those problems is keeping your customers’ information secure. If you can’t provide this fundamental service from the get-go, it signals that you don’t solve for your customers.

There’s no way around it: If you have an online presence, you need to prioritize security. And if WordPress is your CMS, youdefinitelyneed to prioritize security, since hackers launch90,000 attacksagainst WordPress websites every minute. Yikes.

The good news is that most of these hacking attempts are easily preventable. In this article, we’ll get into the details of the most common and dangerous security vulnerabilities that come with using WordPress. Then, we’ll cover all the steps you’ll need to manage a safe, secure WordPress website.

Why You Need WordPress Security

Let’s discuss the 3 reasons why every successful website built with WordPress prioritizes security. These apply to businesses of all sizes, reputations, and industries.

It protects your information and reputation.

If attackers attain personal information about you or your website visitors, there’s no end to what they could do with the information. Security breaches open you up to public data leaks, identity theft, ransomware, servers crashing, and the list unfortunately goes on. Needless to say, any of these events is far from ideal for the growth and reputation of your business, and are usually a major waste of time, money, and energy.

Your visitors expect it.

Your customers need to trust that their information will be used and stored safely, whether it be contact information, payment information (which requiresPCI compliance), or a basic response to a survey. There’s a catch-22 here: If your security measures work, your customers will never need to know. If they ever do see news about your site’s security, chances are it’s bad news and most won’t come back.

Google likes secure websites.

A safe website is a searchable one. Website security directly affects visibility from a search on Google (and other search engines), and has for a while. Security is one of the easiestways to boost your search rank. You can read about what other factors affect how Google ranks your website in ourUltimate Guide to Google Ranking Factors.

Clearly, protecting your online properties should be a key concern. Every website needs to ensure safety for their visitors and users, and we’ll go over the steps to do this. But first, you might be wondering...

Is WordPress secure?

A reasonable question to ask. A challenging one to answer.

There’s no way around it: Websites that use WordPress are a popular target for cyberattacks. Arecent studyby cybersecurity provider Sucuri reported that, in 2019, out of every 100 CMS-powered websites successfully hacked, 94 used WordPress. This marked a 4% increase from the prior year.

Image Source

This might be less surprising knowing that36% of all websitesuse WordPress, which is over 400 million websites. Still, 94% of all CMS-targeted attacks is still quite high, even when taking into account WordPress’ market share.

But before you hard-delete your WordPress account, you should know that these numbers aren’t entirely WordPress’ fault. Or, at least not the fault of the WordPress product itself.

WordPress employs a large security team of world-class researchers and engineers looking for vulnerabilities in its system, and regularly releases security updates to their software. As far as WordPress core goes, we’re covered. Really, the problem lies with how WordPress is made available to its users.

WordPress is open-source software, meaning that the source code is available for anyone to modify and distribute. Because WordPress is open-source, the software is infinitely customizable and optimizable. There are thousands of plugins, themes, and developers with the skills to modify the backend code themselves. This flexibility is a defining feature of WordPress, and a huge part of what makes it so powerful and widely-used.

The downside to all this freedom is that an improperly configured or maintained WordPress website is prone to a myriad of security issues. WordPress gives a lot of power to its users, and with great power (say it with me) comes great responsibility. Responsibility that many are shrugging off. Hackers know this and target WordPress websites accordingly.

Another thing: Asking if any website is really “secure” is a bit of a moot question. The truth is, perfect security simply doesn’t exist, especially online. As WordPressstates:

“[S]ecurity...is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”

You can never guarantee complete immunity to online threats, but youcantake steps to make them much less likely to occur. The fact that you’re reading this means you probably care about security and are willing to go the extra mile to keep you and your visitors safe. To sum all this up,WordPress is secure, but only if its users take security seriously and follow best practices.

WordPress Security Issues

So, what could happen if one chooses to push all these numbers aside and do nothing to secure their WordPress site? As it turns out, a lot. The most common types of cyberattacks on WordPress websites are:

Brute-Force Login Attempts

This is one of the simplest types of attacks. A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the right credentials. Brute-force hacking can access any password-protected information, not just logins.

Cross-Site Scripting (XSS)

XSS occurs when an attacker “injects” malicious code into the backend of the target website to extract information and wreak havoc on the site’s functionality. This code could be introduced in the backend by more complex means, or submitted simply as a response in a user-facing form.

Database Injections

Also known as a SQL injection, this happens when an attacker submits a string of harmful code to a website through some user input, like a contact form. The website then stores the code on its database. Similarly to an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.

Backdoors

A backdoor is a file containing code that lets an attacker bypass the standard WordPress login and access your site at any time. Attackers tend to place backdoors among other WordPress source files, making them difficult to find by inexperienced users. Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.

Denial-of-Service (DoS) Attacks

These attacks prevent authorized users from accessing their own website. DoS attacks are most frequently carried out by overloading a server with traffic and causing a crash. The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.

Phishing

When an attacker contacts a target posing as a legitimate company or service, this is known asphishing. Phishing attempts typically prompt the target to give up personal information, download malware, or visit a dangerous website. If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you.

Image Source

Hotlinking

Hotlinking occurs when another website shows embedded content (usually an image) that is hosted on your website without permission, so that the content appears like it’s their own. While more akin to stealing than a full-blown attack, hotlinking is usually illegal and gives the victim serious issues, since they have to pay every time content is retrieved from their server when displayed on another website.

For these crimes to occur, hackers need to discover holes in a site’s security. Common vulnerabilities that hackers look for when targeting WordPress websites include:

• Plugins:Third-party plugins account for the majority of WordPress security breaches. Since plugins are created by third parties and have access to the backend of your website, they're a common channel for hackers to disrupt your site’s functionality.
• Outdated WordPress versions:WordPress sometimes releases new versions of their software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and problems with old versions of WordPress are often targeted by hackers.
• The login page:The backend login page for any WordPress website by default is the site’s main URL with “/wp-admin” or “/wp-login.php” added to the end. Attackers can easily find this page and attempt a brute force entry.
• Themes:Yes, even your WordPress theme can open your site up to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Also, many third-party themes do not follow WordPress’ standards for code, causing compatibility issues and similar vulnerabilities.

更深层次的看WordPress安全问题,e our article onWordPress security issues you should know about.

How to Secure Your Wordpress Site

Now that we’re past the scary part, let’s discuss what you can do to reduce the threat of a cyberattack on your WordPress website.

Website security, and by extension WordPress website security, comes down to following a set of best practices. Some of these apply to all websites in general (e.g. strong passwords and two-factor authentication, SSL, and firewalls), while others apply specifically to WordPress websites (e.g. using secure plugins and a secure WordPress theme).

To keep your site at its safest, we recommend adhering to as many of these best practices as you reasonably can.

Secure your login procedures.

The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. This do this:

1. Use strong passwords:We used to think there would be flying cars in the future. Now, in 2020,people are still using “123456” as apassword. Make sure that all users with accounts on your WordPress backend areusing strong passwordsto log in. You might want to use one of our recommendedpassword managersto generate strong passwords and keep track of them for you.
2. Enable two-factor authentication:Two-factor authentication(2FA) requires users to verify their sign-on with a second device. This is one of the simplest, yet most effective tools to secure your login.
3. 不要做任何帐户sername “admin”:Chances are, this will be the first username attackers will plug in during a brute force login attempt. If you’ve already created a user with this name, create a new administrator account with a different username, or run theUsername Changerplugin.
4. Limit login attempts:Placing a cap on the number of times a user enters the wrong credentials in a certain amount of time will prevent hackers from brute-forcing a login. Some hosting services and firewalls might take care of this for you, but you can also install a plugin likeLimit Login Attemptsfor the job.
5. Add a captcha:You’ve likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. Again, plugins are your friend for this.reCaptcha by BestWebSoftis one we recommend — see ourguide to enabling Google reCaptcha in WordPress.
6. Enable auto-logout:While you should remember to log out of your WP account when finished, auto-logout prevents strangers from snooping in your account if you forget. To enable auto-logout on your WordPress account, try theInactive Logoutplugin.

Use secure WordPress hosting.

When choosing the service that hosts your website, there are many factors to take into account, but security should be a top priority. Consider services that have taken steps to protect your information and promptly recover if an attack occurs. See our list of recommendedWordPress hosting providers.

Back up your website.

Being hacked is bad. Losing all your information is even worse. Make sure you have your website information backed up by WordPress and your host in the event of an attack (or any other incident) that causes data loss. We recommend backups be automatic as well. See our list of the bestWordPress backup pluginsavailable.

Update your version of WordPress.

Outdated versions of the WordPress software are a very common target for hackers. Make sure youregularly check for and install WordPress updatesas soon as possible to eliminate vulnerabilities found in older versions.

To update WordPress to the latest version, first back up your site and check that your plugins are compatible with the latest version of WordPress, updating plugins accordingly. You can reference our guide forhow to update your WordPress plugins.

After updating your plugins, follow theupdate instructions on WordPress’ website.

Install one or more security plugins.

We highly recommend installing one or more reputable security plugins on your website. These plugins do much of the security-related manual work for you, including scanning your website for infiltration attempts, altering source files that might leave your site susceptible, and preventing content theft like hotlinking. Some reputable plugins cover almost everything on this list.

Whichever plugin(s) you decide to install, security-related or not, make sure they’re well-established and legitimate.See our list of recommended WordPress security plugins.

Use a secure WordPress theme.

Just like you shouldn’t install a sketchy plugin on your site, resist the urge to use just any WordPress theme that looks good. To prevent vulnerabilities caused by a Wordpress theme, choose one that is compliant with WordPress standards.

To check whether your current theme meets WordPress’ requirements, copy your website URL (or the URL of any WordPress site or any theme’s live demo) intoW3C’s validator. If you find your theme isn’t compliant, search for a new theme in the officialWordPress theme directory. All themes in this directory are safely compatible with WordPress software. Alternatively, see HubSpot’slist of recommended WordPress themes, or search another credible theme marketplace.

Enable SSL/HTTPS.

SSL (Secure Sockets Layer) is the technology that encrypts connections between your website and visitors’ web browsers, ensuring that the traffic between your site and your visitors’ computers is safe from unwelcome interceptions.

你的WordPress站点需要启用SSL。不仅will it boost SEO, but it also plays directly into your visitors’ first impression of your website. Google Chrome will even warn users if the site they’re visiting doesn’t follow the SSL protocol, which directly reduces website traffic.

To see whether your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If the homepage URL begins with “https://” (the “s” stands for “secure”), your connection is secured with SSL. If the URL begins with “http://”, you’ll need toobtain an SSL certificate for your website.

Install a firewall.

A firewall sits between the network that hosts your WordPress site and all other networks, and automatically prevents unauthorized traffic from entering your network or system from the outside. Firewalls keep out malicious activity out of your site by eliminating a direct connection between your network and other networks.

We recommend installing aWeb Application Firewall (WAF) pluginto protect your WordPress site. As with everything else on this list, carefully deliberate which type of firewall and which plugin works best for your needs before making your choice.

Never trust user input.

If any part of your website accepts a response from visitors, be it a payment form, a contact form, or even a comment section on a blog post, this is an opportunity for an XSS or database injection attack. Attackers could enter malicious code into any of these text fields and disrupt your website’s backend.

为了避免这个问题,确保你过滤掉special characters from user input before it is processed by your site and stored in a database. Alternatively, you can use aWordPress form pluginto get the job done.

Limit WordPress user permissions.

If your WordPress site has multiple user accounts, we recommend changing the roles of each user to limit their access to only what they need. WordPress hassix rolesto choose for each user. By limiting the number of users with administrator permissions, you reduce the chance of an attacker brute-forcing their way into an admin account, and limit the damage that can be done if an attacker does correctly guess a user’s credentials. See our guide onhow to change WordPress user permissions.

使用WordPress监视。

Having a monitoring system in place for your website will alert you of any suspicious activity that occurs on your site. Ideally, your other measures would have prevented such activity, but it’s better to find out sooner rather than later.

Log user activity.

Here’s another way to get out ahead of issues before they occur: Create a log of all activity that users take on your website, and check this log periodically for suspicious activity. This way, you’ll see if another user is acting suspiciously (e.g. trying to change passwords, altering theme or plugin files, installing or deactivating plugins without permission). Logs are also useful for cleanup after a hack, showing you what went wrong and when.

This isn’t to say that all password changes or file modifications are always signs of a hacker among your team. However, if you’re employing many external contributors and giving them access permissions, it’s always a good idea to keep an eye on things.

Many WordPress plugins create activity logs, and there are several dedicated logging plugins for WordPress likeWP Activity Logor the freeActivity Logplugin.

Change the default WordPress login URL.

As I’ve mentioned, the default URL for the WordPress login page for any WordPress site is easy to find. Plugins likeWPS Hide Loginchange this login page URL for you.

Conduct regular WordPress security scans.

It’s a good idea to runroutine check-upson your site. Aim for at least once a month. There are multiple plugins that can scan your site for you. Here are theseven WordPress scanner plugins we recommend.

Disable file editing in the WordPress dashboard.

By default, WordPress lets administrators edit the code of their files directly with the code editor. This gives attackers an easy way to alter your files if they gain access to your account. If a plugin hasn’t already disabled this feature, you can do some light coding to disable it yourself. Add the code below to the end of the filewp-config.php:

// Disallow file edits
define( 'DISALLOW_FILE_EDIT', true );

Change your database file prefix.

文件的名字,你的WordPressdatabase begin with “wp_” by default. Hackers leverage this setting to locate your database files by name and conduct SQL injections.

A simple fix? Change the prefix to something different, like “wpdb_” or “wptable_”. It is possible to set this when installing the WordPress CMS. If your site is already live with this setting, you can rename these files. In this case, we highly recommend using a plugin to handle this process, since your database stores all your content and a misconfiguration will break your website. Look for the ability to change table prefixes among the features of your preferred security plugin.

Disable your xmlrpc.php file.

XML-RPC is a communication protocol that enables the WordPress CMS to interact with external web and mobile applications. Since the incorporation of the WordPressREST API, the XML-RPC is used much less frequently than it once was. However, it is still utilized by some to launch powerful attacks on WordPress sites.

This is because XML-RPC technology lets attackers submit requests containing hundreds of commands, making it easier to commit brute force login attacks. XML-RPC is also less secure than REST because its requests contain authentication credentials that can be exploited.

If you’re not using XML-RPC, you can disable thexmlrpc.phpfile. First, check whether your site is making use of the file. Plug your URL into thisXML-RPC validatorto check whether your site is currently making use of the protocol. If not, the easiest way to disable this file is with a plugin likeDisable XML-RPC-API. Your WordPress security plugin may also be able to do this for you.

Consider deleting the default WordPress admin account.

我们已经讨论了改变“admin”用户名the default WordPress admin account, but if you want to take things a step further, get rid of this default account altogether, and make a new account with the same administrator permissions.

What To Do If You’re Hacked

So, you’ve implemented some or all of the measures above, and now you want to be extra prepared in case something goes wrong. Or, something has gone wrong. Either way, here’s what to do:

Remain calm.

It’s natural to panic in these situations. Just remember that a security breach can happen to anyone. It’s necessary to keep a clear head so you can locate the source of the breach and begin to resolve it.

Turn on maintenance mode on your website.

Limiting access to your site keeps visitors away from your side and safe from the attack. Only open your website when you’re confident the situation is under control.

Start creating an incident report.

Record all relevant details that can help solve the issue. These include, but are not limited to:

• When you discovered the problem.
• What led you to believe you were attacked.
• Your current theme, active plugins, hosting provider, and network provider.
• Any recent changes you made to your WordPress site before the incident.
• A log of your actions while finding and fixing the issue.

Update this document as more details become available.

Reset access and permissions.

Change all account passwordson your WordPress site to prevent any further website changes. Next,force-logoutany users still logged in.

所有账户持有人也应该考虑updating passwords on their work and personal devices, as well as personal accounts, since you can’t know for sure what the attackers were able to access beyond your WordPress site.

Diagnose the issue.

Either search for the problem yourself with a security plugin, or, depending on the scale of the attack, hire a professional to diagnose the problem and repair your site. Regardless of what method you choose, run a security scan on your site and local files to clear any remaining harmful files or code the attackers might have left, and to restore any missing files.

Review related websites and channels.

If you have accounts for any other online platform linked to your website, such as a social media account or another WordPress site, check these platforms to see if they were affected. Change your passwords for these channels as well.

Reinstall backup, themes and plugins.

Re-install your theme and plugins (double-checking that they’re safe). If you have a backup in place, restore the most recent backup prior to the incident.

Change your site passwords again.

Yes, you did reset all WordPress passwords before, but these credentials could have been compromised while you were fixing the problem. You can never be too careful.

Alert your customers and stakeholders.

After your site is up and running again, strongly considerreaching out to your customersalerting them of the attack, especially if personal information was accessed and leaked. It’s the right thing to do, and be prepared for negative responses from customers.

Check that your website is not blacklisted by Google.

If your website was blacklisted by Google as a result of the attack, Google will not-so-subtly warn users about entering your website:

Image Source

While blacklisting is necessary to keep users away from harmful websites, it will also scare most traffic from your legitimate site. Sucuri has afree toolto scan your website for Google blacklist status.

Follow the best practices above.

Taking all possible precautions to limit the possibility of another attack will give you some peace of mind. Let’s hope something like this doesn’t happen again. But if it does, you’ll be in much better shape.

Don’t take security for granted.

I know I might have come off a bit preachy in this article. I apologize, but I promise it’s for good reason. If you don’t believe me, take it from former IBM CEO Ginni Rometty:

“Cybercrime is the greatest threat to every company in the world.”

And it will continue to be. Cybercriminals are constantly evolving new ways to leverage companies’ online presence against them, and security engineers are always developing new methods to stop them. This is the ever-turning cycle of security on the internet, and we’re all caught in the middle. Always keep your customers’ safety in mind, so they have one less thing to worry about.

To learn more about what HubSpot is doing to protect its users,clickhere.

Note: Any legal information in this content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.

Editor's note: This post was originally published in May 2020 and has been updated for comprehensiveness.