When you’re in charge of WordPress websites for several clients, it’s hard to ever relax. Problems seem to come out of nowhere, and clients will email, text, and call in a panic because their site has slowed down or crashed. Plus, if one client’s site goes down, you know that there could be trouble with all the other ones as well. Being dedicated to your job and having clients spread across different time zones means you never get a break from the worry.
There’s no surefire way to ensure a website never, ever has a problem. However, relying on dependable WordPress-focused services, like your host and theme provider, can solve and prevent many common issues, including hacks.
If your WordPress site has ever been hacked – or even if you’ve just imagined it when going over all the possible outcomes – you know the panic that’s bound to set in. Simply knowing a security breach is possible is enough to get you on track to creating a safer website that’s monitored by a reliable host. In this article, we’ll go over how to harden your WordPress website and arm it with the best security possible.
Here’s what it can look like if your WordPress gets hacked:
- You’re unable to log in. One of the easiest ways for hackers to gain access to your WordPress account is to change the user password. However, they may also remove your user account completely. Being unable to access your account with your regular password and being unable to reset your password is a strong sign you’ve been hacked because it means your user account is gone.
- New content is on your site…and you didn’t put it there. If you notice that there’s a static page in place of your homepage and/or if the website theme is replaced, that’s a sign you’ve been hacked. However, there may be much more subtle differences that you’ll have to look harder to find. For example, there may be a random link in the content that goes to a shady site.
- Your website redirects to another website. Hackers will sometimes add scripts that redirect visitors to a totally different site – one you definitely don’t want them on. Using an insecure server increases the probability of this happening, which is why it’s important to always choose quality hosting.
- There’s a browser or Google warning when you try to access your site. There are a few different reasons why you may get a browser warning that there’s a problem with your site, and hacking is only one of them. It could also have to do with a plugin or theme code that has to be removed. Or, it may be a problem with your domain or SSL, which your host can help with. If Google is displaying a warning, though, that could point to a sitemap hack, which impacts how Google crawls your site.
Whenever there’s a security vulnerability, your WordPress security plugin or web host should notify you of the breach. Having security measures in place to alert you to the issue and solve the problem is the best course of action.
There are a number of ways that hackers can take control of your website.
Most WordPress hacks are automated, and the most frustrating part is that they can be easily prevented by keeping your WordPress site up to date. While it’s possible that a hacker will target one specific site, usually websites are part of a much larger, broader attack. Here’s how hackers take over your site:
- Backdoors – are hidden files or scripts, present an alternative way to access your site. Then, a backdoor can be used to add a malicious redirect to another site where you wouldn’t want to send your visitors.
- Brute force logins – is when automated tools figure out weak passwords.
- Cross-scripting – lets hackers send malicious code to a browser via a script in a plugin that’s being used.
- Denial of Service (DoS) – adds bugs or errors to a website’s code so the site no longer works properly.
- Pharma hacks – when code is entered into an outdated version of WordPress.
These sound pretty scary. Luckily, there are steps you can take to prevent these problems from happening in the first place.
A Quick Overview of WordPress Hardening
WordPress website hardening puts a robust security force field in place. WordPress hardening includes:
- Changing your WordPress login URL.
- Hiding your WordPress version.
- Using strong passwords and requiring all user accounts to have strong passwords.
- Password-protecting your WP admin directory.
- Disabling file editing in the WordPress Dashboard.
- Disabling PHP file execution in certain WordPress folders.
- Requiring two-step verification on the WordPress login screen.
- Limiting login attempts.
- Disabling login hints.
- Limiting login access to certain IP addresses.
- Disabling user enumeration.
- Disabling XML-RPC.
There are a number of ways to make your website safer and keep yourself from getting WordPress hacked in the future. While you may be able to handle some of these must-dos on your own, it’s always best to work with a dedicated host who will put the proper safety precautions in place, monitor your site, respond to any potential breaches, and keep you posted on any and all issues.
In this article, we’ll walk you through some of the hardening methods you can tackle on your own, but note that others are usually too advanced for the average user. In that case, you’ll want to work with a WordPress security professional, like a next-generation host, for well-rounded and in-depth security.
15 Tips for Creating a Secure WordPress Website
There are a number of reasons why your WordPress site may get hacked – and there are several ways to strengthen your site, too. Let’s go over the main security vulnerabilities that every agency, developer, and freelancer should know about, plus, how to protect your site from falling prey to them.
Always Use the Latest Version of WordPress
Every time WordPress releases a new version, you should update your website as soon as possible. WordPress versions often have security patches to fix problems with the previous version. If you don’t update, you could leave your site vulnerable.
By always having the latest version of WordPress, you close security gaps that hackers can potentially get through. Your best option is to set up automatic updates so they run without you having to do it manually. And remember that every time you update your site, you should have a backup of your site saved. Any quality host will automatically update your site to the latest version of WordPress so that you don’t have to stay on top of it.
Use the Strongest Passwords Possible
If you don’t create a secure enough website, it’s easy for hackers to access your WordPress admin panel – and once they do that, they can do pretty much anything they want. Hackers use automated tools to run through numerous potential passwords until they hit on the right one. They can then log in to your WordPress admin account and have full control.
Having a weak password is one of the biggest website vulnerabilities, but it’s also the one that’s easiest for you to remedy. In addition to setting a secure password for your WordPress admin account – and changing it regularly – make sure that every website-related service is protected by a strong and unique password, like your FTP and host logins.
Here are a few tips for setting strong passwords:
- Don’t use a version of your name, username, brand name, or website name.
- Don’t use a dictionary word, whether it’s in English or another language.
- Never create a short password – it should be around eight characters, minimum.
- Don’t use just letters or just numbers – your password should combine letters, numbers, and symbols.
There are security plugins such as Wordfence (also available as a standalone Login Security plugin) you can use that will force all users to create strong passwords, and sometimes this service comes standard with hosting plans. Also, if you add two-factor authentication to your website, it’ll be even harder for hackers to get in and create their own account. Furthermore, if you haven’t already, set a schedule for regular password updating, like once every 30, 60, or 90 days.
Set a Limit on Login Attempts
WordPress default is to let users attempt to log in a limitless number of times. However, this leaves your site vulnerable to hackers who attempt to find your password by trying numerous combinations. You can use a dedicated plugin such as Wordfence, linked above, to set a limit on login attempts, but your web application firewall (more on that in a bit) may come standard with this feature.
Limit Access to Your Site
The larger your team, the harder it is to limit who has access to your site. However, the fewer people, the better, because you lower the risk for accidental or purposeful security breaches. Look through your list of admin accounts (go to Users in the Dashboard sidebar) to see if there are any that are no longer part of the team, don’t need access to WordPress or should have less access to your site. Also, note any users that you don’t recognize.
Before removing a user you don’t recognize, check with your account holders to see if they updated their account details – it’s possible a user is an actual admin, but they’ve made a change you don’t recognize. At this point, also clean up your user list to remove anyone who is no longer part of your website and/or shouldn’t have access. Click the checkbox next to any user you want to remove, then change the Bulk Actions dropdown to Delete. Or, to remove a single user, click the Delete link under their username.
Set a Logout Timer for Idle Users
If you have a lot of people who have access to your site, consider using a dedicated plugin that will automatically log them out when they’re idle. If the user walks away from their computer while they’re still logged in to your site, anyone can make changes to your WordPress account. A plugin, such as the free Inactive Logout, will let you set the duration to decide how long a user can be idle before they’re auto-logged out. You can also write a message that will pop up on the screen right before the user is logged out – that way, if they’re still in front of their computer, they can opt to stay logged in.
Reinforce Your Site With Server-Side Protection
When you can have protection on the server-side of your site, hackers will have an even tougher time breaking in. By adding an extra layer of protection to your wp-admin, you protect your login screen, WordPress admin area, and files. The best way to do this is by using HTTPS SSL, which is an encrypted connection, to protect your wp-admin. Check with your host to see if they offer this level of security.
Use a Web Application Firewall
One of the best ways to keep your site secure is by using a web application firewall (WAF). Essentially, a WAF will keep malicious traffic away from your site. There are two options:
- DNS-level firewall: This type of firewall will send traffic through its own cloud proxy servers. The only traffic that will make its way all the way to your site will be quality, non-malicious traffic.
- Application-level firewall: When you use a plugin to serve as a WAF, the traffic will reach your server, but the plugin will check it out before loading scripts.
While an application-level firewall is better than nothing, a DNS-level firewall is the safer option of the two. Popular plugins like Wordfence, services like Cloudflare, and secure hosts like Convesio offer this.
Only Install Up-To-Date, Reliable Plugins and Themes
If you have out of date or nulled plugins or themes, your WordPress website is vulnerable to a hack. “Nulled” refers to premium plugins and themes that should be paid for (when purchased from the right source) but instead are offered for free on another site. These elements are meant to collect information or, worse, harm your site.
Never use a plugin or theme from a source you don’t trust. Select yours from the WordPress library or make sure to read plenty of reviews if you go with an outside source. Furthermore, any plugins you choose should be tested and compatible with your WordPress version.
The reason why plugins and themes have to be updated is that those updates include security features and patches. If you don’t have the latest version, you don’t have the latest security measures. Stay updated by always using the latest versions of reputable plugins and themes. If you choose the right hosting provider, they’ll run these updates for you.
Get Rid of Unused Installations
If you have deactivated plugins and themes that you won’t be needing, delete them. The same goes for unnecessary files, WordPress installations, and databases – get rid of them. The more data that’s sitting in WordPress, the more vulnerable your site is, especially when it comes to old WordPress installations that won’t be up to date.
Delete Unwanted Files
You need to discover any files that don’t belong there, and then remove them. To do this, you may need to install a security plugin, like the ones below. Popular options are Wordfence (again!), Defender, and MalCare. These types of plugins can scan your site and alert you to anything that doesn’t belong.
However, note that a quality web host will do this for you automatically, which means you won’t have to worry about installing a plugin, scanning regularly, or removing problematic files. And if you feel that your site needs a manual scan right now, you can contact your host to handle that for you, too.
Run Regular Backups and Scans
Backup your WordPress site regularly (once a day or more), and make sure to include the database, media files, and plugin and theme files in each backup. Also, run malware and file integrity scan regularly to locate any malicious files that may be on your server. There are several WordPress security plugins you can use to automate this process. However, note that scans don’t actually remove malware – they just let you know it’s present. You’ll still need to get rid of the malware yourself (or have your host handle it).
You should regularly scan for malware, spyware and viruses on your computer, too. No matter how secure your website is, if your computer is unsafe – for example, if there’s a keylogger on it – your website is at risk.
Monitor Changes to Your Files
Any time an attack occurs, there’s some trace that it leaves behind – there may be evidence of the attack in the logs or in files, for example. You should be monitoring your files all the time, and there should be alerts set up so that you know whenever a change is made. That way, if a change occurs that you didn’t know about in advance, you can quickly assess if it’s due to a security breach or not. Some of the plugins mentioned above, such as Defender, can take care of this for you.
Regularly Clean Your Database
When you clean out your database, you get rid of extra, unnecessary data that your site’s accumulated over time, like spam and trash comments, settings for themes you no longer use, etc. The less useless data there is in your database, the faster your site will run. Plus, if you received an alert from your security plugin or provider that your database has been hacked, this step is a necessary one. There are several plugins to choose from in the WordPress directory: WP Optimize is the most popular dedicated option, or you can consider WP-Sweep, or Advanced Database Cleaner. Alternatively, you can work with a host who handles regular database cleanups for you.
Choose a Secure Web Host
When you’re partnered with an unreliable and insecure hosting company, you face a number of problems, including the inability to scale, too much server downtime, and single points of failure. You should be able to scale your site up when traffic surges without worrying that it’s going to crash, go down, or become more vulnerable to security breaches. Here’s another consideration: the best hosting isolates each website so that one compromised site doesn’t affect any others.
If you settle for an inexpensive and low-quality hosting package, you’ll be sharing a server with hundreds of other customers. As a result, your site will slow down. Also, all of those other sites pose security risks to your site – the more sites that are crammed on a server, the more insecurities there are. Furthermore, a “budget” host probably won’t monitor your site closely or know if there’s been an attack.
Most hosting companies offer some sort of security service, but wherever their role stops, yours begins – and if you have no clue how to manage or secure a website, yours could be left highly vulnerable. Work with a host that will offer an array of security features and around-the-clock monitoring and management. Your host should also:
- Be open to answering any of your questions about security, including explanations of the features they offer and their processes.
- Offer the most recent stable version of software.
- Regularly backup your website, while also offering reliable processes for recovery should something go wrong.
Two standard security measures that every site should have are configuring a firewall and adding SSL for extra security. You can use plugins for both of these must-haves, but to keep your site lean, it’s best if you find a host that includes these features in their standard plan.
Here are two more important considerations when choosing a web host:
- Don’t use a shared server. You should never choose a host that will put your site on a shared server. When you’re on a shared server, that server is hosting your site along with many others. If one site is compromised, yours is at risk, too.
- Use SFTP encryption. Your web host should offer SFTP encryption, which means that your data and password are encrypted when you connect to your server. Even if there’s a hacker present, they won’t be able to see your password, because it will be concealed when transported between your computer and your website.
Set up Recurring Security Measures
By adding a security plugin to your WordPress site, you’ll be notified of suspicious activity as soon as it occurs. For example, if someone attempts an unauthorized login or adds a file, you can get a notification. The plugin should provide a warning that clearly communicates what the issue is so that you know the next steps to take.
Alternatively, you can work with a security service provider that will monitor your site and fix problems that occur. This is a costly option, though, but security shouldn’t be an option for most site owners – you need your WordPress site to be safe. Quality WordPress hosting should have 24/7 security monitoring built-in so that you don’t have to hire yet another service provider just to keep your site functioning.
How to Prioritize WordPress Security With Your Web Host
It’s best to always partner with providers that use top-notch security services. For example, Patchman is a server-level solution that detects and fixes vulnerabilities and malware. It does it all while running behind the scenes – customers don’t have to install or configure it, or even keep an eye on it for maintenance. When Patchman catches a security fix in a new release, it backports the fix to apply it to all earlier versions.
Here’s another example: Human Presence’s behavior analysis engine detects and eliminates 99% of malicious bot spam. Website visitors can’t see that it’s working, but it continues to protect analytics, comments, forms and reviews, and it also stops content and data from being scraped from your site.
When you choose web hosting from Convesio, security services come standard. For example, Cloudflare’s enterprise security functionality is a good way of securing your WordPress site, but it usually costs upwards of $200 per month. With next-generation hosting, you get this out-of-the-box.
These other security features are highly important, too. With many hosting packages, you’d have to purchase these security benefits separately – now, you can have them included in your standard package:
- Advanced firewall rules.
- Advanced managed rule set.
- Automated malware patching.
- Automated vulnerability patching.
- Comment and form spam protection.
- Enterprise DDoS mitigation.
- Human presence bot detection.
- Intelligent threat detection.
- OWASP core rule sets.
- Rate limiting.
- Reputation-based threat protection.
Find a Web Host You Trust
Relying on secure WordPress hosting is a must for agencies, developers, freelancers, and any website owner who needs their site up-and-running without hiccups. Full-service hosting means you can rely on your provider to watch your website closely, know as soon as there’s an issue and fix it, all without your involvement. Here are just a few of the features to look for in a secure web host:
- Latest PHP
- Disabled directory browsing
- Hardened database security
- Scales to demand (which also avoids unnecessary costs)
- Site isolation and container security
At Convesio, if they start detecting a certain amount of load on a WordPress instance, they’re able to split traffic between multiple instances. This sort of high-availability WordPress hosting usually costs a lot, upwards of $1,400 per month. The reason it’s so expensive is that it’s such a difficult (and important) problem to solve. With Convesio, you pay just $50 a month and are able to create a multi-tenant WordPress site that scales into multiple nodes.
A secure website isn’t one that will never have any security-related issues – it would be impossible to promise that. Instead, a secure website is one where there are as many security risk reductions made as possible. The stronger and more secure your website, the less vulnerable it is to hacks.
Some security measures to keep your site from getting WordPress hacked are obvious and easy to handle on your own, like creating strong passwords and only opting for reputable plugins and themes. Others are more difficult to manage, though, especially if you’re in charge of numerous websites for clients.
Nobody wants to deal with the trouble of a WordPress hack. Your site will become unavailable to visitors, and your business can be impacted – and the longer your site is inaccessible, the greater the overall impact. Taking action fast is necessary.
So much of this can be automated and handled for you with the right host – they can take over regular backups, malware scans, security updates, encryption, and firewalls. Whether you’ve had a hacked site and never want to go through it again or you’d love to boast that your sites have never been hacked, quality security is key. Keeping your WordPress website up-to-date and partnering with a quality hosting partner like Convesio can prevent hacks from happening in the future.
This is a guest article contributed by Lindsay Pietroluongo.
Lindsay started her freelance career in 2009 and writes about business tech, tools, and advice for small brands and solopreneurs. She loves productivity hacks, minimalist workflows, and every horror movie that comes out.