In this post, we’re going to point out the most common WordPress security vulnerabilities and show you how to increase WordPress security before your site is compromised.
Using this information, you’ll be able to create a WordPress security checklist that helps you find & eliminate these vulnerabilities.
If you’re ready to implement the WordPress security solutions that actually work and keep your site secure, this post is for you!
Let’s get started.
What is the best security for WordPress?
Protecting your site is all about limiting the attack surface. Making yourself a small target. Keeping a low profile.
And most of these security measures have nothing to do with WordPress at all. They have everything to do with your digital privacy & security habits.
Security is a process, not a product.
If you’re in the habit of protecting your email, usernames & passwords, payment methods, internet traffic, etc., securing your WordPress site is a simple task.
But even if you aren’t, the tips and strategies detailed in this post can still be put into practice without too much effort.
How do I make my WordPress site more secure?
We don’t need another post about the best WordPress security plugins; what we need are the habits and practices that make (and keep) us secure.
We’re going to start with some tips for personal privacy & security, move on to some of the easy (and most effective) steps for website security, and close with a couple of advanced strategies to keep your site safe from attack.
Remember, the optimal way to protect your site is to have real protection in place before something bad happens.
How To Increase WordPress Security
The following 4 areas build on each other, so it’s important to address them in this order. The good news is that most of these tasks can be completed within 60 minutes.
1. OpSec
Operations Security (OpSec) sounds complex but is actually quite simple.
It comes down to listing what you need to protect (usernames, passwords, personal data, etc.), working out who might try to exploit that data (hackers, advertisers, etc.), and identifying where it is exposed.
If you want to shortcut this process, simply follow these steps:
- Utilize a trusted VPN on all devices connected to the web
- Always use unique passwords and usernames for every account
- Employ 2-Factor Authentication (2FA) wherever possible
- Shield your money by creating virtual cards for online payments
- Use a privacy focused email provider like Fastmail
Most people aren’t being directly targeted. They get inadvertently exposed when a large company with millions of users gets hacked (such as the 2012 LinkedIn breach).
When you have good OpSec habits in place, data breaches will have little to no impact on your security overall.
Now let’s focus on your WordPress site.
2. Logins
The most common way WordPress sites are hacked is through the login page (your-site.com/wp-admin).
The easiest way to prevent this is by using a unique username and password. Something you have never used (and will never use) anywhere else.
If someone gets hold of your email username & password, trying to log in to your WordPress site with those credentials will fail.
And with 2FA enabled, even the correct credentials aren’t enough to access your site.
In addition to this, make sure you edit each WordPress user profile to display a different name publicly than the username they use to log in to the site.
If you want to go the extra mile, you can even do things like changing the login URL from the default and/or using a plugin to limit the number of times someone can try to log in.
Your login page is your site’s first line of defense, so take care of this first.
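As an added example (not code from the original post), here is a must-use plugin that implements two of the points above with WordPress’s own hooks: a transient-based limit on failed login attempts per client address, and a check that refuses to save a user profile whose public display name is identical to the login username. The plugin name, the `EXAMPLE_` prefix, and the limits (5 failures per 15 minutes) are assumptions you should adjust; the hooks used (`wp_login_failed`, `authenticate`, `wp_login`, `user_profile_update_errors`) are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (added example, not part of the original post)
 * Copy into wp-content/mu-plugins/ so WordPress loads it automatically.
 */

// Assumed, adjustable limits: 5 failures per client within a 15-minute window.
define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

// Transient key for the calling client. REMOTE_ADDR is what PHP sees; behind a
// CDN or reverse proxy you must have the real client IP restored upstream,
// otherwise every visitor shares one bucket and locks each other out.
function example_login_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count every failed login against the client's bucket (window restarts on each failure).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_login_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
} );

// Refuse authentication once the bucket is full. Priority 30 runs after the
// core username/password check (priority 20), so a WP_Error here wins even
// when the submitted credentials were correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( example_login_client_key() );
    if ( $count >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the client's counter.
add_action( 'wp_login', function () {
    delete_transient( example_login_client_key() );
} );

// Reject a profile save whose public display name equals the login name, so
// author archives and bylines do not hand out the username used to log in.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->display_name ) && $user->display_name === $user->user_login ) {
        $errors->add(
            'display_name_equals_login',
            __( 'The public display name must differ from the login username.' )
        );
    }
}, 10, 3 );
```

Two design notes: the lockout error itself triggers `wp_login_failed`, so each attempt during a lockout extends the window, which is the intended behaviour; and the display-name check only guards profile edits, so run through existing users once after installing it.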
3. Updates
Another common way into your site is through active plugins. Each plugin you use adds to your attack surface.
Try to use as few plugins as possible, and make sure the ones you have installed come from a trusted development team that provides frequent updates.
Make sure to apply these updates as soon as they are available. Without these security updates, WordPress itself or your active plugins can be exploited to add malware (or worse) to your site.
All of this also applies to your WordPress theme and to WordPress itself, and it takes almost no effort, since you can enable automatic updates by toggling a checkbox.
If you have plugins or a theme that haven’t received any updates in months, now would be a good time to find alternatives and replace them.
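The checkbox approach works site by site; if you want the policy enforced in code (for example across several sites you manage), the following must-use plugin is an added example, not code from the original post. It turns on automatic updates for WordPress core, all themes, and all plugins except a short list you choose to update by hand. The plugin name, the `example_` prefix and the placeholder slug are assumptions; the filters used (`automatic_updater_disabled`, `allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `auto_update_plugin`, `auto_update_theme`) and the `WP_AUTO_UPDATE_CORE` constant are standard WordPress.

```php
<?php
/**
 * Plugin Name: Example Auto-Update Policy (added example, not part of the original post)
 * Copy into wp-content/mu-plugins/ so it loads before any regular plugin.
 *
 * Core auto-updates can also be set in wp-config.php with
 *   define( 'WP_AUTO_UPDATE_CORE', true );   // true | 'minor' | false
 * The filters below do the same from code and extend it to plugins and themes.
 */

// Assumed list of plugin slugs (their directory names) you prefer to update
// manually, e.g. one with custom patches. Leave it empty to update everything.
function example_manually_updated_plugins() {
    return array( 'example-custom-plugin' ); // placeholder slug, not a real plugin
}

// Make sure nothing else has switched the automatic updater off.
add_filter( 'automatic_updater_disabled', '__return_false' );

// Core: take minor (security) releases and major releases automatically.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: update automatically unless the slug is on the manual list.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, example_manually_updated_plugins(), true ) ) {
        return false; // still shows in the dashboard as an available update
    }
    return true;
}, 10, 2 );

// Themes: always update automatically.
add_filter( 'auto_update_theme', '__return_true' );
```

Plugins on the manual list still appear as pending updates in the dashboard, so keep that list short and check it when you review the rest of the site; an item left there for months is exactly the stale plugin the advice above tells you to replace.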
Lastly, make sure to backup your site regularly and store those backups off-site. If you ever do have a problem, you can quickly roll back to a previous version of your site.
4. WordPress
In this final section, we’re going to cover something that most sites treat as an afterthought: WordPress security plugins.
A security plugin can provide a whole host of features to keep your site safe, but not all of the options available are good ones, especially the free versions.
Most free WordPress security plugins only inform you that there is a problem after it happens; they don’t prevent anything.
While they may provide a WordPress security scan, they don’t provide a lot of actual protection unless you pay for the premium version, so consider upgrading.
The security plugin I use for all my sites is Malcare.
It includes daily malware scans with one-click malware removal, a real-time firewall, bot protection, and keeps a database of plugin vulnerabilities.
Do a bit of research to find out which security plugin is right for you. A good security plugin can do a lot of the heavy lifting to keep your site secure.
Final Thoughts
Improving the security of your WordPress site isn’t difficult, and doesn’t take a lot of time. But it’s easy to keep putting it off until later.
How much time have you invested building and growing your site? Set aside the next hour to protect your investment.
Be proactive. Address these vulnerabilities now.
What about you?
What are you doing to keep your site secure?
Let us know by leaving a comment below.
Thank you for putting this guide together. I never considered how everything starts with good OpSec.
Sure thing, Henry. Good OpSec habits can keep you secure wherever you need it.
Wow, I’ve never thought about having unique usernames, just unique passwords. Does it make that big of a difference?
It makes a big difference, Madeline!
Whenever a site’s data is breached, bad actors will test those usernames on all the major sites. Having the same username on multiple sites gives them a great starting point.
I use 2FA on my site, and have changed the login page URL. This makes it more secure and greatly minimizes the amount of spam I get on my site.
Great tips, Angela. Thanks!
I use a plugin that changes how the post author name appears; this way someone trying to attack my site through the WordPress login doesn’t have a good starting place – they have incorrect usernames…
That’s an excellent tip, Simram! Thanks for commenting!
Reading this post changes how I think about security. I used to think keeping everything updated might break my site or change how things looked. I should worry less about that and think about how those updates probably contain security patches. Thank you!
That’s great, ML. Thanks for stopping by!
Your article here helped me a lot, is there any more related content about OpSec? Thanks!
Hi Benjamin, my favorite source is ‘The Privacy, Security, and OSINT Show’ podcast. Not a lot of content specifically about websites, but great on OpSec regarding phones, laptops, VPNs, personal data, and privacy best practices.
Good article, sir! What password manager do you recommend?
Thanks, Mr. Keyes! I’m currently using Bitwarden.
I couldn’t agree more with recommending fewer plugins. Many stop getting updates, or get taken over by another developer that puts in ads or other undesirable nonsense. Fewer = Better.
Exactly right, Nick! I’m down to 9 active plugins at the moment. Better security & site speed!