# WordPress security: complete guide to protect your website
Published on 11 December 2025
Your WordPress website is a target. Every day 90,000+ WordPress websites get hacked. Hackers steal customer data, inject malware, or use your server for spam. A hacked website means lost revenue, damaged reputation and angry customers.
The good news? WordPress itself is secure. It's bad security practices that make websites vulnerable. In this guide you'll learn exactly how to fully secure your WordPress website against hackers, malware and other threats.
## Why WordPress websites get hacked
**Common reasons:**
- Weak passwords (still #1 cause)
- Outdated WordPress versions with known vulnerabilities
- Unsafe plugins and themes
- Shared hosting with compromised neighbor
- No SSL certificate
- Default admin username
**What hackers do with hacked websites:**
- Inject SEO spam (hidden links to sketchy sites)
- Distribute malware to your visitors
- Host phishing pages
- Use your server for DDoS attacks
- Steal customer data
- Ransomware: site held hostage until ransom paid
**Costs of a hack:**
- Website cleanup: €200-€1000+
- Lost revenue during downtime
- Google blacklist (can take weeks to get off)
- Lose customers through reputation damage
- Possible legal problems with data breaches
Prevention is 100x cheaper and easier than recovering after a hack.
## 1. Use strong passwords and 2FA
Weak passwords are responsible for 8 out of 10 hacks. "admin123", "password", or your company name are dangerous.
**Create strong passwords:**
**Use a password manager:**
- 1Password (€2.99/month)
- Bitwarden (free/€10/year)
- LastPass (freemium)
These tools:
- Generate random passwords of 20+ characters
- Store everything securely encrypted
- Auto-fill in browsers
- Sync between devices
**Password requirements:**
- Minimum 16 characters
- Uppercase, lowercase, numbers, symbols
- No dictionary words
- Unique per account (never reuse!)
**Example strong password:**
`k9$mPx2#vL4@qN8wZ!yR`
**Set up Two-Factor Authentication (2FA):**
**Via Wordfence plugin:**
1. Install Wordfence Security (free)
2. Go to Wordfence > Login Security
3. Click "Enable 2FA"
4. Scan QR code with authenticator app (Google Authenticator, Authy)
5. Enter test code to activate
**Via iThemes Security:**
1. Install iThemes Security plugin
2. Go to Security > Settings > Two-Factor Authentication
3. Enable for all admin users
4. Choose method: authenticator app or email codes
Now logging in is impossible without physical access to your phone, even if the password is leaked.
## 2. Keep WordPress, plugins and themes up-to-date
Outdated software is the #2 cause of hacks. Every update patches known security vulnerabilities.
**Why updates are crucial:**
Example: in 2021 Wordfence published a patch for a vulnerability affecting 1+ million sites, which gave hackers complete site access. The solution was to update to WordPress 5.7.1. Sites that didn't update were hacked en masse.
**Enable automatic updates:**
**WordPress core updates:**
Add to wp-config.php:
```php
define('WP_AUTO_UPDATE_CORE', true);
```
This updates WordPress automatically to new versions.
**Automate plugin updates:**
**Easy Updates Manager plugin** (free):
1. Install Easy Updates Manager
2. Go to Dashboard > Updates Options
3. Enable "Auto Update Plugins"
4. Optional: exclude critical plugins for manual review
5. Enable email notifications
**Theme updates:**
Usually safe to auto-update, but always test first on staging if you have custom modifications.
**Update routine:**
- Make backup BEFORE updates
- Test updates first on staging environment
- Check your site after updates
- Keep changelog of updates
**Plugins and themes from reliable sources:**
- Only from WordPress.org repository
- Or known premium developers (Elegant Themes, StudioPress)
- Check reviews and recent update date
- Avoid "nulled" plugins (cracked paid plugins = often malware)
## 3. Install a security plugin
Security plugins monitor your site 24/7 and block attacks automatically.
**Best WordPress security plugins:**
**Wordfence Security** (free/premium)
**Free features:**
- Web Application Firewall (WAF)
- Malware scanner
- Login security (2FA, login limiter)
- Real-time threat defense feed
- Traffic monitoring
**Premium features** (€99/year):
- Real-time firewall updates (free: 30 day delay)
- Real-time malware signatures
- Country blocking
- Priority support
**Install and configure:**
1. Install Wordfence
2. Run first scan (can take 30-60 min)
3. Review and fix found issues
4. Enable "Extended Protection" (free)
5. Set up email alerts
**iThemes Security** (free/pro)
**Free features:**
- Brute force protection
- 404 detection (bots scan for vulnerabilities)
- Database backups
- Strong password enforcement
- 2FA
**Install:**
1. Install iThemes Security
2. Run Security Check
3. Click "Secure Site" for one-click hardening
4. Manually review advanced settings
**Sucuri Security** (free plugin + paid firewall)
**Free plugin:**
- Malware scanner
- Security activity auditing
- File integrity monitoring
- Blacklist monitoring
**Paid firewall** (€200/year):
- Cloud-based WAF (faster than plugin firewalls)
- DDoS protection
- CDN included
- Guarantee: site cleanup if hacked
**Which to choose?**
- **Beginners:** Wordfence free (most features, user-friendly)
- **Advanced:** iThemes Security Pro (€80/year)
- **Enterprise:** Sucuri firewall (€200/year)
## 4. Limit login attempts
Hackers use brute force attacks: try thousands of passwords until they get in.
**Set up a login limiter:**
**Via Wordfence:**
1. Go to Wordfence > All Options
2. Look for "Brute Force Protection"
3. Set: "Lock out after 5 failed logins"
4. Lock out duration: 60 minutes
5. Enable "Immediately block IP after 10 lockouts"
**Via Limit Login Attempts Reloaded** (free):
1. Install plugin
2. Settings > Limit Login Attempts
3. Max 4 attempts
4. Lockout: 20 minutes
5. Enable long lockout after 4 lockouts (24 hours)
**Extra security: hide wp-login.php**
**WPS Hide Login plugin** (free):
1. Install WPS Hide Login
2. Settings > WPS Hide Login
3. Change login URL to something unique: yoursite.com/secretlogin247
4. wp-admin and wp-login.php no longer work
5. Hackers can't even find login page
**Note:** Save your custom login URL well! Bookmark it.
## 5. Change default admin username
Hackers always try "admin" as username first. Make it harder for them.
**Change admin username:**
You can't change a username directly in WordPress. Solution:
1. Log in as admin
2. Go to Users > Add New
3. Create new user with unique name (e.g. john_admin_2847)
4. Give this Administrator rights
5. Log out and in with new user
6. Delete old "admin" user
7. Assign all content to new user
**Bonus: hide usernames in author URLs**
By default WordPress shows your username in URLs: yoursite.com/author/admin
**Edit Author Slug plugin** (free):
1. Install plugin
2. Users > Your profile
3. Edit Author Slug: change to nickname or custom slug
4. Real username stays hidden
## 6. Install SSL certificate (HTTPS)
SSL encrypts data between visitor and server. Without SSL hackers can intercept passwords.
**SSL benefits:**
- Protects sensitive data (passwords, credit cards)
- Google ranking boost
- Browser warning without SSL ("Not secure")
- Visitor trust
**Install free SSL:**
Most hosting providers offer free Let's Encrypt SSL:
**Via hosting control panel:**
1. Log in to hosting dashboard
2. Look for "SSL" or "SSL Certificates"
3. Select your domain
4. Click "Install Let's Encrypt SSL"
5. Wait 2-10 minutes for activation
**Force WordPress to HTTPS:**
**Really Simple SSL plugin** (free):
1. Install plugin
2. Activate plugin
3. Plugin detects SSL and configures everything automatically
4. Site is now fully HTTPS
**Manual (without plugin):**
Add to wp-config.php:
```php
define('FORCE_SSL_ADMIN', true);
```
And add to .htaccess:
```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
## 7. Make regular backups
Backups save you from hacks, crashes, or mistakes. You can restore everything in minutes.
**Backup strategy:**
**3-2-1 rule:**
- 3 copies of your data
- 2 different media (server + cloud)
- 1 offsite backup (external location)
**Backup frequency:**
- Database: daily (small, changes often)
- Files: weekly (larger, changes less)
- For webshops: multiple times per day
**Best backup plugins:**
**UpdraftPlus** (free/premium)
**Free features:**
- Complete site backups
- Automatic scheduling
- Store in cloud (Google Drive, Dropbox, OneDrive)
- 1-click restore
**Configure:**
1. Install UpdraftPlus
2. Settings > UpdraftPlus Backups
3. Files backup schedule: Weekly
4. Database backup schedule: Daily
5. Choose remote storage (Google Drive)
6. Authorize and test backup
**Premium version** (€70/year):
- Incremental backups (faster)
- Multisite support
- Priority support
- Migration tool
**BlogVault** (paid, €89/year)
- Daily automatic backups
- 365 days backup history
- Staging environment included
- Malware scanning
- 1-click restore
**BackupBuddy** (€80/year)
- Complete backups + database only options
- Migration tool included
- Backup to Stash (own cloud)
**Test your backups:**
Do a test restore on a staging environment once per quarter. A backup that doesn't restore is useless.
## 8. Secure wp-config.php and .htaccess
These files contain sensitive configuration and database credentials.
**Protect wp-config.php:**
Add to .htaccess (in root folder):
```apache
# Restrict the rule to wp-config.php; without the <Files> block it would deny the whole site.
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
# Apache 2.4 without mod_access_compat: use "Require all denied" instead of the two order/deny lines.
```
**Or move wp-config.php one folder up** (outside public_html):
WordPress automatically looks one level up if the file is not in the root folder.
**Protect .htaccess:**
Add to .htaccess:
```apache
# Restrict the rule to .htaccess itself; without the <Files> block it would deny the whole site.
<Files .htaccess>
    order allow,deny
    deny from all
</Files>
```
**Change database prefix:**
Default prefix is "wp_" - predictable for SQL injection attacks.
During installation: change to something random like "k8m3_"
**After installation:**
Use "Change DB Prefix" plugin or manually via phpMyAdmin (advanced).
## 9. Disable file editing in dashboard
By default WordPress lets admins edit plugin and theme files from the dashboard. If a hacker gets admin access, they can easily inject backdoors this way.
**Disable file editing:**
Add to wp-config.php:
```php
define('DISALLOW_FILE_EDIT', true);
```
Now "Edit" option is gone from Plugins and Appearance menus.
For changes, use FTP/SFTP instead.
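Sections 2, 6, 8 and 9 all come down to a handful of settings in wp-config.php. The following audit script, added here as an example and not part of the original guide, checks a wp-config.php body for those settings: the three `define()` constants and a non-default `$table_prefix`. The sample config, the function names and the expected values are my own (the guide sets all three constants to `true`).

```python
import re
from pathlib import Path

# Constructed sample wp-config.php (not a real site): default prefix, file editing still allowed.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', false);
"""

# Constants this guide tells you to set (sections 2, 6 and 9) and the value it expects.
EXPECTED_CONSTANTS = {
    "WP_AUTO_UPDATE_CORE": "true",
    "FORCE_SSL_ADMIN": "true",
    "DISALLOW_FILE_EDIT": "true",
}

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def audit_wp_config(text: str) -> list:
    """Return a list of findings for a wp-config.php body; an empty list means nothing to fix."""
    # Ignore commented-out lines so a disabled define() is not mistaken for an active one.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(("//", "#")))
    findings = []
    defined = {name: value.strip() for name, value in DEFINE_RE.findall(text)}
    for name, wanted in EXPECTED_CONSTANTS.items():
        actual = defined.get(name)
        if actual is None:
            findings.append(f"{name} is not defined; add define('{name}', {wanted});")
        elif actual.lower() != wanted:
            findings.append(f"{name} is {actual}, expected {wanted}")
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("$table_prefix not found")
    elif m.group(1) == "wp_":
        findings.append("$table_prefix is the default 'wp_' (section 8: use a random prefix)")
    return findings


def audit_wp_config_file(path: str) -> list:
    """Audit a wp-config.php on disk (hypothetical helper name)."""
    return audit_wp_config(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("-", finding)
```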
## 10. Implement Web Application Firewall (WAF)
A WAF filters malicious traffic before it reaches your website.
**Types of firewalls:**
**Plugin-based firewall:**
- Wordfence, iThemes Security
- Runs on your server
- Free but uses server resources
**Cloud-based firewall:**
- Sucuri, Cloudflare
- Traffic goes through their servers first
- Faster and no server load
- Paid (Sucuri) or free (Cloudflare)
**Set up Cloudflare WAF (free):**
1. Create free Cloudflare account
2. Add your domain
3. Update nameservers at domain provider
4. Firewall rules automatically active
5. Customize rules under Security > WAF
**Cloudflare security settings:**
- Security Level: Medium (or High during attacks)
- Challenge Passage: 30 minutes
- Browser Integrity Check: On
**Sucuri Firewall** (€200/year):
- Professional WAF
- DDoS mitigation
- Malware cleanup guarantee
- CDN included
## 11. Secure WordPress directory permissions
Wrong file permissions let hackers modify files.
**Correct permissions:**
Folders: 755
Files: 644
wp-config.php: 440 or 400
**Set permissions via FTP:**
1. Connect via FileZilla or other FTP client
2. Right-click on wp-content folder
3. File permissions > 755 > Apply to directories recursively
4. Right-click again > File permissions > 644 > Apply to files recursively
5. wp-config.php separately: permissions 440
**Via SSH (if you have access):**
```bash
# Folders 755, files 644, then tighten wp-config.php separately (run from any directory)
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
chmod 440 /path/to/wordpress/wp-config.php
```
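Before running the chmod commands above it helps to see what is actually wrong. This audit, added here as an example and not part of the original guide, walks a WordPress tree and lists every folder or file whose mode differs from the 755/644/440 scheme in this section, then prints the matching chmod commands. The temp-dir sample tree, its deliberately wrong modes and the function names are my own.

```python
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODE = 0o644
EXPECTED_CONFIG_MODES = (0o440, 0o400)   # wp-config.php may be either


def audit_permissions(root: str) -> list:
    """Walk a WordPress tree; return sorted (relative path, actual mode, expected mode) mismatches."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = Path(dirpath) / name
            mode = stat.S_IMODE(p.lstat().st_mode)
            if not p.is_symlink() and mode != EXPECTED_DIR_MODE:
                findings.append((str(p.relative_to(root_path)), oct(mode), oct(EXPECTED_DIR_MODE)))
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            mode = stat.S_IMODE(p.lstat().st_mode)
            if Path(dirpath) == root_path and name == "wp-config.php":
                if mode not in EXPECTED_CONFIG_MODES:
                    findings.append((str(p.relative_to(root_path)), oct(mode), "0o440"))
            elif mode != EXPECTED_FILE_MODE:
                findings.append((str(p.relative_to(root_path)), oct(mode), oct(EXPECTED_FILE_MODE)))
    return sorted(findings)


def fix_commands(root: str, findings) -> list:
    """Translate findings into the chmod commands from this section (review before running)."""
    return [f"chmod {expected[2:]} {os.path.join(root, rel)}" for rel, _, expected in findings]


def build_sample_tree() -> str:
    """Constructed sample install in a temp dir with three deliberately wrong modes."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php\n")
    (root / "index.php").write_text("<?php\n")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"")
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "index.php", 0o644)
    os.chmod(root / "wp-content" / "uploads", 0o777)                # wrong: world-writable folder
    os.chmod(root / "wp-content" / "uploads" / "photo.jpg", 0o666)  # wrong: world-writable file
    os.chmod(root / "wp-config.php", 0o644)                         # wrong: should be 440 or 400
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for cmd in fix_commands(sample, audit_permissions(sample)):
        print(cmd)
```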
## 12. Disable XML-RPC if you don't use it
XML-RPC is an API often abused for brute force attacks.
**Check XML-RPC:**
Go to: yoursite.com/xmlrpc.php
If you see a page with "XML-RPC server accepts POST requests only" - it's active.
**Disable XML-RPC:**
**Disable XML-RPC plugin** (free):
Simple: install, activate, done.
**Manually via .htaccess:**
```apache
# Restrict the rule to xmlrpc.php; without the <Files> block it would deny the whole site.
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>
```
**Note:** Jetpack and mobile apps use XML-RPC. Only disable if you don't use these.
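Whether you limit attempts with a plugin (section 4) or block xmlrpc.php (this section), the web server access log is where you confirm the attacks are happening. The detector below, added here as an example and not part of the original guide, applies the same "5 attempts in 60 minutes" rule section 4 configures in Wordfence to combined-format log lines. The sample log lines use TEST-NET addresses and are constructed; the function names are my own. It relies on one WordPress behaviour: a failed wp-login.php POST re-renders the form with HTTP 200, while a successful login redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def is_login_attempt(method: str, path: str, status: int) -> bool:
    """Failed wp-login.php POSTs answer 200 (success is a 302); xmlrpc.php answers 200 to
    every request, so each POST to it counts as an attempt."""
    if method != "POST":
        return False
    path = path.split("?", 1)[0]
    if path.endswith("/wp-login.php"):
        return status == 200
    return path.endswith("/xmlrpc.php")


def find_brute_force(lines, max_attempts=5, window=timedelta(minutes=60)) -> dict:
    """Return {ip: timestamp} for each IP that reaches max_attempts attempts within window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_login_attempt(m["method"], m["path"], int(m["status"])):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell outside the sliding window
            q.popleft()
        if len(q) >= max_attempts and m["ip"] not in flagged:
            flagged[m["ip"]] = ts   # the moment a login limiter would lock this IP out
    return flagged


# Constructed sample log: a password-guessing client (203.0.113.7), an XML-RPC burst
# (203.0.113.9), one legitimate login (302) and one plain GET of the login form.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2025:10:00:01 +0100] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2025:10:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2025:10:00:31 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2025:10:01:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2025:10:01:40 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2025:10:02:20 +0100] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [11/Dec/2025:10:03:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2025:10:04:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.9 - - [11/Dec/2025:10:04:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.9 - - [11/Dec/2025:10:04:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.9 - - [11/Dec/2025:10:04:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
203.0.113.9 - - [11/Dec/2025:10:04:04 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
"""
```

Feed it your real log with `find_brute_force(open("/var/log/apache2/access.log"))` and compare the flagged IPs against the lockouts Wordfence reports.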
## 13. Monitor your website for malware
Even with all security measures a new vulnerability can hit you. Monitor regularly.
**Malware scanning tools:**
**Wordfence scan** (built-in):
- Daily automatic scans
- Compares core files with official repository
- Detects backdoors, malware, spam injections
**Sucuri SiteCheck** (free online):
1. Go to sitecheck.sucuri.net
2. Enter your URL
3. Scan shows malware, blacklist status, SSL issues
**Google Search Console:**
- Free tool
- Warns about malware or hacked content
- Setup on search.google.com/search-console
**MalCare** (paid, €99/year):
- Daily malware scans
- Auto-cleanup when detected
- Firewall included
**What to do when malware detected:**
1. **Take site offline** (maintenance mode)
2. **Change all passwords** (WordPress, hosting, database, FTP)
3. **Scan local computer** for malware (possibly stolen FTP credentials)
4. **Restore from clean backup** (if recent available)
5. **Or use cleanup service:**
- Sucuri (€200-€500)
- Wordfence Response Team (€490)
6. **Update everything** after cleanup
7. **Improve security** to prevent recurrence
## 14. Hardening measures
Extra security measures for optimal protection.
**Disable directory browsing:**
Add to .htaccess:
```apache
Options -Indexes
```
Now hackers can't browse through your folders at: yoursite.com/wp-content/uploads/
**Hide WordPress version:**
Add to functions.php:
```php
remove_action('wp_head', 'wp_generator');
```
Hackers no longer see which WordPress version you're running.
**Change database table prefix:**
During installation: change "wp_" to "xk9_" or random prefix.
After installation: use plugin or manually via phpMyAdmin.
**Disable PHP execution in uploads folder:**
Add .htaccess in /wp-content/uploads/:
```apache
# Only block .php files; a bare "deny from all" would also block every uploaded image.
<FilesMatch "\.php$">
    deny from all
</FilesMatch>
```
Hackers can't execute scripts even if they upload files.
## 15. Choose secure WordPress hosting
Cheap shared hosting shares server with hundreds of sites. If one gets hacked, you're also at risk.
**Secure hosting features:**
- Malware scanning
- Automatic backups
- Server-level firewall
- DDoS protection
- Isolated accounts (shared server, isolated files)
- Automated WordPress updates
- SSL certificates included
**Safest WordPress hosting providers:**
**Antagonist** (€15/month)
- Managed WordPress security
- Malware scanning and removal
- Automatic backups
- DDoS protection
- [View Antagonist](/en/providers/antagonist)
**TransIP** (€4.95/month)
- Free SSL
- Daily backups
- DDoS protection
- [View TransIP](/en/providers/transip)
[Compare secure WordPress hosting](/en/wordpress/hosting)
## Frequently asked questions about WordPress security
**Is WordPress secure?**
WordPress core is very secure. Most hacks come from weak passwords, outdated plugins, or bad hosting. With proper security measures WordPress is extremely secure.
**What does WordPress security cost?**
Basic security is free (plugins, updates, strong passwords). Premium: Wordfence Premium €99/year, backup service €70-100/year, premium hosting €10-20/month extra. Total €200-400/year for complete protection.
**How do I know if my WordPress is hacked?**
Signs: site loads slowly, strange redirects, unknown admin users, Google blacklist warning, spam content on your site. Check with Wordfence scan or Sucuri SiteCheck.
**Can I secure my WordPress site myself or do I need an expert?**
This guide gives you everything you need. Basic security measures are easy to implement. For advanced security or after a hack an expert can help.
**Which security plugin is best?**
Wordfence (free) offers most features and is user-friendly. iThemes Security is good alternative. For enterprise: Sucuri firewall (paid, €200/year).
## Practical security checklist
**Implement immediately (1-2 hours):**
- [ ] Install Wordfence Security
- [ ] Change admin password to 20+ random characters
- [ ] Enable 2FA on admin account
- [ ] Install SSL certificate
- [ ] Set up UpdraftPlus backups (daily)
- [ ] Run first malware scan
**This week (3-4 hours):**
- [ ] Update WordPress, plugins, themes
- [ ] Enable automatic updates
- [ ] Limit login attempts
- [ ] Change admin username
- [ ] Hide login page with WPS Hide Login
- [ ] Disable file editing (wp-config.php)
- [ ] Test backup restore
**Advanced hardening (optional, 2-3 hours):**
- [ ] Implement Cloudflare WAF
- [ ] Fix file permissions (755/644)
- [ ] Disable XML-RPC
- [ ] Set up Google Search Console monitoring
- [ ] Change database prefix
- [ ] Consider hosting upgrade
**Monthly maintenance:**
- [ ] Run malware scan
- [ ] Check for plugin/theme updates
- [ ] Review security logs in Wordfence
- [ ] Test backup restore (quarterly)
- [ ] Check Google Search Console for issues
**After hack (emergency procedure):**
1. Site offline (maintenance mode)
2. Change all passwords
3. Scan local computer for malware
4. Restore from clean backup OR hire cleanup service
5. Update everything to latest versions
6. Implement all security measures from this guide
7. Monitor extra intensively first months
**More information:**
- [Choose secure WordPress hosting](/en/best-wordpress-hosting)
- [Make automatic backups](/en/wordpress/backups)
- [WordPress knowledge base](/en/knowledge-base)
Your WordPress website is now maximally secured against hackers and malware. Sleep tight!