WordPress Security Guide 2024

In this WordPress Security Guide we have put together a huge collection of secure activities you can build to protect your WordPress.

Is WordPress Secure?

Short answer: yes. But let’s dig into more details as there are things you can do to improve the security of your WordPress installation and prevent attacks and vulnerabilities from affecting your company website, e-commerce shop, or blog.

If you’re a Neoxea customer, many of the steps required to better protect your WordPress are present out of the box with our WordPress Hosting services.

WordPress usually gets a bad reputation for being prone to security vulnerabilities and not being a safe platform to use for a business website. Most of the time is due to the fact that users ignore security best practices.

Outdated WordPress core installation, theme, plugins, user/credentials/authentication management, poor server administration, and lack of security knowledge open ways for hacking practices every single day.

WordPress powers over ~40% of all websites on the internet, and with thousands of themes and plugins available, it’s not surprising that vulnerabilities exist and are constantly being discovered.

WordPress Vulnerabilities

Backdoors

The aptly named backdoor vulnerability provides hackers with hidden passages bypassing security encryption to gain access to WordPress websites via abnormal methods – wp-Admin, SFTP, FTP, etc. Once exploited, backdoors enable hackers to wreak havoc on hosting servers with cross-site contamination attacks – compromising multiple sites hosted on the same server. In Q3 2017 Sucuri reported that backdoors continue to be one of the many post-hack actions attackers take, with 71% of the infected sites having some form of backdoor injection.

Backdoors are often encrypted to appear like legitimate WordPress system files, and make their way through to WordPress databases by exploiting weaknesses and bugs in outdated versions of the platform. The TimThumb fiasco was a prime example of backdoor vulnerability exploiting shady scripts and outdated software compromising millions of websites.

Fortunately, prevention and cure of this vulnerability are fairly simple. You can scan your WordPress site with tools like SiteCheck which can easily detect common backdoors. Two-factor authentication, blocking IPs, restricting admin access, and preventing unauthorized execution of PHP files easily take care of common backdoor threats, which we will go into more below. Canton Becker also has a great post on cleaning up the backdoor mess on your WordPress installations.

Pharma Hacks

The Pharma Hack exploit is used to insert rogue code in outdated versions of WordPress websites and plugins, causing search engines to return ads for pharmaceutical products when a compromised website is searched for. The vulnerability is more of a spam menace than traditional malware but gives search engines enough reason to block the site on accusations of distributing spam.

Moving parts of a Pharma Hack include backdoors in plugins and databases, which can be cleaned up following the instructions from this Sucuri blog.

However, the exploits are often vicious variants of encrypted malicious injections hidden in databases and require a thorough clean-up process to fix the vulnerability. Nevertheless, you can easily prevent Pharma Hacks by using recommend WordPress hosting providers with up-to-date servers and regularly updating your WordPress installations, themes, and plugins.

Brute-force Login Attempts

Brute-force login attempts use automated scripts to exploit weak passwords and gain access to your site.

Two-step authentication, limiting login attempts, monitoring unauthorized logins, blocking IPs, and using strong passwords are some of the easiest and highly effective ways to prevent brute-force attacks. But unfortunately, a number of WordPress website owners fail to perform these security practices whereas hackers are easily able to compromise as much as 30,000 websites in a single day using brute-force attacks.

Malicious Redirects

Malicious redirects create backdoors in WordPress installations using FTP, SFTP, wp-admin, and other protocols and inject redirection codes into the website.

The redirects are often placed in your .htaccess file and other WordPress core files in encoded forms, directing the web traffic to malicious sites. We will go through some ways you can prevent these in our WordPress security steps below.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is when a malicious script is injected into a trusted website or application. The attacker uses this to send malicious code, typically browser-side scripts, to the end-user without them knowing it. The purpose is usually to grab cookie or session data or perhaps even rewrite HTML on a page.

According to WordFence, Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins by a significant margin.

Denial of Service

Also, known as DOS, it’s the most dangerous of them all, Denial of Service (DoS) vulnerability exploits errors and bugs in the code to overwhelm the memory of website operating systems. Hackers have compromised millions of websites and raked in millions of dollars by exploiting outdated and buggy versions of WordPress software with DoS attacks.

Although financially motivated cybercriminals are less likely to target small companies, they tend to compromise outdated vulnerable websites in creating botnet chains to attack large businesses.

Even the latest versions of WordPress software cannot comprehensively defend against high-profile DoS attacks, but will at least help you to avoid getting caught in the crossfire between financial institutions and sophisticated cybercriminals. And don’t forget about October 21st, 2016. This was the day the internet went down due to a DNS DDoS attack. Read more about why it is important to use a premium DNS provider to increase your WordPress security.

WordPress Security Guide

According to internet live stats over 100,000 websites are hacked every day.

That’s why it’s so important to take some time and go through the following recommendations below on how to better harden your WordPress security.

Invest in Secure WordPress Hosting

When it comes to WordPress security, there is much more than just locking down your site, although we’ll give you the best recommendations on how to do that below. There is also web server-level security for which your WordPress host is responsible. We take security very seriously here at Neoxea and handle a lot of these issues for our clients.

It’s very important that you choose a host that you can trust with your business. Or if you are hosting WordPress on your own VPS, then you need to have the technical knowledge to do these things yourself. And to be honest, trying to be a sysadmin to save $20/month is a bad idea.

Server hardening is the key to maintaining a thoroughly-secure WordPress environment. It takes multiple layers of hardware and software level security measures to ensure the IT infrastructure hosting WordPress sites is capable of defending against sophisticated threats, both physical and virtual.

For this reason, servers hosting WordPress should be updated with the latest operating system and (security) software as well as thoroughly tested and scanned for vulnerabilities and malware.

Server-level firewalls and intrusion detection systems should be in place before installing WordPress on the server to keep it well-protected even during the WordPress installation and website construction phases. However, every software installed on the machine intended to protect WordPress content should be compatible with the latest database management systems to maintain optimal performance. The server should also be configured to use secure networking and file transfer encryption protocols (such as SFTP instead of FTP) to hide away sensitive content from malicious intruders.

Use Latest PHP Version

PHP is the backbone of your WordPress site and so using the latest version on your server is very important. Each major release of PHP is typically fully supported for two years after its release. During that time, bugs and security issues are fixed and patched on a regular basis. As of right now, anyone running on version PHP 7.1 or below no longer has security support and is exposed to unpatched security vulnerabilities.

And guess what? According to the official WordPress Stats page, as of writing this, over 57% of WordPress users are still on PHP 5.6 or lower. If you combine this with PHP 7.0, a whopping 77.5% of users are currently using PHP versions that are no longer supported. That is scary!

Sometimes it does take businesses and developers time to test and ensure compatibility with their code, but they have no excuse to run on something without security support. Not to mention the huge performance impact running on older versions has.

Don’t know which version of PHP you are currently on? Most hosts typically include this in a header request on your site. A quick way to check is to run your site through Pingdom. Click into the first request and look for a X-Powered-By parameter. Typically this will show the version of PHP your web server is currently using. However, some hosts will remove this header due to security reasons. neoxea removes this header by default to keep your site safe.

Here at neoxea we only recommend using stable and supported versions of PHP, including 7.2, 7.3, 7.4, and 8.0, PHP 5.6, 7.0, and 7.1 have been phased out. You can even switch between PHP versions with a click of a button from within the cPanel Control Panel, PHP Select under the software category.

Always Use the Latest Version of WordPress, Plugins, and Themes

Another very important way to harden your WordPress security is to always keep it up to date. This includes WordPress core, plugins, and themes (both those from the WordPress repository and premium). These are updated for a reason, and a lot of times these include security enhancements and bug fixes. We recommend you to read our in-depth guide on how WordPress automatic updates work.

Unfortunately, millions of businesses out there running outdated versions of WordPress software and plugins, and still believe they’re on the right path to business success. They cite reasons for not updating such as “their site will break” or “core modifications will be gone” or “plugin X won’t work” or “they just don’t need the new functionality”.

In fact, websites break mostly because of bugs in older WordPress versions. Core modifications are never recommended by the WordPress team and expert developers who understand the risks involved. And WordPress updates mostly include must-have security patches along with the added functionality required to run the latest plugins.

Did you know that it has been reported that plugin vulnerabilities represent 55.9% of the known entry points for hackers? That is what WordFence found in a study where they interviewed over 1,000 WordPress site owners that had been victims of attacks. By updating your plugins you can better ensure that you aren’t one of these victims.

It is also recommended that you only install trusted plugins. The “featured” and “popular” categories in the WordPress repository can be a good place to start. Or download it directly from the developer’s website. We strongly discourage any use of nulled WordPress plugins and themes.

First off, you never know what the modified code might contain. This can easily end up in your site getting hacked. Not paying for premium WordPress plugins also doesn’t help the community grow as a whole. We need to support developers.

Here’s how to properly delete a WordPress theme.

You can use an online tool like VirusTotal to scan a plugin or theme’s files to see if it detects any type of malware.

How to Update WordPress Core

There are a couple of easy ways to update your WordPress installation. If you are a neoxea customer we provided automatic backups with a one-click restore option. This way you can test new versions of WordPress and plugins without having to worry about it breaking anything. Or you could also the first test in our staging environment.

To update WordPress core you can click on “Updates” in your WordPress dashboard and click on the “Update Now” button.

You can also update WordPress manually by downloading the latest version and uploading it via SFTP.

Important! Overwriting the wrong folders could break your site if not done correctly. If you are not comfortable doing this, please check with a developer first.

Follow the steps below to update your existing installation:

1. Delete the old wp-includes and wp-admin directories.
2. Upload the new wp-includes and wp-admin directories.
3. Upload the individual files from the new wp-content folder to your existing wp-content folder, overwriting existing files. Do NOT delete your existing wp-content folder. Do NOT delete any files or folders in your existing wp-content directory (except for the one being overwritten by new files).
4. Upload all new loose files from the root directory of the new version to your existing WordPress root directory.

How to Update WordPress Plugins

Updating your WordPress plugins is a very similar process to updating WordPress core. Click into “Updates” in your WordPress dashboard, select the plugins you want to update, and click on “Update Plugins.”

Likewise, you can also update a plugin manually. Simply grab the latest version from the plugin developer or WordPress repository and upload it via FTP, overwriting the existing plugin within the /wp-content/plugins directory.

It’s also important to note that developers don’t always keep their plugins up to date. The team over at WP Loop did a great little analysis of just how many WordPress plugins in the repository aren’t up to date with the current WordPress core. According to their research, nearly 50% of the plugins in the repository have not been updated in over 2 years.

This doesn’t mean the plugin won’t work with the current version of WordPress, but it’s recommended that you choose plugins that are actively updated. Out of date plugins are more likely to contain security vulnerabilities.

Use your best judgment when it comes to plugins. Look at the “Last Updated” date and how many ratings a plugin has. As seen in the example below, this one is out of date and has bad reviews so we would most likely recommend staying away from it. WordPress also has a warning at the top of most plugins that haven’t been updated in a while.

There are also a lot of resources out there to help you stay on top of the latest WordPress security updates and vulnerabilities. See some of them below:

• WP Security Bloggers: An awesome aggregated resource of 20+ security feeds.
• WPScan Vulnerability Database: Catalogs over 10,000 WordPress Core, Plugin and Theme vulnerabilities.
• ThreatPress: Daily updated database of WordPress plugins, themes, and WordPress core vulnerabilities.
• Official WordPress Security Archive

Authentication and Permissions

Use Strong Usernames and Passwords

Surprisingly one of the best ways to harden your WordPress security is to simply use strong usernames and passwords. Sounds pretty easy right? Well, check out SplashData’s 2019 annual list of the most popular passwords stolen throughout the year (sorted in order of popularity).

• 123456
• password
• 123456789
• 12345678
• 12345
• 111111
• 1234567
• sunshine
• qwerty
• iloveyou

That is right! The most popular password is “123456”, followed by an astonishing “password”. That is one reason why here at neoxea on new WordPress installs we actually force a complex password to be used for your wp-admin login (as seen below on our one-click install process). This is not optional.

The core WordPress wp_hash_password function uses the phpass password hashing framework and eight passes of MD5-based hashing.

Some of the best security starts from the basics. Google has some great recommendations on how to choose a strong password. Or you can use an online tool like Strong Password Generator. You can learn more about here how you can change your WordPress password.

It is also important to use different passwords for every website. The best way to store them is locally in an encrypted database on your computer. A good free tool for this is KeePass. If you don’t want to go down this route there are also online password managers such as 1Password or LastPass. Even though your data is hosted securely in the cloud, these are generally safer since you aren’t using the same password across multiple sites. It also keeps you from using sticky notes.

And as far as your WordPress install goes you should never use the default “admin” username. Create a unique WordPress username for the administrator account and delete the “admin” user if it exists. You can do this by adding a new user under “Users” in the dashboard and assigning it the “Administrator” profile (as seen below).

Once you assign the new account the administrator role you can go back and delete the original “Admin” user. Make sure that when you click on delete that you choose the “Attribute all content to” option and select your new administrator profile. This will assign the person as the author of those posts.

You can also rename your current admin username manually in phpMyAdmin with the following command. Make sure to backup your database before editing tables.

Lock Down Your WordPress Admin

Sometimes the popular strategy of WordPress security by obscurity is appropriately effective for an average online business and WordPress site. If you make it harder for hackers to find certain backdoors then you are less likely to be attacked. Locking down your WordPress admin area and login is a good way to beef up your security. Two great ways to do this is first by changing your default wp-admin login URL and also limiting login attempts.

How to Change Your WordPress Login URL

By default your WordPress site’s login URL is domain.com/wp-admin. One of the problems with this is that all of the bots, hackers, and scripts out there also know this. By changing the URL you can make yourself less of a target and better protect yourself against brute force attacks. This is not a fix-all solution, it is simply one little trick that can definitely help protect you.

To change your WordPress login URL we recommend using the free WPS Hide login plugin or the premium Perfmatters plugin. Both of the plugins have a simple input field. Just remember to pick something unique that won’t already be on a list that a bot or script might attempt to scan.

How to Limit Login Attempts

While the above solution of changing your admin login URL can help decrease the majority of the bad login attempts, putting a limit in place can also be very effective. The free Cerber Limit Login Attempts plugin is a great way to easily setup lockout durations, login attempts, and IP allowlists and denylists.

If you are looking for a more simple WordPress security solution, another great alternative is the free Login Lockdown plugin. Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. And it is completely compatible with the WPS Hide login plugin we mentioned above.

How to Add Basic HTTP Authentication (htpasswd protection)

Another way to lock down your admin is to add HTTP authentication. This requires a username and password before being able to even access the WordPress login page. Note: This generally shouldn’t be used on eCommerce sites or membership sites. But it can be a very effective way to prevent bots from hitting your site.

Apache

If you are using a cPanel host, you can enable password-protected directories from their control panel. To set it up manually, you will first need to create a .htpasswd file. You can use this handy generator tool. Then upload the file to a directory under your wp-admin folder, such as:

home/user/.htpasswds/public_html/wp-admin/htpasswd/

Then create a .htaccess file with the following code and upload it to your /wp-admin/ directory. Make sure you update the directory path and username.

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/htpasswd
AuthType basic
require user yourusername

The one caveat to doing it this way is that it will break AJAX (admin-ajax) on the front-end of your site. This is required by some third-party plugins. Therefore you will also need to add the following code to the above .htaccess file.

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Nginx

If you are running Nginx, you can also restrict access with HTTP basic authentication. Check out this tutorial.

Lockdown a URL path

If you’re using a web application firewall (WAF) such as Cloudflare or Sucuri, they also have ways to lock down a URL path. Essentially you can set up a rule so that only your IP address is able to access your WordPress admin login URL. Again, this generally shouldn’t be used on eCommerce sites or membership sites as they also rely on accessing your site’s back-end.

• Cloudflare has a lockdown URL feature in their Pro and higher accounts. You can set up a rule for any URL or path.
• Sucuri has a blocklist URL path feature. You could then allowlist your own IP.

Take Advantage of Two-Factor Authentication

And of course, we can’t forget two-factor authentication! No matter how secure your password is there is always a risk of someone discovering it. Two-factor authentication involves a two-step process in which you need not only your password to login but a second method. It is generally a text (SMS), phone call, or time-based one-time password (TOTP). In most cases, this is 100% effective in preventing brute force attacks on your WordPress site. Why? Because it is almost impossible that the attacker will have both your password and your cellphone.

There are really two parts when it comes to two-factor authentication. The first is your account and or dashboard that you have with your web hosting provider. If someone gets access to this they could change your passwords, delete your websites, change DNS records, and do all sorts of horrible things.

The second part of two-factor authentication pertains to your actual WordPress installation. For this there are a couple of plugins we recommend:

• Duo Two-Factor Authentication
• Google Authenticator
• Two Factor Authentication

Many of these have their own Authenticator Apps you can install on your phone:

• Android Duo Mobile App
• iPhone Duo Mobile App
• Android Google Authenticator App
• iPhone Google Authenticator App

After installing and configuring one of the above plugins, you will typically have an additional field on your WordPress login page to enter your security code. Or, with the Duo plugin, you first log in with your credentials and are then required to choose an authentication method, such as Duo Push, call, or passcode.

This method can easily be combined with changing your default login URL, which we went over earlier. So not only is your WordPress login URL something only you know, but it now requires extra authentication to get in.

Use HTTPS for Encrypted Connections – SSL Certificate

One of the most overlooked ways to harden your WordPress security is to install an SSL certificate and run your site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that allows your browser or web application to securely connect with a website.  A big misconception is that if you aren’t accepting credit cards that you don’t need SSL.

Well, let us explain a few reasons why HTTPS is important beyond just eCommerce. Many hosts, including Neoxea, offer free SSL certificates with Let’s Encrypt.

Security

Of course, the biggest reason for HTTPS is the added security, and yes this does pertain strongly to eCommerce sites. However, how important is your login information? For those of you running multi-author WordPress websites, if you are running over HTTP, every time a person logs in, that information is being passed to the server in plain text. HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. This way you can better prevent hackers and or a middle man from gaining access to your website.

So whether you have a blog, news site, agency, etc., they can all can benefit from HTTPS as this ensures nothing ever passes in plain text.

SEO

Google has officially said that HTTPS is a ranking factor. While it is only a small ranking factor, most of you would probably take any advantage you can get in SERPs to beat your competitors.

Trust and Credibility

According to a survey from GlobalSign, 28.9% of visitors look for the green address bar in their browser. And 77% of them are worried about their data being intercepted or misused online. By seeing that green padlock, customers will instantly have more peace of mind knowing that their data is more secure.

Referral Data

A lot of people don’t realize is that HTTPS to HTTP referral data is blocked in Google Analytics. So what happens to the data? Well, most of it is just lumped together with the “direct traffic” section. If someone is going from HTTP to HTTPS the referrer is still passed.

Chrome Warnings

As of July 24th, 2018, versions of Chrome 68 and higher started marking all non-HTTPS sites as “Not Secure.” Regardless of whether they collect data or not. This is why HTTPS is more important than ever!

This is especially important if your website gets a majority of its traffic from Chrome. You can look in Google Analytics under the Audience section in Browser & OS so see the percentage of traffic your WordPress site gets from Google Chrome. Google is making it a lot more clear to visitors that your WordPress website might not be running on a secured connection.

Performance

Because of a protocol called HTTP/2, a lot of times, those running properly optimized sites over HTTPS can even see speed improvements. HTTP/2 requires HTTPS because of browser support. The improvement in performance is due to a variety of reasons such as HTTP/2 being able to support better multiplexing, parallelism, HPACK compression with Huffman encoding, the ALPN extension, and server push.

And with TLS 1.3, HTTPS connections are even faster. Neoxea supports TLS 1.3 on all of our servers.

Re-thinking HTTPS now? Check out our in-depth WordPress HTTPS migration guide to get you up and going and learn more in our TLS vs SSL comparison.

To enforce a secure, encrypted connection between you and the server when logging in to and administering your site, add the following line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);