When it comes to WordPress security, there are a lot of things you tin can do to lock down your site to preclude hackers and vulnerabilities from affecting your ecommerce site or blog. The last thing you desire to happen is to wake upwardly one forenoon to discover your site in abattoir. So today we are going to be sharing a lot of tips, strategies, and techniques you tin can utilize to better your WordPress security and stay protected.

If you're a Kinsta client, y'all don't demand to worry about a lot of these, every bitwe offer gratuitous hack fixes!Simply even with this guarantee, you lot should e'er follow the best security practices.

Is your WordPress site secure? Check out these 19 ways to lock it downward and keep the hackers at bay. 🔒 Click to Tweet

Is WordPress Secure?

The first question you're probably wondering, is WordPress secure? For the most office, yep. However, WordPress usually gets a bad rap for being decumbent to security vulnerabilities and inherently not beingness a condom platform to use for a business. By and large this is due to the fact that users keep following industry-proven security worst-practices.

Using outdated WordPress software, nulled plugins, poor system administration, credentials management, and lack of necessary Web and security knowledge among not-techie WordPress users continue hackers on top of their cyber-crime game. Even manufacture leaders don't always utilize the all-time practices. Reuters was hacked considering they were using an outdated version of WordPress.

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to observe and/or maintain. What security is though is risk reduction, non chance elimination. It's nigh employing all the appropriate controls available to yous, within reason, that permit you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked. – WordPress Security Codex

Now, this is not to say vulnerabilities don't be. According to a Q3 2017 written report past Sucuri, a multi-platform security company, WordPress continues to pb the infected websites they worked on (at 83%). This is up from 74% in 2016.

WordPress security vulnerabilities
WordPress security vulnerabilities

WordPress powers over 43.0% of all websites on the cyberspace, and with hundreds of thousands of theme and plugin combinations out there, it'due south not surprising that vulnerabilities exist and are constantly being discovered. However, at that place is as well a dandy community effectually the WordPress platform, to ensure these things get patched ASAP. Every bit of 2022, the WordPress security team is made upwards of approximately 50 (up from 25 in 2017) experts including atomic number 82 developers and security researchers — about half are employees of Automattic and a number work in the spider web security field.

WordPress Vulnerabilities

Bank check out some of the dissimilar types of WordPress security vulnerabilities below.

  • Backdoors
  • Pharma Hacks
  • Creature-force Login Attempts
  • Malicious Redirects
  • Cross-site Scripting (XSS)
  • Denial of Service

Backdoors

The aptly named backstairs vulnerability provides hackers with subconscious passages bypassing security encryption to proceeds admission to WordPress websites via abnormal methods – wp-Admin, SFTP, FTP, etc. In one case exploited, backdoors enable hackers to wreak havoc on hosting servers with cantankerous-site contamination attacks – compromising multiple sites hosted on the same server. In Q3 2017 Sucuri reported that backdoors continue to exist one of the many post-hack actions attackers take, with 71%of the infected sites having some form of backdoor injection.

Malware family distribution
Malware family distribution

Backdoors are often encrypted to announced similar legitimate WordPress system files, and make their style through to WordPress databases by exploiting weaknesses and bugs in outdated versions of the platform. The TimThumb fiasco was a prime example of backdoor vulnerability exploiting shady scripts and outdated software compromising millions of websites.

Fortunately, prevention and cure of this vulnerability is fairly simple. You lot tin can browse your WordPress site with tools similar SiteCheck which tin easily detect common backdoors. Two-cistron authentication, blocking IPs, restricting admin admission and preventing unauthorized execution of PHP files hands takes care of common backdoor threats, which we will go into more below. County Becker also has a great post on cleaning upwards the backdoor mess on your WordPress installations.

Pharma Hacks

The Pharma Hack exploit is used to insert rogue lawmaking in outdated versions of WordPress websites and plugins, causing search engines to render ads for pharmaceutical products when a compromised website searched for. The vulnerability is more of a spam menace than traditional malware, but gives search engines plenty reason to block the site on accusations of distributing spam.

Moving parts of a Pharma Hack include backdoors in plugins and databases, which can exist cleaned up following the instructions from this Sucuri web log. However, the exploits are ofttimes cruel variants of encrypted malicious injections hidden in databases and require a thorough clean-up process to ready the vulnerability. Nevertheless, y'all can easily forestall Pharma Hacks by using recommend WordPress hosting providers with upwardly to date servers and regularly updating your WordPress installations, themes, and plugins. Hosts similar Kinsta also offer free hack fixes.

Animate being-force Login Attempts

Brute-strength login attempts use automated scripts to exploit weak passwords and gain access to your site. 2-step authentication, limiting login attempts, monitoring unauthorized logins, blocking IPs and using stiff passwords are some of the easiest and highly constructive means to prevent brute-force attacks. But unfortunately, a number of WordPress website owners fail to perform these security practices whereas hackers are easily able to compromise as much as 30,000 websites in a unmarried twenty-four hours using brute-force attacks.

Malicious Redirects

Malicious redirects create backdoors in WordPress installations using FTP, SFTP, wp-admin, and other protocols and inject redirection codes into the website. The redirects are often placed in your .htaccess file and other WordPress core files in encoded forms, directing the web traffic to malicious sites. We volition go through some ways yous tin prevent these in our WordPress security steps below.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is when a malicious script is injected into a trusted website or application. The aggressor uses this to ship malicious code, typically browser-side scripts, to the finish user without them knowing it. The purpose is ordinarily to grab cookie or session information or peradventure fifty-fifty rewrite HTML on a page.

Co-ordinate to WordFence, Cross-Site Scripting vulnerabilities are the most mutual vulnerability found in WordPress plugins by a significant margin.

Denial of Service

Perhaps the about unsafe of them all, Deprival of Service (DoS) vulnerability exploits errors and bugs in the code to overwhelm the retentiveness of website operating systems. Hackers accept compromised millions of websites and raked in millions of dollars past exploiting outdated and buggy versions of WordPress software with DoS attacks. Although financially motivated cybercriminals are less probable to target modest companies, they tend to compromise outdated vulnerable websites in creating botnet chains to assail big businesses.

Fifty-fifty the latest versions of WordPress software cannot comprehensively defend against high-profile DoS attacks, but volition at to the lowest degree help you to avoid getting defenseless in the crossfire between financial institutions and sophisticated cybercriminals. And don't forget almost October 21st, 2016. This was the day the net went down due to a DNS DDoS assault. Read more about why it is important to use a premium DNS provider to increment your WordPress security.

WordPress Security Guide 2022

Co-ordinate to net live stats over 100,000 websites are hacked every twenty-four hours. ðŸ˜® That'due south why it's then important to accept some fourth dimension and get through the following recommendations below on how to better harden your WordPress security.

WordPress sites hacked every day
WordPress sites hacked every twenty-four hour period

Nosotros volition make sure to go along this post upwardly to date with relevant data equally things alter with the WordPress platform and new vulnerabilities sally.

  1. Secure WordPress Hosting
  2. Use Latest PHP Version
  3. Clever Usernames and Passwords
  4. Latest Versions
  5. Lock Down WordPress Admin
  6. Two-Factor Hallmark
  7. HTTPS – SSL Certificate
  8. Hardening wp-config.php
  9. Disable XML-RPC
  10. Hide WordPress Version
  11. HTTP Security Headers
  12. WordPress Security Plugins
  13. Database Security
  14. Secure Connections
  15. File and Server Permissions
  16. Disable Editing in Dashboard
  17. Forestall Hotlinking
  18. Always Have WordPress Backups
  19. DDoS Protection

1. Invest in Secure WordPress Hosting

When information technology comes to WordPress security, there is much more than just locking down your site, although we'll give you lot the best recommendations on how to do that below. There is also web server-level security for which your WordPress host is responsible. We take security very seriously hither at Kinsta and handle a lot of these problems for our clients.

Information technology'southward very important that you choose a host that you can trust with your business. Or if yous are hosting WordPress on your own VPS, and so you need to have the technical knowledge to practice these things yourself. And to be honest, trying to be a sysadmin to salvage $20/month is a bad idea.

Secure WordPress hosting
Secure WordPress hosting

Server hardening is the key to maintaining a thoroughly-secure WordPress environs. It takes multiple layers of hardware and software level security measures to ensure the IT infrastructure hosting WordPress sites is capable of defending confronting sophisticated threats, both physical and virtual.

For this reason, servers hosting WordPress should be updated with the latest operating system and (security) software likewise equally thoroughly tested and scanned for vulnerabilities and malware. A good example of this is when Kinsta had to patch NGINX for OpenSSL security vulnerabilities that were discovered.

Server-level firewalls and intrusion detection systems should be in place before installing WordPress on the server to continue it well-protected even during the WordPress installation and website construction phases. However, every software installed on the machine intended to protect WordPress content should exist compatible with the latest database management systems to maintain optimal operation. The server should as well be configured to use secure networking and file transfer encryption protocols (such as SFTP instead of FTP) to hide abroad sensitive content from malicious intruders.

Hither at Kinsta, we utilize Google Cloud Platform's fastest servers and premium tier network for all of our WordPress customers to ensure a fast and secure WordPress hosting experience. A big advantage of this is that it is built on a security model that has been congenital upon over the class of xv years, and currently secures products and services similar Gmail, Search, etc. Google currently employs more than than 500 full-time security professionals. All sites on Kinsta are besides protected by our free Cloudflare integration, which includes a secure enterprise-level firewall as well every bit costless DDoS protection.

Kinsta also uses Linux containers (LXC), and LXD to orchestrate them, on top of Google Cloud Platform which enables us to completely isolate not just each account, but each split WordPress site. Security is congenital into our compages from the beginning and this is a much more secure method than offered past other competitors.

Kinsta hosting architecture.
Kinsta hosting architecture.

ii. Employ Latest PHP Version

PHP is the courage of your WordPress site and and so using the latest version on your server is very important. Each major release of PHP is typically fully supported for ii years after its release. During that fourth dimension, bugs and security issues are fixed and patch on a regular ground. As of right now, anyone running on version PHP 7.1 or below no longer has security support and are exposed to unpatched security vulnerabilities.

Supported PHP Versions
Supported PHP Versions

And guess what? Co-ordinate to the official WordPress Stats folio, as of writing this, over57% of WordPress users arestill on PHP five.vi or lower. If you combine this with PHP vii.0, a whopping 77.5% of users are currently using PHP versions that is no longer supported. That is scary!

77.5% of WordPress users are currently using PHP versions that are no longer supported! 😮 Click to Tweet

Sometimes information technology does accept businesses and developers time to test and ensure compatibility with their lawmaking, but they take no excuse to run on something without security support. Not to mention the huge operation bear on running on older versions has.

WordPress PHP version Stats
WordPress PHP version Stats

Don't know which version of PHP you are currently on? Most hosts typically include this in a header request on your site. A quick fashion to check is to run your site through Pingdom. Click into the first asking and expect for a X-Powered-By parameter. Typically this will show the version of PHP your web server is currently using. However, some hosts will remove this header due to security reasons. Kinsta removes this header past default to proceed your site safe.

Check PHP version in Pingdom
Check PHP version in Pingdom

Here at Kinsta we only recommend using stable and supported versions of PHP, including vii.2, 7.3, and 7.4. PHP 5.6, seven.0, and seven.1 accept been phased out. You can even switch between PHP versions with a click of a button from within the MyKinsta dashboard.

Change to PHP 7.4.
Change to PHP 7.4.

If you are on a WordPress host that uses cPanel, you can commonly switch between PHP versions by clicking into "PHP Select" nether the software category.

cpanel php version
cPanel PHP version

iii. Use Clever Usernames and Passwords

Surprisingly ane of the all-time ways to harden your WordPress security is to just utilise clever usernames and passwords. Sounds pretty easy right? Well, check out SplashData'due south 2019 annual listing of the most popular passwords stolen throughout the year (sorted in order of popularity).

  • 123456
  • countersign
  • 123456789
  • 12345678
  • 12345
  • 111111
  • 1234567
  • sunshine
  • qwerty
  • iloveyou

That is right! The most popular password is "123456", followed by an astonishing "password". That is ane reason why here at Kinsta on new WordPress installs we actually forcefulness a complex password to exist used for your wp-admin login (as seen below on our one-click install process). This is non optional.

Force secure WordPress password
Force secure WordPress password

The core WordPress wp_hash_password part uses the phpass countersign hashing framework and eight passes of MD5-based hashing.

Some of the all-time security starts from the basics. Google has some great recommendations on how to choose a strong countersign. Or yous tin can utilize an online tool like Strong Password Generator. You can learn more well-nigh hither how you can change your WordPress password.

It is also important to apply different passwords for every website. The best way to store them is locally in an encrypted database on your computer. A good gratis tool for this is KeePass. If you don't want to become down this route there are also online password managers such equally 1Password or LastPass. Fifty-fifty though your data is hosted securely in the cloud, these are generally safer since you aren't using the same password beyond multiple sites. It too keeps y'all from using sticky notes. ðŸ˜‰

And as far as your WordPress install goes you should never use the default "admin" username. Create a unique WordPress username for the ambassador account and delete the "admin" user if it exists. You lot can exercise this by adding a new user under "Users" in the dashboard and assigning it the "Administrator" contour (equally seen below).

WordPress administrator role
WordPress administrator office

One time yous assign the new account the administrator function you can go back and delete the original "Admin" user. Make certain that when you click on delete that you cull the "Attribute all content to" choice and select your new administrator profile. This will assign the person every bit the author of those posts.

delete admin attribute all content to
Attribute all content to admin

You tin likewise rename your electric current admin username manually in phpMyAdmin with the following command. Make certain to backup your database earlier editing tables.

          UPDATE wp_users Ready user_login = 'newcomplexadminuser' WHERE user_login = 'admin';

4. Always Use the Latest Version of WordPress, Plugins, and Themes

Another very of import manner to harden your WordPress security is to e'er keep it upwards to date. This includes WordPress core, plugins, and themes (both those from the WordPress repository and premium). These are updated for a reason, and a lot of times these include security enhancements and bug fixes. We recommend you to read our in-depth guide on how WordPress automated updates work.

Keep WordPress up to date
Continue WordPress up to date

Unfortunately, millions of businesses out there running outdated versions of WordPress software and plugins, and still believe they're on the right path of business concern success. They cite reasons for non updating such as "their site will pause" or "core modifications will be gone" or "plugin X won't work" or "they just don't demand the new functionality".

In fact, websites break generally considering of bugs in older WordPress versions. Cadre modifications are never recommended past the WordPress squad and expert developers who understand the risks involved. And WordPress updates mostly include must-have security patches along with the added functionality required to run the latest plugins.

Did you lot know that information technology has been reported that plugin vulnerabilities represent 55.ix% of the known entry points for hackers? That is what WordFence found in a study where they interviewed over 1,000 WordPress site owners that had been victims of attacks. Past updating your plugins you can improve ensure that you aren't one of these victims.

hacked wordpress websites plugins
Hacked WordPress sites

It is besides recommended that you only install trusted plugins. The "featured" and "popular" categories in the WordPress repository tin be a good identify to first. Or download it straight from the programmer's website. We strongly discourage any use of nulled WordPress plugins and themes.

First off, you never know what the modified lawmaking might contain. This can easily end upwardly in your site getting hacked. Non paying for premium WordPress plugins besides doesn't aid the community grow every bit a whole. Nosotros demand to support developers.

Here's how to properly delete a WordPress theme.

Y'all can use an online tool like VirusTotal to browse a plugin or theme's files to see if it detects any type of malware.

VirusTotal
VirusTotal

How to Update WordPress Core

There are a couple easy ways to update your WordPress installation. If you lot are a Kinsta customer we provided automatic backups with a ane-click restore option. This way y'all can test new versions of WordPress and plugins without having to worry about information technology breaking annihilation. Or you lot could also first exam in our staging environs.

To update WordPress core you can click into "Updates" in your WordPress dashboard and click on the "Update Now" push button.

Update WordPress core
Update WordPress core

You lot tin also update WordPress manually by downloading the latest version and uploading it via SFTP.

Important! Overwriting the wrong folders could interruption your site if not washed correctly. If y'all are not comfortable doing this, please bank check with a programmer first.

Follow the steps beneath to update your existing installation:

  1. Delete the old wp-includes and wp-admin directories.
  2. Upload the new wp-includes and wp-admin directories.
  3. Upload the individual files from the new wp-content folder to your existing wp-content folder, overwriting existing files. Do NOT delete your existing wp-content binder. Do Not delete any files or folders in your existing wp-content directory (except for the one being overwritten by new files).
  4. Upload all new loose files from the root directory of the new version to your existing WordPress root directory.

How to Update WordPress Plugins

Updating your WordPress plugins is a very like process to updating WordPress core. Click into "Updates" in your WordPress dashboard, select the plugins you want to update, and click on "Update Plugins."

Update WordPress plugins
Update WordPress plugins

Too, yous can also update a plugin manually. But take hold of the latest version from the plugin programmer or WordPress repository and upload it via FTP, overwriting the existing plugin within the/wp-content/plugins directory.

Information technology'due south also of import to annotation that developers don't ever go along their plugins upwards to appointment. The squad over at WP Loop did a bang-up little analysis of only how many WordPress plugins in the repository aren't up to date with the current WordPress core. Co-ordinate to their research nearly 50% of the plugins in the repository have not been updated in over two years.

This doesn't mean the plugin won't work with the current version of WordPress, only information technology's recommended that you lot choose plugins that are actively updated. Out of date plugins are more likely to contain security vulnerabilities.

wordpress plugins not updated
img src: WP Loop

Use your best judgment when information technology comes to plugins. Look at the "Last Updated" date and how many ratings a plugin has. Equally seen in the case beneath, this ane is out of date and has bad reviews so we would most likely recommend staying away from it. WordPress besides has a warning at the superlative of well-nigh plugins that haven't been updated in a while.

Old WordPress plugin with bad ratings
Old WordPress plugin with bad ratings

In that location are likewise a lot of resources out there to assistance you lot stay on top of the latest WordPress security updates and vulnerabilities. See some of them below:

  • WP Security Bloggers: An awesome aggregated resource of 20+ security feeds.
  • WPScan Vulnerability Database: Catalogs over 10,000 WordPress Core, Plugin and Theme vulnerabilities.
  • ThreatPress: Daily updated database of WordPress plugins, themes, and WordPress core vulnerabilities.
  • Official WordPress Security Archive
WordPress security archive
WordPress security archive

5. Lock Down Your WordPress Admin

Sometimes the popular strategy of WordPress security by obscurity is accordingly effective for an average online business organization and WordPress site. If you brand it harder for hackers to find certain backdoors then you are less probable to be attacked. Locking downward your WordPress admin area and login is a expert manner to beef upwardly your security. Two great ways to practice this is first by irresolute your default wp-admin login URL and also limiting login attempts.

Security by obscurity can be an like shooting fish in a barrel and effective mode to beef up your WordPress security. 🔒 Click to Tweet

How to Alter Your WordPress Login URL

Past default your WordPress site's login URL is domain.com/wp-admin. One of the bug with this is that all of the bots, hackers, and scripts out there also know this. By irresolute the URL yous can make yourself less of a target and better protect yourself against brute force attacks. This is not a set up-all solution, it is simply one picayune play a joke on that can definitely help protect you.

To modify your WordPress login URL we recommend using the free WPS Hibernate login plugin or the premium Perfmatters plugin. Both of the plugins have a simple input field. Only recall to pick something unique that won't already be on a list that a bot or script might endeavour to browse.

Hide WordPress login URL with Perfmatters
Hide WordPress login URL with Perfmatters

How to Limit Login Attempts

While the above solution of irresolute your admin login URL can help decrease the majority of the bad login attempts, putting a limit in place can too be very effective. The complimentary Cerber Limit Login Attempts plugin is a great way to easily setup lockout durations, login attempts, and IP whitelists and blacklists.

limit login attempts wordpress
Limit login attempts in WordPress

If yous are looking for a more simple WordPress security solution, some other dandy culling is the free Login Lockdown plugin. Login LockDown records the IP accost and timestamp of every failed login try. If more than a certain number of attempts are detected inside a short catamenia of time from the aforementioned IP range, then the login function is disabled for all requests from that range. And it is completely compatible with the WPS Hide login plugin we mentioned above.

login lockdown wordpress
Lockdown WordPress

How to Add together Basic HTTP Authentication (htpasswd protection)

Some other way to lock down your admin is to add HTTP authentication. This requires a username and password before being able to even admission the WordPress login page. Note: This generally shouldn't be used on eCommerce sites or membership sites. But it tin be a very effective fashion to foreclose bots from hit your site.

.htpasswd authentication prompt
.htpasswd authentication prompt

Apache

If y'all are using a cPanel host, you tin can enable password protected directories from their control panel. To set it up manually, yous volition kickoff demand to create a.htpasswd file. You can apply this handy generator tool. Then upload the file to a directory under your wp-admin folder, such equally:

          home/user/.htpasswds/public_html/wp-admin/htpasswd/

Then create a .htaccess file with the following code and upload it to your /wp-admin/ directory. Brand sure you update the directory path and username.

          AuthName "Admins Only" AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/htpasswd AuthType basic require user yourusername

The one caveat to doing information technology this way is that it will break AJAX (admin-ajax) on the front-end of your site. This is required past some third-political party plugins. Therefore you will also demand to add the post-obit lawmaking to the above .htaccess file.

          <Files admin-ajax.php> Order allow,deny Permit from all Satisfy whatever </Files>

Nginx

If you are running Nginx, y'all can also restrict admission with HTTP basic authentication. Check out this tutorial.

If you host your WordPress site at Kinsta, you can utilise our easy password protection (htpasswd) tool in the MyKinsta dashboard. Y'all can observe it under the "Tools" section on your site. Simply click "Enable", choose a username and password, and you're good to go!

Enable .htpasswd protection
Enable .htpasswd protection

Later information technology'due south enabled your WordPress site volition then require authentication to admission it. You can change the credentials at any fourth dimension or disable it when you no longer need it.

Lockdown a URL path

If yous're using a web application firewall (WAF) such as Cloudflare or Sucuri, they likewise have ways to lockdown a URL path. Essentially you lot can prepare a rule so that simply your IP accost is able to admission your WordPress admin login URL. Again, this mostly shouldn't be used on eCommerce sites or membership sites as they likewise rely on accessing your site's dorsum-end.

  • Cloudflare has a lockdown URL feature in their Pro and higher accounts. Y'all can gear up a rule for any URL or path.
  • Sucuri has a blacklist URL path feature. You could then whitelist your own IP.

half-dozen. Have Advantage of 2-Gene Authentication

And of course, we can't forget ii-factor authentication! No matter how secure your countersign is there is always a risk of someone discovering it. Ii-factor authentication involves a two-step process in which you need not merely your password to login but a second method. Information technology is generally a text (SMS), phone telephone call, or time-based erstwhile password (TOTP). In near cases, this is 100% effective in preventing brute force attacks to your WordPress site. Why? Because information technology is almost impossible that the attacker will have both your countersign and your cellphone.

In that location are really two parts when it comes to two-factor authentication. The showtime is your business relationship and or dashboard that you have with your web hosting provider. If someone gets access to this they could change your passwords, delete your websites, modify DNS records, and all sorts of horrible things. We hither at Kinsta partnered up with Authy and accept two-factor authentication available for your MyKinsta dashboard.

The second part of ii-factor authentication pertains to your actual WordPress installation. For this there are a couple plugins we recommend:

  • Duo Ii-Gene Authentication
  • Google Authenticator
  • Two Cistron Authentication

Many of these have their own Authenticator Apps you tin can install on your phone:

  • Android Duo Mobile App
  • iPhone Duo Mobile App
  • Android Google Authenticator App
  • iPhone Google Authenticator App

After installing and configuring one of the above plugins, you will typically accept an additional field on your WordPress login page to enter your security code. Or, with the Duo plugin, you get-go log in with your credentials and are so required to cull an authentication method, such as Duo Button, call, or passcode.

This method can easily be combined with changing your default login URL, which we went over before. So not only is your WordPress login URL something only you know, only it now requires extra authentication to go in. ðŸ’ª

WordPress two-factor authenticator page
WordPress 2-cistron authenticator page

Then make certain to take reward of two-factor authentication, it can be an easy way to beef up your WordPress security.

Subscribe Now

seven. Use HTTPS for Encrypted Connections – SSL Certificate

One of the well-nigh overlooked ways to harden your WordPress security is to install an SSL certificate and run your site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that allows your browser or spider web application to securely connect with a website.  A big misconception is that if you aren't accepting credit cards that yous don't need SSL.

Well, allow us explain a few reasons why HTTPS is of import across just eCommerce. Many hosts, including Kinsta, offer free SSL certificates with Let'south Encrypt.

HTTPS encrypted connections
HTTPS encrypted connections

one. Security

Of course, the biggest reason for HTTPS is the added security, and yes this does pertain strongly to eCommerce sites. Even so, how important is your login information? For those of you running multi-author WordPress websites, if you are running over HTTP, every time a person logs in, that information is beingness passed to the server in plain text. HTTPS is absolutely vital in maintaining a secure connectedness between a website and a browser. This mode y'all can better prevent hackers and or a centre man from gaining access to your website.

So whether you accept a blog, news site, bureau, etc., they can all tin can benefit from HTTPS equally this ensures cipher always passes in plain text.

2. SEO

Google has officially said that HTTPS is a ranking factor. While information technology is merely a small ranking factor, most of yous would probably take any reward you can get in SERPs to vanquish your competitors.

3. Trust and Brownie

According to a survey from GlobalSign, 28.nine% of visitors look for the green address bar in their browser. And 77% of them are worried about their data being intercepted or misused online. Past seeing that green padlock, customers will instantly take more peace of heed knowing that their data is more than secure.

4. Referral Data

A lot of people don't realize is that HTTPS to HTTP referral data is blocked in Google Analytics. So what happens to the information? Well, most of information technology is merely lumped together with the "direct traffic" section. If someone is going from HTTP to HTTPS the referrer is still passed.

5. Chrome Warnings

As of July 24th, 2018, versions of Chrome 68 and higher started marking all non-HTTPS sites every bit "Not Secure." Regardless of whether they collect data or non. This is why HTTPS is more important than ever!

This is especially important if your website gets a bulk of its traffic from Chrome. Yous tin look in Google Analytics under the Audience section in Browser & Os so see the percentage of traffic your WordPress site gets from Google Chrome. Google is making it a lot more articulate to visitors that your WordPress website might not be running on a secured connection.

Chrome not secure website
Chrome not a secure website

6. Performance

Because of a protocol chosen HTTP/2, a lot of times, those running properly optimized sites over HTTPS can even see speed improvements. HTTP/2 requires HTTPS because of browser back up. The improvement in performance is due to a multifariousness of reasons such equally HTTP/2 being able to support ameliorate multiplexing, parallelism, HPACK pinch with Huffman encoding, the ALPN extension, and server push.

And with TLS 1.3, HTTPS connections are even faster. Kinsta supports TLS 1.3 on all of our servers and our Kinsta CDN.

Re-thinking HTTPS now? Cheque out our in-depth WordPress HTTPS migration guide to go you lot upward and going and learn more than in our TLS vs SSL comparision.

To enforce a secure, encrypted connection between you and the server when logging into and administering your site, add together the post-obit line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

(Suggested reading: if y'all're using legacy TLS versions, you might desire to fix ERR_SSL_OBSOLETE_VERSION Notifications in Chrome).

8. Harden Your wp-config.php file

Your wp-config.php file is like the heart and soul of your WordPress installation. It is past far the about important file on your site when it comes to WordPress security. It contains your database login information and security keys which handle the encryption of information in cookies. Beneath are a couple things you can do to better protect this important file.

1. Move wp-config.php

By default, your wp-config.php file resides in the root directory of your WordPress installation (your/public HTML folder). Simply you tin can move this to a not-www accessible directory. Aaron Adams wrote up a great caption of why this is benign.

To motility your wp-config.php file but copy everything out of information technology into a different file. And so in your wp-config.php file you can identify the following snippet to only include your other file. Annotation: the directory path might be different based on your spider web host and setup. Typically though it is simply one directory above.

<?php include('/habitation/yourname/wp-config.php');

Note: this won't work for Kinsta clients and will break functionality on our platform.This is considering our open_basedir restrictions don't allow execution of PHP above the ~/public directory for security reasons. The expert news is nosotros handle this for y'all! Nosotros practise effectively the same thing past blocking access to wp-login.php within the ~/public directory. Our default Nginx config includes a rule that volition return a 403 for whatsoever attempted admission of wp-config.php.

2. Update WordPress Security Keys

WordPress security keys are a set up of random variables that better encryption of information stored in the user's cookies. Since WordPress two.7 there have been four different keys: AUTH_KEY, SECURE_AUTH_KEY,LOGGED_IN_KEY, andNONCE_KEY.

When you lot install WordPress these are generated randomly for you. However, if you take gone through multiple migrations (check our curated listing of the best WordPress migration plugins) or purchased a site from someone else, it can be expert to create fresh WordPress keys.

WordPress actually has a free tool which you lot can use to generate random keys. You can update your current keys which are stored in your wp-config.php file.

WordPress security keys
WordPress security keys

Read more most WordPress security keys.

3. Change Permissions

Typically files in the root directory of a WordPress site will exist set to 644, which means that files are readable and writeable by the owner of the file and readable by users in the group owner of that file and readable by everyone else. According to the WordPress documentation, the permissions on the wp-config.php file should be set to 440 or 400 to forbid other users on the server from reading it. You can easily alter this with your FTP client.

wp-config.php permissions
wp-config.php permissions

On some hosting platforms, the permissions might need to be different because the user running the spider web server doesn't accept permission to write files. If you lot aren't sure near this, bank check with your hosting provider.

nine. Disable XML-RPC

In the past years XML-RPC has become an increasingly large target for brute force attacks. Every bit Sucuri mentioned, 1 of the hidden features of XML-RPC is that you tin can use the system.multicall method to execute multiple methods inside a single request. That'southward very useful equally it allow application to pass multiple commands within one HTTP request. But what also happens is that information technology is used for malicious intent.

In that location are a few WordPress plugins like Jetpack that rely on XML-RPC, only a bulk of people out there won't need this and it tin can be benign to simply disable access to information technology. Not certain if XML-RPC is currently running on your website? Danilo Ercoli, from the Automattic team, wrote a lilliputian tool chosen the XML-RPC Validator. You can run your WordPress site through that to see if it has XML-RPC enabled. If it isn't, you will see a failure message such as shown in the image below on the Kinsta blog.

check wordpress xml-rpc
WordPress XML-RPC validator

To disable this completely you lot can install the free Disable XML-RPC plugin. Or you can disable it with the premium perfmatters plugin, which also contains spider web performance improvements.

If you are a customer here at Kinsta this is not needed because when an set on through XML-RPC is detected a little snippet of code is added into the NGINX config file to stop them in their tracks – producing a 403 error.

          location ~* ^/xmlrpc.php$ { render 403; }

10. Hibernate Your WordPress Version

Hiding your WordPress version touches once again on the subject of WordPress security by obscurity. The less other people know nearly your WordPress site configuration the better. If they come across you are running an out of date WordPress installation, this could be a welcome sign to intruders. By default, the WordPress version shows up in the header of your site'southward source code. Once more, nosotros recommend simply making certain your WordPress installation is always upward to date so you don't have to worry about this.

wordpress version source code
WordPress version in source code

Y'all can use the following lawmaking to remove this. Simply add it to your WordPress theme's functions.php file.

Important! Editing the source code of a WordPress theme could pause your site if not done correctly. If you are non comfortable doing this, please check with a developer first.

function wp_version_remove_version() { return ''; } add_filter('the_generator', 'wp_version_remove_version');

Yous could also utilize a premium plugin similar perfmatters (developed by a squad member at Kinsta), which allows you to hide the WordPress version with 1-click, along with other optimizations for your WordPress site.

Hide WordPress version with Perfmatters
Hibernate WordPress version with Perfmatters

Another place where the WordPress version shows up is in the default readme.html file (every bit shown beneath) that is included in every WordPress version. It is located in the root of your installation, domain.com/readme.html. You tin can safely delete this file via FTP.

wordpress version readme
WordPress version in readme file

If you're running WordPress 5.0 or higher this is no longer applicable every bit the version number is no longer included in the file.

11. Add together Latest HTTP Security Headers

Another footstep you can take to harden your WordPress security is to take reward of HTTP security headers. These are usually configured at the web server level and tell the browser how to behave when handling your site's content. There are a lot of different HTTP security headers, only below are typically the most important ones.

  • Content-Security Policy
  • X-XSS-Protection
  • Strict-Transport-Security
  • X-Frame-Options
  • Public-Key-Pins
  • X-Content-Type

KeyCDN has a smashing in-depth post if you lot want to read more well-nigh HTTP security headers.

You lot can check which headers are currently running on your WordPress site by launching Chrome devtools and looking at the header on your site's initial response. Beneath is an example on kinsta.com. You can see nosotros are utilizing the strict-transport-security, x-content-type, and x-frame-options headers.

HTTP security headers
HTTP security headers

You can also browse your WordPress website with the free securityheaders.io tool by Scott Helme. This volition show you which HTTP security headers you currently have on your site. If you lot aren't sure how to implement them you lot can always ask your host if they tin help.

http security headers scan
HTTP security headers scan

Note: It is likewise of import to recollect that when y'all implement HTTP security headers how it might affect your WordPress subdomains. For example, if you add the Content Security Policy header and restrict access by domains, that you need to add your ain subdomains also.

12. Use WordPress Security Plugins

And of course, nosotros accept to requite some WordPress security plugins some mentions. At that place are a lot of great developers and companies out there which provide great solutions to help better protect your WordPress site. Hither are a couple of them.

  • Sucuri Security
  • iThemes Security
  • WordFence Security
  • WP fail2ban
  • SecuPress

Kinsta has hardware firewalls, active and passive security, by-the-minute uptime checks and scores of other advanced features to preclude attackers from gaining access to your data. If, despite our best efforts, your site is compromised nosotros'll fix it for free.

Here are some typical features and uses of the plugins higher up:

  • Generate and forcefulness stiff passwords when creating user profiles
  • Force passwords to expire and exist reset on a regular basis
  • User action logging
  • Piece of cake updates of WordPress security keys
  • Malware Scanning
  • Ii-factor authentication
  • reCAPTCHAs
  • WordPress security firewalls
  • IP whitelisting
  • IP blacklisting
  • File changelogs
  • Monitor DNS changes
  • Block malicious networks
  • View WHOIS information on visitors

A very important feature that many security plugins include a checksum utility. What this means is that they inspect your WordPress installation and await for modifications on the core files every bit provided by WordPress.org (via the API). Whatsoever changes or modifications to these files could indicate a hack. You tin can also utilize WP-CLI to run your own checksum.

Make sure to read our thorough guide on File Integrity Monitoring.

Another great plugin that deserves an honorable mention is the WP Security Audit Log plugin. This is crawly for those of you working on WordPress multisite or simply multi-author sites. Information technology helps ensure user productivity and lets administrators see everything that is existence changed; such as logins, password changes, theme changes, widget changes, new post creations, WordPress updates, etc.

It's a complete WordPress activity log solution. As of writing this the WP Security Audit Log plugin has over lxxx,000+ agile installs with a 4.seven out of five-star rating. Information technology is an excellent option if you lot're looking for a WordPress multisite compatible security solution.

wordpress security audit log
Security inspect log viewer

It besides has boosted premium add-ons such every bit e-mail notifications, user sessions direction, search, and reports. Check out these additional WordPress security plugins that can help lock out the bad guys.

xiii. Harden Database Security

In that location are a couple means to ameliorate the security on your WordPress database. The first is to utilise a clever database name. If your site is named volleyball tricks, by default your WordPress database is most probable named wp_volleyballtricks. Past changing your database proper noun to some more obscure it helps protect your site by making it more than difficult for hackers to identify and access your database details.

A second recommendation is to apply a different database table prefix. By default WordPress uses wp_. Changing this to something like 39xw_ can be much more secure. When you install WordPress information technology asks for a table prefix (as seen below). There are also ways to alter the WordPress tabular array prefix on existing installations. If you're a Kinsta client, this isn't needed. We've got site and databased locked down!

wordpress table prefix
WordPress tabular array prefix – img src: jatinarora

14. Always Utilize Secure Connections

Nosotros can't stress enough how important information technology is to use secure connections! Ensure that your WordPress host information technology taking precautions such as offering SFTP or SSH. SFTP or Secure File Transfer Protocol (too known as SSH file transfer protocol), is a network protocol used for file transfers. It is a more secure method vs standard FTP.

We only support SFTP connections at Kinsta to ensure your data remains safe and encrypted. Most WordPress hosts too typically utilise port 22 for SFTP. Nosotros take this a step farther here at Kinsta and every site has a randomized port which can exist found in your MyKinsta dashboard.

SFTP details in MyKinsta.
SFTP details in MyKinsta.

It'southward also important to ensure that your domicile router is setup correctly. If someone hacks your home network they could gain access to all sorts of information, including perchance where your important information most your WordPress site(s) is stored. Here are some simple tips:

  • Don't enable remote management (VPN). Typical users never utilise this feature and by keeping it off you can proceed from exposing your network to the outside world.
  • Routers by default apply IPs in the range such every bit 192.168.ane.i. Apply a different range, such as 10.9.viii.seven.
  • Enable the highest level of encryption on your Wifi.
  • IP white-list your Wifi so that simply people with the password and certain IP can admission it.
  • Keep the firmware on your router upwards to engagement.

And always be careful when logging into your WordPress site in public locations. Remember, Starbucks is non a secure network! Take precautions such as verifying the network SSID before yous click connect. You lot can also use a third party VPN service such as ExpressVPN to encrypt your internet traffic and hibernate your IP address from hackers.

15. Cheque File and Server Permissions

File permissions on both your installation and web server are crucial to beefing upward your WordPress security. If permissions are too loose, someone could easily gain access to your site and wreak havoc. On the other hand, if your permissions are too strict this could break functionality on your site. So it is of import to accept the correct permissions prepare across the board.

File Permissions

  • Readpermissions are assigned if the user has rights to read the file.
  • Write permissions are assigned if the user has rights to write or modify the file.
  • Execute permissions are assigned if the user has the rights to run the file and/or execute it as a script.

Directory Permissions

  • Read permissions are assigned if the user has the rights to access the contents of the identified folder/directory.
  • Write permissions are assigned if the user has the rights to add or delete files that are independent within the folder/directory.
  • Execute permissions are assigned if the user has the rights to access the actual directory and perform functions and commands, including the ability to delete the information within the folder/directory.

You lot can employ a free plugin like iThemes Security to scan the permissions on your WordPress site.

wordpress file permissions
WordPress file permissions scan

Here are some typical recommendations for permissions when it comes to file and folder permissions in WordPress. See the WordPress Codex article on changing file permissions for a more in-depth explanation.

  • All files should exist 644 or 640. Exception: wp-config.php should be 440 or 400 to preclude other users on the server from reading it.
  • All directories should be 755 or 750.
  • No directories should always be given 777, even upload directories.

16. Disable File Editing in WordPress Dashboard

A lot of WordPress sites have multiple users and administrators, which can make WordPress security more complicated. A very bad practice is to give authors or contributors administrator access, only unfortunately, it happens all the time. It is important to give users the correct roles and permissions and then that they don't interruption anything. Because of this, it can be beneficial to simply disable the "Appearance Editor" in WordPress.

About of you take probably been there at 1 point or another. You go to quickly edit something in the Advent Editor and suddenly you are left with a white screen of death. It is much ameliorate to edit the file locally and upload it via FTP. And of course, in best do, y'all should exist testing things like this on a development site first.

WordPress appearance editor
WordPress appearance editor

Also, if your WordPress site is hacked the very first thing they might practice is try to edit a PHP file or theme via the Advent Editor. This is a quick way for them to execute malicious code on your site. If they don't have admission to this from the dashboard, to brainstorm with, it can aid forbid attacks. Place the post-obit code in your wp-config.php file to remove the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users.

ascertain('DISALLOW_FILE_EDIT', true);

17. Prevent Hotlinking

The concept of hotlinking is very elementary. You find an image on the Internet somewhere and use the URL of the paradigm straight on your site. This paradigm volition be displayed on your website but it volition be served from the original location. This is really theft as it is using the hotlinked site's bandwidth. This might not seem like a large deal, but information technology could generate a lot of extra costs.

The Oatmeal is a great example. The Huffington Mail hotlinked a cartoon of his which consisted of multiple images and it racked up a whopping $1,000+ beak.

hotlinking
Hotlinking pecker

Prevent Hotlinking in Apache

To prevent hotlinking in Apache just add the following code to your .htaccess file.

          RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http(south)?://(www\.)?yourdomain.com [NC] RewriteRule \.(jpg|jpeg|png|gif)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,Fifty]

The second row defines the allowed referrer – the site that is allowed to link to the image directly, this should be your actual website. If y'all want to allow multiple sites you can duplicate this row and replace the referrer. If yous want to generate some more than circuitous rules, have a look at this htaccess hotlink protection generator.

Foreclose Hotlinking in NGINX

To prevent hotlinking in NGINX simply add the post-obit code to your config file.

          location ~ .(gif|png|jpe?g)$ { valid_referers none blocked ~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com; if ($invalid_referer) { return 403; } }

Forestall Hotlinking on CDN

If you are serving your images from a CDN and then the setup might be slightly different. Here are some resources with popular CDN providers.

  • Hotlink protection with KeyCDN
  • Hotlink protection with Cloudflare
  • Hotlink protection with MaxCDN

18. Always Take Backups

Backups are the ane affair everyone knows they need but don't always accept. Nearly of the recommendations in a higher place are security measures yous tin can take to better protect yourself. Simply no matter how secure your site is, it volition never be 100% safe. So you want backups in example the worst happens.

Most managed WordPress hosting providers now provide backups. Kinsta has 5 different types of backups, including automated backups that so that yous tin rest easy at night. Y'all tin even i-click restore your site.

Backups in MyKinsta.
Backups in MyKinsta.

If your host doesn't take backups there are some popular WordPress services and plugins which you can apply to automate the process.

WordPress Backup Services

WordPress site backup services usually take a depression monthly fee and store your backups for you in the cloud.

  • VaultPress (from the Automattic team, now part of Jetpack)
  • CodeGuard
  • BlogVault

WordPress Fill-in Plugins

WordPress backup plugins permit you to grab your backups via FTP or integrate with an external storage source such as Amazon S3, Google Cloud Storage, Google Bulldoze, or Dropbox. We highly recommend going with an incremental solution so it uses fewer resources.

  • Duplicator
  • WP Time Sheathing
  • BackupBuddy
  • UpdraftPlus
  • BackUpWordPress
  • BackWPup
  • WP BackItUp

Note: We don't permit not-incremental backup plugins on Kinsta servers due to operation issues. But this is because nosotros handle all this for you at a server-level so it doesn't slow down your WordPress site.

19. DDoS Protection

DDoS is a blazon of DOS attack where multiple systems are used to target a single system causing a Deprival of Service (DoS) attack. DDoS attacks are cipher new – according to Britannica the first documented case dates dorsum to early 2000. Unlike someone hacking your site, these types of attacks don't commonly damage your site merely rather will but take your site down for a few hours or days.

What can you do to protect yourself? One of the best recommendations is to utilise a reputable 3rd party security service like Cloudflare or Sucuri. If you lot are running a business concern it tin brand sense to invest in their premium plans. If you're hosted on Kinsta, you don't demand to worry about setting up DDoS protection past yourself. All of our plans include a complimentary Cloudflare integration with DDoS protection born.

DDoS protection from Cloudflare and Sucuri
DDoS protection from Cloudflare and Sucuri

Their avant-garde DDoS protection can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer seven attacks. Other benefits include putting y'all behind a proxy which helps to hide your origin IP address, although it is not bulletproof.

Make sure to cheque out our case study on how to finish a DDoS assail. We had a client with a small-scale east-commerce site running Easy Digital Downloads which got over 5 million requests to a single page inside 7 days. The site typically only generated between 30-40 MB a day in bandwidth and a couple hundred visitors per day. But out of the blue, the site instantly went to between 15-xix GB of data transfer a mean solar day! That's anincrease of 4650%. And Google Analytics showed no boosted traffic. So that is not good.

High bandwidth from DDoS attack
High bandwidth from DDoS attack

The client implemented Sucuri'due south web application firewall on their site and all of the bandwidth and requests instantly dropped on the site (equally seen below) and there hasn't been a single issue since. So definitely a good investment and time saver if yous are running into issues like these.

Added Sucuri web application firewall
Added Sucuri web application firewall

Summary

Equally yous can see, there are numerous ways you tin can harden your WordPress security. Using clever passwords, keeping core and plugins upwards to date, and choosing a secure managed WordPress host are just a few that will go along your WordPress site up and running safely. For many of yous, your WordPress site is your both your business concern and income, and so it's important to take some time and implement some of the security best practices mentioned higher up, sooner rather than subsequently.

Have any important WordPress security tips that we missed? If so feel free to let united states of america know below in the comments.

Save fourth dimension, costs and maximize site performance with:

  • Instant aid from WordPress hosting experts, 24/vii.
  • Cloudflare Enterprise integration.
  • Global audience attain with 29 data centers worldwide.
  • Optimization with our congenital-in Application Performance Monitoring.

All of that and much more, in one plan with no long-term contracts, assisted migrations, and a 30-24-hour interval-money-back-guarantee. Check out our plans or talk to sales to notice the plan that's right for you.