WP Wheelie’s Guide to Securing Your WordPress Website

By | Published | Updated 2 January 2022

My first WordPress website was a blog about teaching. I thought I was too small for hackers to worry about. But I was wrong. I got hacked and lost years of work.

The key message is that if you have any kind of website, you need to protect it from being hacked. If you run a business website, you need to be even more protected.

But first, a few of truths:

  • Nothing you do can guarantee you won’t get hacked. But you can make it less likely and easier to bounce back if you are hacked.
  • It is not as simple as installing a plugin and doing nothing else.
  • Many online reviews and articles are advertising affiliate products (the author gets paid a commission if you buy the product).

I am not affiliated with any products I mention, I advise things that require you to do things beyond installing a plugin, and I outline:

  • Free or low-cost options
  • Fast options that don’t slow down your website
  • The most secure options

Then, you can choose the options that best suit your needs.

1. Install & Setup a WAF to Secure Your WordPress Website

A WAF or Web Application Firewall acts as a filter between your website and people who want to visit your website (traffic).

The WAF monitors this traffic, then blocks any suspicious traffic while letting legitimate traffic through. It does by comparing the requests being made by incoming traffic and comparing them to a ruleset of known threats.

image showing how a firewall helps secure a WordPress website

I have personal experience with three WAF services:

  • Wordfence free plugin
  • Wordfence premium plugin
  • Sucuri paid WAF service (only paid is available)

The key differences between Wordfence (free) and Wordfence (Premium) WAFs is:

  • Updates to the ruleset for known threats is delayed by 30 days in the free version, but it updated in real-time in the premium version

The key difference between Wordfence and Sucuri WAFs is:

  • Wordfence is plugin and hence lives on your hosting company’s server. Sucuri is a cloud-based service. Hence, Sucuri does not slow down your server or your website.

Recommendations Based on Cost

If cost is your key consideration, go with the free version of Wordfence.

If you want a cheap option, but with better protection go with the premium version of Wordfence at $99 per year.

Sucuri offers a comparable firewall plan for $9 US per month, but it doesn’t include malware scanning. Wordfence does. Sucuri does offer malware scanning with their Sucuri platform, but that costs $199 US per year.

Recommendations Based on Speed

Slow websites frustrate visitors and annoy Google. If speed is you’re your most important consideration go with either Sucuri:

  • Firewall at $9 US per month
  • Platform at $199 US per year

Recommendations for Best Security

Use both the Sucuri platform and Wordfence premium. They play well together and offset each other’s weaknesses (cloud vs plugin).

2. Keep Everything on Your Site Updated

Most successful hacks come from vulnerabilities in your website’s code. In order of importance, this includes code within WordPress:

  • Plugins
  • Core
  • Themes
graph showing how hacked wordpress sites were compromised
Graph Courtesy of Wordfence

Vulnerabilities are often detected and fixed before hackers find them. When hackers do find a vulnerability first, developers quickly patch them.

In either case, the best way for you to avoid being hacked through vulnerable code is to keep your plugins, WordPress version and themes up to date.

Sadly, Sucuri reports that 49% of hacked WordPress websites had outdated plugins, core files or themes when they were attacked.

Automatically Update Everything Through Your Host

You can often set up automatic updates of plugins and themes through your hosting company. If your host uses cPanel, go to Cpanel > WordPress Toolkit. Then click ˅ beside your domain name. Towards the bottom of the screen, you will see a link to Autoupdate Settings.

Click this link and then set Autoupdate settings for both plugins and themes to be forced.

Since WordPress 5.6, your site will automatically update to the latest WordPress version.

Automatically Update Plugins & Themes Using Code

If you cannot update plugins and themes through your host, you can do it by adding some code to your functions.php file.

add_filter( 'auto_update_plugin', '__return_true' );

add_filter( 'auto_update_theme', '__return_true' );

Recommendations When Securing Your WordPress Website

Enabling autoupdates via your host or via code does not cost anything. Nor do they have advantages over each other in terms of:

  • Speed
  • Security

Either option works fine.

But sometimes different updates (e.g., different plugins) can cause issues with your website. To be safe install the following 2 (free) plugins:

3. Use Strong Passwords, Unique Passwords & a Password Manager

Strong passwords are important when securing your WordPress website because hackers can use automated bots to guess and check a huge volume of passwords. Over 12 months, Wordfence blocks over 10 billion bogus logins.

This is known as a brute-force attack, and it is a common way hackers gain entry into your website.

securing your wordpress website against common brute force attacks
Graph Courtesy of Wordfence

What makes a strong password? Two things:

  • Length
  • A random combination of letters (upper and lowercase), numbers and symbols.

At the time of writing this, Google recommends that your password has at least 12 characters.

For example, according to security.org the 8-letter word thousand would take a bot less than 6 seconds to crack. Yet, a password with 12 characters can take years.

While 12 is good now, as technology improves so do does the speed at which bots can crack passwords. So, I recommend 16+ characters.

Due to dictionary attacks and improving technology, random passwords are better than passwords containing words. Words can be guessed (rapidly) as single entities, where a random string of characters cannot.

Further, by including numbers and symbols, as well as upper- and lower-case letters, you exponentially increase the number of guesses it takes to crack your password.

Generate Your Long & Random Password Below

4. Use 2FA to Further Strengthen Your Login Process

According to hackers, adding 2FA to your login process is one of the best things you can do when securing your WordPress website. 2FA stands for two-factor authentication, and it is a great way to guard against brute force attacks.

You may have already used it with some of your other online accounts, as it is becoming more common. It involves two steps (factors) when logging in:

  • The typical username and password step
  • A second step, where you receive a confirmation code or link

To set up 2FA, you first need an authenticator app on your phone. Common ones you can use are:

  • Google Authenticator
  • Microsoft Authenticator
  • LastPass Authenticator

Once you have selected and set up an authentication app, you need to connect it to your WordPress website.

If you use Wordfence, you can set up 2FA by going to Wordfence > Login Security. Next, use your authentication app on your phone to scan QR code on the Wordfence > Login Security page. Then follow the prompts.

If you are not using Wordfence, you can connect your authentication app to your website using the plugin WP 2FA.

5. Protect Your Login with reCAPTCHA

Google created reCAPTCHA to help tell the difference between humans and bots. It is not a perfect system, but it does help to secure your WordPress website.

To use Google’s reCAPTCHA you need to have an existing Google account (e.g., Gmail). Then:

  • Login to you’re the admin section of Google reCAPTCHA
  • Add your website using the + sign in the top right of the page
  • Select V2 Tickbox or V3 from the options at the top left of the page (read all of action 8 before choosing)
  • Click the gear icon (settings) in the top right of the page
  • Select the drop menu ˅ beside Google reCAPTCHA keys and leave this window open
securing your wordpress website by adding recaptcha

You will need to copy and paste the two key codes that you see into one of two plugins.

If you are using Wordfence, you can paste the keys into Wordfence > Login Security > Enable reCAPTCHA. You also must:

  • Tick the box enable reCAPTCHA
  • Set your reCAPTCHA Human/Bot threshold score

Note, Wordfence only allows V3 reCAPTCHA keys. So, if you want to use Wordfence to enable reCAPTCHA, you must select V3 when setting up your codes in Google.

If you:

  • Are not using Wordfence
  • Are using Wordfence but prefer the V2 checkbox option

You can use the free plugin such as Login Security reCAPTCHA.

6. Limit Login Attempts to Secure Your WordPress Website

The way that hackers crack your login details is through guessing and checking. With the help of bots, they can guess and check at an incredible rate.

In addition to earlier items on this WordPress security checklist, you should limit the number of times a user can enter an incorrect username and password combination.

If you are using Wordfence, go to Wordfence > All Options > Brute Force Protection, then click enable and set:

  • Lockout out over how many failures?
  • Lockout after how many forgot password attempts?
  • Count failures over what time period?
  • Amount of time a user is locked out?

If you are not using Wordfence, you can use the free plugin WPS Limit Login.

7. Change Your Login Slug

On websites, a slug is an extra part at the end of your domain name. For example, the slug for this page is /wordpress-security-checklist.

Why change the slug? Because the default /wp-login and /wp-admin slugs are well known by hackers.

Of course, as with other actions in this WordPress security checklist, changing your login slug is not enough on its own. Yet, it makes it harder to hack your website.

You can use the free plugin WPS Hide My Login to change your login slug.

8. Disable XML-RPC: Essential When Securing Your WordPress Website

XML-RPC allows for:

  • Remote publishing, such as the WordPress phone app
  • Remote connection through wordpress.com for Jetpack

If you do not use either the phone app or Jetpack, then it is more secure to disable XML-RPC. And for other reasons (mainly speed), I never recommend using Jetpack.

If you are using Wordfence, then go to Wordfence > Login Security > Settings, and tick Disable XML-RPC authentication.

securing your wordpress website by disabling xml rpc
disable xml rpc wordfence

If you are not using Wordfence, you can use the plugin Disable XML-RPC. Simply install and activate. That’s all.

9. Strengthen Key WordPress Files & Folders

Security permissions determine who can read, write, and execute the files that sit behind your website.

I recommend setting:

  • wp-config.php to 600
  • other critical files to 644
  • folders (directories) to 755

The easiest way to strengthen the permissions of key files and folders is through Cpanel. Go to Cpanel > WP Toolkit > Security > Security Measures. Then tick Restrict access to files and directories.

If you are setting up a new website, go ahead and tick all the security measures. They cover strategy 10.

However, if you are securing an existing site, it may be safer to action one item at a time. Then, if enabling a security item causes problems with your website, you know which action to undo.

10. Harden Other Aspects of WordPress

If your host uses Cpanel, go to Cpanel > Domains > WP Toolkit > Security > Security Measures. Then tick all the measures and save.

In addition to the above, if you use Wordfence, go to Wordfence > All Options > Additional Options. Then tick all the options under that heading and click save.

Another option is the free Sucuri plugin, which doesn’t include the firewall (WAF) but does include hardening options.

If you use both Sucuri and Wordfence, but not Cpanel, go to:

  • Sucuri > Settings > Hardening, then tick all the options (except firewall)
  • Wordfence > All Options > Additional Options. Then tick all the options.
hardening wordpress using sucuri

What About SSL or HTTPS?

You should always have an SSL certificate that allows you to serve your website via HTTPS instead of the unencrypted HTTP format. It is considered standard practice and Google while rank HTTPS websites above comparable HTTP sites.

Yet, HTTPS doesn’t really protect your website from being hacked. Rather, it encrypts confidential information your website’s customers provide (e.g., their credit card details).

WP Wheelie’s Security Guide in a Nutshell

  1. Install a WAF (Web Application Firewall)
  2. Keep Plugins, themes and WordPress core files updated
  3. Use strong and unique passwords with a password manager
  4. Set up 2FA (two-factor authentication)
  5. Use reCAPTCHA on your login page
  6. Limit login attempts
  7. Change your login slug
  8. Disable XML-RPC authentication
  9. Strengthen critical files and folders
  10. Harden WordPress

What are the best 5 tips when securing your WordPress website?

1. Keep everything (plugins, WP core files, themes) updated
2. Secure your login with 2FA, limited login attempts, reCAPTCHA and strong, unique passwords
3. Install a WAF
4. Disable XML-RPC authentication
5. Harden WordPress

WP Wheelie’s Guide to Securing Your WordPress Website

shaun killian (aka the WP Wheelie) profile

Shaun Killian (aka the WP Wheelie) has been working with WordPress for over 15 years. He started this site as a way of giving back to the WP community by freely sharing his expertise. For his day job, Shaun is the lead designer at WEBsmall, a web design business specialising in helping individuals, small businesses and non-profit organisations to make their online presence felt. He also spends part of each day doing physio to try and get the hang of using 2 prosthetic legs.

If you notice anything is out-of-date on this post please contact Shaun.