
Website Security Best Practices for WordPress: An Ultimate 20-Point Checklist


Looking for an all-in-one guide with actionable tips to optimize the security of your WordPress website? Here’s a 20-point checklist that you can easily follow.

As a proud owner of multiple online businesses, I have finally realized why ignoring my own WordPress websites was a costly mistake. I got hacked and lost my data because of outdated plugins, themes, and WP core releases.

That was enough to teach me multiple lessons I will be sharing (which I learned the hard way) with you through an actionable checklist so that you don’t have to endure the same pain that I did.

Even if you’re a total newbie, securing your website is no different from taking care of your home, car, office, and other personal assets.

Always remember that hackers are constantly attacking websites, always targeting the most vulnerable ones with little to no basic security.

We’ll start off with the most basic steps and then proceed with slightly advanced ones.

But First, Is WordPress Really Secure?

Despite being a top target of hackers, the WordPress platform is inherently secure.

But just like any other platform, risks are associated, specifically if you are not careful. The same risks apply to leaving your doors unlocked at night or not having a security system at your premises.

Don’t blame the intruders. You just made it easy for them to get in and inflict damage.

Why is Website Security Critical for WordPress?

Did you know that over half of all WordPress website compromises are due to outdated plugins and delayed core updates? Delaying updates can make your website extremely insecure and highly vulnerable to intrusions and threats.

Years of hard work can be wiped out right before your eyes if you don’t take your WordPress website’s security seriously, just as happened to me.

In my case, I also had to deal with devastating consequences, such as loss of business revenue, getting back and forth with the hosting support, and buying premium themes and plugins.

And that’s when I realized: It’s all about the basics that I never followed in the first place!

I was wrong the whole time.

Imagine you visit a website and Google warns you that it is not safe. Would you still continue?

That’s a scenario for more than 15 million website visitors daily. In addition, Google also regularly blacklists more than 10,000 websites every single day. You really don’t want to be in the bad books of Google, do you?

Let’s start with understanding the root causes of these attacks and what actionable steps that you can take to stop them.

Understanding WordPress Vulnerabilities – Why Do WordPress Websites Get Attacked?

Let’s first understand the basic ecosystem of a WordPress website:

  1. WP Core – the WordPress open-source software provided by hosting companies and downloaded from WordPress.org
  2. Themes – The overall design and layout of your website, including fonts, colors, and images. These can be free or paid, and are downloaded from a reputable marketplace (Themeforest) or the theme developer’s website.
  3. Plugins – These are software add-ons that enhance the functionality of your WordPress website. By default, WordPress comes with multiple features, but to get the most out of this platform, you have to rely on plugins. Some are built by WordPress, whereas most of them are developed by third-party developers. Similar to themes, plugins are both free and paid.

Together, all 3 elements combine to give a powerful end-user experience. If any one of the elements breaks, it could potentially increase the risk of your site getting hacked.

Common entry points for attackers include:

  • Cracked themes and plugins: Many website owners will not invest in installing paid plugins and themes. Instead, they download the cracked versions. Hackers can easily inject malicious code into your website to take control if you’re using nulled or pirated versions.
  • Outdated Software: Running outdated WordPress core, themes, or plugins is like leaving a window open for hackers.
  • Weak Passwords: Weak passwords are still one of the most common causes of WP attacks! Use strong passwords with capital, lowercase, numbers, and a symbol. Never use easily guessable words such as your name, website name, year of birth, etc.
  • Brute Force Attacks: An old but effective method that hackers still use to date. This involves using multiple variations of usernames and passwords until one works correctly. 
  • Phishing: Derived from “fishing”, hackers use fraudulent techniques of sending emails and tricking you into entering your username and passwords onto reputable-looking websites.
  • Vulnerable Plugins and Themes: Not all plugins and themes are created equal. Some may contain security flaws that attackers can exploit. Thoroughly review and vet each plugin and theme before purchasing one.
  • SQL Injection: Hackers can inject malicious SQL code into your website’s database if they find a vulnerability in your themes or plugins.
  • DDoS Attacks: Flooding the website with more traffic than its servers can handle, resulting in frequent crashes.
  • Installing non-tested plugins: Always read the plugin review thoroughly before installing it. Not all plugins work as expected.

Security Best Practices for WordPress: Your Actionable Checklist

Based on my personal experience and vetted by our experts at Rapyd Cloud, this actionable checklist is the only solution you ever need to keep your site safe from hackers.

Part 1: The Basics

  1. Get a Reliable Web Hosting

Before you can decide about the aesthetics of your WordPress website, you need to find a reliable hosting service provider. Many site owners fail to do their due diligence and opt for the most economical one.

The problem with this approach is that not every web host is equal, and most shared plans are not optimized for WordPress websites. In the end, they all face the same fate: malware infections and lost rankings!

And since most of you may not have the time or resources to do all the heavy lifting, Rapyd Cloud’s Managed WordPress hosting does the job for you. With world-class security, integrated CDN, site monitoring, malware detection, and automated backups, a good host acts as a first line of defense against attacks.

  2. Install an SSL Certificate on Your Website

You see this padlock?


This indicates that the website is secure and uses an SSL certificate.

By default, almost all hosting service providers including Rapyd Cloud now provide a free SSL certificate with their hosting services.

Once SSL is activated, also set an HTTPS redirect so that anyone visiting the non-secure (HTTP) version of your website is automatically redirected to its secure version (HTTPS).

  3. Keep Everything Updated – WordPress Core, Themes and Plugins

I was one of the unlucky owners who never updated the core, theme, and plugins, and I faced the dire consequences of it!

Ignorance isn’t bliss anymore. The cost of planned downtimes for server maintenance and updates is nothing compared to recovering from a hack.

Think of updates as security patches that close potential loopholes. To check for updates, click Updates under Dashboard and you will see a list of themes, plugins, and WP core that require updates.


Make sure that everything shows as “up to date.” That’s one tip down.

  4. Regularly Back Up Your WordPress Website

This point relates to the previous one. Every time you update your website, first take a backup of the last working version. If anything breaks, you can safely restore it with no hiccups.

You seriously don’t want to be in a situation with a broken website and no backups to fix it.

You also need to understand that in the worst possible scenarios, if your website gets hacked, having a safe and secure backup will ensure you are up and running in no time.

You can use any free or premium backup plugin. Alternatively, if your website is hosted with us, our platform performs daily automatic backups.

Here’s how you can initiate backups at Rapyd Cloud. Here are some popular plugins to perform a one-click backup of your website:

  • UpdraftPlus WP
  • JetPack
  • Duplicator
  • All-in-one WP Migration and Backup
  • Backup – WordPress Backup & Plugin

  5. Also, Keep Your Backups Separate

While backups are important, keeping them in the same location as your current website is not going to help either.

What if the server malfunctions? Your data and backups could be erased. With Rapyd Cloud, you get automated daily backups, stored at separate servers from your current website ensuring continuity in case your website goes down.

  6. Choose Plugins and Themes Wisely

Before installing any plugin or theme, do your research. Check reviews, ratings, and the developer’s reputation.

I wish I had done the same while mindlessly installing plugins without looking at the reviews. At the end, I had a site bloated with so many plugins, I didn’t even know what to do with them.

Only install plugins from reputable sources like the official WordPress.org repository. Check if the plugins are tested with the latest WP core version and the last time when an update was made.

If the developer does not release regular updates, pass on it. Better safe than sorry.

  7. Remove Unused Plugins

If you’re not using a plugin or theme, delete it.

“But what harm is it posing to my website? I am not using it!” You aren’t, but your database is.

Inactive plugins are the silent killers. Hackers can still use them to inject malicious code into your website.

Head to Plugins>Installed Plugins and browse for deactivated plugins. Then find the Delete link underneath to delete that plugin, permanently closing any possible loopholes in the future:


Do the same for themes and delete all unused ones.

  8. Install a Security Plugin

Not installing a security plugin was another costly mistake! It wasn’t until I installed it for my clients that I noticed the way it worked in blocking hacking attempts.

A security plugin is like hiring a 24-hour guard right at your website’s doorstep, ensuring that only people with authorized access enter the system. One of the most popular security plugins for WordPress is Wordfence Security.

Tight on budget?

Go with its free version, which provides the same level of security as the paid version ($149 per year). The only difference is that the former has a delay of 30 days in patching for new vulnerabilities whereas the latter provides real-time protection.

There are many reputable plugins that you can use, such as Sucuri, Wordfence, Solid Security, and Security Ninja. Out of these, I am personally using Wordfence Security, and so far, it’s going great.

You get login & firewall protection, malware scanning, and active monitoring of your website to track user activity and suspicious behavior.

Wordfence Security has more than 5 million installs with an average rating of 4.7 on the WordPress.org repository. Here is a live demo of its functions inside of a WP website dashboard:


This is equivalent to installing a security camera outside your home.

Part 2: Advanced Settings

  9. Set Up a Firewall

Securing your website means performing multiple actions to keep it safe from any malicious activity. Relating to the previous point, a good security plugin provides a basic level of firewall protection.

A firewall, explained in simplest terms, is a network security device through which all incoming and outgoing traffic to your website is monitored. When a malicious activity is detected, the firewall blocks it immediately.

A basic Web Application Firewall (WAF) is now a standard offering among many reliable hosting providers, including Rapyd Cloud.

With security plugins like Wordfence, you can easily set up and monitor incoming/outgoing traffic rules.

  10. Use Strong Credentials – Complex Passwords and Unique Usernames

Would you lock your door and place its key under the doormat outside of your house?

How about using a strong lock with a complex key combination and keeping it safe with yourself?

Which option sounds more reasonable? If you’re like me, the second one reduces the risk of intruders breaking in.

The same goes for your WordPress website.

Use strong and unique passwords for all your WordPress accounts. Avoid easily guessable information like birthdays or pet names. Moreover, do not use the same password across all your accounts.

We also do not recommend using any password manager. In fact, password managers should be avoided at all costs.

In 2022, LastPass, one of the most popular password managers, suffered two massive data breaches resulting in hackers stealing encrypted password vaults and personally identifiable information.

Who suffered? The customers that relied on this tool to do the very thing it failed.

Here are some examples of weak passwords:

  • Short passwords less than 8 characters – 123456a
  • Passwords with recognizable keyboard patterns – qwerty12345
  • Common names – Michael

Here are some examples of strong passwords:

  • Lengthy with random characters – Mich@elsLapt0p88!!
  • Long recognizable words with multiple characters – Walk2miles3achDay!

Always focus on using a strong password, because the chances of a strong password being cracked are far lower than those of a weak one.
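As an added example (not code from the article), here is a small Python function that applies the password rules given above: minimum length, mixed case, digits and a symbol, and a rejection of keyboard patterns, common names, and anything containing your site name. The pattern and name blocklists are constructed for the example; a real deployment would use a much larger list (such as a breached-password list).

```python
import re

# Constructed blocklists for this example. A real check would use a large
# breached-password list instead of a handful of literals.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
COMMON_WORDS = ("michael", "password", "admin", "welcome", "letmein")


def password_problems(password, site_name="", min_length=8):
    """Return the list of rules the password fails (empty list = acceptable).

    The rules follow the checklist: minimum length, upper + lower case,
    a digit and a symbol, no keyboard patterns, no common names, and
    nothing derived from the site name (site_name is optional).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    lowered = password.lower()
    if any(p in lowered for p in KEYBOARD_PATTERNS):
        problems.append("contains a keyboard pattern")
    if any(w in lowered for w in COMMON_WORDS):
        problems.append("contains a common word or name")
    if site_name and site_name.lower() in lowered:
        problems.append("contains the site name")
    return problems


if __name__ == "__main__":
    # The article's own weak and strong examples, run through the checker.
    for candidate in ("123456a", "qwerty12345", "Michael",
                      "Mich@elsLapt0p88!!", "Walk2miles3achDay!"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

The two strong examples from the list pass every rule, while each of the weak ones fails at least two, which is the kind of feedback a registration form or user-audit script should give before a password is accepted.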

  11. Use 2-Factor Authentication

Two-factor authentication (2FA) adds an additional layer of protection to your site. It ensures that the person accessing the website really is who they claim to be.

Even though using a strong password is important, it isn’t secure enough for your website.

What if someone gets access to your credentials and you haven’t enabled 2FA?

With 2FA enabled, every time you log in, a code is sent via SMS or email that you need to enter for authorization. I personally use the Google Authenticator app on my phone, and every time I have to log in, I’d simply enter the authorization code for verification.

By default, WordPress does not come with 2FA. You can use any of the following plugins:

  • Google Authenticator
  • Wordfence Login Security
  • 2FA
  • Loginizer
  • Solid Security

These plugins further make it nearly impossible for cybercriminals to hack your website.

  12. Change the Default Admin URL and Username

By default, the admin URL for any WordPress website is:

https://yourwebsite.com/wp-admin

This URL is a part of every standard WP installation because every time you install WordPress, you hardly bother to change the admin URL. That’s also another blunder I made.

“Why does it even matter?”

It does. While the link is easy for you to remember, it is also just as easy for the hackers to launch brute-force attacks.

Just changing the default admin URL can significantly reduce automated hacking attempts; for example:

https://yourwebsite.com/site-login-panel

https://yourwebsite.com/we-can-login-in-here

The same goes for the admin login. Many website owners (even me before my website got hacked) had “admin” as the username. Changing it can make it much more difficult for hackers to guess the right username.

  13. Limit Login Attempts

We all forget passwords once in a while. With so many websites to manage, I find it intimidating to memorize every login credential.

I even have to retype my passwords multiple times to figure out the correct one until I am in.

And that is exactly what hackers do. They continue multiple attempts with various combinations of passwords and usernames until they are successful. This is called a “brute-force attack.”

As a website owner, there is no harm in multiple attempts to log in to your WP dashboard. But you definitely want to limit this access to any unknown person who might be trying to get in.

With a security plugin like Wordfence Security, you can limit login attempts, making it difficult and time-consuming for hackers to break in.

To enable this feature, head over to Wordfence>Firewall>Global Firewall Options

Scroll down and you can define a number against Lock out after how many login failures. That’s it.

Let the plugin do its job and thank me later.
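To show what a “lock out after N login failures” rule actually does, here is an added Python example (not code from the article or from Wordfence) that replays a constructed list of login events and applies a lockout policy: an IP address that produces five failed logins within five minutes is locked out for fifteen minutes, and every attempt from it during that time is blocked, even one with the correct password. The log format, IP addresses, usernames, and thresholds are all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events: timestamp, source IP, username, outcome.
# The format is invented for this example; it is not a WordPress or plugin log.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 admin FAIL
2024-05-01T10:00:03 203.0.113.5 admin FAIL
2024-05-01T10:00:04 203.0.113.5 administrator FAIL
2024-05-01T10:00:06 203.0.113.5 editor FAIL
2024-05-01T10:00:07 203.0.113.5 editor FAIL
2024-05-01T10:00:09 203.0.113.5 admin SUCCESS
2024-05-01T10:00:15 198.51.100.7 alice FAIL
2024-05-01T10:00:40 198.51.100.7 alice SUCCESS
2024-05-01T10:30:00 203.0.113.5 admin FAIL
"""


def parse_log(text):
    """Turn the sample lines into (datetime, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def apply_lockout(events, max_failures=5, window_seconds=300, lockout_seconds=900):
    """Replay login events under a lockout policy.

    Returns (decisions, lockouts):
      decisions - one (ts, ip, user, outcome, 'allowed'|'blocked') per event
      lockouts  - (ip, timestamp) for each lockout that was triggered
    An IP reaching max_failures failures inside window_seconds is locked out
    for lockout_seconds; attempts during that period are blocked regardless
    of whether the credentials are right. A successful login clears the
    failure counter for that IP.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}             # ip -> datetime when the lockout ends
    decisions, lockouts = [], []
    window = timedelta(seconds=window_seconds)

    for ts, ip, user, outcome in events:
        if ip in locked_until and ts < locked_until[ip]:
            decisions.append((ts, ip, user, outcome, "blocked"))
            continue
        decisions.append((ts, ip, user, outcome, "allowed"))
        if outcome == "FAIL":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures:
                locked_until[ip] = ts + timedelta(seconds=lockout_seconds)
                lockouts.append((ip, ts))
                q.clear()
        else:
            recent[ip].clear()
    return decisions, lockouts


if __name__ == "__main__":
    decisions, lockouts = apply_lockout(parse_log(SAMPLE_LOG))
    for d in decisions:
        print(d[0].time(), d[1], d[2], d[3], "->", d[4])
    print("lockouts:", lockouts)
```

In the sample, the fifth failure from 203.0.113.5 at 10:00:07 triggers the lockout, so the correct-password login two seconds later is still blocked, while the single mistake from 198.51.100.7 never comes close to the threshold. The same counter can be keyed by username instead of (or as well as) IP address, which is what protects a single account against an attacker rotating through many addresses.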

  14. Turn Off File Editing

WordPress has a built-in code editor that makes it easy for admins to edit themes, plugins, and other files. Anyone who gets into your dashboard with malicious intent can use that same editor to change the contents of your files and inject malicious code.

To avoid this situation, disable the file editing feature. To do this, head over to Appearance>Theme File Editor, locate the wp-config.php file and insert the following code.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

If you need assistance, better hire a WordPress professional or let your hosting company do this for you. Alternatively, you can also use a plugin to get this job done safely, such as All In One Security, Wordfence, or MalCare.

  15. Disable PHP File Execution

Hackers have many ways to compromise your digital assets, and one of these methods is by uploading malicious files to your WP website. Here’s how to further harden your website security.

You need to disable PHP file execution in the directories where uploads land, which stops any PHP file placed there from being run by the web server. It is a fairly simple and easy way to do it.

Open up Notepad or any text editor on your system and enter the following code:

# Block the web server from executing any .php file in this directory.
# This is the Apache 2.2 syntax; on Apache 2.4 the equivalent inside
# the <Files> block is "Require all denied".
<Files *.php>
deny from all
</Files>

Now save this file as .htaccess (exactly that name, with no other extension, or Apache will ignore it) and upload it to your /wp-content/uploads and /wp-includes directories. You can upload it using any FTP uploader or via the website admin panel provided by your hosting service company.

  16. Change the Default Database Prefix

The default prefix for all WordPress websites is wp_, which is why it is the most common prefix name for all databases. When you get something by default, make it difficult for hackers to guess it by changing its name.

And that’s what you have to do here. You need to first change the database prefix in the wp-config.php file, which should have a line that looks like this:

$table_prefix = 'wp_';

Now use phpMyAdmin to update the table names:

RENAME table `wp_options` TO `wp_awesomesite_options`;

Run this query once for every table in the database, changing what comes after the “TO” to match each table name with the updated prefix.
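Renaming the tables is only part of the job, and it is easy to miss the rest: WordPress also stores the prefix inside row data, in the options row named `wp_user_roles` and in the `wp_capabilities` and `wp_user_level` keys of the usermeta table. If those are not updated to the new prefix, every user loses their role and you are locked out of the dashboard. As an added example (not from the article), this Python function builds the complete set of statements from a list of table names, using the new prefix `wp_awesomesite_` from the text. The list of core tables is the standard twelve; the plugin table name is made up.

```python
# The twelve tables a default WordPress install creates (core only). A site
# with plugins has more, so build the real list from SHOW TABLES first.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
]


def rename_prefix_sql(tables, old_prefix, new_prefix):
    """Return the SQL statements that move every table from old_prefix to
    new_prefix and fix the two places where the prefix lives inside row data.

    Tables that do not start with old_prefix are left alone (they belong to
    something else sharing the database).
    """
    if (not new_prefix or not new_prefix.endswith("_")
            or not new_prefix.replace("_", "").isalnum()):
        raise ValueError("prefix must be alphanumeric/underscore and end with '_'")

    statements = []
    for name in tables:
        if not name.startswith(old_prefix):
            continue
        suffix = name[len(old_prefix):]
        statements.append(f"RENAME TABLE `{name}` TO `{new_prefix}{suffix}`;")

    # The serialized role definitions live in options under '<prefix>user_roles'.
    statements.append(
        f"UPDATE `{new_prefix}options` SET option_name = '{new_prefix}user_roles' "
        f"WHERE option_name = '{old_prefix}user_roles';"
    )
    # Per-user keys such as '<prefix>capabilities' and '<prefix>user_level'.
    # '_' is a single-character wildcard in LIKE, so escape it or 'wp_%' would
    # also match keys starting with 'wpx'. SUBSTRING is 1-based in MySQL.
    like_prefix = old_prefix.replace("_", "\\_")
    statements.append(
        f"UPDATE `{new_prefix}usermeta` SET meta_key = CONCAT('{new_prefix}', "
        f"SUBSTRING(meta_key, {len(old_prefix) + 1})) WHERE meta_key LIKE '{like_prefix}%';"
    )
    return statements


if __name__ == "__main__":
    # Constructed table list: the core tables plus one made-up plugin table.
    existing = [f"wp_{t}" for t in CORE_TABLES] + ["wp_wfconfig"]
    for stmt in rename_prefix_sql(existing, "wp_", "wp_awesomesite_"):
        print(stmt)
```

Update `$table_prefix` in wp-config.php to the same value, take a full database backup before running the output, and run it in one transaction so a half-renamed database is never left behind.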

  17. Disable Directory Indexing and Browsing

The directory indexing and browsing feature for my websites is disabled, and if someone tries to access a directory listing, they will see a 403 Forbidden error.

Directory browsing gives hackers a way to know where the files are located on your server and which one of them could potentially have vulnerabilities.

Remember the .htaccess file we created earlier? Head over to this file on your server and add the following code:

Options All -Indexes

There you go, another security measure making it much more difficult for hackers to break in!

  18. Use SFTP instead of FTP

SFTP means Secure File Transfer Protocol and, as the name suggests, it’s a secure version of the FTP protocol. Some hosting providers, including us at Rapyd Cloud, use this more advanced and safer version when transferring files and data to and from your website.

SFTP is secure because it encrypts the transmitted data.

If your hosting provider only uses FTP, ask them to provide you with SFTP. If they do not have this option, it is time to think about migration to a secure host.

  19. Regularly Update PHP Versions

PHP is the programming language WordPress is built in, and to run WP safely on the server, you need to be on a current version of PHP.

Head over to Tools>Site Health>Info>Server to check the version of your PHP. As of writing this blog, the latest PHP version is 8.3, released on November 23, 2023.


If your version is not the latest, better to update it. I also strongly suggest you leave this part to either a WordPress professional or the experts at your hosting company, because if not done right, it could potentially break your website.

  20. Hide Your WordPress Version Number

Many WordPress themes show the WP core version to the public, even though it is never required in the first place.

No visitor should know the version number of your CMS because hackers can easily guess potential security flaws with your website.

There is nothing to worry about if you are using a security plugin like Sucuri or Wordfence as they automatically hide the WP version number.

If you don’t have a plugin or want to do it manually, add the following line of code in the functions.php file in Theme File Editor.

remove_action('wp_head', 'wp_generator');
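Several items on this checklist (turning off file editing, changing the table prefix, hiding the version number) can be verified without logging in to the dashboard, by reading wp-config.php and the HTML of the home page. As an added example (not code from the article), here is a Python audit that checks a constructed wp-config.php fragment and a constructed HTML head for those three points. The sample config and HTML are made up; the version number in them is not from any real site. Note the second HTML check: even after `wp_generator` is removed, WordPress still appends `?ver=` with the core version to the URLs of enqueued scripts and styles that do not set their own version, so the number can leak there too.

```python
import re

# Constructed wp-config.php fragment with two weak settings: the default
# 'wp_' prefix and no DISALLOW_FILE_EDIT line.
SAMPLE_WP_CONFIG = """\
<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
"""

# Constructed HTML head that leaks the core version twice: in the generator
# meta tag and in a stylesheet URL's ?ver= query string.
SAMPLE_HTML = """\
<html><head>
<meta name="generator" content="WordPress 6.5.2" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=6.5.2">
</head><body></body></html>
"""


def audit_wp_config(source):
    """Return findings for the wp-config.php settings covered by the checklist."""
    findings = []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", source)
    if m is None or m.group(1) == "wp_":
        findings.append("default table prefix 'wp_' in use")
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", source):
        findings.append("DISALLOW_FILE_EDIT not set to true (theme/plugin editor enabled)")
    return findings


def audit_html(html):
    """Return findings for version disclosure in a page's HTML."""
    findings = []
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress ([^"]+)"', html, re.I)
    if m:
        findings.append(f"generator meta tag reveals WordPress {m.group(1)}")
    if re.search(r"\?ver=\d+\.\d+(\.\d+)?", html):
        findings.append("asset URLs carry ?ver= query strings that may reveal the core version")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG) + audit_html(SAMPLE_HTML):
        print("FINDING:", finding)
```

Pointing `audit_html` at the saved HTML of your own home page is a quick check that the `remove_action` line above actually took effect; an empty result from both functions means the three checklist items are in place.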

Web Hosting and Its Role in WordPress Site Security: The Foundation

Your web host plays a crucial role in your website’s security as most of the attacks begin from having a weak and unreliable service provider. Server-side security is the first line of defense against many threats. This means that if a hosting provider does not take security seriously, all websites on those servers could potentially be vulnerable to external threats.

At Rapyd Cloud, that’s not the case. Our Managed WordPress Hosting is built with security in mind. Our experts work round the clock to provide advanced security features, including:

  • DDoS Prevention: Protection against distributed denial-of-service attacks.
  • SSL Encryption: Secure communication between your website and visitors.
  • Server-Level Firewalls: Robust firewalls to block malicious traffic.
  • Automated Backups: Regular backups to ensure you can quickly restore your site in case of an incident.
  • Integrated CDN: Ensuring your site loads at blazing-fast speeds.

Conclusion: Taking Control of Your WordPress Security

This 20-point checklist will significantly strengthen the security of your WordPress website. Even following the most basic tips can go a long way in providing the necessary protection you need.

I also encourage you to regularly audit your website for vulnerabilities and take proactive steps to improve your security posture. Train your employees to monitor suspicious user behavior as human error is a big cause of security breaches.

Ready to experience the peace of mind that comes with secure, managed WordPress hosting? Explore Rapyd Cloud’s solutions today!

Frequently Asked Questions

How do I secure my WordPress login page?

Change the default login URL and admin name, implement 2FA, and limit login attempts. You can achieve this all by using a security plugin.

What are the best tools for WordPress malware detection?

Sucuri, Wordfence, and MalCare are all popular options.

Can I protect WordPress without a plugin?

Yes, but plugins often provide convenient and effective solutions for many security tasks. You cannot solely rely on manual protection.

How does managed hosting improve WordPress security?

Managed hosting providers handle server-side security, updates, and other technical aspects, freeing you to focus on your website. It’s like having your own experts without the hefty price tag.

What should I do if my WordPress website is hacked?

Immediately change all passwords, scan for malware, restore from a clean backup, and contact your hosting provider for assistance.

What are some common signs that a WordPress site has been compromised?

Unexpected changes to your website, suspicious redirects, new user accounts you didn’t create, and malware warnings from your browser.
