WordPress is the world’s most popular and widely used content management system, powering over 40% of all websites. It is also the most attacked CMS: according to Sucuri (2018), WordPress was the target of 90% of all hacking attempts on content management systems, and Kinsta reports that more than 500 WordPress websites are hacked every day.
Why do hackers attack WordPress sites? It depends, but the bulk of attacks are automated and opportunistic. The attacker’s goal may be to hijack the site for their own purposes, such as planting backlinks for SEO or delivering malware to its visitors; to steal valuable data such as email lists or other sensitive information; or to plant ransomware or other malware in order to extort the site owner.
If you are a WordPress site owner or developer reading this, you either find this information worrying (as you should) or you think it will never happen to you (in which case you should know that, according to Duke University, more than 80% of firms have reported being hacked at least once).
Either way, we have proudly created what we consider to be the Ultimate 2022 WordPress Website Security Checklist. We have a list of 25 actionable steps that you can take to protect your website against security vulnerabilities.
Let’s get started!
1. Use a secure hosting provider
WordPress can be deployed on premises or with a third-party provider, such as a shared hosting plan. Choosing where to host WordPress is a key part of a secure deployment: on a shared server, a weakness in the host’s isolation between customers, or in a neighbouring site, can lead to your site being compromised even if WordPress itself is hardened.
On the other hand, the best shared hosting providers offer additional protections, such as:
- Keeping hardware, PHP versions and server software current, so that attackers cannot exploit known flaws in outdated versions.
- Continuous network monitoring for suspicious activity.
- DDoS attack mitigation.
2. Keep WordPress and its Components up to date
WordPress is regularly maintained and updated. WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers, most of whom release updates regularly as well. These updates often include fixes for newly discovered security vulnerabilities.
This cannot be emphasized enough: nearly every WordPress website that is not kept up to date will be hacked sooner or later. Attackers run scripts that continuously scan the internet for known vulnerabilities in WordPress core, plugins and themes. If such a script finds your site and it has a vulnerable component, the site will be exploited.
How to do it:
On the left-hand side of the wp-admin page, click on “Dashboard” and then select “Updates”. This tab shows whether WordPress core, plugins and themes are up to date. Automatic updates for core can be enabled here; since WordPress 5.5 they can also be switched on per plugin and per theme from the Plugins and Themes screens.
Alternatively, automatic updates can be configured in code. The WP_AUTO_UPDATE_CORE constant goes in the “wp-config.php” file; the two add_filter() calls below must go in a must-use plugin or the theme’s functions.php instead, because add_filter() is not yet defined when wp-config.php is read. As with all manual code or config file changes, unless you are confident about what you are doing we recommend either hiring a developer or using a plugin. It is very easy to break a site with code changes.
// wp-config.php: auto-apply all core updates (minor and major releases)
define( 'WP_AUTO_UPDATE_CORE', true );

// wp-content/mu-plugins/auto-updates.php (or the theme's functions.php):
// enable automatic updates for all plugins and themes.
// Note the double underscore: __return_true() is the WordPress helper; _return_true() does not exist.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
3. Do not use vulnerable components
Keeping components up to date is unfortunately not enough to avoid having vulnerable components. This is because not all plugins and themes are kept up to date by their developers. Certain plugins and themes, which shall not be named, have their latest version remain vulnerable despite known and published vulnerabilities. Therefore, it is essential to verify that the plugins used by your site have development teams that are responsive and responsible.
How to do it:
Check components for known vulnerabilities and for release histories. If a plugin has not been updated in a long time, it may not be maintained; also check whether the plugin has been closed on WordPress.org, and whether a published advisory names a fixed version that the current release actually reaches.
BB-SEC offers a free vulnerability database where you can search through known vulnerabilities here.
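The check can be automated on the site itself: compare each active plugin’s installed version against the first version known to fix its published vulnerability and warn administrators until it is updated or removed. The must-use plugin below is an added example, not code from this article; the EXAMPLE_FIXED_IN map is constructed sample data, not real advisories, and would be maintained from a vulnerability database.

```php
<?php
/**
 * Plugin Name: Flag known-vulnerable plugin versions (added example)
 * Save as wp-content/mu-plugins/flag-vulnerable-plugins.php.
 */

// Constructed sample data, not real advisories: plugin basename => first fixed version.
// Keep this map current from a vulnerability database.
const EXAMPLE_FIXED_IN = array(
    'example-gallery/example-gallery.php' => '2.4.1',
    'example-forms/example-forms.php'     => '1.9.0',
);

/**
 * Return basename => installed version for every active plugin whose installed
 * version is older than the version that fixes its known vulnerability.
 */
function example_find_vulnerable_plugins( array $fixed_in ) {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $flagged = array();
    foreach ( (array) get_option( 'active_plugins', array() ) as $basename ) {
        if ( ! isset( $fixed_in[ $basename ] ) ) {
            continue; // no advisory on file for this plugin
        }
        $path = WP_PLUGIN_DIR . '/' . $basename;
        if ( ! is_readable( $path ) ) {
            continue;
        }
        // Reads the "Version:" header from the plugin's main file.
        $data = get_plugin_data( $path, false, false );
        if ( version_compare( $data['Version'], $fixed_in[ $basename ], '<' ) ) {
            $flagged[ $basename ] = $data['Version'];
        }
    }
    return $flagged;
}

// Show a red notice on every admin page to users who are allowed to update plugins.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    foreach ( example_find_vulnerable_plugins( EXAMPLE_FIXED_IN ) as $basename => $version ) {
        $message = sprintf(
            'Plugin %s is at version %s, which has a known vulnerability fixed in %s. Update it or remove it.',
            $basename,
            $version,
            EXAMPLE_FIXED_IN[ $basename ]
        );
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
    }
} );
```

A plugin that is not in the map is simply not checked, so the map only catches what you put in it; the point is that a version below the fixed version is flagged even when it is the latest release the developer ever shipped.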
4. Maintain regular backups
Backups are not just for recovery after a development change inadvertently breaks your environment. They are an essential part of a disaster recovery plan for a security breach. If your site is compromised and an attacker has a persistent foothold, then unless you have a backup stored outside the WordPress installation (and ideally off the same server) you will not necessarily be able to recover the site easily. Attackers who gain administrator permissions to a WordPress site can also delete or modify any backups kept within it. Therefore, make backups regularly, store them in a separate location, and test that you can actually restore from them.
5. Restrict access to the admin interface
When people think about hacking, they frequently envision hackers infiltrating servers using advanced techniques and computer “magic” (as in the movies). The majority of the time, however, attackers gain access to websites and accounts in the same manner as everyone else, by getting the credentials of a valid user.
By default, the WordPress admin interface is reachable from the whole internet, and anyone, with or without valid credentials, can attempt to log in. Therefore, it is recommended that access to the admin interface, including the login page itself, is restricted.
How to do it:
It is advised to restrict access to wp-admin by allowlisting permitted IPs and, where possible, exposing it only on a private network. Most of the time this can be done via the .htaccess file, since most WordPress hosts use the Apache web server. Two caveats: plugins that work on the public side of the site call wp-admin/admin-ajax.php on behalf of anonymous visitors, so that file should be exempted; and behind a CDN or reverse proxy, REMOTE_ADDR holds the proxy’s address, so the allowlist must be applied to the real client IP (for example via mod_remoteip) or it will either admit everyone or lock everyone out.
For example, to allow only the IP 10.10.10.10 to reach wp-login.php and the wp-admin directory, and return 403 Forbidden to everyone else, use the following snippet:
RewriteEngine On
# admin-ajax.php is used by front-end features for anonymous visitors; leave it reachable
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
RewriteCond %{REQUEST_URI} /wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin(/|$)
RewriteCond %{REMOTE_ADDR} !^10\.10\.10\.10$
RewriteRule ^ - [F,L]
To restrict access to the entire site (for example a staging or dev environment) to a single IP, use the following snippet (on Apache 2.4, a Require ip directive achieves the same without mod_rewrite):
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.10\.10\.10$
RewriteRule .* - [F,L]
Further down this checklist, you will see additional recommendations on securing wp-admin. Administrator access to this interface is very powerful: by default an administrator can install plugins and edit theme files, which amounts to running arbitrary PHP on the server. This is why it is the most common place for attackers to target your site.
6. Use SSL/TLS
TLS (still widely called SSL) encrypts data in transit between a browser and your site, including the credentials sent to the wp-admin login page. Without it, an attacker on the network path (a public Wi-Fi hotspot, a compromised router) can capture the password by sniffing the traffic, and you will then have a malicious actor with administrator permissions on your site.
How to do it:
Steps for enabling TLS depend on your hosting solution. Many hosting providers include free X.509 certificates, for example from Let’s Encrypt (a certificate from a trusted CA is a must; a self-signed one produces browser warnings and trains users to click through them). As with many hardening steps, there are also plugins that handle the configuration.
Alternatively, TLS can be configured manually in WordPress; this is a permanent and better-performing solution than a plugin. The steps below are for Apache servers (the most common setup) and assume the certificate is already installed on the web server:
1. Go to Settings » General and change both the WordPress Address and the Site Address to https:// instead of http://. Save the changes (WordPress will log you out and ask you to log in again).
2. Next, set up redirects from HTTP to HTTPS by adding the following code to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
3. Next, force HTTPS for the WordPress admin area and login pages by adding this line to the wp-config.php file:
define('FORCE_SSL_ADMIN', true);
Your website is now configured to use HTTPS, but you may still encounter mixed content errors: images, scripts or stylesheets that are still referenced over plain HTTP. These have to be fixed individually (typically a search-and-replace of http:// URLs in the database). Once everything loads over HTTPS, consider adding an HTTP Strict-Transport-Security header so that browsers never attempt a plain-HTTP request to the site again.
7. Disable XML-RPC in WordPress
One of the fundamental WordPress APIs is XML-RPC, which lets applications talk to a WordPress site over HTTP(S) using XML-encoded remote procedure calls. It lets you post to your blog using well-known clients such as the WordPress mobile applications or other remote blogging software, and services like IFTTT and Jetpack rely on it.
If you are not using any of these capabilities, you do not need XML-RPC enabled. Turning it off closes one more door: xmlrpc.php accepts username/password authentication without any of the protections applied to wp-login.php, its system.multicall method lets a single request test hundreds of passwords, and its pingback.ping method has been abused to turn WordPress sites into participants in reflected DDoS attacks.
How to do it:
While it can also be done manually with a few lines of code or by blocking xmlrpc.php at the web server, the easiest and most commonly recommended method is to install and activate the “Disable XML-RPC” plugin.
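For the manual route, the three hooks below are the ones that matter. This must-use plugin is an added example, not code from this article or from the plugin it names. Note that the xmlrpc_enabled filter only refuses methods that require a login; pingback.ping needs none, so it is removed separately.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Save as wp-content/mu-plugins/disable-xmlrpc.php.
 */

// Every authenticated XML-RPC call is answered with a fault instead of a login check.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled does not cover unauthenticated methods. Drop the pingback
// methods (abused for reflected DDoS) and system.multicall (which lets one
// request carry hundreds of password guesses), so they are gone even if
// another plugin turns XML-RPC back on.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to every page.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

xmlrpc.php still answers requests after this; to stop the traffic from reaching PHP at all, block the file at the web server as well.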
8. Disable Directory Indexing and Browsing
When someone requests a directory on your website, the web server looks for an index file such as index.html or index.php and sends it to the visitor’s browser. If no index file is found, the server may instead list all the files and folders in that directory. Directory listing is enabled by default in many Apache configurations; the WordPress root has an index.php, but directories such as /wp-content/uploads/ do not.
The security issue is that attackers can use directory listings to see the files that make up your website, including exactly which themes and plugins are installed and in which versions. If any of them have known security flaws, that is the information needed to pick the exploit. Attackers may also browse your files and folders for sensitive data, and even content you normally sell, such as ebook downloads, can be found and taken.
This is why disabling directory browsing in WordPress is regarded as a security best practice.
How to do it:
Add the following line to the .htaccess file in your WordPress root (create the file if it does not exist); it applies to all subdirectories as well:
Options -Indexes
Do not write Options All -Indexes: Apache rejects a mix of signed and unsigned option keywords, and in a .htaccess file that error surfaces as a 500 response for the whole site. If the directive has no effect, the host’s AllowOverride setting does not include Options and the change has to be made in the server configuration instead.
9. Disable PHP File Execution in Certain WordPress Directories
It is recommended to restrict execution access to directories which do not need it such as /wp-content/uploads/. This will make it more difficult for an attacker to perform arbitrary code execution attacks even if they gain arbitrary file upload to those directories.
When pretty permalinks are enabled on Apache, WordPress writes an .htaccess file into the site’s root folder, but you can also place .htaccess files in inner WordPress directories to restrict those individually.
How to do it:
To stop uploaded backdoors from being executed, create an .htaccess file in /wp-content/uploads/ (and in any other directory that should never serve PHP, such as /wp-includes/) with the following content. It blocks requests for PHP files only, so images in uploads and the scripts and stylesheets under wp-includes keep loading; a bare deny from all would break both.
# Apache 2.4 syntax; on Apache 2.2 use "Deny from all" inside the block instead
<FilesMatch "\.(?:php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
On older multisite installs that serve uploads through wp-includes/ms-files.php, that one file must stay reachable; add a <Files ms-files.php> block allowing it.
10. Disable File Editing
The WordPress admin area includes a built-in code editor (Appearance » Theme File Editor and Plugins » Plugin File Editor) that lets any administrator edit PHP files from the browser. For an attacker who gets hold of an administrator account or session, that editor is the fastest route to running arbitrary code on the server. Disabling it does not stop a determined attacker who can still upload a plugin, but it removes the easiest path and is a one-line change.
How to do it:
Disable file editing in the WordPress admin area by adding the following line to the wp-config.php file (DISALLOW_FILE_MODS goes further and also blocks plugin and theme installs and updates from the admin area, which is appropriate where deployments are managed from version control):
define( 'DISALLOW_FILE_EDIT', true );
11. Change WordPress Database Prefix
Spammers and hackers run automated SQL injection payloads written for the default wp_ table prefix. Changing the prefix does not fix an injection vulnerability if one exists (an attacker who is paying attention simply reads the prefix from an error message or from information_schema), but it makes the site less likely to be caught up in fully automated attacks, and on a new install it is an easy change to make.
How to do it:
On a fresh install, change the table prefix line in wp-config.php from wp_ to something else, for example wp_abc123_. On an existing site, changing this line alone breaks the site: every table must also be renamed, and the options and usermeta rows whose names start with the prefix (wp_user_roles, wp_capabilities, wp_user_level) must be updated to match. Use a plugin or a tested migration script for that, with a backup taken first. The line looks like this:
$table_prefix = 'wp_abc123_';
12. Limit login attempts
By default, WordPress does not limit the number of login attempts by a user, which makes brute force attacks possible. In a brute force attack, usernames and passwords are “guessed” in an effort to log into a system with the credentials and permissions of an existing user, and attackers use automated tools that try thousands of guesses per hour. Note that wp-login.php is not the only place credentials are accepted: XML-RPC (Step 7) takes them too, so a limit should cover both. Therefore, it is recommended that login attempts are limited.
How to do it:
As with most authentication controls, plugins are the best way to implement this.
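To show what such a plugin does under the hood, here is a minimal per-IP lockout as a must-use plugin. It is an added example, not code from this article or from any plugin; the thresholds and all example_ names are assumptions. It uses WordPress transients for the counters and hooks the same authenticate filter that both wp-login.php and XML-RPC go through.

```php
<?php
/**
 * Plugin Name: Limit login attempts (added example)
 * Save as wp-content/mu-plugins/limit-login-attempts.php.
 * Locks a client IP out for 15 minutes after 5 failed logins. Assumes the web
 * server puts the real client address in REMOTE_ADDR; behind a CDN or reverse
 * proxy, configure mod_remoteip (or the equivalent) first, or every visitor
 * shares the proxy's address and one attacker locks everyone out.
 */

const EXAMPLE_LOGIN_MAX_FAILURES = 5;
const EXAMPLE_LOGIN_LOCKOUT      = 15 * MINUTE_IN_SECONDS;

/**
 * Counter key per client IP. The username is deliberately not part of the key,
 * so an attacker cannot lock a named user (say, the administrator) out.
 */
function example_login_counter_key() {
    return 'example_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failure; the lockout window restarts with every failed attempt.
add_action( 'wp_login_failed', function () {
    $key = example_login_counter_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOGIN_LOCKOUT );
} );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_login_counter_key() );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20).
// That check overwrites any earlier WP_Error when the password is right, so the
// lockout has to be applied afterwards to hold even against correct credentials.
// XML-RPC logins call wp_authenticate() and therefore pass through here too.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( example_login_counter_key() ) >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failed_logins',
            sprintf(
                'Too many failed logins from your address. Try again in %d minutes.',
                EXAMPLE_LOGIN_LOCKOUT / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30 );
```

A refused attempt during the lockout fires wp_login_failed again and extends the window, so hammering the form only prolongs the block. Per-IP limits are weak against distributed guessing from many addresses, which is why this step is paired with strong passwords (Step 13) and two-factor authentication (Step 15).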
13. Force strong passwords in users
It is a known fact that users, unless forced otherwise, tend to use easy-to-remember passwords. Easy-to-remember passwords are generally also easy to guess, which makes password guessing attacks such as the brute force attacks discussed in Step 12 easier. Even if login attempts are limited to 3 per user before lock-out, a password such as “admin” for the user “admin” is something an attacker guesses on the first try. Therefore, strong passwords should be enforced for all users.
How to do it:
As with most authentication controls, plugins are the best way to implement this.
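WordPress shows a strength meter but accepts any password a user confirms. The checks below are enforced server-side on the profile screen, on Users » Add New and on the password reset form, which are the three places a password can be set. This must-use plugin is an added example, not code from this article; the length threshold, the short deny-list and all example_ names are assumptions.

```php
<?php
/**
 * Plugin Name: Enforce strong passwords (added example)
 * Save as wp-content/mu-plugins/enforce-strong-passwords.php.
 */

/** Return null if the password is acceptable, otherwise a human-readable reason. */
function example_password_problem( $password, $username = '', $email = '' ) {
    if ( strlen( $password ) < 14 ) {
        return 'Use at least 14 characters.';
    }
    $lower = strtolower( $password );
    $local = (string) strstr( $email, '@', true ); // part before the @, or '' if none
    foreach ( array( $username, $local ) as $part ) {
        if ( $part !== '' && strpos( $lower, strtolower( $part ) ) !== false ) {
            return 'The password must not contain your username or e-mail name.';
        }
    }
    // Constructed sample deny-list; a real deployment loads a breach-derived list.
    foreach ( array( 'password', 'qwerty', 'letmein', 'welcome', '12345678', 'admin' ) as $word ) {
        if ( strpos( $lower, $word ) !== false ) {
            return 'The password contains a word attackers try first.';
        }
    }
    // Reject a single character or short pattern repeated to reach the length.
    if ( preg_match( '/^(.+?)\1+$/', $password ) ) {
        return 'The password is a repeated pattern.';
    }
    return null;
}

// Profile edit and Users > Add New. $errors is a WP_Error; $user carries the posted fields.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    $password = $_POST['pass1'] ?? '';
    if ( $password === '' ) {
        return; // password not being changed
    }
    $problem = example_password_problem( $password, $user->user_login ?? '', $user->user_email ?? '' );
    if ( $problem !== null ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 3 );

// wp-login.php?action=rp: password reset links and the "set password" step for new users.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
    $password = $_POST['pass1'] ?? '';
    if ( $password === '' ) {
        return;
    }
    $problem = example_password_problem( $password, $user->user_login, $user->user_email );
    if ( $problem !== null ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 2 );
```

Adding an entry to the WP_Error object is enough: WordPress aborts the save and displays the message, so the user never ends up with the rejected password.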
14. Change the default admin username
After installing WordPress, unless you specify another name or your hosting provider requires a different username, the administrator username will be “admin”. This is very easy to guess, and attackers routinely brute force the username “admin”. Be aware that a new username is not a secret either: WordPress exposes author usernames through author archive URLs (/?author=1) and the REST API users endpoint, so this step removes the default guess rather than hiding the account. It helps in combination with strong passwords, login limits and two-factor authentication, not on its own.
How to do it:
The steps to implement this are as follows:
- From the left-hand menu, click on Users > Add New.
- Create new Administrator user. Fill in all of the fields for the user and select “Administrator” from the Role drop-down options.
- Click on Add New User.
- Log in as the newly added user and delete the original “admin” user. When WordPress asks what to do with that user’s content, choose “Attribute all content to” the new administrator; otherwise the posts are deleted along with the account.
15. Add Two Factor Authentication
Two-factor authentication is a technique for protecting accounts that requires a user to log in with both something they know (the account’s password) and something they have (an authenticator app on their phone, or a physical security key). Its merit is that even if someone discovers a user’s password, they would still need to have stolen the user’s physical device in order to access the account, making a compromise much less likely. Code-based and push-based second factors can still be phished along with the password; a FIDO2/WebAuthn hardware key cannot, so prefer it for administrator accounts.
How to do it:
As with most authentication controls, plugins are the best way to implement this.
16. Enforce Least Privilege
Least privilege is the idea and practice of giving users, accounts and processes access only to the resources they need for the tasks they are assigned. Not only does this protect against a user accidentally misusing higher-level permissions, it also protects the site itself when a lower-privileged user is compromised: the attacker gains that user’s access but not administrator permissions, and is limited in the damage they can cause.
WordPress allows assigning users different levels of permissions. By default there are five roles: Administrator, Editor, Author, Contributor and Subscriber; a sixth, Super Admin, exists only on multisite networks. Plugins exist that allow finer-grained permission management.
How to do it:
Roles are assigned under Users in the left-hand menu; editing the capabilities of a role or creating a new one needs a plugin or code, since core WordPress does not offer that in the UI. One capability worth removing even from trusted roles: unfiltered_html lets Editors and Administrators put arbitrary JavaScript into posts, so if nobody needs that, set DISALLOW_UNFILTERED_HTML to true in wp-config.php.
17. Enable a WAF
A WAF (web application firewall) is a type of firewall that specifically helps protect web applications such as a WordPress site. It does so by filtering and monitoring HTTP traffic between the site and the Internet. It adds defenses against attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection, among others.
How to do it:
This control is provided by some hosting providers. Otherwise, there are also WAF plugins; note that a plugin-based WAF runs inside PHP after the request has already reached WordPress, so it cannot protect the web server or PHP itself, whereas a host-level or CDN-level WAF sits in front of them.
18. Automatically log out Idle Users in WordPress
Leaving inactive sessions alive increases the chance that a session hijacking attack succeeds, for example one where a session cookie is leaked through a vulnerable proxy and replayed hours later. Or, if a user leaves their laptop unattended in a public place such as a coffee shop or library with the tab open, a stranger may be able to see sensitive information in the authenticated console and perform actions such as publishing new posts. It is therefore good practice to terminate inactive user sessions.
How to do it:
The best way to implement this is via plugins.
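WordPress sessions expire after a fixed lifetime (two days, or fourteen with “Remember Me”) regardless of activity. The must-use plugin below adds an idle timeout on top of that: each session gets a timer that is refreshed by every request and, once it lapses, the next request ends the session. It is an added example, not code from this article or from any plugin; the 30-minute limit and all example_ names are assumptions.

```php
<?php
/**
 * Plugin Name: Log out idle users (added example)
 * Save as wp-content/mu-plugins/idle-logout.php.
 * Ends a session after 30 minutes without a request from it.
 */

const EXAMPLE_IDLE_LIMIT = 30 * MINUTE_IN_SECONDS;

/** Timer key per session token, so a user's phone session does not keep their laptop session alive. */
function example_idle_key( $token ) {
    return 'example_idle_' . hash( 'sha256', $token );
}

// Start the timer when the login cookie is issued. $token is the session token
// WordPress embeds in the cookie (passed to this action since WordPress 4.0).
add_action( 'set_auth_cookie', function ( $cookie, $expire, $expiration, $user_id, $scheme, $token ) {
    set_transient( example_idle_key( $token ), time(), EXAMPLE_IDLE_LIMIT );
}, 10, 6 );

// On every request from a logged-in user: refresh the timer, or end the session if it lapsed.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token = wp_get_session_token();
    if ( $token === '' ) {
        return;
    }
    $key = example_idle_key( $token );
    if ( get_transient( $key ) === false ) {
        // The transient expired: no request for EXAMPLE_IDLE_LIMIT seconds.
        // wp_logout() destroys this session token on the server and clears the cookies.
        wp_logout();
        wp_safe_redirect( add_query_arg( 'reason', 'idle', wp_login_url() ) );
        exit;
    }
    set_transient( $key, time(), EXAMPLE_IDLE_LIMIT );
} );
```

Using a transient with the idle limit as its TTL means no cron job is needed: WordPress itself reports the timer as missing once it has lapsed. The timer is written on every request, so on a busy site back it with a persistent object cache rather than the options table.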
19. Scan WordPress for Malware and Vulnerabilities
Even if all the controls discussed in this article are implemented, it is possible that an attacker finds a vulnerability to exploit in your WordPress site: it may be a brand new zero-day, or the site may have an unusual configuration that causes a security issue.
Attackers can be relentless, and they only need to be right once, to find one usable flaw, to compromise a system. Site owners, on the other hand, must be right every time in their defenses, because if even one fails an attacker may gain a foothold.
Because of this, it is recommended to scan for malware and vulnerabilities regularly, typically once a week or once a month. Additionally, an annual penetration test is recommended.
How to do it:
Hosting providers usually include scans at an additional fee. BB-SEC also has penetration testing and scanning services. If neither is within your budget, not to worry! We also have free do-it-yourself guides and tips on our blog and through out our website.
20. Keep an audit log
Monitoring user activity is a great way to detect anomalies such as the signs of a compromised account, and it avoids repudiation problems. In cyber security, repudiation is when an application is unable to know and/or prove that a given actor performed certain actions.
For example, imagine an attacker compromises the employee account “Bob” through a vulnerability in the WordPress application. The attacker acts with Bob’s permissions and defaces the site. If you rely on the default records, all you see is that the posts were modified by the user Bob. Without more information, such as the source IP address and time of each action, you may erroneously conclude that Bob, and not the attacker, did this. If that happens, the attacker has successfully repudiated their actions.
Monitoring has non-security benefits as well, depending on the type of monitoring performed. For example, it can be useful for managing workflows and generating metrics helpful towards improving the useability of the site.
How to do it:
The best way to implement this is via plugins.
21. Set up alerts for suspicious WordPress logins and activity
Administrators of a WordPress website do not need to know about every change their users make. However, you do need to be alerted immediately of critical changes and user actions that may impact the security or operations of your website and business. If you keep logs but only review them once a week, a compromise can go unnoticed for days; if you are alerted immediately, you can act right away and stop an attacker in their tracks, hopefully before they do too much damage.
How to do it:
Usually the same plugins that have logging functions have alert functions. Review alert and logging functionalities when selecting such a plugin.
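As an illustration of what such plugins record and alert on, for Steps 20 and 21 together, the must-use plugin below writes a JSON line per security-relevant event (who, from which IP, when, what) to a file outside the web root and e-mails the site administrator for the high-impact ones: administrator logins, role changes involving the administrator role, new administrator accounts and plugin activations. In the “Bob” scenario above, the source IP on the login and on the post edits is what separates Bob from the attacker. This is an added example, not code from this article or from any plugin; the log path and all example_ names are assumptions, and the path must be writable by the web server user and not reachable over HTTP.

```php
<?php
/**
 * Plugin Name: Minimal audit log with alerts (added example)
 * Save as wp-content/mu-plugins/audit-log.php.
 */

const EXAMPLE_AUDIT_LOG = '/var/log/wordpress/audit.log'; // hypothetical, outside the web root

/** Append one JSON line to the audit log; e-mail the admin as well when $alert is true. */
function example_audit( $event, array $fields, $alert = false ) {
    $current = wp_get_current_user();
    $line    = array(
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
        'actor' => $current->exists() ? $current->user_login : 'anonymous',
    ) + $fields;
    // error_log() with type 3 appends the message to the given file.
    error_log( wp_json_encode( $line ) . PHP_EOL, 3, EXAMPLE_AUDIT_LOG );
    if ( $alert ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Security alert: ' . $event,
            wp_json_encode( $line, JSON_PRETTY_PRINT )
        );
    }
}

// Every login is logged; an administrator login is also an alert.
add_action( 'wp_login', function ( $login, WP_User $user ) {
    example_audit( 'login', array( 'user' => $login ), in_array( 'administrator', $user->roles, true ) );
}, 10, 2 );

// Failed logins feed brute-force detection; the attempted username is recorded.
add_action( 'wp_login_failed', function ( $login ) {
    example_audit( 'login_failed', array( 'user' => $login ) );
}, 10, 1 );

// Privilege changes: someone gained or lost the administrator role.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $touches_admin = ( 'administrator' === $role ) || in_array( 'administrator', $old_roles, true );
    example_audit( 'role_change', array( 'target' => $user_id, 'new' => $role, 'old' => $old_roles ), $touches_admin );
}, 10, 3 );

// New code running on the site is always worth an alert.
add_action( 'activated_plugin', function ( $plugin ) {
    example_audit( 'plugin_activated', array( 'plugin' => $plugin ), true );
}, 10, 1 );

// A new account; alert if it was created as an administrator.
add_action( 'user_register', function ( $user_id ) {
    $new = get_userdata( $user_id );
    example_audit(
        'user_created',
        array( 'target' => $new ? $new->user_login : $user_id ),
        $new && in_array( 'administrator', $new->roles, true )
    );
} );

// Content changes: enough to reconstruct a defacement timeline.
add_action( 'transition_post_status', function ( $new_status, $old_status, $post ) {
    if ( $new_status !== $old_status || 'publish' === $new_status ) {
        example_audit( 'post_status', array( 'post' => $post->ID, 'from' => $old_status, 'to' => $new_status ) );
    }
}, 10, 3 );
```

Keeping the log outside the WordPress installation matters for the same reason as with backups: an attacker with administrator access can edit or delete anything inside it, and a log that the attacker can rewrite proves nothing.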
22. Change salts and security keys in WordPress
WordPress uses eight long random strings, the “security keys” and “salts”, defined in wp-config.php. People often use the terms interchangeably, and they always mean these same eight strings. They do not encrypt your username and password: passwords are stored as salted one-way hashes that do not depend on these keys at all. Instead, the keys are the secrets used to sign the authentication cookies that keep you logged in and the nonces that protect admin forms against CSRF. A cookie forged without the key fails verification, so an attacker who cannot read the key cannot mint a login cookie for your site; an attacker who can read it can.
There are 4 keys, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, and each has a matching salt (AUTH_SALT and so on) that is appended to it. Because they protect every session on the site, keep them secret. Guessing a properly random 64-character key is not a realistic attack, so the reason to rotate the keys is exposure: after a compromise, an attacker who read wp-config.php (or a leaked backup of it) can keep minting valid login cookies even after you change every password. Rotating the keys invalidates every existing cookie and nonce at once, which logs all users out, including the attacker, and is therefore one of the first steps of incident cleanup.
How to do it:
Generate new values with the official generator at https://api.wordpress.org/secret-key/1.1/salt/ and paste them over the existing defines in wp-config.php, or run wp config shuffle-salts with WP-CLI. Plugins can do the same on a schedule. Expect every user to be logged out afterwards.
23. Secure your wp-config.php file
As you have probably noticed while reading this guide, wp-config.php is a very powerful configuration file that holds sensitive secrets: the database credentials and the security keys. An attacker who can read it gets the database password and the keys needed to forge login cookies; an attacker who can write to it can run arbitrary PHP on every request, since the file is included on every page load. Securing wp-config.php is therefore of great importance.
How to do it:
There are several complementary measures:
- Denying web access to it with a <Files wp-config.php> block in .htaccess (PHP normally never serves the file’s source, but a misconfigured handler or a stray copy such as wp-config.php.bak would).
- Moving the file one directory above the web root, which WordPress supports out of the box (it looks one level up when the file is missing from the root). Do this carefully: a location that is itself web-accessible or readable by other hosting customers makes things worse.
- Restricting file permissions so that only the account the web server or PHP process runs as can read it, for example 400 or 440, and never world-readable.