How to Protect Your WordPress Website [The Only Guide You’ll Ever Need]

WordPress users tend to spend a lot of time on their website design, content and optimisation, yet often forget one essential factor: website security. While it may seem like a dull matter for people who aren’t developers, keeping your WordPress safe is a critical part of running your business.

Why may you ask?

Let’s explore this question together.

Why is Protecting Your WordPress Important?

Like other safety-related things in life, website security is a necessary evil. Usually, when you commission a developer or an agency to create a website for you, the topic of security will pop up. Experts know first-hand how often websites get hacked - especially WordPress websites due to the platform’s popularity. They will typically advise you to protect your website in a variety of ways and may recommend some well-known security practices.

Many people disregard this information because they’ve never dealt with a hacked website and so they simply can’t imagine the hassle, time and effort resolving it can cause.

First of all, if you run an online business, or at least you manage part of your business through the website, a hacker attack will inevitably stop your work process. If you own an online store, you will be unable to sell; if you book appointments through your website, you will not be able to do so.

For high-volume online stores, this is particularly bad - not only will you be unable to sell for a while, but you may lose orders too. Website backups are typically created once a day, and if you get hacked hours after it’s done, all the orders made in the meantime will be lost.

If your website is operational, a hack might still have occurred - for example, links can be injected into the code and point to other websites.



If you monetise your website via ads, you may get your ads replaced with someone else's ads (and therefore display ads that you won’t get any revenue from).

There are plenty of cases when your website may get compromised, and it will take you days, if not weeks, to realise it. In the scenario with the spam link injection, this can affect your SEO (since Google strongly dislikes spammy links). As a result, your Google rankings could suffer, and it may take you a long, long time to repair this kind of damage.

There is also the matter of customer trust; people get really concerned when they hear a website they use has been hacked.

The use of SSL certificates has prevented the gravest consequences like leaking credit card numbers, but some data can still be obtained. Users may associate a hacker attack on your website with poor security and decide to stop using your services altogether.

Overall, if your website gets hacked, you can repair it, but protecting your WordPress in the first place is a much painless way to go.

Can you fix a hacked WordPress?

If you aren’t familiar with the process, fixing a hacked WordPress website can be quite a struggle. Clearing up infected code requires a specific kind of knowledge. Unlike many other technical issues, it would be difficult to Google a quick fix due to the varying nature of the hacker attacks.

If an attack has already occurred, you can use a plugin to scan your website, but most of the available plugins will just point out what file(s) has been modified recently, and you’ll still have to clean everything manually.



Another way you can try and fix this is by restoring a backup of your website. This, however, is not a 100%-guaranteed fix, especially if you aren’t sure when your WordPress was hacked (and therefore, which backup copy is clean for sure).

You can also contact a specialised agency that offers malware removal and technical assistance; they will act relatively quickly and clean your WordPress for you, but it comes at a cost, of course.

You need to keep in mind that even if you’re successful in fixing up the damage, this situation can (and likely will) happen again if you don’t set proper protection.

Your best shot here is to act preemptively and secure your website by taking a detailed and comprehensive approach to protection.

But what does this mean?

So, how do you protect your WordPress website? What actionable steps can you take? We're glad you asked! Keep reading.

Actionable Steps to Protect Your WordPress website

1. Choose a Good Hosting Provider

Before focusing on any other security steps, choosing a solid foundation for your website is critical. Working with a good hosting provider that can offer you multiple layers of security is the simplest way to protect your website from future cyber-attacks. The choice of a web hosting provider is rarely something people plan meticulously, especially if they haven’t been running online businesses for years.

The way web hosting is usually chosen is through a recommendation from a friend, via the agency building the website or through online research.

What inexperienced users often look for is the cheapest  pricing. As with most things in life, though, reliable, high-quality hosting will cost more, and it will also offer you more. Good hosting providers offer plenty of security features that could mean the difference between whether you have to deal with a hacked website or not.

On the other hand, low-cost hosting providers will cut corners whenever they can to cover the difference, and unfortunately, security is an area that suffers a lot.

Let us give you an example of some of the features we make available to our customers. Besides the classic options such as DDoS protection, SSL certificates, and Web Application Firewalls, we have a few that will level up your website security game.

One of them is Patchman, an application that can be extremely useful to users who don’t automatically update their WordPress. Patchman scans your installation and fixes any known vulnerabilities in WordPress core files and numerous popular plugins. Rather than automatically updating software to fix the vulnerability, which could cause site-breaking dependency issues, Patchman applies the security fix to the currently installed version.



You can have complete confidence that patches applied will happen safely and without damaging your website.

If you are going for shared hosting, choosing high-performing, secure hosting is imperative. Many companies also offer WordPress hosting, which is specifically configured for WordPress and your site will typically perform much better on it.

If you have a high-volume website and choose to upgrade your hosting account, go for the Fully-managed dedicated server will guarantee a higher level of security, as opposed to its cheaper (unmanaged) counterpart.

All in all, do thorough research on web hosting and don't let the price guide you in your choice.

2. Keep Your WordPress Updated

This is probably the first advice you will hear from your web developer - keep everything updated! Many WordPress owners disregard this as a rule, whether consciously or not, and become targets of malicious attacks.

The reason this happens is due to vulnerabilities discovered by hackers. If you are interested in reading more on the topic, we recommend this article, but to sum it up, vulnerabilities are "holes' in the code of the application you're using. There is a constant battle between hackers and software developers, where hackers find and exploit security vulnerabilities, and the developers seek to patch them quickly.

Like other CMS applications, WordPress goes through cycles of updates, in which new features are added, and the developers work to fix any known vulnerabilities. Every year, there are usually 1-3 major updates and many minors, all of which are critical for security, as they almost always contain security patches.

But wait - if you have something like Patchman, why do you still need to update?

Patchman covers WordPress core files and some of the most popular plugins, but many plugins are not patched through the app. This means that all of those plugins, if left outdated, will easily become an entering point for the hackers to do as they pleased on your website.

Keeping your WordPress updated is quite easy.

First of all, all versions after 5.6 (released in December 2020) have automatic updates enabled, which means that you don't need to do anything. If that's not the case for some reason (say your developer disabled them), there are a couple of ways you can enable your auto-updates.

One is via Softaculous, the application often used by cPanel users to install WordPress on their servers.  Softaculous’ WordPress Manager allows you to configure automatic upgrades; you can select to auto-upgrade just minor updates, or majors also.



You can additionally opt to automatically upgrade your plugins and themes too. Best of all, it will take a backup prior to any automatic upgrade just in case there is any need to revert.

Another option, if you are somewhat skilled in modifying your code, is to use WordPress’ native automatic updates configuration - find out more about this directly on WordPress’ KB.

3. Choose a Strong Username and Password

The most common WordPress hacking attempts include using stolen login details. We're talking about the so-called Brute Force attack – an efficient and straightforward type of cyber-attacks, where hackers let a computer try different combinations of usernames and passwords until they find the right ones.

Many people use the username "admin" as this appears by default when using a software application like Softaculous to install your WordPress.

Don't use the default username, making things easier for the hackers - choose a different username, like your email address. If you have been handed an already created user with this username, create a new administrator and delete the existing one.



Same goes for your password; the stronger it is, the better. Choose a long password that includes digits and special characters or, even better, generate a random one.

If you are worried you'll forget your password, try to come up with a system that can help you remember. Some people like to use a static combination of characters + the name of the website as a differentiator ( Jack1990Apple!), others go for assosiative passwords.

Of course, you can simply save your login details and not worry about whether or not you'll remember them. Do not use your browser to store your login details though! This is quite an unsafe (and commonly used) option.

If you'd like to store your login details so that you don't have to type them every time, use a password manager like Lastpass - they have a free plan, and your login details will be as safe as possible. With the password manager you need to remember just 1 password (the master one) and also store credit card details.

4. Limit Login Attempts

Another way to prevent brute force attacks (again, they'll try to break in by guessing your details) is by simply limiting the number of login attempts. Fortunately, this is a rather easy thing to do; simply install a plugin such as Loginizer or, if you're using a security plugin, check if it doesn't offer this as a feature.

Customers on Kualo’s shared hosting service are also protected from brute force login attacks automatically - with brute force attempts throttled and blocked.

5. Use 2FA (two-factor authentication)

Two-Factor Authentication has become somewhat of a gold standard in the past couple of years. In fact, many reputable websites will force their users to implement 2FA  on their account as one of the most reliable ways of protecting it. The way it works is that it will require an additional authentication (usually through your phone) every time you log in from a device that’snot recognised.

This means that even if hackers have your exact login details, they will still be unable to log in without that additional authentication.

You can install a plugin such as WP 2FA and force other users on your website to use that too (especially if they have administrator or editor rights). Remember to always download your backup codes and store them in a secure location, in case you lose access to your phone.

6. Change the URL of your login page

Much like the "admin" username, another notorious detail of WordPress when it comes to login access is its login page. The default one is either "www.yourwebsite.com/wp-login.php" or "www.yourwebsite.com/wp-admin"

Either way, if you leave it like this you make it much easier for hackers to identify the entrance to your backend and commence a brute force attack.

Change the URL (slug) to your login page by using a plugin such as ThemeMyLogin or look for a security plugin that will include multiple features that we listed (2FA, limit login attempts, etc.).

There is also an excellent article by WPBeginner on how to change manually your login URL, but if you aren't comfortable managing code, it's best not to go there.

7. Install a Security Plugin

At the time of writing this article, there are more than 50 million plugins available, both free and paid. It would be a pity not to take advantage of the large base of plugins that can protect your installation from malicious attacks.

On the other hand, each plugin you install is another piece of code that needs to be taken care of (i.e. updated). A multitude of plugins also increases the risk of incompatibility - this is when two or more plugins cannot work together - so you need to avoid installing plugins you can go without.

Some of the best security plugins will combine several features, as mentioned above, thus reducing the number of plugins you'll have to install in order to do all the things we're talking about. Some great examples are:

• Wordfence security - another prevalent option packed with features. Great for users with multiple websites via its Wordfence central, the plugin checks WordPress for several security risks such as malicious code, spam injections and even bad URLs
• WP Cerber Security - a great plugin featuring a power combo of options, many of which are recommended in this article. In fact, this is probably one of the plugins with the most comprehensive list of security features.
• All in One WP Security - this plugin is very popular among less technically experienced users, and there is also no paid version, so no restrictions whatsoever. It will require more manual configuration, but its simplicity ensures a relatively flat learning curve.

8. Install an Activity Log Plugin

This is a neat piece of advice that can be useful on many occasions. The Activity log plugin will record and show logs of any activity performed by different users on your website. Think of it as sort of a CCTV camera, keeping an eye on everything that happens on your website (in text format, of course!)

If multiple users with administrator rights work on your website, this is an excellent way to keep a record of what is being done.

From a security perspective, it can show you various information that can be very handy - from failed login attempts to changes in the WordPress site files and settings. If you’re someone who likes to perform their own website maintenance, this feature is a must.

A great (and free) option is the WP Activity log, a plugin that has been around for years and is also known for both its detailed log and interface simplicity.

9. Install an SSL Certificate

This should go without saying, but let's include this recommendation to be on the safe side.

Once, an SSL was required for websites that needed to be secure for specific transactions like payments. Nowadays, however, it doesn’t matter whether you are processing payments on your website or not. SSL is mandatory for any website that is processing sensitive information like passwords, names, addresses, etc.

The beside-the-scenes mechanics of this are as follows:  without an SSL on your website, all of the data transferred between the user’s web browser and your web server is delivered in plain text that hackers can read.

Once you install an SSL the sensitive information is encrypted before being transferred between the two parties – the user’s web browser and your server, protecting it from third parties with malicious intents.

Google recognised the importance of an SSL certificate a while ago and started showing on the top positions websites that could offer an encrypted transfer of information.

Additionally, in 2018, Google warned all website owners that every site that doesn’t have active SSL would be displayed as “Not Secure” in the URL. This makes the SSL certificate an absolute must; the good news is that it's quite easy to obtain, and, what’s more, at some hosting companies (including Kualo!) an SSL is included free of charge.

10. Setup Backups

While backups might not work 100% if and when you need to fix a WordPress problem, they are your first line of defence. A website backup can come in handy not just when there is a hacker attack, but when there are technical issues too.

Many times, when installing a new theme/plugin or working actively on your site, something may break, so having a backup in place is without a doubt a must.

While most reliable hosting providers will have those daily backups set for you, it's not a bad idea to either learn how to do them manually or use a backup plugin like UpdraftPlus or BackupBuddy. Both of those have the option to upload your website backups to cloud services like Amazon or export them locally.

You can also use the Softaculous Backup feature which is easily accessible in your cPanel. The good news is that it offers maximum simplicity and comes at no additional charge. The bad news is that, unlike its counterparts, it will upload the backups on your hosting account, so it will use disk space and it’s also stored in the same place as the website itself. If something was to happen to your account (say, delete files by accident or a manual hacker intrusion) your backup copy might be compromised as well.

Remember always to create a backup copy if you're planning to work on your WordPress and you are unsure of the end results!

If you’re running a high-traffic eCommerce website, hourly backups might be the best choice for you. As mentioned before, websites that generate a lot of orders can suffer significant losses in case they have to restore a backup done several hours earlier.

More Actionable Steps to Protect Your WordPress website [Advanced]

The tips you will find in this section require a bit more advanced knowledge in managing your WordPress and confidence in writing directly into its code. If you don't feel comfortable doing these steps, it's advisable to consult a WordPress developer who could help you execute them.

11. Disable File Editing

WordPress comes with a built-in code editor, which allows you to edit your theme and plugins files from your admin panel. If the wrong person gets access to your admin panel, that might be a huge security risk. That’s why we recommend disabling this feature.

You can do it by adding a piece of code to your wp-config.php file:

1 // Disallow file edit 

2 define( 'DISALLOW_FILE_EDIT', true );

12. Disable PHP File Execution for Specific WordPress Directories

Add another layer of protection by disabling PHP file execution in directories where it’s not necessary. The reason you want to do that is because hackers often use the function to upload backdoor access files or malware to your WordPress site. This is a dangerous step if you don't know what you're doing as your site may stop working, so tread carefully! The directory you're looking for is /wp-content/uploads/

You can do this by opening a text editor like Notepad and paste this code:

<Files *.php>

deny from all

</Files>

Save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client or through your File Manager in cPanel.

13. Disable XML-RPC

Once XML-RPC was used to connect your WordPress site with web and mobile apps, but since WordPress released its own REST API, the XML-RPC became a liability instead of a useful feature.

For instance, if a hacker wanted to try 1000 different passwords on your websites, they would have to make 1000 separate login attempts which will be caught by your security plugin or firewall. However, if you keep XML-RPC enabled, a hacker could use the system.multicall function and try 1000 different passwords with 30-60 requests.

That’s why we strongly recommend disabling it, and you can do it by simply adding a code in your .htaccess file:

# Block WordPress xmlrpc.php requests



<Files xmlrpc.php>



order deny,allow



deny from all



allow from xxx.xxx.xxx.xxx



</Files>

On line 5 you should insert your own IP if that's the only one you'd like to retain XML-RPC from (otherwise, just delete it).

Note: If you are one of our users, there is no need to perform this step, as your XMLRPC will be protected by LiteSpeed's Brute Force Protection feature.

14. Restrict bots access

While your website will always be crawled by some bots, bad bots can create annoying disturbances. They could slow down your workflow and/or disrupt the functionality of your WordPress site, thus causing a loss of users.

A great way to deal with this is to prevent abusive bots from obtaining access to your WordPress. Insert the following code to the .htaccess file.

SetEnvIfNoCase User-Agent ^$ keep_out



SetEnvIfNoCase User-Agent (pycurl|casper|cmsworldmap|diavol|dotbot) keep_out



SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out



SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|planetwork) keep_out



Order Allow,Deny



Allow from all



Deny from env=keep_out

Non-technical tips to keep your WordPress safe

Use the Principle of Least Privilege (POLP) 

Give any of your website users the least amount of access possible. If you have a content writer, for example, it’s not necessary to provide them with an administrator account - an Editor user will do just fine. Do not share your account unless it’s absolutely necessary, and if you do - change your password as soon as whoever you gave it to doesn’t need it anymore.

Do not share your hosting details too unless it’s absolutely necessary.

Don’t use nulled (illegally downloaded) WordPress themes and plugins

At some point, it may become a temptation to save some money and download an unlicensed plugin or theme. In this case, you will pay in another way - most likely with positioning a backdoor to your WordPress. Hackers often hide spammy links or malicious code within the unlicensed items and offer them for free download.

Avoid them at any cost and if you commission a website or functionality, make sure to confirm with the developer everything is licensed properly.

Final Thoughts

Consider the time (and funds) you’ll spend to secure your WordPress as another critical business investment. Fixing a hacked website will cost you considerably more - in the most unfortunate case, it could even cost you your business. Following this guide will not guarantee 100% protection against malicious attacks, but it will decrease the chances of that happening significantly.

Do you find any of the advice offered hard to follow? Did we miss anything important? Ping us in the comments, we’d love to hear your thoughts!

Or if you’re ready to switch to Kualo’s super-secure WordPress hosting, check our plans here.