WordPress Security GuideWordPress is easily, and often, hacked. This is because WP is designed to work with many Plugins and Themes made by third parties (which WordPress itself has limited control over). PHP, the technology that WP is built with, is, for similar reasons, just as vulnerable.
To give an idea of how important securing WordPress is:
Here is a list of all (known) WordPress security flaws:
Here is a list of all (known) PHP security flaws:
To keep your WordPress site secure, we strongly recommend doing all of the following:
1 - Update WordPress, Plugins and Themes
Almost all hacked WordPress sites are using old versions of WP or themes and plugins. WP itself is constantly updated to fix the newest security flaws, as are many plugins and themes. Click here for our guide on keeping WordPress updated
2 - Update PHP
Same as with WordPress, PHP needs to be updated (at least once every year or 2). Click here for a guide on updating PHP. You should always update WP before updating PHP. Your site may not always work with the latest PHP version, and if updating PHP breaks your site, you can easily switch back to an older version to bring the site back up. Make sure you're never more than 2 PHP versions behind the latest
3 - Install a Security Plugin
A security plugin is essentially a team of security guards for your website. They block attacks, run malware scans, and help protect unsecure portions of your website that you may not be aware of. We recommend using BulletProof Security above others as it provides a strong level of security, is very simple to use, and light weight (so it won't slow your site down)
4 - Remove Unused Plugins and Themes
Each plugin and theme you install contains it's own potential list of security problems that can be exploited. Removing any themes and plugins you don't use can be the difference between your website being secure and being hacked
5 - Enable WordPress
If you have a static website, meaning that content isn't updated regularly and there are no interactive elements (like contact forms, comment sections or member sign ins) then the best way to secure your site is by converting it into a static page. This removes all the PHP code, which is the root source of all WordPress exploits. There are 2 plugins which can do this for you:
Static HTML Output Plugin
Note that these are somewhat advanced tools, so it's not recommended you use them if you're unexperienced with WordPress
6 - Enable SSL
SSL won't secure your site from malicious attacks, but it will protect visitors to your website from spying and attacks from hackers (who may try to steal contact details like email address and credit card information). Click here for our guide on how to enable SSL in WordPress.
7 - Add Google ReCAPCHA to your contact forms
If your contact form doesn't have any security, hackers can "trick" it to sending out SPAM, which can have your website put on blacklists. Click here for our guide on adding ReCAPTCHA to WordPress.
8 - Change the Wordpress login URL
To prevent malicious bots from brute forcing or DDOS'ing a default wordpress login url, we recommend changing the default wordpress login url to a custom one. Click here for our guide on changing the admin login url.
9 - Disabling xmlrpc.php
XMLRPC.PHP allows remote connections into your Wordpress account - this has been used for various tools and publishing applications that require remote access to Wordpress.
In Wordpress 5.0 and later, this feature is by default, turned off - we recommend having this feature off if you do not have any external applications accessing your Wordpress remotely as this closes a point of access. Click here for our guide on disabling this feature in .htaccess file.