WordPress Security Guide


WordPress is easily, and often, hacked. This is because it is designed to work with many Plugins and Themes made by third parties, which WordPress itself has limited control over. PHP, the technology that WP is built with, is just as vulnerable for similar reasons. Please note that the information in this guide is provided as a suggestion, and we can't provide detailed support for modifications to a Content Management System. If you require assistance with this, we'd recommend speaking to your website developer to ensure relevance and compatibility with your site.

To give an idea of how important securing your WordPress installation is:

Here is a list of all (known) WordPress security flaws:
https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/

Here is a list of all (known) PHP security flaws:
https://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/


To keep your WordPress site secure, we strongly recommend doing all of the following:

1 - Update WordPress, Plugins and Themes

Almost all hacked WordPress sites are using old versions of WordPress, themes and plugins. WordPress itself is constantly updated to fix the newest security flaws, as are many plugins and themes. Click here for our guide on keeping WordPress updated.


2 - Update PHP

PHP needs to be updated occasionally as well, for similar security and efficiency increases. Click here for a guide on updating PHP. WordPress should always be updated before updating PHP. Your site may not always work with the latest PHP version, and if updating PHP breaks your site, you can easily switch back to an older version to bring the site back up. We would recommend never being more than two versions behind the latest PHP version.


3 - Install a Security Plugin

A security plugin will block attacks, run malware scans, and help protect unsecured portions of your website that you may not be aware of. We recommend using BulletProof Security as it provides a strong level of security, is very simple to use, and is lightweight. Other common choices are Wordfence and Sucuri.


4 - Remove Unused Plugins and Themes

Each plugin and theme you install contains its own potential list of security problems that can be exploited. We would recommend keeping your plugin use to a minimum where possible, and removing unused plugins.


5 - Consider converting to a static website

If you have a static website (i.e. content isn't updated regularly and there are no interactive elements like contact forms, comment sections or member sign-ins), then the best way to secure your site is by converting it into a static page. This removes all the PHP code, which is the root source of all WordPress exploits. Incidentally, it will also greatly increase your website load speed.

Two plugins which can do this for you are Static HTML Output Plugin and Simply Static. Note that these are somewhat advanced tools, so it's not recommended you use them if you're inexperienced with WordPress.


6 - Enable SSL

An SSL Certificate won't directly protect your site from malicious attacks, but it will protect visitors to your website. Any details sent to your website will be encrypted, protecting them from spying and attacks by hackers (who may try to steal contact details like email addresses and credit card information). Click here for our guide on how to enable SSL in WordPress.


7 - Add Google ReCAPTCHA to your contact forms

If your contact form has no human verification, it can easily be abused by bots. This abuse ranges from sending you emails with malicious content, to having your contact form send out 'thanks for your contact' emails with malicious content to targeted email addresses. This can have your domain and IP put on blacklists, making it harder for legitimate emails to be delivered. Click here for our guide on adding ReCAPTCHA to WordPress.


8 - Change the WordPress login URL

To prevent malicious bots from brute-forcing or DDoS'ing the default WordPress login URL, we recommend changing it to a custom one. Click here for our guide on changing the admin login URL.


9 - Disable xmlrpc.php

xmlrpc.php allows remote connections into your WordPress account. This has been used for various tools and publishing applications that require remote access to WordPress. In WordPress 5.0 and later, this feature is turned off by default. We recommend ensuring this feature is off if you do not have any external applications accessing your WordPress remotely, as this closes a possible point of access. Click here for our guide on disabling this feature in your .htaccess file.
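
As an added example (not part of the original guide or its linked tutorial), the Python script below checks whether a site's .htaccess really contains a deny rule for xmlrpc.php, in either Apache 2.4 or the older 2.2 syntax. The two sample files are constructed for illustration, and the function names xmlrpc_blocked and covers_xmlrpc are hypothetical.

```python
import fnmatch
import re

# Constructed sample: stock WordPress rewrite block, no xmlrpc.php rule.
UNPROTECTED = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample: same file plus an Apache 2.4 deny rule for xmlrpc.php.
PROTECTED = UNPROTECTED + """\
<Files "xmlrpc.php">
    Require all denied
</Files>
"""

OPEN = re.compile(r'^<Files(Match)?\s+"?([^">]+)"?\s*>$', re.I)
CLOSE = re.compile(r'^</Files(Match)?>$', re.I)
# Apache 2.4 syntax, or the older 2.2 / mod_access_compat syntax.
DENY = re.compile(r'^(Require\s+all\s+denied|Deny\s+from\s+all)$', re.I)

def covers_xmlrpc(is_regex, pattern):
    """Does this <Files>/<FilesMatch> argument apply to xmlrpc.php?"""
    if not is_regex:
        return fnmatch.fnmatchcase("xmlrpc.php", pattern)  # <Files> takes wildcards
    try:
        # Apache uses PCRE; Python's re is close enough for simple patterns.
        return re.search(pattern, "xmlrpc.php") is not None
    except re.error:
        return False

def xmlrpc_blocked(htaccess_text):
    """True if a deny-all directive sits inside a block covering xmlrpc.php."""
    # Allow/Require exceptions and mod_rewrite-based blocks are not evaluated.
    in_target = False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        opened = OPEN.match(line)
        if opened:
            in_target = covers_xmlrpc(bool(opened.group(1)), opened.group(2))
        elif CLOSE.match(line):
            in_target = False
        elif in_target and DENY.match(line):
            return True
    return False
```

Pass the contents of the .htaccess file in your WordPress root to xmlrpc_blocked(); a False result means no matching deny rule was found in that file.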


For more tutorials on website development and WordPress troubleshooting, view our List of WordPress Guides.

