Top 10 Security Tips to Keep Your WordPress Site Healthy

As we head into the winter months and the weather changes, many of us go to our local pharmacy for a flu shot. We do this because we may have had the flu before, and the second of pain from the jab is nothing compared to the days of sickness that come with catching the flu.

As everyone's grandparents tell them, "An ounce of prevention is worth a pound of cure." Good security hygiene that prevents a compromise in the first place saves you expensive remediation, exposed data and a weakened WordPress immune system. Did you know that a site that has been breached once is more likely to fall victim to further attacks?

Follow these 10 WordPress security tips to keep your site from falling ill from malware this winter season.

1 – Use MFA 

Requiring one or two additional pieces of evidence to prove an identity costs a user a few extra seconds at login and makes a huge difference in preventing account takeover. Alex Weinert, director of Microsoft's Identity Security Division, has stated that their research found MFA blocks more than 99.9% of account compromise attacks. This is one of those small changes with a profound impact that is worth implementing. When the second factor is an authenticator app or a hardware key, an attacker who has phished or guessed your password still needs the device in hand. SMS codes are weaker, since they can be intercepted through SIM swapping, and any one-time code can be phished in real time, so prefer app- or key-based factors where your plugin supports them. WordPress core does not ship MFA, so you add it through a plugin.

2 – Keep WordPress and Components Updated

Because roughly 40% of the world's websites run on WordPress, it makes financial sense for attackers to target it. The benefit of having such a large open source community is that vulnerabilities and regressions in WordPress Core and popular plugins are spotted and fixed quickly, but this only helps those who keep their sites updated, or who subscribe to a service that alerts them to new vulnerabilities or applies the updates for them.

Check the changelog to see exactly what is included in each update, so you don't pass up a security patch. If you have shell access, WP-CLI's `wp plugin list --update=available` shows every plugin with a pending update at a glance. Attackers know how to exploit known vulnerabilities in themes and plugins, and outdated components are how they get in. Keeping your site updated shuts the door on the automated scanners that probe for known vulnerable versions.

3 – Use a WordPress Security Plugin

Even if your site and its plugins are up to date, patching is reactive by nature: there is a window between when a vulnerability is discovered (or starts being exploited) and when a fix is released and applied, and during that window your site is exposed. Security plugins typically add malware scanners, server-side scanning with file integrity monitoring, intrusion detection and similar controls that protect you, or at least alert you, during that most vulnerable hour.
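To make the file integrity monitoring part concrete, here is a minimal server-side integrity monitor in PHP of the kind those plugins build on. It is an added example, not code from the original post or from any plugin it names; the function names, the baseline location and the list of "churn" directories are assumptions. It hashes every file under a WordPress root (skipping non-PHP files in uploads and cache, but never skipping a .php file, since a PHP file in uploads is exactly the webshell you want to catch), stores the manifest as JSON, and reports files added, modified or deleted since the baseline. The demo at the bottom runs against a constructed fake site tree in a temp directory.

```php
<?php
// Added example: a minimal server-side file integrity monitor for a WordPress root.
// Not code from the original post or from any plugin it names; names are hypothetical.
// Requires PHP 7.4+ with the hash extension; no WordPress functions are used.
declare(strict_types=1);

/** Non-PHP files under these churn directories are not baselined. PHP files always are. */
const FIM_CHURN_DIRS = [ 'wp-content/uploads/', 'wp-content/cache/' ];

function fim_is_ignored( string $rel ): bool {
    if ( substr( $rel, -4 ) === '.php' ) {
        return false; // a .php file dropped into uploads is what we most want to see
    }
    foreach ( FIM_CHURN_DIRS as $prefix ) {
        if ( strncmp( $rel, $prefix, strlen( $prefix ) ) === 0 ) {
            return true;
        }
    }
    return false;
}

/** Walk $root and return a sorted map of relative path => sha256 hex digest. */
function fim_build_manifest( string $root ): array {
    $real = realpath( $root );
    if ( false === $real ) {
        throw new RuntimeException( "No such directory: $root" );
    }
    $real     = rtrim( str_replace( '\\', '/', $real ), '/' );
    $manifest = [];
    $iter     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $real, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( str_replace( '\\', '/', $file->getPathname() ), strlen( $real ) + 1 );
        if ( fim_is_ignored( $rel ) ) {
            continue;
        }
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

/** Compare a stored baseline with a fresh manifest. */
function fim_diff( array $baseline, array $current ): array {
    $report = [ 'added' => [], 'modified' => [], 'deleted' => [] ];
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $report['modified'][] = $path;
        }
    }
    $report['deleted'] = array_keys( array_diff_key( $baseline, $current ) );
    return $report;
}

/** Keep the baseline outside the web root (or off-host): an attacker who can write to
 *  wp-content can just as easily rewrite a baseline stored next to it. */
function fim_save( array $manifest, string $path ): void {
    file_put_contents( $path, json_encode( $manifest, JSON_PRETTY_PRINT ), LOCK_EX );
}
function fim_load( string $path ): array {
    return is_file( $path ) ? ( json_decode( (string) file_get_contents( $path ), true ) ?: [] ) : [];
}

// ---- Demo on a constructed fake WordPress tree (sample data, not a real site) ----
$root = sys_get_temp_dir() . '/fim-demo-' . bin2hex( random_bytes( 4 ) );
mkdir( "$root/wp-content/plugins/hello", 0700, true );
mkdir( "$root/wp-content/uploads/2021", 0700, true );
file_put_contents( "$root/wp-config.php", "<?php define('DB_NAME', 'sample');\n" );
file_put_contents( "$root/wp-content/plugins/hello/hello.php", "<?php // Plugin Name: Hello\n" );
file_put_contents( "$root/wp-content/uploads/2021/photo.jpg", 'constructed-image-bytes' );

$baseline_path = "$root.baseline.json"; // beside the temp tree for the demo; in production, off the web root
fim_save( fim_build_manifest( $root ), $baseline_path );

// Simulate a compromise: a backdoor appended to a plugin, a webshell dropped into uploads,
// a deleted core file, and routine churn (a new image) that should not raise an alert.
file_put_contents( "$root/wp-content/plugins/hello/hello.php", "<?php eval(base64_decode(\$_POST['c']));", FILE_APPEND );
file_put_contents( "$root/wp-content/uploads/2021/shell.php", "<?php system(\$_GET['cmd']);\n" );
file_put_contents( "$root/wp-content/uploads/2021/photo2.jpg", 'more-constructed-bytes' );
unlink( "$root/wp-config.php" );

print_r( fim_diff( fim_load( $baseline_path ), fim_build_manifest( $root ) ) );
```

Run it with `php fim.php`. For a real site, build the baseline with `fim_build_manifest('/var/www/html')` right after a clean install or update, save it somewhere the web server user cannot write, and run `fim_diff` from cron; by design the demo's modified plugin, the dropped webshell and the deleted wp-config.php are reported while the new image is ignored as churn. A file whose hash differs from the baseline is the fastest way to find injected code, which is also why tip 5's clean backup copy is so valuable for comparison.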

4 – Use a firewall 

A web application firewall (WAF) sits in front of your site, inspects incoming HTTP requests and blocks known attack patterns before they reach WordPress. It can mitigate anything from brute-force login attempts to DDoS attacks, and many WAFs apply virtual patches that block exploitation of a newly disclosed plugin vulnerability while you wait for the real update.

Essentially the firewall acts as a reverse proxy in front of the origin server, filtering out malicious requests before they reach it. In our previous post "Everything You Need To Know About Web Application Firewalls" we provide a more in-depth explanation of what a firewall provides.

5 – Install a Backup Solution

Something, at some point, is going to happen, and when it does you will be on your knees in gratitude for your backup solution. You could make a change or delete a piece of code that breaks your site and need to restore it to its prior state. You could get hacked and need clean original files to compare against in order to isolate the malware. There are many situations in which a backup can make or break you, so always keep a copy of your site at the ready. Store backups off the server (an attacker who compromises the site can otherwise delete or infect them too), and test a restore occasionally so you know the copy actually works. WordPress offers many reputable free and "freemium" backup solutions. Check out Sucuri's Website Backup, UpdraftPlus or Duplicator, or do your own research and see what works for you.

6 – Choose your Hosting company wisely

Not all hosting companies are created equal, and choosing wisely helps secure your first line of defense against attackers. Look for a hosting company that offers dedicated servers or virtual private servers (VPS). A VPS still lives on shared hardware, but it uses virtualization to give you dedicated, isolated resources within that machine. If properly maintained, updated and patched, this setup is more secure than general shared hosting, where your security and stability can depend on the choices and activity of other tenants.

Find out if your hosting company offers SFTP (SSH File Transfer Protocol), a network protocol that provides file access, file transfer and file management over an encrypted SSH connection. It is far more secure than plain FTP, which sends your credentials and your files across the network in cleartext.

It can also be convenient to find a web hosting company that also offers managed hosting solutions. Managed hosting is when the hosting service provider sets up, monitors and maintains the server on behalf of the customer. 

7 – Lock it down  

Limit Administrator accounts as much as possible and give each user only the access their job requires. This is the Principle of Least Privilege (PoLP). Pay particular attention to "grant" privileges, the ability to add users and hand out roles. In WordPress these are the user-management capabilities (create_users, promote_users, edit_users, delete_users), which by default belong to the Administrator role alone, so do not spread them to other roles through a role-editor plugin. Keep a record of when elevated access was requested and for how long. If a developer needs Administrator access for a project, write down the end date and remove the access when the project is done, rather than letting it linger indefinitely.
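The spreadsheet works, but it relies on someone remembering to act on it. The following must-use plugin is an added example (not code from the original post or from any plugin it names) that enforces the same idea in WordPress itself: the Administrator role is granted with an expiry stored on the user, and the role is taken back automatically when the time is up. The meta keys, function names and the hourly sweep interval are assumptions; the hooks, WP_Session_Tokens and the user API are WordPress core.

```php
<?php
/**
 * Plugin Name: Time-boxed Administrator Access (added example)
 * Description: Grants the administrator role with an expiry and takes it back automatically.
 *
 * Added example, not code from the original post or any plugin it names. Meta keys, function
 * names and the hourly sweep interval are assumptions; everything else is WordPress core API.
 * Drop into wp-content/mu-plugins/.
 */

const TBA_EXPIRES_KEY  = '_tba_admin_expires';  // unix timestamp of when the grant ends
const TBA_FALLBACK_KEY = '_tba_fallback_role';  // role to restore when it does

/** Promote a user to administrator until $expires_at, recording what to put back afterwards. */
function tba_grant_temporary_admin( int $user_id, int $expires_at, string $fallback_role = 'editor' ): bool {
    $user = get_userdata( $user_id );
    if ( ! $user || null === get_role( $fallback_role ) || $expires_at <= time() ) {
        return false;
    }
    update_user_meta( $user_id, TBA_EXPIRES_KEY, $expires_at );
    update_user_meta( $user_id, TBA_FALLBACK_KEY, $fallback_role );
    $user->set_role( 'administrator' );
    error_log( sprintf( 'tba: user %d is administrator until %s', $user_id, gmdate( 'c', $expires_at ) ) );
    return true;
}

/** Demote the user if their grant has run out. Returns true when a demotion happened. */
function tba_revoke_if_expired( int $user_id ): bool {
    $expires = (int) get_user_meta( $user_id, TBA_EXPIRES_KEY, true );
    if ( 0 === $expires || $expires > time() ) {
        return false; // no grant, or still valid
    }
    $user = get_userdata( $user_id );
    if ( $user ) {
        $fallback = (string) get_user_meta( $user_id, TBA_FALLBACK_KEY, true );
        $user->set_role( get_role( $fallback ) ? $fallback : 'subscriber' );
        // Invalidate every session: an open dashboard tab must not keep administrator powers.
        WP_Session_Tokens::get_instance( $user_id )->destroy_all();
        error_log( sprintf( 'tba: user %d demoted to %s, grant expired', $user_id, $fallback ) );
    }
    delete_user_meta( $user_id, TBA_EXPIRES_KEY );
    delete_user_meta( $user_id, TBA_FALLBACK_KEY );
    return true;
}

/** Sweep every user whose grant has expired; returns the IDs that were demoted. */
function tba_revoke_expired_admins(): array {
    $demoted = [];
    $ids     = get_users( [
        'fields'     => 'ID',
        'meta_query' => [ [ 'key' => TBA_EXPIRES_KEY, 'value' => time(), 'compare' => '<=', 'type' => 'NUMERIC' ] ],
    ] );
    foreach ( $ids as $id ) {
        if ( tba_revoke_if_expired( (int) $id ) ) {
            $demoted[] = (int) $id;
        }
    }
    return $demoted;
}

// Enforce on the affected user's own requests (one meta read per request) ...
add_action( 'init', function () {
    if ( is_user_logged_in() && tba_revoke_if_expired( get_current_user_id() ) ) {
        wp_logout(); // their session tokens are already gone; clear the cookies and start over
        wp_safe_redirect( wp_login_url() );
        exit;
    }
}, 1 );

// ... and hourly for everyone, so grants expire even if the user never comes back.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'tba_sweep' ) ) {
        wp_schedule_event( time(), 'hourly', 'tba_sweep' );
    }
} );
add_action( 'tba_sweep', 'tba_revoke_expired_admins' );
```

Grant access from the command line with WP-CLI, for example `wp eval "tba_grant_temporary_admin( 42, time() + 2 * DAY_IN_SECONDS, 'editor' );"` for a two-day project, and the error_log lines become the audit trail the spreadsheet was meant to provide. Destroying the user's sessions on demotion matters because WordPress caches capabilities for the life of a login; without it an already-open dashboard would keep Administrator powers until the cookie expired.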

8 – Set login attempt limits

Without a cap on login attempts, brute forcing a password is just a matter of time, and the same goes for a six-digit one-time code if an attacker already holds the password and can try codes indefinitely. WordPress core does not limit attempts, so the limit has to come from a security plugin, your WAF or a few lines of your own code: after a handful of failures from one IP address, reject further attempts from it for a set period. This turns an easy win into a slow grind and sends most automated attackers on to their next target. Make sure the limit also covers xmlrpc.php, a favourite brute-force path because a single request can carry hundreds of login attempts. The same mechanism gives you a log of which IPs keep hammering your login form, so you can block the persistent ones permanently at the firewall. Keep in mind that attackers spread attempts across many IPs, so rate limiting complements MFA rather than replacing it.
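Here is what "a few lines of your own code" looks like, as an added example that is not code from the original post or from any plugin it names. It is a must-use plugin that counts failed logins per IP in transients and, after a threshold, rejects every attempt from that IP for a lockout period. The thresholds, function names and transient prefixes are assumptions; the hooks (authenticate, wp_login_failed, wp_login) and the transients API are WordPress core, and the second argument to wp_login_failed assumes WordPress 5.4 or later. Because it works through the authenticate filter it also covers XML-RPC logins.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Locks out an IP after repeated failed logins. Drop into wp-content/mu-plugins/.
 *
 * Added example, not code from the original post or any plugin it names. Thresholds,
 * function names and transient prefixes are assumptions; it relies only on WordPress core
 * hooks (authenticate, wp_login_failed, wp_login) and the transients API.
 */

const LAL_MAX_FAILURES = 5;                       // failures allowed ...
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;  // ... within this window ...
const LAL_LOCKOUT      = 30 * MINUTE_IN_SECONDS;  // ... before the IP is locked for this long

/**
 * REMOTE_ADDR is the only address the client cannot forge. Read a forwarded header only
 * when a trusted reverse proxy or WAF is known to set it; otherwise an attacker sends a
 * different X-Forwarded-For with every request and never hits the limit.
 */
function lal_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_failure_key( string $ip ): string { return 'lal_fail_' . md5( $ip ); }
function lal_lock_key( string $ip ): string    { return 'lal_lock_' . md5( $ip ); }

function lal_is_locked( string $ip ): bool {
    return false !== get_transient( lal_lock_key( $ip ) );
}

/** Count a failed login; on reaching the threshold, start the lockout. */
function lal_record_failure( string $username, $error = null ): void {
    if ( is_wp_error( $error ) && 'too_many_attempts' === $error->get_error_code() ) {
        return; // a rejection caused by the lockout itself is not a new failure
    }
    $ip    = lal_client_ip();
    $count = (int) get_transient( lal_failure_key( $ip ) ) + 1;
    set_transient( lal_failure_key( $ip ), $count, LAL_WINDOW );
    if ( $count >= LAL_MAX_FAILURES ) {
        set_transient( lal_lock_key( $ip ), time(), LAL_LOCKOUT );
        delete_transient( lal_failure_key( $ip ) );
        // Goes to the PHP error log; ship it to your SIEM to spot the IPs worth banning at the WAF.
        error_log( sprintf( 'lal: locked out %s for %ds after %d failed logins (last username tried: %s)',
            $ip, LAL_LOCKOUT, $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'lal_record_failure', 10, 2 );

/**
 * Priority 30 runs AFTER core's username/password check (priority 20) and overrides its result.
 * Running earlier would not work: core's check ignores an incoming WP_Error and still returns
 * the user when the password is right, so the lockout would leak whether a guess was correct.
 */
function lal_enforce_lockout( $user, $username, $password ) {
    if ( lal_is_locked( lal_client_ip() ) ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_enforce_lockout', 30, 3 );

/** A successful login clears the failure counter for that IP. */
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lal_failure_key( lal_client_ip() ) );
}, 10, 2 );
```

The lockout response is identical whether or not the guess was right, which is the point of hooking after core's check. The trade-off of keying on IP alone is that everyone behind the same NAT shares a counter; keying on username as well catches a distributed attack against one account but lets an attacker lock out a real user on purpose, so most plugins offer both and let you tune the thresholds.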

9 – Log out inactive users

The days of a hacker sidling up to a cyber cafe or hotel computer station to look for pages someone left open are mostly behind us, but a session can still be hijacked remotely. On an insecure connection (think public wifi), a site that is not served entirely over HTTPS lets anyone on the network read your login cookie off the wire and replay it, gaining the same access you have for as long as the session is valid. Cross-site scripting (XSS) in a vulnerable plugin or theme is the other common route. WordPress sets its authentication cookies HttpOnly, so injected script cannot simply read and exfiltrate them, but script running in your logged-in browser can still perform any action you can, such as creating a new administrator. Either way the attacker needs no password for as long as the session lasts. Two controls shrink that window: log out users after a period of inactivity, and if you suspect a session has been stolen, rotate the secret keys and salts in wp-config.php (AUTH_KEY through NONCE_SALT), which invalidates every active session on the site at once, the attacker's included.
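WordPress keeps a login cookie valid for two days by default, or fourteen with "Remember Me", and has no idle timeout. The following must-use plugin is an added example (not code from the original post or from any plugin it names) that does both: it shortens the cookie lifetime through the auth_cookie_expiration filter and logs out a session that has seen no activity for 30 minutes. The limits, function names and the session key are assumptions; the hooks and WP_Session_Tokens are WordPress core (4.7 or later assumed). The idle time is tracked per session token, so an idle laptop does not log out an active phone.

```php
<?php
/**
 * Plugin Name: Idle Session Timeout (added example)
 * Description: Shortens auth cookie lifetime and logs out sessions idle for too long.
 *
 * Added example, not code from the original post or any plugin it names. The limits, function
 * names and the session key are assumptions; the hooks and WP_Session_Tokens are WordPress core
 * (4.7+ assumed). Drop into wp-content/mu-plugins/.
 */

const IST_IDLE_LIMIT     = 30 * MINUTE_IN_SECONDS; // log out after this long without activity
const IST_SESSION_LIMIT  = 4 * HOUR_IN_SECONDS;    // hard cap instead of core's 2 days
const IST_REMEMBER_LIMIT = DAY_IN_SECONDS;         // "Remember Me" cap instead of core's 14 days

// 1. Shorter cookies: a stolen cookie is only useful until it expires.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? IST_REMEMBER_LIMIT : IST_SESSION_LIMIT;
}, 10, 3 );

// 2. Idle timeout tracked per session token, so one idle browser does not log out another.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token = wp_get_session_token();
    if ( '' === $token ) {
        return;
    }
    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
    $session = $manager->get( $token );
    if ( null === $session ) {
        return; // token already invalidated server side
    }

    $now  = time();
    $last = isset( $session['ist_last_activity'] ) ? (int) $session['ist_last_activity'] : (int) $session['login'];

    if ( $now - $last > IST_IDLE_LIMIT ) {
        wp_logout(); // destroys this token server side and clears the cookies
        if ( wp_doing_ajax() ) {
            wp_send_json_error( [ 'message' => 'Session expired.' ], 401 );
        }
        wp_safe_redirect( add_query_arg( 'ist_idle', '1', wp_login_url() ) );
        exit;
    }

    // The dashboard heartbeat pings every 15-60 s while a tab is open; do not let it count
    // as activity, or an abandoned tab keeps the session alive forever. Also write at most
    // once a minute so a normal page view does not cost a user-meta update.
    $is_heartbeat = wp_doing_ajax() && isset( $_REQUEST['action'] ) && 'heartbeat' === $_REQUEST['action'];
    if ( ! $is_heartbeat && $now - $last >= MINUTE_IN_SECONDS ) {
        $session['ist_last_activity'] = $now;
        $manager->update( $token, $session );
    }
}, 1 );

// 3. Tell the user why they are looking at the login form again.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['ist_idle'] ) ) {
        $minutes  = IST_IDLE_LIMIT / MINUTE_IN_SECONDS;
        $message .= '<p class="message">' . esc_html( sprintf( 'You were logged out after %d minutes of inactivity.', $minutes ) ) . '</p>';
    }
    return $message;
} );
```

Logging out through wp_logout() rather than just deleting the cookie matters: it destroys the session token on the server, so a cookie an attacker copied earlier stops working too. Rotating the salts in wp-config.php is the sledgehammer version of the same thing for every session at once.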

10 – Purge inactive components 

WordPress does not load an inactive plugin, but its files stay on disk and are still served by the web server, so any script in it that can be requested directly is just as exploitable as before, and the directory is a convenient, rarely inspected place for an attacker to hide a backdoor. The same goes for unused themes. Delete inactive plugins and themes you do not plan to use: they only add to the attack surface and make the haystack bigger when you do have to hunt for malware.

Bonus – Get an SSL certificate 

An SSL/TLS certificate does not stop your site from being hacked, but it protects your visitors' data in transit. Certificates are often included at no extra charge in security packages or by hosting providers, and Let's Encrypt issues them for free, so there is no excuse not to have one. The encrypted connection protects sensitive information such as credit card details, medical data, login credentials and addresses, and just as importantly your own WordPress login cookie, which otherwise crosses the network in cleartext and can be replayed by anyone who captures it. The certificate lets the browser verify it is talking to your server and not an impostor, adds the s to https in your URL, and gives visitors confidence that their information is transmitted securely. Once it is installed, redirect all HTTP traffic to HTTPS and set FORCE_SSL_ADMIN to true in wp-config.php so the login page and dashboard are never served unencrypted.


While it is always easier not to get your flu shot, we know that the flu is much worse than the momentary prick of the needle. The infections you can catch from a hack come with consequences like financial loss, damage to reputation, operational downtime, loss of data, and legal action. Bump up your WordPress security immune system with these 10 tips and stride into the new year with a healthy productive site.

