According to W3Techs, 43.2% of all websites on the internet use WordPress. And of all websites that use a CMS (Content Management System) more than half (64%) leverage WordPress to power their blog or website. Unfortunately, since WordPress has such a large market share it has also become a prime target for attackers.
You might be wondering whether WordPress is safe to use. And the short answer is yes — WordPress core is safe to use, but only if you maintain it to the latest version and employ some additional protections on the admin login page.
With every plugin or theme that you add to the environment, you introduce more risk to your environment. So, there are a number of important steps you’ll want to take to ensure that your WordPress website is safe from threats and known vulnerabilities.
In this post, I’ll be breaking down the WordPress ecosystem along with some security best practices to help you understand whether WordPress is safe and how to protect your site from attacks.
What is WordPress?
WordPress is one of the simplest and most popular ways to create a blog or website. Licensed under GPLv2 and written in PHP, WordPress is an open-source content management system. That means literally anyone can use or modify WordPress for free.
Since WordPress has made building websites and blogs a simple code-less experience, it is widely used and has gained massive popularity over the years. It allows website owners to easily manage and update content, images, and website designs without needing to know much at all about programming. Furthermore, its extensive plugin and theme library makes it easy to add new design options and functionality to any WordPress website.
Some examples of sites built with WordPress include:
- E-commerce —E-commerce websites or online stores allow visitors to purchase goods and services online. They use online payment systems to facilitate transactions, which are often installed in the form of a WordPress plugin.
- Blogs — Blogs share topical information or knowledge and typically display most recently published content first. Blogs can be used to rank for specific keywords or terms and might be devoted to sharing photos, reviews, tutorials, recipes. There are a wide range of different WordPress plugins and themes that can help you create the perfect blog space.
- Portfolios — A portfolio site can be used to showcase your creative designs, web designs, photographs, and other assets.
- Businesses — Business websites provide general information about a company or service. WordPress makes it easy for small businesses to launch their online presence and create a platform for potential customers to contact, obtain quotes, find social media or marketing campaigns, and obtain general information.
- Forums — WordPress makes it easy for site owners to create forum platforms where users can ask questions, share experiences, and offer advice.
These are only a small handful of examples of sites you can build with WordPress.
Is WordPress core secure?
In short, yes — WordPress core is secure, but only if you maintain it to the latest version.
WordPress is an open source software that’s maintained by a world-class team of security experts. Since the code base is publicly accessible, anyone can review and analyze it. Whenever a bug or security issue is reported by the open-source community, it is updated to patch the issue.
But at the time of writing, only 60% of WordPress sites are using the latest version of WordPress. That means the other 40% of outdated sites are at risk of hackers targeting known vulnerabilities.
And while minor updates can be automatically updated by WordPress, major updates need to be manually updated in the WordPress dashboard — unless your hosting company is managing the core version of WordPress for you.
Hackers are constantly scanning the internet for outdated core WordPress installations or websites using plugins or themes with known vulnerabilities. They even have automated scripts that make it easy to find and exploit vulnerable websites.
So when asking the question is “WordPress core secure?” we can say that while not necessarily perfect, it is always most secure when using the latest version.
How to secure WordPress
So we now know that WordPress core itself is relatively secure — as long as we keep it patched to the latest version. But what about all those plugins and themes?
Well, the extensibility of WordPress makes it easy to add new functionality or features with a click of a button. But it also introduces new security risks and vulnerabilities.
Every plugin or third party component that you install in your WordPress environment opens up the potential for a bug which could allow an attacker to gain access to your site. Fortunately, there are a few key steps that you can take to secure your WordPress site.
1 – Keep your WordPress plugins and themes patched
WordPress has literally thousands of options when it comes to plugins and themes.
These plugins and themes are built and supported by the community and authors of the plugin or theme. So when choosing a plugin or theme, it’s important to look at the ratings and support channel. This will help you gauge whether the component is reputable and receives regular updates for known issues.
The community is regularly communicating security issues for WordPress plugins and themes. So check for updates often to keep your plugins patched against known vulnerabilities.
Since WordPress version 5.5, users have had the option to enable automatic updates for plugins and themes.
Enabling auto-updates can help improve security and fast track important updates. The only pitfall to automatic updates is that it can possibly result in plugin conflicts, formatting issues, or even site failure.
While this practice is more secure, you’ll also want to make sure that you have backups setup on the website just in case there are plugin or theme compatibility issues or errors.
Another point about automatic updates to keep in mind is that the checks for available updates are done via WordPress Cron, so you will want to ensure that WordPress Cron is working properly on the website before enabling automatic updates.
As a final note, you can reduce risk by simply removing any plugins or themes that are no longer being used on your site. This way, they can’t be targeted by attackers.
2 – Use strong usernames and passwords for WordPress login and hosting
When you set up your hosting account or WordPress website login credentials, it’s important to use complex usernames and passwords. Stay away from simple or default usernames and passwords.
We recommend creating unique passwords with a combination of letters, numbers, and special characters — at least 12 characters long.
You can also check with your hosting provider if you are using a hosting control panel like cPanel or Plesk to see if you can modify the username and set stronger passwords and/or enable 2FA to help protect against brute force attacks to the login pages.
When setting up users for FTP or sFTP on the hosting server don’t use easily guessed usernames like email@example.com. When given the option of using FTP or sFTP we always recommend using sFTP to ensure it is using the best encryption and not clear text data transfer.
3 – Protect your WordPress login pages
The WordPress default login pages /wp-login.php and /wp-admin are commonly crawled by bots. Hackers use scripts to brute force attack and guess admin login credentials.
By default, WordPress does not limit the number of failed login attempts and does not contain any native 2FA system, rendering it particularly vulnerable to these types of attacks. To help fight against these attacks, there are a few things we can do to harden the WordPress login page.
Enable two factor authentication
Another common way to protect your login panel and restrict access is with 2FA (Two Factor Authentication). Using a 2FA plugin will prompt the user logging in to verify an additional way — for example, a code or phrase verified by an external service.
Change your default login page
Changing your default login page to a unique URL is yet another way to help mitigate attacks.
By changing the URL, hackers will no longer know the exact path to your login page, making it much harder for automated scripts and attackers to access it.
One of the easiest ways to modify the path to your WordPress login URL is by using a plugin. But if you’re a bit more technical, you can modify your .htaccess file with the following code to change the path:
RewriteRule ^super-unique-login$ http://yourwebsite.com/wp-login.php [NC,L]
This code changes your login page to: http://yourwebsite.com/super-unique-login.php
Deny all unnecessary access
With all that being said, by far the most secure method is to outright deny any and all attempts at accessing the login or admin panel from IP addresses which do not require it.
This can be done very easily by adding protected pages with our website firewall but can also be done free-of-charge by using .htaccess file rules within Apache environments.
Limit failed logins
By default, WordPress does not limit the number of failed login attempts. But you can use a plugin to limit login attempts and prevent brute force attacks.
In many cases, security plugins will have the ability to block an IP address after a specified number of failed attempts. You can typically set the block as a permanent ban or a timed lockout of the IP address.
The Sucuri WAF makes it easy to restrict access to login pages for authorized IP addresses. If you are using a WAF or CDN, be sure you have x-forwarded-for set, or you will be blocking the WAF or CDN IP address — not the bad actor.
4 — Setup daily website backups
Website backups are the foundation of a strong security posture. When your WordPress website encounters an error or is infected with malware, you’ll want the ability to recover as quickly as possible.
The hosting server or control panel you are using may offer on-server backups for your WordPress website. Some offer options for daily, weekly, or monthly backups. You’ll want to exercise caution when using hosting server backups, however. They can take up a lot of space on the hosting server and potentially cause issues if you use up all your available storage space.
You can avoid this pitfall by using a third party backup service such as our Sucuri Backups!
If you’re looking for another easy solution, the WordPress repository has a plethora of different backup plugins to choose from. Some even have the option to store the backup on your hosting server or upload backups to a storage service like Dropbox or Google Drive.
And if you love the command line, you can quickly install and use WP-CLI to backup your WordPress website.
But regardless of which solution you choose, the best option for a website backup is one that is automatic, redundant, and stored outside of your hosting server.
5 — Install an SSL Certificate
An SSL (Secure Socket Layer) certificate is a digital certificate that encrypts the data that is being sent through your website. Although SSL encryption is not going to help protect your website from attackers, it does still play an important role in the overall security and trustworthiness of your website. Strong encryption is vital to ensuring your (and your site visitors) privacy is protected whenever they submit data on your site.
Let’s take a look at how it works.
When a browser connects to your website over ‘https://’ it will check the firewall, CDN, or hosting server for a domain validated SSL certificate. The SSL certificate creates a secure encrypted connection when any data is being transferred from the browser to the website. This helps protect data in transit from contact forms, payment forms, and even the login pages on your website.
Furthermore, SSL certificates are important for trust and credibility. Visitors can easily see that their connection to a website is encrypted.
If you need help, you can check our our guide for step-by-step instructions on how to install an SSL certificate on your website.
6 — Use the latest compatible version of PHP
Out of date versions of PHP do contain vulnerabilities, so it’s important to patch to the latest compatible version.
PHP, like WordPress, is maintained by its community. And because PHP is so popular, it is also a target for hackers – but the latest version will be patched against known vulnerabilities. Updating your PHP is essential to keeping your WordPress site secure.
Furthermore, updating to WordPress’s recommended PHP version (currently 7.4 or higher) may deliver a performance increase that will benefit all traffic to your website. PHP becomes more efficient with each new version — your website may also become faster when using the latest version of PHP. A faster WordPress website means better rankings — and improved user experience.
You can reference the latest PHP compatibility and WordPress versions from the Core handbook.
7 — Advanced DIY Protection (.htaccess & wp-config.php)
If you have some technical skills with coding and want to take a more hands on approach to protecting your WordPress installation, here are some options for hardening your installation.
Add one or more of the following to your .htaccess file to harden your WordPress site. And keep in mind that if you’re making changes to an existing file, create a backup of the original file in case the changes cause a conflict or error on your website.
Restrict logins to a specific IP range
This rule restricts access to wp-login.php to an IP, protecting you from unauthorized login attempts in other locations.
<FilesMatch “wp-login.php”> Require ip YOURIP Require ip YOURIP2 </FilesMatch>
Disable browser viewing of directories:
This rule prevents attackers from viewing the folder contents of your website.
Options All -Indexes
This will disable trackbacks and ping-backs among other nuisances, but keep in mind it can also prevent users from placing comments on the website.
<FilesMatch "xmlrpc.php"> require ip YOURIP </FilesMatch>
Add security headers
You can add custom HTTP response headers by using the Header directive in your .htaccess file.
<IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" Header always append X-Frame-Options SAMEORIGIN Header set X-Content-Type-Options nosniff Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" </IfModule>
Disallow file modifications in wp-config.php
Add the following code to your wp-config.php file to prevent attackers from installing unwanted or malicious components in your environment.
define('DISALLOW_FILE_EDIT', true); define('DISALLOW_FILE_MODS', false);
This feature will restrict your ability to install and update components from the WordPress dashboard. So, you’ll want to regularly patch your plugins and themes via WP-CLI to ensure they’re up to date.
Disable PHP execution in /wp-content/uploads
Add the following to your to /wp-content/uploads/.htaccess file to disable PHP execution.
<FilesMatch *.php> require ip YOURIP </FilesMatch>
Bear in mind that within some website environments this can break the website, so be sure to check for any formatting issues that may occur afterwards.
While WordPress core receives frequent updates and has a default software security policy in place, there are many ways you can harden the installation to enhance the security of your WordPress website. That includes maintaining regular updates to patch against known vulnerabilities, establishing a regular backup routine, using strong unique passwords on all of your accounts, and restricting access to your admin and login pages.
And in the event that you’re not able to regularly patch or update your WordPress site, consider leveraging a web application firewall to virtually harden against known vulnerabilities.