Disclaimer: This post may contain affiliate links. The opinions expressed are mine. Read more.

WordPress Security – 9+ Steps To Hack-Proof Your Website

As a web hosting business owner for 20 years, I managed hundreds of servers and thousands of WordPress installations. I’ve seen hackers do many nasty things.

Not only at a loss of hours to repair the damage done but millions of lost revenue and trust by your website’s visitors.

My key takeaway is that you must now reduce your risk and secure your WordPress website before an attack occurs. If you don’t take WordPress security seriously, it’s not a matter if you’ll get compromised, but when.

Unfortunately, for most, security is only considered after a website is hacked. Don’t be one of those individuals and properly spend the time and money to secure your WordPress now.

Is WordPress Secure?

The short answer is yes, WordPress is secure.

The data shows an alarming 90% of all compromised websites are WordPress-based. While that may be true, WordPress has a huge bullseye target on its back.

Source: Sucuri

WordPress is the most popular website platform by a huge margin. Over 42% of all websites on the Internet use WordPress. Wix is a far distant second.

Since WordPress is a big hacker target, security is critical you get right.

WordPress itself isn’t an insecure platform. If anything, WordPress core code, with a few exceptions, has been very secure. Since it has wide acceptance, hackers and security professionals have looked very closely at the open-sourced code. WordPress has been the subject of much security peer review.

The problem with WordPress is more to do with the extendability and flexibility of the WordPress platform itself. There are thousands of free and commercial WordPress plugins and themes to choose from. Not all of them were created with the utmost security in mind.

Sometimes it’s the combination of two plugins that makes WordPress insecure. Not all possible combinations of software used have been tested. It’s pretty much impossible to do.

Not to mention, WordPress can be configured in many different ways where it is possible to do something foolish and set up an insecure WordPress blog.

Let’s discuss the specific steps of what you can do to make sure your WordPress is secure.

Many of my recommendations are WordPress specific, but some (like strong passwords) can apply to any website.

What I discuss will not 100% eliminate the chance of getting hacked. After all, the classic saying in computer security is that the only secure computer is unplugged and locked in a safe. What I suggest will severely reduce your risk to close to zero, where a hacker will choose easier targets.

Unfortunately, there are far too many other websites that can be easily hacked.

1. Find A Secure WordPress Host

You can have the most secure WordPress installation, but if your web host is compromised, it’s game over man! Game Over!!

Your choice in WordPress Hosting matters.

Server hardening is the first and critical step in WordPress security.

It should be said all of the large WordPress hosts are secure to some degree, but it is a black box to you as the customer. You don’t know the security methods used besides what they tell you. For obvious reasons, web hosts will never reveal all of their security measures partly to thwart attacks from the very hackers they are trying to block.

Though some tell-tale signs exist, a web host isn’t taking security seriously. Here are some warning signs you should look out for with your choice of WordPress host:

  • Outdated Software – Such as control panel, older versions of PHP, and operating system.
  • Lack Of Transparency – No notifications when outages or security breaches occur. You only discover them after the fact from third-party websites and not from the hosting provider.
  • No Status Page – There’s no status page to alert you to the state of their services.
  • One Data Center – As a business risk, no web host should have all of their eggs in one basket (data center). Not only for security reasons but for other factors such as environmental (hurricanes, earthquakes, fire, etc.).
  • No DDoS Attack Mitigation – Hackers can overwhelm the network capacity of a web host by commanding their bot networks to attack a server. This is known as a Distributed Denial-of-Service (DDoS) attack. Network routing methods can mitigate such DDoS attacks; if your web host doesn’t offer this could be considered a possible risk.
  • Constant Downtime – While not a security issue, it shows how well operations and hardware infrastructure are managed. A good system administrator should not be seen or heard.
  • Password Strength – If your web host’s control panel doesn’t require a certain level of complexity of your chosen password. That’s a possible warning sign of other areas of lax security.
  • No Two-Factor Authentication – If they don’t allow two-factor login to their services, chances are their administrators don’t use it too!

Type Of Web Hosting Also Matters

Your choice in the type of web hosting matters as well. Shared web hosting is the cheapest but can also be the least secure.

With shared hosting, all it takes is one insecure website that can be compromised. A hacker can then overwhelm that website and slows down all the websites hosted on the same server. This is the best-case scenario.

In the worst case, it could allow the hacker to ‘root‘ the webserver compromising all accounts on the server. The hacker gains access to the compromised account and all accounts on the web server. There are root toolkits hackers use to automate this process. Fortunately, ‘rooting’ is a rare occurrence today, but it does happen.

The next level up from shared hosting is getting a VPS(Virtual Private Server) or sometimes referred to as cloud hosting. In the WordPress universe, this is typically known as managed WordPress hosting.

A VPS has the added benefit of more control over what services to run. Don’t need email hosting because you use Google Workspace? A VPS typically can control the services needed to run your website. This gives fewer attack vectors for your website. A shared host doesn’t have that option since you are sharing the web server, sometimes thousands of other customers.

A VPS is like a dedicated server but done via software to divvy a real server. Since VPSes are created via software, they can be hacked.

VPSes are not as secure as dedicated hardware. A dedicated server is the ultimate in security but comes with other issues (such as redundancy) outside the scope of securing a WordPress install.

For most website owners, a VPS or managed WordPress hosting is a good enough compromise in security with more reliability and redundancy.

It may cost more than basic WordPress hosting, but in the end, you’ll know your WordPress software will be more secure.

2. Run A WordPress Site Health

You must get a lay of the land and know the current state of your WordPress installation.

The creators of WordPress are fully aware of the security risks. In recent versions, they’ve added a Site Health option.

To Access Site Health in WordPress, under the ‘Tools‘ menu and select ‘Site Health‘.

You get a rundown of your overall WordPress setup and recommended changes to better secure your installation.

In the Info tab, you can get versions of the software installed, such as:

  • WordPress core
  • PHP
  • PHP configuration
  • Web server
  • Operating system and release
  • MySQL
  • Theme

It’s a quick rundown of your WordPress setup by your web host. However, it’s not 100% complete. To get a complete audit of PHP, I recommend using the WordPress plugin phpinfo() WP.

It runs the phpinfo(); function to give you a full rundown of the PHP you are using, the modules installed and any PHP caching to improve performance.

Take that list and compare what’s available currently. Check to see if the version currently used has a known security risk.

In your research of installed software, contact your web hosting provider if there are newer versions you can use. If not, that’s perhaps a warning sign of how secure your web host service is.

3. Keep WordPress Updated

One of the easiest things you can do to keep your WordPress secure is to keep your WordPress core, WordPress theme, and plugins all updated.

It should be said to first back up your website before anytime you update WordPress.

To see a list of updates needed, in WordPress, view the administration menu ‘Dashboard‘ section and select ‘Updates‘. You should see something similar below.

WordPress Updates

WordPress Core

I recommend automating your WordPress core updates. WordPress can update automatically when minor versions are released.

Your WordPress Theme

Your choice of WordPress theme not only matters from what the users experience but can affect the security of your WordPress installation.

WordPress themes have been the source of attacks. Some WordPress themes have special functionality or libraries that a hacker attacks.

Installed WordPress Plugins

Outdated or insecure WordPress plugins are the #1 method a hacker will gain access.

By very nature, the more WordPress plugins installed, the less secure your WordPress is. I’m very picky about which WordPress plugins I’ll install. This is not only for security reasons but also for performance.

It is recommended to keep your WordPress installation at an absolute bare minimum of plugins and customizations.

You should always keep your WordPress plugins with the current version. It is an easy vector for a hacker to spot a known vulnerability and then scan the Interwebs for WordPress installations with that known security flaw.

Any WordPress plugins you no longer use should be disabled and then removed. Keeping disabled plugins can cause a security risk since the files can still be accessed from your website.

Separate WordPress Installations By Purpose

It’s no surprise that WordPress’s extendability can make it a performance pig.

A simple way to secure WordPress is to isolate by installation. While my public website may be hacked because of an outdated plugin, my membership area is still functioning because it lacked that very plugin.

For this very website, I have 3 different WordPress installations based on purpose:

  • larryludwig.com – Public-facing content that’s indexable by Google with a focus on performance
  • welcome.larryludwig.com – Landing pages for paid traffic using OptimizePress and is blocked by Google since I do not want these landing pages indexed by Google.
  • members.larryludwig.com – Private membership website and my courses

The needs for each subdomain section are much different.

Each is a separate WordPress installation and runs only the plugins needed to manage that website. I’ve found this is a much better way to secure WordPress. It gives the public-facing part of my website the least amount of plugins to not only make it more secure but faster-loading for SEO.

Depending on your web host, this type of setup may cost more. Though many hosting plans already include multiple website hosting.

4. Malware Scanning


Larry's Take

This is my go-to WordPress and website service to protect my business since 2015. It offers malware, DDoS, DNS, SSL, and hacking protection that has saved me from intrusions. The one time I did have to use their malware removal service, Sucuri was quick to resolve. The only negative aspect is their price though it could pay for it for itself in just one attack thwarted.
9.5 Out of 10
PlatformCloud, WordPress
Price$199.99 - $499.99+ per year
Promotion30-Day Money Back Guarantee
Learn More

Malware is the most often WordPress hack. Unlike website defacements, where it’s apparent your WordPress blog has been compromised, malware, in most cases, is hidden from public view.

In my years as a web host operator, I saw hundreds of WordPress installations with malware. In almost all cases, the website owner was unaware.

Malware can break your blog but can infect website visitors, attack other websites, or, worse yet, steal personal information stored in your WordPress.

You need a service like Sucuri to detect, alert, and help remove malware.

Sucuri will check multiple times daily via a server file scan if your WordPress installation has been compromised. It scans your WordPress installation for any known installed malware. Plus, if you get compromised, Sucuri’s monthly fee includes free malware removal.

Sucuri also includes a WordPress plugin that has some free features, including options to harden your WordPress installation.

5. Backup WordPress


Larry's Take

Backups and security are a critical part of maintaining your WordPress blog. Don’t rely on your web hosting provider to make backups of your site! Make sure you are in control and have off-server backups. BlogVault is an easy-to-use backup and malware security monitoring service.
8.5 Out of 10
PlatformCloud, WordPress
Price$7.40 - $149 per month
Annual DiscountYes
PromotionStart Your Free Trial
Learn More

I can’t recommend enough having a solid backup strategy in place for your website. Often backups are an afterthought until it’s too late. Even if your web host offers free backups, no one cares more about your data than you do!

It’s critical to have multiple backups of your WordPress installation. Ideally, at least 30 days’ worth of backups. I’ve seen cases where malware was installed months ago, and the client does not have a clean backup that does not include that malware.

If your WordPress website is important (of course it is duh), I recommend BlogVault. It’s an easy-to-use WordPress plugin that backups up your files off-server in their cloud service. Restoring a WordPress backup is easy and allows you to be back and running quickly.

BlogVault includes a firewall, uptime monitoring, and automated WordPress updates. While it’s nice that BlogVault has this all-in-one package, I personally prefer Sucuri and Cloudflare for these respective features.

6. Use Strong Passwords

Don’t use the Spaceballs password ‘12345’ for your WordPress login.

Unfortunately, the reality isn’t too far off. According to the firm Lookout, the 10 most common passwords are:

  1. 123456
  2. 123456789
  3. Qwerty
  4. Password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. Qwerty123

I recommend using a password manager for all passwords. Not only should your password be random characters, but I also recommend the following password parameters:

  • 16-24 characters in length
  • Unique and not used with another service
  • Includes uppercase, lowercase, numbers, and special characters (ie, &,%, $, !, etc.)
  • Not stored in any publically accessible area.

Get A Password Manager


Larry's Take

1Password is my recommended password manager and can sync your data between your devices. It supports all of the popular operating systems and smartphones. Plus, 1Password has web browser extension support and remote access via any web browser.
10.0 Out of 10
PlatformmacOS, iOS, Windows, Android, Cloud, Linux
Price$2.99/mo. - $7.99 user/mo.
Annual DiscountNo
PromotionTry 1Password For Free
Learn More

Instead of writing down passwords on a Post-It note on your monitor, I recommend using a password manager. 1Password is the one I use and trust. 1Password can store your passwords and automatically generate passwords for you. It supports every major operating system and smartphone device. It automatically syncs your passwords between devices.

It’s an easy tool to set up and a must-have for any user online. I store every password I use online with 1Password. With my former web hosting company, I used 1Password to manage over 1,600 passwords!

Set Up 2 Factor Authentication

Amping up WordPress login security to eleven is easy.

You want to increase security by not only something you know (ie, a password) but another possible attribute. The two other options for authenticating an individual are:

  • A physical attribute — Your eye, palm, fingerprint, or face.
  • Something on your person — Keyfob, USB device, RFID card, or phone

I’m a fan of using two-factor authentication by phone application. While it isn’t the most secure method, it is more secure than other popular email authentication methods or SMS text. a dedicated keyfob or USB device is the most secure because it can also be most time-intensive. A two-factor app on your smartphone should be enough to secure a WordPress blog.

Google has a free app for iPhone and Android, but I do not recommend it. If you were to lose or get damaged, all of your 2F keys would be gone. That means you must have to reset all of your accounts using two factor. So I do not recommend this app.

Authy Desktop is what I recommend. While 1Password also supports two-factor, I prefer having my passwords and two-factor information in separate applications/services. Should one service gets compromised, the other, in theory, should be secure.

You’ll need WordPress to support Two Factor Authentication. Fortunately, a free WordPress plugin supports the basics, oddly enough, called Two Factor Authentication.

The premium version adds:

  • 30-day trusted devices
  • Turn on-off per user
  • Emergency codes

7. Install A Web Application Firewall


Larry's Take

Cloudflare has many features to protect and speed up your website. Though I recommend using Cloudflare for its security features. The free version includes DDoS protection and SSL encryption. If you get the 'Pro' edition, you can use their Web Application Firewall (WAF) to block attacks and countries which have a plethra of hackers and bot networks.
9.5 Out of 10
PlatformCloud, WordPress
PriceFREE - $200+ per month
Annual DiscountNo
Learn More

Gone are the days a hacker would manually attack a website to find an insecure server. Instead, hackers have millions of bots (already compromised websites and personal computers) that are constantly scanning the Internet for insecure software.

It has been reported by Statista that the number of bots in 2016 was 51.8% of all online traffic!

One can assume that it is much higher today. Worst yet, these bots can sometimes appear to be users on your website, giving you a false sense of website audience or click fraud. They can not only falsify your web analytics but can jam up your email list.

Without hesitancy, I recommend and use Cloudflare to better secure your WordPress installation.

To better protect WordPress, it’s best to prevent hackers from ever knocking at your door. If you have an unknown vulnerability (which is always possible), blocking access is the first line of defense.

There are plenty of WordPress security plugins like WordFence or JetPack that do the work of Cloudflare but at the WordPress level.

Though I personally rather have security higher up the network chain than tax my WordPress installation. In my opinion, you are best to have WordPress focus on serving your web pages, then perform tasks like security checking. It hinders the performance of your WordPress unnecessarily.

Plus, today, with the millions of computers a hacker may access, an attack is very widely distributed. In plain English, many WordPress plugins that try to thwart attacks are useless in brute force attacks. It is not uncommon for a hacker to use one IP address, and you’ll not see that same IP address used again until days later.

WordPress plugins that block logins after 3 attempts from the same IP address are less than useless.

What Cloudflare Offers

Cloudflare has a free option, though I recommend at least getting the ‘Pro’ option which is only $20 per month.

Cloudflare offers these services:

  • DNS Hosting
  • DDoS Protection
  • Web Application Firewall (WAF) (in Pro edition)
  • Managed Rules (in Pro edition)
  • Page Caching
  • Minification of HTML, CSS, and JavaScript
  • Free SSL encryption

Enable Firewall Rules

Cloudflare gives you many options to better secure your WordPress installation.

As you can see from the 24-hour window of this very website, I’ve blocked a significant amount of traffic.

Here is my recommended option to set up with Cloudflare.

Allow Bots

The first rule is making sure I allow known bots to monitor and analyze my own website so they aren’t blocked by mistake by Cloudflare. At the moment, this list is for excluding Ahrefs, and Pingdom since these are bots I DO want to access my website. Cloudflare is fully aware of bots like GoogleBot and Bing, so you do not need to set up special rules for those bots to index your website.

Block ‘Bad Actor’ Countries

Not every country is friendly to commerce. Some countries are more prone to hacker networks and bots. Also, I have no desire to work in some countries where language is a barrier because my content is in English.

The second step in my Cloudflare firewall setup is to outright block countries I do not want access to my website. Do not pass go, and go directly to jail! Sorry, not sorry. My Cloudflare rule is as follows:

(ip.geoip.country in {"RU" "KP" "NG" "IR" "AF" "IQ" "UA" "VE" "CU" "TR" "BD" "PK" "NP" "RO" "EE" "LV" "SY" "EG" "HT" "SO" "YE" "ZW" "CG" "CD" "ER" "CF" "KE" "BR"})

This firewall rule blocks the following countries from accessing my website:

  • Russian Federation
  • North Korea
  • Nigeria
  • Iran
  • Afghanistan
  • Iraq
  • Ukraine
  • Venezuela
  • Cuba
  • Turkey
  • Bangladesh
  • Pakistan
  • Nepal
  • Romania
  • Estonia
  • Latvia
  • Syria
  • Egypt
  • Haiti
  • Somalia
  • Yemen
  • Zimbabwe
  • Congo (Brazzaville)
  • Congo (Kinshasa)
  • Eritrea
  • Central African Republic
  • Kenya
  • Brazil

Surprisingly, most of my attacks are coming from Venezuela and Cuba. Two countries where it’s almost a 100% chance they aren’t interested in how to start with affiliate marketing or how to start a blog.

It should be noted this is a personal decision. Your mileage may vary depending on your audience and security needs. Adjust accordingly.

For example, I get little traffic from mainland China, yet China is a big source of bot traffic. In my case, instead of outright blocking China, I placed them in my Cloudflare ‘Bot Test’ rule (see next section).

My friend Steve, on the other hand, has lots of traffic from that area of the world. He would be foolish to block. One could argue not to even bot test since that can delay first-time visitors. In Steve’s case might be better suited to use Cloudflare’s Managed Rules (see below) to thwart most attacks from China.

With my previous blog Investor Junkie, GDPR became a thing.

Instead of dealing with the headaches of GDPR compliance, I decided to block all European Union (EU) countries. Not only was the EU a very small part of my website traffic, but there were also US FATCA laws that many of financial firms must comply with.

This made their visiting my blog moot since the firms would not accept foreign resident applications anyways. The only visitors I got were onlookers of US investing or ex-pats. Neither audience was I able to help with.

Block Bots

The second rule I created is for the countries where I will accept traffic, but it is a high risk for bot traffic. I would much rather have a lower analytics count than bots traversing my website.

(ip.geoip.country in {"IN" "CN"})

  • India
  • China (Mainland)

Cloudflare, it uses the newer firewall rule called Managed Challenge. The user (or bot) gets shown a web page like this below if it’s the first time visiting your website.

If it’s a bot, they don’t get through. If it’s a person, it redirects to the webpage they requested. While this interstitial page is a turn-off for real people (it will increase the bounce rate), that’s the downside I’m willing to take for high-risk countries.

Enable Managed Rules

Cloudflare has thousands of pre-built firewall rules to block hackers and attacks from visiting your website. These rules scan for attacks and, if detected, will either:

  • Default – Keep the default rule that Cloudflare has in place
  • Block – Block visitors from accessing the web page
  • Disable – Turn off the rule
  • Simulate – Does not do anything when detecting the event and logs the event.
  • Challenge – use Cloudflare’s test to determine if it’s a user or a bot

For each rule, you can adjust from the default.

I’ve modified the rules to my own liking and issues with my website setup. From my experience, firewalls, and Cloudflare in particular, not all rules accurately detect an attack. Be aware false positives can occur, and you should monitor your traffic reports in Cloudflare.

8. Enable SSL

Today if you aren’t using SSL, it not only puts your website at risk, it also hurts your SEO rankings. Google has stated the use of SSL is a ranking factor. If your website isn’t using SSL, you should enable it now. Fortunately, there are many free options, such as using Cloudflare or many web hosts using Let’s Encrypt for SSL certificates.

The important fact is to get it SSL enabled.

I have a simple tutorial on installing an SSL certificate for WordPress.

9. Log Capture and Analysis

Larry's Take

Monitor and get alerts about events in WordPress. Keep a record for user changes, updates to plugins, and any changes to WordPress. A must have for any membership blog to audit changes and keep your site secure.
8.0 Out of 10
Price$89 - $449 per year
Promotion14-Day Free Trial
Learn More

Last but not least, is creating a breadcrumb trail of WordPress events.

Out of the box, WordPress does not have such capability. If you are running a WordPress website that stores private information, you want to ensure PCI compliance and audit trail of events for your WordPress website.

WP Activity Log allows you to capture and send to a remote log server every important event that occurs within WordPress, such as:

  • Login of users to wp-admin
  • Installation, updates, and removal of WordPress plugins or themes

WP Activity Log is a plugin I use on my membership system and when I use WooCommerce. It’s a must-have WordPress plugin if security is of the utmost importance. It allows a paper trail of all of the events that occur on your WordPress installation.

Larry Ludwig

About Larry Ludwig

Larry Ludwig is an entrepreneur, financial expert, tech & marketing guru with over 25 years of industry experience.

In July 2018, Larry successfully sold Investor Junkie for $6 million.

You May Also Like