SUCURI's Q2 hacked website analysis report shows that 74% of 9,771 infected
websites were running WordPress. Millions of website owners love
WordPress, and it holds more than a 58% share of the
content management system market.
Every month I see hundreds of questions and concerns in Facebook
groups and on Stack Overflow about websites that got
hacked or infected with malware.
Website security is as important as your
content and SEO, and you should do whatever it takes to
keep your online business safe and secure.
There are multiple approaches to hardening WordPress;
below are the practical steps I follow, which I
hope will be helpful to you.
Hardening & Security Tips
1. Go Passwordless
Brute force is one of the oldest techniques: the attacker repeatedly
tries many usernames and passwords against the WordPress admin login.
By going passwordless, you leave no password for an
attacker to guess. Wondering how it works?
Let me show you.
The default WordPress login window looks like:
When you go passwordless, you no longer enter
a username and password; instead you authenticate
with your phone. It’s simple and convenient.
UNLOQ has a WordPress plugin too, which lets you
replace the password with your phone. UNLOQ uses TLS for
communication, and data is encrypted with AES-256-CBC.
You can have up to 100 users with unlimited authentications for
FREE, which is more than enough for a WordPress site.
Teddy ID is a little different. You
enter your credentials once, and it stores and encrypts
the password for you in the browser.
On the next login attempt, instead of entering the credentials you
must match the photo displayed on your phone; if it
matches, your login succeeds.
The Teddy ID WordPress plugin can be downloaded from here.
Let the magic happen and go passwordless.
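Brute-force attempts of the kind described in this section leave a trail in the web server's access log. As an added example that is not part of the original post, the Python script below scans constructed combined-format log lines for IPs that POST repeatedly to wp-login.php within a short window and notes whether the burst ended in a redirect (WordPress answers a failed login with 200 and a successful one with a 302); the IP addresses, timestamps, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in combined log format (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges); they are not from the original post or from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2017:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.5"
203.0.113.7 - - [12/Aug/2017:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.5"
203.0.113.7 - - [12/Aug/2017:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.5"
203.0.113.7 - - [12/Aug/2017:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.5"
203.0.113.7 - - [12/Aug/2017:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.5"
203.0.113.7 - - [12/Aug/2017:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.5"
198.51.100.4 - - [12/Aug/2017:10:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2017:10:20:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2017:10:20:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"].split("?", 1)[0], "status": int(m["status"])}

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (most POSTs to wp-login.php inside any `window`, last POST was a 302)}
    for every IP that reached `threshold`; a 302 after a burst suggests a guess succeeded."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, hits in attempts.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):  # sliding window over the sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, hits[-1][1] == 302)
    return flagged
```

Running `find_bruteforce(SAMPLE_LOG)` on the constructed lines flags only 203.0.113.7, with six attempts in the window and a redirect at the end, while the single normal login from 198.51.100.4 is left alone.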
2. Have Solid Backup
Backup is your friend! When things go wrong and nothing works,
a backup will come to the rescue.
Many things can go wrong, for example:
- Configuration got messed up
- Files got deleted
- Website got hacked
- You installed a plugin and the site broke
- Site broke after updating WordPress/theme/plugins
If you are unable to fix it, or it is taking a long time to get your
online business operational again, consider restoring
your website from the backup.
Most shared web hosts like SiteGround and InMotionHosting
provide daily backups, so you are okay. However, if you are with
some other web host, you may want to check what backups it provides.
If you are on a VPS like DigitalOcean or Linode,
backups are not enabled by default, and they charge
around 20% of your VPS plan.
So if you are on a $10 plan, you need to pay an additional $2 for backups.
Trust me; it’s worth it. There were many situations when I had
no option other than restoring Geek Flare from a Linode backup.
If you are on a cloud like AWS or Google Cloud, you
must consider taking snapshots regularly or using a
third-party backup tool.
If you have a backup with your web host, I don’t see any
reason to use a backup plugin, but in case you want one, here are
some of the popular free backup & restore
plugins for WordPress.
Over 900,000 active installs say a lot. UpdraftPlus lets you back up your website
data to cloud storage such as Amazon S3, Google Drive, Dropbox and FTP.
Whenever you need to restore, you are just a click away.
Backup by BackupGuard gives you the
option to back up files, the database, or both. You can customize
your backup location and watch the live progress of the backup.
Don’t settle for anything less than a daily backup.
3. Use WAF/Security
The default WordPress installation may expose
configuration/information and can be vulnerable if not hardened.
There are many security-related plugins available, so pick what
you like but ensure it covers the following.
Change Admin URL – the WordPress admin is
accessible by default at wp-login.php, and the whole world
knows about it.
So anyone who knows a site is
built on WordPress can reach the login page just by
appending wp-login.php and start trying to get in.
It is a good idea to change the admin URL from
wp-login.php to something else.
Comment Spam Protection – don’t let your blog
posts fill up with comments full of spam and advertising.
Block suspicious requests – don’t entertain
malicious requests or script execution.
Implement Security HTTP Headers – protect against
clickjacking, insecure cookies, XSS attacks, etc. by injecting the
necessary parameters into the HTTP response headers.
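To verify that a plugin or web server has actually injected those headers, here is an added Python audit (not from the original post or from any of the plugins named here) that parses a constructed raw HTTP response, reports which security headers are missing and flags cookies that lack the Secure or HttpOnly attribute; the two sample responses and the header list are assumptions.

```python
# Constructed sample response from a WordPress site before hardening; not captured from any real host.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: wordpress_logged_in_example=user%7C1; Path=/; HttpOnly
X-Frame-Options: SAMEORIGIN
"""

# The same response after the headers and cookie flags have been hardened (also constructed).
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: wordpress_logged_in_example=user%7C1; Path=/; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; default-src 'self'
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
"""

# Headers the plugin or web server should inject, and what each one protects against.
EXPECTED = {
    "x-frame-options": "clickjacking",
    "content-security-policy": "XSS and clickjacking (frame-ancestors)",
    "x-content-type-options": "MIME sniffing",
    "strict-transport-security": "downgrade to plain HTTP",
    "referrer-policy": "referrer leakage",
}

def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP response; names lower-cased, status line dropped."""
    pairs = []
    for line in raw.strip().split("\n\n", 1)[0].splitlines()[1:]:  # header block only
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [f"missing {name}: {why}" for name, why in EXPECTED.items() if name not in present]
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split(";", 1)[0].split("=", 1)[0]
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in flags:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return findings
```

`audit(WEAK_RESPONSE)` lists four missing headers plus the login cookie sent without Secure, while `audit(HARDENED_RESPONSE)` returns an empty list.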
Let’s take a look at the top four plugins.
Wordfence is loved by over a
million websites and has tons of features, including the following:
- WordPress Firewall
- Blocking Features
- Login Security
- Security Scanning
- IPv6 Compatible
All In One WP Security & Firewall
Tips & Tricks HQ develops this all-in-one security plugin, which is
actively installed on more than 400,000 websites. Some of the
popular features/protections are:
- Comment SPAM
- Security Scanner
- Brute force attacks
- File system/database security
- User account/login security
iThemes Security, previously
known as Better WP Security, helps you protect your website
from more than 30 types of attacks.
Better WP Security is available for FREE with most of the common
features/security; however, if you need more, you may try
Shield, a.k.a. WordPress
Simple Firewall, is simply awesome and gives you almost
everything you need for FREE.
I currently use this plugin and love the dashboard and
comprehensive features. Worth giving it a try.
4. Use Cloud-based
Security/firewall via a WordPress plugin is good, but it still runs
within WordPress, so protection starts only once a request has already reached it.
If you are looking for additional protection, you should
consider cloud-based security. Security from the cloud
protects you and blocks attackers at the edge of the network.
Most cloud-based security providers also offer a
CDN (Content Delivery Network) to make your
website load faster.
Some of the popular CDN & Security providers are:
One of the industry leaders in providing website security and
a high-performing CDN for better performance and security.
SUCURI offers complete website
security, covering both security and performance.
Incapsula by Imperva provides CDN & security for all types
of websites, from blogs to enterprise-level applications.
Incapsula has a FREE plan to get you started, which offers the following:
- Bad bot/SPAM protection
- IPV6 compatible
- DDoS/SQLi/XSS/Backdoor protection
- Content compression/minification
- Image optimization
- SSL support
- And much more…
They offer a trial of the higher plans, so go ahead if you
are serious about website protection.
The list won’t be complete without CloudFlare, one of the most popular CDN &
security providers for making your website secure and speedy.
Take a look at the plan details for a feature comparison.
Some of CloudFlare’s features worth mentioning:
- Global CDN
- FREE SSL Certificate
- HTTP/2, WebSockets, IPv6 support
- DNSSEC, cache purge, custom rules
- Comment spam, content scraping, OWASP WAF, DDoS protection
StackPath recently bought MaxCDN and provides a
secure CDN and WAF. StackPath doesn’t have a FREE plan;
pricing starts at $20 per month.
Some of StackPath’s features are:
- Two-step authentication
- OWASP top 10 vulnerability protection/WAF
- DDoS protection against SYN/UDP/volumetric attacks
- Hotlink protection
- Real-time analytics
SUCURI says 55% of infected websites had out-of-date software.
Running an old version of WordPress, a plugin or a theme may leave you
vulnerable, and as a best practice you must keep an eye on
vulnerable plugins and patch them on priority.
You may subscribe to the WPScan Vulnerability Database for
email alerts, so you know when a plugin, theme or WordPress version you use has a known vulnerability.
It’s not hardening, but I think it’s worth mentioning the
hosting provider. Choose a well-known, quality hosting
provider to host your website. Some popular hosting options:
- Google Cloud Platform
Hosting your website with a quality provider not only makes your
website faster but also gives you support when you need
help. Many things can go wrong, so expert support is key
when choosing web hosting.
I hope the above helps you keep your WordPress website
more secure & robust.
Personally, I follow this strategy on Geek
Flare and it works well, so I thought to share it with you all.