Keeping your WordPress site safe is super important. Every day, Google flags over 10,000 sites for harmful software, and about 50,000 sites every week for scams. Read on to learn how to keep WordPress secure in 2024. The full WordPress Security Statistics for 2023 can be found here.

If you care about your website, it’s crucial to follow good security steps for WordPress. In this guide, we’ll give you the best tips to keep hackers and harmful software away from your site.

While the main WordPress software is pretty safe and gets checked by many experts, there’s still more you can do to keep your site even safer.

At WordPress Security Guru, we think security isn’t just about getting rid of risks but also lowering them. Even if you’re not a tech expert, there are steps you can take to boost your WordPress security.

We’ve listed some easy-to-follow actions to guard your site from potential threats.

Ready? Let’s get started.

Why Is WordPress Security Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.

Worse, you may find yourself paying a ransom to hackers just to regain access to your website.


In March 2016, Google said over 50 million people got alerts about possibly unsafe websites they visited. Every week, Google marks about 20,000 sites as unsafe due to harmful software and 50,000 sites for scams.

If your website is your business, you should really focus on keeping it safe with good WordPress security. Think of it this way: just like a shop owner needs to keep their physical store safe, online business owners like you need to ensure your website is protected.

Keeping Everything in WordPress Updated


WordPress is free, open-source software that gets regular updates. Minor updates are installed automatically. Major releases, however, have to be installed manually.

There are also lots of extra features and designs called plugins and themes that you can add to your site. These extras are made by other companies or people, and they also update them often.

It’s really important to keep everything in WordPress updated. This helps keep your website safe and running smoothly. So always make sure to update the main WordPress software, any plugins, and your chosen theme.

Using Strong Passwords and User Permissions


Hackers often try to break into WordPress using stolen passwords. To make this tough for them, use strong and unique passwords not only for your WordPress login but also for other places like your website’s hosting, email accounts linked to your site, and more.

Remembering strong passwords can be a hassle, but there’s a solution: password managers. They help you store and use complex passwords easily.

Also, be careful about who can access your WordPress site. Only give admin access if really necessary. If you have a team or guest writers, learn about the different access levels in WordPress. This way, you can control what each person can do on your site.

WordPress Hosting’s Role in Keeping WordPress Secure in 2024

The company that hosts your WordPress website plays a big role in keeping it safe.

A good hosting company does several things to guard your site:

  • They keep an eye on their system to spot any odd or harmful actions.
  • They have tools to stop big cyber-attacks.
  • They regularly update their server software and tools. This stops hackers from using old, known tricks.
  • They have plans in place to quickly recover data if something major goes wrong.

If you’re on a shared hosting plan, you’re on a server with other websites. This can be risky because if one site has a problem, it might affect others, including yours.

For extra safety, consider a “managed WordPress hosting” service. These companies give more protection features like regular backups and automatic updates to keep your site secure.

WordPress Security the Easy Way (No Coding)

We get it, thinking about making WordPress safer can be scary if you’re new or not tech-savvy. But don’t worry, many feel the same!

We’ve guided lots of WordPress users like you to boost their website’s security.

We’ll guide you step-by-step, and the best part? You don’t need to know any fancy tech stuff. If you can use a computer mouse to click, you’ve got this!

Install a WordPress Backup Solution

Think of backups as the safety nets for your WordPress site. No website is 100% safe from potential issues, just like even big government sites can face problems.

With backups, you can quickly bring back your website to its normal state if something goes wrong.

There are tools, both free and paid, called WordPress backup plugins, that help with this. The key is to regularly save your site’s backup in a separate place, not where your site is hosted. It’s like keeping a spare key in a different place!

Popular places to store these backups are online storage services like Amazon, Dropbox, or specialized ones like Stash.

Depending on how often you make changes to your site, you might want to backup once a day or even in real-time.

Luckily, there are user-friendly tools like Duplicator, UpdraftPlus, or BlogVault that can handle this for you. They’re easy to set up and use – no tech skills needed!

Great WordPress Plugin for Security

After securing backups, the next step is to set up a system that keeps an eye on everything happening on your website.

This system checks for things like any changes to your files, login attempts that didn’t work, and scans for harmful software.

Good news! There’s a top-notch free tool called Sucuri Scanner that can handle all of this for your WordPress site.

To get started, you’ll want to add and turn on the Sucuri Security plugin. If you’re unsure how to do this, we’ve got a guide that shows you step-by-step how to add a plugin to WordPress.

Once you’ve added it, head to the Sucuri section in your WordPress dashboard. The first thing it’ll ask you to do is create a free account. This gives you access to features like checking your site’s activity, getting email alerts, and more to keep your site safe.


Next, head over to the ‘Hardening’ section in the settings menu. Take a moment to look through each option and then press the “Apply Hardening” button.

These settings help make the parts of your site that hackers target more secure. Just a heads up, one of these features, the Web Application Firewall, is part of a paid package. We’ll chat more about that in the next step, so you can skip it for now if you’re not ready.

We’ll also touch on some of these “Hardening” tips later on, especially if you’re keen to do them without using this plugin or if you’re interested in steps like changing your database’s prefix or adjusting the main admin username.

Once you’ve set up the hardening, the plugin’s default settings work well for most sites and don’t need tweaking. But, a quick tip: you might want to adjust the ‘Email Alerts’.

By default, you might get a lot of emails from the plugin. We suggest getting alerts for important stuff, like when a new user signs up or if there’s a change in plugins. You can adjust these alerts in the Sucuri Settings under ‘Alerts’.


Remember, this plugin has a lot to offer! So, take a moment to explore its different sections, from checking for harmful software to tracking login attempts, to make sure you’re using all its features.

Enabling Web Application Firewall (WAF)

Want a simple way to boost your website’s security? Consider using a web application firewall, or WAF for short.

Think of a WAF like a security guard for your website. It stops harmful visitors before they even get close to your site.

There are two main types:

  1. DNS Level Website Firewall: Imagine this as a filter that checks every visitor before they come to your site. It only lets real visitors through and blocks the bad ones. It’s like having a security checkpoint outside your website.
  2. Application Level Firewall: This one checks visitors right when they’re at your website’s doorstep, just before they enter. While it’s good, it’s not as effective as the first type because it does a bit more work on your site’s server.

In simple terms, both types of firewalls help keep your website safe, but the first one does a bit more heavy lifting outside, making it more efficient.

What’s great about Sucuri’s firewall is that it offers more than just protection. If, somehow, your site gets hacked while using their service, they promise to clean it up for you, no matter how big your website is.

This promise is a big deal because fixing hacked sites can be costly. Usually, security pros charge a lot – around $250 an hour! But with Sucuri’s full security package, which costs $199 a year, you get protection and peace of mind.

While Sucuri is a top choice, there’s also another well-known option called Cloudflare.

Set Up SSL/HTTPS on Your WordPress Site

SSL (Secure Sockets Layer) is like a protective shield for your website. It encrypts the data that travels between your site and a visitor’s browser, making it very hard for anyone in between to snoop on it or grab data.


Once you set up SSL, your site’s address will start with HTTPS and you’ll spot a little padlock icon in the browser bar. It’s a sign that your site’s data is safe.

Before, getting this protection meant spending anywhere from $80 to a lot more each year. So, many site owners skipped it.

But then, Let’s Encrypt, a group backed by big names like Google, Facebook, and Mozilla, stepped in. They started giving out SSL certificates for free! This made it super easy and affordable for everyone to get SSL protection, including WordPress users.

Lots of hosting companies now offer this free SSL feature. But if yours doesn’t, you can get one from Domain.com. They offer a top-notch SSL package that even comes with a Trust Logo seal, showing visitors that your site is extra secure.

WordPress Security for More Advanced Users

If you’ve followed all the steps we talked about, your website’s security is already better!

However, there are always extra things you can do for even stronger protection. Just a heads-up, some of these might need a bit of tech know-how or coding skills.

Changing Default “admin” username

In the past, when you first set up WordPress, the main username was often “admin.” This made things easier for hackers trying to break in because they already knew half of the login details.

Luckily, WordPress has updated this. Now, when you start a new WordPress site, you can pick your own unique username.

However, be aware that some quick-install tools for WordPress might still use “admin” as the default. If you see this, it’s a sign you might want to think about changing your web hosting service for better security.

Changing your username in WordPress isn’t straightforward since it doesn’t let you do it directly. But don’t worry, there are a few ways around it:

  1. Make a new admin username and remove the old one.
  2. Use a tool like the Username Changer plugin.
  3. Update the username through a tool called phpMyAdmin.

Just to clarify, we’re referring to the specific username “admin,” not the broader admin role.

Disabling the File Editing feature

WordPress has a handy built-in tool that lets you tweak your website’s code directly from the dashboard. But, if someone with bad intentions gets access, it could pose a risk. So, it’s a good idea to disable this feature for safety.

To turn it off, you can add a specific code to your WordPress settings file, called “wp-config.php.”

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Or, for an easier way, you can use the security features in the free Sucuri plugin we talked about earlier. It has a simple setting to disable this code editing feature with just one click.

Disable PHP File Execution in Certain WordPress Directories

To make your WordPress site even safer, consider stopping PHP files from running in folders where they don’t belong, such as the /wp-content/uploads/ folder. Uploads should only ever contain images and documents, so a PHP file there is a sign of trouble.

Here’s a simple way to do it:

  • Open a plain text editor, like Notepad.
  • Copy and paste this specific code into the editor.
<Files *.php>
deny from all
</Files>
  • Save this file as “.htaccess”.
  • Then, use an FTP tool to upload this saved file to the /wp-content/uploads/ folder on your website.

But, if all that sounds a bit complex, don’t worry! You can also achieve this with just one click using the security features in the free Sucuri plugin we talked about earlier.

Limit the Number of Login Attempts

By default, WordPress lets anyone try logging in countless times, which isn’t safe. Think of it like someone trying different keys in your front door until they get in. This is called a brute force attack.

A simple solution? Limit the number of times someone can try to log in unsuccessfully. If you’re using the web application firewall we talked about earlier, it’s already doing this for you.

But if not, here’s what you can do:

  1. Install and turn on the “Login LockDown” plugin.
  2. After it’s activated, go to the “Settings” then “Login LockDown” page to set it up the way you want.


Add 2FA (Two-Factor Authentication)

Think of two-factor authentication (2FA) as having a double-lock on your door. Normally, you’d just use a key (your password) to get in. But with 2FA, after using your key (password), you’d also need to enter a code from a separate device, like your phone.

Big sites like Google and Facebook offer this extra security step, and you can add it to your WordPress site too!

Here’s how:

  1. Get the “Two Factor Authentication” plugin and turn it on.
  2. After that, in your WordPress menu, click on ‘Two Factor Auth’.
  3. Now, on your phone, get an app that does this 2FA stuff. There are a few, but we like “LastPass Authenticator” and “Authy” because they let you save your accounts safely.
  4. We’ll use “LastPass Authenticator” as an example. Open it, tap ‘Add’, and then scan the QR code shown in your WordPress settings.
  5. Done! Now, when you log into your website, after typing your password, you’ll also need to type in a code from your authenticator app.

It’s like having an extra lock on your digital door for added safety!

Changing the WordPress Database Prefix

Imagine every room in a big building having the same name tag, like “Room 101.” If someone knows this, they can easily find and target that room. Similarly, by default, WordPress labels all its data tables with a common name like “wp_”. If you leave it like this, it’s like having that same easy-to-find room tag for hackers.

How to make it harder for them? Change this default label.

We have a detailed guide “How to Change WordPress Database Prefix for Better Security” that can help you do this step by step.

Caution: If you’re not sure about what you’re doing, you might mess things up and your site could stop working correctly. Only try this if you’re confident in your tech skills.

Disabling Directory Indexing and Browsing

Think of directory browsing like having clear glass windows in your house. Anyone passing by can peek inside and see what you have. In the online world, if directory browsing is on, it’s like having clear windows in your website’s folders, letting anyone see your files and maybe find a way in.

To keep things private:

  • Log into your website using tools like FTP or cPanel’s file manager.
  • Find a file named “.htaccess” in your main website folder. If you cannot see it in the cPanel file manager, the file is hidden. Go to the file manager settings and make sure the “show hidden files” option is checked.
  • Add this line at the top:

# DISABLE DIRECTORY INDEXES
Options -Indexes

  • Save your changes and put the .htaccess file back where you found it on your site.

With this change, it’s like putting up curtains on those windows, keeping prying eyes out!

Disabling XML-RPC in WordPress

Think of XML-RPC like a special doorbell for your WordPress site. It was added to make it easier for your site to chat with other apps and tools. But, this doorbell also has a super loud ring, which can be a problem.

Here’s why:

Normally, if a sneaky person tried to guess your password, they’d have to ring the doorbell 500 times, and you’d probably notice and stop them. But with XML-RPC, they can press the doorbell just a few times and try thousands of different passwords all at once.

In simpler terms, it’s like someone trying to guess your password by pushing a button that tries thousands of codes in just a couple of tries, making it harder for you to stop them.

This is why if you’re not using XML-RPC, then we recommend that you disable it. You can do it by adding the following code at the beginning of your .htaccess file in the main website directory.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Note: Please change the allow from 123.123.123.123 part. You can put in any IP address that you want to allow xmlrpc access from. If you want to block it altogether, just remove this line.

If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
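To check that the hardening steps from the sections above (disabling file editing, blocking PHP in uploads, disabling directory indexes, and blocking xmlrpc.php) are actually in place, here is an added audit script; it is not part of this guide or of WordPress itself. It assumes an Apache-style install with .htaccess files, as in the steps above, and builds a small constructed directory tree to run against.

```python
import os
import re
import tempfile

def _read(path):
    """Return a file's contents, or '' if it does not exist."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""

def _files_block_denies(htaccess, pattern):
    """True if a <Files pattern> block denies access, in Apache 2.2 syntax
    ('deny from all') or Apache 2.4 syntax ('Require all denied')."""
    block = re.search(r"<Files\s+%s\s*>(.*?)</Files>" % re.escape(pattern),
                      htaccess, re.S | re.I)
    return bool(block) and bool(
        re.search(r"deny from all|Require all denied", block.group(1), re.I))

def audit_wordpress(root):
    """Check the hardening steps from this guide against a WordPress install
    at `root`.  Returns {check name: True if hardened, False if still default}."""
    wp_config = _read(os.path.join(root, "wp-config.php"))
    root_htaccess = _read(os.path.join(root, ".htaccess"))
    uploads_htaccess = _read(os.path.join(root, "wp-content", "uploads", ".htaccess"))
    return {
        # define( 'DISALLOW_FILE_EDIT', true ); with any spacing or quote style
        "file_editing_disabled": bool(re.search(
            r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", wp_config, re.I)),
        "uploads_php_blocked": _files_block_denies(uploads_htaccess, "*.php"),
        # an 'Options' directive on its own line that includes -Indexes
        "directory_indexes_disabled": bool(re.search(
            r"^\s*Options\s+(?:\S+\s+)*-Indexes\b", root_htaccess, re.M | re.I)),
        "xmlrpc_blocked": _files_block_denies(root_htaccess, "xmlrpc.php"),
    }

def build_sample_install(hardened):
    """Write a constructed, minimal WordPress-like tree to a temp dir and return it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {"wp-config.php": "<?php\n", ".htaccess": "# BEGIN WordPress\n"}
    if hardened:
        files["wp-config.php"] += "define( 'DISALLOW_FILE_EDIT', true );\n"
        files[".htaccess"] += ("# DISABLE DIRECTORY INDEXES\nOptions -Indexes\n"
                               "<Files xmlrpc.php>\norder deny,allow\ndeny from all\n</Files>\n")
        files["wp-content/uploads/.htaccess"] = "<Files *.php>\ndeny from all\n</Files>\n"
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "default", audit_wordpress(build_sample_install(hardened)))
```

Point audit_wordpress at your real WordPress root to see which of the four steps are still at their defaults.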

Automatically Log Out Idle Users in WordPress

Think of it like leaving your front door unlocked when you step out for a moment. If someone’s not paying attention to their WordPress account and walks away, someone else could sneak in and mess things up.

To avoid this risk, just like how banks sometimes log you out if you’re not active, you can do the same for your WordPress site:

  1. Get the “Inactive Logout” tool and turn it on.
  2. Go to the “Settings” then “Inactive Logout” in WordPress.
  3. Choose how long someone can be inactive before getting logged out and set a message they’ll see.
  4. Hit the “save changes” button, and you’re all set!


Scan WordPress for Malware and Vulnerabilities

Think of your WordPress security plugin as a watchdog that regularly checks your website for any suspicious activity or threats, like a guard patrolling your home.

But sometimes, even with a guard on duty, you might notice strange things happening, like fewer visitors coming by or your site not showing up as high in search results. If that happens, it’s a good idea to take an extra look.

You can ask the security guard (or your plugin) to do another thorough check or use specialized online tools that act like detectives. These tools will search every nook and cranny of your site to see if there’s any hidden trouble.

But here’s the catch: while these detective tools can spot the problem, they can’t fix it. So, if they do find something, you’ll need to take extra steps to clean up and restore your site, which we’ll talk about next.

Fixing a Hacked or Malware Infected WordPress Site

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.

Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.

Hackers install backdoors on affected sites, and if these backdoors are not found and removed properly, your website will likely get hacked again.

Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.

Another alternative is Malcare, which offers scans, one-click malware removal, and a real-time firewall for complete security of your website.

The Malcare free plan can only scan your website; you need the Plus plan to remove malware or get full protection.

Bonus point: Identity Theft & Network Protection

Think of your online business like a house with lots of valuables. Just as you’d lock your doors and windows to keep burglars out, you need to protect your online stuff from digital thieves.

Imagine someone stealing not just your website but also sneaking into your bank account or using your name to do bad things. Shockingly, there were nearly 5 million such thefts reported in 2020 alone!

To keep your digital life safe, think about getting a tool like Aura. It’s like having a personal bodyguard for your online activities. Here’s what it does:

  1. Safe Browsing: Think of this as a secret tunnel (VPN) that keeps your online actions hidden and safe, especially when you’re on public Wi-Fi, like at a cafe.
  2. Dark Web Watch: It’s like having a spy who keeps an eye on dark web. If they find any hint that your personal info is being traded or sold, they’ll let you know immediately.

By using such tools, you’re adding extra locks and alarms to your online house, making sure everything inside stays safe. And with that, you’re all set!

We hope this guide has given you some useful tips to keep your WordPress site and online business secure.

If you have questions, please feel free to leave them in the comments section below.
