When it comes to WordPress security, users are often divided into two camps: those who take security seriously and learn to secure their site, and those who believe or hope nothing will happen to them because they are not important enough.
Unfortunately, the second group is often wrong. Most security breaches are not personal but are carried out by faceless automated scripts that don't care how important your site is.
Consequently, WordPress security is everyone's business. To give your site the best chance of staying safe and sound, we'll go over practical tips below on how to secure your WordPress site. Follow them to avoid having to deal with the consequences of your site being defaced, hacked or taken down.
Why Investing in WordPress Security is Important
WordPress is one of the most popular content management systems out there, and for good reason. It is easy to use, there are thousands of themes and plugins available for it, and you can create any type of website with it. It is not surprising, then, that WordPress is the engine of more than 40% of the websites on the Internet.
So is WordPress safe?
The above figure might suggest that WordPress is not a good place to start and that it is inherently insecure. However, that is far from the truth.
The WordPress core is very secure and is in fact regularly audited by a security team of industry experts. However, nothing that is connected to the Internet can be 100% secure and there are many factors that determine whether or not a site can be compromised. Most successful hacking attempts boil down to human error, something we hope to alleviate with this post.
Also, as already mentioned, the sheer size of WordPress' user base makes the CMS a focus of attention for hackers because the likelihood of finding victims is higher.
What happens when you get hacked
Loss of revenue and reputation, information stolen, malware installed on your site that can infect visitors, ransomware that blocks your site until you pay the hacker ... none of this sounds attractive, right? However, that's exactly what you risk if you don't take WordPress security issues seriously.
Furthermore, Google could even blacklist your site over incidents like these. Imagine losing all your SEO efforts in one fell swoop. Scary, right?
In short, if your site is in any way important to your business, then securing your WordPress website should be a high priority.
26 effective ways to protect your WordPress site
Follow best practices to build a solid security foundation
To prevent your website from suffering any of the problems described above, here are tips on how to secure WordPress effectively. We'll start with the absolutely must-have, minimal WordPress security measures everyone should take, and then move on to more advanced and technical procedures. If you only follow the advice in the first part, your site will already be more secure than 99% of the websites out there.
1. Protect your computer, avoid being a risk factor
You may be wondering, what does your computer have to do with your website? Easy: If your computer is infected with a virus or other malware and accesses or uploads files to your site, those files can infect your website as well. To avoid this, be sure to:
Refrain from using public Wi-Fi networks to access your site, or use a VPN if you have to
Install antivirus software and a firewall and keep them up to date
Run regular virus and malware checks on your operating system
Update your operating system and other important programs (like your web browser)
For detailed instructions, check out this post.
2. Build a Secure Base with Trusted Hosting
Your hosting company is usually the first wall hackers have to go through to access your site. For this reason, the first step in securing your WordPress website is investing in a hosting company that implements adequate security measures. This includes support for the latest versions of PHP, MySQL, and Apache, as well as a firewall and 24/7 security monitoring. Also, check that they offer SFTP or SSH connections instead of the less secure FTP.
Also, choose a hosting company that does daily backups and regular malware scans (like SiteGround, for example). You can even find hosting companies that employ various DDoS prevention measures. Also, be sure to check what your hosting company offers in terms of help to recover compromised websites. When in doubt, always ask your hosting provider what security procedures they have in place.
3. Use strong passwords to close entry points
Passwords are one of the weak points of any website. Luckily, they are also something you have control over. To keep your WordPress website secure, be sure to use strong passwords to:
Your user account
FTP accounts
The WordPress database
Your hosting account
Your email address
Everything else that is related to your site
Also, change your passwords frequently. If you can't create a strong password yourself, you can let a password generator create one for you.
WordPress also offers you strong passwords and has an indicator that shows you the strength of your password.
Lastly, if you have trouble remembering your passwords, you can use a password manager like LastPass.
4. Apply minimal user permissions, reduce third-party risk
However, it's not just about your own passwords, but also those of other people on your site. To minimize the risk they pose, first make sure everyone has only the permissions they actually need. To do this, it makes sense to familiarize yourself with WordPress user roles to understand what each role is capable of.
For example, you don't want to give a one-time guest blogger admin access. A Contributor role is probably much more appropriate. In fact, you may want to set your default user role to Subscriber (in Settings > General > New user's default role) to be safe.
Also, it is good practice for WordPress security to give temporary permissions and revoke them later. You can easily do this by changing the roles of users in the Users menu and changing them back when the person has done their job.
Also, delete all user accounts that you no longer need or are no longer in use. Additionally, there are ways to force other users of your site to use strong passwords as well. Many WordPress security plugins include this functionality and there are also paid products like Password Policy Manager.
5. Remove the administrator username to fix a common loophole
WordPress used to set the default username to admin and many website owners never bothered to change it. As a result, admin is usually the first username that hackers try when they launch an attack against your site. If that name is present, all they need is to guess the password.
As such, you should never use that particular username for your WordPress website.
6. Hide your administrator account: post as a Contributor or Editor
Consider creating a Contributor or Editor account to add new posts and articles to your site.
How does this help? Well, WordPress automatically creates an author archive page for every user who publishes something on the site. It is usually located at something like yoursite.com/author/authorname.
The problem is that this hands potential hackers half of the login information, since the author's login name appears in plain text in the URL. Again, all they have to do now is guess the password. Therefore, it is better that the authors visible on your site are not those with administrator rights.
7. Log off inactive users and avoid third-party errors
The next tip is to log out inactive users after a period of inactivity. You are probably familiar with this feature from banking websites. It prevents you or someone else from compromising your site by accidentally staying connected on a public computer or when you walk away from the screen for a while.
This is necessary because your session can be hijacked and hackers can abuse the situation to their advantage. It is even more important to terminate idle sessions if you have multiple users on your website. It is also easy: you can use a plugin like Inactive Logout to do it automatically.
8. Minimize security risks by keeping WordPress and its components up to date
Out-of-date files pose a security risk because they leave your site vulnerable to exploits. This is true both for WordPress itself and for components such as themes and plugins. These get updates for good reason, often including security bug fixes. In fact, vulnerable plugins are the number one source of site hacks according to Wordfence.
You can manually update your website through Dashboard > Updates. Always remember to back up your site beforehand. Better yet, apply the updates to a test or development site first, check that everything is okay, and then apply them to the live site.
It is also possible to use WordPress's automatic update feature. From version 5.6, in the same menu, you can choose whether to automatically install only minor security and maintenance updates or major updates as well.
However, the latter is only recommended to a limited extent, as it can break your site without you knowing.
You can also turn on automatic updates for themes and plugins. For themes, go to Appearance > Themes, click on the theme of your choice and use the Enable automatic updates link.
In the case of plugins, you will find this option in the Plugins menu on the right.
You can also use Easy Updates Manager to manage these settings, and much of it can be configured through wp-config.php. It is also possible to update WordPress and its components manually.
You should also periodically review the installed plugins and deactivate and delete what you no longer use.
9. Only use themes and plugins from trusted sources to avoid compromising your site
As we've already established, unreliable themes and plugins are one of the main ways WordPress websites get compromised. To reduce the risk of this happening, the first step is to use only extensions from trusted sources.
That means staying away from "free" (pirated) versions of premium plugins and themes. Besides cheating developers out of the fruit of their labor, you never know what kind of code may be hidden inside. By uploading them to your site, you may be opening back doors for hackers yourself. So stick with trustworthy sources, like the WordPress.org theme and plugin directory or trusted premium providers.
When considering downloading a theme or plugin, to be safe, check:
Its number of users
The reviews and rating
Whether it has active support and regular updates
Compatibility with your version of WordPress
In short, use plugins and themes that are under active development and that are trusted by a large number of users.
10. Use a backup plugin or service for much-needed insurance
If you are not yet backing up your website, you need to get started now. A backup system will help you restore your site if the worst happens and your site ends up being hacked. Here are some plugins and services for it:
Things to keep in mind:
Back up both your site files and your database - a WordPress website consists of these two parts. Make sure to save both or you will regret it.
Create a regular schedule - Set your backups to take place automatically at regular intervals. How often depends on your site and how often you change things or post content. For a simple website, once a week is sufficient. For an active blog, once a day or even more often may make more sense.
Store backup files off-site - Make sure your backup files go to Dropbox, Google Drive, or a similar service, not your own server. Otherwise, you risk your backups getting infected as well or losing them along with your files if the server breaks.
11. Use secure server connections, keep your traffic protected
Finally, as part of WordPress security fundamentals, make sure you connect to your server securely. One of the most common ways to manage a server is to use FTP. We will also mention it a few times in this guide.
However, FTP has a much more secure cousin called SFTP, which automatically encrypts the traffic between your computer and the server. Whenever you can, use this instead of the unencrypted FTP protocol. Otherwise, you risk your traffic being intercepted and spied on. A good FTP client like FileZilla will allow you to do this.
Advanced techniques to protect your WordPress
Alright, that was it for basic WordPress security best practices. Moving forward, we will review more advanced ways to keep your site secure. They may need a bit of technical knowledge but they are quite doable and will further fortify your WordPress website against disaster.
12. Harden the admin area and avoid brute force attacks
Of course, one of the most important and therefore most worth protecting parts of your website is the admin area or the control panel. If someone can access it with administrator rights, there is nothing they cannot do.
Hackers try to get in there with so-called brute force attacks. This means that they automatically test hundreds or thousands of username and password combinations until something works. So let's go over some ways to prevent that from happening.
a) Change the default administration and login URL
By default, the URLs to log into your site are yourdomain.com/wp-admin or yourdomain.com/wp-login.php. Hackers know this and will try to access these addresses directly in order to force their entry.
Therefore, one of the easiest ways to avoid most of these attacks is to move the WordPress admin and login pages to other locations. In this way, any attack on them comes to nothing. A plugin like WPS Hide Login makes this quite simple.
b) Limit login attempts
Another good way to stop these attacks is to limit how many times someone can try to log in before being blocked. WordPress has many plugins for this too, like Limit Login Attempts Reloaded.
c) Two-factor authentication
Two-factor authentication means that in addition to entering their password, users will have to enter a code generated by a mobile app or some other device to log into your site. Thus, even if hackers somehow manage to guess or acquire your password, they will not be able to enter your site without, for example, your mobile phone.
Consider using a plugin like Google Authenticator to set up two-factor authentication for your site.
d) Password protect the wp-admin directory
Another way to combat this type of security risk is to protect the entire wp-admin directory with another password. In this way, without it, hackers cannot reach the WordPress login page.
Directory password protection happens on the server side. If you are running an Apache server, create a text file called .htaccess (more on this soon) and enter the following:
AuthName "Members Only"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
This code creates a password-protected area called "Members Only" that is only accessible to valid users whose credentials are listed in the .htpasswd file at the location given by AuthUserFile. The last part is an exception for admin-ajax.php that you need for WordPress to keep working. Upload this file to the wp-admin directory.
Then create another file called, you guessed it, .htpasswd and put this data in it:
username:password
These are all the usernames that have access to this directory (currently only one) along with their passwords.
Important: the password has to be stored in hashed (encrypted) form for this to work. You can use an htpasswd generator: enter your username and password in plain text and copy the result.
Upload it to the location your .htaccess points to. You can do the same on an NGINX server. Alternatively, you can also block the URL with a firewall and add an exception just for your IP address.
13. Keep your files safe: Disable the WordPress theme and plugin editor
By default, you have access to a file editor in the WordPress control panel under Appearance > Theme & Plugin Editor > Plugin Editor.
Here, you can make changes to WordPress files directly from the back-end. This can be useful when you need to quickly add a line of code. However, it also means that anyone who enters your site with the proper permission level can access those files with potentially disastrous results.
Disable this feature by adding the following code to your wp-config.php file, just before the line that says "That's it, stop editing! Happy blogging":
// Disable WordPress file editor
define('DISALLOW_FILE_EDIT', true);
What to do instead? Download your files via FTP, edit them locally, and upload them again. Better yet, test all changes on a local development site, and only upload files once you've made sure everything is secure.
14. Check and change file permission levels to protect your server data
Files and folders in the WordPress directory on your server have different permission levels. There are three types: read, write and execute permissions. These determine whether users can access files, make changes, delete, and run. The same goes for the content of the directories.
If the permissions are wrong, this can give people access to files that they shouldn't have access to and that they could use to take down your site. On the other hand, if the permissions are too strict, they can disable some functionality.
You can check and change this with an FTP client. For example, FileZilla has a column called Permissions right on the user interface.
Changing them is as easy as right-clicking a file or folder and choosing File permissions... After that, just enter the correct numerical value (see below) and click OK.
For instructions for cPanel, look here. As for which permission level is correct, according to the WordPress Codex, they should be set as follows:
All directories must be 755 or 750
All files must be 644 or 640
wp-config.php should be 600
Some hosts may need different permissions, so talk to your hosting provider if you have problems.
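As an added example (not code from the article), the following Python script walks a WordPress directory and reports every file or folder whose mode is outside the values listed above, treating wp-config.php specially. It assumes a Unix host; run without a path, it audits a constructed sample tree.

```python
"""Audit file and directory permissions in a WordPress tree against the
modes the article recommends (added example, not code from the article).
Assumes a Unix host; run it as the account that owns the install, e.g.
python3 wp_perms.py /var/www/html."""
import os
import stat
import sys
import tempfile

DIR_MODES = {0o755, 0o750}      # all directories
FILE_MODES = {0o644, 0o640}     # all regular files
WP_CONFIG_MODES = {0o600}       # wp-config.php only


def allowed_modes(path, is_dir):
    """The set of acceptable permission bits for one filesystem entry."""
    if is_dir:
        return DIR_MODES
    if os.path.basename(path) == "wp-config.php":
        return WP_CONFIG_MODES
    return FILE_MODES


def audit_permissions(root):
    """Walk `root` and return a list of (relative_path, actual_mode,
    allowed_modes) for every entry whose bits are outside the allowed set.
    Symlinks are skipped so that a link cannot stand in for its target."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        # each directory appears exactly once as `dirpath`, root included
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, name), False) for name in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            allowed = allowed_modes(path, is_dir)
            if mode not in allowed:
                findings.append((os.path.relpath(path, root), mode, allowed))
    return findings


def format_finding(finding):
    """Render one finding as 'path: 777 (expected 750 or 755)'."""
    rel, mode, allowed = finding
    wanted = " or ".join("%o" % m for m in sorted(allowed))
    return "%s: %o (expected %s)" % (rel, mode, wanted)


def build_sample_tree():
    """Constructed throwaway install with two deliberately wrong modes, so
    the audit has something to report when run without arguments."""
    root = tempfile.mkdtemp(prefix="wp-perm-audit-")
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)   # world-writable: wrong
    # index.php is fine at 644; wp-config.php at 644 should be 600
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o644)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(os.path.join(root, name), mode)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    problems = audit_permissions(target)
    for finding in problems:
        print(format_finding(finding))
    print("%d entries need attention" % len(problems))
```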
15. Use HTTPS and SSL, encrypt site traffic
HTTPS (Hypertext Transfer Protocol Secure) and SSL (Secure Sockets Layer) allow visitors' browsers to establish a secure connection with your hosting server (and therefore with your site). They guarantee that all the information that flows between the two is encrypted.
The use of SSL is mandatory for e-commerce sites and other sites that handle sensitive data, such as credit card information. However, even on a normal website and on blogs, it makes it difficult to steal login information. This is especially vital on a public network or when a lot of people are connecting to your site. In fact, the United States government is moving all of its websites to HTTPS.
Encrypting your site traffic will not only increase the security of your site, it will also benefit your search engine ranking. For example, Google Chrome now shows all non-HTTPS sites as "not secure" in the browser bar.
Lastly, HTTPS is faster, because it uses the HTTP/2 protocol by default. Therefore, it is even something that can improve the speed of your site. You can try it yourself, here.
The problem with SSL was that it used to be expensive. You had to buy a certificate from a provider and make it work with your site. However, we now have Let's Encrypt, a project backed by Mozilla, Facebook, Google Chrome, Automattic, and others. It is a free SSL certificate that anyone can use.
Talk to your hosting provider and ask about the possibility of doing so. If they don't offer Let's Encrypt, they can at least help you get an SSL certificate or give you the address of a trusted company where you can buy one. If you want to know more about how to convert your WordPress website to HTTPS/SSL, you can use our detailed guide on that topic.
16. Deactivate XML-RPC and close another entry point
XML-RPC allows your site to establish a connection with WordPress mobile apps and plugins like Jetpack. Unfortunately, it is also a favorite of WordPress hackers because they can abuse this protocol to run multiple commands at once. This means that instead of painstakingly testing one password after another, they can test many at the same time and gain access to your site more easily.
Some plugins depend on XML-RPC to function properly. To find out if your site has it enabled, enter your site address here. If it is not active, you will receive an error message.
In that case, it might be a good idea to disable it to close this loophole. You can use a plugin like Disable XML-RPC-API to do it. Alternatively, you can disable it by adding the following code to your .htaccess file (more on that file later).
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    Order deny,allow
    Deny from all
    Allow from XXX.XXX.XXX.XXX
</Files>
The line that says allow from XXX.XXX.XXX.XXX is optional. You can use it to allow continuous access to XML-RPC for a particular IP address if necessary. Otherwise, delete it.
17. Use the latest version of PHP to take advantage of security updates
PHP is the language WordPress runs on. It is present on the server of every website built with the CMS. Like WordPress, the programming language is in constant development. New versions come with performance improvements but also with vulnerability fixes.
For that alone, it is important that you run the latest version. Also, each new version of PHP only receives support and updates for two years. The currently supported versions are 8.0, 7.4 and 7.3, so it is highly recommended that you be on one of them. Unfortunately, only slightly more than half of WordPress sites follow this advice.
This is not really optimal although it has improved in recent years.
How can you change your PHP version to take advantage of the latest releases? You usually have an option for this in your hosting control panel.
However, be sure to test your site for compatibility first: try the new version in a sandbox copy of your site to see whether all your plugins and theme features work with it.
18. Protect wp-config.php, one of your most important files
wp-config.php controls many important functions of your site, including connecting to your database. Without it, your whole site is broken. It is time to learn how to protect it.
a) Move it to a directory not accessible to the WWW
Make the file more difficult to access by moving it from the root directory to a directory that is not reachable through the browser. The easiest way is simply to move it up one level on your server. So if your root directory is /var/www/html, just move the file to /var/www/. WordPress will automatically find it there, so you don't have to do anything else.
If you want to put the file elsewhere, copy it to the new location. Then tell WordPress where it is by replacing the content of the original file with the following (using your actual file path):
<?php
include('/server/path/to/wp-config.php');
b) Change your WordPress security keys
WordPress security keys are responsible for encrypting the information stored in your users' cookies. They are located in the wp-config.php file and look like the following:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
These are randomly generated at installation. If you've migrated your site or taken it over from someone else, it is a good idea to regenerate them. To do this, use the WordPress salt key generator to get a new set of random keys.
Just copy and paste over the keys in your wp-config.php file and save, voila.
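As an added example (not code from the article or from WordPress), this Python script rotates all eight keys and salts in a wp-config.php using the local CSPRNG instead of the online generator. It assumes the standard define('NAME', 'value'); layout and that you have a backup; new keys invalidate every existing login cookie, so all users are logged out.

```python
"""Rotate the eight WordPress security keys and salts in a wp-config.php
(added example; not code from the article or from WordPress). Keys are
drawn from the local CSPRNG rather than fetched from the online generator.
Rotating them invalidates every existing login cookie, so all users are
logged out; keep a backup of the file outside the web root first."""
import re
import secrets
import string

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
KEY_LENGTH = 64
# Letters, digits and punctuation that are safe inside a single-quoted PHP
# string: no quote, double quote, backslash, backtick or whitespace.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/|~"

# Matches define('NAME', 'value'); with either quote style and any spacing,
# including the define( 'NAME', 'value' ) form WordPress ships.
DEFINE_RE = re.compile(
    r"define\s*\(\s*(?P<q1>['\"])(?P<name>[A-Z_]+)(?P=q1)\s*,\s*"
    r"(?P<q2>['\"])(?P<value>(?:\\.|(?!(?P=q2)).)*)(?P=q2)\s*\)\s*;"
)


def generate_key(length=KEY_LENGTH):
    """One random key of `length` characters from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, names_replaced). Only the eight key/salt defines
    are rewritten; every other define and line is left untouched."""
    replaced = []

    def substitute(match):
        name = match.group("name")
        if name not in KEY_NAMES:
            return match.group(0)
        replaced.append(name)
        return "define('%s', '%s');" % (name, generate_key())

    return DEFINE_RE.sub(substitute, config_text), replaced


def rotate_file(path):
    """Rewrite wp-config.php at `path` in place; refuses to write if any of
    the eight defines is missing, so a partial rotation cannot happen."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, replaced = rotate_keys(text)
    missing = sorted(set(KEY_NAMES) - set(replaced))
    if missing:
        raise RuntimeError("not found in %s: %s" % (path, ", ".join(missing)))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return replaced


# Constructed sample in the shape of a fresh wp-config.php (the placeholder
# text is the one WordPress ships, as quoted in the article).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
define( 'DISALLOW_FILE_EDIT', true );
"""

if __name__ == "__main__":
    rotated, names = rotate_keys(SAMPLE_CONFIG)
    print(rotated)
    print("rotated:", ", ".join(names))
```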
c) Check the file permissions
As mentioned above, to keep it safe, wp-config.php should have a permission level of 600. If you haven't already, now is a good time to check it out. Use the instructions above to do so.
19. An integrity check of WordPress files alerts you when your site has been compromised
Doing a file integrity check means checking if there are any changes to the data on your site. When there is malware on your site, you will often see new files or file changes where the code is hidden.
Website File Changes Monitor is a security plugin for WordPress that checks your files against the originals and will send you an email when it detects modifications or files that do not match. In this way, you can detect hacks in time and find backdoors, malware and infected files.
20. Find weak links early with activity log
The above is best combined with an activity log. WP Activity Log, for example, tracks what users are doing on your site: what changes they make, when they log in, what settings change, and so on.
With this knowledge, you can find out who made a mistake when something goes wrong. You can also check if other users take any action that could compromise your website. It also helps to see if someone comes to your site and causes havoc, such as a user account that has been hacked or secretly added.
WordPress technical security measures
Alright, for the final part of our guide on how to secure WordPress, we'll look at some relatively complicated ways to protect your site. These will be quite technical so they can be intimidating. Don't let that scare you off though, everything is still very doable.
21. Use .htaccess to further block your site
.htaccess is a bit of a tricky file because it's hidden by default (like all files that start with a period). So if you can't find it on your server, it's probably because you can't see the hidden files.
The solution is quite simple. Your FTP client usually has a function that makes them appear. For example, in FileZilla, you find it under Server > Force Show Hidden Files. In cPanel, you can use these instructions.
Once you can see it, you can download and edit .htaccess. Please note that all code provided below should always be placed outside the # BEGIN WordPress and # END WordPress markers so that your changes are not overwritten with each update.
a) Harden your .htaccess and wp-config.php files
The .htaccess and wp-config.php files are the most important in your WordPress installation. Therefore, you must ensure that they are safe. The following snippets will limit external access to them.
# Deny access to wp-config.php and .htaccess
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
b) Limit access to wp-login.php to your own IP
In addition to the above, you can also add the code snippet below. This will not allow access to your site's login page for everyone except the defined IP. Make sure to fill in your own IP address so you don't get disconnected. If you don't know your IP address, you can find it here.
# Limit access to wp-login.php
<Files wp-login.php>
    Order deny,allow
    Deny from all
    # allow access from my IP address
    Allow from XXX.XXX.XXX.XXX
</Files>
You can also use this to limit access to wp-admin instead of password protecting it. Put an .htaccess file inside your wp-admin folder and include the following code in it.
# Limit access to wp-admin
<FilesMatch ".*">
    Order deny,allow
    Deny from all
    # allow access from my IP address
    Allow from XXX.XXX.XXX.XXX
</FilesMatch>
If you are using a dynamic and non-static IP, use these instructions.
c) Disable directory indexing and browsing
Any directory that is part of your website is browsable by default if it contains no index.html file. This is not good because it lets people see what is in your directories and potentially use it against you. Protect yourself from this by adding this line to .htaccess:
# Disable directory indexing and browsing
Options All -Indexes
d) Disable PHP execution in WordPress directories to keep hackers away
WordPress runs on PHP, so users need to be able to access and run PHP files on your site. However, hackers can also use this ability to run malicious files in those locations and keep back doors on your site. So it may make sense to block this ability in certain directories where you don't need it, such as the wp-content/uploads folder or wp-includes. You can create your own .htaccess file (just create a text file and name it like that) and add the following snippet:
# Disable PHP execution in this directory
<Files *.php>
    Order allow,deny
    Deny from all
</Files>
Now save the file and upload a copy of it to your uploads and wp-includes folder.
22. Disable error reporting and keep confidential information safe
Error reports are useful for troubleshooting and determining which specific plugin or theme is causing your WordPress website to malfunction.
However, when the system reports an error, it also displays your server path. Needless to say, this is a perfect opportunity for hackers to find out how and where they can exploit your site's vulnerabilities. You can disable this by adding the following code to your wp-config.php file:
// Disable error reporting
error_reporting(0);
@ini_set('display_errors', 0);
23. Remove WordPress version number to stop spreading vulnerabilities
Anyone who takes a look at your website source code will be able to tell which version of WordPress you are using.
Since each version of WordPress has public change logs detailing the list of bugs and security patches, they can easily determine which security holes they can exploit. Therefore, that is not information that you want to give.
Luckily, there is an easy solution. You can safely remove the WordPress version number from your site and RSS feed by editing your theme's functions.php file and adding the following:
// Remove WordPress version number from the head section
remove_action('wp_head', 'wp_generator');
// Remove WordPress version number from the RSS feed
function remove_version_from_rss() {
    return '';
}
add_filter('the_generator', 'remove_version_from_rss');
24. HTTP security headers solve browser weaknesses
Another way to secure your WordPress website is to implement security headers. They are directives that control how browsers interact with your server/site. You can see which headers are active on your site through the browser's developer tools.
You can also use this service to scan your site and find out.
They are typically set at the server level to prevent hacker attacks and reduce the number of security vulnerability exploits. You can add them yourself by modifying the .htaccess to keep web browsers safe from possible attackers.
Before implementing any of the following, be aware that it may affect your subdomains. So if you have any on your site, you may have to include them as well. If you don't want to add these headers manually, consider using a plugin like Security Headers. Make sure to test them using the tools above.
Avoid cross-site scripting attacks
This occurs when hackers inject malicious code into your website that is then loaded by the visitor's browser. To prevent the browser from loading malicious files, you can use the following code snippet:
header('Content-Security-Policy: default-src https:');
Prevent Iframe Clickjacking
Add the following line to tell the browser not to display a page in a frame. This helps prevent clickjacking.
header('X-Frame-Options: SAMEORIGIN');
Enable X-XSS and X-Content-Type-Options protection
Add the following lines to enable the browser's XSS filter and to tell Internet Explorer not to sniff MIME types. The latter prevents hackers from abusing that browser functionality to access your server files.
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
Enforce HTTPS
Add the following code to tell the browser to only use HTTPS. We have already discussed how using encryption helps keep data safe. Of course, to use this, your site has to actually work on HTTPS.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
Set the cookie with HTTPOnly and the security flag
Tell the browser to trust only the cookie set by the server and to send the cookie only over SSL channels by adding the following:
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
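As an added example (not code from the article), this Python check takes the response headers as (name, value) pairs copied from the browser's developer tools and reports which of the protections above are missing or too weak; the two samples are constructed. It checks Set-Cookie as actually sent, whatever PHP or WordPress setting produced it, and does not require the legacy X-XSS-Protection header because current browsers ignore it.

```python
"""Check a page's response headers against the hardening described above
(added example; not code from the article). Input is the list of
(name, value) pairs you can copy from the browser's developer tools; the
two samples at the bottom are constructed."""

MIN_HSTS_AGE = 31536000  # one year, the value in the article's snippet


def _all(headers, name):
    """All values for `name`, case-insensitive (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def _first(headers, name):
    values = _all(headers, name)
    return values[0] if values else None


def _directives(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000',
    'includesubdomains': ''}; keys lower-cased, flag directives map to ''."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means every header the
    article recommends is present with an acceptable value."""
    findings = []

    csp = _first(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp.lower():
        findings.append("Content-Security-Policy has no default-src fallback")

    xfo = _first(headers, "X-Frame-Options")
    if xfo is None or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    xcto = _first(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # X-XSS-Protection is not required here: current browsers ignore this
    # legacy header, so its absence changes nothing for visitors.

    hsts = _first(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = _directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    for cookie in _all(headers, "Set-Cookie"):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().lower() for p in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % cookie_name)
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % cookie_name)

    return findings


# Constructed samples: a default-looking response and a hardened one.
WEAK_SAMPLE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; path=/"),
]
HARDENED_SAMPLE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Content-Security-Policy", "default-src https:"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, "->", audit_headers(sample) or ["ok"])
```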
25. Use a firewall and stop attacks before they start
For the last two parts of this WordPress security guide, we want to talk about more premium options. One of them is to use a web application firewall (WAF). It's another layer of protection that you can set up before traffic hits your site.
Installing a firewall on your site offers many benefits. You can set rules about who can access your site and who cannot. It also controls and manages network traffic. You can block IPs and users, even entire countries that are blacklisted or have tried to damage your site in the past.
A firewall can also stop a DDoS attack in its tracks when it detects malicious traffic. That way, the traffic never reaches your web server and cannot slow it down.
There are free firewalls in some security plugins (see below). However, if you really want to get the most out of it, opt for a paid provider. As with hosting, you get what you pay for. Sucuri and Cloudflare are the gold standard in this area.
26. Lighten the load by installing a WordPress security plugin
The last tip on how to secure your WordPress site is to use a security plugin. There are a ton of all-in-one solutions out there that can do a lot of the things covered in this guide automatically. They will also alert you to weaknesses in your security settings.
Here are a few to choose from:
Please note that their feature sets differ. So do your research beforehand to choose the one most appropriate for your needs and skill level.
WordPress Website Security: Last Words
WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But being so widely used, it is also a favorite target of hackers.
Luckily, there are a number of steps you can take to protect your WordPress site. However, keep in mind that you don't have to do all of the things mentioned above. Follow basic best practices and you are ahead of the game.
After that, implement what you can and feel capable of doing. Security is an iterative process, not a one-time affair. You can always do more, but the most important thing is to get started.
What is your favorite WordPress security measure? Let us know in the comments.