WordPress Security – Complete Step By Step Guide

In the last 20 years, we managed hundreds of WordPress installations.

Repairing the damage after a compromise costs time and money, and it can cost you revenue and your visitors’ trust.

The question is not whether someone will try to attack your WordPress site, but when, and how much you have done in advance to reduce the risk.

Too often security only gets attention after a site has been compromised. Don’t wait for that.

Is WordPress Secure?

The short answer: the platform itself is, the way most sites run it often isn’t.

WordPress is the most used platform for building websites, far ahead of the next most popular CMS, and because of that market share it is the biggest bullseye: according to the data, roughly 95% of hacked CMS sites are WordPress-based.

So WordPress is an attractive target for attackers, and security is essential.

WordPress core is not free of vulnerabilities, but it is well maintained: the code is open source, has been through extensive security peer review, and core fixes ship quickly in automatic minor releases. Most real-world compromises do not come from core at all.

WordPress’s weaknesses come from its extensibility and flexibility: third-party plugins and themes, and the way a site is configured. A site is only as secure as its least secure plugin, and with tens of thousands of plugins available no two installations are alike.

WordPress can be configured in many ways. That makes it easy to build a secure site, and just as easy to build an insecure one.

Now let’s go through the steps you can take to make WordPress secure.

Many of these tips are specific to WordPress; others (such as strong passwords) apply to any website.

No site is unhackable, but these steps reduce your risk considerably. Attackers generally move on to easier targets, and unfortunately there are plenty of those.

1. Choose a Secure WordPress Hosting Provider

Even the most carefully hardened WordPress install doesn’t matter if your web host is compromised.

Your choice of WordPress hosting makes a difference: server hardening is the foundation of WordPress security.

Hosting companies are supposed to protect their customers, but they won’t disclose every aspect of their security setup, since that information would also help attackers.

There are, however, warning signs that a web host is not taking security seriously:

  • Outdated software – old control panels, unsupported PHP versions, an unpatched operating system.
  • Lack of transparency – outages and security breaches are not reported by the hosting provider.
  • No status page – there is nowhere to check the status of your services.
  • A single data center – a host shouldn’t have everything in one place; it is a risk to their business and to yours.
  • No DDoS mitigation – attackers can overwhelm a host’s network with a botnet, taking every customer offline.
  • Frequent downtime – not a security risk in itself, but a sign of how well operations are managed.
  • Weak password policy – if the host doesn’t require strong passwords for your account, other security areas are probably weak too.
  • No two-factor authentication – the control panel offers no second factor for administrators.

What type of web hosting should you select?

Choose the best type of hosting you can afford. Shared hosting is cheaper but less secure.

On shared hosting, compromising one website on the server is often enough for an attacker to reach the others, and in the worst case to escalate to root on the server and compromise every account on it.

A VPS (virtual private server), also sold as cloud hosting, is the next level up from shared hosting.

Shared hosting means your site shares a web server, and the same operating system, with many other customers.

A VPS is a virtual machine: an instance that behaves like a dedicated server but is managed by virtualization software on shared physical hardware.

A VPS isolates you from other customers far better than shared hosting, but it is still less isolated than dedicated hardware.

Managed WordPress hosting or a VPS offers security and reliability that shared plans can’t match.

It costs more than basic WordPress hosting, but your WordPress installation will be safer.

2. Check Your WordPress Site Health

Before changing anything, take stock of the current state of your WordPress install.

The WordPress developers know the security risks, and recent versions include a Site Health tool.

In WordPress, go to “Tools” and select “Site Health”.

The report gives a comprehensive overview of the installation and recommends improvements, including security ones.

The Info tab shows the versions of the software in use:

  • WordPress core
  • PHP
  • PHP configuration
  • Web server
  • Operating system and release
  • MySQL (or MariaDB)
  • Theme

The overview is only a snapshot of your installation. For a complete audit of the PHP configuration you can use a phpinfo() plugin, such as the PHPinfo() WordPress plugin.

Such a plugin runs PHP’s phpinfo() function, which lists the PHP build, the loaded modules, and any opcode cache used to improve performance. Keep in mind that this output tells an attacker a great deal about the server too: restrict it to administrators and remove the plugin when you are done.

Compare every version against what is currently supported, and verify that the versions you run are still receiving security fixes.

If you find unsupported versions, ask your hosting provider to upgrade them.

3. Keep WordPress Up-to-Date

Keep WordPress core, your themes, and your plugins up to date. Most compromises exploit known vulnerabilities that already have a fix available.

Always back up your WordPress site before applying updates.

In the WordPress admin menu, click “Dashboard” and then “Updates” to see everything that needs updating.

WordPress Core

Core updates can be automated: by default WordPress installs minor releases (security and maintenance updates) automatically, while major releases need to be applied manually or explicitly enabled.

WordPress Themes

Your choice of theme has a big effect on the user’s experience, and on security.

Themes are attacked too: a theme bundles its own functionality and third-party libraries, and those can carry vulnerabilities just like a plugin.

Installed WordPress Plugins

Attackers use insecure or outdated plugins to get in.

Fewer plugins generally means a smaller attack surface. For performance and security reasons, limit the number of plugins and customizations on your site.

Always run the latest version of every plugin. Once a vulnerability in a plugin becomes known, attackers scan the Internet for WordPress installations running that plugin and exploit it at scale.

Deactivate every plugin you no longer use, then delete it; a deactivated plugin’s files are still on the server and can still be reached by an attacker.

Separate WordPress Installations by Purpose

WordPress’s extensibility also makes it a performance hog.

Running separate WordPress installations for different purposes is an easy way to contain damage. When a plugin on our public site caused trouble, our membership section kept working because it didn’t use that plugin.

Each installation runs on its own subdomain.

Every installation is a separate entity, which makes the public part of our site more secure and faster to load (which also helps SEO).

Depending on your host, this setup may cost more, although many hosting plans include multiple sites.

4. Malware Scanning

Our Take

Sucuri has been our number-one WordPress security service since 2015. It has been a great tool for protecting our company and has prevented intrusions, and when we asked Sucuri to remove malware they responded quickly.

Malware infection is the most common form of WordPress hack, and it is often spotted first by outsiders (search engines and browsers flagging the site) rather than by the owner.

In our many years of working with web hosts, we’ve seen hundreds of WordPress sites infected with malware.

Malware is a threat to your site and beyond it: it can infect your visitors, steal data from WordPress, or spread to other websites.

Sucuri can detect malware on your site and help you remove it.

Sucuri scans your WordPress install for malware daily, and malware removal is included in the monthly fee.

Sucuri also offers a WordPress plugin with some free features that help harden a WordPress install.
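To show what a malware scan of this kind actually checks, here is an added example written for this guide; it is not Sucuri’s or WordPress’s code. It does two things a scanner does: compares core files against a checksum manifest (WordPress.org publishes a real MD5 manifest per core version; the one here is derived from constructed file contents) and looks for webshell signatures, flagging PHP files in the uploads directory along the way. The sample “install” is a constructed dictionary rather than files on disk.

```python
"""Core-file integrity check plus signature scan for a WordPress install.

Added example for this guide; not Sucuri's or WordPress's own code. File
contents and the checksum manifest are constructed for the demonstration.
A real scan would walk the install on disk and fetch the MD5 manifest for
the installed core version from WordPress.org.
"""
import hashlib
import re

# Constructed pristine core files; the manifest is derived from them, so the
# hashes are not those of real WordPress releases.
CLEAN_CORE = {
    "wp-includes/version.php": "<?php $wp_version = '6.5';",
    "wp-login.php": "<?php require 'wp-load.php';",
}
MANIFEST = {path: hashlib.md5(body.encode()).hexdigest() for path, body in CLEAN_CORE.items()}

# Patterns common in PHP webshells and injected backdoors.
SIGNATURES = [
    # eval of an obfuscated payload: eval(base64_decode(...)), eval(gzinflate(...))
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    # request parameter used as a function name: $_GET['c']($_POST['a'])
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\("),
    # preg_replace with the removed /e modifier, which executed the replacement as code
    re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
]

def scan(files):
    """files: {relative path: file text}. Returns a list of (finding, path)."""
    findings = []
    for path in MANIFEST:
        if path not in files:
            findings.append(("missing-core", path))
    for path, body in files.items():
        if path in MANIFEST and hashlib.md5(body.encode()).hexdigest() != MANIFEST[path]:
            findings.append(("modified-core", path))      # tampered or backdoored core file
        if path.startswith("wp-content/uploads/") and path.endswith(".php"):
            findings.append(("php-in-uploads", path))     # uploads should never hold PHP
        if any(sig.search(body) for sig in SIGNATURES):
            findings.append(("signature", path))
    return findings

# Constructed infected install for the demonstration.
SAMPLE_SITE = {
    "wp-includes/version.php": CLEAN_CORE["wp-includes/version.php"],
    # Backdoor appended to a core file: the hash no longer matches the manifest.
    "wp-login.php": CLEAN_CORE["wp-login.php"] + " eval(base64_decode('cGhwaW5mbygpOw=='));",
    # Webshell dropped into the uploads directory.
    "wp-content/uploads/2024/05/image.php": "<?php $_GET['c']($_POST['a']);",
    "wp-content/themes/mytheme/style.css": "body { color: #333; }",
}

def scan_sample():
    return scan(SAMPLE_SITE)

if __name__ == "__main__":
    for finding, path in scan_sample():
        print(f"{finding:15} {path}")
```

Two caveats a practitioner should keep in mind: signature matching produces false positives (legitimate plugins call base64_decode), so treat a “signature” hit as something to read, not something to delete blindly; and a scanner running on a compromised server can be fed false results by the attacker, which is why the integrity manifest should come from WordPress.org and not from the box being checked.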

5. Back Up WordPress

Our Take

Backups are as crucial as any other security measure for maintaining your WordPress site.

Have your own backup plan for the site, even if your web host takes backups too.

Keep multiple backups going back in time. Malware may have been present for months before you notice it, and a single rolling backup will just contain the infection; you need a copy from before the compromise.

If you are serious about your WordPress site, the BlogVault plugin is worth it. You can restore a backup in minutes.

BlogVault also provides a firewall, uptime monitoring, and automatic WordPress updates.

6. Use Strong Passwords

Don’t use the Spaceballs password “12345” for your WordPress login.

Sadly, people still do. These are Lookout’s top 10 most common passwords:

  1. 123456
  2. 123456789
  3. Qwerty
  4. Password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. Qwerty123

A password manager is the best way to manage all your passwords. Use these parameters for every password:

  • 16 to 24 characters
  • Unique and not shared with any other service
  • A mix of uppercase, lowercase, numbers, and special characters (e.g. &, %, $ or !)
  • Never stored anywhere publicly accessible

Sign Up for a Password Manager

Our Take

Our preferred password manager is 1Password.

Instead of writing passwords on Post-It notes, use a password manager.

1Password is simple to set up and a must-have for anyone who uses the internet. We manage over 1,600 passwords with it.

Set Up Two-Factor Authentication

Turn WordPress login security up to 11 with two-factor authentication.

With two-factor authentication, knowing the password is not enough. The second factor is one of:

  • Something you are: your fingerprint, hand, or eye.
  • Something you have: a key fob, an RFID card, or an authenticator app on your phone.

A phone app is a convenient way to add a second factor to your website, although it is more tedious than a hardware key and less secure than the other methods.

Google Authenticator is a free app for Android and iPhone, but we don’t recommend it.

We recommend Authy Desktop. 1Password also supports two-factor codes, but we prefer to keep passwords and two-factor secrets in separate applications/services, so that if one is compromised the other stays secure.

Two-factor authentication on WordPress requires a plugin.

The premium edition of the plugin we use includes:

  • Trusted devices for 30 days
  • Enable/disable per user
  • Emergency codes

7. Install a Web Application Firewall

Our Take

Cloudflare offers many security features and speeds your site up at the same time. On the “Pro” plan, its Web Application Firewall protects your site from botnets and large-scale automated attacks.

Attackers no longer find insecure servers by hand. They run millions of bots that scan the Internet for vulnerable software.

Statista reported that in 2016, 51.8% of online traffic was generated by bots.

Assume it is higher now. Worse, bots can pose as real users of your website, submitting bogus data and committing click fraud.

Cloudflare can help secure your WordPress installation by stopping attackers before they reach your server.

Wordfence is a WordPress security plugin that does much the same thing as Cloudflare, but at the WordPress level, as do Jetpack and similar plugins.

Security is important, but we prefer it higher up the network chain: a plugin-level firewall runs inside PHP on every request and slows WordPress down unnecessarily.

Attacks are now widely distributed because attackers control millions of compromised machines; you may not see the same IP address twice in days.

For that reason we don’t recommend relying on plugins that lock out an IP address after three failed login attempts: a distributed attack never trips the threshold.

What Cloudflare Offers

Cloudflare has a free plan, but we strongly recommend the $20/month “Pro” plan.

Cloudflare provides these services:

  • DNS hosting
  • DDoS protection
  • Web Application Firewall (WAF) (Pro plan)
  • Managed Rules (Pro plan)
  • Page caching
  • Minification of HTML, CSS, and JavaScript
  • Free SSL/TLS certificates

Firewall Rules

Cloudflare provides many security options to protect your WordPress installation.

In a typical 24-hour period these rules block a significant amount of traffic to our site.

Here is how we recommend setting up Cloudflare’s firewall rules. Order matters: rules are evaluated in sequence, and the first match wins.

Allow Bots

First, make sure the legitimate bots that crawl and monitor your site (search engines, uptime monitors) are allowed through, so that none of the later rules block them. Cloudflare’s known-bots list (the cf.client.bot field) identifies these.

Block ‘Bad Actor’ Countries

We don’t do business in every country, and our content is in English, so we don’t mind losing countries where language is already a barrier.

The second rule blocks access from countries we don’t want traffic from: go straight to jail. This is our Cloudflare rule, with the action set to Block (the codes are the ISO country codes of the countries listed below):

(ip.geoip.country in {"RU" "KP" "NG" "IR" "AF" "IQ" "UA" "VE" "CU" "TR" "BD" "PK" "NP" "RO" "EE" "LV" "SY" "EG" "HT" "SO" "YE" "ZW" "CG" "CD" "ER" "CF" "KE" "BR"})

The rule blocks access to our site from the following countries:

  • Russian Federation
  • North Korea
  • Nigeria
  • Iran
  • Afghanistan
  • Iraq
  • Ukraine
  • Venezuela
  • Cuba
  • Turkey
  • Bangladesh
  • Pakistan
  • Nepal
  • Romania
  • Estonia
  • Latvia
  • Syria
  • Egypt
  • Haiti
  • Somalia
  • Yemen
  • Zimbabwe
  • Congo (Brazzaville)
  • Congo (Kinshasa)
  • Eritrea
  • Central African Republic
  • Kenya
  • Brazil

Surprisingly, the vast majority of our attacks come from Venezuela and Cuba.

Your list will differ. Be flexible.

Although we get very little legitimate traffic from China, it is a significant source of bot traffic, so we decided to put China behind the bot challenge rule (see next section).

Our friend Steve gets lots of visitors from this region and would not block it.

GDPR was another factor for our blog Investor Junkie.

To avoid the hassles of GDPR compliance, we chose to block all EU countries from that site. The financial companies we work with also have to comply with FATCA in the USA.

Those firms would not accept applications from foreign residents anyway, so those visitors got no value from the blog. Unfortunately, we could not serve either audience.

Block Bots

The next rule covers countries we do accept traffic from, but which are a high-risk source of bot traffic:

(ip.geoip.country in {"IN" "CN"})

  • India
  • China (Mainland)

This rule uses Cloudflare’s Managed Challenge action: the visitor sees a challenge page on their first visit.

Bots fail it; a human gets through. The interstitial page is annoying (it increases bounce rate), but that is a trade-off we are willing to make for high-risk countries.

Enable Managed Rules

Cloudflare provides thousands of pre-built firewall rules (Managed Rules) that protect your site against known attacks. Each rule can be set to one of these modes:

  • Default: keep the action Cloudflare sets for the rule
  • Block: deny the request
  • Disable: turn the rule off
  • Simulate: take no action, only log the event
  • Challenge: make the visitor prove they are a human, not a bot

Each rule has its own default mode.

We modified the rules to meet our requirements and to fix problems with our website’s setup. Watch for false positives, and keep an eye on your Cloudflare traffic reports; Simulate mode is the safe way to test a rule before enforcing it.
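The three custom rules above only behave as intended because of their order. The added example below, written for this guide and not Cloudflare’s code, models them as an ordered list where the first match wins, and adds the simulate mode from the Managed Rules section so you can see what a rule would have done without enforcing it. The request records are constructed; their country and known_bot fields stand in for Cloudflare’s ip.geoip.country and cf.client.bot.

```python
"""Ordered firewall-rule evaluation modelled on the Cloudflare setup above.

Added example for this guide, not Cloudflare's code. Requests are constructed;
`country` and `known_bot` stand in for ip.geoip.country and cf.client.bot.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Request:
    ip: str
    country: str               # two-letter ISO code
    known_bot: bool = False    # verified crawler or monitor

@dataclass
class Rule:
    name: str
    match: Callable[[Request], bool]
    action: str                # allow | block | managed_challenge
    simulate: bool = False     # log the match, take no action

BLOCKED = {"RU", "KP", "NG", "IR", "AF", "IQ", "UA", "VE", "CU", "TR", "BD", "PK", "NP",
           "RO", "EE", "LV", "SY", "EG", "HT", "SO", "YE", "ZW", "CG", "CD", "ER", "CF", "KE", "BR"}
CHALLENGED = {"IN", "CN"}

RULES = [
    Rule("allow known bots", lambda r: r.known_bot, "allow"),
    Rule("block bad-actor countries", lambda r: r.country in BLOCKED, "block"),
    Rule("challenge high-risk countries", lambda r: r.country in CHALLENGED, "managed_challenge"),
]

def evaluate(req: Request, rules: List[Rule] = RULES, log: Optional[list] = None) -> str:
    """First matching rule decides. A simulated rule is logged and skipped, so the
    request continues to the next rule as if the simulated rule were absent."""
    for rule in rules:
        if rule.match(req):
            if log is not None:
                log.append((rule.name, rule.action, req.ip, rule.simulate))
            if not rule.simulate:
                return rule.action
    return "allow"   # no rule matched: default action

# Constructed requests (documentation IP ranges).
SAMPLE = [
    Request("203.0.113.7", "US"),
    Request("198.51.100.9", "VE"),
    Request("192.0.2.44", "IN"),
    Request("192.0.2.99", "BR", known_bot=True),   # e.g. a crawler node in a blocked country
]

def run_sample(rules: List[Rule] = RULES) -> dict:
    return {r.ip: evaluate(r, rules) for r in SAMPLE}

def wrong_order() -> dict:
    """Country block placed ahead of the bot allow rule: the crawler gets blocked."""
    return run_sample([RULES[1], RULES[0], RULES[2]])

def simulated_block():
    """Country block in simulate mode: nothing is blocked, but the log shows what
    would have been, which is what you review for false positives."""
    log = []
    rules = [RULES[0], Rule("block bad-actor countries", RULES[1].match, "block", simulate=True), RULES[2]]
    actions = {r.ip: evaluate(r, rules, log) for r in SAMPLE}
    return actions, log

if __name__ == "__main__":
    print("correct order:", run_sample())
    print("wrong order:  ", wrong_order())
```

The wrong_order case is the mistake the “Allow bots” step exists to prevent: a country block that runs before the bot allow-list silently cuts off a search crawler or uptime monitor that happens to probe from a blocked region.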

8. Enable SSL

Make sure your site is served over HTTPS. Cloudflare’s free certificate covers the visitor-to-Cloudflare leg; set Cloudflare’s encryption mode to Full (strict) so the Cloudflare-to-origin leg is encrypted and verified too, and set the WordPress Address and Site Address to https:// so that logins and cookies are never sent in the clear.

9. Log Capture and Analysis

Our Take

Get alerts and keep track of WordPress events, such as user and plugin changes. Use it for auditing and securing your website.

Build an audit trail of WordPress events.

WordPress does not do this out of the box. Sites that handle private or payment data may need it for PCI DSS compliance.

An activity log plugin captures every WordPress event and can ship it to a remote server, so that an attacker who gains admin access cannot simply delete the evidence. Events worth capturing include:

  • Sign-ins to wp-admin, successful and failed
  • Installation, update, and deletion of plugins and themes

WP Activity Log is the plugin we use on our WooCommerce membership site. It keeps track of every event on your WordPress install.
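Capturing events is only half the job; something has to look at them. The added example below, written for this guide and not the WP Activity Log plugin’s code, runs detection logic over constructed activity-log lines in an assumed JSON-lines format (fields ts, event, user, ip, item, new_user, role; the real plugin’s schema differs). It flags a distributed brute-force attempt against one account (many IPs, each seen once, which is exactly the pattern a per-IP lockout misses), plugin or theme changes by anyone outside an assumed list of approved users, and the creation of a new administrator account.

```python
"""Detection logic over WordPress activity-log events.

Added example for this guide, not the WP Activity Log plugin's code. The event
format and the sample events are constructed for the demonstration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_CHANGE_USERS = {"ops"}              # assumed: who may change plugins/themes
SPRAY_IPS, SPRAY_WINDOW = 10, timedelta(minutes=10)   # distinct IPs per account per window

def parse(log_text: str) -> list:
    """Parse JSON lines and sort by timestamp (remotely shipped logs can arrive out of order)."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])

def detect(events: list) -> list:
    alerts = []
    failures = defaultdict(list)             # account -> [(time, ip), ...]
    for e in events:
        kind = e["event"]
        if kind == "login_failed":
            hist = failures[e["user"]]
            hist.append((e["time"], e["ip"]))
            # Count distinct source IPs per account, not attempts per IP.
            recent_ips = {ip for t, ip in hist if e["time"] - t <= SPRAY_WINDOW}
            if len(recent_ips) >= SPRAY_IPS:
                alerts.append(("distributed-brute-force", e["user"]))
                hist.clear()                 # one alert per burst, not one per attempt
        elif (kind in ("plugin_installed", "plugin_updated", "theme_installed")
              and e["user"] not in APPROVED_CHANGE_USERS):
            alerts.append(("unapproved-change", f'{e["user"]}:{e["item"]}'))
        elif kind == "user_created" and e.get("role") == "administrator":
            alerts.append(("new-admin", e["new_user"]))
    return alerts

# Constructed sample: 12 failed logins for "admin" from 12 different IPs inside one
# minute, two failures for "editor" from one IP, an approved plugin install, an
# unapproved one, and a new administrator account.
_events = [{"ts": "2024-05-01T02:00:%02dZ" % (i * 4), "event": "login_failed",
            "user": "admin", "ip": "203.0.113.%d" % i} for i in range(12)]
_events += [
    {"ts": "2024-05-01T02:10:00Z", "event": "login_failed", "user": "editor", "ip": "198.51.100.5"},
    {"ts": "2024-05-01T02:10:20Z", "event": "login_failed", "user": "editor", "ip": "198.51.100.5"},
    {"ts": "2024-05-01T03:00:00Z", "event": "plugin_installed", "user": "ops", "item": "wp-activity-log"},
    {"ts": "2024-05-01T03:05:00Z", "event": "plugin_installed", "user": "editor", "item": "some-plugin"},
    {"ts": "2024-05-01T03:06:00Z", "event": "user_created", "user": "editor",
     "new_user": "support2", "role": "administrator"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _events)

def run_sample() -> list:
    return detect(parse(SAMPLE_LOG))

def single_ip_retries() -> list:
    """Same number of failures from one IP: below the distinct-IP threshold, no alert."""
    lines = [json.dumps({"ts": "2024-05-01T04:00:%02dZ" % i, "event": "login_failed",
                         "user": "admin", "ip": "198.51.100.7"}) for i in range(12)]
    return detect(parse("\n".join(lines)))

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note that the single-IP case deliberately does not alert: that is the job of a rate limit or lockout, while the per-account distinct-IP count is what catches the distributed attack described in the firewall section.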
