Top ten best practices to keep your WordPress installation from getting hacked
WordPress is a very powerful tool to create beautiful websites, and as of April 2023 it powers over 43% of all websites on the internet. However, with such success, it is prone to exploits and hacks. The smallest threat is actually quite big: software can be injected into your site while your site remains functional, meant to harm your control of your webpage. This software is known as malware and can steal your administrative rights, spread problems to other sites and block you from using the data you and your customers access on a daily basis. The worst-case scenario is that your site can be destroyed and exploited to serve malware on other sites, machines, or in other companies. Bots are gonna bot, so it is best to follow these ten best practices to keep your WordPress installation secure and prevent it from getting hacked and infected with malware.
1 – Make sure all active plug-ins are regularly updated
Outdated plug-ins are the easiest pathways for malware to infect and destroy your website. It is of vital importance to keep all plug-ins updated. There are several ways to do this, but here are the two simplest methods.
The easiest method is to turn on “auto-updates” and have some peace of mind. This is a bit of a shortcut to updates, but many people do it… and then they come to regret it later.
When you turn on auto-updates, you run the risk of an auto-update on one particular plug-in not “playing nicely” with another plug-in. Sometimes WordPress core itself will not cooperate with the updates, resulting in a break of service to your website. You could end up with the horrid “Critical Error” page at 03:00 in the morning while you are hopefully blissfully sleeping. From personal experience, best to avoid that.
The better option is to run updates on a staging server once a week (or month) and update each plug-in one by one. It takes more time, but it is better than having a panic attack because you just broke your own website or your client’s live website that sits in production and then you will have to quickly figure out how to get the broken website back online ASAP.
2 – Have backups in place to “roll back” in case of any issues
Backups are vital. It’s possible your website could be hacked (like discussed above) or the site could break due to a poorly written or installed update. You do have a backup plan in place, yes? Good. But just in case you don’t, here are some options.
Many web hosting services have backup plans included in their hosting plans. Be sure that it is turned on and active. This is the easiest and most hassle-free option. Also, check out how many versions are kept. Many keep daily backups for 30 days. However, if only a couple of versions are kept and whatever problem is not immediately noticed, you might not be able to recover to a clean version of your site. That is a real issue for anyone who is trying to keep a streamlined and efficient business going.
I use two different backup plug-ins. You might choose different ones, but the plug-in choice isn’t of real importance. What matters is that the backup plans are used and that you are able to easily restore from backup. The first backup system I use is Updraft-Plus. This is useful when the web hosting service provides staging servers and you only need to back up your site. You just need to be able to easily roll back. The second is WP Staging Pro. This has the added bonus that you can manage both staging servers and complete backups of all files and your database. I connect both these plug-ins to remote storage and have scheduled backup plans.
3 – Get notifications if your site goes down
It’s never great news when a site does break and go offline. But, the quicker you get notified, the quicker you can resolve the issue and get everything back online.
The Jetpack plug-in offers this service and also will sometimes even let you know which plug-in broke the site so you can roll back. That way you don’t have to debug each plug-in one by one. Very helpful tool. Another service is UpTimeRobot. This service pings your website every 5 or 10 minutes (or whatever increment you set up) and sends you an email if the site is down and when it goes back online. It doesn’t tell you why the site is down, other than the 500 or 400 codes, but it’s definitely useful. Both of these services are “freemium” where you can pay for more options, but the free versions both work fine for notifications. Also, just be aware that it is very common for sites to “go offline” for a short time and come back online without any intervention on your part. So don’t necessarily panic when you get a notification but do go check for yourself.
4 – Install basic application-level firewalls and turn on two-factor authentication (2FA)
There are many different security plug-ins to chose from. There are paid ones that will also put your site into their cloud proxy servers and that is great, but not everyone can afford that – usually around a $200/year price point. There are some good free ones, for example WordFence and Defender are both good. They provide malware scans, allow for 2FA when logging in, put local firewalls in place, and stop brute-force attacks. The downside of local firewalls is that if your site receives a ton of bad traffic from an intended attacker which the firewall(s) try to defend against, the site can still get overwhelmed and go offline. At the very least, it is a good idea to ensure that all admin users for your site and your administration pages must use two-factor authentication when logging in. When choosing the level of protection for your site, your level of protection is determined by what you (or your client) can afford.
5 – Make sure the user “admin” is not being used as that is an easy line of brute-force attack
Most attacks these days are done by bots trying to propagate their malware. It’s super annoying, but rarely targeted at your site specifically. The easiest way for the bots to attack through brute-force is to try and log in on /wp-admin page using the account “admin”. At the very least, when you’re setting up your administration of the site, ensure that the user account “admin” does not exist in your WordPress instance. If you leave it there, it is insecure and highly unprofessional. Other similar account names used to attack are “administator” and the hostname for your website. In my case, this means “murchstudio” will not exist in my account list. Be sure NOT to use names of your business or roles within your company as usernames for your various log in accounts.
6 – Make sure all pages and posts are published by a user that does not have admin privileges
Another way that site can be easily attacked is by making the username of the account public (e.g.; it publishes the post or page). If this account has administrator privileges, it can be exploited. So, it’s best to ensure that all public facing posts are published by accounts that only have “editor” privileges.
7 – Review “Site Health Status”
A helpful tool provided by WordPress software is “Site Health Status”. Usually, you find this on the front page of the Dashboard, but you can access it at
https://examplesite.com/wp-admin/site-health.php There you can see “critical issues” if your site has any, and also there might be “recommended improvements” suggested as well. You can follow the steps to help improve the security and performance of your site if there are any issues.
8 – Make sure your site is secured with an TLS/SSL certificate
Your website address must start with https://. Not having a website that starts with https:// makes you and your visitors more vulnerable to exploits. Most browsers these days won’t even really direct web traffic to “non-secure” sites without a warning. Be sure to install TLS/SSL certificates on your website. On the server side, you can turn on automatic SSL certificates that usually are valid for 90 days and will automatically renew every 90 days if you use the certificate authority of “Let’s Encrypt”. There are various ways to ensure that all your website content is being served over
https://. This can be done on the server side or with plug-ins on the front end. But be sure to do one or the other, otherwise, you can send your traffic into an endless loop. Do not want.
9 – Delete unused plug-ins and themes
It is common to install plug-ins and themes and then stop using them as your needs change over the lifetime of your website. Once you have verified that you will no longer be using them, be sure to delete unused plug-ins and themes. If you leave them installed, it can be another pathway to malware being injected into your site as it’s common for them to become outdated. However, always leave one official WordPress theme installed as a fallback incase for some reason your active theme breaks. I usually leave the latest version, so in this case Twenty Twenty-Three.
10 - Check your site security
There are several websites that will check your site for security vulnerabilities and give recommendations. It’s not necessary, but is very good practice to check your site, even if you only use the free check. The free scan by nature will have limited capabilities and then will want to sell your additional services. A decent scan can be done by Mozilla Foundation which offers their site-check service at https://observatory.mozilla.org/. Two other good examples are Immuniweb https://www.immuniweb.com/ssl/ and Sucuri https://sitecheck.sucuri.net/
I hope these tips help you lock down your site to prevent malware injections, site takeovers, and downtime. In an ideal world, we could just put up the files and browse the web without any worries, but that is not reality. So, preparation and prevention are keys to online security.
This list is by no means meant to be the be-all and end-all, but lessons that I have learned along the way. Please add your suggestions of things your feel are important. If you would like me to secure or build your website, please get in touch. Either way, I look forward to hearing from you.
digital doula, builder-of-websites, photographer, wife, mother, daughter, sister, aunt, woman, immigrant, friend, traveler, geek, and observer