A common misconception is that malicious hackers only target websites with large income, or those that store valuable sensitive information. However, WordPress websites generally get a lot of unwanted attention, which is why it’s important to take preventive measures from the get-go.
The good news is that (on top of basic measures such as having a robust updating strategy) WordPress offers you a lot of options to protect your website against hack attacks. Even simple implementations, such as enabling Two-Factor Authentication (2FA) can drastically improve the security of your website or eCommerce store.
In this article, we’ll talk about why preemptive WordPress security is the way to go. We will also highlight five preventive WordPress security measures, so you won’t have to deal with messy cleanups afterward. Let’s get to work!
Why prevention is essential in WordPress security
Spending time on preemptive security is a lot like getting travel insurance before heading to a safe and well-known country. It’s a step that’s usually forgotten about by many travelers – until your hotel room is ransacked. From then on, travel insurance is always a top priority.
WordPress security works pretty much the same, although there are usually ways to clean up your site after a hack attack. However, with a little extra work, you can take the necessary preventive measures to protect your site against most common attacks in the first place. This is important because WordPress websites get a lot of malicious attention due to the platform’s popularity.
It also doesn’t matter if your site doesn’t handle sensitive data either, because most WordPress attacks are non-targeted. In fact even small websites do get hacked to be used for black hat Search Engine Optimization (SEO), DDoS attacks, malware distribution, and more. In short, preemptive security is definitely the way to go with WordPress.
7 ways to prevent attacks on your WordPress website
Protecting your WordPress website from most attacks isn’t as difficult as you’d imagine. Adopting just one of the measures below will help immensely, but for the maximum effect, you’ll want to implement them all.
1. Keep WordPress and all other software up to date
This is the easiest one to do: keep WordPress core, theme and WordPress plugins up to date. Always install the latest version of the software you use to benefit from the latest features, technology and more secure software. This applies to all software you use, including all software on your laptop, smartphone and web server. If you know how, you should also always update the firmware of all the hardware you use at home, such as the wireless router and internet modem.
2. Use Two-Factor Authentication (2FA)
By default, you only need a username and a password to login to your WordPress website. However, you can install a two-factor authentication WordPress plugin to add in an extra factor and drastically increase the security of your WordPress website login.
In practice, the second factor can come in different guises. For example, you can have your site send a one-time code via email, which users will need to input to log in. You can also have them use a dedicated app, such as Google Authenticator to generate unique codes:
The best part about 2FA is it prevents an attacker from logging in, even in a scenario where they know your username and password. Without the second factor, which is usually associated to your email or smartphone, access is restricted. This can give you enough time to update your password and stop attacks in their tracks.
As for how to implement 2FA in WordPress, your best bet is to use a plugin. There are a lot of great options to choose from and most of the best ones are free. We’ve covered these plugins in our best two-factor plugins for WordPress, so go and check out that article!
3. Maintain an audit log (activity log) to monitor your WordPress
We’ve talked a lot about activity logs in the past and it’s not without reason. WordPress activity logs essentially enable you to keep tabs on your website’s users and under the hood activity.
For example, if someone attempts to log in multiple times, it’s worthy of investigation. The same goes for cases where you can see changes made to the website, such as plugins installs, theme changes or WordPress settings changes without your authorization.\
With the right WordPress activity log plugin you will keep a close eye on what is happening on your website, what your users are doing, and how attackers are trying to hack into it.
As for your choice of activity log plugins, we recommend our own WP Security Audit Log. It is the activity log with the most comprehensive logs and best coverage. Go ahead and try the free edition of our WordPress activity log plugin to see how many benefits there are to keeping an audit log on your WordPress website.
In the premium edition you can also configure SMS notifications, so you are instantly alerted of critical changes on your WordPress website.
4. Enforce strong password policies
Let’s be honest – most people are terrible when it comes to the passwords they use. This isn’t an exaggeration either. Reading about some of the worst passwords habits and why people do not use secure passwords can be enough to make you lose faith in humanity.
The problem lies in the lack of knowledge most users have about passwords and best practices. In practice, this means there’s a large percentage of people using easy-to-crack passwords, who keep repeating them across multiple accounts.
You should educate your users about the importance of strong passwords and passwords management (so they always use strong passwords). However, enforcing their use is also very important. As such, you’ll drastically limit the risk of accounts on your website getting broken into.
WordPress is pretty good about telling you if you’re setting a password it deems unsafe. However, it doesn’t enforces the use of strong passwords. To do this, you’ll want to use the plugin Password Policy Manager for WordPress:
With the Password Policy Manager for WordPress plugin you create policies for the passwords that people use on your website. You can be as lenient or thorough as you want, and you can configure different password policies for different WordPress user roles. With the plugin you can also reset the passwords for all users in WordPress.
5. Scan your WordPress website for file changes
Changes to files on a WordPress website happen quite often. For example, they happen when you:
- upload an image or a media file
- install, update or uninstall a WordPress plugin
- install, update or uninstall a theme
- update the WordPress core.
All of these file changes are desired. However, other file changes can be malicious, or done by mistake (which could lead to sensitive data exposure / leak). For example a developer leaves a backup file that exposes database connection details and passwords, or a hacker injects malware in your theme’s header.php file. By running WordPress file integrity scans you can easily identify file edits done by mistake, developers’ left-over files and malware injections.
To be automatically alerted via email of file changes on your WordPress website install the Website File Changes Monitor plugin. We developed this plugin ourselves to address the shortcomings of other file scanning and changes plugin. For example when you update or install a new theme, the Website File Changes Monitor plugin does not alert you of hundreds of file changes. Instead it alerts you of the change on the website, allowing you to review the file changes, without raising any false alarms.
6. Disable or delete unused software, services and users
Sometimes you install a plugin or a software to complete a one off task. Sometimes you also create a temporary user on your WordPress website for a developer or contractor to help you with a task. However, very often we forget about these temporary software and plugin installs, and WordPress users.
Unused software and dormant WordPress users are a prime easy target for malicious attackers. Unused software is often forgotten, so it is never updated. The same happens with users, even if you enforce password policies. Dormant users are not used, so they will not change their password every so often, making it possible for an attacker to guess their password.
As a rule of thumb, you should always delete any unused software, plugins, themes and users. As a safety net you should also enable the dormant WordPress users policy so inactive users are locked out, making it impossible for attackers to hijack them.
7. Install a Firewall Plugin or Service
Firewall software sits between the internet and your WordPress website. It analyzes every incoming connection request before it reaches your website and blocks the malicious ones. Refer to the guide to WordPress firewalls for more detailed information on how they work and what options you have.
One of our favorite firewall and security plugins is Malcare. As part of the firewall feture Malcare enables you to harden your login page to prevent brute-force attacks, automatically scans your site for malware and more. We use Malcare and have also written a detailed review about it.
Another favorite WordPress firewall solution is Sucuri. It is an online WordPress firewall and we use it as well for some of our websites. You can read about our positive experience with Sucuri and why we use them in the WordPress firewall review we’ve written.
The good thing about both Sucuri and Malcare is that they both do free WordPress malware cleanups and have an excellent customer service.
In summary: preventing WordPress hack attacks
Unfortunately, attacks on WordPress websites are an everyday occurrence. However, this doesn’t mean your site needs to become part of the statistic. With a little prevention work, you can secure your website against most low-level attacks, and practically ensure that you won’t have to deal with the fallout.
Let’s recap seven of the best ways to protect WordPress against attacks:
- Keep all your software, WordPress core, plugins & themes up to date
- Implement Two-Factor authentication (2FA)
- Keep an activity log to monitor your website
- Enforce strong password policies
- Scan your WordPress website for file changes
- Disable or delete any unused software, services and WordPress users
- Set up a security plugin and / or a WordPress firewall.