How to improve WordPress security
Content management systems (CMS) are software applications that help users build, manage, and customize websites without needing to write the code themselves. WordPress is one of the most popular content management systems in the world, and as such, presents a high-value target for cyber attackers.
WordPress’ own internal teams provide regular security updates and patches for newly-discovered vulnerabilities in their system, but WordPress users can also take several steps to ensure that their sites remain secure against known and emerging threats. Most of these steps fall into one of two categories: threat elimination and risk reduction.
Threat elimination focuses on eliminating cyber attacks and other threats. For example, a WordPress user might install a firewall to filter malicious traffic and mitigate distributed denial-of-service (DDoS) attacks, or choose a hosting provider that offers built-in security features.
Risk reduction refers to proactive security practices, like changing the default WordPress database prefix so that attackers cannot easily locate it, enforcing stringent user access requirements, and conducting regular security scans.
How secure is WordPress?
While WordPress is a powerful and flexible tool, it is not immune to cyber attacks, vulnerabilities, or other risks introduced by user error.
Common WordPress attacks
- Password-based attacks: Brute force attacks, in which attackers repeatedly enter different sets of user credentials (username and password combinations) into a login page, are often used to gain unauthorized entry into a WordPress account. Other forms of password attacks include credential stuffing and dictionary attacks.
- Cross-site scripting (XSS): XSS allows malicious code to be injected into a WordPress site. This is most commonly carried out via WordPress plugins.
- SQL injection (SQLi): Sometimes called database injection, SQLi attacks inject malicious code into a WordPress site via data entry fields (e.g. contact forms).
- DDoS attacks: DDoS attacks flood WordPress websites with a high volume of unwanted traffic, forcing severe performance degradation or service disruption.
- Outdated versions of WordPress: WordPress regularly updates their core software to patch existing vulnerabilities and strengthen their defenses against emerging threats. Older versions of WordPress do not have these protections, and may remain susceptible to attacks.
- Third-party themes and plugins: Third-party WordPress themes and plugins provide a wide range of functionalities, but may not always conform to the latest security requirements. As such, they can create risk when installed on a WordPress site.
- Backdoors: Once a WordPress account has been breached by an attacker, a backdoor — a covert method of bypassing security measures — can be created. Backdoors allow attackers to repeatedly access a WordPress site or launch further attacks.
- Weak user authentication: Failing to practice proper password hygiene (creating strong passwords, regularly changing passwords, and so on) or implement multi-factor authentication (MFA) can increase the risk of a breach.
- Default WordPress settings: WordPress has several default settings that make it easy for attackers to identify common entry points (e.g. the /wp-login.php URL) and sensitive site information (e.g. the wp-config.php file).
WordPress security best practices
There are several steps users can take to protect WordPress websites from common cyber threats and known vulnerabilities. These typically fall into one of the following categories: site setup, proactive security features, user access, user permissions, and site security updates.
Secure site setup
- Use secure WordPress hosting. A WordPress website is only as secure as its hosting provider (a third-party service that serves content on behalf of users). Choose a host that can defend against sophisticated attacks, help scan for emerging vulnerabilities and threats, and provide disaster recovery resources.
- Change the default WordPress login page URL and database prefix. These URLS — which end in /wp-login.php and /wp-admin, respectively — are enabled by default on all WordPress sites, making them easy for attackers to find. They can be renamed in order to help avoid brute force attacks and other targeted threats.
- Move the wp-config.php file. The wp-config.php file includes WordPress security keys and other sensitive WordPress installation details. Unfortunately, it is also easy to find. Move the file above the WordPress root directory to make it difficult for attackers to locate.
- Install a secure WordPress theme. Some WordPress themes have not been updated to support the most recent version of WordPress or may not be compliant with existing WordPress security standards. As a result, they may be more easily exploited by attackers. Select a theme that is included in the WordPress theme directory, or run it through a WordPress theme validator prior to installation.
- Hide the WordPress version being used. Many WordPress attacks exploit vulnerabilities that are specific to different versions of WordPress. By hiding the version of WordPress they are using, users may be able to avoid these threats, or make it challenging for attackers to pinpoint existing weaknesses in their sites.
Install proactive security features
- Use an SSL/TLS certificate. Secure Socket Layer (SSL), also known as Transport Layer Security (TLS), is a security protocol that helps secure and encrypt data transmitted across the web. SSL certificates can be obtained from hosting providers or third-party security services like Cloudflare.
- Install a firewall. A web application firewall (WAF) sits in front of WordPress sites to filter and block unauthorized traffic. Installing a WAF can help prevent DoS and DDoS attacks from significantly impacting site service.
- Block HTTP requests using the XML-RPC protocol. XML-RPC is often used to conduct volumetric cyber attacks or brute force attempts. A plugin or firewall rule can be used to opt out of the XML-RPC feature.
- Prevent hotlinking. Hotlinking allows third parties to embed content from WordPress sites without having to host it themselves. When this happens repeatedly, it can drive up bandwidth costs for the original host of the content.
Secure user access
- Enforce MFA. MFA requires users to provide an additional form of identification before accessing a protected system or account, and makes it harder for attackers to infiltrate a WordPress site — even if they have cracked a legitimate user’s username/password combination.
- Limit the number of failed login attempts. Password attacks are more likely to succeed when attackers have unlimited tries to input credentials on a login page.
- Automatically log out inactive users. Some users may access their WordPress accounts from public computers or practice other unsafe browsing habits. Automatically log out users after a set period of inactivity to reduce the chances of snooping and other forms of unauthorized third-party access.
- Delete inactive user accounts. Even if a user is no longer using their account to access a WordPress site, their account and login credentials may be targeted by attackers.
Manage user permissions
- Restrict file and folder permissions. Users should not have admin-level privileges unless absolutely necessary. Limit the functions users can perform on a WordPress site to decrease the likelihood of unwanted data sharing and minimize the effects of a breach. (Learn more about the principle of least privilege.)
- Disallow file editing. The default WordPress file editor allows users to easily edit PHP files. If a WordPress account is breached, this feature also allows attackers to significantly modify the code of the site’s files.
- Monitor user activity. WordPress attacks may come from both external and internal sources. Regularly log and review user activity to keep track of any suspicious behavior (e.g. altering files, installing unauthorized plugins, etc.).
Update WordPress security features
- Update to the newest version of WordPress. WordPress is regularly updated to defend against known vulnerabilities. Look for the notice at the top of the WordPress dashboard that alerts users when a new version is available.
- Update WordPress themes and plugins. Every theme and plugin represents a potential entry point for attackers. Just as old versions of WordPress may contain critical weaknesses, attackers often use outdated themes and plugins to conduct attacks against WordPress users.
- Conduct regular security scans. Use a trusted security plugin, software, or third-party service to automatically check for malware and other security risks.
- Create regular backups of site data. In the event of a successful attack, users may restore any lost data from a recent site backup.
How does Cloudflare protect WordPress sites?
Cloudflare Automatic Platform Optimization (APO) is a WordPress plugin that allows users to access a variety of security and performance features, including Cloudflare WAF rulesets, Universal SSL, DDoS Protection, and more. And with Cloudflare Zero Trust, users can further strengthen their WordPress security by enabling MFA, monitoring login attempts, and restricting user access to internal assets. Learn more about how Cloudflare helps protect WordPress sites.