
The Ultimate WordPress Security Guide 2020 [18 Security Hacks]

I will not fix malicious code or vulnerabilities on your WordPress site for you. The purpose of this post is to explain how WordPress sites get hacked and how you can close those holes. I cannot guarantee that every method will work 100% on your site; there are many reasons why a step might not apply.

So if you want to keep your site free of viruses, malware and suspicious activity, or want to prevent it from being hacked, follow this guide.

Here I have listed the major weak points of a WordPress site, so you can recognise them and fix them easily.

Why Does a WordPress Site Get Hacked?

The first thing to understand is why a WordPress site gets hacked. Not every site is hacked, and sites are hacked for many different reasons. If you know those reasons, the weak points of a site, you can prevent the hack.

Hackers go after specific weaknesses to hack a website, and the process is especially easy on WordPress sites.

[Image: WordPress hacking report]

Most attacks are automated. Hackers spread their malware by exploiting specific weak points of a WordPress site, which is why the attacks run almost entirely automatically.

By automating the process, hackers can attack many sites at once, which increases their odds of success dramatically.

WordPress security is all about being proactive. Proper security steps go a long way toward preventing a site from being hacked.

Basics of WordPress Security

I have seen many cases of hacked WordPress websites. Below are the main weak points hackers use to attack.

(1) WordPress Admin Password

Sometimes a WordPress site is hacked because of a weak admin password. Hackers try to find the admin password to complete the takeover. Once they have it, you have effectively lost your site; an admin password compromise amounts to a transfer of site ownership.

How to fix: Do not use a weak password. Use a 10-15 character password that mixes numbers, uppercase and lowercase letters. You can generate one with a strong password generator tool.

(2) WordPress Custom Admin Login URL

This is another primary target for hackers. If your admin login URL is not protected, you can lose the site at any time. The default WordPress login slug is /wp-admin, which hackers already know, so they use this slug when trying to inject viruses or malware.

[Image: WordPress custom admin login URL]

How to fix: to keep the site safe from the brute force and manual attacks that mostly target the default admin URL, you can change the URL using a plugin. I recommend the WPS Hide Login plugin. You can also set a custom login URL using the iThemes Security plugin.

(3) Keeping WordPress Updated

WordPress is content management software that is regularly updated and maintained. By default, WordPress installs minor updates automatically, but you need to install major releases manually.

Because it is an open-source platform, there are many third-party plugins and themes for WordPress sites. These plugins and themes need regular updates to fix bugs and security issues. If you do not update to the latest WordPress version, outdated third-party plugins or themes can be harmful to your website and may even cause fatal errors when the site loads.

How to fix: keep your WordPress version up to date. Check regularly, and when an update is available, install it as soon as possible.

(4) Default “admin” username:

If you do not change the username during the first installation, your username will be 'admin', the WordPress default. The default username is a liability for a WordPress site because attackers already know it.

How to fix: Change the default 'admin' username as soon as possible. Normally WordPress does not let you change a username, so you can use a WordPress username changer plugin.

(5) Web Hosting:

According to WP White Security, 41% of WordPress websites are hacked through a security vulnerability of the hosting platform.

The hosting service largely determines how secure a WordPress site is. Good hosting providers like Bluehost & Dreamhost have an extra layer of security that helps protect a site from common threats.

The hosting platform is the major factor in WordPress site security, so choose a good web host carefully. It should have:

  • The latest PHP and MySQL versions
  • Servers optimized for running WordPress
  • A WordPress-optimized firewall
  • Malware scanning and intrusive file detection
  • An expert support team that keeps working to improve security

A good hosting provider protects sites in the background and takes care of your data:

  • They monitor their networks for suspicious activity.
  • A good hosting company has various virus and malware prevention tools, and also provides DDoS protection.
  • They keep their servers up to date, which helps prevent suspicious activity.
  • They protect your data from malware and other suspicious activity, and keep a daily backup to guard against disk damage.

How to fix: A shared hosting plan cannot fully protect a site from hackers and other suspicious activity, because many users share the same server and a hacker can reach your site through another site hosted on that server. So avoid shared hosting.

I recommend Bluehost managed WordPress hosting for the best security and daily backups. It is the most popular host among bloggers worldwide and is recommended by WordPress.

(6) Limit Login Attempts

Hackers commonly use brute force attacks to hack a WordPress site, trying random usernames and passwords. Limiting login attempts is the best way to protect a WordPress site from brute force attacks.

[Image: Limit Login Attempts Reloaded]

How to fix: To stop hackers' login attempts, install Limit Login Attempts Reloaded. This plugin blocks users or hackers based on the IP range they come from.
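To show what a login-limiting plugin does under the hood, here is an added must-use plugin (example code written for this guide, not code from the post or from Limit Login Attempts Reloaded) that counts failed logins per client IP in transients and refuses further attempts for 15 minutes after five failures. It assumes REMOTE_ADDR is the real client address, which holds only when your proxy or CDN layer rewrites it correctly.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (example)
 * Copy into wp-content/mu-plugins/ so it loads before regular plugins.
 * Constants and function names are this example's own, not WordPress APIs.
 */
const SLT_MAX_ATTEMPTS = 5;
const SLT_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// One counter per client address. Only REMOTE_ADDR is used: headers such as
// X-Forwarded-For are attacker-controlled unless a trusted proxy sets them.
function slt_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'slt_' . md5($ip);
}

// WordPress fires wp_login_failed whenever the authenticate filter chain
// returns a WP_Error, including our own lockout error below, so each blocked
// attempt also extends the lockout window.
add_action('wp_login_failed', function (string $username): void {
    $key   = slt_client_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, SLT_LOCKOUT_SECS);
    if ($fails >= SLT_MAX_ATTEMPTS) {
        error_log(sprintf('slt: lockout for %s after %d failed logins (last username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $fails, $username));
    }
});

// Priority 30 runs after the core username/password check (priority 20), so a
// locked-out client is refused even when it finally supplies the right password.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(slt_client_key()) >= SLT_MAX_ATTEMPTS) {
        return new WP_Error('slt_locked', __('Too many failed login attempts. Try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter so an honest typo does not linger.
add_action('wp_login', function (): void {
    delete_transient(slt_client_key());
}, 10, 0);
```

The error_log line gives you something to alert on in the PHP error log; a real plugin would also cover XML-RPC and the REST login paths, which this example does not.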

(7) Remove the WordPress Version Number

This is another important thing for hackers. They always check which WordPress version you are running, and by default WordPress prints the version in your site's source code:

<meta name="generator" content="WordPress 3.9.1">

Unfortunately, this information is very helpful to a hacker because it tells them exactly which version you are running. If you use an older WordPress version with a known security hole, hackers can easily determine the vulnerabilities of your active version.

How to fix: remove the WordPress version from your live site. There are many ways to do it; one is to add the following line at the top of your theme's functions.php file:

remove_action('wp_head', 'wp_generator');

If you do not want to add code, you can remove the WordPress version number by installing the Version Info Remover plugin.
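The generator meta tag is only one of the places WordPress prints its version, so as an added example (written for this guide, not from the post or the Version Info Remover plugin) the must-use plugin below also clears the generator element in feeds and the ?ver= query string that core appends to enqueued scripts and styles. Function names prefixed hwv_ are this example's own.

```php
<?php
/**
 * Plugin Name: Hide WP Version (example)
 * Copy into wp-content/mu-plugins/.
 */

// 1. The <meta name="generator"> tag in <head> (the line shown above).
remove_action('wp_head', 'wp_generator');

// 2. RSS/Atom feeds emit a <generator> element through a separate filter.
add_filter('the_generator', '__return_empty_string');

// 3. Core assets are enqueued as .../file.js?ver=<WordPress version>.
//    remove_query_arg() is the core helper for stripping a query parameter.
function hwv_strip_ver(string $src): string {
    return (strpos($src, 'ver=') !== false) ? remove_query_arg('ver', $src) : $src;
}
add_filter('style_loader_src', 'hwv_strip_ver');
add_filter('script_loader_src', 'hwv_strip_ver');
```

Stripping ?ver= also removes the cache-busting that ships with updates, so purge your page cache or CDN after each WordPress update. Note that the readme.html file in the site root also states the version; delete it or block it at the web server, since PHP hooks cannot touch it.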

(8) Disable File Editing

If your site is hacked by a hacker or spammer, they can damage or change files from the dashboard. To keep your WordPress secure, you can disable file editing.

How to fix: to protect your WordPress files from a hacker or unauthorized editing, add the following line to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Alternatively you can use a security plugin; I highly recommend iThemes Security Pro.
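DISALLOW_FILE_EDIT sits alongside a few other wp-config.php constants that back up steps 3, 8 and 13 of this guide; the fragment below is an added example of how they are set together and is not from the post. All four constants are documented WordPress settings; the commented-out one is optional and explained inline.

```php
<?php
// Hardening block for wp-config.php. Put it above the line that reads
// /* That's all, stop editing! Happy publishing. */

// Step 8: remove the theme and plugin code editor from the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Stricter variant: also blocks installing or updating plugins, themes and
// core from the dashboard, and turns off automatic updates. Enable it only if
// you deploy code through version control or the shell and update there.
// define('DISALLOW_FILE_MODS', true);

// Step 13: serve the login form and the whole admin area over HTTPS only.
// Requires a working certificate, otherwise you lock yourself out.
define('FORCE_SSL_ADMIN', true);

// Step 3: let WordPress install core updates automatically, including major
// releases, instead of only the minor ones it applies by default.
define('WP_AUTO_UPDATE_CORE', true);
```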

(9) Consider Two-Factor Authentication

Two-factor authentication is a high-level security step for WordPress sites. If you enable two-factor authentication for login, your site's security will honestly improve.

When it is enabled, you need a verification code every time you log in, so a hacker cannot get past the login screen while it is turned on.

[Image: Wordfence two-factor authentication]

How to fix: 2-step verification is another extra layer that keeps a WordPress site more secure, so use a 2-step verification plugin. Wordfence is the best for website security and 2-step verification.

(10) Change WordPress Salts & Keys Regularly

WordPress uses cookies and the browser cache to verify the identity of logged-in users and commenters, and it stores these cookies in a way that protects the login data.

WordPress keeps secret authentication keys and salts in the wp-config.php file. These secret keys and salts act as a kind of strong password that is long, complicated and random.

[Image: Change WordPress salts & keys regularly]

Some plugins let you change the WordPress salts & keys. iThemes Security is one of the best plugins for rotating WP salts and keys for you, but you can also use WP Config File Editor.

(11) Use Secure File Permissions

If anyone can access your server's directories and files and write to them, how do you stop that from happening? Rewriting files in a directory is another way WordPress sites get hacked.

Examples of risky directory and file permissions are:

  • Directory – 777
  • File – 666

How to fix: So how can you actually stop directory permissions from letting files be changed? You can tighten directory permissions through your host's control panel (cPanel) or an FTP client.

You can change those files from 777 to 400, or 666 to 444, or whatever you want. Blocking WordPress directory permissions manually is tough, though.

So you can use the iThemes Security plugin instead, which can lock down all types of directory permissions with just one click.
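For sites where you have shell access, here is an added audit script (written for this guide, not from the post or the iThemes Security plugin) that walks a WordPress tree, reports every directory or file that is group- or world-writable, such as the 777 and 666 cases above, and with --fix sets the commonly used defaults: 755 for directories, 644 for files and 600 for wp-config.php. It assumes the files are owned by the account PHP runs as, which is what lets wp-content/uploads stay writable at 755.

```php
<?php
// audit-perms.php: run as `php audit-perms.php /path/to/wordpress [--fix]`.
// Hypothetical helper for this guide; the targets below are conventions, not WordPress APIs.

function wp_perm_audit(string $root, bool $fix = false): array {
    $findings = [];
    $root = rtrim(realpath($root) ?: $root, '/');
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = fileperms($path) & 0777;
        if ($info->isDir()) {
            $want = 0755;
        } elseif (basename($path) === 'wp-config.php') {
            $want = 0600;   // holds DB credentials and the salts: owner-only
        } else {
            $want = 0644;
        }
        // Group- or world-writable is always a finding; for wp-config.php any
        // access by group/others is. Anything stricter than the default is left alone.
        $bad = ($mode & 0022) !== 0 || ($want === 0600 && ($mode & 0077) !== 0);
        if ($bad) {
            $findings[] = sprintf('%04o -> %04o %s', $mode, $want, $path);
            if ($fix) {
                chmod($path, $want);
            }
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $fix = in_array('--fix', $argv, true);
    foreach (wp_perm_audit($argv[1], $fix) as $line) {
        echo $line, PHP_EOL;
    }
}
```

Run it without --fix first and review the list; on hosts where the web server runs as a different user than the file owner, the uploads directory may need group write access instead, so adjust the targets before applying them.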

(12) Use SFTP Whenever Possible

If you edit files on a website, you transfer them with SFTP or FTP. Hackers are clever at intercepting a website's traffic over the network. Let me be clear about this.

SFTP and FTP are both protocols for transferring data, but they are not equally secure. Plain FTP sends the data between the two ends of the connection in plain text only.

When a user opens a regular FTP session, the entire transmission between host and user is sent in plain text.

As a result, anyone with a good understanding of networking can read the entire data stream, including the password.

How to fix: SFTP is more secure than FTP. SFTP transfers your data privately using the SSH2 protocol. When you use SFTP instead of FTP, the entire session is encrypted, so your password is much harder for someone on the network to find out.

Download SFTP & FTP Software for Windows

(13) Use SSL on Your WordPress Site

What is SSL? SSL stands for 'Secure Sockets Layer'. When you browse a website and see a padlock icon (green or black) to the left of the https or www in the address bar, that is SSL.

SSL creates an encrypted connection between your web server and your visitors’ web browser.

[Image: Secure vs. non-secure SSL example]

How to fix: use a good SSL certificate for your WordPress site. Secure Sockets Layer establishes a secure connection between your server and the visitor's browser, which helps protect the site from hacking.

I recommend the Namecheap SSL service, which is secure and reliable.

(14) Use an Automatic Logout System

Sometimes logged-in users step away from their screen. In that time someone else can change their password, hijack the session and make changes to their account.

This is very harmful to WordPress site security. To prevent it, use an automatic logout system.

How to fix: Install the Inactive Logout plugin. Upon activation, go to WordPress Settings > Inactive Logout and set your Idle Timeout. That's it.

[Image: Automatic logout system]

You can also activate the 'Popup Background' option, which hides the page behind the logout popup. Activating this option removes the transparency.

(15) Add Security Questions To Login Screen

You can add security questions to the WordPress login screen. This is a kind of 2-factor authentication, and adding a security question to the login screen enhances WordPress security.

[Image: Security questions on the login screen]

How to fix: To add security questions to the login box, first install the WP Security Question plugin. Go to WP Security Question > plugin settings and set your questions. You can remove a question by pressing the Remove button.

WordPress Security Without Coding

(1) WordPress Backup Solution

I cannot guarantee that a site will never be hacked, because there are many ways to hack a website. If your site does get hacked, what can you do? You should quickly restore it using a WordPress backup plugin; there is no way around this.

There are many backup plugins, but I only recommend UpdraftPlus, which is a superb backup plugin for WordPress users. You can back up files manually or to remote locations like Google Drive, Dropbox, Amazon S3, etc.

[Image: UpdraftPlus backup plugin]

I also recommend backing up your website files daily rather than weekly or monthly. You can set a daily backup schedule or a custom time frame. The plugin is easy to use and needs no coding. You can use another one; read my other post about the best WordPress backup plugins.

(2) Best WordPress Security Plugin

We always need help from plugins because we do not know how to code or design. After successfully backing up files, we need to install or set up a monitoring system to keep track of unwanted or malicious activity.

The activities to monitor include file integrity monitoring, failed login attempts, malware scanning, etc.

So for security purposes, why not use a security plugin? A good security plugin can help protect a site from hackers and reduce the time needed to analyze security levels or threats.

[Image: iThemes Security]

There are many WP security plugins, but I only recommend iThemes Security and Sucuri; both are premium. Both have free versions that cannot completely protect your site from hackers and suspicious activity, but you can use the free version to get some security benefits.

(3) Enable Web Application Firewall

The easiest way to protect a WordPress site is a good web application firewall that takes care of your WordPress security for you.

A top-rated web application firewall blocks malicious traffic before it reaches your website.

[Image: Sucuri Firewall]

I recommend the Sucuri web firewall, the best-rated web firewall in the industry. It protects your site from different angles: a DNS-level website firewall, an application-level firewall, a network firewall, and more.

Besides, it sends real-time monitoring data directly to your email inbox, so you can be aware before something bad happens.

[Image: Sucuri web firewall]

Sucuri guarantees malware cleanup and blacklist removal. Besides, if your site is hacked while under their watch, they promise to fix it at no extra cost.

Normally, fixing a hacked website can cost $250-$300 per hour, which is what expert developers usually charge. But with the Sucuri web application firewall you get it for only $199 per year, which is pretty low.


So finally, I hope this WordPress security guide helps you improve your WordPress site's security. Please use the plugins I recommend and follow the instructions, which are tested.

If you have any questions about WordPress security, please comment below. If this guide was helpful, please share it with your friends & colleagues.

About Palashtd

Palash Talukdar is a digital marketer & the founder of WP Basic Pro. He has been building and managing WordPress websites for 5+ years. He loves to write about WordPress, SEO, marketing, productivity, and web performance.
