Securing WordPress has become easy thanks to the amazing work the WordPress team continuously do to fix vulnerabilities and improve the security of the platform. With the addition of Wordfence, it is possible to run a secure WordPress site and sleep well at night knowing your investment is safe.
Today I’m going to provide you with a checklist you can get through in 15 minutes that will help you secure your WordPress website. Time is short, so lets get started!
1. Ensure that your site is backed up
Backups are the first step in securing your website. Your backups ensure that even if your site is compromised or damaged in some way, you can always recover it. We suggest running a full backup before making the changes below so that you can recover your site if you break anything.
Your hosting provider may already provide free backups. If not, there are a wide range of backup plugins available for WordPress. We like UpdraftPlus which is well maintained, has excellent ratings and has a large install base of over 2 million sites.
For a more in-depth article about the importance of WordPress backups visit our blog post here.
2. Delete any old public WordPress installations and other old software
Sign in to your WordPress website using FTP or a file manager. You need to be able to view all files in your hosting account. Check to see if you have any old WordPress installations lying around. For example in a directory called ‘backup’, ‘doc_root.old’, ‘old_wordpress’ or something similar.
If you are unsure what a directory is, ask your hosting provider or a developer if you work with one. Any directories that are old and no longer used should be deleted. They are probably not being maintained and hackers may eventually discover them and use vulnerabilities in the out-of-date software to gain access to your site.
Now do the same for any other software that you have installed but aren’t using or maintaining. This includes old PHP applications like phpmyadmin, MediaWiki, Joomla and Drupal.
3. Delete any themes, plugins or extensions that you don’t need or that aren’t maintained
Sign in to your WordPress site and go to Plugins > Installed Plugins. Delete any plugins that you no longer use. Check everything else and make sure you recognize it and use it.
You can click the “Details” link next to each plugin to see when it was last updated. We strongly recommend that you delete any plugin that has not been updated for 2 years or more. It is unlikely that the author is maintaining the plugin and if a vulnerability is reported, it may not be fixed quickly.
Do the same for WordPress themes. Go to Appearance > Themes. Then delete any themes you no longer use. If you switched themes at some point and still require images in another theme directory, we recommend you delete as much as you can of the legacy theme and just preserve static assets like images and stylesheets.
If you use Joomla, Drupal or other applications, sign in to each application and remove old extensions that you no longer use or that are not being maintained by the author.
Deleting old extensions, plugins and themes will remove them as potential entry points for a hacker.
4. Secure your WordPress admin accounts and CPanel
Secure any admin accounts on your site. Sign in to WordPress. Go to Users > All Users and then click on ‘Administrator’ at the top of the screen to view all administrator level accounts. Make sure you recognize all admin accounts. If you don’t recognize an account, find out who it belongs to. If you have an unauthorized admin account and suspect you may have been hacked, you may need to contact our security services team.
Delete any admin accounts that are no longer needed.
If you aren’t sure if your admin passwords are secure, go in and change them to something random and ensure your admin account owners are alerted to the change. We strongly recommend using WordPress’s automatically generated password which is very secure. Use a password manager like 1Password to store the generated passwords.
Sign in to CPanel and make sure you are using a secure password there too. It should be random and preferably 20 characters or more. You can use 1Password or another password manager to generate a random password and store it.
5. Update absolutely all software in your hosting account
You need to bring everything up-to-date. Under absolutely no circumstances should you be running out of date software. Complete the following steps:
- Update all WordPress core installations.
- Update all WordPress plugins.
- Update all WordPress themes.
- Update any Joomla, Drupal, MediaWiki, PHPMyAdmin or other applications you have installed.
- Update any extensions in any applications like Joomla or Drupal that you have installed.
A special note on custom WordPress themes
If your theme is custom designed and you aren’t able to update it, you are going to need a developer to maintain that software. This is an unfortunate reality and expense of having a custom theme installed. You can’t just install and forget.
Many themes use libraries that eventually have vulnerabilities discovered in them. If your theme is not maintained, your site will eventually become hacked through this vulnerable software. When engaging the services of a company that designs custom WordPress websites, you should ask them if they will be maintaining any custom software they install on your WordPress site.
6. Install the Wordfence Firewall in “Extended Protection” mode
Install the Wordfence plugin on your WordPress site. Go to the “Firewall” menu and enable “Extended protection”. This ensures the following:
- The Wordfence firewall code will inspect any request before it executes any PHP code including WordPress core code. That allows Wordfence to intercept and stop any vulnerability before it even reaches your PHP applications.
- Wordfence will also protect any other PHP applications that are installed off your WordPress base directory. This happens automatically and is an added benefit of Wordfence that many people aren’t aware of.
We recommend you upgrade to Wordfence Premium if you can, to ensure that you receive the IP Blacklist, firewall rules and malware signatures in real-time as new attacks emerge.
7. Perform a full Wordfence scan on your site
Go to the Wordfence > Scan menu. Click the button to perform a Wordfence scan. This will perform a large number of security checks on your site and will ensure that your site is clear of any infection. Any issues that are found will be clearly displayed and need to be resolved.
You can visit the Wordfence options page and scroll down to “Scans to Include” where you’ll find an option to “Scan files outside your WordPress installation”. You can enable this to have Wordfence scan all files outside of your WordPress root directory, even web applications that are not part of WordPress. This is a great way to get extended scan coverage for all of the files in your hosting account.
8. Enable 2 Factor Authentication, aka Cellphone Sign-in
Go to Wordfence > Tools. Click the tab at the top titled “Cellphone Sign-in”. Enable cellphone sign-in on all your administrator accounts. You can sign in using an SMS to your cellphone or using the Google Authenticator app.
Enabling this feature will significantly improve the security of your WordPress admin accounts because anyone who signs in as an admin on your site will now have to verify that they know their password and also are in possession of their cellphone. A hacker will have to steal your cellphone and know your password to be able to sign in as you.
Note that cellphone sign-in is a Premium Wordfence feature.
Now share it!
Completing these easy steps will provide you with a significantly more secure website than most WordPress installations on the web today. Share this post with the community to help other WordPress site administrators secure their websites.
Now that you are done, we suggest you pour yourself a glass of something tall and cold and take a well deserved break. You’ve earned it!
For a deeper dive on WordPress security, check out The WordPress Security Learning Center.