How to Secure a WordPress Site (Beginner Version)

Share on linkedin
Share on facebook
Share on twitter

Table of Contents

According to WordFence, there are 90,000 attacks a minute on WordPress websites. Although the platform comes with many measures to mitigate potential risks, the complexity of modern threats requires your regular active involvement in order to secure your WordPress site from hackers who are constantly scanning the web. Here are six easy measures you can put in place today to better secure your WordPress site:

Keep all software up to date

Outdated software is often one of the primary point of entry for hackers attempting to breach your website, since updates are often released to patch a specific attack discovered by hackers and shared all over the internet. Attackers use automated scans that looks for every possible website with outdated plugins, so it’s always a matter of “when will it happen?”.

The WordPress software is the core of your site and should always be kept updated. Failing to update it can leave your site vulnerable to attacks that are public knowledge and being attempted on an ongoing basis. WordPress should also run on the latest version of PHP. Old versions of the language have vulnerabilities that could lead to a full takeover of your site.

In addition, not only should you keep your plugins and themes updated very thoroughly, but you should also do your due diligence before installing any plugin, to ensure that it has been backed by the community and has been deemed to be reliable. This will go a long way to securing your WordPress site, but your journey doesn’t stop there.

Switch to HTTPS

HTTPS, also known as SSL or TLS, is an encryption protocol that secures the information that transits between your site and its visitors. Securing your WordPress website with HTTPS encryption is an absolute necessity today, especially if you handle sensitive user data.  When a website doesn’t use HTTPS, hackers can intercept and modify data shared between users and the server.

A TLS digital certificate can easily be obtained for free. Any hosting company worth using makes secure hosting available. This should be one of your top priorities to secure your WordPress site.

Want to know how Vumetric has helped hundreds of organizations secure their WordPress site?

No matter how complex your website, our experts understand the most intricate risks WordPress vulnerabilities that could potentially be disastrous if a hacker exploited them.

Enforce Strong Passwords

Users with any sort of administrative privileges should create strong passwords comprised of special characters, numbers and capitalized letters. More importantly, they should generate unique passwords that are not used by any of their personal or work accounts. This measure should be strictly enforced and the reason is simple. Millions of leaked passwords, usernames and emails can easily be purchased on the dark web for a small price. Hackers incorporate these large databases into hacking tools, allowing them to attempt millions of passwords that could potentially grant them access to one of your accounts with administrative access, should that user’s password be disclosed on the dark web following the data leak of a compromised website. These attacks, known as brute-force attacks, can also be mitigated by installing a plugin that limits the number of consecutive login attempts. With that said, another layer of protection can also be added to secure your WordPress website if an attacker is able to connect to an account.

Implement Strict User Permissions

People are too often careless when it comes to protecting their accounts. They do not adhere to strong password policies, or they let a malicious email message trick them into revealing their credentials. If an account gets compromised, the impact of the breach is significantly less important when it can’t actually access anything sensitive.

This is where the principle of least privilege comes in to save the day. It can be summarized to giving each account only the strict necessary permissions for their roles.

WordPress defines six roles: Super Administrator, Administrator, Editor, Author, Contributor, and Subscriber. A website should have just one Administrator account (Super Administrator is only for multisite installations.) People who only create content should have the Author or Contributor role. Only trusted people should be Editors.

While you’re at it, change the name of the “admin” account to something else. That makes it a little more difficult to identify and target by attackers. It could also be important to consider adding a plugin to control your users’ roles access granularly, allowing you to create new user roles and give them very least access you can.

Setup Two-factor Authentication

On a similar note as the previous one, this measure should add an extra layer of security for users using a compromised password. Multi-factor authentication requires an additional confirmation from the user to validate their identity. When the user logs in, the server will verify the access by sending a text message, making a voice call, or using a mobile application. While this is not entirely bulletproof, the risks are very limited and this will simply add another step to discourage hackers from targeting your website.

Users have to demonstrate something they have (a phone number or instance of an app) in addition to what they know (the username and password). Additional logins over a short period of time from the same IP address usually don’t require repeating the confirmation.

The accounts with the higher levels of responsibility — administrators and editors — should always use two-factor authentication. Authors and contributors can have it as well, but it’s less critical. Several plug-ins are available for multi-factor authentication.

Backup your site on a regular basis

Absolute security is impossible, unless disconnecting entirely from the internet. If your site is compromised by a motivated attacker, you need the tools to remove the cause and then get back to a working state quickly. This can easily be done if you run regular, automated, offsite backups. An onsite backup can be ruined at the same time an attacker compromises the files on the server. An offsite, remote backup is safer.

Offsite backups normally update only what was changed since your last user session, so, the actual volume of data to restore since the attack isn’t much. Especially when it’s possible to back up your website every hour.


Want to know if your website could be hacked?

Our penetration testing services were designed to help organizations like yours improve their cybersecurity against the latest threats. Contact our specialists to get started.

A penetration test is a simulated hacking attempt that identifies opportunities for real hackers to break through your defences and perform various malicious acts. It generally leverages tools used by hackers and various professional methodologies to replicate the steps that modern hackers would take to intrude into your IT systems.

A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. They provide a list of vulnerabilities with their respective level of severity, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.

These services allow your organization to answer the following questions, among several others:

  • Can a hacker gain access to any sensitive information?
  • Can a hacker hijack my technologies for any malicious acts?
  • Could a malware infection spread through the network?
  • Can an attacker escalate access to an administrative user?

Learn more about penetration testing →

There are many contexts in which a penetration test should be performed.

Here are some common use cases for a pentest:

  • As part of the development cycle of an application. (To test the security of a new feature/app)
  • To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
  • To secure sensitive data from exfiltration.
  • To prevent infections by malware. (Ransomware, spyware, etc.)
  • To prevent disruptive cyberattacks. (Such as denial of service)
  • As part of a cybersecurity risk management strategy.

All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that quarterly tests are performed.

Various steps are taken over the course of the project to prevent the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.

For this reason, a communication plan will be put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization will be identified to act as the main point of contact to ensure rapid communication in the event of a situation directly impacting the conduct of your daily operations, or if any critical vulnerabilities are identified, for which  corrective measures need to be implemented quickly.

While we use a simple 4 levels risk rating approach (Critical, High, Moderate, Low), our risk assessment is actually based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when  assessing the risk level of each vulnerability:

  • Potential impact: The potential impact of an attack based on a vulnerability, combined with its  potential effect on the availability of the system, as well as the confidentiality and integrity of  the data.
  • Exploitability: The potential exploitability of a vulnerability; a vulnerability that is easier to  exploit increases the number of potential attackers and thus the likelihood of an attack.  Different factors are considered when evaluating the exploitability potential of a vulnerability  (e.g.: access vector, authentication, operational complexity, etc.)

Related Vumetric Blog Posts

Cyberattack impact

How Cyberattacks Impact Your Organization

A cyberattack is a malicious assault by cybercriminals aiming to damage a computer network or …

Read The Article
penetration test vs bug bounty

Penetration Testing vs Bug Bounty

Due to the recent spate of ransomware incidents, organizations and nervous IT administrators are wondering …

Read The Article
How Wordpress Gets Hacked and How to Prevent

How WordPress Sites Get Hacked And Fixes to Prevent it

WordPress sites get hacked on a regular basis, as it is by far the most …

Read The Article


We've Earned Internationally-Recognized Certifications

Contact a Certified Expert

Talk with a real expert. No engagement. We answer within 24h.
penetration testing provider

Stay Updated on Cyber Risks!

Subscribe to the Vumetric Monthly Bulletin to keep up with breaking news in the cybersecurity industry.

Want to Know if Your Website Could be Hacked?

or give us a call directly at: