Complete peace of mind
Secure your Website with our Comprehensive Guide to WordPress Security!
WordPress is the most widely used CMS on the Internet, with over 43% of sites using this content manager and a current market share of 63.6% compared to other content managers or SaaS web services.
The existence of such a large volume of installations in turn makes it very attractive to malicious people who create tools (robots) to snoop around the Internet looking for vulnerable WordPress sites.
Don’t let malicious users tamper with your WordPress website!
If your WordPress is hacked, the costs can be substantial. Not just because you have to pay technical staff to clean up your website, you also have to consider the loss of sales and potential customers, and the damage to the reputation of your site, business or brand.
Follow our security guide and act now to cut the risks of suffering hacking to your WordPress website. Don’t risk your reputation, sales, and potential customers because of a hack.
At Webempresa, after 19 years’ experience in the hosting sector, we strive to offer our clients secure, satisfying hosting for WordPress. Follow our security guide and act now to minimize the risk of suffering WordPress hacking.
Easier still?
Our obsession: Security · Support · Speed
We’re excited to share our knowledge and to support you in your WordPress experience! 
WordPress and security
Most important of all
Risks are ever-present
Your WordPress security will never be 100%. Malicious actors are continually innovating and bugs are frequently found in the plugins.
There are a lot of things you can do to minimize the risk though.
Remember that maintaining security requires continuous effort which you must not neglect. We’re here to help you with this process.
Is WordPress insecure?
WordPress security is a recurring concern among users. Note, though, that WordPress is no less secure than other content managers.
You need to keep it up to date, use a theme obtained from a reliable source, use strong passwords, and have a security system installed on your computer to minimize the risk of being attacked.
According to a study conducted by wpdoctor.es, 33.74% of sites aren’t updated with the latest version of WordPress, which is worrying. It is essential to take measures to update and to improve site security.
Avoiding being negligent with your website security is crucial. It would be like leaving your auto with the keys in and the engine running in a shopping mall. Unthinkable!
Take care of your web projects
You are the weakest link
Be careful with your Internet connection
The security of your Internet connection is crucial to protecting your WordPress website.
Connecting to the Internet using an Ethernet cable instead of Wi-Fi is advisable. If you decide to use Wi-Fi, make sure you use WPA-2 security and change your access password for router administration.
Use a strong password and avoid connecting to your WordPress website from untrusted external devices, such as a hotel computer.
It’s also important to disable WPS on your Wi-Fi connection, as this makes it easier for attackers to get your connection password.
Free Wi-Fi: high price for security
Avoid connecting to open or public Wi-Fi networks as these entail security risks.
If you have to use them, having updated security software, such as antivirus software and firewall, or connecting through a trusted VPN, is critical.
Lots of security programs include a private VPN, and you can also buy a specific service such as CiberProtector.
Use a VPN if you connect regularly from unsecured networks, because this will increase your security substantially. You are better off using your mobile phone’s 4G connection than connecting to unknown Wi-Fi networks.
Proxy? No, thanks
Using a proxy server to browse the Internet isn’t advisable, especially if it is a free one.
Although some people may recommend using a proxy to browse anonymously, it doesn’t guarantee the security of your connection or the privacy of the content you visit.
When you use a proxy, all your traffic passes through a server controlled by a stranger. This means private data from your browsing, such as access to banks, shopping platforms, etc. could be spied on and stolen.
Using extra security measures to protect your privacy and data, such as a VPN, is better than relying on a proxy.
SSL to encrypt data
One recommendation is to install an SSL certificate on a WordPress website and access it through HTTPS protocol to ensure that the data is transmitted in an encrypted form.
Using HTTPS means all the information sent to the server is encrypted. This prevents third parties with access to the same network from intercepting private information.
You can learn more about this in the article What is an SSL certificate and how does it protect my data.
A standard SSL certificate, such as Let’s Encrypt, can be a very suitable option to ensure encryption of your browsing data.
Always use strong passwords
Use strong passwords to protect your accounts and personal data. This is critical.
Avoid using obvious or easily guessed passwords such as “12345” or “password”. Although this might sound obvious, a lot of people still use them, unfortunately.
A good password should contain uppercase and lowercase letters, numbers and special characters, and it should be at least 12 characters long.
This is an example of a strong password: 7sP3@$zjT1b3_?=J
Never store passwords in your browser. Use an encrypted password manager to save them securely.
The use of two-factor authentication, or 2FA, is also recommended. This adds a second layer to your logins.
Double the security by using double authentication
Two-factor authentication is an essential tool to increase the security of your accounts and protect your personal data.
It’s easy to set up and use, and it gives you an extra layer of security by requiring a second factor to access your accounts.
Use 2FA on all the platforms that offer it, especially in password managers and in your email, because lots of passwords or reminders are sent by that route.
Don’t lapse into laziness, enable two-factor authentication to protect your data effectively!
Your computer or device
Make sure you keep your computers and devices clean and protected when you connect to your WordPress administration.
Malicious users often find a way to get in through compromised devices or computers using malware, Trojans, or keyloggers. These let them capture your login passwords and cause havoc on your computers.
Keep your computers and devices infection-free and up to date to protect your WordPress website.
Updated operating system and browser
Keep your operating system and browser up to date to protect your computer from potential vulnerabilities.
Configuring automatic updates to keep them in their stable versions at all times is recommended.
Avoid browsing suspicious websites. They may try to install unwanted programs on your computer. Don’t use pirated operating systems or programs from dubious sources, because they could contain Trojans.
Always download programs from the developer’s official website.
Antivirus and firewall
To keep your computer and devices secure, it’s important to have up-to-date antivirus software and a firewall.
Antivirus software helps detect and remove viruses and malware. The firewall helps protect your computer or secure mobile devices from external attacks.
Keep the security options enabled on your antivirus and run a full scan of your computers regularly.
If your antivirus software doesn’t include a firewall, you should consider installing one. If you use Windows, you can install “Windows Defender” as your antivirus software and use the built-in Windows firewall.
You can see how to use Windows Defender to scan for malware at this link: Using Windows Defender.
You can also see how to enable or disable the Windows Firewall at this link: Enable and disable the Windows firewall.
User control
Connect to your computer with login data with user privileges, instead of administrator.
This will reduce the chance of unwanted applications being installed on your machine. If someone else has to use your computer, create guests or users with restricted permissions to protect your information. The physical security of your computers and devices is just as important as the online security of your WordPress website.
Access control
Use unique, strong passwords for each of your services, such as WordPress management, your webmail, or your hosting control panel.
Avoiding the use of FTP is advisable, because this is a common way for attackers to obtain access information and get into hosting control panels.
If you have no choice other than to use FTP though, go for SFTP or FTPS to protect your data using encryption.
Isolate your work environment
Consider using a virtual machine if you only have access to one computer for work.
This lets you move your workspace from one device to another with ease, as well as make backups and carry out other useful tasks.
It will also help you separate your personal life from the professional, to prevent any problems with your personal device or equipment affecting your work.
What really matters
Taking care of your WordPress
Keep your WordPress up to date!
Having an old version of the tool is like opening a door to malicious users, because they will specifically take advantage of known security flaws to attack.
Update your WordPress every time you see an update notification in administration; it’s very simple and will just take a minute.
If you can’t update the WordPress version from web administration for any reason, you can also update it manually. Check out the article Updating WordPress manually to see how to do it.
As always, make a backup before updating, to avoid setbacks.
Take care of the theme you are using
You can use both free and paid themes, but always make sure you use the latest version available.
If the theme you are using is in the wordpress.org directory, WordPress administration will display any updates automatically. For paid or free themes downloaded from other websites, you will usually have to check back from time to time to see if they have published new versions to fix security problems.
Again, NEVER use themes from download managers or suspicious pages: they can come hacked as standard.
Only install themes from wordpress.org or its developers’ websites.
Admin user, NO thanks
What is best is to create a new user with administrator privileges (remember to use a strong password).
Once you have done that, log out and reconnect with the new user you created.
Then access the user manager, edit the “admin” user and change its administrator privileges to subscriber or delete the “admin” user all together.
If you delete it, make sure you reassign the posts and pages that were assigned to the “admin” user to another existing user.
This change means a malicious actor won’t only need to know an administrator user’s password, but their name too.
If you are an advanced user and prefer to make the account change directly, you can do that by following the steps in our article Changing the WordPress user from phpMyAdmin.
Make regular, automated backups
Some hosting providers already make automatic backups but, just in case, it’s a good idea for you to make regular copies of your website.
The copy-making frequency will depend on the quantity of information you add.
It’s important to make backups before actions such as updating plugins or WordPress, installing new plugins, making changes to the database, etc…
Unwanted results occur sometimes and if your last copy is a recent one, you won’t lose your previous work.
There are plugins for WordPress that enable you to automate this task, such as XCloner, which we talk about in our blog.
Make the backups to external storage, such as Dropbox, external FTP accounts or Amazon S3, or download the copies you make, because if someone deletes all the data from your website, you’ll lose the backup itself too.
To avoid space problems in your hosting account, delete the backups after you download them.
Additional protection with Captcha and two-factor authentication
WordPress administration
We recommend protecting access to your WordPress administration with a Captcha authentication form or two-factor authentication such as Latch.
We talk about the two options in our blog articles Increase WordPress security using two-step authentication and Protect and lock your WordPress dashboard with Latch.
Forms
Web forms are commonly used to SPAM using bots. To prevent this, you need to protect comment creation with a Captcha.
You can use the Akismet plugin to protect against spam. This is installed by default in WordPress.
We also have an article on this. Don’t miss Keep spam at bay in WordPress with Akismet.
Make sure you maintain the essential users and keep them with minimal privileges
Users created on your website with administrator privileges will most likely have a weak password, so compromising your WordPress security. Granting users just the essential privileges reduces the chances of compromised security.
If in doubt, you can reset all your WordPress user passwords easily. You just need to follow the steps in the article WordPress security: How do you reset all passwords?.
Check regularly which users actually exist and eliminate any that are unused or that should not have access to your WordPress.
Hide the WordPress version number
It’s the wp_head() function that displays the version number in your WordPress on your website, which includes a call to the wp_generator() function.
You need to include the following line in your WordPress functions.php file to hide this information:
remove_action('wp_head', 'wp_generator');Plugins are wonderful, take care of them!
Al igual que sucede con el propio WordPress, las actualizaciones suelen corregir problemas de seguridad, por lo que debes mantener tus plugins actualizados.
Puedes hacer las actualizaciones desde la administración de WordPress de forma automática y, al igual que en el anterior punto, es muy recomendable realizar una copia de seguridad antes de actualizar.
Limita el uso de plugins
Utiliza solo los plugins que vayas a necesitar: no es una buena idea instalar plugins en grandes cantidades ya que cada uno podría ser una puerta de entrada para hackear tu WordPress.
Quédate solo con los plugins imprescindibles y si has instalado un plugin que ya no utilizas… ¡desinstálalo!.
También es importante que utilices plugins fiables. Lo ideal es que utilices el propio buscador de plugins que tienes en la administración de WordPress o que los descargues de la página oficial de plugins.
Si se trata de un plugin de pago asegúrate de que lo descargas desde la página de sus desarrolladores.
Nunca (repetimos, NUNCA) instales un plugin que hayas obtenido desde un torrent (red P2P), un gestor de descargas o una página sospechosa tipo “super-plugins-depago-gratis” ya que es muy posible que con el plugin venga un “regalo” en forma de código malicioso.
Es preferible pagar por la licencia de un plugin que quedarnos sin web.
The majority of attacks on WordPress come through its plugins.
Just like WordPress itself, updates usually fix security issues, so you need to keep your plugins up to date.
You can update them from WordPress management automatically. As in the previous point, making a backup before updating is highly recommended.
Limit the use of plugins
Use only the plugins you are going to need. It’s not a good idea to install large numbers of plugins, as each could be a gateway to hacking your WordPress.
Just keep your essential plugins, and if you have installed a plugin you don’t use any more… uninstall it!
Using reliable plugins is also important. Ideally, you should use the plugin search engine in WordPress administration or download them from the official plugin page.
If it is a paid plugin, make sure you download it from its developers’ page.
Never (repeat, NEVER) install a plugin you have obtained from a torrent (P2P network), a download manager or a suspicious page of the “super-paid-plugins-free” type, because it’s quite possible that the plugin will come with a “gift” in the form of malicious code.
Paying for the plugin license is preferable to losing your website.
Look at the number of plugin downloads (the more the better) and at the latest update date (if it’s from 2 years ago, that’s suspicious ).
If you want to try a plugin, make a clone of your website and try it on that, never on your real, published website.
Limit failed login attempts
This consists of trying to access the administrator with all the possible user and password combinations. These attacks are usually based on password dictionaries, so it is important to use complex or strong passwords.
Limiting the number of failed connection attempts from a single IP address can reduce the risk of illicit access.
The majority of security plugins already let you set this limit, but if you prefer not to use them, there are plugins for this specific purpose such as Automattic’s BruteProtect. You can find further information on our blog: Limiting failed connection attempts to the dashboard.
We block IP addresses automatically in our hosting when we detect several failed attempts to access administration or the WePanel dashboard.
Audit your WordPress
Webempresa offers a free security analysis for WordPress from wpdoctor.es.
With wpdoctor you can automatically check if you are up to date with many of the points covered in this guide:
It lets you know if you’re not using the latest version of WordPress and its most important plugins.
It checks whether access to the administrator is protected against brute-force attacks.
It shows you what information can be collected from your installation and tells you how to hide it.
You can check the health of your WordPress with Google Safe Browsing: https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=es
Or also directly in Google Console (formerly Webmaster Tools): https://www.google.com/webmasters/tools/security-issues
Make sure to keep essential and least privileged users
When in doubt, you can easily reset all your WordPress user passwords. You just have to follow the steps in the article Security in WordPress, how to reset all passwords?.
Periodically check which users exist and remove those that are not used or should not have access to your WordPress.
Protection for your websites
The first line of defense: Hosting
Use a professional web hosting provider
Check the features of the hosting service you are planning to buy for your website and make sure security is one of its top priorities.
Operating system
We recommend you choose Linux over Windows. Both platforms have security issues and are often subject to attacks by malicious actors; however, Linux continues to have some advantages thanks to its developer community.
Linux isn’t risk-free but, so far, it is capable of solving security problems much faster and more efficiently than Windows.
Is your hosting up to date on security?
Here are some of the measures you should consider in a shared hosting service.
The correct permissions for your hosting should be:
- 644 for files.
- 755 for folders.
If you don’t have these by default, you can start thinking about changing your hosting.
Use of an isolation system by the hosting service, so bad behavior or hacking of one website hosted on the server doesn’t affect the rest.
Use of systems to prevent Denial of Service (DDoS) attacks.
Preventive measures against brute-force attacks on WordPress.
Use of a WAF (Web Application Firewall). This lets you set security rules which will stop the majority of attacks on WordPress.
Then, even if any your website plugin has a vulnerability in its code, the WAF will probably prevent an attack.
Protecting databases. The right thing to do, among other measures, would be to allow access to databases only from the server itself, not from remote computers.
MySQL port closed: Ideally the MySQL port is closed, and if you need to access it from home, get them to enable access only from your IP address.
You will need a fixed IP address or a DynDNS account for this.
An added value a hosting service can offer is making automatic backups of your data, so if you need to go back to a previous website state, there is always a backup.
But remember, the fact that your hosting service already makes automatic backups doesn’t exempt you from making your own copies.
These are just a few of the measures we apply in Webempresa that let us and our clients sleep more peacefully.
We monitor all our services 24 hours a day, and our technical team gets alerts when suspicious activities are detected, so we can act immediately and in coordination with the client.
Our system administrators regularly update the rules protecting the WordPress sites hosted on our servers against security vulnerabilities or flaws.
Tracking new ways of attacking WordPress needs to be a daily, ongoing task – you can’t let your guard down!
For expert minds
More fuel for intermediate and advanced users
Enable auto-update in your WordPress
If you keep this option enabled, you ensure installation of security updates as soon as they become available.
You can configure automatic WordPress core updates from the wp-config.php file. You just need to add the following lines for each of the configurations:
//All core updates disabled define( 'WP_AUTO_UPDATE_CORE', false ); //All core updates enabled define( 'WP_AUTO_UPDATE_CORE', true ); //Only minor updates enabled define( 'WP_AUTO_UPDATE_CORE', 'minor' );
Plugin and template updates are best done manually, because they can be more sensitive and could lead to errors on the website if WordPress version compatibility isn’t properly verified.
Protect files that could compromise your website’s security
Some of the files added when you install WordPress are merely informative, but the information in them can be useful to attackers.
You can see how to protect them in our blog: Files that compromise WordPress security.
Protect the wp-login.php file
If you don’t allow front-end user registration and login to WordPress, it’s advisable to protect access to wp-login.php or only allow access from authorized IP addresses (if you connect using fixed IP addresses).
Would you like to learn how to protect it? We show you how in this article: How to protect the wp-login.php file.
Caution! You should only do this if visitors to your website don’t need to identify themselves as users.
For example, you shouldn’t protect the wp-login.php file in an online store.
Install a WordPress security plugin
There are lots of options, such as:
Wordfence
iThemes Security (previously known as Better WP Security)
If you are interested in the features Wordfence offers, we present them in this article: How to improve WordPress security with Wordfence Security.
Remember to disable the statistics (wfhits table) to avoid overloading your WordPress.
A valuable Wordfence option is checking of basic WordPress files to find out whether they have been modified.
Be careful when configuring these types of plugins, because you could block your own access with these tools.
Before installing any plugin of this type, make a backup. You can then go back to the previous state if you hit any problems.
Don’t go crazy installing plugins!
Bear in mind that installing all the security plugins you can find won’t make your WordPress more secure, and having several plugins modifying files that are key to your WordPress operation, such as the .htaccess file, could lead to unexpected behaviors.
Add an X-XSS-Protection header
After adding the header, whether in the .htaccess file or in the functions.php file, be sure to check that your website is working as expected.
If you see that it affects your website operation in any way, remove the code you added to undo the change.
Remember always to make a backup of the files you are going to edit.
Additional protection through wp-config.php
define('DISALLOW_FILE_EDIT', true);
If the website has already been created and you don’t need to add new plugins or templates, you can also disable installation of themes and templates by adding:
define('DISALLOW_FILE_MODS',true);User-agent blocking
This will prevent a specific user-agent accessing your website.
Here are some example user-agent blocking codes:
RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC]
RewriteRule .* - [F,L]
SetEnvIfNoCase user-Agent ^Baiduspider [NC,OR]
SetEnvIfNoCase user-Agent ^Yandex [NC,OR]
SetEnvIfNoCase user-Agent ^[Ww]eb[Bb]andit [NC,OR]
SetEnvIfNoCase user-Agent ^HTTrack [NC] Order Allow,Deny
Allow from all Deny from env=bad_botModify your WordPress login URL
Attackers are aware of this access and try to exploit it by launching brute-force attacks.
Changing this administration access URL will prevent those brute-force access attempts.
Learn how to do this by checking out the article Modify the WordPress login to avoid brute-force attacks.
At Webempresa we already incorporate security measures aimed at protecting access to /wp-admin and /wp-login.php against these types of attacks for our clients, so you don’t need to implement these types of security measures.
Protect your database by changing the default table prefix
You can imagine how very attractive it is to crackers and spammers, who try to send automated codes to access your data.
Many users forget to change the database prefix when installing WordPress.
This makes it easier for malicious actors to plan a massive attack by targeting the default database table prefix, which is: wp_.
We recommend changing the default prefix when installing WordPress.
If you already have it installed, you can easily change the prefix with the Brozzme DB Prefix & Tools Addons plugin.
Remember to make a backup of the database before you make any changes.
Add an X-Content-Type header
It can be prevented using the simple change we explain in the article: X-Content-Type-Options header to prevent security problems.
Add an X-Frame-Options header
You also prevent clickjacking-type attacks with this and they won’t be able to impersonate your website by loading it from an external location.
If you let this happen, someone could place your content in another domain and you could have problems with Google if it sees this as duplicate content.
We explain all the details in the article X-Frame-Options header to improve your website security
Disable XMLRPC to prevent DoS attacks
These WordPress websites will go to check whether you have really linked to them by downloading your page, and when you receive so many download requests together from so many websites, your website will crash.
You can avoid this in two ways:
1. Completely disable XMLRPC functionality. The problem with disabling XMLRPC is that you lose some useful features, such as pingbacks and trackbacks.
2. Have a Web Firewall (WAF) that protects you through advanced rules to count all the XMLRPC requests you receive and, if this number gets too high, block all that traffic. We have this option successfully deployed at Webempresa.
If you decide to disable XMLRPC, you can do that manually or using the XMLRPC Disable plugin.
To do it manually, you need to add this line in the functions.php file:
add_filter('xmlrpc_enabled', '__return_false');Referrer blocking
RewriteEngine On RewriteCond %{HTTP_REFERER} example.com [NC,OR]
RewriteCond %{HTTP_REFERER} example.net RewriteRule .* - [F]
SetEnvIfNoCase Referer "example.com" bad_referer
SetEnvIfNoCase Referer "example.es" bad_referer
Order Allow,Deny Allow from ALL Deny from env=bad_referer
This blocking lets you block access to your website from a link located in a given domain.
Crypto.php
It directly affects templates and plugins not authenticated by the official wordpress.org repository and is usually integrated into pirated or illicitly obtained templates or plugins.
The malware aims to add links to other websites to your website, where these normally link to sites with malicious purposes.
It can also be used for other purposes, because this infection can communicate with control servers to perform other tasks (sending SPAM, hosting other content, carrying out attacks on other websites, etc.)
The infection is usually in a short line of code such as the following:
include(‘assets/images/social.png’);
As you can see, what it does is to include a script calling code hidden in a .png file, which in theory should be a simple image.
How do you avoid it?
The primary measure to avoid this vulnerability is to avoid downloading plugins or templates from unproven sites. Our recommendation is always to download from the official wordpress.org repository.
If your site gets infected, we recommend installing the Wordfence security plugin. This includes an option to analyze images as if they were PHP code.
Be wary if you see PHP files in directories where there should only be images, such as the/wp-content/uploads directory, for example.
Further resources
- CiberProtector security pack with VPN, password manager and 2FA: CiberProtector.com
- Free WordPress audit: wpdoctor.es
- Sucuri blog: https://blog.sucuri.net/espanol/
- How to reset all passwords: http://goo.gl/d9tM4A
- Check whether you have vulnerable plugins: https://www.webempresa.com/comprueba-rapida-y-facilmente-si-tus-plugins-de-wordpress-son-vulnerables/
Hosting Vitamins
Hosting Tutorials
