WordPress Security Checklist for 2024 (with clear action items)

Written By WPCubicle Team

It is 2024 and just as websites have found new ways to protect themselves from hackers – hackers too have found newer ways to carry out malicious attacks on websites.

So, here’s a short, no-fluff WordPress security checklist that lists exactly what you need to do to keep your website safe.

Actionable WordPress Security Checklist –

1. Get rid of all unused plugins and themes

How:

Before you start getting rid of unnecessary plugins or themes, work through the following steps in order:

  • Try this on a test replica of your website and carry out extensive testing
  • Take a backup of your live website as well
  • Deactivate unused plugins and themes
  • Test your live website again thoroughly
  • Delete all deactivated plugins and themes
  • Test your live website again thoroughly

Why:

Old, unused plugins or themes only add to the burden of keeping your website safe from hackers. Also, very often these plugins get ignored when it is time to update your website.

2. Update WordPress Version, all themes and all plugins

How:

After you get rid of unnecessary plugins and themes, make sure you update all the remaining active plugins, themes and of course your WordPress version.

Why:

As soon as vulnerabilities are reported, security patches are released along with a new version of a theme, plugin or WordPress. If you don’t keep your website up-to-date, it could leave your website exposed to malicious attacks.

3. Enforce strong user passwords

How:

Set up and implement a strict password policy for all users, using a good WordPress security plugin.

Why:

Simple passwords can be guessed quickly by automated brute-force or dictionary attacks, and the compromised user accounts could then be misused.
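The page recommends a security plugin for this; as an added illustration (not WPCubicle's code, and not any particular plugin's), here is a minimal must-use plugin that enforces such a policy itself. It hooks the three places where WordPress lets a user pick a new password (profile edit, the add-new-user screen and the password-reset form), all of which post the new password as `pass1`. The minimum length, the deny-list and the `wpc_` prefix are assumptions; the hook names are real WordPress hooks.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (example)
 * Description: Rejects weak passwords on profile updates, new-user creation and password resets.
 *
 * Example code; drop it into wp-content/mu-plugins/ so it loads on every request.
 */

// Policy parameters (assumed values; adjust to your own policy).
const WPC_MIN_PASSWORD_LENGTH = 14;

/**
 * Return an error message if $password violates the policy, or null if it is acceptable.
 * Kept as a pure function so it can be reasoned about without WordPress loaded.
 * Note: strlen() counts bytes, so multi-byte characters count for more than one.
 */
function wpc_password_policy_error(string $password, string $username = ''): ?string {
    if (strlen($password) < WPC_MIN_PASSWORD_LENGTH) {
        return sprintf('Passwords must be at least %d characters long.', WPC_MIN_PASSWORD_LENGTH);
    }
    // Reject passwords that contain the username (case-insensitive): trivially guessable.
    if ($username !== '' && stripos($password, $username) !== false) {
        return 'Passwords must not contain your username.';
    }
    // A small deny-list of fragments that appear in every credential-stuffing word list (assumed).
    $common = ['password', 'qwerty', '123456', 'letmein', 'welcome', 'admin'];
    foreach ($common as $weak) {
        if (stripos($password, $weak) !== false) {
            return 'That password contains a very common word or sequence; choose something less predictable.';
        }
    }
    return null;
}

/**
 * Shared handler for the WordPress forms where a user chooses a new password.
 * user_profile_update_errors passes ($errors, $update, $user) where $user is a stdClass
 * carrying user_login; validate_password_reset passes ($errors, $user) with a WP_User.
 */
function wpc_enforce_password_policy(WP_Error $errors, $arg2, $arg3 = null): void {
    if (empty($_POST['pass1'])) {
        return; // Nothing to check: no new password was submitted.
    }
    $user_obj = ($arg3 !== null) ? $arg3 : $arg2;
    $username = (is_object($user_obj) && isset($user_obj->user_login))
        ? (string) $user_obj->user_login
        : '';
    $message = wpc_password_policy_error((string) wp_unslash($_POST['pass1']), $username);
    if ($message !== null) {
        // Adding to $errors makes WordPress abort the save and show the message to the user.
        $errors->add('wpc_weak_password', $message);
    }
}
add_action('user_profile_update_errors', 'wpc_enforce_password_policy', 10, 3);
add_action('validate_password_reset', 'wpc_enforce_password_policy', 10, 2);
```

Because the policy check is a pure function, you can call `wpc_password_policy_error('correct horse battery', 'alice')` from a small test file to confirm it returns `null`, and `wpc_password_policy_error('alice-password-2024', 'alice')` to confirm it is rejected, before deploying the file.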

4. Implement 2FA or Biometrics

How:

Require all accounts to log in via two-factor authentication or a passwordless passkey (for example, a biometric unlock).

Why:

Two-factor authentication adds an extra layer of protection for your user accounts. And logging in via biometrics like fingerprints helps genuine users log in easily without the hassle of remembering passwords. On World Password Day in 2023, Google announced its support for passkeys and published data related to Passwords vs Passkeys. Using passkeys is a no-brainer and one of the easiest ways for you to make your website’s authentication process strong.

5. Switch your website from HTTP to HTTPS and use a valid SSL certificate

How:

Install an SSL/TLS certificate and switch your WordPress website from HTTP to HTTPS.

Why: The main reason why you should make your website HTTPS is that any data exchanged between your website and its visitors is encrypted in transit, so it becomes much harder for an attacker on the network to read sensitive data such as login credentials.

6. Change your website’s login URL

How:

While there are several ways to hide your WordPress login URL, the quickest is to use a plugin, like this free WP hide login plugin.

  • Set the new login URL for your website and click on ‘Save Changes’. Be sure to bookmark or remember your new URL, because after you change it, you will not be able to access the old wp-login and wp-admin URLs.

[Screenshot: Hide Login URL WordPress plugin settings]

Why:

It is extremely simple for hackers to find your WordPress admin / login URL, if you use the default links. That makes it easier for them to attack your website.

7. Change the administrator’s default username ‘admin’

How:

First, make sure you have at least one other user with the role of ‘Administrator’ and that you are able to log in using those credentials.

Then, delete the default ‘admin’ user. Before you do that, make sure you attribute all posts and assets created by that administrator to another user (WordPress asks you to choose this when you delete a user). Otherwise, all of that content will be deleted along with the administrator.

Why:

Just as important as changing your website’s login URL, is to change the administrator’s username from ‘admin’ to something else.

8. Encourage users to change their WordPress login credentials

How: You can either make this part of your password policy or force users to reset their passwords periodically, using a WordPress plugin that sets password reset reminders.

9. Limit login attempts for users

How: Best to use a premium or free WordPress plugin to limit login attempts and block malicious bots.

Why:

Attackers can make repeated login attempts, cycling through many username and password combinations, until they find valid credentials. So it is recommended that you block such brute force attacks by limiting the number of incorrect login attempts.
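To make the mechanism concrete, here is an added example of a must-use plugin that does what the checklist asks of a limiter plugin: it counts failures per (client IP, username) pair in a WordPress transient and refuses authentication once the count reaches a threshold. This is illustrative code, not WPCubicle's and not any plugin's; the thresholds, the `wpc_` prefix and the use of `REMOTE_ADDR` are assumptions. One caveat worth noting: if your site sits behind a proxy such as Cloudflare (step 10), configure the web server's real-IP module so `REMOTE_ADDR` holds the visitor's address, otherwise every visitor shares the proxy's address and one attacker can lock everyone out.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Description: Locks out an IP + username pair after repeated failed logins, using transients.
 *
 * Example code; drop it into wp-content/mu-plugins/ and tune the two constants (assumed values).
 */

const WPC_MAX_FAILED_LOGINS = 5;        // failures allowed before lockout
const WPC_LOCKOUT_SECONDS   = 15 * 60;  // lifetime of the counter, and therefore of the lockout

/**
 * Client address. REMOTE_ADDR is only trustworthy when the web server sets it from the
 * real connection (or from a proxy you control via a real-IP module); do not read
 * X-Forwarded-For here, as clients can forge that header.
 */
function wpc_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key for one (IP, username) pair; hashed so the key stays short (md5 is fine here, it is not a security use). */
function wpc_lockout_key(string $ip, string $username): string {
    return 'wpc_fail_' . md5($ip . '|' . strtolower($username));
}

/** Count one failure. WordPress fires wp_login_failed after every failed attempt, including ones we block below, so a lockout keeps extending while attempts continue. */
function wpc_record_failed_login($username): void {
    $username = (string) $username;
    $key      = wpc_lockout_key(wpc_client_ip(), $username);
    $count    = (int) get_transient($key) + 1;
    set_transient($key, $count, WPC_LOCKOUT_SECONDS);
    if ($count >= WPC_MAX_FAILED_LOGINS) {
        // Leave a trail for log review and alerting.
        error_log(sprintf('wpc: lockout for user "%s" from %s after %d failures', $username, wpc_client_ip(), $count));
    }
}
add_action('wp_login_failed', 'wpc_record_failed_login');

/** Refuse authentication for a locked-out pair, whatever the password was. */
function wpc_block_locked_out($user, $username, $password) {
    if (empty($username)) {
        return $user; // cookie-based checks pass an empty username; nothing to rate-limit
    }
    $count = (int) get_transient(wpc_lockout_key(wpc_client_ip(), (string) $username));
    if ($count >= WPC_MAX_FAILED_LOGINS) {
        // Generic message: do not reveal whether the username exists.
        return new WP_Error('wpc_locked_out', 'Too many failed login attempts. Please try again later.');
    }
    return $user;
}
// Priority 30 runs AFTER core's wp_authenticate_username_password (priority 20), which
// would otherwise replace an early WP_Error with a WP_User when the password is correct.
add_filter('authenticate', 'wpc_block_locked_out', 30, 3);

/** Clear the counter once the user logs in successfully. */
function wpc_clear_failed_logins($user_login): void {
    delete_transient(wpc_lockout_key(wpc_client_ip(), (string) $user_login));
}
add_action('wp_login', 'wpc_clear_failed_logins');
```

The error_log line is the detection hook: forwarding the PHP error log to whatever you use for alerting turns repeated lockouts of one username, or lockouts from many addresses at once, into a visible signal of a credential-stuffing campaign rather than something you discover after the fact.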

10. Use a web application firewall

How: Best to use Cloudflare so that your origin server’s IP address is not exposed to visitors and all traffic passes through a firewall first. Cloudflare can help you to repel DDoS attacks, enable a Web Application Firewall and more.

Why: A firewall adds an extra layer of security by stopping malicious traffic before it reaches your website.

11. Disable File Edits

How:

  • Open your website’s wp-config.php file, which is usually in the main, root folder of your website.
  • Find this line in the wp-config.php file and make sure the value is set to true. If the line is not there yet (a default install does not include it), add it above the comment that reads ‘That's all, stop editing! Happy publishing.’

define('DISALLOW_FILE_EDIT', true);

Why:

If the built-in theme and plugin editor is left enabled, anyone who gets into an administrator account can use it to add malicious code to your website’s PHP files directly from the dashboard.

12. Disable PHP scripts execution for specific WordPress directories

How:

There are a couple of simple ways to prevent bad actors from running PHP scripts on your website. This is a well-written post that explains it in detail.

Why:

If left unrestricted, hackers could inject malware and execute PHP scripts on your website.
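The linked post is not reproduced here, so as an added example (not WPCubicle's code, and not any plugin's) the following script implements the most common of those "simple ways" for the uploads directory: it writes an `.htaccess` that tells Apache to refuse requests for PHP files under `wp-content/uploads`, which is the directory an attacker most often manages to drop a file into. It assumes an Apache host with `AllowOverride` enabled for the site; the `wpc_` names and the list of extensions are my own. Nginx ignores `.htaccess`, so there you would put the equivalent `location` rule (deny `.php` under `/wp-content/uploads/`) in the server block instead.

```php
<?php
/**
 * Example: harden the uploads directory against PHP execution (Apache).
 * Run once with WordPress loaded, e.g. via WP-CLI:  wp eval-file harden-uploads.php
 */

/** The rules themselves, in both the Apache 2.4 and the older 2.2 access-control syntax. */
function wpc_uploads_htaccess_rules(): string {
    return <<<'HTACCESS'
# Deny direct requests for PHP (and PHP-alike) files inside uploads.
# (?i) makes the match case-insensitive, since Apache maps handlers by extension case-insensitively.
<FilesMatch "(?i)\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
HTACCESS;
}

/**
 * Install the rules as $dir/.htaccess unless an identical file is already there.
 * Returns true when the file is in place, false when it could not be written.
 */
function wpc_protect_directory(string $dir): bool {
    $path  = rtrim($dir, '/') . '/.htaccess';
    $rules = wpc_uploads_htaccess_rules() . "\n";
    if (is_file($path) && file_get_contents($path) === $rules) {
        return true; // already hardened
    }
    // LOCK_EX avoids a half-written file if two processes race to create it.
    return file_put_contents($path, $rules, LOCK_EX) !== false;
}

// When loaded inside WordPress, protect whichever directory uploads are configured to use.
if (function_exists('wp_upload_dir')) {
    $upload = wp_upload_dir();
    if (empty($upload['error']) && ! wpc_protect_directory($upload['basedir'])) {
        error_log('wpc: could not write ' . $upload['basedir'] . '/.htaccess');
    }
}
```

After running it, verify the rule actually bites: place a harmless `test.php` containing `<?php echo 'x';` in the uploads folder, request it in a browser, and confirm you get a 403 rather than the letter x; then delete the test file. If you get the output instead, `AllowOverride` is off for that directory and the directives must go into the virtual-host configuration.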
