12 Steps to Secure WordPress Sorted by Effort

In the digital realm, where security breaches are increasingly common, safeguarding your WordPress site is more crucial than ever. In this article, I share a roadmap of twelve critical security measures, from the simplest to the more involved tasks.

These recommendations are for personal and small business websites. From removing unnecessary plugins to securing your hosting environment, each step is designed to add a layer of security to your site.

1. Remove unnecessary plugins
2. Update plugins, core, themes
3. Enable auto updates on plugins and themes
4. Change admin username
5. Set strong password requirements
6. Change admin URL
7. Add SSO for admin logins
8. Add 2FA for user logins
9. Setup email notifications
10. Enable backup
11. Use a Security plugin
12. Secure hosting environment

1. Remove Unnecessary Plugins

Removing unnecessary plugins from your WordPress site improves your site’s performance and security both. Each additional plugin can potentially introduce vulnerabilities and slow down your site. Keeping only essential plugins reduces the risk of security breaches and improves load times.

Regularly auditing your plugins helps identify and eliminate those that are outdated, no longer used, or redundant. A leaner set of plugins means fewer updates and compatibility issues, leading to a more stable and efficient website.

Go ahead and do this now. Delete unnecessary plugins. Make sure to take backups of your system before making major changes.

2. Update Plugins, Theme, Core

Regularly updating plugins, themes, and WordPress core is arguably the most important maintenance action you can take to maintain the security of your WordPress site. Updates often include patches for security vulnerabilities, enhancements, and compatibility fixes. Neglecting updates can leave your site exposed to security risks and operational issues.

3. Enable Auto Updates

Enabling auto-updates for plugins takes you out of the equation so that the plugins are updated timely as new versions are released, minimizing the window of vulnerability. You can set up email notifications to receive notifications if a plugin update fails.

4. Change Admin Username

Bad actors have automated tools that try to brute force passwords in WordPress sites. They use the typical admin usernames. Changing your admin username is another layer of security for your site.

WordPress doesn’t allow username changes by default. To change the admin username:

• Create a new admin user
• Assign all the content from the old admin account to the new account
• Ensure all posts and pages are correctly attributed to your new account
• Log out and log back in to test the new credentials
• Check your website to ensure everything is functioning correctly
• Delete the old admin account

5. Set Strong Password Requirements

Start with the basics. Set strong password requirements for both admin and regular users. You can achieve this by a standalone or WordPress security plugin.

• Standalone Plugin: Password Policy Manager
• Free Comprehensive Security Plugin: Wordfence

6. Change Admin URL

Modifying the admin URL is a smart defense against automated attacks. Default WordPress admin URLs are common targets for hackers. Changing them adds an extra layer of obscurity, reducing the likelihood of unauthorized access.

• Select a regularly updated plugin like ‘WPS Hide Login’
• Install and activate it via the WordPress dashboard
• Configure the settings

7. Add SSO for Admin Login

Integrating SSO in WordPress typically involves selecting and integrating a trusted SSO service through a plugin. This setup reduces the risk of password-related breaches and improves login efficiency for administrators.

Check out an earlier guide I wrote on WordPress Admin SSO Login w/ Google Workspace

Choose an SSO Service Provider

Research and select a trusted SSO service provider that suits your organization’s needs (e.g., Google, Okta, OneLogin).

Install an SSO Plugin:

• In your WordPress dashboard, go to ‘Plugins’ > ‘Add New’.
• Search for an SSO plugin compatible with your chosen provider (e.g., ‘Google Apps Login’ for Google SSO).
• Install and activate the selected plugin.

Configure the SSO Plugin:

• Navigate to the settings page of your installed SSO plugin.
• Enter the required details from your SSO provider, such as the client ID and secret key.
• Configure additional settings as needed, like user role mapping and login behavior.

Test the SSO Integration:

• Attempt to log in to your WordPress site using the SSO option.
• Verify that the login redirects to your SSO provider for authentication.
• Ensure you can access the admin dashboard successfully post-login.

Finalize and Communicate Changes:

• Once tested, finalize the SSO configuration settings.
• Inform your team or other admin users about the new SSO login process.
• Provide guidance or training if necessary for a smooth transition.

Optional Security Enhancements:

• Consider disabling traditional WordPress logins for administrators to enforce SSO exclusively.
• Regularly review and update your SSO configuration to align with security best practices.

8. Setup Email Notifications

Email notifications can be configured natively for basic alerts or through plugins for more advanced needs.

Install a Notification Plugin

• For more advanced notifications, select a plugin like ‘WP Mail SMTP’
• Install and activate the plugin

Customize Plugin Settings

• Access the plugin’s settings page from your dashboard.
• Configure the types of notifications you want to receive and their frequency.
• Set up email templates if the plugin allows customization.

9. Add 2FA for User Logins

Adding Two-Factor Authentication (2FA) for user logins greatly enhances the security of your WordPress site. This method requires users to provide two types of verification, making unauthorized access significantly more difficult.

2FA can be implemented using various methods like SMS codes, email codes, or authentication apps. Integrating 2FA ensures an additional security layer beyond just usernames and passwords.

Free Plugin: WP 2FA

10. Setup Backup

Enabling regular backups is a critical safety measure for any WordPress website. Backups protect your data against loss due to hacking, server failures, or accidental deletions, ensuring that your website can be restored quickly and efficiently.

You should aim to back up the following pieces regularly:

• Database: this is where all your site’s data is at. I suggest setting this backup in your hosting provider.
• Uploaded files such as pictures.
• WordPress theme and customizations

Install a Backup Plugin

There are lots of backup plugins out there. I’ll try to write an article about them specifically at a different time. For the purpose of this article, I recommend Jetpack VaultPress backup.

Configure Backup Settings:

• Access the settings page of your backup solution.
• Set up the frequency of backups (daily, weekly, etc.).
• Choose what to back up (database, files, or both).
• Select a storage location for your backups (like Dropbox, Google Drive, or Amazon S3).

Run a Test Backup:

• Initiate a manual backup to ensure everything is working correctly.
• Verify that the backup files are correctly saved in your chosen storage location.

Schedule Automatic Backups:

• Set the plugin or service to perform automatic backups at regular intervals.
• Ensure that older backups are rotated or removed to manage storage space.

Backup Restoration Test:

• Conduct a test to restore your site from a backup to ensure the process is smooth and effective.
• This step is crucial to confirm that your backups are reliable in case of an actual need.

Monitor and Maintain

• Regularly check that your backups are running as scheduled.
• Keep your backup solution updated and review settings periodically to adjust to any changes in your site’s needs.

11. Use a Security Plugin

Using a security plugin is essential for reinforcing WordPress site defenses. These plugins offer features like firewalls, malware scanning, and more, providing comprehensive protection against various threats.

Choose a plugin based on your specific needs and website complexity. Popular options include Wordfence, Sucuri, and iThemes Security, each offering a unique set of security tools and configurations.

I use Wordfence on my sites and plan to start testing Scuri soon.

Research and Select a Security Plugin

• Evaluate your site’s security needs.
• Research and compare security plugins like Wordfence, Sucuri, or iThemes Security.
• Consider factors like features, user reviews, and compatibility with your WordPress version.

Install and Activate the Plugin

• In your WordPress dashboard, go to ‘Plugins’ > ‘Add New’.
• Search for your chosen security plugin.
• Install and activate the plugin.

Configure Plugin Settings

• Navigate to the plugin’s settings page.
• Configure the settings according to your security requirements. This may include setting up a firewall, enabling malware scanning, and configuring login security options.

Enable Features as Required

• Turn on features like brute force attack protection, malware scanning, and firewall protection.
• Set up email alerts for security incidents or updates.

Run Initial Scans

• Perform an initial security scan to check for vulnerabilities or existing issues.
• Address any security recommendations or issues identified by the plugin.

Regularly Update the Plugin

• Keep the security plugin updated to ensure the latest security features and patches are in place.
• Regularly check for and apply updates as they become available.

12. Secure Hosting Environment

A secure hosting environment protects against threats and ensures reliability and performance. Look for features like regular backups, malware scanning, SSL/TLS encryption, and a strong firewall. Reliable customer support and a commitment to updating server software are key indicators of a security-focused host.

If you’re setting up and managing your own hosting environment for a WordPress site, here are some crucial points to secure your infrastructure:

Use a Secure Server Operating System:

• Choose an operating system known for its security and stability, like Ubuntu Server or CentOS.
• Regularly update the OS to patch any known vulnerabilities.

Implement a Firewall:

• Set up a firewall to control incoming and outgoing network traffic based on security rules.
• Consider using tools like iptables or UFW (Uncomplicated Firewall) for Linux servers.

Install SSL/TLS Certificates:

• Use SSL/TLS certificates to secure data transmission between the server and users’ browsers.
• Let’s Encrypt offers free SSL certificates, which can be easily installed and automated for renewal.

Regularly Update Software:

• Keep all server software, including the web server (like Apache or Nginx), PHP, and database server (like MySQL or MariaDB), up to date with the latest security patches.

Secure Database Access:

• Use strong, unique passwords for database access.
• Limit database connections to localhost or specific IP addresses.

Configure Secure File Permissions

• Set strict file permissions for your WordPress files and directories.
• Regularly check and correct permissions to prevent unauthorized access.

Implement Network Security Measures

• Use tools like fail2ban to monitor and block suspicious IP addresses.
• Consider implementing intrusion detection systems (IDS) for advanced monitoring.

Create Regular Backups

• Set up a system for regular automated backups of both your site files and database.
• Store backups in a secure, off-site location.

Monitor Server Logs:

• Regularly review server logs for any unusual activity or security breaches.
• Consider using log management tools for efficient monitoring.

Restrict Access:

• Limit SSH access to the server to specific IP addresses.
• Use SSH keys instead of passwords for added security.