How do I keep my WordPress site secure against hackers?

We’re sometimes asked how to keep WordPress secure against “hackers”, which is a great question!

The first thing to understand is how WordPress sites get hacked. Almost all of the hacked WordPress sites we see were compromised in one of these three ways:

  1. Customers didn’t update plugins or themes they installed;
  2. A WordPress administrator account used a weak password that was easily guessed (or reused and stolen from another service that suffered a data breach); or
  3. A WordPress administrator installed a “premium” paid plugin or theme from a site that offers “nulled” versions of the software (in many cases that “nulled” software actually contains malware).

We almost never see any other cause. But fortunately, all three of these things are easy to defend against:

Enable automatic updates

The first thing to do is to enable automatic updates for all your plugins and themes:

(Screenshots: enabling WordPress plugin automatic updates and WordPress theme automatic updates in the dashboard.)
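The dashboard toggles shown above work per plugin and per theme, and anyone with an administrator account can switch them off again. If you would rather enforce updates for everything at once, WordPress also exposes the decision as filters. The following is an added example written for this article, not code from the article's author or from WordPress itself; the file header, the must-use-plugin placement and the logging callback are assumptions of the example, while `auto_update_plugin`, `auto_update_theme`, `allow_major_auto_core_updates` and `automatic_updates_complete` are WordPress core hooks. It goes one step beyond the text by also accepting major core releases.

```php
<?php
/**
 * Plugin Name: Force Automatic Updates (hypothetical example)
 *
 * Added example, not part of the original article or any real plugin.
 * Place this file in wp-content/mu-plugins/ so it loads as a "must-use"
 * plugin that cannot be deactivated from the dashboard.
 */

// Auto-update every installed plugin and theme, regardless of the
// per-item toggles an administrator may have set in the dashboard.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Beyond the article's advice: also accept major core releases,
// not only the minor/security releases WordPress applies by default.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// After each background update run, write a one-line summary per item to
// the PHP error log so a failed update is noticed instead of silently
// leaving a vulnerable version in place. $update_results is keyed by
// type; each entry has ->name and ->result (true or a version string on
// success, false/null/WP_Error on failure).
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( array( 'core', 'plugin', 'theme' ) as $type ) {
        if ( empty( $update_results[ $type ] ) ) {
            continue;
        }
        foreach ( $update_results[ $type ] as $update ) {
            $failed = is_wp_error( $update->result ) || empty( $update->result );
            $detail = is_wp_error( $update->result )
                ? $update->result->get_error_message()
                : 'unknown error';
            error_log( sprintf(
                'auto-update %s: %s -> %s',
                $type,
                $update->name,
                $failed ? 'FAILED (' . $detail . ')' : 'ok'
            ) );
        }
    }
} );
```

Because the hook returns `true` unconditionally, this also updates plugins whose authors have marked them as not supporting auto-updates; if a specific plugin must be pinned, replace `__return_true` with a callback that inspects the `$item` argument the filter receives.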

Use two-factor authentication for WordPress

The second is to use a security plugin that provides two-factor authentication. That prevents “hackers” from logging in even if they somehow steal or guess a WordPress password. (You should also use strong, random passwords that are different for each site, but hopefully you’re already doing that.)

Don’t download “nulled” software

The third thing is obvious: never download software from “nulled” software sites. Always get it from the official author to make sure it doesn't contain malware.

You’re 99% of the way there

If you do these three simple things, your site will be more secure than 99% of all other WordPress sites, and you’ll be very unlikely to have any trouble.

We’re sometimes asked what we do on our end to improve WordPress security, too. How do we catch the other 1% of attacks? And what happens when a customer hasn’t followed these suggestions and gets attacked anyway?

Those questions have long and complicated answers, because when done properly, security is an ongoing process that requires constant changes, not a simple product you buy. (You should be skeptical of any company trying to make you pay extra for a security “product” — if it’s important, it should be included as part of the service.) We’ve been hosting WordPress sites since 2005, and the experience we’ve gained could fill a book.

A few of the things we do as part of that process (which many hosting companies don’t) include:

  • We use mod_security, a web application firewall (WAF), to block known attacks, and we update the rules often.
  • We have rate limits on outgoing mail, so any site that starts sending spam due to malware quickly gets flagged for human review.
  • We verify the core files of every WordPress site we host, several times each day, to make sure they haven’t been modified by malware (or anything else). A human reviews every changed file manually.
  • Twice a day, we check every site we host to verify it hasn’t been added to the Google Safe Browsing database. If it has been, a human helps you fix it.
  • We run each website under a different Unix user ID to prevent cross-site contamination, even if they’re under the same customer account.
  • We protect your files even if you accidentally change every file and directory to be world-writable (mode 777), using an additional layer of Linux “access control list” rules on your top-level directories.
  • We make automatic daily backups that we can use to compare modified sites against, and to restore from if there’s any problem. (Many hosting companies charge extra for backups, or don’t keep backups at all so they can’t restore your site even if you notice a problem.)
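The core-file verification and the backup comparison in the list above rest on the same mechanism: record a known-good hash for every file, then rescan and report anything that differs. The following is an added example illustrating that mechanism, not the hosting company's own tooling. Everything in it is an assumption of the example: the `build_manifest` and `compare_manifests` function names, the JSON manifest format, and the sample files, which are constructed in a temporary directory so the script runs stand-alone. In real use the reference manifest would come from the published checksums for the installed WordPress version or from the previous day's backup.

```php
<?php
/**
 * File-integrity baseline and comparison (added example, not the host's code).
 *
 * Builds a manifest of SHA-256 hashes for every file under a directory, then
 * compares a later scan against it and lists modified, added and removed files.
 */

// Walk $root recursively and return [ relative path => sha256 ], sorted by path.
function build_manifest( string $root ): array {
    $root     = rtrim( $root, '/' );
    $manifest = array();
    $files    = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ( $files as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $relative              = substr( $file->getPathname(), strlen( $root ) + 1 );
        $manifest[ $relative ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

// Compare a fresh scan against the stored baseline. A file that exists in both
// but hashes differently is "modified"; one only in the scan is "added"; one
// only in the baseline is "removed".
function compare_manifests( array $baseline, array $current ): array {
    $report = array( 'modified' => array(), 'added' => array(), 'removed' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $baseline ) as $path ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// --- Demonstration on constructed sample files (not a real WordPress install) ---
$root          = sys_get_temp_dir() . '/wp-integrity-demo-' . bin2hex( random_bytes( 4 ) );
$manifest_path = $root . '.json'; // kept outside $root so it is not scanned itself
mkdir( $root . '/wp-includes', 0700, true );
file_put_contents( $root . '/index.php', "<?php require 'wp-blog-header.php';\n" );
file_put_contents( $root . '/wp-includes/version.php', "<?php \$wp_version = 'X.Y';\n" );
file_put_contents( $root . '/wp-config.php', "<?php define( 'DB_NAME', 'example' );\n" );

// Day 1: record the baseline (in production, once per backup or per release).
file_put_contents( $manifest_path, json_encode( build_manifest( $root ), JSON_PRETTY_PRINT ) );

// Later: simulate what a compromise or a careless edit would look like.
file_put_contents( $root . '/index.php', "<?php /* changed */ require 'wp-blog-header.php';\n" );
file_put_contents( $root . '/wp-includes/extra.php', "<?php // unexpected new file\n" );
unlink( $root . '/wp-config.php' );

// Rescan and report. A scheduled job would hand a non-empty report to a human.
$baseline = json_decode( file_get_contents( $manifest_path ), true );
$report   = compare_manifests( $baseline, build_manifest( $root ) );
foreach ( $report as $kind => $paths ) {
    printf( "%-9s %s\n", $kind . ':', $paths ? implode( ', ', $paths ) : '(none)' );
}
exit( array_sum( array_map( 'count', $report ) ) > 0 ? 1 : 0 );
```

Run it with `php integrity-check.php`; the non-zero exit status when anything changed is what lets a cron job or monitoring system raise the file for review rather than relying on someone reading the output. Storing the manifest outside the web root (or on a separate host) matters, since a manifest that malware can rewrite is no longer a baseline.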

Perhaps most importantly: If your site is somehow hacked, we’ll help you restore it and find and fix the cause so it doesn’t happen again. We consider that a basic part of our service, not something extraordinary, or something to charge you for.