WordPress Security: Your Guide on Securing WordPress Sites

Apr 16, 2024 | How To, Website Maintenance

If you run a WordPress website, you're a target for all kinds of malicious activity, most of it automated. By some estimates, around 13,000 WordPress sites are hacked every day.

Getting attacked could mean losing data, revenue, and reputation. It’s time to get secure.



Below, we take you through 22 ways to secure and protect your site against potential threats, split up by complexity level.

We start with eight basic security tips, followed by seven intermediate ideas. If you're technically minded, we have seven advanced tips to close.

Why WordPress Security Is Important

Without a strong WordPress security plan, you could get hacked and lose:

  • Your access to the WordPress dashboard
  • Sensitive client and visitor data
  • All your published posts and pages
  • Revenue from customers who, understandably, want more security
  • Your reputation among your clients and across the industry.

It’s easy to assume that WordPress has security measures by default. However, default WordPress site security doesn’t make the cut. Much of the everyday protection falls to you.



Despite its security credentials, WordPress is the most frequently infected website platform on the planet. Sucuri's research found that 96.2% of the infected CMS sites it cleaned were running WordPress.

That's partly because WordPress is by far the most popular content management system, so it attracts the most automated attacks. It's also because attackers know where the weak spots usually are (outdated plugins, weak credentials, lax hosting) and that many site owners don't manage that risk.

Simple errors such as forgetting to update your WordPress site, using flimsy passwords, and choosing shady hosting providers can all lead to security nightmares. What’s more, WordPress hackers are constantly adapting.

Lucky for you, the following security best practices help website owners like yourself firm up their sites and ensure they’re as safe as possible.

We’ve split our WordPress security checklist into the following categories:

  • Eight basic tips to start with right away
  • Seven intermediate steps that require a little more effort
  • Seven advanced strategies that require technical knowledge (and take the longest)

We’ll begin with the basics of how to secure WordPress sites.

8 Basic Ways to Secure Your WordPress Site

It’s easier than you think to start securing your WordPress site. At this stage, we recommend you:

  1. Keep WordPress updated
  2. Keep your plugins and themes updated (and remove unused ones)
  3. Use strong passwords and practice permission management
  4. Pick a top WordPress host
  5. Run regular backups
  6. Install a top WordPress security plugin
  7. Enable a web application firewall (WAF)
  8. Serve your site over HTTPS (a TLS/SSL certificate)

Let’s get started.

1. Keep WordPress updated

Installing WordPress core security updates gives you the latest fixes to the core files. Once a vulnerability is public, attackers scan for sites that haven't patched it, so an outdated core is an easy target. Updating closes the holes that release fixed; it doesn't protect against flaws nobody has found yet, which is why the rest of this list matters.

It’s normally easy to tell if you need to install a newer version of WordPress. Log into your dashboard and take a look at the left-hand sidebar. Under “Home,” there should be a red circle with a number inside next to “Updates,” like so:

Select this, and an option appears for you to “Update Now.”

Once the update has finished, check that the plugins you use are compatible with the new WordPress version. The simplest way to stay compatible is to keep your plugins and themes updated too.

2. Keep your plugins and themes updated (and remove unused ones)

WordPress theme and plugin updates are released separately from WordPress's core patches, so, again, you need to watch for new releases. Vulnerable plugins are the most common way WordPress sites get compromised, so this step matters at least as much as the previous one.

Thankfully, this is easy to do through the same screen we used in step one. Head to the “Updates” screen again:

As with updating WordPress, follow the “Update Now” process.

We also recommend you remove (not just deactivate) any plugins you don't use or which are incompatible with WordPress's latest version. A deactivated plugin's files are still on the server, and any of them that can be requested directly are still exposed.

Finally, head to "Appearance" and "Themes" in your dashboard, and select your active theme.

If you're running WordPress 5.5 or later, there's an "Enable auto-updates" option for each theme here, and the same per-plugin toggle on the "Installed Plugins" screen. Automatic updates mean you won't need to watch this step, though an update can occasionally break a site, so pair auto-updates with the regular backups described in step 5.

3. Use strong passwords and practice permission management

It's extremely easy for attackers to break into WordPress sites with weak passwords without ever leaving the WordPress login page.

Weak or reused passwords are a factor in a large share of breaches (around 30% by some estimates). Against the login form an attacker is limited by how fast your server answers, but if a password database leaks, offline cracking rigs test billions of guesses per second, so your password has to hold up in both cases.

A strong password should ideally contain a random string of characters:

  • A mix of uppercase and lowercase letters
  • Symbols
  • Numbers

However, none of this matters if your password is short. Length counts for more than any single character class: every extra character multiplies the work a brute-force attack has to do. A long random passphrase generated by a password manager is the easiest way to get both length and randomness.

A tool such as Security.org's password strength checker estimates how long an attacker would need to crack a given password, like so. One caveat: never type a password you actually use into a third-party website; test a similar pattern instead, or rely on your password manager's own strength meter.

You need to set strong passwords for various areas of WordPress and, most importantly, for access to your admin account.

To reset your own password, head to the standard WordPress login screen and click "Lost password?"; WordPress emails you a reset link.

To reset passwords for multiple users, you can make changes directly through your WordPress dashboard. Head to “Users” and “All Users” to pull up the list of people who can access your site via login.

Select “Edit” next to the user you want to reset.

Now, head down to “Account Management.” You can generate a random password or create your own from scratch.

You should also ensure the password for your web host's control panel is strong, since that account can override everything inside WordPress. If you edit files directly, ask your host for SFTP (or FTPS) credentials rather than plain FTP, which sends your username and password in clear text, and reset any old FTP credentials you no longer use.

Don't forget to manage user permissions. Give the Administrator role only to people who genuinely need to install plugins or change settings; writers and editors should have the Editor, Author or Contributor role, so a stolen account can do the least possible damage.

To manage other users and their permissions in more detail, the User Role Editor plugin lets you adjust each role's capabilities from your dashboard once installed.

4. Pick a top WordPress host

The best WordPress hosting services work hard on your behalf to protect you from security threats, monitor network traffic, and update your backend software and hardware.

Many top-rated hosts also have disaster recovery and backup plans to ensure their users can recover from malicious attacks.

Consider choosing a managed or private WordPress hosting service over a shared plan. Shared hosting means you split resources with other sites, and if the host's isolation between accounts is weak, an attacker who breaks into a neighbouring site can reach yours.

We recommend looking at the following highly-rated hosts:

  • WP Engine
  • SiteGround
  • Kinsta
  • DreamHost

Right now, we’re using WP Engine to secure and manage our content. It’s one of the most popular WordPress hosts online for efficient updates, eagle-eyed protection, and all-around support.

5. Run regular backups

Backing up your WordPress site ensures you always have “save points” you can reload if you fall to a hacker or contract malware.

You should run automated backups regularly so you know your data is ready to restore in the worst-case scenario.

One of the fastest ways to do this, for example, is to run a backup plugin, such as UpdraftPlus. You can search for the software through the “Plugins” and search option on your dashboard, like so:

Install and activate the plugin once you find it, and head to “Settings” and “UpdraftPlus Backups” in your dashboard.

Then, head to “Settings” within UpdraftPlus and choose where to save your backups.

You can then choose how often you’d like to schedule backups, which is still under the “Settings” tab.

You should ideally back up your site every few days or even daily if you regularly add new content.

If you'd prefer not to use a plugin, you can also back up your site through your web host, but, as mentioned above, make sure to choose a reputable provider with a private or managed package. Whichever route you take, keep at least one copy off the web server (cloud storage or a separate account), because an attacker who gets into the server can delete or encrypt backups stored next to the site. And restore a backup to a staging site every so often: a backup you have never restored is not yet proven to work.
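The check that most people skip is opening the archive and confirming it contains what a restore needs. The script below is an added example (not from the original article and not part of UpdraftPlus or any host's tooling): it inspects a .tar.gz backup produced by any tool, confirms it holds wp-config.php, a database dump and the uploads tree, and flags archives older than a threshold. The archive it tests is constructed in a temp directory; the list of required members and the seven-day limit are assumptions you should adjust.

```python
"""Check that a WordPress backup archive is complete and recent."""
import io
import os
import tarfile
import tempfile
import time

# Members a usable WordPress backup must contain (assumed set; extend as needed)
REQUIRED = {
    "wp-config.php": lambda n: n.endswith("wp-config.php"),
    "database dump": lambda n: n.endswith(".sql") or n.endswith(".sql.gz"),
    "uploads tree": lambda n: "/wp-content/uploads/" in n,
}


def verify_backup(archive_path, max_age_days=7, now=None):
    """Return a list of problems; an empty list means the archive passed every check."""
    problems = []
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(archive_path)) / 86400
    if age_days > max_age_days:
        problems.append(f"archive is {age_days:.1f} days old (limit {max_age_days})")
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError) as exc:
        # A corrupt or truncated archive is the worst kind of surprise on restore day
        return problems + [f"archive unreadable: {exc}"]
    for label, matches in REQUIRED.items():
        if not any(matches(n) for n in names):
            problems.append(f"missing {label}")
    return problems


def build_sample_archive(include_db=True):
    """Write a constructed backup archive (tiny placeholder members) and return its path."""
    members = ["site/wp-config.php", "site/wp-content/uploads/2024/04/a.jpg"]
    if include_db:
        members.append("site/db.sql")
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    os.close(fd)
    with tarfile.open(path, "w:gz") as tar:
        for name in members:
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    print(verify_backup(build_sample_archive()))                  # []
    print(verify_backup(build_sample_archive(include_db=False)))  # ['missing database dump']
```

Run it against your real archives from a cron job and alert when the list is non-empty; it is cheap insurance against the silent failure mode where backups stop running or stop including the database.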

6. Install a top WordPress security plugin

Just as you'd install antivirus or anti-malware software on your devices, it's worth securing your WordPress site with a security plugin that watches your files and logins.

The best WordPress security plugins actively monitor any access attempts made on your site, run malware scans for suspicious files, and send you notifications when suspicious activity (such as file changes) arises.

WordPress users highly rate services such as Jetpack and Sucuri, and we certainly vouch for the latter.

Start by installing Sucuri through the Plugins search engine in your dashboard or by heading directly to Sucuri’s website.

Once installed, you can head to “Sucuri Security” from WordPress and select “Dashboard.”

From here, select “Generate API Key” to activate the plugin’s key features (such as alerts and logging). Fill out the form on the page that appears like so:

Head to “Hardening” and select the security options you’d like Sucuri to manage. Ideally, select them all and then “Apply Hardening.”

Although we highly recommend Sucuri, never assume you can leave it to do all the hard work. There are still plenty of steps left to firm up your security in WordPress!

We also suggest you choose a subscription with Sucuri to remove malware upon detection.

7. Enable a web application firewall (WAF)

Like firewalls you’d install for devices such as your PC, a web application firewall, or WAF, acts as a first line of defense against malicious traffic.

There are several types of WAF, but if you're running a small business, a cloud-based WAF managed by a third party is the practical choice.

That means maintaining and running the firewall falls to an outsourced company, which proves cost-effective and takes time and hassle off your plate, all while keeping your site safe.

Sucuri takes care of this for you, too. When exploring the plugin via WordPress for the first time, you can see "Firewall (WAF)" as an option on the dashboard.

To activate Sucuri's firewall, generate an API key from the Sucuri dashboard, paste it into the box provided on the Firewall screen, and save. One caveat with any cloud WAF: it only filters traffic that passes through it. An attacker who learns your server's real IP address can connect to it directly, so ask your host to accept web traffic only from the WAF provider's published IP ranges.

8. Serve your site over HTTPS (a TLS/SSL certificate)

HTTPS encrypts the traffic between your visitors' browsers and your server using TLS (Transport Layer Security, the successor to SSL; the certificates involved are still widely called "SSL certificates"). Without it, login credentials, session cookies and form data travel in clear text and can be read or altered by anyone on the path, such as on public WiFi. Like a WAF, it's a crucial line of defense.

It's easy to see which websites use HTTPS. They have "https://" instead of "http://" at the start of their URLs and a padlock icon in the address bar.

In some cases, you might not need to install SSL certificates yourself. If you registered your website via WordPress.com, the service’s turnkey hosting solution, it’s already taken care of.

However, if, like most users, you register through WordPress.org, you must arrange an SSL certificate through your web host. Which, again, is all the more reason to find a reputable provider!

If your web host doesn't offer certificates, use a service such as Domain.com, where you can buy a certificate to install manually. Many hosts now issue free certificates automatically (typically via Let's Encrypt), so check for that option before paying.

Alternatively, consider checking out the offers on WordPress.com, as you can invest in additional features such as CDN connectivity, unlimited bandwidth, and DDoS protection.

The premium Creator tariff is considerably more expensive than basic SSL certificates through Domain.com, but it's arguably better value.

Then, contact your web host or, better yet, an experienced developer at StateWP to install and manage your certificate for you. Once it's in place, make sure every http:// request redirects to https://, and update your WordPress Address and Site Address (under "Settings" and "General") to the https:// versions; otherwise parts of your site keep loading insecurely.

7 Intermediate Ways to Secure Your WordPress Site

This part of our guide focuses a little more on extra steps to tighten up your site that go beyond the “must-dos.”

Remember, if you need help or don’t have time to manage them yourself, StateWP is only a phone call, email, or Proto message away.

In this section, we suggest you:

  1. Harden your WordPress login practices
  2. Scan for malware and vulnerabilities weekly
  3. Turn off file editing
  4. Limit login attempts
  5. Add CAPTCHA to forms and comments
  6. Enable two-factor authentication (2FA)
  7. Automatically log out idle users

1. Harden your WordPress login practices

You should never run WordPress with a default username such as "admin." Attackers need both a username and a password to log in, and "admin" is the first username every brute-force tool tries. Be aware, though, that WordPress reveals usernames in other ways (author archive URLs and the REST API's users endpoint both expose login names), so treat a non-obvious username as a minor nuisance for attackers, not a defense; the password, login limits and 2FA below do the real work.

In most cases, WordPress asks you to choose an admin username when you install the software. If you ended up with "admin" anyway, there are a few ways to create a new one.

The easiest way is to head to your WordPress dashboard, select “Users,” and “Add New.”

Here, you simply create a new user with admin permissions.

Once the new user’s live, log out of your old admin account and back in with the new one. Then, head back to “Users” and delete your old account.

You can edit admin users through phpMyAdmin through your web host (the most technical route) or use a plugin such as Easy Username Updater.

Next, it's good practice to change the URL of your login page. We suggest installing the WPS Hide Login plugin. This hides wp-login.php from casual scanners and cuts the noise in your logs, though a determined attacker can still find the login page, so it's obscurity on top of, not instead of, the other controls.

Once installed, you can find the plugin on your WordPress dashboard. Select it, and then enter your new preferred login URL in the field provided.

Lastly, it's worth password-protecting your admin directory. This puts a second login prompt, handled by the web server itself, in front of everything under /wp-admin, so requests never reach WordPress (and any WordPress bug) unless the visitor already has those separate credentials.

To do this, you need your hosting control panel; the steps below assume cPanel. Log into your own cPanel account if you have one, or access it through your host.

In cPanel and under "Files," look for "Directory Privacy."

Now, open "public_html" (or the folder that holds your site, displayed below as "devenvironment") and select the "wp-admin" folder inside it:

Click "EDIT." On the next screen, check the box "Password protect this directory" and click "Save."

Then, click "Go Back," create a user with a secure username and password, and click "Save." These credentials are now required before anyone, including you, can reach the admin directory. One caveat: wp-admin/admin-ajax.php is used by many themes and plugins on the public site, so if front-end features break afterwards, ask your host to exempt that single file from the password prompt.

2. Scan for malware and vulnerabilities weekly

We suggest you scan for malware and potential vulnerabilities regularly, at least weekly, where possible.

This ensures you can keep up with any nastiness that sneaks in regardless of your preventative measures.

Scanning for malware with plugins differs from product to product. With Wordfence, for example, install the plugin, open it from the WordPress dashboard, and click "Start New Scan."

Wordfence is one of several malware scanners that lets you review suspicious activity and delete or repair malicious files. Not all plugins offer this as standard, so compare features before you decide which is best for you.

3. Turn off file editing

File editing is a built-in feature that lets you edit plugin and theme files from the WordPress dashboard. It's handy if you have coding skills, but it's also an open goal: anyone who gets hold of an administrator account (through a phished or brute-forced password, or a stolen session cookie) can use it to write a PHP backdoor straight into your theme in seconds. Turning it off removes that shortcut.

The quickest way to switch this off is to use Sucuri. If you've already followed the plugin's "Hardening" process, disabling the file editor is one of the items in that list.

Otherwise, you can log into your site over SFTP and edit the wp-config.php file. To do this, get login credentials from your web host and download a free client such as FileZilla.

Launch the software, log in, and look for public_html, your site's root folder. Then, look for wp-config.php. Your site depends on this configuration file, so download a copy to your drive first (right-click and download, or drag it to a local directory) and keep it as a backup.

Open your local copy of wp-config.php in a plain-text editor. Look for the line that says:

/* That's all, stop editing! Happy blogging. */

Add the following code before this line, save the file, and upload it back over the original.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

4. Limit login attempts

Like strong passwords, limiting login attempts helps stop attackers brute-forcing your login form.

WordPress doesn't rate-limit logins by default, so consider using a free plugin such as Limit Login Attempts Reloaded.

Installing and activating this plugin limits each IP address to four failed login attempts by default before it's locked out.

You can reduce the allowed attempts by heading to "Settings" and "Limit Login Attempts" in your dashboard, and adjust how long locked-out users stay locked out. Two caveats: if your site sits behind a CDN or reverse proxy, every visitor appears to come from the proxy's IP unless the plugin is configured to trust the forwarded client address, so check that setting before enabling lockouts or you may lock everyone out at once; and attackers who spread their guesses across many IPs stay under a per-IP limit, which is why 2FA (step 6) is still needed.
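Login plugins react at request time; it is also worth knowing what a password-guessing campaign looks like in your web server's access log, which is the evidence you'll have when a plugin wasn't installed yet. The script below is an added example (not from the original article, Limit Login Attempts Reloaded or any other plugin) serving both the login-hardening step and this one: it parses combined-format access log lines, counts POSTs to wp-login.php and xmlrpc.php per client IP in a sliding window, and reports the IPs that exceed a threshold. The log lines are constructed samples; the threshold and window are assumptions to tune to your own traffic.

```python
"""Spot login brute-force attempts in a web server access log (constructed sample)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# xmlrpc.php is the other password-guessing route (see advanced step 4)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_brute_forcers(lines, threshold=10, window_seconds=300):
    """Return {ip: peak_attempts} for IPs that POST to a login endpoint more than
    `threshold` times within any `window_seconds` span (sliding window per IP)."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    peak = defaultdict(int)       # ip -> largest number of attempts seen in one window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # expire old attempts
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def sample_log():
    """Constructed sample: 203.0.113.9 fires 12 login POSTs in two minutes (a failed
    WordPress login answers 200 and re-renders the form); 198.51.100.7 logs in once
    (302 redirect into wp-admin) and browses normally."""
    base = datetime(2024, 4, 16, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(secs):
        return (base + timedelta(seconds=secs)).strftime(TIME_FMT)

    lines = [
        f'203.0.113.9 - - [{stamp(10 * i)}] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"'
        for i in range(12)
    ]
    lines.append(f'198.51.100.7 - - [{stamp(30)}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.7 - - [{stamp(40)}] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"')
    lines.append("not an access log line")
    return lines


if __name__ == "__main__":
    print(find_brute_forcers(sample_log()))   # {'203.0.113.9': 12}
```

On a real server feed it the log file (`find_brute_forcers(open("/var/log/apache2/access.log"))`). If the site is behind a CDN or proxy, the first field will be the proxy's address; log and parse the forwarded client IP instead, or every visitor collapses into one "attacker".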

5. Add CAPTCHA to forms and comments

CAPTCHA forms are pretty recognizable. They're tick boxes and puzzles you need to complete to show a website you're a human, i.e., not a bot.

Some websites use Google's reCAPTCHA, which is usually more accessible because most visitors only have to tick a box (version 3 scores the request invisibly and shows no challenge at all).

Without a CAPTCHA, bots can register accounts on your site that leave spam links, probe for weaknesses, or give attackers a foothold if registration grants more privileges than it should.

Again, CAPTCHA isn't something WordPress offers as standard, so you need a plugin to add it to your login, registration and comment forms.

There are several available through the Plugins search, but we suggest Google Captcha (reCAPTCHA) by BestWebSoft, which adds the tick-box version.

Install this plugin, and you can toggle reCAPTCHA on each form; spambots can't complete the challenge at scale.

6. Enable two-factor authentication (2FA)

Two-factor authentication, or 2FA, requires users to prove their identity in two different ways, such as a password plus a one-time code from an authenticator app, a hardware key, or a code sent by email or SMS.

With 2FA, a stolen or guessed password alone is no longer enough: the attacker also has to control the second factor. Authenticator apps and hardware keys are the strongest options; SMS and email codes are better than nothing but can be intercepted or phished.

Adding 2FA to WordPress means you log in as usual and then confirm the login with a limited-time code or link.

Some web hosts offer 2FA for their own portal. For instance, through WP Engine, log into your portal account, click on your "Profile," and then "Multi-factor Authentication." Note that this protects your hosting account, not logins to the WordPress dashboard itself.

You can then add and save the method you'd like to use to confirm future logins, such as an authenticator app or your phone number.

For the WordPress dashboard, WP Engine recommends plugins such as Rublon, which is easy to set up and use in a few clicks. Apply it to every Administrator account, not just your own.
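Authenticator-app codes, the option most WordPress 2FA plugins offer alongside email, are time-based one-time passwords (RFC 6238). The code below is an added example (not from the original article, Rublon or any other plugin) of the server-side check: it derives a six-digit code from a shared secret and the current 30-second time step and verifies a submitted code in constant time, accepting one step of clock drift either side. The secret is the RFC 4226/6238 test key, not a real one; the drift tolerance is an assumption.

```python
"""RFC 6238 TOTP generation and verification, as used by authenticator-app 2FA."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
# RFC 4226 / RFC 6238 test secret, base32-encoded the way apps receive it via QR code
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with counter = floor(unix_time / step); `at` overrides the clock."""
    now = time.time() if at is None else at
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(now // step), digits)


def verify_totp(secret_b32, submitted, at=None, drift_steps=1):
    """Check a submitted code against the current step and +/- drift_steps neighbours,
    so a phone whose clock is slightly off still works. Every candidate is compared
    with compare_digest and no early exit, to avoid leaking timing information."""
    now = time.time() if at is None else at
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at=now + d * STEP_SECONDS)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    print(totp(TEST_SECRET_B32, at=59))                 # 287082 (RFC 6238 vector)
    print(verify_totp(TEST_SECRET_B32, "287082", at=59))  # True
```

A real implementation also has to store the secret encrypted, refuse a code that was already accepted in the same step (replay), and rate-limit attempts, since six digits give an attacker a one-in-a-million chance per guess.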

7. Automatically log out idle users

Idle users are WordPress accounts left logged in while the person is away from their screen. That might not seem like much of a threat, but if you manage multiple WordPress users remotely, there's no way to tell whether they lock their screens or work from shared devices.

What's more, your users might log in over public WiFi; if any part of the site is still served over plain HTTP (see basic step 8), someone on the same network can read the traffic and capture usernames, passwords or session cookies.

Thankfully, you can shrink the window in which an unattended or captured session can be abused by asking WordPress to log out idle users after a set time.

By default, a WordPress login session lasts 48 hours, or 14 days if the user ticked "Remember Me." That's ample time for trouble to strike.

Therefore, install software such as Inactive Logout, a plugin that, again, you can find through Plugins and search through WordPress. Install the plugin as you normally would, and look for “Inactive Logout” under “Settings” in the dashboard.

In the settings screen, you can set how long you want WordPress to wait before logging users out:

You can even set a custom message to warn idle users that you logged them out when they return.

7 Advanced Ways to Secure Your WordPress Site

The following WordPress security tips are some of the most complex and technical, but that doesn’t mean you should skip them.

We’ve broken down these steps so you can follow them at your own pace, but if you don’t feel confident or comfortable making these changes or would prefer someone to guide you, contact StateWP.

Through Proto, our dashboard, you can raise service requests for support by securing your WordPress site no matter how many tips you’ve read and tried.

In the meantime, we suggest the following final ways to secure your site:

  1. Use a CDN (Content Delivery Network)
  2. Disable PHP file execution
  3. Change your WordPress database prefix
  4. Disable XML-RPC
  5. Harden wp-config.php
  6. Block hotlinking from other websites
  7. Fix a hacked WordPress site

1. Use a CDN (Content Delivery Network)

Content Delivery Networks (CDNs) are geographically distributed networks of servers that speed up page delivery. Instead of every request hitting your single origin server, a CDN serves cached copies of your pages and assets from the server closest to each visitor.

Say your users are browsing from the East Coast of the US. In this case, your CDN might prioritize loading assets from a server based in Florida instead of in Alaska or California.

However, CDNs also offer security benefits to WordPress users. For instance, some CDN services, such as Cloudflare, offer additional firewall technology to protect your login page. Cloudflare, too, is well known for its anti-DDoS (Distributed Denial-of-Service) attack features.

You might even find that CDNs arrive with extra security rules and free TLS certificates. You're effectively adding yet another layer of defense to WordPress. Two caveats: as with a cloud WAF, attackers who discover your origin server's real IP can bypass the CDN unless your host restricts traffic to the CDN's ranges; and make sure the CDN encrypts its connection to your origin as well (in Cloudflare's case, use "Full (strict)" mode rather than "Flexible," which leaves the CDN-to-origin leg in clear text).

When considering a CDN, consult with your host first. Many hosts offer CDN services as extra features, so be sure to browse their available packages.

Otherwise, consider using Cloudflare or, yet again, Sucuri! Both are leading names in this side of WordPress protection.

Once you’ve chosen a package and have signed up for a CDN, you need to set it up and optimize it for your site.

This can get somewhat complex if the service doesn’t provide a plugin. Therefore, follow any instructions your CDN provides and consult either your host or a WordPress developer to help set you up.

2. Disable PHP file execution

Several directories within your WordPress site have to be writable by the web server so WordPress can accept uploads and install updates.

Unfortunately, if a plugin with an upload flaw (or a compromised account) lets an attacker drop a .php file into one of those directories, the web server will happily run it, giving the attacker a "web shell" from which they can steal data, edit content, and wreak general havoc.

The best way to stop this is to disable PHP execution in folders where you don't need it. Start with the uploads folder: WordPress never needs to run PHP from there, and it's exactly where upload flaws land files.

It's here where many attackers plant malicious code, leaving it to execute like a ticking time bomb.

First, create a blank text file. Paste this code into it (this is the Apache 2.4 syntax; on the old Apache 2.2 the equivalent is "deny from all" inside the same block):

# Refuse to serve any PHP-family file from this directory (Apache 2.4)
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>

Save this file to your drive as ".htaccess" (with the leading dot) and head to your SFTP client, e.g., FileZilla.

Open the folder marked "/wp-content/uploads" in the right pane, and search for your new .htaccess file in the left pane.

Drag the file across, and it uploads your PHP execution blocker to your uploads folder.

Two caveats: .htaccess files only take effect if your host's Apache configuration allows them (AllowOverride), and nginx ignores them entirely, so on nginx the same rule has to go into the server configuration; ask your host. If you're unsure whether other folders need the same blocker, contact a WordPress developer for guidance.
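Blocking execution is the fix; finding out whether something has already been planted is the other half. The script below is an added example (not from the original article): it writes the Apache 2.4 blocking rule into uploads/.htaccess and walks the uploads tree for files a PHP handler might execute, including double extensions such as shell.php.jpg, which some Apache configurations still hand to the PHP module. The fixture directory is constructed; the extension list is an assumption to extend for your host.

```python
"""Detect and block executable files in wp-content/uploads (constructed fixture)."""
import os
import re
import tempfile

# Extensions Apache's PHP handlers commonly execute; matched anywhere in the name
# so that double extensions (shell.php.jpg) are caught too
PHP_LIKE = re.compile(r"\.(php|php[0-9]|phtml|phps|phar)(\.|$)", re.IGNORECASE)

HTACCESS_RULE = """# Block execution of PHP-family files anywhere under uploads (Apache 2.4)
<FilesMatch "\\.(php|php[0-9]|phtml|phps|phar)$">
    Require all denied
</FilesMatch>
"""


def write_blocking_htaccess(uploads_dir):
    """Create or overwrite uploads/.htaccess with the deny rule; return its path."""
    path = os.path.join(uploads_dir, ".htaccess")
    with open(path, "w") as fh:
        fh.write(HTACCESS_RULE)
    os.chmod(path, 0o644)
    return path


def find_executable_uploads(uploads_dir):
    """Return sorted relative paths of files under uploads with a PHP-like extension."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if PHP_LIKE.search(name):
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def build_fixture():
    """Constructed sample uploads tree: one legitimate image and two planted files."""
    base = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(base, "2024", "04"))
    for rel in ("2024/04/photo.jpg", "2024/04/shell.php", "2024/04/img.php.jpg"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("placeholder\n")   # contents don't matter for a name-based scan
    return base


if __name__ == "__main__":
    uploads = build_fixture()
    print(find_executable_uploads(uploads))   # ['2024/04/img.php.jpg', '2024/04/shell.php']
    print(write_blocking_htaccess(uploads))
```

Any hit deserves a look before deletion (a few plugins legitimately put PHP in uploads, though they shouldn't), and a name-based scan misses PHP hidden in files with image extensions; the file-integrity check in advanced step 7 covers that case.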

3. Change your WordPress database prefix

Changing the WordPress database prefix is fiddly, but it's worth doing if you're serious about raising the bar for automated attacks.

Every default install names its tables wp_users, wp_options and so on. Automated SQL injection tools rely on those default names, so a custom prefix breaks many off-the-shelf attacks. Be clear about what it does not do: an attacker with a working injection can simply read the real table names from the database, so this is obscurity on top of, not a substitute for, keeping plugins patched (injection flaws almost always live in plugin code).

Renaming table prefixes is a sensitive affair, so back up your site before you start. You never know when you might need to reload a checkpoint.

To change the prefix, you edit the $table_prefix line in wp-config.php, but that alone breaks the site: every table also has to be renamed in the database (through phpMyAdmin via your host, or with SQL statements).

Beyond that, WordPress stores the prefix inside data too, so you also need to update the matching rows in the usermeta table (keys such as wp_capabilities) and the options table (wp_user_roles). It's a lot of work!

No pressure, either, but you could take your site offline if you fail to follow these steps correctly.

Take it from us. At this stage, speak to your host directly or ask a StateWP dev to safely rename your prefixes so you can keep your site online and spare yourself the headaches.
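To show what the work actually consists of, here is an added example (not from the original article or StateWP) that generates the SQL for a prefix change from a list of table names: one RENAME TABLE per table, plus the two updates for the prefixed rows WordPress keeps in the options and usermeta tables. The table list is a constructed default install plus one plugin table and one unrelated table; the new prefix is made up. Review the output, then run it inside a transaction on MySQL/MariaDB after taking a backup, and change $table_prefix in wp-config.php last.

```python
"""Generate the SQL for a WordPress table-prefix change (constructed table list)."""
import re

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")   # WordPress itself only allows these characters


def rename_prefix_sql(tables, old_prefix, new_prefix):
    """Return the SQL statements (as a list) that move every `old_prefix` table and
    the prefixed option/meta keys to `new_prefix`; raises ValueError on unsafe input."""
    for p in (old_prefix, new_prefix):
        if not PREFIX_RE.match(p):
            raise ValueError(f"prefix must match [A-Za-z0-9_]+: {p!r}")
    if old_prefix == new_prefix:
        raise ValueError("old and new prefix are identical")
    targets = sorted(t for t in tables if t.startswith(old_prefix))
    if not targets:
        raise ValueError(f"no tables start with {old_prefix!r}")

    stmts = [f"RENAME TABLE `{t}` TO `{new_prefix}{t[len(old_prefix):]}`;" for t in targets]
    # In LIKE patterns '_' matches any single character, so escape it
    like_old = old_prefix.replace("_", "\\_")
    start = len(old_prefix) + 1   # SUBSTRING is 1-based
    stmts.append(
        f"UPDATE `{new_prefix}options` SET option_name = CONCAT('{new_prefix}', "
        f"SUBSTRING(option_name, {start})) WHERE option_name LIKE '{like_old}%';"
    )
    stmts.append(
        f"UPDATE `{new_prefix}usermeta` SET meta_key = CONCAT('{new_prefix}', "
        f"SUBSTRING(meta_key, {start})) WHERE meta_key LIKE '{like_old}%';"
    )
    stmts.append(f"-- finally set $table_prefix = '{new_prefix}'; in wp-config.php")
    return stmts


# Constructed: the twelve core tables, one plugin table, one table that must be left alone
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_termmeta",
    "wp_terms", "wp_usermeta", "wp_users", "wp_wfconfig", "other_table",
]


if __name__ == "__main__":
    print("\n".join(rename_prefix_sql(SAMPLE_TABLES, "wp_", "k7x_")))
```

Feed it the real list from SHOW TABLES; plugin tables that store their own prefixed keys elsewhere (rare, but it happens) are the reason to test on a staging copy first.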

4. Disable XML-RPC

XML-RPC is a legacy remote API (xmlrpc.php) that lets mobile apps and third-party services manage a WordPress site. Sadly, attackers abuse it too: its system.multicall method lets a single request test hundreds of passwords, sidestepping per-request login limits, and its pingback feature can be used to turn your server into a DDoS amplifier.

Unless you're updating your site through the WordPress mobile apps or running software that needs it (Jetpack, recommended in basic step 6, relies on XML-RPC to talk to WordPress.com), it's safe to disable XML-RPC outright.

The fastest and most painless way to disable it is to open the .htaccess file in your site's root folder over SFTP.

Once you open the file, add the following code (Apache 2.4 syntax) and save.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    Require all denied
    # To keep access for one trusted client instead, replace the line above with:
    # Require ip xxx.xxx.xxx.xxx
</Files>

Replace the "x" line with the IP address of any client that still needs the service, such as the connection your mobile app uses. If you're happy to close it outright, leave that line commented out.

A perhaps safer and more user-friendly option is to use the Disable XML-RPC-API plugin. Once installed and activated, you can see it in your dashboard’s sidebar.

Open the new menu, toggle XML-RPC on or off for specific purposes, and add IPs you want to whitelist if needed.

5. Harden wp-config.php

As mentioned earlier, wp-config.php holds your database credentials, the secret keys that sign login cookies, and other core settings. It makes sense to harden it so nobody can read or edit it.

A good first step is a protective rule in .htaccess, assuming you're running Apache 2.4. Log into SFTP, look for .htaccess in your root, and add the following code at the top:

<FilesMatch "^wp-config\.php$">
    Require all denied
</FilesMatch>

This rule makes the web server refuse any direct browser request for wp-config.php. WordPress itself still reads the file from disk as normal; the rule is a safety net for the day a misconfiguration (PHP handling switched off, say) would otherwise serve the file, database password included, as plain text. You're effectively locking another door into your WordPress site.

Beyond this, it's worth resetting file permissions for wp-config as an extra measure. To do this, in your SFTP client, right-click wp-config and select "File permissions" to bring up a new screen.

Here, you enter a number that determines who may read and write the file. Sucuri recommends "600" (owner read and write only). That works when PHP runs as the file's owner, which is the norm on managed and cPanel hosts; if PHP runs as a separate web-server user in the owner's group, use "640" instead, and if the site breaks right after the change, that's the reason. Once you add the number, click "OK." A further option WordPress supports out of the box: move wp-config.php one directory above the web root (next to public_html rather than inside it), where it can't be requested over the web at all.
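The settings in this step and in intermediate step 3 are easy to forget on a site you inherit, so here is an added example (not from the original article or Sucuri's plugin) that audits a wp-config.php: it parses the define() calls and $table_prefix, then reports the file editor setting, FORCE_SSL_ADMIN, WP_DEBUG, placeholder or short secret keys, the default table prefix, and a file mode looser than 600/640. The sample configs are constructed in a temp directory; the 40-character salt minimum and the Unix mode check are assumptions.

```python
"""Audit a wp-config.php for the hardening settings discussed above (constructed sample)."""
import os
import re
import stat
import tempfile

DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*(?P<value>'[^']*'|"[^"]*"|[^)\s]+)\s*\)"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]""")
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER_SALT = "put your unique phrase here"   # shipped in wp-config-sample.php


def parse_wp_config(text):
    """Return ({constant: raw value}, table_prefix or None) from wp-config.php source."""
    defines = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}
    m = PREFIX_RE.search(text)
    return defines, (m.group("prefix") if m else None)


def audit_wp_config(path):
    """Return a list of human-readable findings; an empty list means every check passed."""
    with open(path) as fh:
        defines, prefix = parse_wp_config(fh.read())

    def is_true(name):
        return defines.get(name, "false").lower() == "true"

    findings = []
    if not is_true("DISALLOW_FILE_EDIT"):
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard file editor is enabled")
    if not is_true("FORCE_SSL_ADMIN"):
        findings.append("FORCE_SSL_ADMIN is not true: login and admin pages may be served over HTTP")
    if is_true("WP_DEBUG"):
        findings.append("WP_DEBUG is true: error output can leak file paths and queries to visitors")
    for key in SALT_KEYS:
        value = defines.get(key, "").strip("'\"")
        if len(value) < 40 or PLACEHOLDER_SALT in value:
            findings.append(f"{key} is missing or weak: regenerate it from the WordPress secret-key service")
    if prefix in (None, "wp_"):
        findings.append("table prefix is the default 'wp_'")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o027:   # group-writable or readable by anyone else
        findings.append(f"wp-config.php mode is {mode:o}: use 600, or 640 if PHP runs as a group member")
    return findings


def make_sample_config(hardened):
    """Write a constructed wp-config.php (weak or hardened) to a temp file; return its path."""
    salt = "'" + "a1B2" * 16 + "'" if hardened else f"'{PLACEHOLDER_SALT}'"
    lines = ["<?php", "define( 'DB_NAME', 'wordpress' );",
             f"define( 'DISALLOW_FILE_EDIT', {'true' if hardened else 'false'} );"]
    if hardened:
        lines.append("define( 'FORCE_SSL_ADMIN', true );")
    lines += [f"define( '{k}', {salt} );" for k in SALT_KEYS]
    lines.append(f"$table_prefix = '{'k7x_' if hardened else 'wp_'}';")
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600 if hardened else 0o644)
    return path


if __name__ == "__main__":
    for finding in audit_wp_config(make_sample_config(hardened=False)):
        print("-", finding)
    print(audit_wp_config(make_sample_config(hardened=True)))   # []
```

Point it at the real file (`audit_wp_config("/var/www/html/wp-config.php")`) from a host that can read it; it never modifies anything, so it's safe to run repeatedly.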

6. Block hotlinking from other websites

Hotlinking is when other websites embed assets from your media library, such as images and videos, directly from your server, using your bandwidth. Essentially, they do this so they don't have to host the files themselves.

Stopping this is possible through a CDN such as Cloudflare, whose Scrape Shield feature includes hotlink protection.

Alternatively, you could use a plugin such as AIOS (All-In-One Security) or edit .htaccess.

In SFTP, open up .htaccess and add the following code to the bottom. Replace example.com with your own domain, and adjust the list of other sites allowed to embed your images (these are the sites that get through, not the ones that get blocked):

# Prevent image hotlinking in WordPress
RewriteEngine On
# Let through requests with no referrer (direct links, privacy settings) ...
RewriteCond %{HTTP_REFERER} !^$
# ... and requests from your own site and the sites listed here
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?pinterest\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?twitter\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC]

Simply add more lines starting with RewriteCond to allow further sites if you wish, and save the file. Then load one of your own pages: if its images disappear, the line for your own domain is wrong.

Blocking hotlinking also saves bandwidth and speeds up WordPress, giving you all the more reason to prioritize this step.

7. Fix a hacked WordPress site

Lastly, if you suspect your website has already been hacked (for example, if common errors suggest foul play), it’s worth running through some fixes and fortifications so you can recover and protect your data.

We recommend you consult our guide on what to do if your WordPress site is hacked. However, here’s a quick cheat sheet to show you how to get started if your site gets hacked.

  1. Put your site into maintenance mode using a plugin such as LightStart
  2. Check the logs and file-change alerts in your security plugin (e.g., Sucuri) to establish what changed and when
  3. Compare core, plugin and theme files against fresh copies from WordPress.org and replace anything that differs; look in wp-content/uploads and wp-content/mu-plugins for PHP files you never added (performance plugins such as Asset CleanUp don't find malware, so don't rely on them for this)
  4. Check the database for injected content: unknown Administrator users, changed siteurl/home options, and script tags in posts (database-optimization plugins such as WP-Optimize clean up bloat, not malware)
  5. Reset all user passwords, delete users you don't recognize, and regenerate the secret keys in wp-config.php so every existing login session is invalidated
  6. Change your database, hosting-panel and SFTP passwords too, and rotate any API keys the site stores
  7. Make sure you update WordPress, plugins, and themes, and remove plugins you don't use
  8. Run your security plugin to find remaining malware and remove it
  9. If necessary, restore your site from a backup taken before the compromise, then reapply all updates
  10. Use Yoast SEO's plugin to rebuild your sitemap and, if Google flagged the site, request a review in Google Search Console

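Steps 2 and 3 above boil down to one question: which files changed? The script below is an added example (not from the original article or any security plugin) of the technique behind file-change alerts and WP-CLI's "wp core verify-checksums": it records a SHA-256 manifest of the site tree while the site is known clean and later diffs the live tree against it, listing modified, added and removed files. The mini site tree is constructed; in practice you would keep the manifest off the server so an intruder can't edit it too.

```python
"""Detect modified, added and removed files against a known-good manifest (constructed fixture)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large uploads don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def diff_manifest(baseline, current):
    """Return {'modified': [...], 'added': [...], 'removed': [...]}, each sorted."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def build_fixture():
    """Constructed mini site: take a clean baseline, then alter, plant and delete a file."""
    root = tempfile.mkdtemp(prefix="site-")
    files = {
        "index.php": "<?php // clean\n",
        "wp-includes/functions.php": "<?php function x() {}\n",
        "wp-content/themes/t/footer.php": "</body>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    baseline = build_manifest(root)
    with open(os.path.join(root, "wp-includes/functions.php"), "a") as fh:
        fh.write("/* simulated injected line */\n")
    with open(os.path.join(root, "wp-content/uploads-x.php"), "w") as fh:
        fh.write("<?php /* simulated planted file */\n")
    os.remove(os.path.join(root, "wp-content/themes/t/footer.php"))
    return root, baseline


if __name__ == "__main__":
    site, clean = build_fixture()
    print(diff_manifest(clean, build_manifest(site)))
```

Take the baseline right after a clean install or a verified restore, store it somewhere the web server cannot write, and re-run the diff from cron; the "added" list after a compromise is usually where the web shell is.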
This probably all sounds like a lot. We get it! When confused, simply reach out and ask a StateWP dev to fix up your hacked site in a matter of a day or two.

Make WordPress Security Your Immediate Priority

If you’re not already taking WordPress security seriously, now’s the time to start.



A poorly secured WordPress site is wide open to hackers and malicious code. That means you risk losing data, reputation, and revenue. And hey, think about your visitors, too!

The tips listed in this tutorial give you all the tools you need to improve WordPress security, but it’s faster and easier to have StateWP on your side as your 24/7 security expert.

Remember, you can raise service requests through Proto anytime, anywhere – and our experts pick up and get to work within a day of your contact.

In the meantime, if you’re hungry for more WordPress security tips, dive into our website maintenance checklist and get into good habits.

WordPress and Security FAQs

Now you know how to secure a WordPress site, let’s close with some commonly asked questions about WordPress security.

Is WordPress secure?

Yes, WordPress is reasonably secure when it's kept up to date, but you need to manage your website's security carefully. WordPress offers some security features as standard, but if you install the software from WordPress.org, you are responsible for the hosting, the updates and your TLS/SSL certificate. Make sure to ask your host or a WordPress developer for advice.

Beyond this, running some basic security checks and fortifying your site is always a good idea. We have a few quick steps you can follow in our WordPress security guide.

What are some common WordPress security issues?
  • DDoS attacks
  • Hosting vulnerabilities
  • Malware
  • SQL injections
  • Phishing attempts
  • Outdated plugins and themes
  • Backdoor attacks
  • Weak passwords
  • Dictionary attacks
  • Hotlinking abuse
  • Outdated core files
  • Insecure protocols (HTTP)

We explore how to protect against WordPress security issues in our complete guide above.

How do I make a WordPress site secure?
  1. Choose a secure hosting option
  2. Update WordPress and all plugins and themes
  3. Back up your site
  4. Make sure your usernames and passwords are strong and secure
  5. Install and run reputable security or malware plugins
  6. Protect your site with a firewall and/or a CDN
  7. Install a TLS/SSL certificate and serve the site over HTTPS

What is the best security plugin for WordPress?
  1. Sucuri
  2. Jetpack
  3. Wordfence
  4. All-In-One Security (AIOS)
  5. Defender

Different WordPress security plugins have pros and cons, but these are the best-reviewed choices for the platform. Remember, in some cases, you need to pay for a premium tier to get malware scanning and removal.

We have more details on scanning malware in our guide.

What are WordPress vulnerabilities?
  1. Outdated themes and plugins
  2. SQL database weaknesses
  3. Flimsy passwords that are easy to guess
  4. Idle WordPress users
  5. Poor hosting standards
  6. Lax file and folder permissions
  7. Older PHP versions
  8. Outdated core files
  9. Insecure protocol (HTTP)