Secure Your WordPress Site Against Attacks in 2022

Aug 29 2018 Updated Sep 24 2021

Securing your site against potential hackers is super important these days. Although the rewards of investing in site security are not always obvious—if you do things right, you won’t see any visible effects because you won’t get hacked and you won’t have to spend dozens or hundreds of hours repairing the impacts of identity theft, lost content, or stolen customer data.

Yes, It Can Happen to You

People often dismiss the necessity of web security because they think, “Who would target me?” Often, they’re right—it’s not common for most sites to be targeted individually.

But that doesn’t mean you’re safe. While hackers may not be targeting you personally, they are targeting the software and web hosts you use.

These targets are chosen because they make for a much bigger prize if successfully hacked. Why invest time in breaking into individual sites, when you could try hacking a popular web hosting provider and walk away with data for hundreds of thousands of sites?

Hackers are smart. That means your site needs to be smarter.

Basic Defense Steps

Software developers work hard to make their code as secure as possible, but developers are humans—they make mistakes the same way you and I do. At the end of the day, all software needs constant maintenance to keep it secure, and while you cannot personally fix security gaps in the software you use, you can make your own sites much safer with just a few basic steps.

Use Strong, Unique Passwords

Don’t use just simple passwords to secure your site, and don’t use the same password everywhere! Remembering multiple logins is hard, but thankfully, there are services like 1Password and LastPass that can manage your passwords for you. Look into password generators to help you set strong, unique passwords for each of your accounts and logins.

Stay Up-to-Date

Be honest: When you see updates available for a new plugin, theme, or WordPress core, do you tend to put off the actual updating? Many of us do, and that’s a bad habit we need to break.

As noted above, all software has security vulnerabilities —and updates fix them! Whenever new updates are available, software should be updated as soon as possible.* The older the code on your site, the less secure your site is. Full stop.

*Note: We always recommend testing updates on a staging site before rolling them out on your live site.

Make Frequent Backups

To secure your site, making backups regularly counts as a security task. The backups are useful in their own right, of course—if something were to get weird with your site, backups help you repair things and prevent data loss.

Having backups also means you can be more aggressive with updating software as soon as it’s available. We often delay the task of updating software on our sites because we worry about the impact on existing plugins, themes, etc. But if you make good, frequent backups and something goes wrong with an update, you can simply restore the site from a backup. No harm, no foul. This will encourage you to back up more often, which will keep your site safe.

Extra Steps to Secure Your Site

Once you’ve mastered the basics, it’s time to add one or more of the following things to your site to take its security to the next level.

Hackers often use bots or a script to attempt to log into a site, using as many combinations of usernames and passwords as possible until it gets the right combo to gain access.

As the name implies, these plugins will make it so any given IP address can only attempt to log into your site a certain number of times over a specific timeframe, such as three login attempts within a one-hour time span. If all login attempts fail, that IP address is “locked out” and won’t be able to try logging in again for a set amount of time (often 24 hours).

You can easily add this type of security by adding a “Limit Login Attempts” plugin to your WordPress site.

Enable Two-Factor Authentication

In security terms, limiting access to something can be done by requiring one of three things: something you know (e.g. passwords), something you have (e.g. a physical key), or something you are (e.g. thumbprint or eye scanners).

The best option is requiring multiple types to gain access—for example, requiring a user to both know and have something to gain access to. And that’s exactly what “two-factor authentication” is. In modern terms, it mostly means that when you log in to a site, you’ll first provide a password and if that’s correct, you’re then sent a text message with a login code that you have to enter, confirming your identity before giving you access to the site.

There are two ways to set up two-factor authentication on your WordPress site:

SMS verification – verification code is provided via text message
Google Authenticator – verification code is provided in an app

For a step-by-step walkthrough of both, check out WPBeginner’s two-factor authentication tutorial.

Set Up Basic Monitoring

Security monitoring services help surface vulnerability issues quickly by routinely scanning for signs of malicious activity. Popular services such as Sucuri and WordFence help you stay on top of any attempted attacks, giving you the upper hand so you can respond swiftly.

If You Do Get Hacked

If you’ve been hacked, it’s best to seek assistance from a security professional to help you repair the damage from the attack. They’ll also revisit your site’s construction and perform an audit to figure out how the attack happened in the first place so you can prevent additional attacks in the future.

It’s All About Prevention

You’ve worked hard to build your site, so make sure you keep it safe. The security improvements we outlined here will go a long way towards preserving all the effort that went into creating it.

The key is to never become complacent, and never take for granted the security of your content, user data, and especially your site itself. There’s no shortage of hackers with bad intentions out there, so it’s vital to put in solid efforts to secure your site.