Did you know that, on average, over 30,000 websites are hacked every single day?
According to Sucuri, 90% of infected websites run on the WordPress CMS.
WordPress is an easy target for hackers because of weak passwords and plugin vulnerabilities.
Most beginners don’t know how to secure their websites, and the majority of them don’t even think about securing their WordPress websites. If you are one of them, you are in danger.
Some time ago, some of the links from search engine results of BloggersPassion were stolen by hackers. A malicious backdoor script was injected into some of my blog files to steal backlinks. It was so painful for us, not just because it cost a lot of money but because it eventually dropped the blog’s sales.
It was only after the security attack on BloggersPassion that we started taking more precautions to secure WordPress sites.
If you are one of those people who have never bothered about securing WordPress sites, stop wasting time and secure your WordPress sites as soon as possible. Otherwise, your blog links might also get stolen by hackers.
That being said, this detailed post is written to help you secure your WordPress sites from hackers stealing your backlinks, data or passwords. Let’s dive into the details without further ado.
How to Secure Your WordPress Sites from Hackers
Secure Your WordPress Sites from Malware and Viruses
This is the reason why our blog got hacked. It was a malware attack, which was a backdoor script inserted into one of our blog files to steal over 100 links from BloggersPassion. The issue is resolved now and my blog is completely secure from the attacks.
It might happen with your blog as well and you never know who’s going to hack your site by injecting bad files into your website folders.
We highly recommend installing the Anti-Malware security plugin for WordPress, as it can secure your WordPress sites from malware and viruses.
This plugin runs a full scan of your website files to automatically remove security threats and backdoor scripts (if you have any). It will also keep your blog safe from known vulnerabilities.
Here are a few features of this WordPress security plugin.
If you want to keep your blogs safe from malware attacks, you should definitely install the above plugin.
Secure from WordPress Brute Force Attacks
A brute force attack is the simplest way for hackers to gain access to your WordPress sites. It is a password-guessing attack that usually aims to steal your data or backlinks from your sites.
If you are not ready to combat these attacks, your WordPress sites might get hacked easily.
Here’s how it looks:
As they say, “prevention is better than cure”, so here are a few simple ways to secure your WordPress sites from brute force attacks. You can easily prevent them by implementing the following techniques.
Secure Your .htaccess File
The .htaccess file is one of the most complicated files in your WordPress setup.
If done right, you don’t have to install any of the above-mentioned plugins; just by editing the .htaccess file, you can protect your WordPress site from hackers. It is a very powerful file.
But I don’t recommend anyone (unless you know what you are doing) to edit the file, as it can stop your WordPress sites from even opening up.
Then, how do you secure your .htaccess file?
By using the BulletProof Security plugin for WordPress. Again, it’s a free tool for WordPress users, but it has a TON of features to secure your WP sites along with securing the .htaccess file.
This plugin protects your .htaccess file by putting a firewall around it. Without your permission, no one can access your root files, and it also restricts access to the admin dashboard. You can also prevent directory browsing with the same firewall rules, and this plugin does exactly that.
Along with the above security features, this plugin also helps you with the following things.
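As an added illustration (written for this article, not from the original post and not the BulletProof Security plugin’s own rules), here is the kind of hardening such a plugin writes into the WordPress root .htaccess: it denies web access to .htaccess itself and to wp-config.php, disables directory browsing, and limits wp-admin and wp-login.php to an allowed network. It assumes Apache 2.4 with mod_authz_core and mod_rewrite enabled; the 203.0.113.0/24 range is a placeholder for your own address.

```apache
# Added example, not from the post or the plugin: hardening for the WordPress root .htaccess.
# Keep WordPress's own "# BEGIN WordPress ... # END WordPress" block; these rules go above it.

# 1. Nobody can fetch .htaccess / .htpasswd over HTTP (protects the rules themselves)
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 2. wp-config.php holds the database credentials and salts; never serve it
<Files "wp-config.php">
    Require all denied
</Files>

# 3. Turn off directory browsing so a listing cannot reveal file names.
#    If the host's AllowOverride does not include "Options", remove this line,
#    otherwise Apache answers every request with a 500 error (the "site won't open" case).
Options -Indexes

# 4. Restrict the admin dashboard and login page to an allowed network (placeholder range).
#    admin-ajax.php stays reachable because themes and plugins call it for logged-out visitors.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(wp-admin/|wp-login\.php) [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteRule .* - [F,L]

# 5. Separate file: place the block below in wp-content/uploads/.htaccess so that a
#    backdoor script dropped into the uploads folder cannot be executed by the web server.
# <FilesMatch "\.php$">
#     Require all denied
# </FilesMatch>
```

After saving, test the site and the login page from an address outside the allowed range; a 403 on /wp-login.php and a normal front page means the rules are active.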
Set Up Website Firewalls
A firewall is a security system that protects your computers and websites. Having a firewall set up is a must if you want to harden the security of your website files.
A firewall filters all the data coming to your servers, networks and websites. It also analyzes that data by inspecting requests, so you are protected from hacking attacks.
If you are wondering how to set up a strong firewall on your WordPress sites, there’s a great plugin available for you called “Ninja Firewall”.
This plugin is itself a web application firewall, a stand-alone firewall that sits in front of your WordPress sites to secure your files.
This plugin can scan, inspect or reject any HTTP request sent to the PHP scripts on your websites, thereby securing your files from malware and other security breaches.
Apart from the encoded PHP scripts mentioned above, hackers’ shell scripts and backdoors will also be filtered by NinjaFirewall.
Here are a few incredible features of this plugin.
Take Regular Backups of your Website Files
Creating regular backups for your website is the key to keeping it safe.
In the worst-case scenario, even if your site gets hacked, you don’t need to worry about losing all your blog posts, pages, comments and links.
You can simply restore from a backup to get all that data back. Even if your site never gets hacked, you might lose data while making design changes on your site, and regular backups help immensely then too.
We highly recommend BackupBuddy. It’s a premium tool that regularly backs up all of your website files, and you can restore them at any moment in case of file loss.
If you are looking for a free option, try BackWPup. It’s a free plugin that backs up all your files, including your databases.
This plugin automatically saves your complete installation, including /wp-content/, to an external backup service like Dropbox, S3, FTP etc.
BackUpWordPress is another great (free) WordPress plugin for taking regular backups of all your website files. This plugin works in low-memory, “shared host” environments, so your site speed won’t be affected much, and it also has an option to have each backup file emailed to your inbox. You can also exclude files you don’t want backed up.
So what are you waiting for? Make sure to use one of the above-mentioned plugins to start backing up your whole site. We recommend taking backups at least every week to avoid regrets in the future.
Top 10 Best WordPress Security Plugins
Hands down, WordPress is the most popular CMS in the world which is used by millions of websites. WordPress is also the #1 platform which is mostly targeted by hackers all around the world.
That’s the reason why you should always secure your WordPress site from all security attacks. Fortunately, there are a ton of WordPress security plugins available which can help you easily secure your sites.
Here’s a list of top 10 best WordPress security plugins (in no particular order) you can use in 2019 to protect your blog from hackers.
This is one of the most downloaded and popular WordPress security plugins which includes an endpoint firewall and malware scanner to protect your WordPress sites.
The good thing about their firewall is that it identifies and blocks malicious traffic so you can avoid invalid traffic and clicks (which can be especially helpful if you’re using AdSense ads within your site).
And it also offers you an integrated malware scanner which blocks requests that include malicious code or content. Using this plugin, you can also prevent brute force attacks by limiting login attempts.
iThemes Security, formerly known as Better WP Security, is another very popular security plugin used by millions of people worldwide, as it offers you over 30 ways to secure your WordPress sites.
It offers a ton of features, including the ability to prevent brute force attacks, scan your site for security issues, change the URLs of WordPress dashboard areas including login and admin, and the list goes on.
Above all, it also helps you detect the hidden 404 errors on your website which are affecting your SEO, including toxic backlinks, missing images and so on.
This security plugin offers a wide range of security features along with a firewall to prevent malicious attacks on your site, and it also offers a limit-login-attempts feature.
Here’s how the backend of this plugin looks:
All In One WP Security detects whether there is a user account with the default “admin” username and lets you change the username to a value of your choice for better security.
You can also easily backup your original .htaccess and wp-config.php files if you need to use them to restore broken functionality within your WordPress websites.
This plugin can be considered an all-in-one security plugin which offers a ton of security features, including a malware scanner, firewall, login security, database backup, anti-spam and so on, and it also offers a one-click setup wizard to easily configure the plugin on your WordPress sites.
Using this plugin, you can easily access and configure your .htaccess file, and you can use its database backup to take partial or full backups of your WordPress websites.
All in all, it’s a great plugin even for beginners who’re looking for an easy-to-use, all-in-one security plugin to secure their sites.
Sucuri Security is another highly effective WordPress security plugin that helps you perform auditing, malware scanning, security hardening and more on your WordPress sites.
There are a ton of security threats you can prevent using this plugin, as it offers exceptional features like the following.
The best part is, if somehow your site gets hacked for whatever reason, this plugin offers post-hack security actions, including a section that walks you through the 3 important things you should do after a compromise.
6. from UpdraftPlus
This is the most popular 2-factor authentication plugin for WordPress, with over 2 million active downloads, and it’s developed by the makers of the #1 WordPress plugin UpdraftPlus.
If 2-factor authentication is enabled on your site, you will need a one-time code in order to log in. This plugin supports the standard TOTP and HOTP protocols and also supports Google Authenticator, Authy etc.
It also displays graphical QR codes for easy scanning into apps on your phone or tablet. So if you want to add an extra step to logging into your WordPress dashboard, a 2-factor authentication plugin like this one is essential.
If you want to limit access to your site to visitors who are logged in or are accessing the site from a set of specified IP addresses, you can use this plugin.
This plugin is especially useful for multi-author websites or if you’re accepting guest posts from a ton of other users who need to access your site to publish those posts. You can also use this plugin to send restricted visitors to the login page, redirect them, or display a message or page, so you have full control over your site.
You can easily customize the redirect location or send them to the same requested path, set the HTTP status code, and the list goes on.
Want to prevent brute force attacks? Want to add 2-step authentication to your website login for added security? Then use this plugin, as it blocks login for an IP after it reaches the maximum retries allowed (you can also set the maximum limit).
Not just that, you can blacklist or whitelist IPs for login using this plugin, and it gives you a wide range of features including 2-factor authentication, reCAPTCHA, passwordless login etc. to improve the security of your WordPress website.
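The lockout this plugin applies (block an IP after the maximum retries, with allow and deny lists) is shown in the added Python example below, which also covers point 4 of the security checklist later in the post. It is illustration code written for this article, not the plugin’s own; the thresholds and the sample IP addresses are constructed assumptions.

```python
"""Added example, not from the post or any plugin it names: a per-IP login
lockout run over a constructed sample of login attempts."""
import ipaddress
from collections import defaultdict

MAX_RETRIES = 5            # failures allowed before the IP is locked out (assumption)
LOCKOUT_SECONDS = 20 * 60  # how long the IP stays blocked (assumption)
WINDOW_SECONDS = 60 * 60   # failures older than this are forgotten (assumption)


class LoginLimiter:
    def __init__(self, max_retries=MAX_RETRIES, lockout=LOCKOUT_SECONDS,
                 window=WINDOW_SECONDS, allowlist=(), denylist=()):
        self.max_retries = max_retries
        self.lockout = lockout
        self.window = window
        self.allow = [ipaddress.ip_network(n) for n in allowlist]   # never locked out
        self.deny = [ipaddress.ip_network(n) for n in denylist]     # never allowed in
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lockout expires

    @staticmethod
    def _listed(nets, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def is_blocked(self, ip, now):
        if self._listed(self.allow, ip):
            return False
        if self._listed(self.deny, ip):
            return True
        return self.locked_until.get(ip, 0) > now

    def record(self, ip, success, now):
        """Update state after a password check; returns True if the IP is now locked out."""
        if success:
            self.failures.pop(ip, None)     # a good login clears the failure count
            return False
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
            return True
        return False

    def attempt(self, ip, password_ok, now):
        """One login attempt: 'blocked' (password not even checked), 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "blocked"
        self.record(ip, password_ok, now)
        return "ok" if password_ok else "failed"


# Constructed sample log: (unix_time, client_ip, password_was_correct)
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7", False), (5, "198.51.100.7", False),
    (10, "198.51.100.7", False), (15, "198.51.100.7", False),
    (20, "198.51.100.7", False),   # 5th failure -> lockout starts
    (25, "198.51.100.7", True),    # right password, but the IP is locked out
    (30, "203.0.113.9", True),     # legitimate user on the allowlisted network
]


def run_sample(attempts=SAMPLE_ATTEMPTS):
    limiter = LoginLimiter(allowlist=["203.0.113.0/24"])
    return [(ip, limiter.attempt(ip, ok, t)) for t, ip, ok in attempts]


if __name__ == "__main__":
    for ip, result in run_sample():
        print(ip, result)
```

Note that a correct password submitted during the lockout is still refused; the attacker learns nothing from the response, which is the point of the limit.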
This is also one of the popular WP security plugins, downloaded by nearly 1 million people, and it offers features like renaming the WP login page, admin URL and so on.
Most hackers try a ton of different ways to log in to your website, and they also use techniques to find your login information through your login page, WP admin URL and so on.
This plugin helps you safely rename wp-login.php and closes access to the WordPress admin panel. The good thing is, it does not change the code of your site, does not rename files and does not make any changes to your server configuration.
You can do a ton of things, including hiding wp-login.php and wp-signup.php and blocking access to them, hiding the WP admin directory and blocking access to it, and it also allows you to rename the login URL easily.
This plugin performs security checks on your website to find out whether there are any security vulnerabilities within your site.
It also helps you prevent 0-day exploit attacks, optimize and speed up your databases, check whether WordPress core is up to date, check whether automatic WordPress core updates are enabled, check whether plugins are up to date and so on.
Above all, this plugin runs over 50 security tests instantly and discovers issues you didn’t even know existed, so you can easily tighten the security of your WordPress sites. All in all, it’s a time-saver plugin to safeguard your site from security threats.
Top 3 Most Secure WordPress Hosting Sites
One of the best and easiest ways to secure your WordPress sites is to invest in a secure web host. Yes, that’s plain and simple advice.
A couple of years ago, we were hosted on HostGator (it sucks security-wise, and its customer support is pathetic too) and our site got hacked. That’s when we moved to WPX hosting.
Although it’s a bit expensive compared to HostGator, we haven’t encountered any security issues so far. That’s why we highly recommend you invest in a secure web host.
Here are the top 3 most secure WordPress hosting sites for all kinds of budgets.
Let’s talk about each one of them so you can pick the best one that suits your budget and website needs to safeguard your WordPress site from all the hackers and malware attacks.
1. WPX Hosting
WPX hosting is the same web host we’re currently using at Bloggers Passion and we’re extremely satisfied with their security features and their cloud hosting is what gives you super fast website speeds.
Why you should use WPX hosting?
WPX hosting offers you “fixed for you” guarantee.
One of the major reasons to invest in a web host like WPX hosting is that it offers an incredible service called the “fixed for you” guarantee. For instance, if you run into any technical issue on your website, you can contact their Support Team and they will instantly fix the issue for you free of charge.
The good news is that their support system (live chat) is extremely fast and replies to your queries within 30 seconds (yes, you heard that right). Explain your problem and they will take care of it and fix your site free of charge.
How much does WPX hosting cost?
WPX hosting offers you 3 pricing plans which are listed below.
2. WPEngine
WPEngine provides “managed hosting for WordPress”, and that’s the reason why all the sites hosted on their platform load extremely fast. Not just that, WPEngine is known for providing bulletproof security to all the sites hosted on it.
Why you should use WPEngine hosting?
WPEngine hosting offers you a deep level scan.
If your website is affected by malware, WPEngine customer support team will perform a deep level scan and malware cleaning to help you get back up and running.
WPEngine also updates all the WordPress sites hosted on their platform automatically so you don’t need to worry about installing the latest version of WordPress on your site.
How much does WPEngine hosting cost?
There are 3 pricing plans offered by WP Engine which are listed below.
1. Startup plan: comes at $35 per month (you can save $70 by getting 2 months free with annual prepay) and includes:
2. Growth plan: This is the most recommended hosting plan from WPEngine, comes at $115 per month (you can save $230 by getting 2 months free with annual prepay) and includes:
3. Scale plan: This is the advanced hosting plan from WPEngine, which comes at $290 per month (you can save $580 by getting 2 months free with annual prepay) and includes:
So what are you still waiting for? Use the following link to sign up for WPEngine hosting.
3. SiteGround
The above-mentioned 2 web hosts are a bit expensive, as they cost you around $25 per month; if you’re on a tight budget but still want a highly secure web host for your WordPress sites, SiteGround is just for you (as the pricing starts at just $3.95/mo).
Why you should use SiteGround hosting?
SiteGround offers you SSH access and you can easily enable it from SiteGround control panel.
Basically, SSH (Secure Shell) is a network protocol that allows secure remote access over an encrypted connection. That way, you can easily manage all your website files and folders and do other things such as modifying their permissions, editing files directly on the server and so on.
SSH access also helps you prevent brute force attacks on your website, because they are often performed against the root user of a server. By making the root user inaccessible via SSH, you can easily prevent such attacks.
It also has an incredible uptime guarantee.
How much does SiteGround hosting cost?
SiteGround shared hosting offers 3 pricing options which are listed below.
Use the following link to save 70% on SiteGround hosting.
If you want to secure your WordPress sites from getting hacked, make sure to follow this 8-point WordPress security checklist, as it covers almost everything.
Let’s briefly talk about each point so you can understand it better and use this WordPress security checklist effectively.
Important note: Make sure to always backup your files before you update plugins, WordPress, themes etc. That way, if something horrible happens, you can always restore them without losing any data or content on your blog.
1. Update WordPress regularly: Every now and then, WordPress releases new updates which fix common security threats and other issues. So it’s always better to update to the latest WordPress version.
There are a few web hosts, like WPX hosting, WPEngine etc., which update your website whenever a new version of WordPress is released (so you don’t have to worry about updating manually). Or you can simply pick WordPress-optimized hosting from web hosts like Bluehost to get automatic WordPress updates.
2. Update your themes and plugins: Most of us use a lot of themes and plugins on our WordPress sites, and many of them get updated regularly. It’s always better to update to their latest versions, as most of these updates fix bugs and security threats.
3. Take regular backups of your website: There are a lot of backup plugins available for WordPress, such as VaultPress (the premium backup plugin that we’re using at Bloggers Passion) or BackupBuddy, which can easily help you take regular backups of your site.
That way, if you accidentally lose any data, you can easily recover all your files. There are web hosts like WPX, SiteGround and WPEngine that take regular backups, so you might want to consider them if you want regular backups for free.
4. Limit login attempts for login protection: Most of the attacks on WordPress sites happen due to weak passwords as hackers try to guess your passwords (or use tools to guess your passwords) to login to your site.
That’s why limiting the login attempts from the WP login panel gives you extra security, as it limits how far a brute force attack can get. You can easily do this by installing one of the security plugins already mentioned above.
5. Install a security plugin: We’ve already discussed the 10 best WordPress security plugins above (in case you missed it, read that section again); pick 1 or 2 of the best plugins among them to secure your WordPress sites from hackers.
6. Create a custom WordPress login URL: Don’t use the default WordPress login URL.
We all know that, by default, WordPress sites all use identical URL structures for this page. If your website’s domain is www.example.com, for instance, you can log in by visiting www.example.com/wp-login.php or www.example.com/wp-admin.
But it’s the easiest way to let hackers attack your login, since you’re using the default login URL; instead, use plugins like WPX hide login to easily change your login URL to anything of your choice.
7. Move your WordPress site to HTTPS: The HTTPS version encrypts sensitive information that’s transferred between the browser and the hosting servers.
You need to install an SSL certificate if you want to move your WordPress site from HTTP to secure HTTPS. A few web hosts, like WPX hosting, SiteGround, Bluehost etc., provide SSL certificates free of charge.
Or you can simply use a service like Cloudflare to get a free SSL certificate. Not only will you be able to move your site from HTTP to HTTPS with Cloudflare’s free CDN, but it also increases your website performance and loading speed.
8. Use a secure web host: We’ve already talked about the 3 highly secure web hosts for WordPress, including WP Engine, WPX hosting and SiteGround. By using these secure web hosts, you can definitely improve the overall security of your WordPress sites, as they take security precautions like frequent network monitoring, SSH access, malware protection etc.
Stay Safe from Most Common WordPress Security Threats
WordPress has its own security threats and vulnerabilities which include the following.
If you want to safeguard your WordPress from hackers, you need to keep an eye on fixing the above WordPress security threats. So let’s talk briefly about these WordPress vulnerabilities to keep your WordPress site safe in 2019 and beyond.
Denial of Service
A denial-of-service (DoS, or distributed DDoS) attack is one of the most common cyber attacks performed by hackers against a site, in which the attackers attempt to prevent legitimate users from accessing the service.
Here’s how it looks:
The hackers usually send a ton of random messages asking the network or server to authenticate requests that have invalid return addresses. That way, they overwhelm your site.
The best way to prevent such attacks is to put a firewall around your site; you can go through our best security plugins section (mentioned above) to easily create firewalls using a few plugins.
Malicious redirects simply mean that hackers or attackers get access to your website and change your pages to redirect to other websites (that they own or endorse). That way, you’re not only losing your traffic but also sales, if those attacks are done on any sales pages on your site.
In fact, we faced this issue over 3 years ago when our blog Bloggers Passion was hosted on HostGator. Their customer support team couldn’t help us in any way, and that’s when we migrated to WPX hosting, and they resolved this malicious redirects issue within a day.
The best way to deal with this issue (or prevent malicious redirects from happening on your website) is to set up a firewall and check for malware regularly. You can also use web hosts like WPX hosting so this kind of issue won’t even occur.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a type of security vulnerability where attackers inject client-side scripts into web pages, and it is mostly found in web apps and plugins.
The best way to deal with this issue is to set up a firewall, install anti-virus software on your PC (or laptop) and secure your databases.
Brute-force Login Attempts
A brute force attack is a trial-and-error method and one of the most popular password-cracking methods used to gain access to your WordPress website.
Whether you know it or not, around 80% of confirmed data breaches are due to weak or stolen passwords. That’s the reason why you always need to make sure your WordPress login passwords are really strong and hard to guess.
The best way to prevent such brute force login attempts is to limit “invalid login” attempts and use stronger passwords. Regularly change your login passwords for extra security.
3 More Essential Things We Did at BloggersPassion After The Security Attack
Here are the most important things we did at Bloggers Passion to secure it from hackers.
1. We ditched HostGator and moved to WPX hosting
HostGator hosting sucks. They don’t value their customers when the help is most needed. They are also least bothered about providing security to the sites that are hosted on their servers. If you are someone who is looking for reliable hosting that is secured, don’t even think about HostGator.
We moved to and they are amazing. They are also providing full security to the sites along with the daily backups. We highly recommend you to check out their hosting plans if you want a secured, fast and reliable hosting service.
2. We started using VaultPress
The reason for using VaultPress is that it is hands down one of the best tools for taking backups and securing your WordPress site from hackers.
If you are using VaultPress, you are safe from hackers, host failures, viruses, user errors, malware attacks and exploits. It’s so useful for taking real-time backups and also for automated security scanning.
3. Give Sucuri a Try
Sucuri is a great platform for securing your WordPress sites from all kinds of attacks. When BloggersPassion was under security attack, so many guys recommended it.
So if you are looking for a tool that gives you peace of mind against various WordPress attacks, give Sucuri a try. They are the #1 security team to protect your sites from hackers, malware, blacklists, DDoS attacks etc.
FAQs About WordPress Security In 2019
Here are a few important questions around WordPress security to secure your websites in 2019 and beyond.
1. What are the most common WordPress security issues?
Although a ton of security vulnerabilities affect the majority of WordPress sites, the following are the most common WordPress security issues.
2. What are the best WordPress security tips and tricks for 2019?
Here are 3 quick WordPress security tips and tricks that you can use in 2019.
Here are a few easy yet most effective ways to secure a WordPress blog in 2019.
4. What’s the best security plugin for WordPress?
We already have mentioned 10 of the best WordPress security plugins in the same post (make sure to check out all of them). If you’re still curious, here are the top 3 security plugins you can consider.
5. How to perform WordPress security scans to find WordPress vulnerabilities?
The good thing about using WordPress is that it offers you a few excellent plugins to easily scan your WordPress sites and find out whether there are any vulnerabilities. Here are a few WordPress vulnerability scanners for performing WordPress security scans in 2019.
Final thoughts on securing your WordPress site from hackers
Each WordPress security attack is different. Hackers can gain access to your sites in various ways, like password guessing, inserting malicious code into your files, brute force attacks etc.
So you must always be ready for these attacks to secure your WordPress sites from hackers or intruders. You never know who is going to hack or crack your website files.
Taking backups, keeping your websites safe from malicious code, and installing the most essential security tools like BulletProof Security and iThemes Security can save you a lot of time, money and effort. NEVER take your WordPress security lightly, as prevention is always better than cure.
So make sure to implement the WordPress security tips mentioned in this guide to harden the security of your WordPress sites.