How To START Securing Your WordPress Site

Updated March 04, 2019 at 16:28 ET.
Minor revisions.
Updated December 09, 2016 at 22:28 ET.
Published December 09, 2016 at 16:02 ET.

If you’re reading this blog, you’re reading a WordPress based site.  WordPress is one of the most popular content management systems, and powers over 18% of all sites on the internet.  ( Source )  Perhaps you run a WordPress site yourself.  If you do, then you need to read this article.

This is about WordPress security.  I’m referring primarily to self hosted sites using software from rather than sites hosted at .  (By the way, says WordPress powers 27% of the internet.)

The security plugin I use on my site is Wordfence.  A tech support representative over at Wordfence suggested I write a review during one of our interactions.  He did not say what to put in it, and these are my honest feelings about the product.  I was not compensated for the review.  I decided to expand it and also make it an article about how to secure your WordPress site.

I’ve been running a WordPress based blog for several years.  Over time, I’ve learned a number of things that I didn’t want to know.  One of these is that, if you run a WordPress site, you must … MUST … MUST!!! have security.  The Wordfence security plugin is one of the best options out there.  It’s the only one I’ve tried and I like it very much.

Here’s the deal.

Just a minute ago, I chose a day at random from a few days ago and looked at the Live Traffic display on my blog on my Wordfence control panel (a Wordfence feature).  This shows what IP addresses have been hitting the blog and what URL’s they’re requesting.  On that day, there were about 200 hits excluding the GoogleBot.

The OVERWHELMING number of hits to the blog are attempted attacks!  Most of the rest are search engines.  (Maybe I need to write more and market better.  8-)  )  If you have a WordPress site … YOU will be under attack too, whether you know it or not.

Here’s what I found in the logs.  This is a real geography lesson.

BAD Locations trying to attack me (there may be good queries from these too): Philippines, Ukraine, Malaysia, India, USA, Tobago, Algeria, Bulgaria, Romania, Vietnam, Latvia, Uruguay, unknown, Dominican Republic, Tunisia, Morocco, Venezuela, France.

GOOD Locations sending legitimate queries (there may be bad queries from these too) (includes search engines): China, France, USA.

And, this is just a review of the logs for one day.  My site is REALLY popular … with the AttackBots and malicious Hackers.  Many of those attacks are probably coming from other compromised WordPress sites or IOT (Internet Of Things) things but there’s no way to tell.

Need more proof?

Google search for (hacked or compromised) WordPress sites

Google search for (hacked or compromised) iot things

Here’s an article from my site on IOT security.  A WordPress site is not an IOT thing per se but the principles of attack and compromise and corruption of the site are similar.  Once compromised, your IOT thing or website would be used to attack and terrorize other people.

You should care about IOT security

Bruce Schneier Security Blog

Brian Krebs Security Blog

Here’s what you can do to START securing your WordPress site.

01) Use LastPass or something similar to generate a really long password, say 50 plus characters, for your website for administration.  Do this RIGHT and make sure you have the password saved in LastPass and somewhere else before installing it or you could lock yourself out of your site.  Yes, this is ridiculously long, but nobody will guess it!  And NO … you can’t remember it. You must use a password manager.

02) Install Google Authenticator or something similar on 2 of your devices.  I use my tablets.

03) Install Wordfence on your site.  Make sure you set up the administrative email address so the site can send you notifications.  Test this email.  Make sure messages don’t end up in your junk or spam folder.  GMail is notorious for filtering out messages that IT thinks you shouldn’t see.  Make sure you get them.

04) Upgrade to Wordfence premium.  It’s totally worth the minimal cost.  You get live threat updates, premium support, extra features, and you help fund further product improvements and security research and development.

05) Learn to use the 2FA (2nd factor authentication) features of Wordfence.  They call it cell phone sign-in.  I don’t recommend cell phone text messages for authentication.  They’re not secure.  But, you can use Google Authenticator or similar.  This way, you append a 6 digit changing code to your login credentials.  Install your blog credentials on Google Authenticator on both of your devices at the same time.  If you lose one, you’ll have the other.

06) Scan your site and fix any problems.  Observe the results of scans periodically.

07) Use the Live Traffic feature to see what’s hitting your site.  Check this periodically – say every week.  It may help to only look at one day at a time.

08) Learn to use Country Blocking and use if appropriate.  You have to decide this.

09) Reduce the page access throttling limits if applicable.  See the help file.  I’ve noted that attackers try to hit the site quickly with lots of page accesses, usually for plugins I don’t have, trying to find a weakness.

10) Learn to use the other options in the Wordfence setup.  Click the help icon beside each to find out what it does.

11) Learn to use the Wordfence support ticket system to ask questions when needed.  The staff there are excellent and willing to help.

12) Join the Wordfence mailing list to receive email updates of important security news.

13) Minimize plugin and theme use to the absolute minimum.  Every extra thing you have enabled is a potential attack vector.  Install updates as soon as they come out.

14) Use a hosting provider that provides safe mode or something similar. offers this.  This means they configure and maintain your server including WordPress upgrades and underlying server configuration.  You maintain WordPress and Plugin and Theme updates and configuration.  Do yourself a favor and PAY a nominal fee to get good hosting and support.  Sometimes, free things are the most expensive.

15) PAY a little extra if needed to get an SSL / TLS certificate so you can run your site with https encryption.  Then, use the Force SSL plugin or similar to run your site in https mode at all times.  This encrypts traffic between the user and your site.  This also protects you when you’re administering the site since your login and admin traffic will also be encrypted.  When you login to your site, use https:// in the address bar right from the start.  Preferably, your password manager or the login link on the main page should already do that for you.

If you have full control over your server configuration, might be an option for you to get a free SSL / TLS certificate and use it.  They’re turning to crowd funding to cover operational costs, so who knows how long they’ll stay free or financially stable.  If you’re running the server in safe mode from your ISP, you may not have a choice of using this option.  You may have to get the certificate from the ISP and probably pay for it.

16) You may want to consider other plugins such as these: Disable REST API and Disable XML-RPC to help prevent automated attacks on your site.  This may also prevent automated use of the site, such as blogging from your smart phone.  I always use the web interface to interact with my site, so I don’t need those features.  XML-RPC in particular allows an attacker to quickly try huge numbers of passwords to try to break into your site.  On the Wordfence blog, they point out that there are pros and cons to doing this.  They also point out that their plugin already limits login attempts. Do your homework and understand what you’re doing before implementing these procedures.

17) Hopefully, your site won’t be compromised.  But, if it is, I would wholeheartedly recommend hiring the experts at Wordfence to clean it for you.  That’s what I would do.

The moral of the story is: Yes I strongly recommend Wordfence.  Yes you must actively be conscious of and actively involved in the security of your site.  Yes you WILL be under attack whether you know it or not.

You can get more info about Wordfence at: