How to boost your WordPress site security for free

Olga K. | September 22, 2021
12 mins

WordPress is the most popular content management system available in the world. According to W3Techs, WordPress has a commanding 65.2% market share as of August 2021, making it the undisputed king of the CMS marketplace today.

As a result of its popularity, WordPress sites are one of the biggest targets for hackers. They can use one single successful exploit to turn into multiple lucrative site breaches. And the scope is massive- according to data available, up to 90,000 attacks occur per minute. This may be an underestimate too because SiteLock has reported that the average small-to-medium business website is attacked 44 times per day.

To keep their sites safe, WordPress site owners and operators have to do everything in their power to keep their sites up to date and free of security weaknesses. And that's no small undertaking. To help, here is a six-step action plan for WordPress site owners and operators to secure their sites.

Step 1: Upgrade to the latest WordPress version

The developers of the WordPress platform do an excellent job of identifying vulnerabilities in their code and fixing them. And yet, vulnerabilities in WordPress installations persist. This is because site owners fail to apply updates promptly, leaving them open to preventable attacks.

The data around this is stark. The latest surveys indicate that as many as 70% of current WordPress websites are running versions with known vulnerabilities. And the majority of those sites' owners cite the same two reasons for their inaction. They either don't have the technical proficiency required to complete an upgrade, or their sites rely on plugins that won't work with newer versions of WordPress.

If you’re the first type and not well-versed in web development yet, here are some simple ways to keep your WordPress up-to-date.

Once a new WordPress version is available, a notification will pop up prompting you to upgrade:

Although, usually it’s perfectly fine to hit that button right away, making a complete site backup first could save you a lot of trouble in future. As mentioned above, your third-party plugins and all the customization you’ve done might not be compatible with the core engine. Which can result in errors or broken design.

Luckily, preparing a full WordPress backup is quite easy. Some hosting providers allow you to create your website copy with just one click. This is a great feature since you have all your backups in one place and can restore them or download the files in the blink of an eye. 

In case you don’t have that option, there’s a variety of WordPress backup plugins to save your day. One of the most popular solutions, with over three million active users, is Updraftplus. While the plugin has both free and paid versions, in most cases, the basic features should do the trick for you. 

All in all, security vulnerabilities can cost your business a reputation and a great deal of revenue. So it makes sense to hire professional help if necessary to perform an upgrade and to transition away from legacy plugins that won't work. Even if it costs some money in the short term, the risk reduction is more than worth it.

While there are products and practices identified here that can protect your identity in the event of an attack, they serve as reactive vs proactive. From the very beginning, as you choose your brand name and domain, security must be a priority.  When purchasing a new domain, it’s important to protect against identity fraud with Whois protection & private domain registration from a reputable company. 

Step 2: Upgrade to the latest available PHP version and reduce PHP vulnerability

Even if you're using the latest version of WordPress, your site may still be vulnerable to attack using flaws in the underlying programming language that the platform uses – PHP. That's why it's important to make certain that your hosting provider offers the most recent PHP version on their servers, and that your site is configured to use it. And if your hosting provider uses an outdated PHP version, you should migrate your site to one that doesn't.

To check what PHP version you’re running, go to Tools > Site Health in your WordPress dashboard and look for the Server tab. Simply click on it to expand a section containing all the necessary server information including your current PHP version:

At a minimum, you should be using PHP version 7.4. But if a newer version is available, always upgrade. And then, you should make a few changes to your site's configuration to defend it against some of the more common PHP-related attacks. First, you'll want to disable PHP execution in folders that don't require it. Doing so requires you to create and upload a simple text document to a few folders in your site's storage directories.

And next, you should instruct WordPress not to display PHP errors. This prevents an attacker from probing your site for certain types of PHP vulnerabilities that could lead to a successful attack. Turning errors off is a simple matter of editing the site's wp-config.php file. It's a simple change that will make it far harder for attackers to discover any security flaws you have yet to fix.

Step 3: Weed out unused plugins and keep the remaining ones updated

One of the biggest benefits of using WordPress is that it's so easy to add functionality through the use of plugins. And at the time of this writing, there were over 58,000 free plugins available through the official WordPress plugin directory. And the types of features they support are almost endless. You can use a plugin to turn WordPress into a fully functional eCommerce store, a gaming portal filled with addictive games like FreeCell and Mahjong, or a hotel booking portal. You can even add a plugin that improves your site's SEO performance at the click of a button.

But that flexibility comes with a cost. It's that every plugin you add to a site increases the site's complexity and adds additional code that could be vulnerable to attack. So the third step in the security action plan is to go through your site's installed plugins and remove anything the site no longer requires to function.

For example, go to Plugins in your WordPress dashboard and then click the Inactive filter above. This will list all the plugins on your website that are currently disabled. Now, it might not necessarily mean you should dispose of them right away. But it’s a good place to start your cleanup. 

Other possible disqualifying factors:

  • You have several plugins for the same purpose but use only one of them; 
  • Plugins that are no longer supported by developers;

But don't stop there. You should also look for plugins that have duplicate functionality or that may have simpler alternatives. The bottom line is that every plugin you manage to remove or replace will improve the site's security substantially. And when you pare down your plugins to just what's needed, make sure that everything remaining is updated to its most recent version.

Step 4: Turn on 2FA and consider a physical security key

Although code vulnerabilities are a major threat to WordPress websites, they're not the only ones. There's a much bigger threat that affects all WordPress websites and that leads to the majority of successful attacks: vulnerable passwords.

Some quick tips on how to manage your passwords:

  • Don’t use the same password for all your accounts;
  • Avoid using information in your password that’s publicly accessible (your birthday, pet’s name, etc.);
  • Passwords longer than 16 characters are usually more secure. Turn it into a phrase that’s also be easy to remember;
  • Change it up. Use both lower and upper cases, add numbers, special characters or even spaces. 

Weak passwords are a major reason why the rate of attacks on WordPress sites and hosting providers is so high – they're mostly the result of ongoing brute-force password hack attempts.

A brute-force hack involves the use of automation to keep guessing at a site's account passwords until the attacker hits upon one that works. And because they don't have to execute such attacks by hand, they can target multiple sites at once to increase their odds of success. They can just sit back and relax while their computer does all the work. But there's a simple way for site owners to thwart brute-force attacks. They can turn on two-factor authentication (2FA), or better yet, turn to physical security keys to enhance their site security.

In case you’re not familiar with the term 2FA, here’s a quick breakdown. In a nutshell, this security method adds a second layer of protection to your account in addition to passwords. Instead of just typing in your credentials, you also need to verify logins via your mobile device.

WordPress features 2FA support on all recent versions, and every site owner should use it for added protection. It makes a successful brute-force attack almost impossible because authentication isn't tied solely to passwords any longer. But because hackers can bypass or overcome certain types of 2FA configurations, an even better solution is to turn to physical hardware keys. These small, inexpensive devices rely on complex cryptography to replace passwords, and can all but eliminate any chance of an account-related site breach.

Step 5: Reduce account permission levels wherever possible

Even with 2FA or security keys in place, there is always the chance that an unknown code vulnerability might allow an attacker to access a protected account. So, the next step in the security action plan is to try and reduce the odds that an attacker will gain access to an account that can do significant damage. And this means reviewing the permissions granted to every account with access to your WordPress site.

By default, WordPress offers you 5 user roles: 

  1. Administrator has control over the whole website, from installing and removing plugins and themes to creating and deleting users of all levels. 
  2. Editor can only manage the content of your website, like publishing or deleting posts or handling comments. 
  3. Author’s role is similar to the Editor’s but their rights are limited to their own content.
  4. Contributors can create content but don’t have the rights to publish it. 
  5. Subscriber’s role is the most limited one. They can only manage their own account info and don’t have access to other parts of the admin area. 

Generally speaking, the best security posture permissions-wise is to keep super administrator and administrator accounts to a minimum – no more than two of each, and fewer if possible. Since those types of accounts represent the greatest potential for harm, the fewer of them you have, the safer your site will be. And although lower-level accounts like editors, authors, or contributors do have the right to make certain changes, they can't make system-wide changes and aren't as much of a threat.

That said, it's important to only grant users the minimum amount of permissions needed for their role. So if you've granted editor access to anyone that doesn't need it, reduce their access level. And if you have user accounts that are no longer necessary, the faster you get rid of them the better. Disused accounts can represent a threat that goes unnoticed until it's too late, so proper ongoing account maintenance is essential.

Step 6: Remove access to the WordPress theme and plugin editor

The final step in the WordPress security action plan is to turn off access to the built-in WordPress theme and plugin editor. It's a change that will offer a last line of defense to slow down anyone that's gotten unauthorized access to your site in their efforts to deface pages or install malicious code. And again, you can do this by making some simple additions to your site's wp-config.php file.

The change makes it harder for anyone that's gotten access to your site's administrative interface to do any serious harm because it removes their ability to alter core site files. After you make this change, the only way to access those files will be to use your hosting provider account to gain direct access to them. And since you can make sure your WordPress administrator account and your hosting accounts feature different usernames and passwords, this is a remarkably effective security measure.

To be clear, however, there are other ways an attacker with access to your administrator control panel can damage your site. But most of their remaining options will be visible – offering you a chance to detect their presence and take steps to re-secure your site. As long as you've made sure to keep complete backups of your site's configuration and contents, you should never end up more than a restore away from getting your WordPress site back to normal.

The bottom line

With the number of WordPress websites out there and the number of attacks they face each day, anything you can do to improve your site's security is worth doing. And just as a car with an obvious security system makes a much less inviting target for car thieves, these six security measures will increase the chances that an attacker will move on to a more vulnerable target.

But remember, they're only as effective as your dedication to maintaining your site. So devise a plan to keep everything up-to-date. If you want to make sure you cover every aspect, you can always refer to our guide on WordPress security.

It’s also a good idea to remove disused plugins and user accounts as often as possible. Then you can enjoy the many benefits of your WordPress website and rest a little easier in the knowledge that it's safe from harm.


Picture of Olga K.

Olga K.

More content by Olga K.

Security & Privacy

For more protection

From must-have tools to best practices, this is everything you need to secure your site.

See more
Join Our Newsletter

Stay inspired

Get all the latest offers, articles, and industry news straight to your mailbox every month.

Need help? We're always here for you.