• United States



Top tools and best practices for WordPress security

Mar 16, 20229 mins
Internet SecuritySecurity

Poorly secured WordPress websites are a favorite hacker target. Use these tools and advice to keep them out.

If you run a WordPress website, you need to get serious about keeping it as secure as possible. WordPress continues to be a widespread target for hackers. Last November, more than a million GoDaddy-managed WordPress customers were part of a breach that could have exposed their email addresses, private SSL keys, and admin passwords. The attacker was apparently able to operate undetected inside the company’s networks for two months.

In February, Ukrainian university WordPress websites were attacked as the Russian invasion began. Another attack on a WordPress server redirected traffic to malicious websites where visitors would receive malware. Going back in time, a botnet used compromised WordPress servers to attack others in 2018 and another series of attacks in 2019.

These recommendations and tools can put you in the best position to avoid this fate.

Why attackers target WordPress

WordPress is popular, perhaps the most popular content/blogging software in use today. The folks at W3techs say it is used by two-thirds of the blogging sites that they can analyze. This popularity also makes it worthwhile for hackers, too.

WordPress owners don’t always upgrade to the most recent versions. Some are even behind by several major releases. (The most current release is v.5.9.1.) This makes it easier for hackers to locate the most vulnerable sites and launch attacks on them. Keeping up is a challenge because the software is updated frequently. Because of this administrative burden, most organizations are better served by hosting their sites with a managed WordPress hosting service. These services will generally update you to new versions of WordPress and its underlying software as they become available, but you should confirm their policies. They also typically provide backup facilities and may have other security features.

You can run WordPress on your own in-house server. Doing so gives you lots of control, but you need the right collection of skills and infrastructure to be successful. If you already have that infrastructure supporting other websites, in-house could be the way to go, but it imposes a responsibility that you should recognize.

WordPress runs PHP scripts, which have had their own problems over the years. IT managers should nip this issue in the bud by making sure their version of PHP is current. WordPress itself has provided this handy list of suggestions on how to check your version and upgrade it safely. This dependence is perhaps the biggest security weakness of WordPress, so periodically check and see what PHP version your site is using.

WordPress has a lot of other moving parts. In addition to the underlying PHP engine, most WordPress sites run plugin tools and use themes to enhance their appearance and add functionality. Ensuring that these plugins are free of infections or, worse yet, aren’t stalking horses for malware isn’t an easy task. Some have been exploited over the years, such as Form Lightbox, Appointments, RegistrationMagic-Custom Registration Forms, WooCommerceWP No External Links, and Flickr Gallery.

An extreme example of this is a plugin that had good intentions to help with enforcing GDPR compliance. However, it contained two privilege-escalation bugs that granted admin access to the entire WordPress site. The problems were eventually found and fixed in v.1.4.3 of the plugin. This brings up an important point. Not every plugin or theme developer will pay attention to code security.

Many WordPress administrators are novices when it comes to IT operations in general and security specifically, and attackers know that it is easy to set up an insecure WordPress site. Consider this phishing campaign seen in 2018 that targeted WordPress admins. The message stated that the “WordPress DataBase [sic] Upgrade” was required, and many people fell for the lure. At one DefCon conference, hackers were able to locate a fresh new WordPress site within 30 minutes of going online. This attack, named WPSetup, exploited transparency in the issuance of new SSL certificates.

Choosing a WordPress security software vendor

Several vendors specialize in securing WordPress sites using the plugin architecture. You can find these security plugins on the WordPress website, where you can see if the tool has been tested with the latest version of WordPress, the last time the plugin was updated, and the number of users who have downloaded and are using the software. Most of these tools will send you regular email reports about the status of your WordPress security when the volume of attacks increases from a single IP source and other potential issues.

Before you settle on a particular tool, make sure you understand the implications of these reports, along with how to use its configuration pages on the main WordPress dashboard page, where you can control their behavior and show you a summary of your site security status. While you don’t strictly need any of these tools to make your site more secure, you will be much better off using one.


Wordfence comes in both free and paid ($100 per year) versions, and at more than 4 million downloads, it is the most popular tool. The free version is fine for most small businesses. It comes with its own WordPress firewall that covers login security, IP blocking, and security scans for malware. The premium version offers real-time updates for IP blacklists, malware signatures, and firewall rules, as well as two-factor authentication (2FA) and country blocking. It has been tested to v.5.9.1.

IThemes Security

Formerly Better WP Security, IThemes Security has more than a million downloads and includes 2FA and support for v5 of WordPress. It comes in free and paid versions (starting at $50 per year for a single site). Premium features include password generation and policy settings, online file comparison, user action logging, and malware scan scheduling. It has been tested to v.5.8.3.

All-in-One WP Security

Arsenal21’s All-in-One WP Security also has more than a million downloads. One notable and worthwhile feature is automatically changing the admin account to another name. It is free and open source. Key features include vulnerability scanning, implementation and enforcement of WordPress security practices, and a security scorecard for your WordPress site. It has been tested to v.5.9.1.

Sucuri Scanner

Sucuri’s Scanner also comes in both free and paid versions. It has malware scanning, blacklist monitoring, and (for a fee) its own WordPress firewall. More than 900,000 sites have downloaded Sucuri, and plans start at $200 per year for each site. It has been tested to v.5.9.1.

Two tools to steer clear of are Comodo’s free scanner and Jetpack. The former is just a lure to obtain your email address and then sell you consulting services. The latter is made by the company that runs, but its protection is less robust than the four products highlighted above.

WordPress security best practices

Before we get into best practices, let’s mention one of the worst: how WordPress administrators choose their admin authentication details. One of the best things you can do is change your account name from “admin” to something else, like a random string of letters. Many WordPress brute-force attacks begin by trying this account name and guessing your password from dark web clues.

This beginner’s guide covers other basic security steps, such as limiting login attempts, making specific directories read-only, and disabling directory browsing. Another suggestion: while you are setting up your server for the first time, use the .htaccess file to restrict access to your WordPress site to just your own IP address. Remember to remove this restriction when you finish setup or nobody else will be able to view the site and you could get locked out when your ISP gives you a new address.

Harden your logins with multifactor authentication (MFA). Several plugin vendors offer MFA as a feature, including the free version of Defender and the paid version of iThemes. The free versions of many of these are quite adequate for smaller installations. 

Reduce the overall number of plugins. When I first put up my WordPress server, I went plugin crazy, installing more than a dozen of them to do various things. Now I realize the error of my ways, and the most secure server has the minimum number of plugins. Resist the temptation to add all sorts of plugins that will compromise your security.

Updating a site with numerous plugins can be challenging because many plugins and themes can break with the new software. (This was an issue for the latest major update to v.5, for example.) So, when you plan an update, consider other software running on your site. Of course, you also need to keep all your add-on software updated, too.

While you are picking a theme for your site, make sure you only download those themes and plugins from trusted sources. Simply put, do what you can to decrease your attack surface. One plugin you should use is the anti-comment spam tool Akismet, which does a good job at screening trolls and identifying potential phishers.

Keep your WordPress themes up to date. WordPress themes, which define the site’s visual style, are code and so have security implications. Updates to themes sometimes include fixes to security problems in them, so you should make sure to apply them. Better still, you can set themes to auto-update, although you have to do this manually for each theme you install, even if it’s not active.

Enable SSL/HTTPS access to your site to encrypt communications. Make sure your hosting provider supports this and provides you with an SSL certificate. Make sure to keep it updated, or your users will get disturbing browser error messages on your site.

Make regular backups of your site’s content. One of the more vexing problems is how best to back up your site. WordPress has a simple export function to create an XML file that you should store offline, and you can automate this process with appropriate PHP scripts if you have that expertise. Some hosting providers offer automated backups as part of their managed plans. Or you can do it manually, with regular calendar reminders. Another option is to use one of’s free plans and import your content as a backup. In addition to having an off-site backup, it could also be useful if only to see the new WordPress features when they roll out their updates.

Stay current with WordPress-security specific sources such as Plugin Vulnerabilities and Wordfence’s own blog. Both post frequently about exploits and zero-day attacks that their own instrumentation networks have uncovered. What’s more, a recent semi-automated tool developed by researcher Krzysztof Zajac can scan various weak areas for potential issues.