How to improve security of a wordpress site?

dimensionav used Ask the Experts™
I had this question after viewing How to restore a wordpress site?.

Considering the related question, I would like to know how to improve the security with wordpress sites, we have had alot of malware and hacking attacks, maybe what we need isn't just an isolated solution but an strategy made by many aspects.

Thanks in advance.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2011
Top Expert 2016
I think your instincts are right about considering security "strategies" instead of treating it as a one-time thing.  Threats are always evolving, and a general awareness is important.

For a good organization that you might want to join and support, consider OWASP:

WordPress is written in PHP, and PHP has its own security manual:

WordPress Specific:

Good hosting is important, too.  These are the pros:
I have found (to my downfall)   the best thing is to take regular automated backups as hackers will always find a way in.   then when it happens you can simply restore the last backup.

for Wordpress the number one thing is to keep everything updated (wordpress, plugins, php etc..)
there is a list here:

then use a paid for security enhancement for Wordpress such as WordFence
and talk to your Hosting company about what security they offer in terms of hardening the OS and server
Most Valuable Expert 2011
Top Expert 2016

+1 for @chilternPC recommendation of Hongkiat.  Much good advice there.
Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

btanExec Consultant
Distinguished Expert 2018
Indeed reatoration with backup tested is critical as recent ramsomware such as ctb locker has even locked website demanding ransom prior to any form of access. It need to
-reinforce on fundamental hardening to start off
-build the layer of site defences
-maintain continuous oversight and regime for security testing
-enforce strict timely patch management of the sites used software and dependencies.

Vulnerable CMS and plugin in Wordpress are low hanging fruits for attck and invites easy penetration to exploit the vulnerability. So be kept informed on the updates and received timely alert via email or means to monitor the latest release for all plugin.

Have a web application firewall to form that extra layer of hurdle that attacker need to overcome before they hit on the actual gap ib the site due to insecure coding or unpatched plugin in. It also buy some time for site upgrade to change any necessary codes or upgrades.

Consider the OWASP guidelines for virtual patching. But pls still fix the codes etc.

Also as mentioned to strike off the low hanging fruit, focus minimally to make sure the necessary input validation done to prevent SQLi, XSS, Clickjacking, CSRF..See the OWASP top 10 vulnerabilities.

There is also WPfence which is worth considering and they have been active on the securing the wordpress as main core outcome..see the checklist recommended.

Separately have surcuri sitecheck to maintain the site posture to actively discovered any potential holes in the fact, they can even help you to monitor and may be good to prevent possible defacement..

There are more like data leakage prevention to work with web appl FW, audit trails to monitor etc but I should say to focus on a/m to ascertain the baseline before delving too deep and getting small wins first instead of a big bang revamp...
Jason C. LevineDon't talk to me.

All of the above is fantastic advice and if you really want to spend a lot of time and effort learning this stuff, you will greatly enhance your employment prospects as well as expertly securing your sites.

However, if it all looks and sounds like technobabble, then you need to take slightly different steps to secure your site from the hosting forward. In this case, you will want to move your site to a company that specializes is WordPress hosting and also handles your security, backups, and restores for you. The best known of the bunch is currently WPEngine and they will take responsibility for your security, backups, site speed, and more.  There are others, so do your research.
btanExec Consultant
Distinguished Expert 2018

Agree with all good sharing. The objective is to help customer or end user appreciate the real 'needs' compared to the 'wants'.

For the internal for the site (more of housekeeping diligence), focus on the hosting and secure coding to set the baseline for getting the first time right on what the service and vendor providers should do. Those checks serves as expected outcome as part of the security acceptances. Even if the codes are from inhouse team, there should be some form of development practices for defensive coding. The hardening of the server and application is the must have and already to be part of baseline.

For the perimeter for the site (more of external front end "fight" to settle before reaching internal), focus on the aspect of considering services like cloudflare, akamai on a ddos. protection standpoint which also covers the WAF shared earlier. Such service does not change anything at backend codes though there may be some tuning expected to be done for the false positives.
Jophiel SilvestroneCEO/ Web Developer
The Securi plugin: is one of the best sandboxes for preventing any threats getting into your WordPress site. Also, WordFence is pretty good as well:

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial