Wordpress security

How To Secure WordPress?

Updated: June 9, 2020 by Agnes Talalaev

In this article, we won’t dive into technical details, but try to address a common misconception instead. We will explain what website security is in general and how to secure WordPress.

As per calculations, approximately 380 new websites are created every minute. However, the actual number of new websites being created every day is probably a little more than 500 000. In a perfect world, security should be kept in mind from the beginning of the development process, but this, unfortunately, is always not the case.

Unfortunately, people usually get acquainted with website security when a website is experiencing an attack which results in being defaced, stuffed with SEO spam, being blacklisted, or spreading malware.

There are hundreds of WordPress security providers out there who all claim their plugin to be “the best”, “most complete” and the “only thing you need”. We understand the marketing efforts, but there are concerns in this kind of message.

Why is WordPress security important?

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target.

Whether it’s your customers’ data such as emails, shipping details, and credentials or just the server resources (processing power and storage), it’s all something that hackers can monetize or use for their own good.

WordPress security how to secure wordpress
How to secure WordPress – WebARX blog

It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. Your website will be scanned on a daily basis for vulnerabilities and outdated software, configuration errors and it will most definitely be actively brute-forced.

how to secure wordpress
Screenshot from the WebARX dashboard. Blocked brute-force attacks.

Even if you don’t keep any visitor data such as emails, your website is still perfect for conducting a watering hole attack or to just host malware and redirect traffic to malicious sources.

WordPress security is not plug-and-play

WordPress security cannot be plug-and-play. Never trust services that promise 100% security, because security is a process and should be considered more like continuous risk management.

Paying a company so that you don’t have to worry or think about security creates opposite results in the long term.

WordPress security how to secure wordpress
How to secure WordPress – WebARX blog

Why using multiple security plugins is not a good idea?

When it comes to WordPress security (or any other CMS) site security, the owners and developers load their sites with multiple security plugins, because the more is better right? Unfortunately, this can cause more harm than good.

WordPress security plugins also need to be updated, and they too can have vulnerabilities. (e.q WordFence XSS vulnerability). Security plugins, especially the ones that connect the site with a web application firewall or some simpler filtering engine can create conflicts and the traffic might not be properly monitored and filtered.

how to secure wordpress
How to secure WordPress – WebARX blog

Some also change the settings on a hosting environment via .htaccess and nginx.conf file. When multiple plugins try to push their own changes, you can end up with an unstable site with questionable security configurations.

Why should you question “one-click malware removal” tools and services?

We often see service providers that offer “daily malware removal”, “one-click malware removal” and similar services that seem to be working well for website owners because every time they do it, a report shows that the website is clean. And it seems to be good because it does it often.

WordPress security how to secure wordpress
How to secure WordPress – WebARX blog

Instead of throwing out the bad guys on a regular basis, maybe it’s time to make a real effort and instead of investing in a fancy bucket to throw water out of a sinking ship, invest in tools to keep the water out.

Malware infection is the result of a problem. Does it really make sense to focus on the consequences? As far as you don’t solve the problem, you will end up in a dead circle of infections and cleanups.

How to secure WordPress? How should security be approached?

Monitoring actionable insights

When it comes to content management systems like WordPress, it’s highly important to have a proper overview of every single component your website uses. If you’re an agency or a developer, it’s important to be able to set alerts and receive the information from a single place.

Whether it’s a vulnerable PHP version, a vulnerable plugin version, or a buggy theme, you want to know this information immediately. It’s not only about the internals, but the external information as well.

secure wordpress
Screenshot from the WebARX dashboard. External security monitoring results.

You should always know and be alerted about:

  • Is the website blacklisted?
  • Is the website mentioned in defacement databases or hacking forums?
  • What kind of information can be enumerated from your site with the use of simple tools?
  • Is the SSL certificate properly set up and when is it expiring?
  • Is the domain expiration date around the corner?

Receive alerts about plugin vulnerabilities and activate firewall now!


Comprehensive website monitoring is essential, it’s not just about up-time, it’s about the integrity and about knowing where to look at. If you know where to look and what to improve, it will be much easier to keep pace with the latest and modern security practices.

Focus on prevention

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks in this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls have critical importance.

Web Application Firewall will monitor traffic your website receives and will take action on malicious or suspicious traffic. Web application firewalls are of critical importance to block exploitation attempts when a vulnerability is present which is yet to be patched.

WordPress security
Screenshot from the WebARX dashboard. Blocked plugin vulnerability exploitation attempts.

For example. WebARX web application firewall is managed and virtual patches will be distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

What to do when a website is hacked?

First of all, we have offered remediation services and malware removal since 2014 and have tested a lot of different tools. Many of them claimed to find malware on 100% accuracy. This has never happened.

Scanners are either heuristic or pattern-based and malware is always engineered to be invisible from scanners. Some scanners find malware better, some struggle with false positives, and many just don’t work at all.

Over the years of experience, we have stayed to supervised remediation. It means that we use different techniques to clean up the site and make sure that not a single backdoor remains on the site.

After double-checking, we install and configure a web application firewall and monitoring on the site. We have written a tutorial which is considered to be the most comprehensive malware removal guide available for WordPress.

Remember, WordPress Security is a process!

WordPress security is much more than just a security plugin and strong passwords. It’s a process.

We tend to get lost and confused in the world of ads and marketing messages without really knowing what is good for us. If you have the proper tools, sometimes the most effective way is to just take an hour per week to look at what could be improved.

Keep in mind, security is a process, not a plugin you can install.

Start protecing your sites with WebARX today

Start free trial

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third party components or plugins that are used to improve its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How WordPress sites get hacked?

WordPress sites get hacked mostly by hackers targeting vulnerable software. It means that your site is not the target in most cases but the software (plugins, themes) that you use. It is mostly being done with bots and automated tools.

How to choose a WordPress security plugin?

This will require some critical thinking as many of the providers offer “100% security”. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.

What do I ned to secure my WordPress site?

The essentials are:
1. Choose a good hosting for your site.
2. Install an endpoint and cloud-based web application to your site (e.g. WebARX + Cloudflare free).
3. Use strong passphrases.

Which firewall to choose (endpoint or cloud-based)?

The truth is, you should use both. While they have their pros and cons, it’s always good to have multiple layers of security for the sites. Cloud WAF for reducing bot traffic and preventing DDoS attacks, and Endpoint WAF for protecting the website from hacking attempts.

We always suggest a combination of Cloudflare Free (Cloud WAF) and WebARX (Endpoint WAF) for a good layered website security strategy.

Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms: