Are WordPress sites secure?

WordPress out of the box is reasonably secure, out of the box.

However, if you install plugins or themes that aren’t maintained by their authors, you could be leaving your website vulnerable.

Can WordPress be hacked?

Yes it can, particular if you don’t update your WordPress software, or install abandoned plugins or themes (plugins or themes which are no longer in development by the author).

Here are the steps to securing your WordPress website from being hacked.

Install a Website Firewall

The best WordPress firewall is Wordfence. It has a rating or 4.8 out of 5 stars by WordPress users.

You can only install Wordfence on the WordPress.org version (self-hosted) WordPress. If you use WordPress.com, you’ll be protected by WordPress.com’s own firewall.

If you’re not using the WordPress.com version, go to your WordPress dashboard > Plugins > Add New.

If you don’t see Plugins or Plugins > Add New, you’ll need to ask your website administrator to install Wordfence for you.

In Plugins > Add New, search for Wordfence, and click Install when you see it in the search results. Once installed, Activate it.

Once activated, step through the free registration process.

Once registered, you’ll be prompted to activate the Wordfence Firewall.

Proceed through the setup process by agreeing and following each step. If you run into a problem or error, you could ask your web hosting support for help, post a question at the Wordfence support forum, or hire someone to help you.

Once your Firewall is activated, it’s a good idea to adjust your Wordfence Options:

  1. Go to your WordPress dashboard > Wordfence > All Options,
  2. Open a new tab in your browser, and visit www.whatismyip.com. Copy your IP4 address into your clipboard
  3. Go to “Advanced Firewall Options” in your Wordfence options
  4. Paste your IP address into “Whitelisted IP addresses that bypass all rules”
  5. Go to “Brute Force Protection”,
  6. Change “Lock out after how many login failures” to a lower figure, perhaps 4 or 5,
  7. Do the same for “Lock out after how many forgot password attempts”,
  8. Change “Count failures over what time period” to 5 minutes
  9. Change “Amount of time a user is locked out” to 2 months (the maximum)
  10. Go to “Rate Limiting”,
  11. Change “If a human’s pages not found (404s) exceed” to 15/minute then “block it”
  12. At top right of the page, click Save Changes.

Now you have set your Wordfence options, it’s a good idea to perform a Wordfence Scan.

Go to your WordPress dashboard > Wordfence > Scan.

Step through the welcome wizard.

Go to Scan Options and Scheduling. Enable the following extra options.

  1. Scan theme files against repository versions for changes
  2. Scan plugin files against repository versions for changes
  3. Scan images, binary, and other files as if they were executable

Click “Save Changes” at top right of page.

At top left of the page, click “Back to Scan”.

Click Start New Scan.

You now leave this window/tab to proceed on its own, and you will be emailed at the WordPress site administrator email address if any issues are found.