{"id":93889,"date":"2026-05-02T14:46:05","date_gmt":"2026-05-02T19:46:05","guid":{"rendered":"https:\/\/www.bricktowntom.com\/blog\/?p=93889"},"modified":"2026-05-02T14:46:05","modified_gmt":"2026-05-02T19:46:05","slug":"guide-to-wordpress-security","status":"publish","type":"post","link":"https:\/\/www.bricktowntom.com\/blog\/05\/guide-to-wordpress-security.html","title":{"rendered":"Guide to WordPress Security"},"content":{"rendered":"<p>A great-looking, high-performing website can be the key to success online, and WordPress checks all the boxes. It\u2019s almost infinitely scalable and capable of nearly endless functionality. However, as with any website, WordPress requires security measures to keep it online and running at its best.<\/p>\n<p>This WordPress security guide will empower you to thwart bad actors seeking to exploit the website you so lovingly crafted. Implement the strategies included here, and you\u2019ll likely leave hackers and attackers tooting their sad trombones as they look for an easier target.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/07\/wordpress-973439_12801-300x169-1.jpg?w=993&#038;ssl=1\" \/><\/p>\n<h2 id=\"quick-navigation\"><span class=\"ez-toc-section\" 
id=\"Quick_navigation\"><\/span>Quick navigation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Ready to dive in? Here\u2019s what we\u2019ll cover:<\/p>\n<ul>\n<li><a href=\"#is-Wordpress-secure\">Is WordPress a secure platform?<\/a><\/li>\n<li><a href=\"#secure-your-wordpress\">Why you need to secure your WordPress website<\/a><\/li>\n<li><a href=\"#how-to-secure-wordpress\">How to secure WordPress<\/a><\/li>\n<li><a href=\"#security-plugins\">Security plugins<\/a><\/li>\n<li><a href=\"#security-best-practices\">Security best practices<\/a><\/li>\n<li><a href=\"#identify-vulnerabilities\">How to identify vulnerabilities and how to prevent them<\/a><\/li>\n<li><a href=\"#security-scan\">How to run a security scan<\/a><\/li>\n<li><a href=\"#strong-passwords-and-two-factor-authentication\">Strong passwords and two-factor authentication<\/a><\/li>\n<li><a href=\"#limiting-users-and-admins\">Limiting the number of WordPress users and admins<\/a><\/li>\n<\/ul>\n<h2><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-AWordPress-Security-2020376658.jpg?w=993&#038;ssl=1\" \/><\/h2>\n<h2 id=\"is-Wordpress-secure\"><span class=\"ez-toc-section\" id=\"Is_WordPress_a_secure_platform_Are_WordPress_websites_vulnerable_to_attacks\"><\/span>Is WordPress a secure platform? Are WordPress websites vulnerable to attacks?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When it comes to the overall security of WordPress, it might be helpful to imagine it as an old-fashioned safe. If you keep that safe maintained and use it as intended, then yeah, it\u2019s going to keep out the bad guys. But if you let your safe get rusty or, worse, leave it unlocked, then it\u2019s not going to be very secure.<\/p>\n<p>While a WordPress site might get targeted by bad actors \u2014 just like any web application \u2014 security incidents most often stem from negligence: unpatched software, weak credentials and sloppy configuration. 
Also consider that WordPress is supported by an entire community striving to keep it secure.<\/p>\n<blockquote><p>If you\u2019d like to keep track of the security measures and updates in WordPress, check out the <a href=\"https:\/\/wordpress.org\/news\/category\/security\/\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">security section of their blog<\/a>.<\/p><\/blockquote>\n<p>A panel of industry experts watches over the platform\u2019s core; release cycles are stable and regular, and security best practices are firmly established for developers of both themes and plugins.<\/p>\n<p>WordPress is an increasingly locked-down platform, and the standard procedures for staying safe as a WordPress site owner are now widely understood.<\/p>\n<p>All that said, it remains worth your while to keep up to speed with security issues and developments in both the platform\u2019s core and the wider ecosystem of themes and plugins, which is where the large majority of reported WordPress vulnerabilities are found.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-AWordPress-Security74289380.jpg?w=993&#038;ssl=1\" \/><\/h2>\n<h2 id=\"secure-your-wordpress\"><span class=\"ez-toc-section\" id=\"Why_you_need_to_secure_your_WordPress_website\"><\/span>Why you need to secure your WordPress website<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Even if you\u2019re only dabbling with WordPress, your site can still be a target for hacks and attacks. 
Imagine sending friends and family to that WordPress website you\u2019re so proud of building, only to find your pages displaying odd messages for prescription medication or online gambling.<\/p>\n<p>That\u2019s called <a href=\"https:\/\/blog.sucuri.net\/2022\/02\/how-to-get-rid-of-the-most-common-types-of-seo-spam.html\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">SEO spam<\/a>, and it\u2019s one of the most common types of infection. It doesn\u2019t matter if you\u2019re small time \u2014 hackers only care about gaining access to a site in order to further their schemes.<\/p>\n<p>Sounds embarrassing, right?<\/p>\n<p>Well, now imagine you\u2019re running a business and store sensitive data on your WordPress website, like customers\u2019 payment information or other types of personal details. If a hacker gained access to that, you could face serious legal repercussions, not to mention the damage to your business reputation.<\/p>\n<p>Thankfully, it\u2019s not a huge chore to make your WordPress website more secure from hacks and attacks. Simply by skimming this guide, you\u2019re setting yourself apart from less responsible website owners who are headed for Hacktown.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-AWordPress-Security1-3253936618.png?w=993&#038;ssl=1\" \/><\/h2>\n<h2 id=\"how-to-secure-wordpress\"><span class=\"ez-toc-section\" id=\"How_to_secure_WordPress\"><\/span>How to secure WordPress<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Securing a WordPress website is achievable through a combination of software applications and your own best practices. But keep in mind, even the most advanced WordPress plugin won\u2019t save you if your security posture is lax. 
Similarly, even the strongest, security-first mindset could use a little reinforcement from technology.<\/p>\n<p>In this section, we\u2019ll look at some of the best WordPress security plugins, as well as best practices you should employ to keep your site secure.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-AWordPress-Security-1-1875602676.jpg?w=993&#038;ssl=1\" \/><\/h2>\n<h2 id=\"security-plugins\"><span class=\"ez-toc-section\" id=\"Security_plugins\"><\/span>Security plugins<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you\u2019re new to WordPress, you probably ask yourself, \u201cDo I need a WordPress security plugin?\u201d The answer is a resounding \u201cYES,\u201d especially if you\u2019re not code-savvy enough to tackle the Hardening WordPress section of the\u00a0<a href=\"https:\/\/codex.wordpress.org\/Hardening_WordPress\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">WordPress Codex<\/a>.<\/p>\n<blockquote><p>Security is a big deal. WordPress security plugins help you protect your investment of time and money to create your website.<\/p><\/blockquote>\n<p>If you don\u2019t protect that investment, you risk losing part of your website, or all of it. 
Whether it is a website geared to selling items online, or an informational website to get people to come to your brick-and-mortar location, it needs to be up to help you succeed in your online endeavor.<\/p>\n<h3><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-AWordPress-Security1-1-939571175.jpg?w=993&#038;ssl=1\" \/><\/h3>\n<h3><span class=\"ez-toc-section\" id=\"Features_to_look_for_in_WordPress_security_plugins\"><\/span>Features to look for in WordPress security plugins<i>\u00a0<\/i><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Before listing some of the top WordPress security plugins, you need to understand the features to look for when choosing the right security plugin to lock down your WordPress site.<\/p>\n<ul>\n<li><b>Includes a strong malware scanner<\/b>\u00a0\u2013\u00a0There are many ways to be hacked, and a scanner that only recognises a few kinds of infection is of little use in detecting what doesn\u2019t belong on your website. Look for one that checks both file contents and the database, since injected spam and backdoors can live in either.<\/li>\n<li><b>Includes a Web Application Firewall or some type of reliable firewall<\/b>\u00a0\u2013\u00a0Or at least a way to purchase the service. Some plugins don\u2019t offer this feature for free, but a firewall goes a long way in blocking malicious bots before they reach your site. It also protects against larger problems, such as floods of bot traffic that exhaust the server\u2019s resources and take the site down.<\/li>\n<li><b>Emphasizes strong passwords and logins<\/b>\u00a0\u2013\u00a0Your security plugin should help educate you a little on the basics: choosing a username other than the default, a strong password, and the ability to log in more securely. 
A security plugin that has\u00a0two-factor authentication\u00a0can help you implement a more secure way to log in on your website.<\/li>\n<li><b>Can help repair files that might be compromised<\/b>\u00a0\u2013\u00a0You probably don\u2019t have the time to\u00a0<a href=\"https:\/\/www.godaddy.com\/garage\/smallbusiness\/secure\/what-is-malware-and-how-can-you-protect-your-wordpress-website\/\" target=\"_self\" rel=\"follow noopener\" data-wpel-link=\"internal\">edit malware<\/a>\u00a0out of the files on your website. If your security plugin can compare WordPress core files, and plugins and themes from WordPress.org, against their originals, and even restore the originals, it can save you a lot of time. Bear in mind that a modified file is a symptom: after restoring it, find and close the hole the attacker used, or the file will simply be modified again.<\/li>\n<li><b>Checks your website against Google\u2019s Safe Browsing list<\/b>\u00a0\u2013\u00a0Google is the number-one search engine in the world, and if your website hosts malware or gets flagged as hacked content, you will lose traffic.\u00a0<a href=\"https:\/\/www.google.com\/transparencyreport\/safebrowsing\/malware\/#region=ALL&amp;period=90&amp;size=LARGEST&amp;compromised&amp;attack&amp;asn=11282&amp;page=1\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">Google actually labels websites<\/a>\u00a0that have been found serving malware or suspicious content, and browsers warn visitors away from them.<\/li>\n<li><b>The plugin actually works!<\/b>\u00a0\u2013\u00a0Yes, some people choose older plugins that are no longer compatible with their current version of WordPress. 
If your WordPress security plugin isn\u2019t working, you have a false sense of security and an open door for the next bot or attacker.<\/li>\n<\/ul>\n<h3><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-AWordPress-Security-3452925911.jpg?w=993&#038;ssl=1\" \/><\/h3>\n<h3><span class=\"ez-toc-section\" id=\"Recommended_WordPress_security_plugins\"><\/span>Recommended WordPress security plugins<i>\u00a0<\/i><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Below are five of the best WordPress security plugins available. Some of these can be stacked together, but others should be used alone; in particular, two plugins that both manage the firewall or login lockouts tend to conflict. It\u2019s important to read each plugin\u2019s description and review its features to pick one you\u2019re comfortable with.<\/p>\n<ul>\n<li>Sucuri Security<\/li>\n<li>Wordfence<\/li>\n<li>iThemes Security<\/li>\n<li>Shield Security<\/li>\n<li>All In One WP Security &amp; Firewall<\/li>\n<\/ul>\n<p>As a note, all of the plugins listed below have hundreds of thousands of active installs and long public track records.<\/p>\n<p><i>*The features and information listed below were verified to be correct at the time of publication<\/i><b>\u00a0<\/b><\/p>\n<h4><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-A-WordPress-Security3855952014.jpg?w=993&#038;ssl=1\" \/><\/h4>\n<h4><span class=\"ez-toc-section\" id=\"Sucuri_Security\"><\/span>Sucuri Security<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Sucuri Security\u00a0is a highly popular WordPress security plugin with the following features:<\/p>\n<ul>\n<li>Monitors user activity<\/li>\n<li>Monitors files for changes (file integrity monitoring)<\/li>\n<li>Has hardening settings to block bots from adding malicious files to your site<\/li>\n<li>Offers a website firewall for premium users (paid upgrade)<\/li>\n<li>Has blocklist monitoring in case you\u2019ve been 
blocklisted from places like Google, McAfee, Norton and more<\/li>\n<\/ul>\n<h4><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/bricktowntom.com\/wp-content\/uploads\/2022\/10\/0-0-0-0-A-WordPress-Security.jpg?w=993&#038;ssl=1\" \/><\/h4>\n<h4><span class=\"ez-toc-section\" id=\"Wordfence\"><\/span>Wordfence<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Wordfence has more than 2 million active installs across the world. The plugin offers a paid upgrade to its premium Web Application Firewall, and features like:<\/p>\n<ul>\n<li>Blocks bad bots and fake Googlebots<\/li>\n<li>IP or country blocking (paid feature)<\/li>\n<li>Live traffic monitoring and real-time blocking<\/li>\n<li>Options to throttle or block users or bots whose behaviour looks suspicious or risky<\/li>\n<li>Two-factor authentication<\/li>\n<li>Requires users to choose strong passwords<\/li>\n<li>Brute-force login protection<\/li>\n<li>Compares WordPress core, theme and plugin files against the originals hosted at WordPress.org<\/li>\n<li>Scans for malicious code like trojans, backdoors and more<\/li>\n<li>Has support for WordPress multisite<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"iThemes_Security\"><\/span>iThemes Security<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>iThemes Security (originally Better WP Security, and since rebranded as Solid Security) was created by combining features from several different WordPress security plugins into one large plugin. The intention was to avoid having to stack myriad WordPress plugins while giving the WordPress user a security checklist to work through. 
This plugin offers many different options to help guide users through securing their WordPress website.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Shield_Security\"><\/span>Shield Security<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Shield Security\u00a0has a lot of different options for securing and hardening websites. Here are some of the features:<\/p>\n<ul>\n<li>Two-factor authentication<\/li>\n<li>Renaming the WordPress login URL<\/li>\n<li>Brute-force protection<\/li>\n<li>File integrity checking<\/li>\n<li>User monitoring<\/li>\n<li>Email reporting<\/li>\n<li>Firewall<\/li>\n<li>User management<\/li>\n<li>Help with\u00a0reducing comment spam<\/li>\n<li>Hack protection<\/li>\n<li>Option for auto-repairing compromised files for WordPress core, or plugins or themes from WordPress.org<\/li>\n<li>IP manager<\/li>\n<li>Lockdown options such as hiding the WordPress version, blocking XML-RPC, preventing file editing, and more<\/li>\n<\/ul>\n<h4><span class=\"ez-toc-section\" id=\"All_in_One_WP_Security_Firewall\"><\/span>All In One WP Security &amp; Firewall<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>All In One WP Security &amp; Firewall\u00a0is designed with many of the same features as iThemes Security. Why All In One over iThemes Security? Some web hosting and plugin setups cannot handle iThemes but might be able to handle All In One. My suggestion is to install and test each plugin to see what works best for you.<\/p>\n<p><i>In the end, the important thing is to choose a WordPress security plugin that actually works!<\/i><b>\u00a0<\/b><\/p>\n<p>These are just a handful of the great WordPress security plugins available to help protect your website. 
Do your research, pick one or more security plugins to try, and start taking a more proactive approach to WordPress website security.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2 id=\"security-best-practices\"><span class=\"ez-toc-section\" id=\"Best_practices\"><\/span>Best practices<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>While the plugins listed above can go a long way in securing your WordPress website, they\u2019re by no means the only measures to implement. Your behavior and habits are just as important (if not more so) in keeping a site secure, so let\u2019s explore best practices for keeping the baddies away from your WordPress site.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Update_core_files_plugins_and_themes\"><\/span>Update core files, plugins and themes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>WordPress releases routinely include security fixes, and so do plugin and theme updates; once a fix is public, the vulnerability it closes is public too. Applying updates promptly should always be the first step in securing a site, and the steps couldn\u2019t be simpler. All you have to do is log in to the wp-admin dashboard, hover over the Dashboard button on the sidebar, and then in the dropdown menu click <b>Updates<\/b>.<\/p>\n<p>Select the items you want to update \u2014 which should be every one listed. You can make this process even easier by enabling automatic updates for core files, plugins and themes. If you\u2019re using a managed WordPress solution, it likely includes this function. 
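<\/p>\n<p>Where you need finer control than all-or-nothing, for example because one extension has broken the site on an automatic update before, the auto_update_plugin and auto_update_theme filters let you decide per item. The must-use plugin below is an added example written for this guide, not code from WordPress or from any of the plugins above; the two hold lists, their slugs and the file name are placeholders you would replace with your own.<\/p>

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example for this guide)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins
 * load on every request with no activation step and, unlike wp-config.php,
 * they run after wp-settings.php has defined add_filter().
 *
 * Policy: every plugin and theme auto-updates except the few in the hold
 * lists below, which you update by hand after testing on staging because
 * an automatic update has broken them before.
 */

// Hypothetical slugs: replace with the directory names of the extensions
// you want to hold back, or leave both arrays empty to auto-update everything.
const EXAMPLE_AUTOUPDATE_HOLD_PLUGINS = array( 'fragile-page-builder' );
const EXAMPLE_AUTOUPDATE_HOLD_THEMES  = array( 'custom-child-theme' );

/**
 * Slug of the item WordPress is asking about. The update item carries it in
 * ->slug for plugins and ->theme for themes; when neither is set, fall back
 * to the directory part of the plugin file path (e.g. "akismet/akismet.php").
 */
function example_autoupdate_slug( $item ) {
	if ( ! is_object( $item ) ) {
		return '';
	}
	if ( ! empty( $item->slug ) ) {
		return (string) $item->slug;
	}
	if ( ! empty( $item->theme ) ) {
		return (string) $item->theme;
	}
	if ( ! empty( $item->plugin ) ) {
		return dirname( (string) $item->plugin );
	}
	return '';
}

/** True unless the item's slug is on the hold list. */
function example_autoupdate_allowed( $item, array $hold ) {
	return ! in_array( example_autoupdate_slug( $item ), $hold, true );
}

// Each filter receives WordPress's tentative decision ($update) and the
// item; the policy ignores the former and decides from the hold list alone.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	return example_autoupdate_allowed( $item, EXAMPLE_AUTOUPDATE_HOLD_PLUGINS );
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
	return example_autoupdate_allowed( $item, EXAMPLE_AUTOUPDATE_HOLD_THEMES );
}, 10, 2 );
```

<p>Drop the file into wp-content\/mu-plugins\/ (create the directory if it does not exist); there is nothing to activate. The core-update constant stays in wp-config.php as described in this subsection. Because the filters return a definite true or false, the dashboard\u2019s per-plugin auto-update toggle defers to them, so the policy cannot be undone by clicking.<\/p>\n<p>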
You can also enable automatic updates for individual plugins from the Plugins section of wp-admin.<\/p>\n<p>And if you don\u2019t mind going under the hood, you can turn on automatic updates in code. The core setting is a constant that belongs in wp-config.php:<\/p>\n<blockquote><p>\/\/ Enable automatic updates for WordPress core, including major releases<\/p>\n<p>define( 'WP_AUTO_UPDATE_CORE', true );<\/p><\/blockquote>\n<p>The plugin and theme settings are filters, and they cannot go in wp-config.php: add_filter() is only defined once wp-settings.php loads, which happens after wp-config.php has been read, so these lines there would cause a fatal error on every request. Put them in a must-use plugin (any PHP file in wp-content\/mu-plugins\/) or in your theme\u2019s functions.php instead:<\/p>\n<blockquote><p>\/\/ Enable automatic updates for all plugins and themes<\/p>\n<p>add_filter( 'auto_update_plugin', '__return_true' );<\/p>\n<p>add_filter( 'auto_update_theme', '__return_true' );<\/p><\/blockquote>\n<p>An automatic update can change how a theme or plugin behaves and will occasionally break one. That is still usually preferable to leaving a known vulnerability running on the site, provided you keep backups so you can roll back.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Remove_unused_plugins_and_themes\"><\/span>Remove unused plugins and themes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>One of the greatest features of WordPress is its ability to download and run plugins, potentially improving the functionality of your website. That being said, it is possible to have too much of a good thing.<\/p>\n<p>The quality of code across plugins and themes varies, as some are created by businesses and others by hobbyists, and neither is perfect.<\/p>\n<p>Every plugin installed on your WordPress site adds code that attackers can probe, so each installation widens the attack surface. It is not enough to simply deactivate plugins you aren\u2019t using: a deactivated plugin\u2019s PHP files are still on the server and can often be requested directly, so you have to delete the plugin to get the vulnerable code off the server.<\/p>\n<p>Removing unused items is equally important for performance and should be part of any WordPress security review. 
The fewer plugins installed, the smaller the attack surface and the faster the site will run.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Install_an_SSL_certificate\"><\/span>Install an SSL certificate<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>It should be painfully obvious by now that every website should have an SSL (more precisely, TLS) certificate and serve over HTTPS. Put simply, HTTPS encrypts traffic between visitors and your server so that credentials and session cookies cannot be read or tampered with in transit, lets browsers confirm they are talking to your site rather than an impostor, and can help Google rankings.<\/p>\n<p>With the certificate installed, change the WordPress Address and Site Address in WordPress by going to General Settings and changing the protocol from HTTP to HTTPS. Click <b>Save Changes<\/b> and the switch is complete. Also redirect plain HTTP requests to HTTPS at the web server, so that nobody lands on the unencrypted version of a page.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Enforce_strong_passwords\"><\/span>Enforce strong passwords<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The most commonly used passwords typically range from <i>123456<\/i> to <i>password<\/i> \u2014 which are painfully obvious, insecure and pretty much guarantee that the account will be accessed by an unauthorized user.<\/p>\n<p>A\u00a0strong password is long (12 characters or more is a sensible floor) and mixes digits, punctuation, and upper- and lowercase letters; a password manager makes such passwords painless to use.<\/p>\n<p>Never reuse a password across sites. It is also important that your password doesn\u2019t consist of dictionary words or proper nouns, as those are especially prone to the aptly named dictionary attack.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Use_captcha_on_forms\"><\/span>Use captcha on forms<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A hacker doesn\u2019t need to compromise a login to abuse your site.<\/p>\n<p>If your WordPress site has a contact form without a captcha, you can bet that eventually it will be used to send as much spam and as many malicious emails as your server can handle. 
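<\/p>\n<p>Both the captcha above and the failed-login limit described under the next heading are defences against brute-force login guessing, and the limit is simple enough to write yourself when you would rather not add another plugin. The must-use plugin below is an added example written for this guide, not code from the Limit Login Attempts plugin or from WordPress; the EXAMPLE_ constants, the file name and the five-attempts-per-fifteen-minutes policy are assumptions to adjust for your site.<\/p>

```php
<?php
/**
 * Plugin Name: Failed-login throttle (added example, not a plugin's code)
 *
 * Save as wp-content/mu-plugins/login-throttle.php. This is the core of what
 * "limit login attempts" plugins do: count failed logins per client address
 * and username, and refuse further attempts for a lockout window once the
 * limit is reached. Because it hooks wp_authenticate() rather than the login
 * form, it also covers logins that arrive through XML-RPC, which a captcha on
 * wp-login.php does not.
 */

const EXAMPLE_LOGIN_MAX_FAILURES    = 5;
const EXAMPLE_LOGIN_LOCKOUT_SECONDS = 900; // 15 minutes

/**
 * Address to throttle on. Only REMOTE_ADDR is trusted by default: the
 * X-Forwarded-For header is attacker-controlled unless a reverse proxy you
 * run sets it, so it is honoured only when the hypothetical constant
 * EXAMPLE_LOGIN_BEHIND_PROXY is defined as true in wp-config.php. A proxy
 * appends the address it saw to the end of the list, so the last entry is the
 * trustworthy one; anything earlier was supplied by the client.
 */
function example_login_client_ip() {
	if ( defined( 'EXAMPLE_LOGIN_BEHIND_PROXY' ) && EXAMPLE_LOGIN_BEHIND_PROXY
		&& ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
		$hops = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
		$ip   = trim( end( $hops ) );
		if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) {
			return $ip;
		}
	}
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name for one (address, username) pair; md5 keeps it short. */
function example_login_key( $username ) {
	return 'ex_login_fail_' . md5( example_login_client_ip() . '|' . strtolower( $username ) );
}

/** Failures recorded so far for this request's address and $username. */
function example_login_failures( $username ) {
	return (int) get_transient( example_login_key( $username ) );
}

// Runs after WordPress rejects the credentials. Locked-out attempts count as
// failures too, so the window keeps sliding while an attack continues.
add_action( 'wp_login_failed', function ( $username ) {
	set_transient( example_login_key( $username ),
		example_login_failures( $username ) + 1, EXAMPLE_LOGIN_LOCKOUT_SECONDS );
} );

// Priority 30 runs after wp_authenticate_username_password (20), so a correct
// password is refused as well during the lockout. That is the point: an
// attacker who guesses right on attempt six still gets nothing.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( '' === (string) $username ) {
		return $user; // cookie or other non-password authentication
	}
	if ( example_login_failures( $username ) >= EXAMPLE_LOGIN_MAX_FAILURES ) {
		return new WP_Error( 'too_many_attempts',
			'Too many failed login attempts. Try again in 15 minutes.' );
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter for that address and username.
add_action( 'wp_login', function ( $user_login ) {
	delete_transient( example_login_key( $user_login ) );
} );
```

<p>The lockout is keyed on the client address and the username together, so one attacker cannot lock every user out of the site by spraying failures, and a user behind a shared NAT is not locked out by a stranger\u2019s attempts on a different account. The cost of that choice is that an attacker with many addresses still gets five guesses per address per account, which is why a limit complements, rather than replaces, strong passwords and two-factor authentication.<\/p>\n<p>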
Captcha tools also help prevent brute-force attacks against your admin accounts.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Limit_login_attempts\"><\/span>Limit login attempts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The plugin <a href=\"https:\/\/wordpress.org\/plugins\/limit-login-attempts-reloaded\/\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">Limit Login Attempts<\/a> will keep your admin page protected with a customizable limit to the failed logins that are allowed before a user is blocked from submitting a login form. You can also add an allowlist in case a user tends to forget their password.<\/p>\n<p>Some hosting providers already offer this as a built-in feature, so it\u2019s a good idea to do your research before attempting the installation.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Turn_off_file_editing\"><\/span>Turn off file editing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>You might notice WordPress allows you to edit your theme and plugin files directly from the admin panel. This is a serious vulnerability that can have unintended consequences.<\/p>\n<p>It\u2019s best to disable it to prevent hackers or other users from defacing the site, intentionally or otherwise.<\/p>\n<p>Thankfully, the remedy involves another change to your wp-config.php file. Just add this to the file on its own line:<\/p>\n<blockquote><p>\/\/ Disable file editing<\/p>\n<p>define('DISALLOW_FILE_EDIT', true);<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"Change_security_keys\"><\/span>Change security keys<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The security keys and salts stored in your wp-config.php file protect the login sessions stored in your cookies. 
Changing these keys invalidates all sessions: every user is logged out of the dashboard, and any session a hacker has hijacked is cut off as well.<\/p>\n<p>Changing these keys is as simple as copying and pasting.<\/p>\n<p>First, use the <a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">WordPress security key generator API<\/a> to get your new secret keys, and then copy them (always generate your own; never reuse keys from a published example). In wp-config.php you\u2019ll find a block of code that looks similar, which you can replace with the new block you have copied. It will look like this:<\/p>\n<blockquote><p>define('AUTH_KEY',         'HeW#zltmGurr@u{B97hDiOr;3@&lt;1&gt;-^bbtua-:bC&amp;K4`]*r 6V&lt;-s-GtTq?lLL|h');<\/p>\n<p>define('SECURE_AUTH_KEY',  'B &gt;t.QYHTKXRv\/)ewR 5$iswZrLM}kAE#15?:2lu]zPd!KuB78?4fopw3QsHtx#4');<\/p>\n<p>define('LOGGED_IN_KEY',    'gI:T2,v7|E[.Q&amp;[yGK|$a+s1;&amp;$8-[?|6dE+FX|9|Ex|N[EPiQ0YzoXas=.7`4;&amp;');<\/p>\n<p>define('NONCE_KEY',        'Z_-$xVrv0+VqtoVl#8|s\/zeOlm^h# zHh(3me1X\/S(l[(h;-+KI&amp;cyDuLbm&lt;!DR.');<\/p>\n<p>define('AUTH_SALT',        '-~i[ahut&amp;xhfTLlnk+u^[GC2?:324X\/Lo*&lt;i{|K75j)6HI&lt;y1&lt;Vc$|(,-xZ+{ O]');<\/p>\n<p>define('SECURE_AUTH_SALT', 'B|M9s9a*iwp44|ldOHJlG9.#-Hb$t?kY|st;D9 )]FALOWt[\/fYrtanxrjoxfD(z');<\/p>\n<p>define('LOGGED_IN_SALT',   'z_ Drd6Rip3upj:P*|2UsToIkVtaG|Nk3JKO yNq=xQZpVy7u!d@.TO8P:b5#s*H');<\/p>\n<p>define('NONCE_SALT',       '5\/af{*Wq82Gzq56&amp;$b)&lt;]X=-3#NW3x++~ D|PD-oCs=(#_y-~Z=w[]W9#jBfgJ *');<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"Secure_core_files_with_an_htaccess\"><\/span>Secure core files with an .htaccess<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The .htaccess file is probably one of the most powerful tools in\u00a0WordPress security on Apache hosting.<\/p>\n<p>We\u2019ll start by blocking direct browser access to the core include files, since they do nothing for a legitimate visitor and are usually requested directly only by someone probing for vulnerabilities.<\/p>\n<p>As a quick fix, you can add this block of code from the WordPress team to .htaccess, placed outside the # BEGIN WordPress \/ # END WordPress markers, since WordPress overwrites anything between them:<\/p>\n<blockquote><p># Block the include-only files.<\/p>\n<p>&lt;IfModule mod_rewrite.c&gt;<\/p>\n<p>RewriteEngine On<\/p>\n<p>RewriteBase \/<\/p>\n<p>RewriteRule ^wp-admin\/includes\/ - [F,L]<\/p>\n<p>RewriteRule !^wp-includes\/ - [S=3]<\/p>\n<p>RewriteRule ^wp-includes\/[^\/]+\\.php$ - [F,L]<\/p>\n<p>RewriteRule ^wp-includes\/js\/tinymce\/langs\/.+\\.php - [F,L]<\/p>\n<p>RewriteRule ^wp-includes\/theme-compat\/ - [F,L]<\/p>\n<p>&lt;\/IfModule&gt;<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"Disable_XML-RPC\"><\/span>Disable XML-RPC<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Most users don\u2019t utilize the functionality behind XML-RPC, which lets you make blog posts and interact with some plugins. This type of functionality is good if you have an automated feed that posts new content to the site, but it\u2019s highly sophisticated and rarely taken advantage of.<\/p>\n<p>In most cases, just disable it to deny hackers a way to brute-force user passwords. In order to disable it, you\u2019ll just need to add another block of code to your .htaccess file (on Apache 2.4 without mod_access_compat, replace the two access lines with Require all denied):<\/p>\n<blockquote><p># Disable XML-RPC<\/p>\n<p>&lt;Files xmlrpc.php&gt;<\/p>\n<p>order allow,deny<\/p>\n<p>deny from all<\/p>\n<p>&lt;\/Files&gt;<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"Audit_file_permissions\"><\/span>Audit file permissions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>According to WordPress, developers and admins should avoid 777 file permissions at all costs. 
A file with 777 permissions can be read, written and executed by any user on the machine.<\/p>\n<p>Instead, WordPress suggests that you use 755 permissions for folders and 644 permissions for files.<\/p>\n<p>Because WordPress files constantly update, change and make new additions, regularly audit the website files, looking for bad permissions in order to maintain a secure environment.<\/p>\n<p>If you want to quickly run an audit, you can run these two commands over SSH from the WordPress root to list every file and directory beneath it that does not follow the WordPress guidelines for file permissions:<\/p>\n<blockquote><p>find . -type f ! -perm 0644; find . -type d ! -perm 0755<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"Disable_PHP_error_reporting\"><\/span>Disable PHP error reporting<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Disabling PHP error reporting prevents hackers from gaining vital information about your website and the environment it\u2019s on.<\/p>\n<p>A common technique in hacking is to view a file that displays an error in order to identify the operating system, the website\u2019s path on the server, and even what applications are running.<\/p>\n<p>As an example, suppose you access a file on the website that returns this error:<\/p>\n<blockquote><p>Warning: Cannot modify header information \u2013 headers already sent by (output started at \/home\/jchilcher\/public_html\/wp-content\/plugins\/twitter-profile-field\/twitter-profile-field.php:28) in \/home\/jchilcher\/public_html\/wp-includes\/option.php on line 571.<\/p><\/blockquote>\n<p>This error already tells me the server is using Linux with cPanel, that the site is the main domain for this cPanel account, and that the website is using the twitter-profile-field plugin. I now know where to start looking for vulnerabilities and where to exploit them.<\/p>\n<p>The fix to this problem is as easy as the rest. 
Create or modify the php.ini for the site and ensure that the directive display_errors is off. You can do this by adding the line:<\/p>\n<blockquote><p>display_errors = Off<\/p><\/blockquote>\n<p>Once your settings have gone into effect, any error that would normally display on a page will be gone. Errors can still be written to the server\u2019s PHP error log (log_errors = On), where you can review them yourself.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Have_a_backup_plan\"><\/span>Have a backup plan<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Lastly, here\u2019s the most important yet most neglected task in WordPress security: a backup plan. If the worst-case scenario becomes a reality and your website becomes a host to malware, you should already have a plan for how you will get the website back.<\/p>\n<p>In most cases, those who refuse to regularly back up their sites end up regretting it. Without a clean backup, your hacked site might never be clean again without starting all over.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2 id=\"identify-vulnerabilities\"><span class=\"ez-toc-section\" id=\"How_to_identify_vulnerabilities_how_to_prevent_them\"><\/span>How to identify vulnerabilities and how to prevent them<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>WordPress often releases updates to its core files, and they usually include fixes for the latest security issues. Your installed themes and plugins will also need updates, and you\u2019ll be notified of available new versions via your WordPress dashboard.<\/p>\n<p>There are a couple of big reasons for staying on top of WordPress security updates:<\/p>\n<ul>\n<li>You\u2019ll be protected against any recent threats that present a danger to your site or visitors.<\/li>\n<li>Any incompatibilities between plugins, themes and the WordPress core are likely fixed, creating a more stable system.<\/li>\n<\/ul>\n<p>In short, it just makes good sense to keep your WordPress core files, themes and plugins up to date. 
However, protecting your site involves much more than simply applying updates.<\/p>\n<p>You\u2019re about to learn how to check and update your WordPress website in two steps. Before you begin, you\u2019ll want to back up your website, in case something goes wrong and you need to restore it.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Step_1_Find_the_WordPress_updates_page\"><\/span>Step 1: Find the WordPress updates page<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>First, log in to your WordPress backend. Go to the Dashboard section, and then click <b>Updates<\/b>. This\u00a0offers a handy, at-a-glance guide for any themes, plugins or core files that need updating.<\/p>\n<p>Here, you\u2019ll see a reminder of when you last checked for updates, along with a prompt to check again. You can also find your currently installed WordPress version and an overview of any themes or plugins that have available updates.<\/p>\n<p>This is where you can reinstall the latest version of WordPress if you need to, for example, if you\u2019ve had to migrate a site or restore a backup. If you use a translated version of WordPress, you\u2019ll also get the option to install either the U.S. version or one in your own language.<\/p>\n<p>Once you\u2019ve become acquainted with this screen, the next step is to actually perform the updates.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Step_2_Update_WordPress_core_themes_and_plugins_as_necessary\"><\/span>Step 2: Update WordPress core, themes and plugins (as necessary)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Before actually updating WordPress, there are a few things to keep in mind. They make the whole update process run much more smoothly. 
Here\u2019s what you should remember:<\/p>\n<ul>\n<li>Create a full backup before updating your site, in case anything goes wrong.<\/li>\n<li>If you can, update WordPress using a staging or local site first, and then migrate it once you\u2019re happy the change has been successful.<\/li>\n<li>Update the WordPress core first, then your themes, and finally your plugins. That way, it will be easier to determine the cause of any errors.<\/li>\n<\/ul>\n<p>To carry out an update, go to <b>Dashboard<\/b>, and then click <b>Updates<\/b>. Take a look at what\u2019s displayed there. Depending on what you find as you get through your WordPress security updates, you might need to get the latest version of:<\/p>\n<ul>\n<li>WordPress \u2014 Simply click <b>Update Now<\/b>. If you don\u2019t see it, you\u2019re likely running the latest version.<\/li>\n<li>Themes \u2014 If updates are available, you\u2019ll see the information displayed under Themes. Check the appropriate boxes, and then click <b>Update Themes<\/b>. You\u2019ll be notified when it\u2019s done, and then prompted to return to the Themes or Updates pages.<\/li>\n<li>Plugins \u2014 Check the boxes for the plugins you\u2019d like to update, and then click <b>Update Plugins<\/b>. It should only take a few moments.<\/li>\n<\/ul>\n<p>Keep in mind, you can either update everything at once, or individual items as needed. The former option is more efficient, although the latter will make it easier to figure out the cause of any sudden problems. It\u2019s not a bad idea to perform one update at a time, testing your site in between and looking for errors or compatibility issues.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2 id=\"security-scan\"><span class=\"ez-toc-section\" id=\"How_to_run_a_security_scan\"><\/span>How to run a security scan<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Malware is not new to WordPress, but it still makes its mark on user sites every day. 
This software is specifically designed to intrude on your website and gain unauthorized access to your files. It\u2019s usually accidentally installed via a corrupted file, although certain advertisements can also contain malware.<\/p>\n<div class=\"callout\">The effects of malware are wide-ranging.<\/div>\n<p>It can compromise your login data, steal personal information, create spam, or hijack your computer. Some hackers even use malware to launch Distributed Denial of Service (<a href=\"https:\/\/blog.sucuri.net\/2022\/01\/how-to-stop-prevent-ddos-attacks.html\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">DDoS<\/a>) attacks, so making sure your site is clean should be a top priority.<\/p>\n<p>The first step is to scan your site for any pre-existing malware. While some plugins such as Wordfence Security include a malware scanner, there are also dedicated services you can turn to, such as <a href=\"https:\/\/www.godaddy.com\/web-security\/website-security\" target=\"_self\" rel=\"follow noopener\" data-wpel-link=\"internal\">GoDaddy\u2019s Website Security, powered by Sucuri.<\/a><\/p>\n<p>Next, you\u2019ll want to eradicate the malware itself. Fortunately, most of the services we\u2019ve mentioned will <a href=\"https:\/\/www.godaddy.com\/help\/remove-malware-from-my-site-26793\" target=\"_self\" rel=\"follow noopener\" data-wpel-link=\"internal\">do this for you<\/a>. Finally, you\u2019ll also want to change your passwords, so you don\u2019t get compromised again.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2 id=\"strong-passwords-and-two-factor-authentication\"><span class=\"ez-toc-section\" id=\"Importance_of_strong_password_two-factor_authentication\"><\/span>Importance of strong passwords and two-factor authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The process of logging into WordPress can present one of the most attractive vectors for hacks and attacks. 
However, a strong password paired with two-factor authentication (2FA) can mitigate much of the potential risk.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Strong_passwords\"><\/span>Strong passwords<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The simplest website security measure you can take is to use strong, unique passwords. This means skipping your dog\u2019s name, kid\u2019s name, birthdays and common words, including the word \u201cpassword.\u201d<\/p>\n<p>When creating your passwords, make sure they include:<\/p>\n<ul>\n<li>More than eight characters<\/li>\n<li>A mix of uppercase and lowercase letters<\/li>\n<li>At least one number<\/li>\n<li>At least one special character<\/li>\n<\/ul>\n<p>You should also make sure that every password you create is unique. Do not use the same password for multiple websites or online profiles, and do not use your WordPress password for anything else \u2014 especially for a social media profile.<\/p>\n<p>I know managing all of the different passwords can be tough, especially when you avoid any common words and add in numbers and special characters, but there is an easy solution. Use a password manager like <a href=\"https:\/\/www.lastpass.com\/\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">LastPass<\/a> or <a href=\"https:\/\/1password.com\/\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">1Password<\/a> to manage all of your unique passwords and provide you with one master password.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Two-factor_authentication\"><\/span>Two-factor authentication<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Two-factor authentication is a security measure that has come sharply into focus recently. 
Many large online companies, such as Google and Facebook, use this technology to help protect your accounts.<\/p>\n<div class=\"callout\">Essentially, 2FA is an extra layer of security.<\/div>\n<p>When you log into your account, you\u2019ll be asked to verify your identity through a second device, such as your mobile phone or 2FA hardware. Without that authorization, you\u2019ll be locked out. This is vital technology for anyone who values their site\u2019s security \u2013 and it\u2019s easy to implement for WordPress users.<\/p>\n<p>One recommendation for getting started with 2FA is the <a href=\"https:\/\/wordpress.org\/plugins\/two-factor-authentication\/\" rel=\"nofollow external noopener\" data-wpel-link=\"external\">Two Factor Authentication plugin<\/a>. This tool uses the Google Authenticator app to generate passcodes on your device and is simple to set up. Some larger security plugins also include 2FA as a premium feature, such as Wordfence Security, and Automattic\u2019s Jetpack offers a secure, free authentication option.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2 id=\"limiting-users-and-admins\"><span class=\"ez-toc-section\" id=\"Importance_of_limiting_the_number_of_WordPress_users_and_admins\"><\/span>Importance of limiting the number of WordPress users and admins<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When it comes to the principle of least privilege (more on that in a sec), Michiel Heijmans, formerly of Yoast, said it well:<\/p>\n<blockquote><p>\u201cContrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. 
Assign people to the appropriate roles and you\u2019ll greatly reduce your security risk.\u201d<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"Types_of_WordPress_user_roles\"><\/span>Types of WordPress user roles<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The first step is to understand the different user roles and capabilities, and how they relate to business functions. This is where our principle of least privilege comes in: grant users only the permissions they need to execute their business function.<\/p>\n<p>Let\u2019s look at the roles available in WordPress. Although it is possible to customize WordPress user roles with code adjustments or plugins, these are the five default user roles for a single WordPress site.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Administrator\"><\/span>Administrator<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>The WordPress Administrator has full access and control over the WordPress Dashboard. The administrator can install plugins, adjust themes, add users, manage widgets, and publish posts and pages.<\/p>\n<p>An Administrator can do everything related to creating, managing and deleting the WordPress site. In instances when there are multiple WordPress sites, there is a role for Super Administrator who has control over the entire network.<\/p>\n<p>Ideally, a WordPress Administrator is a web developer with knowledge of WordPress plugins and potential plugin conflicts. They also know what the marketing and editorial departments need in terms of site menus and sidebars, since managing the menus and sidebars are administrative functions by default.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Editor\"><\/span>Editor<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>The WordPress Editor is the site content manager. They can set up categories, assign authors, and publish posts and pages. 
They can also delete content.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Author\"><\/span>Author<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>WordPress Authors can write and publish their own content, including files and images, but cannot publish anyone else\u2019s content. Authors can also delete posts, but only their own.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Contributor\"><\/span>Contributor<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>WordPress Contributors can write their own content but cannot publish it to the site. Contributors cannot upload files or images. Contributors cannot delete or edit anything they\u2019ve contributed.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Subscriber\"><\/span>Subscriber<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Subscribers are the most limited out of all user roles. Aside from being able to manage their own user profile, the rest of their access to the site is read-only.<\/p>\n<p><strong><a href=\"#quick-navigation\">Back to Top<\/a><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Ready_to_dial_in_your_WordPress_security\"><\/span>Ready to dial in your WordPress security?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Nice work getting through our WordPress security guide. Hopefully you learned a lot and are ready to act on those lessons. As mentioned before, GoDaddy\u2019s <a href=\"https:\/\/www.godaddy.com\/web-security\/website-security\" target=\"_self\" rel=\"follow noopener\" data-wpel-link=\"internal\">Website Security<\/a> covers much of what we\u2019ve just learned.<\/p>\n<p>And if you\u2019re\u00a0managing multiple websites for clients, check out <a href=\"https:\/\/www.godaddy.com\/pro\/hub-dashboard\" target=\"_self\" rel=\"follow noopener\" data-wpel-link=\"internal\">The Hub by GoDaddy Pro<\/a>. 
It saves busy professionals hours each month by letting them handle in bulk security-related tasks like scans and backups.<\/p>\n<p>Again, great job\u00a0improving your security posture. Your diligence and efforts contribute to a safer internet for everyone.<\/p>\n<p>The post <a href=\"https:\/\/www.godaddy.com\/garage\/wordpress-security-guide\/\" target=\"_self\" rel=\"follow noopener\" data-wpel-link=\"internal\">Guide to WordPress Security<\/a> appeared first on <a href=\"https:\/\/www.godaddy.com\/garage\" target=\"_self\" rel=\"follow noopener\" data-wpel-link=\"internal\">GoDaddy Blog<\/a>.<\/p>\n<p>Source: Go Daddy Garage<\/p>","protected":false},"excerpt":{"rendered":"<p>A great-looking, high-performing website can be the key to success online, and WordPress checks all the boxes. It\u2019s almost infinitely scalable and capable &hellip;<\/p>\n","protected":false},"author":1,"featured_media":93896,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[23511],"tags":[126],"class_list":["post-93889","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ebusiness-emarketing","tag-information"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.bricktowntom.com\/blog\/wp-content\/uploads\/2022\/10\/0-0-0-0-AWordPress-Security-3452925911.jpg?fit=400%2C267&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p3k0YU-oql","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/posts\/93889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/comments?post=93889"}],"version-history":[{"count":5,"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/posts\/93889\/revisions"}],"predecessor-version":[{"id":102265,"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/posts\/93889\/revisions\/102265"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/media\/93896"}],"wp:attachment":[{"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/media?parent=93889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/categories?post=93889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bricktowntom.com\/blog\/wp-json\/wp\/v2\/tags?post=93889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}