WordPress Security: Keeping Your Site Secure



WordPress has ~800 million installations. That’s a lot — about 40% of all sites on the internet are using some version of it!

With such a vast number of installations, the core codebase of WordPress benefits from having a large pool of experts evaluating the code before it is released. However, this also makes it a target for automated scanning tools that look for outdated and vulnerable versions to exploit. That’s why WordPress security is crucial.

This post goes over some of the security best practices we employ on WordPress sites and some that clients can take themselves once keys to their sites are in their hands!


How Hark Protects Your Site


Core and Plugin Updates

Regularly updating your WordPress core, themes, and plugins is crucial in fortifying your site.  Our testing environments automatically receive updates for WordPress core and plugins in the WordPress plugin repository. These are then integration-tested for compatibility with one another, and the site theme and deployed to your live site once confirmed good.

Limit Login Attempts

Brute force attacks are a common attack method involving repeated attempts to guess your login credentials in an automated fashion using a dictionary of potential passwords. We mitigate this by limiting the number of login attempts by IP address and temporarily locking out suspicious ones making repeated failed attempts.

Disable Theme Editor

By disabling the built-in file editor within WordPress, we remove one-way users in the backend can make a direct change to the theme and core PHP code driving client sites.  This makes it so a bad actor in the backend can’t simply use the editor to overwrite the contents of front-page.php to print out whatever they want.

Disable Directory Listing

By default, web servers display the contents of directories if no resource (e.g., index.php) is not present.  Suppressing this behavior ensures directory listings aren’t exposed to the broader internet.

Obfuscate Admin URLs

Changing the default admin URL routes away from the default also helps mitigate simple automated brute force attacks, as those scripts may be unable to figure out the correct URL to send a login request to under those conditions.

Disable REST API Endpoints Unless Needed

Since WordPress 4.7, WordPress has featured a REST API, allowing developers to do some nifty things with headless installations and SPAs. While these are cool, any external-facing API is a target that any bad actor in the broader internet can make HTTP requests to,

This can also be done on a per-endpoint basis; so if your site needs a /products endpoint to expose something like woo-commerce product data to external APIs, but you don’t care about embeds for blog posts, the embed endpoints can be disabled while leaving the products endpoint functional.


What You Can Do


Limit Third Party Plugins

Every bit of new plugin code has more surface area for vulnerabilities. Frequently, plugin code is some of the least well-designed and well-maintained code with the fewest eyes on its repository activity.

While the functionality plugins provide can be nice, the fewer of these—especially ones of uncertain provenance—that you install, the less likely your site will be subjected to common plugin vulnerabilities that bad actors are scanning for.  As above, keeping them up to date also helps!

Use Strong Authentication

Strong passwords are essential for WordPress security. This ensures any automated system trying to guess its way into your admin account has to work for it.  These should ideally be long and complex to present a significant entropy barrier to brute force attacks.  Chrome’s password utility is an easy way to generate such passwords.

Consider implementing two-factor authentication (2FA) for an additional layer of security and using passkey authentication or physical security tokens for even more. WP-WebAuthn supports U2F and Passkey authentications, while the Two Factor Authentication plugin provides a more old-school TOTP option compatible with apps like Google Authenticator.

Limit Administrator Accounts

You can use the Editor role for users who only need to edit content and not perform administrative tasks in the WordPress backend.

The damage an Editor can do if their account becomes compromised due to user carelessness with credentials is far less than a compromised Administrator could do to an installation.  While an editor can wipe an article’s contents, that is easy to recover.  A bad actor administrator could add new plugins, install a new theme, make a site serve malware, and put it in maintenance mode!

If you’re in need of assistance with WordPress site security, please contact us.


Explore more posts in the Hark blog –>

Want to learn more about how Hark can help?