9 Free Must Do Ways To Secure Your WordPress Site

Introduction

Keeping your WordPress site secure is essential to protect your content, your users’ data and the site itself. This article covers nine essential steps that enhance your site’s security for free.

1. Enable Automatic Updates

Stay ahead of security threats by keeping your WordPress core, themes, and plugins up to date. It sounds easy, and it almost always is.

Outdated plugins, themes and WordPress versions are one of the leading causes of sites getting hacked!

Automatic updates are built into WordPress and keep you on the latest versions, which often include critical security patches. For plugins, click ‘Enable auto-updates’ beside each one on the Plugins screen of the ‘wp-admin’ dashboard; for themes, the same link is in each theme’s details under Appearance > Themes. For WordPress core, go to Dashboard > Updates and click ‘Enable automatic updates for all new versions of WordPress’ (minor security releases are installed automatically by default; this opts you in to major releases as well).

Be aware that the per-item setting only covers what is already installed: you will need to enable it again for each new plugin and theme you install.

WordPress Updates Admin Menu
Picture showing how to enable automatic updates for a WordPress theme
Picture showing how to enable automatic updates for a WordPress plugin
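If you would rather not remember to flick the switch for every new install, the same thing can be enforced in code. The must-use plugin below is an added example for this article, not something from the original post: dropped into wp-content/mu-plugins/, it enables automatic updates for every plugin and theme (including ones installed later), opts core into major releases, and keeps an exclusion list for anything you prefer to update by hand. The file name and the excluded slug are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Force automatic updates
 * Description: Example mu-plugin added for this article (not from the original post).
 * Place this file at wp-content/mu-plugins/force-auto-updates.php; WordPress loads
 * everything in that directory without activation, so it cannot be switched off from wp-admin.
 */

// Assumption for illustration: slugs listed here are left to manual updating, e.g. a plugin
// whose major releases need a change review before they go live.
const EXAMPLE_AUTO_UPDATE_EXCLUDE = [ 'woocommerce' ];

/**
 * Decide per item whether WordPress may auto-update it.
 * $item is the object from the update transient: plugins carry ->slug (and ->plugin, the
 * file path), themes carry ->theme (the stylesheet directory, which is the slug).
 */
function example_auto_update_item( $update, $item ) {
    $slug = $item->slug ?? $item->theme ?? '';
    if ( in_array( $slug, EXAMPLE_AUTO_UPDATE_EXCLUDE, true ) ) {
        return false; // keep manual control of this one
    }
    return true;      // everything else, including plugins and themes installed after today
}
add_filter( 'auto_update_plugin', 'example_auto_update_item', 10, 2 );
add_filter( 'auto_update_theme', 'example_auto_update_item', 10, 2 );

// Core: minor (security) releases are on by default; opt in to major releases as well,
// which is what the 'Enable automatic updates for all new versions of WordPress' link does.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
```

Because the filters run after WordPress has consulted the per-item toggles, returning true here wins regardless of what the dashboard shows, so the caveat about newly installed plugins and themes disappears. Keep the exclusion list short: every entry is code you are committing to patch by hand.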

2. Remove Unneeded Plugins & Themes

Deleting unneeded plugins and themes is a crucial step in maintaining the security and performance of your WordPress site. Attackers can’t exploit vulnerabilities in code you don’t have!
Every plugin and theme installed on your site adds potential entry points for attackers, especially if it is outdated or poorly coded.

Even if they’re deactivated, they can still pose a risk: their files remain on the server under wp-content, many vulnerabilities sit in files that can be requested directly, so the plugin does not need to be active for the flaw to be reachable, and deactivated code is exactly the code you forget to update. By removing plugins and themes that you’re not actively using, you reduce the attack surface and make it easier to keep the essential ones patched. A leaner site also often performs better, as there are fewer resources to load, giving faster page load times and a smoother user experience.

Unused plugins and themes can be deleted through the WordPress admin dashboard. Keep one current default theme installed alongside your active theme, as WordPress falls back to it if the active theme breaks.

Picture showing how to delete WordPress plugin
Picture showing how to delete WordPress theme

3. Protect Comments with Antispam Bee

Don’t let spam comments clutter your site and ruin its reputation. Antispam Bee is a free and effective WordPress plugin that protects your site from spam comments without the need for captchas.

It offers various configuration options to customise its behaviour to your needs, such as blocking comments from specific countries, but it works well out of the box.

We use it on almost all our sites and frequently see it blocking tens of thousands of comments with almost perfect accuracy.

Graph showing the number of received spam comments blocked by the Antispam Bee WordPress plugin

4. Secure Your Contact Forms With reCaptcha

Contact forms are frequently targeted by bots and automated spam scripts. Integrating reCAPTCHA into your contact forms can significantly reduce spam and help prevent your host suspending your site for sending spam. Many popular contact form plugins, such as Contact Form 7 and WPForms, offer easy integration with reCAPTCHA.

5. Disable XML-RPC

XML-RPC is a legacy WordPress feature that allows remote management of your site. A few things still rely on it (Jetpack and the WordPress mobile apps, for example), but it is also a common target: its system.multicall method lets an attacker try hundreds of username and password pairs in a single request, which sidesteps per-request login rate limiting, and its pingback.ping method can be abused to make your server send requests at third parties. If nothing you use needs XML-RPC, disable it.

You can follow our guide What is XML-RPC and Should It Be Blocked? which outlines this feature and how to edit your site’s .htaccess file to disable it.

To test whether your site still has XML-RPC enabled, you can use the free XML-RPC Tester.

Picture of the IPtools.net.au XML-RPC tester being used to see if XML-RPC is active on a site
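Blocking xmlrpc.php in .htaccess only works where the web server honours .htaccess (Apache and LiteSpeed); on Nginx, or on a host that ignores the file, the same result can be had from inside WordPress. The must-use plugin below is an added example for this article, not code from the original post or the linked guide: it refuses authenticated methods, unregisters the pingback methods, stops the site advertising the endpoint, and answers any direct request to xmlrpc.php with a 403. The file name is an assumption.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC
 * Description: Example mu-plugin added for this article (not from the original post).
 * Place at wp-content/mu-plugins/disable-xmlrpc.php.
 */

// 1. Refuse every method that needs a login (wp.*, blogger.*, metaWeblog.*), which is what
//    password-guessing bots call, including batches wrapped in system.multicall.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. The filter above leaves unauthenticated methods registered. Pingbacks are abused to
//    make your server request arbitrary URLs, so unregister them too.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: no X-Pingback response header and no RSD <link> in <head>.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Belt and braces: xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so by the
//    time 'init' fires we know this is an XML-RPC request and can end it with a 403 before
//    the server object is even built. This also covers system.listMethods, which the
//    filters above would still answer.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        header( 'Content-Type: text/plain; charset=utf-8' );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

After installing it, a request such as `curl -s -o /dev/null -w '%{http_code}' -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' https://example.com/xmlrpc.php` (example.com standing in for your domain) should print 403 instead of returning a method list, and the XML-RPC Tester above should report the endpoint as inactive. Steps 1 to 3 are kept even though step 4 makes them redundant, so that the site stays protected if another plugin ever removes the init hook.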

6. Consider Using Cloudflare

One of the smartest ways to secure your site is to put it behind Cloudflare’s free web application firewall (WAF). This works by routing all traffic to your site through Cloudflare first, instead of exposing your server directly to the internet.

The Cloudflare WAF is designed to block malicious traffic before it reaches your server, shielding your site from SQL injection, cross-site scripting (XSS), denial of service (DoS) attacks and other common attacks. Additionally, Cloudflare’s global content delivery network (CDN) keeps your site fast and responsive for visitors wherever they are in the world. The protection only holds if attackers cannot reach your origin directly, so once the site is on the proxy, restrict inbound web traffic at the host or firewall to Cloudflare’s published IP ranges.

We use Cloudflare on many of our sites and see the platform block a significant number of automated attacks every day.

Cloudflare graph showing the number of threats received against a website and from what country

7. Update Your PHP Version

Running a current version of PHP ensures that your site benefits from the latest security patches and performance improvements. Each PHP release only receives security fixes for a limited time, so a site on an end-of-life version keeps running with known, unpatched bugs.

Many hosting providers offer an easy way to change your PHP version through their control panel. Check with your host and move to the latest stable version that your theme and plugins support (test on a staging copy first if you can) to keep your site secure and fast.

PHP Selector within Cloudlinux

8. Install Wordfence & Enable 2FA

Wordfence is a powerful security plugin that provides robust protection against malware, hacks and other security threats. It comes with a built-in firewall, a malware scanner and a real-time threat database.

In addition to these standard measures, Wordfence also offers two-factor authentication (2FA). Enabling 2FA adds an extra layer of security by requiring a second form of verification, a time-based code from an authenticator app on your phone, before you can log in.

This significantly reduces the chances of unauthorised access, even if someone manages to get hold of your password. Enable it for every administrator account, not just your own. With Wordfence and 2FA in place, you are taking significant steps to safeguard your site against potential threats. Wordfence comes in both a very capable free version and a paid version with further protection.

Wordfence Plugins to be installed in WordPress

9. Check Your Backups Are Working

Regular backups are essential to recover your site after a security breach or data loss.

We recommend checking every few months that backups are still running and that you can actually restore from one. It is sadly not uncommon to discover that backups stopped working long ago, for any number of reasons, only after the event.

Do not rely solely on your hosting provider for backups; take your own and keep them somewhere other than the web server. Many free plugins, such as UpdraftPlus, offer reliable backups of your site to services such as Dropbox or to an FTP storage location.

cPanel full backup page
Acronis Backup showing a list of available backups
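A restore drill is the real test, but a small freshness and integrity check run from cron catches the most common failure, which is backups silently stopping. The script below is an added example for this article, not code from the original post or from UpdraftPlus. It assumes, for illustration, that each backup run produces one .tar.gz archive in a local directory and that the archive contains a .sql database dump; adjust the directory and the pattern to whatever your backup tool actually writes. It needs PHP 7.4 or newer and the gzip and tar commands.

```php
<?php
/**
 * check-backup.php: example freshness and integrity check for backup archives.
 * Added for this article. Assumptions: one *.tar.gz per backup run in $dir, containing
 * a *.sql database dump. Run from cron: php check-backup.php /path/to/backups
 */

// Return the most recently modified .tar.gz in $dir, or null if there are none.
function newest_backup( string $dir ): ?string {
    $files = glob( rtrim( $dir, '/' ) . '/*.tar.gz' );
    if ( ! $files ) {
        return null;
    }
    usort( $files, fn( $a, $b ) => filemtime( $b ) <=> filemtime( $a ) );
    return $files[0];
}

// gzip -t reads the whole stream and verifies the CRC, so a truncated or corrupt archive fails here.
function archive_is_intact( string $path ): bool {
    exec( 'gzip -t ' . escapeshellarg( $path ) . ' 2>/dev/null', $out, $rc );
    return $rc === 0;
}

// List the archive and confirm a database dump is actually inside it.
function archive_has_sql_dump( string $path ): bool {
    exec( 'tar -tzf ' . escapeshellarg( $path ) . ' 2>/dev/null', $listing, $rc );
    return $rc === 0 && count( preg_grep( '/\.sql(\.gz)?$/', $listing ) ) > 0;
}

/**
 * Run every check and return ['ok' => bool, 'file' => ?string, 'problems' => string[]].
 * Thresholds are assumptions: a daily backup should never be older than 36 hours, and a
 * real site archive is never tiny.
 */
function check_backup( string $dir, int $max_age_hours = 36, int $min_bytes = 1024 * 1024 ): array {
    $file = newest_backup( $dir );
    if ( $file === null ) {
        return [ 'ok' => false, 'file' => null, 'problems' => [ "no .tar.gz archives found in $dir" ] ];
    }
    $problems  = [];
    $age_hours = ( time() - filemtime( $file ) ) / 3600;
    if ( $age_hours > $max_age_hours ) {
        $problems[] = sprintf( 'newest archive is %.0f hours old (limit %d)', $age_hours, $max_age_hours );
    }
    if ( filesize( $file ) < $min_bytes ) {
        $problems[] = sprintf( 'archive is only %d bytes, which is suspiciously small', filesize( $file ) );
    }
    if ( ! archive_is_intact( $file ) ) {
        $problems[] = 'gzip stream is corrupt or truncated';
    } elseif ( ! archive_has_sql_dump( $file ) ) {
        $problems[] = 'archive contains no .sql database dump';
    }
    return [ 'ok' => ! $problems, 'file' => $file, 'problems' => $problems ];
}

if ( PHP_SAPI === 'cli' ) {
    $result = check_backup( $argv[1] ?? 'backups' );
    echo $result['ok']
        ? "OK: {$result['file']}\n"
        : 'FAIL: ' . implode( '; ', $result['problems'] ) . "\n";
    exit( $result['ok'] ? 0 : 1 ); // non-zero exit lets cron or a monitor alert you
}
```

A non-zero exit from cron is enough for most monitoring to raise an alert. The check proves the archive is present, recent and readable, not that it restores cleanly, so every few months still restore the newest backup onto a staging site and log in to it.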

Conclusion

To wrap up, securing your WordPress site doesn’t have to be complicated or costly. By following these nine simple steps, you can significantly reduce the risk of the most common threats.

What techniques do you find work best? Let us know in the comments below.
