Ultimate Guide to the 60 Best Security Resources for WordPress

Ultimate Guide to the 60 Best Security Resources for WordPress

WordPress security. Oh boy, you just can’t get enough, can you? Luckily, today isn’t about teaching you something new about WordPress security. We already know what the platform’s weaknesses are and how to protect our sites from outside threats.

Nope, today’s guide is going to delve into the 60 best security resources for WordPress. You can read through all of them today or you can bookmark and have them at the ready when you do need to brush up on proper WordPress security protocols. You should always be looking for ways to enhance the security of your WordPress site–especially as new insecurities and threats become known–and this guide will keep you well-informed.

Remember: WordPress security is never a one-and-done kind of thing. While I’d love to tell you that a solid security plugin like Defender is all you need to keep malware, spammers, and other bad guys off your site, it just isn’t enough. It’s an essential piece in your security strategy, but it can’t be the only one.

Stock up on these resources now and keep yourself attuned to the latest and greatest news on WordPress security, so you’re never in the dark on the most recent threats that could potentially be making their way towards your site.

60 Best Resources to Harden and Secure Your WordPress Site

As you know, security can’t just be handled with one clear and well-defined approach. There are just too many ways your WordPress site could possibly be infected, hacked, or otherwise compromised.

That’s why I’ve broken the following guide down into the different types of resources you may find useful. I’ll start by tackling resources that discuss WordPress insecurities more generally and then delve a bit into how to take a granular approach by targeting plugins, themes, etc. I’m also including not just articles and guides, but step-by-step tutorials, as well as influencers who focus on WordPress security.

WordPress Security Guides You Absolutely Need to Use

Let’s start by looking at WordPress and general web security guides you need to know inside and out. These resources come from trusted web authorities like Google and WordPress, so there’s no conjecture here. These are the security facts and you need to know them.

  • WordPress Codex: Hardening WordPress: This super comprehensive article from WordPress deals with all things security. It covers why security matters, where you need to focus your efforts both inside and outside WordPress, and how to harden your system with code and third-party tools.
  • OWASP WP Security Implementation Guideline: The Open Web Application Security Project actually serves as a reference point for WordPress security. They look to OWASP for information on security best practices as well as where the biggest threats to the CMS are coming from at any given time. This guide provides a good overview of this information.
  • Google Web Fundamentals: Security: Of course, Google is going to view security from a browser standpoint, which means their main focus is on encrypting. This information hub will provide you with everything you need to know about HTTPS.
  • Mozilla Wiki: Security/Guidelines/Web Security: If you want to see how browsers like Mozilla tackle security (and you should), you can reference this web security guide. There’s also a very handy checklist at the top of the page that breaks down what types of security protocols you must have and ones you can probably skimp on.

Best Articles and Roundups About WordPress Security

WordPress security guides are great because they give you the essentials you need to lay down a super-secure base for your website. Articles and roundups, however, take those security guidelines and frame them in a more practical and recognizable setting. So, if you want quick advice on how to harden your WordPress site’s security or a more in-depth understanding of particularly problematic areas within WordPress, check these roundups first.

  • Is WordPress Secure?: If you’ve ever wondered about security at the WordPress core level, then you need to read this article. It talks about The WordPress Project and how they maintain security for the CMS.
  • The Ultimate Guide to WordPress Security: Is this the end-all, be-all guide to WordPress security? It may very well be if you want a better understanding of the platform’s weaknesses and learn some methods for hard-coding security into it.
  • How to Secure Your WordPress Website: This is a super simple guide to securing WordPress. It breaks it down into ten easy-to-follow steps, with an extra emphasis on what you can do at the hosting level to make your site extra safe.
  • The Ultimate Security Guide for Your WordPress Site in 2017: Rather than focus on recommending specific tools you can use to harden security in WordPress, this article takes a crack at the high-level practices you need to implement. That makes this security guide a good reference when you want to quickly verify that you’ve covered your bases.
  • Beefing Up WordPress Security – A Complete Guide to Securing WordPress Sites: This is a great guide for implementers, web designers, WordPress project managers, business owners, and basically anyone who isn’t a skilled programmer. It teaches WordPress security best practices and provides firm recommendations for plugins that can be used for each.
  • Fortifying Security in WordPress: In this two-part series, you’ll first learn how to secure your site’s files on the backend (through .htaccess). The second part then delves into plugins that will support your security efforts.
  • The Definitive Guide to WordPress Security: The best thing about this WordPress security article is that it doesn’t just touch on the usual “secure your host” and “secure your WordPress backend”, it also makes suggestions on how to protect your site from a personal standpoint. This refers to things like using an antivirus and antimalware on your computer, using two-factor authentication in email, etc.
  • 5 Common WordPress Security Issues: Although there are tips presented in this article to help you protect your WordPress sites, the real value lies in the types of vulnerabilities you’ll most commonly run into. Memorize these as they’ll come back time and time again.
  • How to Run a Security Scan on Your WordPress Site: General security guides and tips are great for when you want to troubleshoot what could potentially go wrong with your site. But for when you want to know what actually is wrong and putting your site at risk, you need a security scanner to conduct the assessment for you.
  • A History of WordPress Security Exploits and What They Mean: Think of this like a collection of horror stories for the WordPress developer. Trust me, after reading about these documented WordPress vulnerabilities, you’ll never want to leave your site unattended or unprotected again.
  • The Dangers of Cross-Site Contamination and How to Prevent It: There may be times when a security breach on one website actually had nothing to do with a poorly secured host, database, or plugins. If your website resides on Multisite or on a shared host, you need to know about this potential security risk caused by other websites.
  • A Comprehensive Guide to Editing .htaccess for WordPress Security: A lot of power resides within the .htaccess file. Let it fall into the wrong hands, and your WordPress website is toast.
  • How to Use SSL and HTTPS with WordPress: SSL certificates really aren’t optional for websites anymore, thanks to Google’s initiatives to create a more secure web and penalizing websites that won’t play along. Here is everything you need to know about SSL and HTTPS.
  • Google Safety Center: Although this is for all online users (not just people building websites), there are good tips here for how to secure accounts and passwords better.

Best Step-by-Step WordPress Security Guides and Tutorials

Sometimes what you want isn’t so much a better understanding of why WordPress might be insecure or where to look for those weak spots. Sometimes what you want is a practical and actionable guide that instructs you on how to mend your site’s vulnerabilities. The following WordPress security checklists, step-by-step guides, and tutorials cover a variety of security lockdown processes you’ll eventually find a need for in your WordPress development work.

Best WordPress Security Plugin Roundups

In Sucuri’s Hacked Website Report from Q3 of 2016, they called special attention to WordPress plugins since they’re known as one of the leading sources of infections. That said, WordPress plugins can be incredibly useful in fending off malicious attacks. It’s simply a matter of finding plugins that have been well-built and will do as promised. Here are some of the best security plugin roundups.

Best WordPress Theme Security Guides

Plugins aren’t the only third-party extension often found responsible for introducing security problems into a WordPress site. Poorly coded themes and those left un-updated can also wreak havoc. That’s why you should always have at least one of these WordPress theme security guides on hand.

Best WordPress Security Experts to Follow

While most of the people who created the security content mentioned above will work to keep their guides updated, nothing beats getting up-to-the-minute news. If you’re looking for an easy way to stay up on the latest in WordPress security, you can subscribe to these blogs or follow the Twitter users mentioned below. Security is a primary focus for each of them, so you’ll be in good hands.

  • WordPress Security News: WordPress provides a running log here of all the latest security and maintenance releases, what they discovered, and what the patches were.
  • Open Web Application Security Project (OWASP): OWASP is a great resource in general when it comes to WordPress security. If you’re curious to know the latest and greatest though, be sure to check out their Top 10 list.
  • WPMU DEV Blog: You should have at least one blog you follow regularly for news on all things WordPress. WPMU DEV, in general, takes a keen interest in security, so this is a good one to bookmark and add to your RSS feed, newsletter list, and Twitter so you can keep attuned to all of the latest.
  • Sucuri Blog: WordPress Security: Sucuri is a good one to keep a close eye on since they seem to know all the dirty details about which plugins are misbehaving and can spot major WordPress vulnerabilities from a mile away.
  • Wordfence Blog: Wordfence is another one focused on delivering the not-so-positive news about WordPress security. It’s definitely much appreciated though as they seem to have in-depth knowledge and insights into up-to-the-minute vulnerabilities and attacks.
  • Kinsta Blog: Because Kinsta is a managed WordPress services provider, you’re going to find that their blog takes a special interest in WordPress security.
  • SiteGuarding Blog: This professional web security services provider is obviously going to have a laser-sharp focus on security when it comes to their blog content. However, they’re not strictly looking at WordPress, though, so if you happen to develop sites in Joomla, Drupal, and other CMS, you might find this resources especially helpful.
  • WP Fix It Blog: These guys blog regularly about security and the posts aren’t always what you’d expect to find. Take, for instance, “What to Expect While Your Infected Website Gets Cleaned”.
  • Aaron D. Campbell Blog: Aaron D. Campbell is one of the leads on the WordPress security team, so… yeah. You need to follow this blog.
  • @WordPress: Even if you subscribe to WordPress news and pay attention to every minor release that comes out, the Twitter page is also a super helpful resource in staying up on the latest security news.
  • @vaultpress: VaultPress shares security news from all around the web on their Twitter page. This is a great feed to tap into if you want easy access to relevant and helpful news about security.
  • @Michele_Butcher: Michele Butcher-Jones works for WP Rocket, a WordPress caching plugin developer, so you know she’s going to be obsessed with performance. If you look at her Twitter feed though, you’ll find she has an interest in security as well as she retweets really awesome content from others on a regular basis.
  • @wpsitecare: If you prefer straight-to-the-point and practical tips on how to secure and overall improve your WordPress website, you should follow WP Site Care on Twitter.

Wrapping Up

A security threat could come from a plugin you believed to be completely harmless or a seemingly innocent comment left on your blog. It could also come from a direct brute force attack against your site’s wp-admin area. With so many different methods of attack, your best bet in fending them off is to stay well-informed. Security will be a never-ending struggle for web developers, so bookmark this guide to make it just a little bit easier on yourself going forward.

Over to you: What’s the worst security breach you’ve experienced on one of your sites and how did you handle it?
Brenda Barron
Brenda Barron Brenda Barron is a freelance writer from Southern California. She specializes in WordPress, tech, business and founded WP Theme Roundups. When not writing all the things, she's spending time with her family.