Ultimate Guide to the 60 Best Security Resources for WordPress

WordPress security. Oh boy, you just can’t get enough, can you? Luckily, today isn’t about teaching you something new about WordPress security. We already know what the platform’s weaknesses are and how to protect our sites from outside threats.

Nope, today’s guide is going to delve into the 60 best security resources for WordPress. You can read through all of them today or you can bookmark and have them at the ready when you do need to brush up on proper WordPress security protocols. You should always be looking for ways to enhance the security of your WordPress site–especially as new insecurities and threats become known–and this guide will keep you well-informed.

Remember: WordPress security is never a one-and-done kind of thing. While I’d love to tell you that a solid security plugin like Defender is all you need to keep malware, spammers, and other bad guys off your site, it just isn’t enough. It’s an essential piece in your security strategy, but it can’t be the only one.

Stock up on these resources now and keep yourself attuned to the latest and greatest news on WordPress security, so you’re never in the dark on the most recent threats that could potentially be making their way towards your site.

60 Best Resources to Harden and Secure Your WordPress Site

As you know, security can’t just be handled with one clear and well-defined approach. There are just too many ways your WordPress site could possibly be infected, hacked, or otherwise compromised.

That’s why I’ve broken the following guide down into the different types of resources you may find useful. I’ll start by tackling resources that discuss WordPress insecurities more generally and then delve a bit into how to take a granular approach by targeting plugins, themes, etc. I’m also including not just articles and guides, but step-by-step tutorials, as well as influencers who focus on WordPress security.

WordPress Security Guides You Absolutely Need to Use

Let’s start by looking at WordPress and general web security guides you need to know inside and out. These resources come from trusted web authorities like Google and WordPress, so there’s no conjecture here. These are the security facts and you need to know them.

• WordPress Codex: Hardening WordPress: This super comprehensive article from WordPress deals with all things security. It covers why security matters, where you need to focus your efforts both inside and outside WordPress, and how to harden your system with code and third-party tools.
• OWASP WP Security Implementation Guideline: The Open Web Application Security Project actually serves as a reference point for WordPress security. They look to OWASP for information on security best practices as well as where the biggest threats to the CMS are coming from at any given time. This guide provides a good overview of this information.
• Google Web Fundamentals: Security: Of course, Google is going to view security from a browser standpoint, which means their main focus is on encrypting. This information hub will provide you with everything you need to know about HTTPS.
• Mozilla Wiki: Security/Guidelines/Web Security: If you want to see how browsers like Mozilla tackle security (and you should), you can reference this web security guide. There’s also a very handy checklist at the top of the page that breaks down what types of security protocols you must have and ones you can probably skimp on.

Best Articles and Roundups About WordPress Security

WordPress security guides are great because they give you the essentials you need to lay down a super-secure base for your website. Articles and roundups, however, take those security guidelines and frame them in a more practical and recognizable setting. So, if you want quick advice on how to harden your WordPress site’s security or a more in-depth understanding of particularly problematic areas within WordPress, check these roundups first.

• Is WordPress Secure?: If you’ve ever wondered about security at the WordPress core level, then you need to read this article. It talks about The WordPress Project and how they maintain security for the CMS.
• The Ultimate Guide to WordPress Security: Is this the end-all, be-all guide to WordPress security? It may very well be if you want a better understanding of the platform’s weaknesses and learn some methods for hard-coding security into it.
• How to Secure Your WordPress Website: This is a super simple guide to securing WordPress. It breaks it down into ten easy-to-follow steps, with an extra emphasis on what you can do at the hosting level to make your site extra safe.
• The Ultimate Security Guide for Your WordPress Site in 2017: Rather than focus on recommending specific tools you can use to harden security in WordPress, this article takes a crack at the high-level practices you need to implement. That makes this security guide a good reference when you want to quickly verify that you’ve covered your bases.
• Beefing Up WordPress Security – A Complete Guide to Securing WordPress Sites: This is a great guide for implementers, web designers, WordPress project managers, business owners, and basically anyone who isn’t a skilled programmer. It teaches WordPress security best practices and provides firm recommendations for plugins that can be used for each.
• Fortifying Security in WordPress: In this two-part series, you’ll first learn how to secure your site’s files on the backend (through .htaccess). The second part then delves into plugins that will support your security efforts.
• The Definitive Guide to WordPress Security: The best thing about this WordPress security article is that it doesn’t just touch on the usual “secure your host” and “secure your WordPress backend”, it also makes suggestions on how to protect your site from a personal standpoint. This refers to things like using an antivirus and antimalware on your computer, using two-factor authentication in email, etc.
• 5 Common WordPress Security Issues: Although there are tips presented in this article to help you protect your WordPress sites, the real value lies in the types of vulnerabilities you’ll most commonly run into. Memorize these as they’ll come back time and time again.
• How to Run a Security Scan on Your WordPress Site: General security guides and tips are great for when you want to troubleshoot what could potentially go wrong with your site. But for when you want to know what actually is wrong and putting your site at risk, you need a security scanner to conduct the assessment for you.
• A History of WordPress Security Exploits and What They Mean: Think of this like a collection of horror stories for the WordPress developer. Trust me, after reading about these documented WordPress vulnerabilities, you’ll never want to leave your site unattended or unprotected again.
• The Dangers of Cross-Site Contamination and How to Prevent It: There may be times when a security breach on one website actually had nothing to do with a poorly secured host, database, or plugins. If your website resides on Multisite or on a shared host, you need to know about this potential security risk caused by other websites.
• A Comprehensive Guide to Editing .htaccess for WordPress Security: A lot of power resides within the .htaccess file. Let it fall into the wrong hands, and your WordPress website is toast.
• How to Use SSL and HTTPS with WordPress: SSL certificates really aren’t optional for websites anymore, thanks to Google’s initiatives to create a more secure web and penalizing websites that won’t play along. Here is everything you need to know about SSL and HTTPS.
• Google Safety Center: Although this is for all online users (not just people building websites), there are good tips here for how to secure accounts and passwords better.

Best Step-by-Step WordPress Security Guides and Tutorials

Sometimes what you want isn’t so much a better understanding of why WordPress might be insecure or where to look for those weak spots. Sometimes what you want is a practical and actionable guide that instructs you on how to mend your site’s vulnerabilities. The following WordPress security checklists, step-by-step guides, and tutorials cover a variety of security lockdown processes you’ll eventually find a need for in your WordPress development work.

• Wordfence: The WordPress Security Learning Center: Looking for basic and easy-to-follow pointers on WordPress security? Wordfence has a ton of tutorials available.
• WordPress Security For Beginners: Beginner guides are always a good place to turn to if you’re just starting out. These step-by-step tutorials include a plentitude of screenshots to walk you through different WordPress security processes.
• WordPress Security Tutorial: Learn How to Improve the Security of Your WordPress Website: There are actually three security tutorials within this SiteGround section of resources: one for basic security, one for spam protection, and one for changing the admin username.
• The Ultimate Step by Step Guide to WordPress Security: If you’d prefer hands-on training that takes you through all the steps needed to secure a WordPress site, then start with this course from Udemy.
• WordPress Security: The Ultimate 32-Step Checklist: One of the tough things about WordPress security is that there are so many steps to keep track of. This well-laid-out checklist will change that.
• WordPress Security – 19+ Steps to Lock Down Your Site: Kinsta’s security checklist is beyond comprehensive. Not only does it include the usual tips (i.e. use a plugin, hide your WordPress version), but it also includes more specific and helpful ones like how to prevent hotlinking and adding an HTTPS security header.
• WordPress Security – Complete 17-Step Guide: This is a really well-organized and descriptive checklist for WordPress security. They’ve also simplified much of what has to be done so you shouldn’t have problems following along.
• The WordPress Security Learning Center: Checklist – How to Secure Your WordPress Site: Don’t have time to read an entire article? Or maybe you’re already fluent in WordPress security, but still want a little handholding? Wordfence has created a simple checklist you can use here.
• 15 Ways to Harden the Security of Your WordPress Site: WP Engine has provided a good checklist of security tips here. The main difference between this and many of the others you’ll find on the list? There’s much more of a reliance on tools than on coding if that’s what you prefer.
• 20 Simple Tricks to Secure Your WordPress Website in 2017: Want a super organized step-by-step guide to securing your site through different access points? Refer to this CodeinWP article then.
• 12 Ways to Secure Your WordPress Site You’ve Overlooked: If the checklists above have got you to a good place with your site, but you’re still not quite feeling like you’ve done everything you could, it’s probably because you haven’t. Check out these 12 often-overlooked ways your site might need further hardening.
• Google Search Console Help: Secure your site with HTTPS: Switching to HTTPS isn’t as simple as buying or downloading an SSL certificate. Use this Google checklist to move you through all necessary steps.
• Google Search Webmasters: Hacked Sites: Curious as to how to spot the signs your site has been hacked? Google provides some of them here along with an easy-to-follow checklist to quickly repair it.
• WPShout Blog: While WPShout does provide tutorials on a number of WordPress-related topics, much of what they teach on this blog has to do with security. So, if you’ve read one of the guides above and just aren’t sure how to execute one of those fixes or security protocols, there’s a good chance they’ve covered it here.

Best WordPress Security Plugin Roundups

In Sucuri’s Hacked Website Report from Q3 of 2016, they called special attention to WordPress plugins since they’re known as one of the leading sources of infections. That said, WordPress plugins can be incredibly useful in fending off malicious attacks. It’s simply a matter of finding plugins that have been well-built and will do as promised. Here are some of the best security plugin roundups.

• 7 Best WordPress Security Plugins: Straightforward and to the point: InfoSec’s picks for the best of the best security plugins.
• Top 10 Essential WordPress Security Plugins: If cost is a concern or you’re trying to secure a smaller site that doesn’t need as robust of a security solution as a premium plugin would offer, check out these free security plugins from the WordPress repository.
• 13 of the Best Security Plugins to Keep Your WordPress Site Safe: The plugins recommended here aren’t just your typical all-in-one solution. You have ones that specifically work to secure the login, ones that back up your site, and ones that add extra layers of encryption.
• The Best WordPress Security Plugins and Services (Both Free and Premium) 2017: This is an interesting mix of security plugins, both free and premium. Take a look at these if you’re curious to see what sort of easy-to-use plugins exist outside of the usual recommendations.
• A Collection of the Best Security Plugins: This is a fairly short list of security plugins, but that’s because the descriptions and reviews of each go more in-depth than what you’ll find in most of these roundups. If you want details on the main features, then this one is for you.
• 6 Best WordPress Firewall Plugins (2019): A firewall is an important part of WordPress security, which is why WPBlog has created this separate roundup of firewall plugins. Many of these also happen to include a CDN, so you’ll get improved performance as a bonus side effect.
• 11 Free Quality Backup Plugins for Protecting WordPress: The first step in securing a website? Preserving a backup copy. The final step in securing a website? Restoring your site to a previously saved version. You can’t do either of those without a backup plugin.
• 7 Best WordPress Backup Plugins Compared (Pros and Cons): Want more suggestions on the best WordPress backup plugins to use and our take on which are the best? Check this out.
• The 5 Best Backup and Restore Plugins to Keep Your WordPress Site Safe: This is a simple guide to backup-and-restore plugins. There’s also a short section at the end that mentions an easy-to-follow strategy for backup.

Best WordPress Theme Security Guides

Plugins aren’t the only third-party extension often found responsible for introducing security problems into a WordPress site. Poorly coded themes and those left un-updated can also wreak havoc. That’s why you should always have at least one of these WordPress theme security guides on hand.

• How to Find the Best (and Most) Trustworthy WordPress Themes: Do you know how to identify a trustworthy and secure WordPress theme? Is there even such a thing? Find out here.
• WordPress Theme Safety – How to Ensure the Theme You Are Using Is Secure: This guide to WordPress theme safety also includes a shortlist of tools you can use to verify the security of them. Very helpful if you’re not sure you can trust the data and reviews left in the WordPress repository.
• How to Make Sure You Pick a Secure WordPress Theme: If you’re curious about which sites you can rely on to find secure WordPress themes, ThemeIsle has some good suggestions.

Best WordPress Security Experts to Follow

While most of the people who created the security content mentioned above will work to keep their guides updated, nothing beats getting up-to-the-minute news. If you’re looking for an easy way to stay up on the latest in WordPress security, you can subscribe to these blogs or follow the Twitter users mentioned below. Security is a primary focus for each of them, so you’ll be in good hands.

• WordPress Security News: WordPress provides a running log here of all the latest security and maintenance releases, what they discovered, and what the patches were.
• Open Web Application Security Project (OWASP): OWASP is a great resource in general when it comes to WordPress security. If you’re curious to know the latest and greatest though, be sure to check out their Top 10 list.
• WPMU DEV Blog: You should have at least one blog you follow regularly for news on all things WordPress. WPMU DEV, in general, takes a keen interest in security, so this is a good one to bookmark and add to your RSS feed, newsletter list, and Twitter so you can keep attuned to all of the latest.
• Sucuri Blog: WordPress Security: Sucuri is a good one to keep a close eye on since they seem to know all the dirty details about which plugins are misbehaving and can spot major WordPress vulnerabilities from a mile away.
• Wordfence Blog: Wordfence is another one focused on delivering the not-so-positive news about WordPress security. It’s definitely much appreciated though as they seem to have in-depth knowledge and insights into up-to-the-minute vulnerabilities and attacks.
• Kinsta Blog: Because Kinsta is a managed WordPress services provider, you’re going to find that their blog takes a special interest in WordPress security.
• SiteGuarding Blog: This professional web security services provider is obviously going to have a laser-sharp focus on security when it comes to their blog content. However, they’re not strictly looking at WordPress, though, so if you happen to develop sites in Joomla, Drupal, and other CMS, you might find this resources especially helpful.
• WP Fix It Blog: These guys blog regularly about security and the posts aren’t always what you’d expect to find. Take, for instance, “What to Expect While Your Infected Website Gets Cleaned”.
• Aaron D. Campbell Blog: Aaron D. Campbell is one of the leads on the WordPress security team, so… yeah. You need to follow this blog.
• @WordPress: Even if you subscribe to WordPress news and pay attention to every minor release that comes out, the Twitter page is also a super helpful resource in staying up on the latest security news.
• @vaultpress: VaultPress shares security news from all around the web on their Twitter page. This is a great feed to tap into if you want easy access to relevant and helpful news about security.
• @Michele_Butcher: Michele Butcher-Jones works for WP Rocket, a WordPress caching plugin developer, so you know she’s going to be obsessed with performance. If you look at her Twitter feed though, you’ll find she has an interest in security as well as she retweets really awesome content from others on a regular basis.
• @wpsitecare: If you prefer straight-to-the-point and practical tips on how to secure and overall improve your WordPress website, you should follow WP Site Care on Twitter.

Wrapping Up

A security threat could come from a plugin you believed to be completely harmless or a seemingly innocent comment left on your blog. It could also come from a direct brute force attack against your site’s wp-admin area. With so many different methods of attack, your best bet in fending them off is to stay well-informed. Security will be a never-ending struggle for web developers, so bookmark this guide to make it just a little bit easier on yourself going forward.