An Overview of WordPress Security

An Overview of WordPress Security

As one of the most popular website platforms, WordPress gets a lot of attention. Unfortunately, sometimes this attention is from malicious users looking to hack websites.

Sucuri estimates about 9 million websites are currently hacked or infected.

Related Stories:

Unfortunately, since WordPress sites make up a significant amount of total websites, they also make up a significant amount of those that are hacked. The number of WordPress sites hacked in 2012 was 170,000 and even though there are no official 2014 statistics, it’s easy to see this number has exponentially increased by looking at a few cases of hacked websites.

In July of 2014, 50,000 WordPress websites were compromised due to a flaw in the plugin, MailPoet Newsletters. In October 2014, hackers stole 800,000 banking credentials through WordPress sites. In December 2014, 100,000 WordPress websites were hacked through a vulnerability in the plugin, Slider Revolution. These are just a few of the big cases in 2014.

If you think only high-traffic sites are targeted, think again. Even low traffic sites are targeted. Being hacked can be detrimental to your site credibility and cost time and money to recover from. Some sites never recover from being hacked. 

It’s easy to ignore the posibility of your site being hacked by thinking it could never happen to your site. As a WordPress user, it is important to realize your website might be vulnerable to security breaches and to address these issues before you’re attacked.

There are several main reasons a WordPress site is vulnerable to attacks. This could be due to faults in the hosting platform, theme, plugins, or weak passwords. We will go into detail about each of these and more.

Securing your WordPress site is about risk reduction. If you invest in security measures that make it harder for hackers to access your site, the risk of your site being hacked will be reduced.

Below are some tips for increasing WordPress security. This information will help those who just started their site and need to implement security measures and those whose site’s security needs tuning up.

Choose the Right Hosting Company

A simple way to increase the security of your site is to check your hosting company. Choose a WordPress hosting company that supports the latest versions of PHP and MySQL and is optimized to run WordPress.

The company should provide support from trained individuals in case of a security issue. They should also provide account isolation so problems with one account on the server cannot cause problems for your site.

It’s also useful to go with a hosting company that scans for malware and has daily internal backups. The bottom line is if you want a secure site, it’s important to go with a host that cares about security.

Update WordPress Core and Plugins

Another way to reduce the vulnerabilities in your site is to make sure you are using the most up-to-date version of WordPress. Every new version of WordPress addresses security issues present in the previous version.

This is also true for plugins. Keep your plugins updated and choose plugins that are updated regularly. Try to use plugins which has brands or know developers standing behind them. Don’t use plugins that are out of date or support abn old version of WordPress. This will reduce the risk of being hacked.


Backup Your Site Often

It is important for the overall security of your site to do regular backups. That way if your site is hacked, you are able to restore it quickly. If your site is not backed up, the result of being hacked can be losing your entire site.

You can use backup options through your host server, or you can use an external backup service like a plugin. It’s good to have more than one mode of backup, including an external one, that way if the host’s data center fails, you can still retrieve your data through another source.

Some good external backup options are plugins like BackupBuddy and Updraft.


Enhance Login Security

An important aspect of creating a secure site is creating secure logins. There are several simple ways to do this.

First, make sure your passwords are strong. A weak password is an easy target for hackers. Also, change your passwords frequently. Don’t use “admin” as a username, even though it is the default option. Since hackers know this is the default and having this username can make their job a lot easier.

Since hackers try random passwords over and over, limit the amount of login attempts allowed. This can be done with a plugin. One of the best is Login Lockdown.


Also, consider using two-step authentication. This involves providing both a password and authorization code to login to your site like Google Authenticator plugin.

Some of these login security features, such as limiting login attempts, are part of the all-in-one security plugin.

Check your Directory Access and .htaccess Files

WordPress directory permissions can prevent unauthorized users from viewing and changing files required to run WordPress. To enhance security, make it so visitors to your site cannot view WordPress directory which are not part of your site content . Make rules for who can and cannot access parts of your site.

You can modify access using .htaccess files. Use these to your advantage so that when a potential hacker tries to view certain parts of your site, such as the directory, they are redirected or shown a “403 forbidden” page.

You can even restrict access to your WordPress admin page to a certain IP address by creating an .htaccess file and uploading it to the directory. Read this article about hardening WordPress for more information about using .htaccess

All-In-One Security Plugin

If you’re looking for comprehensive security in one installation, you might want to get an all-in-one security plugin. This plugin offers many features that address common security issues.

There are several good options out there for similar plugins. One good one is iThemes Security. This is the most downloaded security plugin on It finds vulnerabilities in your site and gives a comprehensive view of what should be done to protect your site.

ithemes security

BruteProtect is a security feature that is part of the popular Jetpack plugin. BruteProtect stops brute attacks against WordPress sites. Another is All in One Security, which is an all-in-one security and firewall plugin.

Jetpack by

Installing an all-in-one security plugin is a great option if you’re looking for a thorough approach from a source that can provide feedback.

Scan your Site Often

There are several options to scan your site for threats. Scanning is important for detecting activity that could harm your site. These options alert you of any suspicious activity, so you know right away if your site is being targeted.

WordFence is one of the most trusted security plugins. It scans sites frequently, detecting malicious activity and acting as a firewall to keep attacks from happening.


Sucuri is a company that offers a firewall and antivirus for complete security. They offer a WordPress security plugin that scans sites and offers information on how to strengthen security. They also offer a free website scanner that allows you to see if your site has been compromised.


Penetration Testing

Penetration testing is the most expensive and intensive method of ensuring your site is secure. It involves hiring a company to attempt to hack into your site using bots, scanners, and manual techniques. This method will challenge your site’s security and show you holes that resulted in a hacked site during the testing period.

Monitoring Your WordPress Site

It’s important that in the event that your site is attacked, you know as soon as possible. There are several services that monitor your website and notify you if something is wrong.

One of the most comprehensive monitoring services out there is Sucuri’s AntiVirus service. It monitors your site, checking for malware and providing in-depth reports.

The Sucuri Security plugin also offers monitoring services. It allows site administrators to see activity concerning the security of their site straight from the dashboard. It also monitors file integrity.

With Sucuri, you can edit your notification settings, choosing which notifications you want to receive via e-mail. This way, you can stay up to date with the security of your site.


Sucuri security notification settings

WordFence is another resource that monitors site traffic, logins, and comments to make sure there is no suspicious activity.

Where to Learn More

WordPress security is a huge issue. If you have a WordPress site, it’s important you understand at least the basics of security, if not more. Here are some online resources to help you out:

-WPMUDEV has a nice comprehensive guide to WordPress security. They also have a popular video tutorial on security basics and offer some more in-depth security videos on the WPMUDEV YouTube channel.

WP White Security touches on a lot of security issues in their tutorials.

Sucuri also has a lot of great information about WordPress security and they keep updated on security breaches, since they are often on the frontlines.

-Another good video tutorial is this one by Katrinah.

As you’ve seen in this post, there are many ways you can protect your WordPress site and there is a lot of good information out there to help you. Making your website harder to hack is the key to a secure site.  If you haven’t already, try some of these options.

Good WordPress security requires some forethought to protect from potentially devastating attacks. As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Consider this and the advice in this post as you work to strengthen your WordPress site’s security.