WordPress Security is Serious Business

Wordpress-Security-Shield1There are so many poorly implemented websites, not just WordPress, that are not properly hardened for security when originally built. Proper website maintenance should also include keeping up to date with your websites security. With the amazing growth of WordPress as a website platform comes the pitfall of being a target of hackers because of the large number of unsecured sites. Your WordPress website is most likely visited daily not only by spammers looking to get links in your blog comments but by software robots. These “bots” are looking to simply log in to your site by figuring out your username and password or take advantage of security holes in themes, plugins, or the WordPress code base itself.

Hackers hack websites for a number of reasons, they want to use your computer, to steal services or information, hijack affiliate links or to use your site as a platform for denial of service attacks or other automated activities like spreading malware.

What should I do to protect my WordPress site from hackers?

  • The first defense is simply keeping your WordPress version and plugin versions up to date. One of the primary reasons for updates is not just new functionality and bug fixes but often includes the closing of security flaws in WordPress, WordPress Plugins and Themes.
  • Second, NEVER EVER use admin/password as the admin name and password, it seems like common sense but I hear this regularly when I get calls about sites that have been hacked. A secure password should include upper/lower case letters, numbers and throw in a symbol for good measure. This combination makes guessing your password through trial and error nearly impossible
  • Third, make sure all plugins and themes that you are not using are removed from your installation. YES, a site can even be attacked through a non-active theme or plugin that contains a security flaw.
  • Fourth, absolutely use a good WordPress backup utility. DO NOT depend on your hosting service for your backup, they may not keep current and it could take more time than you would like to get your site back up and running. More on WordPress backups in a future post. You also need a good regular clean backup to restore your site pre-malware if your site is attacked, hacked or worse yet completely erased.

One of the ways that WordPress protects you is by monitoring these plugin vulnerabilities and removing the offending plugins from the WordPress.org plugin repository. Now of course if you don’t keep up with this or monitor updates to your plugins you may be caught out cold. Below is a link to a great article listing the latest batch of security issues with WordPress. You should also check out the WordPress Codex for information on Hardening WordPress: http://codex.wordpress.org/Hardening_WordPress

Recommended Plugin for WordPress Security

I currently recommend and use Wordfence.  Wordfence has a great free version and a premium version available with advanced features.  The free version of Wordfence includes scanning for malware, bad URL’s and a real-time security network.  The plugin also will block IP’s, networks, fake Googlebots, brute force attacks and enforce strong passwords as well as limiting login attempts to block username and password hackers.


  • Thanks for the great advice!

  • Hi Jim,
    This post is indeed a great alert to those who use WordPress base.
    I recently migrated my blogger.com stuff to wordPress base with the
    help of one of my friends, and its working well. Thanks for the connected
    links given here. I will surely inform/refer my friend to have a look at this page
    Hey, After March I could not locate any post here, pl. do update and inform
    your friends thru G+ etc so that it will be a great help to your readers and visitors
    Keep informed
    Nice speaking to you.
    Have a good and godly day.
    ~ Philip