According to the data from w3techs.com, every third website is based on WordPress. No wonder that hackers and crackers scan websites for vulnerabilities both in the installed plugins and in the core itself. A leak found on one website usually occurs on others based on the same CMS, and this enables the entire spectrum of attacks. In the following sections we will show you how to impede or prevent them and how to defend from unauthorized data access.

1. Update WordPress core whenever possible

WordPress is an open-source platform, which means that anyone can add their code to the repository and there is a chance of its publication in the next CMS version. It gives you the ability to quickly catch any errors. The more people have access to the code and manage to find the error, the sooner it can be fixed.

WordPress is written by people, which means it might require “patching”(we all make mistakes sometimes :). Frequent updates of the CMS itself allow avoiding problems related to gates that were left in previous versions. Thanks to these updates, unauthorized persons have less time to detect new errors and to take advantage of previously detected vulnerabilities that circulate around the internet.

2. Make backup copies

If the hacker somehow gains access to the database, they may try to paste their code on ​​our site (i.e. for advertising) or delete the database and blackmail us to pay the ransom in order to restore it.

Of course, none of us would like to lose all posts, photos and comments. Fortunately, we do not have to comply with the blackmailer. It is enough to simply restore the backup, which is best done after each major interference to the site. Digging through lines of code in order to find the place where the ad code was injected can also be rather annoying. It is a time-consuming process, and as we know – time is money, so it’s better to be safe than sorry by preventing it all from happening in the first place.

3. Only install checked plugins

As mentioned above, the WordPress repository is open. It means that any user can apply to add their original plugin to the general WordPress repository. To reduce the likelihood of page hijacking or the occurrence of unexpected errors, always use proven plugins.

What does it mean? Take, for example, the Advanced Custom Fields plugin – it has over a million active installations and was last updated on August 31, 2021. The probability of the plugin containing a code fragment that can cause critical errors is therefore minimal. If the plugin is permanently supported and has been tested on your WordPress version, you can consider it proven.

4. Logging in with admin/admin123 is a bad idea

One of the steps in the process of automatic installation of WordPress is to indicate the login and password of the administrator. We try to choose accesses that are easy to remember or associate. Unfortunately, this is not the best way.

Both login and password should provide solid security for our site. The username should be easy to remember, but it is not advisable to use the form of “admin” or “administrator”. In turn, when setting a password, it is best to use generators such as Enpass. This tool allows you to generate and save a complex string of letters and characters. Such a solution will effectively hinder or prevent hackers from using the brute force method to crack our password.

5. Limited login attempts

There are many plugins in the WordPress repository that limit the number of logins if too many attempts have been made in a given time. An example of such a plugin is Limit Login Attempts Reloaded. If an unauthorized person tries to guess the password, access to the account will be temporarily blocked. Optionally, you can enable logging attempts or even sending failed ones to an e-mail address.

6. Two-factor authentication

If we want to have greater security with little additional work, we might want to consider implementing two-factor authentication. Password can be stolen by using e.g. hardware or software keyloggeers. When two-factor authentication is active, however, the stolen password will not be useful to the hacker. Confirmation of logging in via SMS or in the application will be required. Duo Two-Factor Authentication offers such a service. To secure the site, install the plugin and then follow the instructions recommended during activation. You will also need to install the application from Play Store or AppStore.

7. Using the wp-admin link as an access to the panel is asking for trouble

Most people who want to get to your site unauthorizedly will try to guess the login and password in the login form. Why not make scheming harder for them by having to guess the link leading to it? The best way is to change your login address. This link should be chosen carefully (setting /login, /admin or /logging in will not make it difficult to guess).

Change wp-admin login is an example of plugin that makes it easy to change the address.

8. Editing theme files from the dashboard is easier – for others, too

When we introduce quick-fixes on the page, it is most convenient for us to enter the administrative panel, hover over the “Appearance” tab and click “Theme editor”. Most users don’t even wonder if this option is entirely secure. But what if an unauthorized person gets access to the site? Unfortunately, the intruder will have access to edit the theme code. The best option in this case is to disable the ability to edit files in the panel. To do so, we need to add the following line to the file wp-config.php.

define('DISALLOW_FILE_EDIT', TRUE);

9. Database table prefix – using wp_ may allow easier SQL Injection

When we use a large number of plugins or custom themes with many places where the user can enter data (such as comments or other forms), we are at risk of SQL Injection.

This method involves entering a modified SQL query in such a way that the interpreter performs the actions given by the modifier. With wp_ as tables prefix we make it easier for the attacker to proceed with the outbreak. It is much more obvious to add "DROP TABLE wp_options;" to all forms than "DROP TABLE tjmnt_options;".

10. Update plugins at every opportunity

This point is very similar to the first one. During the development process, many plugins are vulnerable to attacks or have bugs that show up under certain circumstances. Regular, systematic plugin updates patch some vulnerabilities. Please also note that you MUST NOT edit plugin codes ever. All modifications of functionalities or their extension should be kept in separate files (a separate plugin) or in the files of our theme, since each update will overwrite the changes made.

11. Check if you don’t reveal the WP version to everyone

The easiest way to check this is to view the page source and search for the current version of WordPress. It is often added when loading styles/scripts or is included in the header. Revealing the WP version allows you to easily check which patches have not yet been implemented on the page.

To hide the version from the header, I recommend adding the following code to the functions.php file of our theme:

function remove_wp_ver() {
return ‘’;
}
add_filter(‘the_generator’,’remove_wp_ver’);


12. Block RestAPI – share only used endpoints

WordPress from version 4.7.0 offers the possibility of using its REST API. It means that by using the appropriate endpoints, we can receive or add/change data on our website. This in turn enables us to connect our WordPress to various external APIs.

Many users are not aware that REST API has been enabled on their site since the website was implemented. An example of an endpoint (to which we would rather not wish for third parties to have access) is “/wp-json/wp/v2/users/”. It allows you to get a list of all users along with their avatars and post slugs. The best form of protection, in this case, will be full deactivation of the REST API, if we don’t connect with external services. If you need to share data “outside”, I recommend writing your endpoints and taking care of their proper protection.

13. SSL certificate

Many people wonder why some of the websites have a “padlock” next to the address bar and some have the inscription “Unsecured”. Does it really have such an impact on security? The answer is yes.

This “padlock” means that the SSL (Secure Socket Layer) certificate is installed on the page. Simply said, it lets you know that the connection between the site and the user is secure. This certificate is responsible for encrypting the provided information, which means that intercepting data “on the fly” by third parties is impossible. When the website you are visiting is an e-store, you certainly don’t want your credit card information to “wander around” the internet. For this reason, we should always pay attention to whether a given site is secured by a certificate and definitely avoid visiting unsecured sites using publicly available wireless networks.

Basic WordPress security involves many steps. The approach to each site requires an individual assessment of the situation and setting the direction that an unauthorized person can take. We must try to make it unobvious. By using the knowledge from the above examples, you will definitely avoid many unpleasant surprises on your blog or in e-commerce. 🙂

And if you need support in this area, let us know at office@osomstudio.com. We’ll help you secure your website effectively.