13 Easy Steps To Improve WordPress Security And Keep Your Site Safe - Osom Studio - WordPress & WooCommerce Development Agency Of Choice

13 Easy Steps to Improve WordPress Security and Keep Your Site Safe

By Bartosz Nowak

Defend your WordPress website and keep your business safe!

Discover 13 simple and effective steps to improve your WordPress website’s security and protect your business from cyber threats. Keep your site safe with these easy-to-follow security measures.

According to data from w3techs.com, every third website is based on WordPress. No wonder that hackers and crackers scan websites for vulnerabilities both in the installed plugins and in the core itself. A vulnerability found on one website usually exists on others based on the same CMS, and this enables the entire spectrum of attacks. In the following sections we will show you how to impede or prevent them and how to defend against unauthorized data access.

 

1. Update WordPress core whenever possible

WordPress is an open-source platform, which means that anyone can contribute code to the repository, with a chance of it being published in the next CMS version. This makes it possible to catch errors quickly: the more people have access to the code, the sooner an error is found and fixed.

WordPress is written by people, which means it might require “patching” (we all make mistakes sometimes :). Frequent updates of the CMS itself let you avoid problems related to security holes left in previous versions. Thanks to these updates, unauthorized persons have less time to detect new errors and to take advantage of previously detected vulnerabilities that circulate around the internet.

 

2. Make backup copies

If a hacker somehow gains access to the database, they may try to paste their code into our site (e.g. for advertising) or delete the database and blackmail us into paying a ransom to restore it.

Of course, none of us would like to lose all posts, photos and comments. Fortunately, we do not have to comply with the blackmailer. It is enough to simply restore a backup, which is best made after each major change to the site. Digging through lines of code to find the place where the ad code was injected can also be rather annoying. It is a time-consuming process, and as we know, time is money, so it's better to be safe than sorry and prevent it all from happening in the first place.

 

3. Only install checked plugins

As mentioned above, the WordPress repository is open, meaning any user can apply to add their own plugin to the official WordPress repository. To reduce the likelihood of site hijacking or unexpected errors, always use proven plugins.

What does that mean? Take, for example, the Advanced Custom Fields plugin: it has over a million active installations and was last updated on August 31, 2021. The probability of the plugin containing a code fragment that causes critical errors is therefore minimal. If a plugin is actively supported and has been tested on your WordPress version, you can consider it proven.

 

4. Logging in with admin/admin123 is a bad idea

One of the steps in the automatic installation of WordPress is to set the administrator's login and password. We tend to choose credentials that are easy to remember or associate. Unfortunately, this is not the best approach.

Both login and password should provide solid security for our site. The username should be easy to remember, but it is not advisable to use “admin” or “administrator”. When setting a password, it is best to use a generator such as Enpass. This tool lets you generate and save a long, complex string of letters and characters. Such a solution will effectively hinder or prevent hackers from cracking our password by brute force.

 

5. Limit login attempts

There are many plugins in the WordPress repository that block logins after too many failed attempts in a given time. An example is Limit Login Attempts Reloaded. If an unauthorized person tries to guess the password, access to the account is temporarily blocked. Optionally, you can enable logging of attempts or even e-mail notifications of failed ones.
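As an added illustration of what such a plugin does under the hood (this is not the article's or the plugin's code), a minimal limiter that can live in a theme's functions.php or a small must-use plugin; the policy of 5 failures per client address within 15 minutes and the IP-based key are my assumptions:

```php
<?php
// Added example, not from the article: a minimal login limiter built on
// WordPress transients. Assumed policy: 5 failures per address in 15 minutes.
const OSOM_MAX_ATTEMPTS = 5;
const OSOM_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Transient key per client address. Behind a reverse proxy, use the
// address the proxy forwards instead of REMOTE_ADDR.
function osom_login_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'osom_login_fail_' . md5( $ip );
}

// Count every failed login and keep the counter alive for the lockout window.
function osom_record_failed_login( $username ) {
    $key   = osom_login_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, OSOM_LOCKOUT_SECS );
    error_log( sprintf( 'Failed login for "%s" from %s (attempt %d)',
        $username, $_SERVER['REMOTE_ADDR'] ?? '?', $count ) );
}
add_action( 'wp_login_failed', 'osom_record_failed_login' );

// Refuse authentication while the client is locked out. Priority 30 runs
// after core's username/password check (priority 20).
function osom_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( osom_login_key() ) >= OSOM_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'osom_check_lockout', 30, 3 );

// Reset the counter after a successful login.
add_action( 'wp_login', function () {
    delete_transient( osom_login_key() );
} );
```

Blocked attempts still fire wp_login_failed, so each further try extends the lockout window from that moment.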

 

6. Two-factor authentication

If we want greater security with little additional work, we might consider implementing two-factor authentication. A password can be stolen, e.g. by a hardware or software keylogger. When two-factor authentication is active, however, the stolen password alone is useless to the hacker: confirmation of the login via SMS or in an app is also required. Duo Two-Factor Authentication offers such a service. To secure the site, install the plugin and follow the instructions shown during activation. You will also need to install the app from the Play Store or App Store.

 

7. Using the wp-admin link as an access to the panel is asking for trouble

Most people who want unauthorized access to your site will try to guess the login and password in the login form. Why not make it harder for them by making them guess the link to that form as well? The best way is to change your login address. This link should be chosen carefully (setting /login, /admin or /logging in will not make it hard to guess).

Change wp-admin login is an example of a plugin that makes it easy to change the address.

 

8. Editing theme files from the dashboard is easier – for others, too

When we introduce quick fixes on the site, the most convenient way is to enter the admin panel, hover over the “Appearance” tab and click “Theme editor”. Most users don’t even wonder whether this option is secure. But what if an unauthorized person gets access to the dashboard? The intruder will then be able to edit the theme code. The best option is to disable file editing in the panel. To do so, add the following line to wp-config.php:

define('DISALLOW_FILE_EDIT', TRUE);

 

9. Database table prefix – using wp_ may allow easier SQL Injection

When we use many plugins or custom themes with many places where the user can enter data (such as comments or other forms), we are at risk of SQL injection.

This technique involves entering a modified SQL query so that the interpreter performs the actions chosen by the attacker. With wp_ as the table prefix we make it easier for the attacker to proceed with the attack. It is much more obvious to add "DROP TABLE wp_options;" to every form than "DROP TABLE tjmnt_options;".
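The prefix only makes guessing harder; the defense that actually stops the injection described above is never building the query text from user input. An added PHP example (not the article's code) showing a vulnerable lookup next to the version using $wpdb->prepare(); the subscribers table, the form field and the osom_ function names are hypothetical:

```php
<?php
// Added example, not from the article. Runs inside WordPress ($wpdb global).
// Hypothetical table {$wpdb->prefix}subscribers and a custom form field "email".

// VULNERABLE: the submitted value is pasted into the SQL text, so a quote
// character in the input changes the meaning of the whole statement.
function osom_find_subscriber_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE email = '" . $email . "'" );
}

// HARDENED: $wpdb->prepare() binds the value to a %s placeholder, so it can
// never be parsed as SQL, whatever the table prefix happens to be. Using
// $wpdb->prefix also keeps a hard-coded "wp_" out of your own code.
function osom_find_subscriber_safe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE email = %s", $email );
    return $wpdb->get_row( $sql );
}

// Form handler: verify the nonce, sanitize, then query with the safe helper.
function osom_handle_subscribe_form() {
    $nonce = $_POST['osom_subscribe_nonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'osom_subscribe' ) ) {
        wp_die( 'Invalid form submission.' );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.' );
    }
    $row = osom_find_subscriber_safe( $email );
    // ... continue with $row (null if no subscriber matched)
}
add_action( 'admin_post_nopriv_osom_subscribe', 'osom_handle_subscribe_form' );
add_action( 'admin_post_osom_subscribe', 'osom_handle_subscribe_form' );
```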

 

10. Update plugins at every opportunity

This point is very similar to the first one. During development, many plugins are vulnerable to attacks or have bugs that show up under certain circumstances. Regular, systematic plugin updates patch such vulnerabilities. Please also note that you MUST NOT edit plugin code directly. All modifications or extensions of functionality should be kept in separate files (a separate plugin) or in the files of our theme, since each update will overwrite the changes made.

You can always ask us to do that – check our maintenance plans 😊

 

11. Check that you don’t reveal the WP version to everyone

The easiest way to check is to view the page source and search for the current WordPress version. It is often added when loading styles/scripts or is included in the header. Revealing the WP version lets anyone easily check which patches have not yet been applied to the site.

To hide the version from the header, I recommend adding the following code to the functions.php file of our theme:

// Return an empty string instead of the <meta name="generator"> tag.
function remove_wp_ver() {
    return '';
}
add_filter('the_generator', 'remove_wp_ver');
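The version also leaks through the ?ver= query string that WordPress appends to enqueued scripts and styles that declare no version of their own. An added example for functions.php (not the article's code) that covers both places; the osom_ function name is my own:

```php
<?php
// Added example, not from the article. Hides the WordPress version in the
// two places the article mentions: the generator tag and asset URLs.

// 1. Empty the generator tag (HTML head and the RSS/Atom feeds).
add_filter( 'the_generator', '__return_empty_string' );

// 2. Strip ver= from a script/style URL only when it equals the core
//    version, so plugin and theme assets keep their own cache-busting
//    version numbers.
function osom_strip_core_version( $src ) {
    $core_version = get_bloginfo( 'version' );
    $query        = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $core_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'script_loader_src', 'osom_strip_core_version' );
add_filter( 'style_loader_src', 'osom_strip_core_version' );
```

After adding it, view the page source again and confirm that no ?ver= carrying the core version remains.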

 

12. Block RestAPI – share only used endpoints

Since version 4.7.0, WordPress offers a REST API. By using the appropriate endpoints, we can receive or add/change data on our website, which in turn lets us connect our WordPress to various external APIs.

Many users are not aware that the REST API has been enabled on their site since the website was launched. An example of an endpoint that we would rather not expose to third parties is “/wp-json/wp/v2/users/”. It lets anyone get a list of all users along with their avatars and post slugs. The best protection in this case is full deactivation of the REST API, if we don't connect to external services. If you need to share data “outside”, I recommend writing your own endpoints and taking care of their proper protection.
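An added example (not the article's code) of the two options just described: refusing anonymous REST requests, unregistering the core users routes, and exposing one custom endpoint with an explicit permission_callback. The osom/v1/stats route and the osom_ function names are hypothetical; it requires WordPress 4.7 or newer:

```php
<?php
// Added example, not from the article. Requires WordPress >= 4.7.
// Assumes no anonymous REST clients except one hypothetical public
// read-only route, osom/v1/stats.

// 1. Require a logged-in user for any REST route not explicitly public.
//    Anonymous calls to /wp-json/wp/v2/users then get a 401, not a user list.
function osom_rest_require_login( $result ) {
    if ( ! empty( $result ) || is_user_logged_in() ) {
        return $result; // earlier error, or an authenticated user
    }
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    if ( 0 === strpos( $route, '/osom/v1/stats' ) ) {
        return $result; // the one route we expose publicly
    }
    return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
        array( 'status' => 401 ) );
}
add_filter( 'rest_authentication_errors', 'osom_rest_require_login' );

// 2. Unregister the core user-listing routes for everyone.
function osom_remove_user_routes( $endpoints ) {
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'osom_remove_user_routes' );

// 3. A custom endpoint with an explicit permission_callback, the pattern
//    the article recommends when data must be shared "outside".
function osom_register_stats_route() {
    register_rest_route( 'osom/v1', '/stats', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return array( 'published_posts' => (int) wp_count_posts()->publish );
        },
        'permission_callback' => '__return_true', // intentionally public
    ) );
}
add_action( 'rest_api_init', 'osom_register_stats_route' );
```

Step 1 also blocks plugin endpoints that expect anonymous access and step 2 removes the data the block editor's author selector reads from /wp/v2/users, so test both the admin and the front end after enabling them.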

 

13. SSL certificate

Many people wonder why some websites have a “padlock” next to the address bar and some show “Unsecured”. Does it really have such an impact on security? The answer is yes.

This “padlock” means that an SSL (Secure Socket Layer) certificate is installed on the site. Simply put, it tells you that the connection between the site and the user is encrypted. The certificate is responsible for encrypting the transmitted information, which means that third parties cannot intercept data “on the fly”. When the website you are visiting is an e-store, you certainly don’t want your credit card information to “wander around” the internet. For this reason, we should always check whether a given site is secured by a certificate and definitely avoid visiting unsecured sites on public wireless networks.

 

Conclusion

Basic WordPress security involves many steps. Each site requires an individual assessment of the situation and of the directions an unauthorized person could take. We must try to make them unobvious. By applying the knowledge from the above examples, you will avoid many unpleasant surprises on your blog or in your e-commerce site. 🙂

FAQ

 

Q: What are the first steps to improve WordPress security?

A: The initial steps to enhance your WordPress site’s security include keeping your WordPress version, plugins, and themes updated, using strong passwords for all accounts, and implementing a reputable WordPress security plugin. Regularly conducting malware scans and backing up your website also play a crucial role in protecting your site.

 

Q: How can security plugins help protect my WordPress site?

A: Security plugins add an extra layer of defense by scanning for malware, monitoring for security vulnerabilities, and blocking suspicious activity. They can also implement firewalls, login security measures, and security patches automatically. Selecting the best WordPress security plugins can significantly reduce your site’s risk of a security breach.

 

Q: What are some best practices for maintaining WordPress security?

A: WordPress security best practices include regularly updating WordPress core, plugins, and themes, using secure and managed WordPress hosting services, implementing strong passwords, enabling two-factor authentication for WordPress login, and using security keys. Additionally, restricting access and permissions can help protect your WordPress admin area from unauthorized use.

 

Q: Why is it important to keep my WordPress updated?

A: Keeping your WordPress updated is crucial because each update not only brings new features but also security patches for known vulnerabilities. Outdated versions of WordPress, plugins, and themes can leave your site exposed to attacks. Regular updates ensure you have the latest security measures in place.

 

Q: How can I secure my WordPress login to prevent unauthorized access?

A: To secure your WordPress login, you can implement two-factor authentication, limit login attempts to prevent brute force attacks, change the default “admin” username, and use a strong, unique password. Additionally, consider using a security plugin that provides login security features to protect your WordPress user accounts.

 

Q: What role does hosting play in WordPress security?

A: Your WordPress host plays a significant role in security. Managed WordPress hosting services typically offer enhanced security features, such as automatic updates, advanced malware scans, and dedicated support if a security issue arises. Choosing a hosting provider dedicated to WordPress security can significantly reduce vulnerabilities and security risks.

 

Q: How can I protect my WordPress site from malware and attacks?

A: To protect your WordPress site from malware and attacks, use security plugins to detect and remove malware, keep all components of your site up to date, choose a secure hosting provider, limit login attempts, and use strong passwords. Additionally, regularly backing up your WordPress files and database ensures you can restore your site in case of an attack.

 

Q: What should I do if my WordPress site gets hacked?

A: If your WordPress site gets hacked, immediately change all passwords, update all site components to their latest versions, remove any unfamiliar or suspicious WordPress plugins or themes, and run a comprehensive malware scan using a trusted security plugin. Contact your hosting provider for assistance, and restore your site from a backup if necessary. It’s also wise to notify your customers as soon as possible if sensitive information may have been compromised.

 

Q: How important are backups for WordPress security?

A: Backups are a critical component of WordPress security. They ensure that, in the event of a security breach, malware attack, or accidental data loss, you can restore your WordPress site to its previous state. Employing regular, scheduled backups, ideally in multiple secure locations, protects your site’s data and minimizes the impact of attacks.

 

Q: How can hiding your WordPress version improve security?

A: Hiding your WordPress version can improve security by making it more difficult for hackers to exploit specific vulnerabilities related to known issues in particular versions. This is a simple, yet effective way to protect your WordPress site as part of a comprehensive security strategy, alongside other measures like updates, backups, and the use of security plugins.

 

Get Professional WordPress Security and Maintenance Support

If you need support in this area, let us know at office@osomstudio.com. We’ll help you secure your website effectively. You can also hire us to maintain and support your website. Check our WordPress maintenance plans.
