stuartjdavidson.com http://stuartjdavidson.com/wordpress-security/ 
WordPress Security: How To Avoid Being Hacked 
Website security is serious business. Knowing how to maximise your WordPress security can be the difference between 
keeping your business and losing it, or ruining your reputation. The number of compromised websites has increased 
(and in my opinion always will) because of the Internet’s popularity and consumer demand. 
Since 2009, the number of WordPress security hacks has increased over twofold. In 2012, the number was 
reported to be over 170,000 sites. 
If you work in online marketing, the odds are that you have worked on, or will at some point work on, a WordPress 
site. Thousands of malware types and infections are active on the Internet but fortunately, not all of them apply to 
WordPress. What makes WordPress security vulnerable? Here are the most common weaknesses behind the WordPress 
compromises you will come across: 
Out-of-date software 
Poor servers 
Poor credential management 
Poor system administration 
Lack of technical knowledge 
Cutting corners 
Knowing why your WordPress security may be compromised is half the battle. Knowing the typical types of attack is 
also of great benefit. Here is a breakdown of the most common WordPress security issues you should be aware of.
Back-doors 
A back-door allows an attacker to get into your website while bypassing the access methods you would consider 
normal (FTP, the WordPress admin, etc.). Back-doors are exceptionally dangerous and, if left unchecked, can 
cause havoc on your server. 
Drive-by downloads 
A drive-by download is usually embedded in your website via some type of script injection. Its point is often to 
download something onto your visitor’s local machine. One of the most common variants tells the user that their 
computer has been infected with some sort of virus and that they need to install an anti-virus product to fix it. 
Pharma hacks 
A pharma hack is one of the most prevalent exploits. It is actually categorised as SPAM (stupid, pointless, annoying 
messages) and if you are found to be distributing SPAM, you run the risk of Google flagging your site with various 
alerts that deter visitors, such as “This site may be compromised”. 
Malicious redirects 
Quite simply, a malicious redirect sends a user to a malicious website. If a visitor is redirected to a website other 
than the one they asked for, that site may serve infectious software, advertisements or what appear to be random 
or foreign sites. 
Brute force attacks 
Brute force attacks occur when someone tries to gain access to your site by attempting an enormous number of 
different username and password combinations until the right one is found. Guessing is very fast when checking 
all short passwords; for longer passwords, other methods can still be used to the same effect. 
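The pattern described above leaves a very visible trace in the web server's access log: one client posting to the login form far more often than a person would. The following shell script is an added example and is not part of the original article; it runs over a handful of constructed Apache combined-format log lines (the IPs and timestamps are made up) and reports clients whose failed login POSTs reach a threshold. It relies on one WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example, not from the original article: find source IPs that are
# hammering wp-login.php, using constructed Apache combined-format log lines.
# A failed WordPress login re-renders the form with HTTP 200; a successful
# one answers with a 302 redirect, so repeated POSTs that get a 200 are the
# signal. Every IP and timestamp below is made up for the demo.

SAMPLE_LOG='203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:10:00:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# flag_login_bursts THRESHOLD   (reads log lines on stdin)
# Prints "IP FAILED_POSTS" for each client whose count of failed login POSTs
# reaches THRESHOLD, sorted by IP so the output is stable.
flag_login_bursts() {
    awk -v threshold="$1" '
        # combined log fields: $1 client IP, $6 quoted method, $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { failed[$1]++ }
        END { for (ip in failed) if (failed[ip] >= threshold) print ip, failed[ip] }
    ' | sort
}

# Stand-alone run: with a threshold of 3 only 203.0.113.5 is reported; the
# person at 198.51.100.7 mistyped once and then logged in (the 302).
printf '%s\n' "$SAMPLE_LOG" | flag_login_bursts 3
```

On a real server you would feed the live access log in (`flag_login_bursts 20 < /var/log/apache2/access.log`, path assumed) and hand the flagged addresses to a firewall rule or a tool such as fail2ban, alongside a plugin that limits login attempts. The threshold is a judgement call: a handful of failures is a forgotten password, dozens in a minute are not.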
Zero-day Attacks 
A zero-day attack exploits a previously unknown vulnerability on your site and occurs before anyone is aware of the 
vulnerability. It can be difficult for you to prevent, as these attacks happen before the developers have had time to 
recognise and address the vulnerability and provide you with a fix or update. 
Armed with this knowledge, here are my top 10 security tips to ensure your WordPress site is and remains 
secure: 
1. Make contact with your web host 
It’s reported that 41% of hacks occur as a result of hosting. You should contact your web host and ask 
what they have put in place to establish WordPress security on their servers. Your host will be able to 
delete any generic accounts, so you should always know who is accessing your website. Avoid any 
unnecessary credentials or access points, including FTP, wp-admin and SSH. Steer clear of cheap hosting 
providers without solid customer service and strong WordPress security measures in place. 
2. Undertake regular backups 
Prevention is one thing, but if all else fails you should have a backup plan. You should never rely only 
on your web host for your site backups. Some hosts do periodic backups, but either way it should be 
standard practice to routinely back up your whole site and database in case your WordPress security is
compromised. 
3. Default site information 
Brute force attacks on WordPress are mostly attempts to compromise the website’s administrator 
panel by exploiting hosts with default credentials (i.e. “admin” as a username). If your site’s username is 
still admin, you need to change it immediately. 
Use very secure passwords: a good mix of capital and lower-case letters, numbers and symbols, at 
least 8 characters long, is advised. Avoid common phrases and password variations like stuart123. 
Instead, use something like 9St1u3a!rt~? (and make a note of it in a secure place, as guessing these 
types of passwords is next to impossible). 
WordPress databases are like the brain of your entire WordPress site: every single piece of information 
is stored there, which makes the database every hacker’s favourite target. The smartest way you can protect 
your database and increase your WordPress security is to change the database prefix from wp_ to anything 
else, perhaps something like wp_st6u3a88r0t. 
4. Directory hardening 
Many web hosts provide the ability to browse a site’s directories as a default configuration. 
Unfortunately, this also allows a hacker to see the contents of these directories. Updating your .htaccess 
file can disable this (read here for more information). 
Your “uploads” folder stores all the media that gets uploaded to your WordPress site. By default, this folder 
is also visible to anyone online. Updating your .htaccess file will prevent online users from viewing this 
folder too (read here for more information). 
Lastly, updating your file permissions enables your core files to be secured against various other attacks. 
For a full list of recommended file permissions, read this article. 
5. Default WordPress files 
You should rename or delete your install.php, upgrade.php and readme.html files, as these are completely 
unnecessary after installation and actually serve as WordPress security vulnerabilities. If you don’t want to 
delete these files for any reason, you can just rename them. 
You should also remove any mentions of WordPress, so that you’re not providing hackers with useful 
information that might lead to potential exploits. Remove the “Powered by WordPress” tag, the WordPress 
version meta data from your theme and any links back to WordPress from your website. 
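Tips 4 and 5 are both about the state of the install on disk, so one script can audit and apply them. The shell script below is an added example, written for this page; it is not the article's or WordPress's own code. Its assumptions: Apache 2.4 .htaccess syntax (`Require all denied`; on Apache 2.2 the equivalent is `Deny from all`), the permission targets of 644 for files, 755 for directories and 600 for wp-config.php (the usual WordPress hardening guidance, to be checked against your host's own advice), and the file locations wp-admin/install.php, wp-admin/upgrade.php and readme.html for the default files named above. The demo fixture it builds is constructed; no real site is touched.

```shell
#!/bin/sh
# Added example, not the article's or WordPress's own code: audit and harden
# a WordPress document root on disk. Assumptions: Apache 2.4 .htaccess syntax
# ("Require all denied"; on 2.2 use "Deny from all"), and permission targets
# files 644 / directories 755 / wp-config.php 600, which follow the usual
# WordPress hardening guidance but should be checked against your host.

# audit_wp_root DOCROOT  -- prints one finding per line, nothing when clean
audit_wp_root() {
    docroot="$1"
    for f in wp-admin/install.php wp-admin/upgrade.php readme.html; do
        if [ -e "$docroot/$f" ]; then echo "leftover default file: $f"; fi
    done
    grep -qs '^Options -Indexes' "$docroot/.htaccess" \
        || echo "directory listing not disabled in .htaccess"
    grep -qs 'Require all denied' "$docroot/wp-content/uploads/.htaccess" \
        || echo "PHP execution not blocked in wp-content/uploads"
    find "$docroot" -type d ! -perm 755 | sed "s|^$docroot/||; s|^|directory not 755: |"
    find "$docroot" -type f ! -name wp-config.php ! -perm 644 \
        | sed "s|^$docroot/||; s|^|file not 644: |"
    if [ -f "$docroot/wp-config.php" ]; then
        find "$docroot/wp-config.php" ! -perm 600 | sed 's|.*|wp-config.php not 600|'
    fi
}

# remove_default_files DOCROOT -- the files the article says to delete after
# installing. Core updates put them back (and wp-admin/upgrade.php is what runs
# the database upgrade after an update), so repeat this after every update.
remove_default_files() {
    for f in wp-admin/install.php wp-admin/upgrade.php readme.html; do
        rm -f "$1/$f"
    done
}

# write_htaccess_rules DOCROOT -- appends rules only if they are missing, so
# the rewrite rules WordPress keeps in the root .htaccess are left intact.
write_htaccess_rules() {
    docroot="$1"
    grep -qs '^Options -Indexes' "$docroot/.htaccess" || printf '%s\n' \
        '# added by hardening script: never show directory listings' \
        'Options -Indexes' >> "$docroot/.htaccess"
    mkdir -p "$docroot/wp-content/uploads"
    grep -qs 'Require all denied' "$docroot/wp-content/uploads/.htaccess" || printf '%s\n' \
        '# added by hardening script: uploads hold media, never executable PHP' \
        '<FilesMatch "\.php$">' \
        '    Require all denied' \
        '</FilesMatch>' >> "$docroot/wp-content/uploads/.htaccess"
}

# fix_permissions DOCROOT -- directories 755, files 644, wp-config.php 600
fix_permissions() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    if [ -f "$docroot/wp-config.php" ]; then chmod 600 "$docroot/wp-config.php"; fi
}

harden_wp_root() {
    remove_default_files "$1"
    write_htaccess_rules "$1"
    fix_permissions "$1"      # last, so the new .htaccess files get 644 too
}

# make_demo_root -- builds a throwaway fake install with typical mistakes and
# prints its path (constructed fixture; no real site is touched).
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    printf '<?php // leftover installer\n' > "$d/wp-admin/install.php"
    printf '<?php // leftover upgrader\n' > "$d/wp-admin/upgrade.php"
    printf '<html>WordPress readme</html>\n' > "$d/readme.html"
    printf '<?php // core entry point\n' > "$d/index.php"
    printf '<?php $table_prefix = "wp_";\n' > "$d/wp-config.php"
    chmod 755 "$d" "$d/wp-admin" "$d/wp-content"
    chmod 644 "$d/wp-admin/install.php" "$d/wp-admin/upgrade.php" "$d/readme.html" "$d/index.php"
    chmod 777 "$d/wp-content/uploads"    # world-writable upload directory
    chmod 666 "$d/wp-config.php"         # database credentials readable by all
    echo "$d"
}

# Stand-alone run: seven findings before hardening, none after.
demo=$(make_demo_root)
echo "--- before ---"; audit_wp_root "$demo"
harden_wp_root "$demo"
echo "--- after ---";  audit_wp_root "$demo"
rm -rf "$demo"
```

Against a real site you would run `audit_wp_root /var/www/html` (path assumed) first, read the findings, and only then call `harden_wp_root`. The uploads rule goes a step beyond the article: besides hiding the listing it refuses to execute any PHP file dropped into the media folder, which is where a back-door is most often planted, and it costs nothing because legitimate uploads are never PHP. Re-run the audit after every core update, since updates restore readme.html and wp-admin/upgrade.php.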
6. Keep everything up-to-date 
Hackers will look for vulnerabilities that they can exploit in older versions of WordPress, including outdated 
versions of WordPress plugins and themes. Ensure that all of your WordPress files, plugins, themes etc 
are always up-to-date to maintain strong levels of WordPress security. 
Consider a situation where a security flaw is found in an older version of WordPress. If you don’t keep 
current with WordPress updates and don’t remove the unnecessary WordPress mentions, it is easy for 
people to work out how best to exploit your WordPress security. It’s essential to update everything as soon as 
new versions become available. 
7. Security plugins 
Using additional security measures can be effective in preventing your WordPress site from being hacked. 
There are a number of free WordPress security plugins available that address many of the common 
security issues that most WordPress website owners face. Here is a list of the better security plugins I have 
come across:
Better WP Security 
Bullet Proof Security 
WP Login Security 2 
All In One WP Security & Firewall 
Wordfence 
Sucuri WordPress Security Plugin (paid plug-in) 
8. Universal registration 
If your website is currently set up so that anyone can register as a user, this can be a potential way for 
hackers to access your website. This option should only be necessary if you are running a community site 
where signing up is encouraged. So if you don’t run this type of website, you should prevent anyone from 
having the opportunity to register. Simply go to Settings > General in your WordPress dashboard. 
9. Do your research 
Plug-ins and themes are great. They make life easier and allow those without coding knowledge or the 
time needed to build a site from scratch to have a site ready in a short space of time. But beware. Many 
free themes are potential security risks. And out-of-date plugins can be good places for hackers to find 
holes in your security. Do your research and make sure only to install plugins that are tested with the latest 
version of WordPress and have solid reviews. 
10. Fire-power! 
Deploying a web application firewall (WAF) on your server helps protect your site against vulnerabilities 
found in plug-ins, out-of-date software and zero-day attacks. You should ask your hosting provider if they 
offer web application security as a service. If they don’t, then it may be a good indicator of the overall level 
of security they can offer. 
WordPress Security: Conclusion 
I am of course just scratching the surface here. The knowledge and tips above should allow you to begin 
optimising your WordPress security. The aim of my article was not to frighten you, or point out various 
vulnerabilities in the WordPress platform. The reality is that any website can be hacked. But there are significant 
measures you can take to avoid common hacking practices from threatening your website. 
Has your WordPress site been hacked before? Feel free to share your horror stories. 
Website by TheSocialShark © 2014. All rights reserved. 