The Complete WordPress Security Guide

WordPress websites have always been an easy target for hackers. If you don’t close every loophole in your blog, the chance of being hacked by a professional is always there. I’ve seen this happen to very professional bloggers, so don’t think it can’t happen to you.

Usually, a hacker looks for vulnerable WordPress installations using various scanning tools. When they find a vulnerable blog, they exploit the vulnerability to gain access and insert links to sites of ill repute. The aim is to use your blog to boost those sites’ Google PageRank (nowadays measured as Domain Authority and Page Authority).

What types of attacks to defend against

The attacks a WordPress site has to defend against differ in nature and in severity. Let’s look at the most common ones:

  • Brute-force login attempts: brute force is a common technique that tries to log in to the WordPress admin in order to take over data and administration capabilities. Mounting such an attack used to take effort, but cheap computing resources now make brute force one of the most likely ways an attacker will try to gain access to your blog.
  • SPAM in the comments: one of the most common attacks on blogs that use no protection at all. Bots post thousands of comments at a time, faster than the admin can remove them, creating confusion and failures in the WordPress platform.
  • Vulnerabilities in old versions and plugins: running an older version of WordPress is the surest way to be attacked, as many of its bugs are publicly known and have ready-made exploits. The same goes for plugins that have not been updated in a while; with the passage of time they become a possible security flaw.
  • SQL injection: although less common than in the past, this is the most dangerous attack method. An input form can give access to sensitive information and may allow the database contents to be modified.

For each of these attack types there are specific solutions, implemented through plugins or settings, that reduce the likelihood of your WordPress site being hit. Most often the attacks target dozens of machines at the same hosting provider and are highly automated.

It is also worth considering the protection techniques applied by your hosting provider. Many providers now offer hosting solutions specifically for CMSs, which makes security easier for the simple reason that the servers are already configured for that CMS.

Precautionary Measures To Prevent Hacking

Let’s take a look at how we can protect our WordPress site by taking these steps.

1. Limit Login Attempts

Blog security is the most important thing that we bloggers always have to keep in mind. There are always online threats out there: hackers and, most of all, idiots who are jealous of the success of our blog and try to sabotage it in some way. This is why we must take security very seriously and make sure we have a killer setup. One thing to always do is limit login attempts, to help combat the spammers who use automated software to register on multiple blogs and submit spam comments or spammy blog posts.

If you have money to invest in security now, I would strongly suggest using the iThemes Security Pro plugin. If not, follow this blog post, and this blog, for many security tips.

For this reason, the default role for new members should always be set to Contributor.

With this setting, a contributor can only submit a blog post for review and cannot publish it. This stops unwanted posts from going live, since you the admin, or your hired staff, must read each post before it is published. This is one setting I commonly notice on brand-new blog installs by novice bloggers.

Let’s turn back to securing the login form against bad actors. The one plugin I have found to be effective, and free, is the Limit Login Attempts plugin.

What this plugin does is limit login attempts. Say someone is trying to log in to your admin account using the “admin” username (which you should never use as your own login username). After X bad login attempts, they are blocked for X months, or forever, from trying to log in again. You set the rules.

You can also block IPs altogether if you come across a list of spammers that someone has posted elsewhere. Don’t forget to whitelist your own IP and those of your staff, so they don’t get blocked by accident.

The reporting feature lets you review what has been happening. Check these reports regularly to see what’s going on and decide whether you need to block an IP.

Give Limit Login Attempts a try and let me know whether it has resolved any issues for you.
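To make the behaviour described in this section concrete, here is an added example of a failed-login limiter. It is not the Limit Login Attempts plugin’s own code; it models the same idea (block a source after X bad attempts for a set period, escalate for repeat offenders, never lock out whitelisted staff addresses, keep a report of what happened) as a small in-memory class and drives it with constructed login events. The IP addresses, account names and policy numbers are all constructed for the example.

```python
"""Failed-login limiter with lockouts, escalation and an allowlist (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy knobs chosen for the example ("you set the rules").
MAX_ATTEMPTS = 4                      # bad attempts before a lockout
LOCKOUT_SECONDS = 20 * 60             # ordinary lockout: 20 minutes
LOCKOUTS_BEFORE_LONG = 4              # this many lockouts earns ...
LONG_LOCKOUT_SECONDS = 24 * 60 * 60   # ... a 24-hour lockout


@dataclass
class SourceState:
    failures: int = 0                  # bad attempts since the last lockout or success
    lockouts: int = 0                  # lockouts handed out so far
    locked_until: Optional[float] = None


class LoginLimiter:
    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)        # your own and your staff's IPs
        self.state: Dict[str, SourceState] = {}
        self.log: List[str] = []               # the "reporting feature"

    def is_locked(self, ip: str, now: float) -> bool:
        st = self.state.get(ip)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def attempt(self, ip: str, username: str, password_ok: bool, now: float) -> str:
        """Record one login attempt; return 'allow', 'deny' or 'locked'."""
        if ip in self.allowlist:
            # Allowlisted sources are never locked out (but still need the password).
            return 'allow' if password_ok else 'deny'
        if self.is_locked(ip, now):
            self.log.append(f"{now:.0f} {ip} attempt on '{username}' while locked out")
            return 'locked'
        st = self.state.setdefault(ip, SourceState())
        if password_ok:
            st.failures = 0
            return 'allow'
        st.failures += 1
        self.log.append(f"{now:.0f} {ip} bad password for '{username}' ({st.failures}/{MAX_ATTEMPTS})")
        if st.failures >= MAX_ATTEMPTS:
            st.lockouts += 1
            st.failures = 0
            repeat_offender = st.lockouts >= LOCKOUTS_BEFORE_LONG
            st.locked_until = now + (LONG_LOCKOUT_SECONDS if repeat_offender else LOCKOUT_SECONDS)
            self.log.append(f"{now:.0f} {ip} locked out for {st.locked_until - now:.0f}s (lockout #{st.lockouts})")
        return 'deny'

    def report(self, now: float) -> Dict[str, float]:
        """Currently locked sources and the seconds left on each lockout."""
        return {ip: st.locked_until - now for ip, st in self.state.items()
                if self.is_locked(ip, now)}


def simulate():
    """Constructed scenario: an attacker hammers 'admin'; staff mistype from an allowlisted IP."""
    lim = LoginLimiter(allowlist={'203.0.113.10'})   # constructed staff address
    results, t = [], 0.0
    for _ in range(MAX_ATTEMPTS + 1):                 # 4 bad passwords, then one more
        results.append(lim.attempt('198.51.100.7', 'admin', False, t))
        t += 1
    for _ in range(6):                                # 6 typos from staff, never locked
        results.append(lim.attempt('203.0.113.10', 'editor', False, t))
        t += 1
    results.append(lim.attempt('203.0.113.10', 'editor', True, t))
    return lim, results


def simulate_escalation(ip: str = '192.0.2.5') -> List[float]:
    """Constructed scenario: the same source earns lockout after lockout; returns each duration."""
    lim, durations, t = LoginLimiter(), [], 0.0
    for _ in range(LOCKOUTS_BEFORE_LONG):
        for _ in range(MAX_ATTEMPTS):
            lim.attempt(ip, 'admin', False, t)
            t += 1
        st = lim.state[ip]
        durations.append(st.locked_until - (t - 1))   # lockout length granted at the last failure
        t = st.locked_until + 1                       # wait it out, then the attacker returns
    return durations


if __name__ == '__main__':
    lim, results = simulate()
    print(results)
    print(lim.report(10.0))
    print(simulate_escalation())
    print('\n'.join(lim.log))
```

The escalation step is the part worth copying: a source that keeps coming back after each short lockout gets a much longer one, which is what turns a brute-force run from thousands of guesses a day into a handful. Keep the allowlist small and specific, since any address on it is exempt from the lockout entirely.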

2. Make Sure to Update As Soon As Possible

As WordPress develops, security issues keep surfacing too, so first of all make sure that you’re running the most up-to-date and secure version, and upgrade to the latest release as soon as you can. An outdated version invites malicious attacks and increases your exposure to hacking attempts. Most WordPress security failures occur when a user is running an outdated version of WordPress on their website.

New updates come out often, thanks to the efforts of the core developers. All you have to do is take advantage of them, and you can only do so if you keep your site updated to the latest version. This way your site is automatically protected against external threats.

Security updates are applied automatically, but major releases need to be installed manually from their respective pages. If you don’t take the time for these updates, you leave your site open to attack from hackers.

3. Password Strength

It is of utmost importance that you use a secure password for your website; this way you give a hacker a tough time breaking into your site.

If you use simple passwords like your name or “12345”, it will be easy for hackers to guess them and log in to your site. Hackers are very good at understanding human psychology, so even if you think a simple word like “password” could not be guessed, DON’T take the risk. Once hacked, you might lose your account, as the hacker may immediately change the password and start adding malware to your site.

So this is the rule of thumb: always choose a complicated password that is meaningful to you but that you are sure no one else can easily crack. It’s recommended that your password contain uppercase letters, lowercase letters and random numbers, so that the hacker is given a tough time.

You don’t necessarily need a long password, just a unique one that only YOU can easily relate to.

4. Use SSL Certificate

A Secure Sockets Layer (SSL) certificate is used by many websites, including Google, Facebook and Twitter. Instead of http in the address, you see https, which indicates that an SSL certificate is in use. This ensures that the connection is encrypted and safe to use.

So if your site involves entering usernames or passwords, you need an SSL certificate to secure everyone’s personal information.

Easy HTTPS Redirection and Verve SSL are two good SSL plugins currently available.

5. Use Trusted WordPress Themes

There are many directories full of themes and plugins you can use for your WordPress site, but not all of them can be trusted. Theme listings are created independently. There are some top-notch repositories whose themes have all been approved by volunteers, but you never know whether one of them contains malicious code that could cause a major WordPress malfunction.

Worse, such faulty themes and plugins may contain security loopholes, through which hackers can easily intrude into your site.

The best you can do is always check reviews from other people before downloading a theme for your site. Make sure the site offering that theme directory is known for its excellence, like WPMU DEV. Search for reviews from volunteers and then choose the best.

  • ThemeForest – ThemeForest is probably the most popular premium WordPress theme marketplace at the moment. Created by the team at Envato, it has over 6,000 WordPress themes covering a wide variety of styles and features.
  • Mojo Themes – Mojo Themes puts a little more emphasis on quality than ThemeForest; the average theme at Mojo Themes tends to be better than the average theme at ThemeForest, although Mojo Themes only has about 600 marketplace items.
  • SpyroPress – our own themes, with 100+ projects published on ThemeForest and more.

See more with List Theme here

Once you’ve got your theme installed, use the WordPress Exploit Scanner plugin, which searches through your website’s files and database tables and notifies you of any suspicious code.

a. Exploit Scanner

This plugin searches the files on your website and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

Download here

b. TAC (Theme Authenticity Checker)

TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.

Download here

c. WordPress Antivirus

This plugin is another very useful one; it scans your theme directory. It specifically detects the WordPress permalink back door, a very malicious piece of malware for WordPress that is used to access the database. The plugin shows green if your file is out of danger and red if your file may be in danger.

Download here
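The three scanners above all do the same basic job: walk the theme source, match each line against a list of suspicious constructs, and report the path, line number and snippet, with TAC also listing static links and Exploit Scanner flagging unusual filenames. The following is an added example of that kind of check, written for this guide; it is not the code of Exploit Scanner, TAC or WordPress Antivirus. The signature list is a short constructed sample (real scanners carry far longer lists and weigh hits by context), and the sample theme it scans is constructed in a temporary directory.

```python
"""Scan theme/plugin files for suspicious code, static links and odd filenames (added example)."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

Finding = Tuple[str, int, str, str]   # (relative path, line number, kind, snippet)

SCAN_EXTS = {'.php', '.html', '.htm'}

# Constructed signatures; real scanners carry much longer lists and weigh context.
SIGNATURES = [
    ('eval', re.compile(r'\beval\s*\(')),
    ('base64_decode', re.compile(r'\bbase64_decode\s*\(')),
    ('compressed payload', re.compile(r'\bgz(inflate|uncompress)\s*\(')),
    ('str_rot13', re.compile(r'\bstr_rot13\s*\(')),
    ('shell command', re.compile(r'\b(system|exec|shell_exec|passthru|popen)\s*\(')),
    ('preg_replace /e', re.compile(r"""preg_replace\s*\(\s*["'][^"']*[^\w\s]e["']""")),
    ('hidden element', re.compile(r'display\s*:\s*none', re.I)),
]
# A static external link, as TAC reports them (often where a tampered theme hides a backlink).
STATIC_LINK = re.compile(r"""<a\s[^>]*href\s*=\s*["'](https?://[^"']+)""", re.I)
# A PHP file named like a random hex string (six or more hex chars including a digit).
UNUSUAL_NAME = re.compile(r'^(?=.*\d)[0-9a-f]{6,}$')


def scan_file(path: Path, root: Path) -> List[Finding]:
    rel = path.relative_to(root).as_posix()
    findings: List[Finding] = []
    if path.suffix == '.php' and UNUSUAL_NAME.match(path.stem):
        findings.append((rel, 0, 'unusual filename', path.name))
    with path.open(encoding='utf-8', errors='replace') as fh:
        for lineno, line in enumerate(fh, start=1):
            snippet = line.strip()[:80]
            for kind, rx in SIGNATURES:
                if rx.search(line):
                    findings.append((rel, lineno, kind, snippet))
            m = STATIC_LINK.search(line)
            if m:
                findings.append((rel, lineno, 'static link', m.group(1)))
    return findings


def scan_tree(root) -> List[Finding]:
    """Scan every PHP/HTML file under root; findings are sorted by path and line."""
    root = Path(root)
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.suffix.lower() in SCAN_EXTS:
                findings.extend(scan_file(p, root))
    return sorted(findings)


# Constructed sample theme: clean files, one with an obfuscated eval, one with a
# hidden backlink, and one PHP file with a random-looking name.
SAMPLE_THEME = {
    'style.css': "/* Theme Name: Example */\n",
    'index.php': "<?php\n// constructed clean template\nget_header();\nget_footer();\n",
    'functions.php': "<?php\n// constructed functions file\nadd_action('wp_head', 'example_head');\n"
                     "eval(base64_decode('aGVsbG8='));  // constructed: decodes to 'hello'\n",
    'footer.php': "<?php // constructed footer ?>\n"
                  "<div style=\"display:none\"><a href=\"https://example.com/offer\">Cheap stuff</a></div>\n"
                  "<?php wp_footer(); ?>\n",
    'a3f9c1e2.php': "<?php\n// constructed file with a random-looking name\n",
}


def demo() -> List[Finding]:
    """Write the constructed theme to a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix='theme-scan-'))
    for name, body in SAMPLE_THEME.items():
        (root / name).write_text(body, encoding='utf-8')
    return scan_tree(root)


if __name__ == '__main__':
    for rel, lineno, kind, snippet in demo():
        print(f"{rel}:{lineno}: {kind}: {snippet}")
```

Treat every hit as something to read, not as proof of compromise: eval and base64_decode appear in legitimate code too, and a static link in a footer may simply be the theme author’s credit. The value of a scan like this is the path and line number, which tell you exactly where to look.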


6. Never keep a Default Username

Once your site is created, the username is already set to “admin”. This makes it easier for hackers to attack your site, as you have already handed them the username; now they only have to guess the password. So give them some tough luck and set a different username. The hacker is now one extra step behind you once you have manually changed it.

To change the username “admin” in MySQL, run this query in your MySQL admin tool (the default table prefix is wp_; adjust it if your installation uses a different one; note that the author slug, user_nicename, is not changed by this query and may still reveal the old name in author URLs):

UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';

or create a new, unique account with administrator privileges:

  1. Create a new account with a unique username
  2. Assign it the administrator role
  3. Log out and log back in with the new account
  4. Delete the old admin account

Be careful when confirming the deletion of the admin account, because WordPress will ask whether to delete all posts and links belonging to that account or attribute them to another user, as follows:

7. Secure wp-config.php file

Like other content management systems on the web, WordPress keeps updating its files to make itself more secure. The wp-config.php file is one of the most important files in the WordPress file system: it contains very sensitive information about your installation, including your database details, table prefix and secret keys, so it is essential that it be protected. The WordPress team works hard to improve security at their end, but you should keep up to date with the latest version of WordPress, hide your WordPress version from crackers, and take additional security steps of your own.

So the wp-config.php file must be secured against hackers, because it holds valuable information. If someone gains access to this file, they get the database username and password, can log in, and can undo everything you’ve built! Therefore, take whatever steps you can to secure that file so that no one can access it. To do so, follow these steps:

The wp-config.php file contains the database credentials, so make them as secure as you can. Keep in mind the following tips for a strong password:

  • Must be at least 15 characters.
  • Must be a combination of upper and lower case letters, and must include numbers and symbols if your hosting company allows them for the MySQL database password.
  • Must be unique and must not contain names or dictionary words.
  • You can use a Strong Password Generator to generate secure, random passwords; it’s free. But I recommend creating your own password.
  • Must not be the same as your FTP, cPanel, wp-admin, database or e-mail password, nor similar to the password of any social media account such as Facebook or Twitter.
  • Try to change your password frequently.
  • For security’s sake, never write your password on a piece of paper; keep it as secure as you can.
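The password rules in section 3 and in the list above are easy to state and easy to get wrong by hand, so here is an added example of a checker and generator that enforces them (at least 15 characters; upper and lower case, digits and symbols; no names or dictionary words; not reused across FTP, cPanel, wp-admin, the database or e-mail). This is written for this guide and is not the Strong Password Generator mentioned above or any plugin’s code. The word list is a constructed sample; a real deployment would check against a large breached-password list instead.

```python
"""Password policy checker and generator for the rules in sections 3 and 7 (added example)."""
import secrets
import string
from typing import Iterable, List

MIN_LENGTH = 15
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"

# Constructed sample of names and dictionary words; far too short for real use.
COMMON_WORDS = [
    'password', 'admin', 'wordpress', 'welcome', 'letmein', 'qwerty',
    'monkey', 'dragon', 'summer', 'john', 'mary', 'david', 'sarah',
]


def check_password(pw: str, other_passwords: Iterable[str] = ()) -> List[str]:
    """Return the names of the rules the password breaks (empty list = acceptable)."""
    failed = []
    if len(pw) < MIN_LENGTH:
        failed.append('length')
    if not any(c.isupper() for c in pw):
        failed.append('uppercase')
    if not any(c.islower() for c in pw):
        failed.append('lowercase')
    if not any(c.isdigit() for c in pw):
        failed.append('digit')
    if not any(not c.isalnum() for c in pw):
        failed.append('symbol')
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        failed.append('dictionary')          # contains a name or dictionary word
    if pw in set(other_passwords):
        failed.append('reuse')               # same as FTP/cPanel/wp-admin/db/e-mail password
    return failed


def generate_password(length: int = 20, other_passwords: Iterable[str] = ()) -> str:
    """Random password from the OS CSPRNG, regenerated until it passes check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f'length must be at least {MIN_LENGTH}')
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    others = list(other_passwords)
    while True:
        pw = ''.join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, others):
            return pw


if __name__ == '__main__':
    for candidate in ['12345', 'Password12345!@#', generate_password()]:
        print(repr(candidate), check_password(candidate) or 'OK')
```

The reuse check is the one people skip: pass the checker the passwords already in use for FTP, cPanel and the database, and a new WordPress password that matches any of them is rejected before it is ever set.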

Moving the wp-config.php file to an unpredictable location and editing the code would create a problem every time you upgrade WordPress. There is a better solution: create a separate PHP file in a non-WWW location (outside the web root) that holds the sensitive settings, and reference it from wp-config.php.

So you can change the location of your wp-config.php file from




Protect it the .htaccess Way

Here’s the code to protect the wp-config.php file (Apache 2.2 syntax; on Apache 2.4 the equivalent access rule is Require all denied):

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

After updating your wp-config.php, change its file permissions (chmod) to 640.
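Whether the three protections in this section are actually in place is easy to verify, so here is an added audit script written for this guide (not WordPress or any plugin’s code). It checks that wp-config.php is not group-writable or world-accessible (chmod 640 or stricter), that the .htaccess beside it contains a Files block for wp-config.php that denies access (accepting both the Apache 2.2 deny from all form used above and the Apache 2.4 Require all denied form), and that DB_PASSWORD meets the 15-character rule from the list above. The sample installation is constructed in a temporary directory; the mode-bit check assumes a POSIX filesystem.

```python
"""Audit the wp-config.php protections described in section 7 (added example)."""
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

FILES_BLOCK = re.compile(r'<Files\s+"?wp-config\.php"?\s*>(.*?)</Files>', re.I | re.S)
DENY_RULES = re.compile(r'^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)
DB_PASSWORD = re.compile(r"""define\s*\(\s*['"]DB_PASSWORD['"]\s*,\s*['"](.*?)['"]\s*\)""")
MIN_DB_PASSWORD_LENGTH = 15


def audit_wp_config(wp_root) -> List[str]:
    """Return a list of problem codes; an empty list means all three checks pass."""
    root = Path(wp_root)
    config = root / 'wp-config.php'
    problems = []
    if not config.is_file():
        return ['missing']
    # 1. Mode bits: nothing for "other", no write for "group" (0640 or stricter).
    mode = stat.S_IMODE(config.stat().st_mode)
    if mode & 0o027:
        problems.append(f'permissions:{mode:04o}')
    # 2. .htaccess must deny web access to the file (Apache 2.2 or 2.4 syntax).
    htaccess = root / '.htaccess'
    text = htaccess.read_text(encoding='utf-8') if htaccess.is_file() else ''
    if not any(DENY_RULES.search(body) for body in FILES_BLOCK.findall(text)):
        problems.append('htaccess')
    # 3. Database password length (the other strength rules need a full checker).
    m = DB_PASSWORD.search(config.read_text(encoding='utf-8', errors='replace'))
    if not m or len(m.group(1)) < MIN_DB_PASSWORD_LENGTH:
        problems.append('db_password')
    return problems


# The .htaccess block from this section, with its closing tag.
HTACCESS_RULE = """# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
"""


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed install that fails every check, then fix it and re-audit."""
    root = Path(tempfile.mkdtemp(prefix='wp-audit-'))
    config = root / 'wp-config.php'
    config.write_text("<?php\ndefine('DB_NAME', 'example');\ndefine('DB_PASSWORD', 'secret');\n")
    config.chmod(0o644)                      # constructed: the usual default, but too open
    (root / '.htaccess').write_text("# nothing protecting wp-config.php yet\n")
    before = audit_wp_config(root)

    config.write_text("<?php\ndefine('DB_NAME', 'example');\n"
                      "define('DB_PASSWORD', 'Vq7!mR4@zXk9#pL2$w');\n")   # constructed 18-char password
    config.chmod(0o640)
    (root / '.htaccess').write_text(HTACCESS_RULE)
    after = audit_wp_config(root)
    return before, after


if __name__ == '__main__':
    before, after = demo()
    print('before:', before or 'OK')
    print('after: ', after or 'OK')
```

Point audit_wp_config at a real WordPress root to run it for real. The permission check tolerates anything stricter than 640 (600 passes); on a host where PHP runs as a different user from the file owner, the group read bit is exactly what lets WordPress load the file while keeping everyone else out.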

2 thoughts on “The Complete WordPress Security Guide”

  1. Vignovich

    Thanks-a-mundo for the blog. Much thanks again. Really Great.
