The Ins and Outs of WordPress Security

WordPress is free and open-source nature, making it a popular target for hackers.

WordPress is the leading content management system and web builder, powering 40 percent of the web — including the official White House website and Microsoft’s blog.

That said, being number one comes with a price. Its open-source nature and its popularity mean that its various elements — the core software, themes, and plugins — are hot targets for hackers.

WordPress has a dedicated security team of 50 experts that collaborates with security researchers and hosting companies to identify and resolve top security threats to the core WordPress software. Even though WordPress is pretty secure already, hackers are always fighting to get in.

Site owners and administrators need to ensure they monitor their WordPress site 24/7 to detect security threats and vulnerabilities; with increased security, the lower the risk of a cyberattack.

In this article, we’ll look at what you can do to make your WordPress site more secure.

12 common web security mistakes

Studies show that there have been more cyberattacks in the first half of 2020 than in all of 2019. If there’s ever been time to safeguard your website, it’s now! Despite the increase of cyber threats, many site owners are not prioritizing their website security. Here are some of the most common mistakes site owners are making when securing their websites.

Email Lead Generation

Bad password hygiene

In 2021, people are still using “password” as a password. It’s true! And, according to a TechRepublic study, 53 percent of people admitted to using the same password for different accounts. Using a weak password or using the same password for all your accounts is like leaving your car doors unlocked — you are inviting trouble.

Email Lead generation

No password encryption

In this day and age, even if you have extremely strong passwords, it is imperative to add an extra layer of security by encrypting them. Encryption is a process that converts data into something unreadable to anyone without permission to access the information. Choosing strong passwords and encrypting them is like locking your car doors and having a security guard that looks like ‘The Rock’ watch over it.

To encrypt and keep track of your passwords, we recommend using a password manager like 1Password. 1Password protects data with the industry-standard 256-bit AES encryption algorithm (the same level of protection used by banks and governments).

Email Lead generation

No two-factor authentication

Two-factor authentication (2FA) is a security process that requires users to verify their login with another security step. For example, a user will enter their username and password, and instead of getting access immediately, they will be prompted to provide another piece of information — like a one-time pin (OTP) via text message. This extra security measure is one of the most effective ways to secure your account.

The Ins and Outs of WordPress Security

Too many admin privileges

With great power comes great responsibility — and not everyone might understand the liability of admin privileges. The more admins you have on your site, the easier it is for a bad guy to get in. Ideally, you should have as few admins as possible, and those who have been granted rights should follow appropriate measures to prevent any attacks.

The Ins and Outs of WordPress Security
The Ins and Outs of WordPress Security

Cheap web hosting

There are many vital factors to take into consideration when choosing a web hosting provider. Many people want to go with the cheapest one, but remember — you get what you pay for. Most web hosting providers don’t have adequate security solutions in place; therefore, the websites they power have weak protection from hackers. A good host can protect your site against hackers and help you recover quickly if in an attack.

The Ins and Outs of WordPress Security

Outdated FTP

FTP, short for “file transfer protocol,” is a network protocol for transferring files between computers. When FTP was developed, web security was not the issue that it is today. FTP’s data is transparent, and in most cases, is transmitted in plain text, leaving it vulnerable to a third-party interloper. While FTP was once the premier file transfer protocol, cybersecurity makes it almost impossible for it to exist in the modern age.

The Ins and Outs of WordPress Security

Dodgy software

Non-genuine, dodgy software is usually bundled with lots of dangerous malware. If you download and install illegal software, such as nulled plugins, the malware hidden within can not only steal information from your computer, but it can even go on to download more malware — exacerbating a problem that could have been avoided in the first place.

The Ins and Outs of WordPress Security

No WordPress hardening

WordPress hardening is the process of adding layers of protection to harden your website security further. This is done to make it as difficult as possible for hackers to get in. There are three key ways to harden your WordPress and amp up your security. Users can disable the file editor in the WordPress dashboard, store wp-config.php outside of the website root, and use secure file permissions.

The Ins and Outs of WordPress Security

Combined hosting and domain

We highly recommend buying your domain and web hosting from two different companies. There’s too much at risk by tying your domain name to your web host. Firstly, you could lose it if you ever decide to switch to another host, and if you get hacked, you could potentially lose control over your domain.

The Ins and Outs of WordPress Security

Insecure web connections

When your browser connects to a website, it can either use HTTP (insecure) or HTTPS (secure). When you see a little padlock in the URL, you know that a site is secure. If you don’t install an SSL (Secure Sockets Layer) certificate, users will feel unsafe on your site as their information can be easily compromised.

The Ins and Outs of WordPress Security

Enabled logs

Certain WordPress software and web servers have logs enabled. Keeping logs enabled can lead to serious security issues. Log entries contain user-sensitive data, which is very easy for a hacker to access.

The Ins and Outs of WordPress Security

OWASP’s top 10 web security risks

Open Web Application Security Project (OWASP) is a non-profit online community dedicated to helping software development teams improve software security. They have identified a list of their top 10 critical security risks for websites and applications.

1. Injection flaws

Injection flaws happen when invalid data is sent as part of a command or query. The attacker intends to trick the application into doing something it was not supposed to do, like giving private data access.

Solution: To prevent injection attacks, a user should lock down the WordPress editor, remove all plugins that allow direct file access to WordPress, and use data sanitization to sanitize WordPress functions.

2. Broken authentication

Functions related to authentication are often implemented incorrectly. This makes it easy for cyber attackers to compromise passwords, keywords, and session tokens.

Solution: Strategies to mitigate authentication vulnerabilities include auditing all user accounts on your site so that each user only has the access needed to perform their work. It’s also important to set up two-factor authentication and have password policy management tools in place.

3. Sensitive data

If sensitive data like credit card numbers and social security numbers aren’t protected,  attackers can access that data from exposure due to a network compromise or ransomware attack.

Solution:  Implementing a firewall can prevent DDOS attacks. A Web Application Firewall like CloudProxy Website Firewall analyzes traffic to your applications to stop cyberattacks.

4. XML external entities (XXE)

An XML external entity attack is a type of attack against an application that parses XML input. An XML parser can be tricked into sending data to an unauthorized external entity, passing private data directly to an attacker.

Solution: Use less complex data formats like JSON, upgrade XML parsers and disable the use of external entities in an XML application.

5. Broken access control

Access control means putting a limit on what sections of a site users can reach. If restrictions are not properly enforced, attackers can get access to user accounts and change access rights.

Solution: Monitor developments and regular update schedules of WordPress plugins that may unintentionally leave you vulnerable to this type of attack. Get rid of unnecessary accounts and assign proper user roles for each user in WordPress.

6. Security misconfiguration

Most successful attacks on WordPress happen when the default security settings have not been changed, or the software hasn’t been patched with the latest security updates.

Solution:  Review your site for proper configuration of any authentication or security-related functions in WordPress.

7. Cross-site scripting

Cross-site scripting, otherwise known as XSS, is a vulnerability that allows attackers to steal users’ cookies and impersonate them.

Solution: Enforce robust HTTPS configurations to prevent man-in-the-middle attacks and quickly release security-related patches to all WordPress software.

8. Insecure deserialization

Deserialization is the process that transforms serialized data from a file and converts it into an object. This leaves the web application open for the attacker to run remote code execution attacks and exploit this vulnerability.

An example of this could be a comments box on your website that doesn’t properly sanitize the data before sending it through the function. This allows an attacker to send malicious code via that comment box, allowing them an entry point to launch attacks such as DDoS.

Solution: Review your website code for the presence of unsterilized functions and replace them as needed. Use a safe data interchange format like JSON to pass serialized data.

9. Using components with known vulnerabilities

Hackers are always trying to figure out new ways of exploiting websites. As these exploits are discovered, the website’s components need to be updated as soon as possible to reduce the risk.

Solution: All website components (themes, plugins, WordPress core) need to undergo regular monitoring for the presence of modules with known vulnerabilities. As soon as any vulnerabilities are discovered, ensure they’re patched right away.

10. Insufficient logging and monitoring

Like with a common cold, it is better to stop a sniffle before it becomes pneumonia — the same goes for managing your website. Maintaining detailed logs of every action helps to find details of any exploit as soon as possible.

Solution: Track all WordPress user activity for your website. Monitor any file changes at the server level to detect the presence of malicious or wrongly modified code and your sites for responsiveness and whether it’s online.

How to beef up your WordPress security

Now that we have a solid understanding of WordPress sites’ threats, let’s look at what you need to do to strengthen your site’s security.

The Ins and Outs of WordPress Security

Plan for hacks and malware removal

Malware is a term used to describe any malicious software programmed to attack a computer, service, or network. If cybercriminals had a weapon, this would be it. It’s typically used to extract personal data that can be leveraged over victims for financial gain. Malware can also be installed on a computer through remote administrator access or physical access to a computer.

Prevention is better than cure when it comes to malware, but there are ways to remove it in the case of an attack. Tools like Malwarebytes, Avast, and Kaspersky could help you get rid of malicious software.

Read more about anti-malware tools.

Backup, backup, backup

Data backups are critical in a time where cyber-attacks are on the rise. There are multiple benefits to backing up your data to a remote, cloud-based server — this includes accessibility at any time and anywhere. It’s more cost-effective than hardware storage, and many cloud storage providers add additional layers of security.

According to Tech Radar, cloud-backup platforms can vary greatly, but some of the top ones include IDrive, Nordlocker, pCloud, and Dropbox Business.

Invest in anti-spam protection

Not to be confused with the canned lunch meat, spam refers to any unsolicited digital communication sent out in bulk. Other than being a nuisance, spam messages are dangerous because they could carry viruses or malware. It’s best to avoid any spam messages at all costs.

You can protect yourself from spam by installing anti-spam software or a trusted antivirus with spam-blocking functionalities.

Block brute-force attacks

A brute force attack is essentially trying every possible key to open a lock. But in this context, the key is a password. The most common form of brute force attack is a dictionary attack. The attacker uses a dictionary that contains millions of passwords and attempts to log in to your account.

The easiest way to block a brute force attack is to enforce a strong password policy. You could also limit failed login attempts and use two-factor authentication.

Mitigate DDoS attacks

A DDoS (distributed denial-of-service) attack targets websites and online services. It’s when a hacker makes your website inoperable by flooding it with an overwhelming amount of traffic.

You can prevent a DDoS attack by securing your infrastructure with multi-level protection strategies — this could include implementing a system that combines firewalls, VPN, anti-spam, content filtering, and other security techniques.

Why WordPress?

Outsourcing your WordPress security

Now that we have a solid understanding of WordPress sites’ threats, let’s take a look at what you need to do to strengthen your site’s security.

With the rise in cyber attacks and the ever-changing tactics of cyber threats, more and more businesses outsource their web security.

Besides being freed up to focus on your core services, outsourcing your web security will save you money and ensure that your business stays safe and compliant when it comes to data. Ask yourself, can you afford a data breach? Are you doing everything in your power to avoid one? If not, trust a security expert to keep your website safe.

Some of the important security features that every WordPress maintenance partner should offer include managed updates, 24/7 malware monitoring, activity tracking, SSL certificates, and firewall protection. Check out SiteCare’s comprehensive solution here.

WordPress Security

WordPress security made easy with SiteCare.

Let SiteCare’s security experts help you secure your WordPress site.

Get in touch today.

WordPress security FAQs

  • How can I secure my WordPress site against hackers?

    Follow these best practices when securing your WordPress site

    1. Use safe plugins and themes.
    2. Make use of a firewall.
    3. Monitor your site with a security plugin.
    4. Run updates regularly.
    5. Make passwords strong and change them often.
    6. Limit login attempts.
    7. Limit access and manage user permissions.
  • Where can I see what changes have been made to my version of WordPress?

    After a manual upgrade, you will be redirected to the About WordPress screen for details of changes. You will receive an email after an automatic update has been completed detailing the changes.

  • Where can I see WordPress security notifications?

    When a new release becomes available, a notification will appear on your site dashboard to alert you to upgrade your WordPress software.

  • Are some WordPress security updates automatic?

    The WordPress Security Team resolves some security threats with automated security enhancements. These enhancements update and install automatically, with no action required from the site owner or administrator.

  • What are the most common WordPress security threats?

    Brute-force login attempts, DDOS attacks, Backdoors, Pharma hacks, SQL injections, Malicious redirects, Cross-site scripting attacks.

WordPress security glossary of terms

Brute-force attack

A brute-force attack is an attack that uses a combination of passwords with the hope of eventually guessing it correctly.

DDOS Attacks

A DDOS or distributed denial-of-service attack is designed to target websites. The aim is to flood them with more traffic than the server or network can accommodate, making the website unavailable to users.


A firewall is a security system that monitors incoming and outgoing network traffic based on security rules. A firewall acts as a barrier between a trusted network and an untrusted network.


FTP or file transfer protocol is a way of transferring files from a server to a client computer.


Breaching the defenses and gaining unauthorized access to data in a system.


A file that records every event executed on a system.


A piece of software that is designed to damage or gain unauthorized access to a computer system.


Open-source software is software with source code that is released under a license allowing anyone to modify and enhance it.


The Open Web Application Security Project (OWASP) is an online community that produces free, publicly-available documentation and tools in the field of web application security.


Phishing is a type of social engineering attack where the attacker impersonates themselves as trustworthy entities to obtain sensitive information such as usernames, passwords, or credit card details. This can be done via email, text, or instant messages.


Spam is unsolicited digital communication that gets sent out in bulk.


SSL Stands for secure sockets layer. It’s designed to provide communications security over a computer network.

SSL Certificate

SSL Certificates are small files that digitally bind a security key to an organization’s details. When a web browser contacts your secured website, the SSL certificate enables the encrypted connection.


SQL stands for Structured Query Language. It is designed for managing data held in a relational database management system.

WordPress hardening

The process of adding layers of protection to reduce the risk of website attacks.

Web filtering

A program designed to restrict what web content users can visit on their computer.

Need help with WordPress Security?

Our WordPress experts are ready to help you manage, maintain, safeguard, and improve your website.

Get in touch