New Tips for WordPress Security

Earlier this month, WP Mayor ran an article about WordPress Security, including the following statistics on the 117,000 WordPress sites hacked in 2013:

41% were hacked via their hosting provider. This means that the hackers exploited a vulnerability, or took advantage of insecure hosting provider configuration to be able to hack into the WordPress blogs and websites hosted by the vulnerable hosting provider.

29% were hacked via a vulnerability in the WordPress theme they were using. This means a hacker identified a vulnerability in a theme that was installed on the WordPress installation and by exploiting it, the attacker managed to gain access to the WordPress website.

22% were hacked via a vulnerability in a plugin that was installed on WordPress. The same as above, this means that a hacker exploited a vulnerability in an installed plugin.

8% were hacked because an account on that WordPress installation was using a weak password.

Here are a few tips to help prevent each of these types of attack:

Password security

People who use common dictionary words, or easily searched song lyrics or phrases, are at risk of having their passwords cracked. Even people who turn “thequickbrownfox” into “t4equ!ckbr0wnf0#” get their passwords cracked, because cracking tools apply the common letter substitutions to these well-known phrases as a matter of routine.

Currently, a string of unrelated dictionary words, such as XKCD’s famous example “correcthorsebatterystaple,” is one of the most secure methods of password creation. However, users should also add a second layer of protection, such as a two-step authentication plugin.
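The substitution trick and the unrelated-word passphrase described above, as an added Python example that is not part of the original article: it reverses common letter substitutions to test whether a password is just a disguised well-known phrase, and works out the entropy of a randomly chosen multi-word passphrase. The phrase set, the reverse-substitution table and the wordlist are constructed stand-ins, not real cracker data.

```python
import itertools
import math
import secrets
from typing import Optional

# Constructed stand-in for a cracker's phrase list; real checkers load large
# dictionaries plus breach corpora. The XKCD example itself is on every such list.
COMMON_PHRASES = {"thequickbrownfox", "correcthorsebatterystaple",
                  "password", "letmein", "iloveyou"}

# Characters a substitution rule may have produced, mapped back to the letters
# they could stand for (constructed; includes the article's h->4, i->!, o->0, x->#).
REVERSE = {"4": "ah", "@": "a", "3": "e", "1": "il", "!": "i", "|": "il",
           "0": "o", "#": "xh", "$": "s", "5": "s", "7": "t", "+": "t"}

MAX_CANDIDATES = 4096  # bound the expansion so pathological input stays cheap


def is_disguised_phrase(password: str) -> Optional[str]:
    """Return the known phrase this password is a substitution of, or None.

    Every substitutable character expands to each letter it might replace and
    the candidates are looked up in the phrase list: the same mapping a cracking
    rule set applies, run in reverse."""
    choices = [REVERSE.get(ch, ch) for ch in password.lower()]
    if math.prod(len(c) for c in choices) > MAX_CANDIDATES:
        return None  # too ambiguous to enumerate; unknown, not proven safe
    for combo in itertools.product(*choices):
        word = "".join(combo)
        if word in COMMON_PHRASES:
            return word
    return None


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy in bits of word_count words drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


# Constructed tiny wordlist for the demo; a real list has thousands of entries
# (a 7776-word diceware list gives about 12.9 bits per word).
WORDS = ["maple", "rocket", "silent", "harbor", "copper", "violet", "tundra", "bishop"]


def make_passphrase(wordlist=WORDS, word_count=4) -> str:
    """Join randomly chosen unrelated words, using the OS CSPRNG."""
    return "".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ("t4equ!ckbr0wnf0#", "correcthorsebatterystaple", make_passphrase()):
        print(pw, "->", is_disguised_phrase(pw) or "not a known phrase")
    print(f"4 words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

The checker flags the article's leet-substituted example as the phrase it hides, while a passphrase built from the wordlist passes because its strength comes from random word choice, not from disguising a known string.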

Plugin security

Plugin security is only as good as the plugin developer. If there is a vulnerability in a plugin, a hacker can use that vulnerability to enter your WordPress site. Only install plugins from developers you trust, like developers you’ve used before or developers who have high ratings or reviews. It’s difficult to judge whether a plugin has vulnerabilities, so you’ll need an additional layer of network security to protect your WordPress site and your computer.

Theme security

Like plugin security, theme security is only as good as the developer. Add a level of protection by only choosing themes listed in WordPress’s theme directory, rather than from random sites found online. However, as with plugins, you won’t really be able to tell if any given theme is vulnerable, so you’ll need an additional level of protection.

Hosting security

Hosting security is difficult because you can’t control the network security of your hosting provider. If the provider is compromised, you’re exposed even though you had no control over the matter. Nearly all hosting providers are reputable and trustworthy, but they are vulnerable to hackers in the same way that banking websites, social media websites, and any other major site relying on a large number of user logins are vulnerable.

Improving your network security

As noted above, it’s difficult to fully control plugin security, theme security, or hosting security. Because of this, consider adding an additional layer of network security that addresses the need for enterprise risk management, thereby protecting you with deep cyber intelligence. These solutions are especially effective for businesses that use WordPress as their primary website, or that use a WordPress-hosted shopping cart for sales transactions. Since working with WordPress does carry a small amount of risk, it’s your responsibility to apply the appropriate level of risk management.

What about for individuals? If you’re using WordPress simply to host your personal blog, it’s probably enough to use a secure password and make sure that the same password doesn’t unlock other important sites such as your bank account. However, as soon as you start using WordPress to sell merchandise or otherwise promote a brand or business, especially if you use WordPress to collect personal information from customers or fans, you need to start thinking about your network security and considering risk management options.

117,000 WordPress sites got hacked last year. Use these tips to make sure yours isn’t part of this year’s tally.


Alyona Galea
Alyona is a WordPress enthusiast, focused on sharing interesting things she comes across during her work with this great CMS. She loves exploring new destinations and maintains a travel blog at


2 Responses

  1. A series of malware software scans is now available. It really is worth running them occasionally. You might also want to check the files on your server for directories that are inaccessible to you.
