New Tips for WordPress Security

Written by Alyona Galea
Written by Alyona Galea

Partner Sponsors


Full disclosure: If you purchase through a link on our site, we may earn a commission. Learn more.

Earlier this month, WP Mayor ran an article about WordPress Security, including the following statistics on the 117,000 WordPress sites hacked in 2013:

41% were hacked via their hosting provider. This means that the hackers exploited a vulnerability, or took advantage of insecure hosting provider configuration to be able to hack into the WordPress blogs and websites hosted by the vulnerable hosting provider.

29% were hacked via a vulnerability in the WordPress theme they were using. This means a hacker identified a vulnerability in a theme that was installed on the WordPress installation and by exploiting it, the attacker managed to gain access to the WordPress website.

22% were hacked via a vulnerability in a plugin that was installed on WordPress. The same as above, this means that a hacker exploited a vulnerability in an installed plugin.

8% were hacked because an account on that WordPress installation was using a weak password.

Here are a few tips to prevent each of these types of hackers:

Password security

People who use common dictionary words, or easily-searched song lyrics or phrases, are at risk of having their passwords cracked by hackers. Even people who turn “thequickbrownfox” into “t4equ!ckbr0wnf0#” get their passwords hacked, as crackers run common letter substitutions along with these well-known password phrases.

Currently, using a string of unrelated dictionary words, such as XKCD’s famous example “correcthorsebatterystaple,” is one of the most secure methods of password creation. However, users should also add additional security, such as a two-step authentication plugin.

Plugin security

Plugin security is only as good as the plugin developer. If there is a vulnerability in a plugin, a hacker can use that vulnerability to enter your WordPress site. Only install plugins from developers you trust, like developers you’ve used before or developers who have high ratings or reviews. It’s difficult to judge whether a plugin has vulnerabilities, so you’ll need an additional layer of network security to protect your WordPress site and your computer.

Theme security

Like plugin security, theme security is only as good as the developer. Add a level of protection by only choosing themes listed in WordPress’s theme directory, rather than from random sites found online. However, as with plugins, you won’t really be able to tell if any given theme is vulnerable, so you’ll need an additional level of protection.

Hosting security

Hosting security is difficult because you can’t control the network security of your hosting provider. If they go down, you’re vulnerable even though you had no control in the matter. Nearly all hosting providers are reputable and trustworthy, but they are vulnerable to hackers in the same way that banking websites, social media websites, and any other major site relying on a large number of user logins is vulnerable.

Improving your network security

As noted above, it’s difficult to fully control plugin security, theme security, or hosting security. Because of this, consider adding an additional layer of network security that addresses the need for enterprise risk management,  thereby protecting you with deep cyber intelligence. These solutions are especially effective for businesses that use WordPress as their primary website, or who use a WordPress-hosted shopping cart for sales transactions. Since working with WordPress does include a small amount of risk, it’s your responsibility to take the appropriate level of risk management.

What about for individuals? If you’re using WordPress simply to host your personal blog, it’s probably enough to use a secure password and make sure that the same password doesn’t unlock other important sites such as your bank account. However, as soon as you start using WordPress to sell merchandise or otherwise promote a brand or business, especially if you use WordPress to collect personal information from customers or fans, you need to start thinking about your network security and considering risk management options.

117,000 WordPress accounts got hacked last year. Use these tips to make sure yours isn’t part of this year’s tally.

If you enjoyed this post, make sure to subscribe to WP Mayor’s RSS feed.

This article was filed in our , archives.
Written by Alyona Galea
Alyona is a WordPress enthusiast, focused on sharing interesting things she comes across during her work with this great CMS. She loves exploring new destinations and maintains a travel blog at

In this article

Discover More

2 Responses

  1. A series of malware software scans are now available. It really is worth running them occasionally. You might also want to check the files on your server for directories that are inaccessible to you.

Share Your Thoughts

Your email address will not be published. Required fields are marked *

New discoveries, every week.
Join thousands of designers, developers, and builders that come to WP Mayor to find the best guides, tools, and services for their next website. One email, once a week.
WP Mayor Newsletter

Claim Your Free Website Tip 👇

Leave your name, email and website URL below to receive one actionable improvement tip tailored just for your website within the next 24 hours.

"They identified areas for improvement that we had not previously considered." - Elliot

By providing your information, you'll also be subscribing to our weekly newsletter packed with exclusive content and insights. You can unsubscribe at any time with just one click.

What's missing?