Instructions Quick Tips WordPress


Tens of thousands of WordPress sites get hacked and blacklisted every week. No matter what you’re using your WordPress site for, you don’t want yours to become one of these.

This is especially true if you’re using it for business. Imagine all your business clout, all your links, and connections, gone in a flash.

Pretty scary, right?

The WordPress platform is fairly secure by default. Despite that, because it’s so popular and so frequently updated, new security holes pop up almost every day.

Because of that, you need to do everything in your power to harden your website and protect it against attacks – in this article; you’ll learn how to do that and more!

This guide contains both the basic and advanced techniques used for improving WordPress security, as well as tips on how to build your site to be secure from the ground up while also reinforcing it after the fact.

Don’t worry – even if you’re not too tech-savvy, you’ll find this information useful. 

So, let’s get started!

WARNING: This guide is very long. Use the following buttons to browse through sections.

Table of Contents:

WordPress Security Basics

The Importance of WordPress Security

Is WordPress Secure Enough?

The Types of Attackers that Could Target Your Website

Why Would Attackers Target Your Website

How to Implement Good WordPress Security When Starting Your Website

How to Choose Secure WordPress Hosting

How to Make Sure Your Workstation is Secure

How to Use the Best Version of WordPress

How to Find the Right WordPress Security Plugins

The Most Common WordPress Security Vulnerabilities – And How to Avoid Them

Denial of Service

Brute-Force Login Attempts

PHP Code Vulnerabilities

Pharma Hacks


Cross-Site Scripting

SQL Injection Attacks

Malicious Redirects

Keeping Your WordPress Site Secure on a Day-to-Day Basis

How to Sign-In Securely

How to Secure Your Password

How to Create New Pages and Posts Securely

How to Securely Create New Users

How to Keep the Comment Section Secure

Securely Adding Themes, Plugins, and Widgets

Securely Using the File Transfer Protocol

Advanced WordPress Security Tips

Restricting File Permissions

Protecting Your wp-config.php File

Protecting Your WordPress Admin

Enable the HTTPS Protocol

Hide WordPress Version Information

Disabling XML-RPC

Implement a WordPress Security Audit Log

Enable a WAF

Customizing Your .htaccess File

Hotlinking Prevention

Make Sure to Use WordPress Backup

How to Check if Your WordPress Website Has Been Hacked

Final Word

WordPress Security Basics

Here you’ll learn about the basics of WordPress security – why it’s essential, how secure is WordPress by default, how your WordPress website could be targeted, by whom and why.

If you know where the attack is coming from and what’s being targeted, it will be easier for you to defend yourself in the long run.

If you’ve ever asked yourself “how secure is WordPress?” or “who would ever want to hack my small gardening blog?” this is where you’ll find the answers.

↑ Table of Contents ↑

The Importance of WordPress Security

You might think – ‘ah, it’s no big deal, I don’t need to secure my website further, nothing will happen’ – and it might not. You might be fine – but on the other hand, you might lose a website that you poured hundreds to thousands of hours of your life into.

Not securing your WordPress website properly is like not locking your door at night because no one ever tried to break into your house before and you live in a safe neighborhood.

Sure, there’s a high possibility that nothing will happen but if and when it does, you’ll be left completely vulnerable, and you’ll get all your stuff stolen.

The worst things that could happen to you if you don’t secure your site correctly include:

  • losing your website
  • losing your personal info
  • losing the personal info of your website users
  • losing money on your credit card
  • losing access to your bank account
  • losing your accounts on other websites (including your email account and more)

Now, WordPress security is not just a one-time thing, nor is it just one thing. It’s a process, a constant cycle of continuous maintenance, updates, and improvements designed to prevent security holes from appearing and plugging up ones that do arise.

It’s not something you do once and forget about it – it’s something you need to worry about all the time.

Also, you need to keep in mind that you will never be able to make your website completely safe – you’re only reducing the risk and potential damage to an absolute minimum.

Even if someone does manage to break into your website, keeping up good security will limit the possible damage.

↑ Table of Contents ↑

Is WordPress Secure Enough?

All of this might make you wonder – is WordPress secure enough? The answer to that question is a bit more complicated than a simple ‘yes’ or ‘no’ since WordPress is an incredibly complex platform.

The WordPress core development team does have a dedication to making the platform as safe as it can be in its default form and they are doing an excellent job of it. Community efforts at reporting bugs and weak spots are also helping. So, core WordPress is relatively safe.

Some of the safety features included in the core of WordPress include automatic updates, update notifications for new versions of the core platform, plugins and themes, password generation, user roles, and a lot of back-end protections.

However, keeping WordPress secure requires a bit of effort from the user as well – that means you.

Here are a few simple things you can do to make sure that your core WordPress is secure.

  • Keep WordPress Updated – One of the best ways to keep your WordPress site secure is to keep your WordPress core up-to-date. That way you will have fixes to new security holes as soon as they’re available.
    Doing this is rather straightforward – on your dashboard, go to the updates tabwhere you can see what your current version of WordPress is and check for WordPress updates.

    Minor versions should update by default unless you’ve changed the settings, but larger versions require you to perform a manual update. 
  • Keep Plugins and Themes Updated – Besides the core of WordPress, plugins, and themes are among the most vulnerable parts of a WordPress website.

    Keeping them up to date will help you reduce the risk, and this can be done manually in the updates tab on the dashboard. Some plugins and themes might have automatic updates, but most don’t – check their settings just in case. 
  • Reduce the Attack Surface – There are many avenues that attacks can come from – if you close most of them, you’re already more secure. 

    In practice this means running only the plugins and themes that are necessary, deleting all unused user accounts, removing all applications and widgets you don’t use, limiting access to your files, deleting or hiding all unnecessary pages on your website and so on. 
  • Use Trusted Sources – Never install plugins, themes or widgets from unverified sources. Don’t be tempted by offers of ‘limited beta releases’ or similar scams.

    Also, don’t take WordPress advice from unverified sources and don’t log in from PC’s which are not secure enough. Stick to what you know and what you’re sure is safe. 
  • Stay Informed – Find a reliable source of WordPress news, something like the news section of for example. Follow it and regularly check for news about possible exploits and employ extra protection until a fix is found and deployed.

    Try to do the same for each of your themes and plugins – if needed, uninstall them when you found out there’s a new exploit for them and reinstall them when it’s fixed.

    Security updates for themes and plugins can take quite a while to come out. Either way, it’s important to stay well-informed and vigilant. If you’re informed that there’s a potential risk, you can take steps to preempt an attack.

There’s even more stuff you can do to secure your website, but you’ll find out more about that later.

↑ Table of Contents ↑

The Types of Attackers that Could Target Your Website

Generally speaking, there are two types of attackers which might target your website – humans and bots.

The main difference between the two is that the first one is a real-life human being actively trying to get into your site, while a bot is an automated script or program that a person is using to try and attack your site or, more commonly, many sites at the same time.

Here’s some more in-depth info on the matter:


When you think of hacking, the first thing you think about is a person sitting at their keyboard, typing away furiously, trying to get into some restricted area.

This is rarely true, and most hacking is not actively done by a hacker – most of it is done by bots or bot networks (botnets for short).

Single bots will be run by a single machine, while botnets involve an entire network of computers running the same program.

Bots are automated programs written by hackers to do most of the work for them – and more effectively than they ever could.

Visiting hundreds of websites and trying to log into each one of them using a standard password is something that would take a single person a long time to do, but if that person writes an effective bot program, the program can do it for them in a flash.

Bots are usually programmed to try and exploit one or more specific vulnerabilities in a certain version of WordPress or a plugin or theme, etc.

They will try this attack on multiple websites in hopes of succeeding on some of them. Bots may also try one form of assault on a single website many times – like trying to log in thousands of times with many different passwords.

Most of the bots will rely on penetrating through simple vulnerabilities that have probably already been fixed – but are recent enough that there are still websites out there which haven’t performed the required updates to fix it.

Due to this, the majority of bot attacks can be preempted merely by regularly installing updates.

Bot attacks also aren’t sophisticated and are incredibly aggressive, which makes them predictable and easier to detect.

However, if they’re exploiting a new, undiscovered vulnerability (also known as a “zero-day vulnerability” or “zero-day exploit”), they can compromise a large number of sites in a short amount of time.


This is the case when an individual hacker manually tries to get past your site’s defenses and take control of it or extract some information. Rarely is a website targeted individually, even by bots, and even rarer still is the case where an actual human attacker is targeting it.

If your site is receiving this type of attention, it’s probably extremely valuable, or some upstart hacker is using it to train their skills. In this case, the attack is much more difficult to detect.

Human attackers can take it slow and employ methods which are far more sophisticated and less likely to trip any security measures you might have in place. They can see what works and what doesn’t and predict your defenses, then go around them.

They are also able to employ a type of attack that a bot can never perform – an attack through social engineering. This entails employing tricks that con-artists and similar charlatans use to extract information from unsuspecting targets.

They might pretend to be a member of WordPress support and convince you to tell them your password, for example,

Luckily, you will probably never encounter this type of attack since it is much harder to deal with.

↑ Table of Contents ↑

Why Would Attackers Target Your Website

One of the reasons why most people don’t take time to secure their websites properly is this simple thought – ‘Why would anyone want to target my website? There’s nothing to gain from it!’

Well, there is something to gain from it, even if you might not be aware of it. Here are some of the most common reasons why attackers might be targeting your website.

Stealing Your Data – Data is power in the digital age, and it is one of the most valuable assets anyone can have. This can happen even if you think you might not have any useful data that attackers can steal. 

For example, they could steal the email addresses and passwords of your users, and you’re bound to have someone using the same password for both their WordPress and email account.

This allows the attackers to steal more info and their accounts on other sites. Some accounts, like those linked to popular video games, can be extremely valuable. 

This can also lead to a domino effect – one compromised account is enough to cause hundreds or thousands of others to be compromised as well. 

Attackers can also steal data like your credit card information or your real name, opening up even more avenues of attack and allowing them to engage in identity theft.  If you’re running a business, the risks are even more significant. 

No matter how small and insignificant you think you are, there’s a chance that someone could profit significantly out of extracting data from your site.

Hosting Malicious Content – Another reason why attackers might want to get into your site is to get a safe platform where they can host malicious content.

They can do this even without your knowledge and mask it as regular content on the site – for example, replacing all the hyperlinks in an article to links to porn sites or other sites the hackers are paid to advertise with such tactics.

These links could also be more malicious than that, serving as a way to infect unsuspecting user’s PC’s with malware and adware, allowing them to gain access to their information or even lock down their PC’s and ask for ransom.

They could also create new pages on your site designed specifically for phishing – tricking the users into giving them their private info, such as passwords and credit card numbers.

Besides that, they could also use your website to host legitimate pages that they want to advertise or use your site to improve the SEO of their own. They do this by planting links on your site to theirs, posting additional pages to your site and more to give their own an SEO boost.  

Finally, it’s possible that attackers could use your website to host messages about illegal activities and links to them. This could include things like prostitution, drug deals, gambling and more. 

But why would they use your site for that? Well, because it’s probably inconspicuous and doesn’t have a bad reputation. Practically any site is at risk for such attacks, even if it’s relatively small in size.

Stealing Your Bandwidth – Your bandwidth can be stolen through a wide variety of ways, the most common of which is through hotlinking images. People doing it might not even know that they’re doing it. 

However, attackers could also be aiming to steal your bandwidth for nefarious purposes.

Once your site becomes a ‘slave’ of these hackers, your bandwidth could be used for mounting attacks on other sites or things like bitcoin mining. The monero mining hack is an excellent example of the latter.

Another common reason for stealing bandwidth is sending spam. You might not even notice this type of hack as it might be just a small slowdown or a minor spike in the bandwidth used.

Spam watchdog services might notice, however, and blacklist your site before you even find out you’re compromised.

The worst part is that this might incur you a massive cost for server maintenance without you even knowing that anything is going wrong until the bill arrives. At that point, you’ll have almost no choice but to pay up.

Just For Fun – Yes, it is possible for attackers to target your website just because they can. Some hackers use this as proof of their clout and a way to spread their names by proving that they can hack into a more significant number of websites and deface them.

Some do it just for sport or because they might have an issue with the subject of the site – vegan sites are a popular vandalism target for example.

Some groups do it for political reasons as well, aiming to spread their message through defacing your site. Either way, this could cause your website to be a target regardless of its size and content.

As you can see, no matter how large your site is, no matter the content you host on it, it is still possibly valuable enough for attackers to get a hold of it.

These are just some of the most common reasons for hackers targeting WordPress websites, and there are more. If you don’t secure your site correctly, you’re at risk, all the time.

The best way to secure yourself is not only to practice good security habits but to build your site from the ground-up with security in mind. In the next section, you’ll find out how to do precisely that.

↑ Table of Contents ↑

How to Implement Good WordPress Security When Starting Your Website

One of the best ways to secure your WordPress site and to make sure it stays secure is to build it with security in mind. If you have a good foundation, you’ll find that everything after that will come easier and you won’t have to worry as much.

If you weren’t thinking about WordPress security when making your website, you might find yourself stuck, unable to solve a crucial security hole without uprooting or remaking your entire website from scratch.

None of this is easy but it might be necessary to save your hard work if your site has weak foundations.

However, if you do make your site with security in mind, you’ll have a better base to build your security on, and you won’t have to worry about some basic things.

For example, if you choose a good host straight away, you won’t have to make up for it with additional plugins and widgets that might themselves compromise your site further.

But, how do you lay the proper groundwork for a secure WordPress site? Well, this is where you’re going to find that out.

↑ Table of Contents ↑

How to Choose Secure WordPress Hosting

When you’re creating a WordPress site, choosing the right hosting service is probably the first and most important thing you should be thinking about.

Of course, it can be incredibly difficult to choose the right hosting service – there are many of them out there, too many to count.

Someone who’s just building their first WordPress site might choose the first one they come across simply because they don’t know any better and don’t have the time to learn about it.

Well, you should definitely take the time to learn more about WordPress hosting and this section will provide a concise but informative look at how to choose the right WordPress hosting service.

So, to start with – what is a hosting service and what does it provide?

Well, to put your website out there on the internet, you need some way to store all the information, and you need bandwidth to allow your visitors to be able to load pages. Hosting services, also called web hosts, provide all of that for you, for free or at a cost.

Of course, there is also the option of not choosing a hosting service at all and hosting the website yourself.

However, for most people, this is not a viable option, and if you aim to make your website big and famous, you probably won’t be able to keep up with the demands. Web hosts have powerful servers that can handle the traffic.

Not all hosting services are the same though – some offer just the basics while others offer additional services besides just hosting and the quality of the hosting itself can differ in a variety of ways.

Picking a poor host can leave your site open to attack – so, here are some things to keep in mind when selecting the right WordPress hosting service for your website.

CPU Limitations – Most web hosting packages you can find on the internet are the shared web hosting type, meaning that you share a server with other websites. The CPU limit is the fraction of the computing power of the server that your website can use.

Most hosting plans will give you two limits – the maximum amount of processing power that you can use and the maximum number of seconds that you can stay at that maximum.

The higher the CPU limit, the better it is for you. A higher CPU limit will allow your website to get more traffic that it otherwise could, and it will make you more resistant to things like DDoS attacks and other brute force attacks.

The more CPU power you have available at your hosting service, the more power such attacks need to take your website down.  

Encryption – Encrypting the communication between the browsers of your users and your website could be costly, but ultimately it could save you a lot of pain.

By using TLS or SSL encryption methods and running an HTTPS website instead of an HTTP one, you’ll be able to protect the information of your visitors more effectively. You’ll also be able to defend yourself from some forms of attacks.

File Transfer Protocols – Since your files are stored on the host servers, to manage your website you need to be able to alter these files as well as upload new files and download the files from the server. Such file transfers are done through various file transfer protocols that connect your PC to the servers.

FTP is probably the most commonly used file transfer protocol along with HTTP, but in recent times both have become worryingly unsafe and open to attackers.

If you want to transfer your files securely, you want to make sure that your hosting service supports alternatives like sFTP, FTPs, and SSH-based file transfer protocols.

Unlike the plain old FTP or HTTP protocols, these use file encryption and don’t send the file in the form of easily readable text.

Dedicated IP Address – If you’re getting shared WordPress hosting you’ll be sharing your IP address with other websites using the same service.

For the most part, this has no impact on your website; it won’t slow your site down or make your search rankings any worse. However, it might be a security issue nonetheless.

If one of the websites sharing your IP address is engaging in malicious behavior or is compromised, this might cause your website to become blacklisted or get compromised as well.

Due to this, it’s better if you get a hosting plan which includes a dedicated IP address for your website, so you won’t run into these security issues.

Security Software – Many WordPress hosting services will offer some type of security software in their hosting plans, designed to safeguard your website.

The cheaper or worse WordPress hosting services don’t offer such benefits or, worse yet, offer software that could potentially be malicious.

Some of the best security applications offered in these deals include ModSecurity, Cloudflare, and ironbee. Make sure to get a hosting plan which includes some sort of security software and make sure it’s a good one by researching it on the web.

Website Isolation – When you’re using a shared WordPress hosting service, you need to make sure that the hosting service is appropriately isolating your website and account from all the others using the service. This is also called ‘jailing’ sometimes.

If your website is not properly isolated from the other website on the same hosting service, you could get compromised if one of the other websites gets compromised.

Since most WordPress hosting services claim to offer some amount of account isolation, it’s difficult to determine how genuine this is, except by looking for customer experiences concerning the matter.

In case you want to be completely safe, you could get one of the dedicated WordPress hosting services out there, but that will cost you much more than a shared hosting service.

Website Backup – If your website happens to be compromised. One of the best ways to deal with it is to have a recent backup.

Plenty of WordPress users utilize plugins for backups, but some hosting services offer backups as part of their service plans. Choosing a hosting service that offers one will save you the need to install an additional plugin.

As with everything, some are better than others. Backup services which back up your website at least daily, if not hourly, and retain the backups for at least a month are among the better ones out there.

Server Logs – These are log files pertaining to all the activity on your website that your hosting service stores on their servers. It’s recommended that you choose a host which will allow you to browse these files since they can be easily used to identify an issue when it occurs. This will save you the trouble of installing a plugin that would make separate records similar to these.

Of course, it’s good to choose a host which archives server logs for a long amount of time, in case an attack occurred a few days or weeks ago and you want to have a record of what happened.

Support – If you get hacked, you might not necessarily know what to do, or have the ability to do anything. However, your host always has more control over the files on their server than you do and can probably do something to help you even when all seems lost.

Not all hosting services have great support teams though – some have no support teams at all.

Choose a good host that provides instant support, preferably by phone, 24 hours a day, seven days a week. If you can’t find one that offers such support, even a quick-responding email support service is a decent option.

There’s a bit more to it, but these are the basics of what you should look for in a WordPress hosting service. Be wary of choosing free services as well, since they offer practically none of these benefits, and they can shut down your website at any time, without notice.

If you’re wondering what some of the best WordPress hosting services out there are, here are a few of them:

  • SiteGround – A web host focused on WordPress hosting and of the most used hosts in the WordPress community due to offering tons of WordPress-specific features.
  • Bluehost – One of the oldest and still one of the best web hosting services with great support and lots of good web hosting plans.
  • Tsohost – Probably the best hosting service for UK-based site owners, they offer managed hosting services at low prices and is fantastic for small websites.
  • InMotion – If you want a wide choice of plans to find the one that suits you the best, this is the host to look at. They also offer a lot of fancy extra features in some of them.
  • WPEngine – A completely WordPress-centric web hosting company that offers a lot of WordPress-specific features in their plans which you won’t find at most other hosts.

↑ Table of Contents ↑

How to Make Sure Your Workstation is Secure

Your PC or laptop can be the ultimate target of any hacker that targets your site. After all, that’s the device where you store all your data and that you use to type in every possible password – it’s immensely valuable. It’s a gateway to all your accounts and possibly the workstations of others.

Because of this, it’s vital that you keep the PC or laptop that you use to work on your site completely secure and that you always securely access your admin account. This section will be focused on how you can do that.

Update Your System Regularly – The first thing you can do to make sure your workstation is secure is to update the core operating system as frequently as possible.

Entire government facilities have been hacked and compromised due to not updating their operating systems, and it’s a great point of risk. The recent ransomware attacks are proof of that.

For most people, this operating system will be either Windows or Mac, but it could also be iOS if you prefer to do most of your work from a phone or a tablet. Whatever it is, install new updates as soon as they come out.

Use VPN’s – VPN stands for Virtual Private Network, and it’s essentially a way of encrypting all the communication between your workstation and the internet.

This will ensure that anyone monitoring a network you’re connecting to will not be able to access any information you might be sending or receiving.

Using VPN’s if you’re accessing valuable info on public networks is especially important since you never know who might be connected to them and for what purpose. However, it’s a good idea to use it even on your home network, just in case.

VPN’s are available rather cheaply, from 4 to 10 dollars per month, though better ones cost more. Of course, you can also get a free VPN, but they are typically unreliable and slow.

Keep in mind that a VPN is not something that will offer you complete protection. Your communication will be encrypted but only until it comes to the VPN gateway. From that point on it will be unencrypted if you’re using HTTP based websites.

Use Antivirus – Viruses and other malware are often used to gain a hold of someone’s PC or personal information from it. It’s a good idea to have one running actively at all times to catch any infections that might compromise you.

It’s also not a bad idea to have a few dedicated antiviruses and antimalware programs that you would use to make regular scans of your system.

While antiviruses like Norton, Avast, Kaspersky, and others are good, they might not catch some specific malware that Spybot or Malwarebytes could, for example.

Running scans every 24 hours is a good idea, and you can just schedule them at shutdown when you’re done with your work, so it won’t be too much of a hassle. It might save you when you least expect it.

Only Install Trusted Software – People install a lot of junk software on their machines these days, and no one is an exception, even you. When you’re in a pinch, you might be tempted to just download some small, free tool, install it and do what you need to do, then wipe it.

However, something else might have come with it, something that stayed even when you deleted it and is stealing your information. It’s not uncommon for various malware and spyware to be included in such tools.

This is true not only for standalone programs but also for things like browser extensions.

Recently, a well-reviewed and popular Chrome extension called Stylish was found to be collecting information on its users for years and then selling it off, without anyone being the wiser. Try using a separate browser for work than the one you use for everything else.

Think twice before installing any piece of software on your workstation and install as little as possible. Use only the essentials that you absolutely need and only install software from highly trusted sources.

Always make sure to check user experiences – if the software is malicious, someone will have a horror story to tell about it. Check on Google and try to find if the app contains malware or if it’s a scam. Only once you’re entirely sure that the software is safe, should you install it.

Don’t Visit Suspicious Web-Pages – Keep your visits to potentially suspicious or easily compromised web pages to a minimum, at least on your workstation.

Don’t be tempted to click on suspicious links and be wary of phishing attacks. These attacks present you with a login page for a website that looks like the original in an attempt to steal your password.

Other malicious web-pages might install malware on your workstation or even software that could take complete control of it.

Be careful before clicking on any links you find, especially in your emails, and don’t open attachments before checking who sent them, why they were sent to you and what they are exactly.

Also, avoid posting any info about yourself online that attackers could use against you. If attackers know too much about you, they might target you in what is known as a ‘spear phishing attack.’

This is a much more sophisticated and targeted version of phishing relying on the knowledge of your interests, habits, area of expertise and more.

Don’t Allow Others to Use Your Workstation – If you can, avoid letting others use your workstation at all times. They might not be trying to steal your data, but they still might expose you to attackers by not being as vigilant as you.

Others could visit hazardous sites, click on dangerous links without knowing, accidentally change crucial settings and more.

If you don’t trust a person 100%, don’t let them use your workstation if you want to stay as safe as you can be.

Those are the basics of keeping your workstation secure. If you stick to this advice, you will almost certainly be able to prevent it from getting compromised.

↑ Table of Contents ↑

How to Use the Best Version of WordPress

Updating your WordPress core is one of the critical things you need to do to keep your website safe. However, doing it properly is a completely different matter, as is knowing when to avoid doing it. Here are some tips on the subject.

By default, WordPress installs minor updates automatically – however, you might want to disable this option if you want to have more control. If you’re forgetful, you can leave on since it might save you in a pinch. You can even enable core updates to be automatic if you want.

You can do all of this simply be editing your wp-config.php file in a few different ways:

  • For disabling all updates, add the following line to the file- define( ‘AUTOMATIC_UPDATER_DISABLED’, true ); 
  • For enabling core updates, add this line – define( ‘WP_AUTO_UPDATE_CORE,’ true ); – if you want to disable all updates, change ‘true’ to ‘false,’ and if you want to enable only minor updates, change ‘true’ to ‘minor’ in the line.

If you don’t want to mess with your wp-config.php file, you can always install a plugin that can disable or enable updates, but that can be a potential security risk.

Before performing any update, you should make sure to create a backup of your website, just in case something goes wrong. That way you can instantly roll back to the previous version, like nothing ever happened.

If you have control of your backups, perform one directly before the update, if not perform the update straight after the automatic backup.

Performing an update is rather simple. You just need to go to the dashboard and click the update tab. There you will find info on your current WordPress version along with info on whether it’s the most recent one and an ‘update now’ button that you can press to perform the update.

However, while the ‘one-click update’ as this method is called, works most of the time, there are times when it fails. If that happens you can still update your WordPress core manually and here’s how to do it:

  • Deactivate all your plugins and backup your database
  • Delete the wp-admin and wp-includes directories on the server
  • Go to and download the latest version of WordPress.
  • Unpack the zip file
  • Upload the wp-admin and wp-includes directories to the server
  • Upload the files from the wp-content folder to the existing wp-content folder on the server and overwrite all existing files
  • Upload all the files from the root directory to your WordPress root directory on the server

During this process make sure not to delete or replace the entire wp-content folder as that will delete all your plugins as well. Just move and replace the files themselves.

What you need to do next is to visit your admin page on the website. At this point you will be prompted to make a database update if it’s necessary – WordPress will give you the necessary link, and you only have to follow it as well as the instructions found there.

Do this immediately after updating the files.

Once this is done, re-activate your plugins and clear your cache. The update is done, and you now have the new version of WordPress core. If you still happen to have issues, check some of the articles on the WordPress codex concerning the matter.

Now that you know how to update your WordPress core you should also know when not to update it. Yes, there are times when you don’t want to install the newest update.

Firstly, when a major update comes out – which means the second or the first of the three version numbers changing – you might not want to install it straight away.

Such significant, sweeping changes could cause your plugins and themes to malfunction and could create some large security gaps. Wait a while and see how the situation develops.

Secondly, there are the minor, mostly security-oriented updates. However, even they might create new holes for attackers to exploit.

You should probably install the update immediately anyway, but always keep an eye out to see if any info about the update being bad pops up, then load a backup from before the update.

Otherwise, check for updates daily and install them as soon as they’re available. It will be one of the best security measures you can employ.

↑ Table of Contents ↑

How to Find the Right WordPress Security Plugins

One of the best ways to defend yourself against attacks on your website is to have a good security plugin installed.

There are many available out there – literal thousands – but you should probably settle for just one or two since installing too many of them is counterproductive and can lead to unexpected conflicts.

To make sure your plugins don’t conflict you should make sure no two cover the same areas. There are three main categories of WordPress security plugins – Protection, Detection, and Response.

Protection or prevention based plugins are those designed to stop attacks before they even happen. Most of them will be firewalls of some kind and are useful against brute force bot attacks like DDoS or brute force login attempts. More sophisticated attacks will get through since these plugins work only on the application and not the server level.

Detection plugins are focused on recognizing threats that manage to get through the previous category of plugins. These plugins work somewhat like antivirus programs, scanning your site for malware, changes in file integrity or both at the same time. They tend to check everything, including other themes and plugins.

Response plugins have a focus on dealing with the threats or mending what was broken, but they can have a wide variety of functions, so they are also sometimes referred to as utility plugins.

These can include plugins for making back-ups, those allowing you to edit specific files in a more accessible way, those that hide certain site functions or even those that give you audits and tell you exactly what’s going on at all times.

Some of them are just laser-focused on a specific threat, like stopping spam or login attempts.

Of course, there are also comprehensive security plugins for WordPress that can do all of that and more. It’s probably best if you install one of these all-encompassing plugins.

Some of the best plugins include:

  • Sucuri
  • Wordfence
  • iThemes Security
  • SecuPress
  • Jetpack

If you want to know more about the best WordPress security plugins you can find, you can read more about that right here.

↑ Table of Contents ↑

The Most Common WordPress Security Vulnerabilities – And How to Avoid Them

Earlier in this article, you found out about different types of attackers that might want to target your website and why they would do it.

However, not all of them will do it in the same way, and this section is intended to explore all the ways in which attackers might choose to target your website.

This list is by no means comprehensive since that is most likely impossible – new avenues of attack pop up nearly every day. Here you’ll just find a list of the most common types of attacks and some advice on how you can deal with each of them if they occur. So, let’s get started

↑ Table of Contents ↑

Denial of Service

You’ve probably heard about denial of service or DDoS (Distributed Denial of Service) attacks before but don’t know exactly what they are.

Well, a DDoS attack is performed by using a network of compromised computers or servers to drive a ton of traffic (also called ‘requests’) to one single website.

Once the target receives too many requests that exceed the bandwidth or the CPU limit of a server, the website stops responding to any requests and the website ‘crashes’ so no one can access it.

It’s a simple but effective method that has been around for almost 30 years, and it’s still being used.

The intention of these attacks can be simply to take down targets that the hackers have an agenda against or it can be used to continuously disrupt a website before asking for ransom so the attacks would stop.

Of course, DDoS attacks are a bit more complex than that, and there are a lot of different types, but it’s too much to go into here.

There is no effective way to stop or prevent DDoS attacks completely – however, there are ways to minimize their effects. Most of those methods are up to your web host, which is why you should pick a good hosting service which uses some DDoS prevention methods.

However, it’s not all up to that, and there are things you can do on your end as well.

The most effective thing you can do is to invest in getting a DDoS protection service – one of the best ones out there is Cloudflare, and another good one is Stormwall.

Such services will filter incoming traffic to your website and exclude the requests that they deem to be malicious. Of course, even such services can only mitigate DDoS attacks, and they cost quite a lot.

You can also fix vulnerabilities in your website that might be exploited by attackers, effectively hardening your site against all attacks. For example, you can disable XML-RPC functionality, something that you’ll read about later in this article.

Using security plugins that can monitor your traffic and notice possible DDoS attacks in advance can also be helpful. WordFence is a good security plugin that might help you defend against DDoS attacks on your website.

↑ Table of Contents ↑

Brute-Force Login Attempts

Have you ever tried to login into your friend’s Facebook account by repeatedly guessing at their password? Some of you might have even succeeded by using that method. Well, brute-force attacks on WordPress websites are not dissimilar to that – they’re just much larger in scale.

By default, WordPress allows users unlimited login attempts and won’t lock them out after a few failed ones.

This allows hackers to make bots which will attempt to login using known usernames with thousands of different passwords until they get the correct one by chance and gain access to an account.

Even if the attack doesn’t succeed at accessing any accounts, it can still be devastating due to the number of login attempts overloading your site, similar to a DDoS attack. You may even get your account suspended by your web host for exceeding bandwidth and CPU limits.

Bots can easily go through thousands of login attempts within a minute, so the strain is immense.

If you have a large number of users on your website and their usernames or email addresses are public, and your login page is not hidden, this type of attack is far more likely to occur. Thus, one of the best ways for preventing it is making your login page more difficult to access.

With a plugin like WPS Hide Login this can be done easily, but if you don’t want to install a plugin, you can also do it manually by editing the .htaccess file. You’ll find out more about that later in a section focused on logging in securely.

The next most effective way of dealing with these attacks is limiting the number of login attempts that the users of your website can make.

You can do this by using a plugin like Login LockDown – just go into the settings after installing it, and you can make various limitations.

These include the number of attempts, when a lockdown occurs and how long it lasts as well as an option to keep out attempts to log in with non-existing usernames.

Another method to preempt such attacks is by using complex passwords that are difficult to guess and encouraging all the users of your website to do the same. Using two-factor authentication is also a good option.

Various security plugins like iThemes, for example, have brute-force attack protection capabilities built into them, which is another thing you can utilize to prevent such attacks.

↑ Table of Contents ↑

PHP Code Vulnerabilities

Vulnerabilities in the PHP code of WordPress websites are one of the most common targets of attack from bots, right next to brute-force attacks.

Most of the work that is done securing a WordPress site comes down to fixing the vulnerabilities in the PHP code – that’s what most security fixes in WordPress core, themes and plugins are.

These vulnerabilities mostly exist due to mistakes, oversights, and sloppiness that occurred when the developers wrote the PHP code for the software. Here’s a list of some of the most common PHP vulnerabilities and what they entail:

  • SQL Injections (SQLi) – These types of attacks occur when an attacker can send instructions to your database which are then executed. The flaw is when the application is written to just accept user input without checking for malicious intent or malicious code. More on this type of attack a bit later. 
  • Cross-site Scripting (XSS) – With this type of attack, the attacker causes malicious code to load in the browser of a website visitor and execute. At this point, it can perform actions as the user, stealing information and possibly granting additional access to the attacker. More on this type of attack further in the text. 
  • Remote Code Execution (RCE) – When bugs in PHP applications accept code uploaded by the attacker as user input and valid PHP code and then execute it, this type of attack occurs. It can allow attackers to create new files to use as backdoors, thus gaining full access to your site without your knowledge. These vulnerabilities are exceptionally easy to exploit and can leave your entire site compromised straight away. 
  • Cross-Site Request Forgery (CSRF) – An admin or another high-level user on your website is sent a link – when he clicks that link, it performs an action on the website. For example, that could be creating a new page with malicious links or a new user with admin-level privileges and a password that the attacker knows.

    This type of attack is more difficult to execute than it seems since WordPress has a built-in way of dealing with it, called a ‘nonce,’ which is a sort of security token located in the admin’s browser. For the attacker to do anything with the link he sends, he would have to know the nonce. However, if a theme or a plugin doesn’t use a nonce, it is open to this type of attack. 
  • RFI/LFI – Remote file inclusion happens when a PHP application passes user input to a function designed to load a file, which can consequently be a URL to a different website with a piece of PHP code which is then executed on your website. These type of attacks are rare these days since most PHP developers restrict where files can be activated from.

    Local file inclusion is much the same, but the file that’s loaded is one of your local files which is then displayed to the attacker, and he gains access to it. This is how attackers can gain access to crucial files like wp-config.php. These types of attacks are still common. 
  • Object Injection – When a PHP application passes user input to the ‘unserialize()’ function, a stored object is turned into an object in the memory. It is a gateway to code injection, SQL injection and many other different forms of attack. 
  • Authentication Bypass – This is a crucial mistake in PHP coding which improperly validates the access level of a user, allowing them more privileges and control than they are supposed to have. Thus, non-admin users can gain admin-level powers and easily take over the entire website.

One of the best ways to harden yourself against any of these attacks is, as always, to regularly update WordPress and all the themes and plugins you’re using.

Another way to harden your website is to implement PHP file execution prevention in certain directories. You can do this by creating a file named .htaccess and writing the following code in it before uploading it to the wp-content/uploads folder as well as the wp-includes folder:

# Kill PHP Execution

<Files ~ “\.ph(?:p[345]?|t|tml)$”>

  deny from all


This will help prevent attacks that exploit PHP vulnerabilities, but if a hack is already in progress, it won’t help you since this is not a fix. If your theme requires PHP execution in those directories, then you shouldn’t do this.

↑ Table of Contents ↑

Pharma Hacks

This is another type of attack primarily praying on those who don’t update their WordPress core or plugins and themes regularly. It is essentially a subset of a backdoor hack combined with tons and tons of SPAM.

If you’re a victim of this type of attack, it will quickly turn your website into a spam machine for pharmaceutical products (mostly Viagra).

Thousands of new pages will be created, all related to such products and tags will be inserted into your existing pages, making all the results for your site on search engines into Viagra adds. Soon, you’ll be blacklisted, and all your clout will be gone.

You can get rid of this hack by loading an old backup, but even then you might still get re-infected.

The backdoor through which the pharma hack was activated might have been there for months before the attack began and since most backups are not older than 30 days, you won’t have a clean backup to go to.

Worse yet, there might be multiple backdoors injected into your site so even if you clean one, others might remain in place and the whole thing will simply start again.

Other files might even start re-generating the files you already deleted creating a seemingly never-ending loop until you find the exact source file.

But, there’s more! Even if you manage to clean everything out, you could still be doomed. Search results for your site will probably forever be tainted, and you’ll be on virtually every known blacklist as a notorious spammer and a malicious website.

You’ll probably have to move the entire site to a new domain and start building your SEO clout from the ground up. (happened to me once – was forced to do this)

All of this is what makes the pharma hack so feared. It is difficult to clean up, and it might ruin your site completely in no time at all. The best way to guard against it is to have a secure hosting service, to use only secure plugins and themes and to update all your software regularly.

↑ Table of Contents ↑


Backdoors are, essentially, hidden passages into your website that attackers can exploit to gain access to it. They’re usually things you wouldn’t expect and are disguised as normal pieces of code or files.

These vulnerabilities are extremely dangerous and once a single site is compromised others on the same hosting servers can easily get cross-contaminated.

These backdoors are usually injected by exploiting well-known weaknesses in outdated versions of WordPress core or outdated versions of certain plugins and themes.

They are injected during other attacks to make sure that the attacker has immediate and easy access to your website. They can remain even after you use a backup to restore your site to a previous state.

Backdoors can be hidden in many different places on your website, including:

  • Plugins – Since people don’t like to update their plugins for fear of them breaking and they want to keep them, hiding backdoors in them is popular. If you just upgrade your plugins regularly, the backdoor exploit won’t survive. 
  • Themes – Probably one of the custom themes you aren’t using at the moment, one you’ve forgotten about. Deleting inactive and unused themes regularly might save you from a backdoor attack 
  • wp-config.php – One of the most popular places to put backdoors into since it’s a commonly used file that won’t be overwritten in updates or deleted. 
  • Uploaded Files – If you own a WordPress website you probably have hundreds of images and other files uploaded, and you don’t keep track of them all. Because of that, it’s easy to hide a new file with a backdoor in here, and no one will notice it.

These backdoors will probably use names that seem like normal files or use the names of well-known plugins that most people use. Attackers might even notice your file-naming patterns and use them to trick you into believing you uploaded a file you forgot about.

Luckily, it’s not that difficult to get rid of possible backdoors that attackers can use. The first thing you can do is to constantly keep all your software and WordPress core up to date – that way, you’ll minimize the risk of attackers finding any backdoors.

You can also use a scanner plugin to find the backdoor – there are many good ones for that including Sucuri, Theme Authenticity Checker and Exploit Scanner. Once a scanner has identified the offending file, you only need to delete it, and the backdoor will be gone.

↑ Table of Contents ↑

Cross-Site Scripting

If a PHP developer is writing their code in an intuitive way that comes naturally to them, they are likely to create an XSS vulnerability without even noticing.

How? Well, if they make code that directly grabs a value from your browser and write it back into the URL without any filtering, it will be efficient, but it can also be exploited by using the value to write and execute a javascript code in the browser.

That way they can get anyone to execute any javascript code they want in their browser.

Through this, the attacker can send a link to someone who’s signed in with admin privileges on the site, for example. The script can then perform an action as that user, which can be stealing data, creating backdoors, creating new pages, adding tags and more.

These vulnerabilities can come in two distinct forms:

  • Reflected XSS Vulnerabilities – This type of XSS vulnerability is the one described above, called as such because the script is ‘reflected’ from the webpage into the browser of the user who visited it. 

    This is a less dangerous form of this vulnerability because it relies on the user clicking the link that was sent to them and each victim must be targeted individually, making it slow. 
  • Stored XSS Vulnerabilities – Unlike the reflected type, this XSS vulnerability can be completely automated and performed by bots. The script created in this case can visit tons of websites with the vulnerability, loading the stored code into them. 

    From that point on, anyone that visits the site becomes a victim and gets their data stolen. There’s no need for clicking a personalized link or anything similar.

So, how do you protect your site from these types of vulnerabilities? After all, a perfectly functioning plugin could have such a vulnerability, and you wouldn’t even know if you don’t know how to read and parse PHP code.

Well, there are some built-in ways to deal with it but they will involve editing some PHP code so get ready.

All of the following functions are designed to serve this purpose – to make sure all the data accepted is within acceptable parameters and that any code included in an XSS code would fail to execute even if it is shown to your users.

The first important things are validating data to a user to make sure they give you what you asked for, and the next part is sanitizing the data given in case they try and find a way to bypass the validation.

If both fail to stop the attack, the last line of defense is escaping the data and converting crucial parts of it into something else to prevent scripts from executing.

The WordPress codex contains info on how to perform all of this even if you’re not too tech savvy. Just read this, and you should know what to do to protect your website from possible XSS attacks.

↑ Table of Contents ↑

SQL Injection Attacks

XSS attacks are the most common attack performed on WordPress site, and SQL injections are right behind them as the second most common, and they can be just as dangerous if not more so.

The mechanics behind the vulnerability lie in the interaction between plugins and the database and the user input sent from one to the other.

If the user input to the plugin is not validated and escaped properly, attackers can turn that input into something malicious and use it to, for example, create backdoors in the database that they can exploit later or just outright steal your data.

There are two types of SQL Injections – classic ones, where the attacker gets the result of the input back and a ‘blind’ injection where the attackers can’t see the output of your database.

With a classic SQL injection attack, the attacker can do almost anything they desire to your website. However, it can be relatively easily fixed by sanitizing and escaping all the data that is sent from you to your database.

With a blind SQL injection attack your data can’t be easily extracted, but the attack can be devastating nonetheless since the attacker can still perform actions in your name. It can be fixed in the same manner as a classic vulnerability.

However, a blind SQL injection can still extract data by using timings and putting the database offline if the answer to their questions is ‘no’ and letting them stay online if the answer is ‘yes.’

It’s a slower process, but it can still be done. That’s why you need to sanitize and escape your data as soon as possible, same as with an XSS attack.

↑ Table of Contents ↑

Malicious Redirects

These types of attacks focus on inserting a bit of malicious code to your website that will redirect the users to a different website.

They are mostly used for advertising and building up SEO rankings of certain sites through interlinking. There are malicious redirects that could also lead to pages containing malware or to phishing pages.

The worst part about this type of attack is that you might not even know you have a malicious redirect somewhere on your website. It could be only on a few specific pages that you don’t visit that often and you will only learn about it once users start complaining.

At that point, it might already be too late to save your reputation, and your site could be blacklisted.

Finding these malicious redirects can be quite difficult, and they could present in a wide variety of ways. They’re usually in the form of javascript but that they could be inserted not only into pages but into your database, widgets, files, or legitimate javascript you have running.

Removing these redirects can be as simple as restoring a non-infected backup. However, since you can’t know when the redirects were implemented, you might not have a backup old enough to remove them. In that case, you’ll have to go through them manually.

There are websites which can search for the redirects, especially if they’re not well-hidden. These include Unmask ParasitesQutteraWeb InspectorScan My Server and more. The Google Diagnostics Page can also help you figure out which pages and files were redirecting your users.

Identifying and removing bad code can be troublesome if you don’t know how to recognize bad javascript and differentiate them from those that are part of the core functionality of the site. It’s better to ask for support from your hosting service, if possible.

Once the bad code is removed, make sure to change all the passwords you can and to resubmit your site to Google through their console, so you’re listed on their search results again.

↑ Table of Contents ↑

Keeping Your WordPress Site Secure on a Day-to-Day Basis

As mentioned, WordPress security is an ongoing process that never stops, and you can do some small things every day to keep your site secure.

Almost everything you do on a day-to-day basis while working on your website carries some risk with it and keeping that risk to a minimum is crucial. Even the smallest of mistakes can open your site to potential attackers.

In this section, you’ll find out how to do everything in the most secure way possible, from logging in at the start of the workday to logging out at the end. If you follow this advice, the safety of your WordPress site will be greatly improved.

↑ Table of Contents ↑

How to Sign-In Securely

Most people sign into websites without thinking too much about it, and it’s a mundane task to most. Despite that this is one of the first lines of attack and you could be targeted before you even log in, so taking precautions is necessary.

The first thing you should keep an eye out for are phishing attempts – attempts to steal your password and username through a lookalike website that prompts you to log in. The moment you open the login page of your site check the domain name – if you see any irregularities in it, don’t even attempt to log in.

Even if the domain name looks right, a part of it may be hidden so make sure to look at the general design of the login page – rarely will phishing pages be an exact copy of the original and some noticeable differences usually exist.

Another thing that you’ll find out more about later in the article is the use of HTTPS. Make sure your site uses the protocol so your login information can stay encrypted and safe.

If you can avoid logging in on other machines or public PC’s, or even on your own PC or laptop connected to a public network, avoid it. Those are all unknown factors which could compromise the security of your website if you log in to your admin account.

Finally, when you’re done doing your work, log out. Never stay logged in for too long on any machine, even your own. Since you’re the admin, make sure to log out other users that stay logged in for too long – you can do that with a plugin like Idle User Logout.

Also, don’t accept the prompts of browsers to remember your username and password – it may be easy, but it’s also extremely risky. There are other ways to store passwords if you have trouble remembering them.

If you can, try to use a separate browser to log in to your website, dedicated only to work purposes. That way you will limit any factors which might cause your login information to become compromised.

↑ Table of Contents ↑

How to Secure Your Password

People certainly now that their passwords are important, right? They have to be aware that a weak password is easily guessed and that using the same password on multiple websites can lead to disaster. Right?

Well, apparently, no, most people either don’t know or don’t care enough. 

Some of the most common passwords are still 123456qwerty1111111 and, of course, the old classic – password.

Even Mark Zuckerberg is not immune to the disease of bad password usage – he used the password ‘dadada’ for a multitude of his social media profiles.

So, that’s where to start – don’t be like Mark and create a strong password for your admin account.

A strong password should include a large number of characters – around 12 is a good number, but 15 or more is better. It should also include uppercase and lowercase letters as well as numbers and symbols.

The stronger it is, the more difficult it will be for a brute-force attack to guess your password by chance.

To make up a password like this you could use an online password generator like Strong Password Generator or maybe the LastPass Password Generator or create a strong password yourself.

There are many others, and most of them will do. Make sure to use the password you get only for the admin account on your website and nothing else. Periodically changing the password is also a good idea.

Once you have a strong password, you need to make sure everyone else who potentially logs into your site has a strong password as well.

This can be tricky to do, but some plugins can increase the chance your users will employ stronger passwords than is common or change some of their bad habits.

For example, a plugin like No Login by Email Address will force them to use usernames for login, thus protecting their emails.

The reason why most people use weak passwords and the same password on multiple sites is that they have trouble remembering them.

One of the solutions to the problem is using a password manager where you’ll store all your passwords – LastPass is a good online-based option, but if you want something offline, KeePass is more than decent.

Of course, this can create a whole new type of security risk. If your password-storing service ever gets hacked, you’ll lose all your passwords. You’re essentially putting all your eggs in one basket.

Another option is to write down your passwords on a piece of paper – you just have to make sure that no one sees it and that you don’t lose it.

Memorizing your password is the most secure way to store them, but you could be in trouble if you forget them. Either way, there is some risk involved.

↑ Table of Contents ↑

How to Create New Pages and Posts Securely

Making new posts and pages on your website and putting them out there can seem like something that’s easy to do but it contains unique risks as well. Here’s what you should keep an eye out for so you can keep your site safe.

The first thing you should keep an eye out for are the links you’re using on your pages and posts. Are the sites they lead to safe? Even if they look credible now, are they potentially compromised or prone to being compromised in the future?

You don’t want to hotlink to pages that will become Viagra-sellers or phishing websites in six months.

You should be the most careful when embedding code into your pages. If the code is malicious in any way, it could lead to your users and your website becoming compromised.

Before you add any javascript code to your pages, find out where it comes from and possibly who made it. Does it come from a trustworthy source? Can you even find out where it originates from?

Some rather innocuous Java-based widgets can be hiding malicious code inside them, and you could be spreading it without realizing.

Guest posts are a great way to boost SEO rankings, but you should be wary of anyone you don’t know well posting on your site.

You definitely shouldn’t be giving them direct access to your website so they can make posts – negotiate with them and let them deliver you a word file through a site like Google Docs so you can vet it before you post it.

Make sure to check all the hotlinks and scripts used in their post and check if they’re safe enough to be on your site. If they’re not, stop communication with the guest poster, who tried to trick you and don’t post their text.

Even if you have regular contributors who you trust and who have a certain level of access to your site, make sure to check their posts for potentially malicious links and code. They might not mean ill, but they could make a fatal mistake.

Vet each post carefully and don’t be in a hurry to publish them – make sure each one is as secure as possible.

↑ Table of Contents ↑

How to Securely Create New Users

During your tenure as a site owner, you will probably come to a point where you will have to create new users for contributors and moderators that will join the site. You will need to give them specific permissions and roles so they can work on the site effectively.

However, this is always a potential for a security risk – and not just because those people could be potentially untrustworthy. You’ll find out more about that in a bit.

First, here how you can create new users in WordPress – you need to go to the Dashboard  > Users > Add New and then choose the type of user you want to create.

There is another way to create users though, but it is potentially riskier. If you go to the Dashboard > Settings > General and enable the option “anyone can register” users will be able to create their own accounts at the ‘subscriber’ level of access.

Enabling this option is a potential security risk – unless you find that it’s necessary, don’t enable it and stick to manual user creation.

When you create new users manually, you have the option to let WordPress decide on their passwords using a random generator. This will mostly result in a strong password, so it’s recommended that you use this method and tell your users to keep those passwords.

The most important thing to consider when making new users, though, is the level of access that you’re giving them.

WordPress roles are a system used to determine the level of access that users have. What you might initially want to do is to give as much access as possible to each user since you never know when they may need it.

Don’t do this – it just creates unnecessary risk. Stick to what is known as the Principle of Least Authority – grant users the minimum access they need to perform their duties effectively and no more than that. It’s a well-known principle used to minimize risk, and it is known to work.

Here’s a summary of all the roles you can give to your users so you can choose the right ones:

  • Subscriber – This is the lowest possible level of access that a user can have and it’s the role assigned to users who register to your site when the option ‘anyone can register’ is enabled. These users can only edit their own profile and post comments if comments are enabled on the site. 
  • Contributor – The next role already has a significantly higher level of access, being able to create drafts of posts or pages without being able to publish them. This is the role you can give to guest posters so they can create a draft that you will review and publish later on. 
  • Author – This level of access is similar to the contributor, but with two key differences. They can upload files, and they can also publish their own posts. Here’s where we already get into risky territory, and you shouldn’t give this level of access to anyone unless it’s absolutely necessary. 
  • Editor – These users, as the name implies, have the power to edit and publish pages and the posts of other users, besides their own. They can also edit, approve and delete comments, tags, categories, files, and links on the site. A hacker that gets a hold of an account with this level of access could wreak serious havoc. 
  • Administrator – This is the role that you, as a site owner, have. It allows you complete control of the website and everything on it, the highest possible level of control. Your site is most likely lost if an account with such privileges gets into someone else’s hands and you should give out this role to anyone else. 
  • Super Administrator – One a single site, this role doesn’t exist, and it only pertains to multi-site networks. There, super admins have complete access to all the sites in a network, while administrators only have access to one. You should probably never have more than one super admin when running a multi-site network.

Remember to give your users only as much access as they need – it’s easier to give them more access if it happens to be necessary. It is far easier than dealing with the damage that even an account with the author role can cause if compromised.

↑ Table of Contents ↑

How to Keep the Comment Section Secure

Comment spam can be a more serious security risk than you might realize at first. Yes, spam messages seem like minor annoyances akin to mosquitoes, but even those mosquitoes can carry a deadly disease like malaria.

Spam comments can carry links to malicious websites, execute malicious scripts, create backdoors on your website and more. If you’re not careful, you could have a serious problem on your hands.

The best way to be completely rid of comment spam on your website is to disable future commenting completely. If you want to go this route, you only need to go to Dashboard > Settings > Discussion and uncheck the “allow people to post comments on new articles” option.

You can still enable comments on individual posts if you want by checking the ‘allow comments’ option beneath them.

Of course, disabling all the comments is not the best option you can go for. You want some discussion to happen on your website since it improves SEO rankings and brings in additional traffic. So, what can be done?

Well, luckily, WordPress has some inbuilt comment options that can help deal with the spam and save you some hassle.

Go to Dashboard > Settings > Discussion, and you’ll find a host of options – here are some you should take a look at:

  • Allow link notifications from other blogs (pings and trackbacks) – You should definitely disable this one, as it will save you a lot of trouble.
  • Comment author must fill out their name and email – This is a no-brainer, it just stops most bots dead in their tracks, and they won’t post a comment. It might cause your visitors to be annoyed as well though.
  • Users must be registered and logged in to comment – This will cut down on even more spam but might also reduce the activity of your comment section. Weight the benefits against the downsides when enabling this.
  • Automatically close comments on articles older than X days – The number of days here should be around 90 for a fairly active blog and closer to 30 for a less active one. This will stop spambots from posting their comments on every article you have.
  • Before a comment appears comment must be manually approved – Enable this option if you don’t have an incredibly active community since it might help you deal with the spam. Otherwise, it might stifle discussions unless you have incredibly active mods.
  • Before a comment appears comment author must have a previously approved comment – This is another no-brainer which will cut down on a lot of bots since most of their comments won’t get approved.  
  • Comment moderation – Here, set to hold a comment in a queue if it has 2 or more links. Most spam comments are filled with hyperlinks and even more than one link can be a good indication of spam.
  • Comment Blacklist – In this section, you can set blacklisted words, URLs and IPs that will immediately mark a comment as spam if it contains them. If you have some well-known pieces of spam that you want to preempt, here’s where you can do that.

With this settings enable, most of the spam should be dealt with. However, some will always remain, and if you’re still having lots of trouble, there are others methods of dealing with it.

There are many great plugins which can be used to help deal with the constant torrent of spam which will inevitably assail your website:

  • Akismet – A great plugin designed to filter out most spam and can automatically delete the worst it to free up your workload.
  • WPBruiser – This plugin was formerly called GoodBye Captcha because it eliminates spam without any need for captcha or similar annoying methods. It also keeps a log of all the deleted spam messages so you can check for false positives.
  • WordPress Zero Spam – Another plugin that eliminates spam without the need for captcha or anything similar. It works by detecting if the comments came from a valid web browser and recognizes legitimate messages from spam that way.
  • Antispam Bee – This is also a captcha-free anti-spam plugin that works well and is completely free, not even requiring registration.

More are out there, but those are just some of the best. Choose one and try it out to see how well it performs and how well it stops spam.

↑ Table of Contents ↑

Securely Adding Themes, Plugins, and Widgets  

These are the large sore spots of almost every WordPress site out there and if attackers gained access to your website somehow, there a high chance they did it through a theme, plugin or widget.

Vulnerabilities in relation to themes, plugins, and widgets will appear regardless of what you do, but you can definitely keep the risk to a minimum by keeping up some good practices.

For starters, you shouldn’t install too many themes, plugins or widgets to your website – the more of them you have, the larger the number of potential vulnerabilities that attackers can exploit. You should only keep the crucial ones and delete any unused ones to shave off the useless fat.

As always, you should regularly update all your plugins and themes. This can be done by going to the Updates section from the Dashboard on your admin panel. There you can click on each theme or plugin to update them.

When installing these features, though, you should only get them from reputable sources. One of the best sources to get plugins, themes, and widgets from is certainly Themesplugins, and widgets are all available there in abundance, and all are completely safe.

For themes, some of the good trusted websites include:

  • Theme Forest – A paid site with cheap membership and over 40,000 themes available, some of which can’t be found anywhere else.
  • JustFreeTemplates – If you want free themes or templates to work from, this is the site where you can get some. Just check some customer experiences before installing them, they can be quite buggy.
  • Elegant Themes – This site offers both themes and plugins for WordPress at a reasonable price.

If you want to get plugins from sources other than you can go to:

  • CodeCanyon – A decent website offering a few thousand great, paid and well-maintained plugins that are free from malware.
  • Creative Minds – This site has only a small amount of paid WordPress plugins, but there are some good ones on there so you might want to check them out.
  • Themeisle – On here you can find both themes and plugins. The selection is small, but you can’t find some of them anywhere else.

Most widgets can be found in the same place as plugins.

Of course, make sure to steer clear of ‘nulled’ themes and plugins, those containing in-built malicious software. Also, beware of widgets that load code from other websites – if you can’t inspect the code, consider it unsafe. The only exceptions are highly reputable sites like Google.

Also, avoid installing plugins and themes that are no longer officially supported and are deactivated. It’s likely that their code is old and that they have plenty of well-known and easily exploited vulnerabilities which won’t be fixed.

Before installing any new theme or plugin, you should make sure to backup your website. It is likely that something might break or go wrong due to interactions and conflicts between various plugins and themes so it’s good if you can instantly restore your site in that case.

When you’re installing plugins and themes, make sure you don’t have any other websites open in your browser, just in case. If a harmful script is potentially running in the background, it could wreak havoc and contaminate what you’re attempting to install.

To install themes or plugins you can simply go to either Dashboard > Themes or Dashboard > Plugins and click the ‘add new’ button after which you can search for the one you want to get.

If you want to upload one, you can just click on the ‘upload theme/plugin’ button on the same screen.

If you keep your themes, plugins, and widgets safe, you’ve already got most of your basics covered when it comes to security.

↑ Table of Contents ↑

Securely Using the File Transfer Protocol

As mentioned before the FTP or File Transfer Protocol is the way in which files are transferred from a server to your machine and the other way around. While FTP proved to be great for WordPress websites in the past, recently it has proven to be far less safe than before.

This is because FTP is a plain-text protocol that sends both the file and your username and password across the internet completely unencrypted. Even on your home network, this is extremely unsafe, and on public networks, it’s just a complete safety hazard.

Luckily, more secure versions of FTP have been created in recent times. sFTP is a version of FTP that encrypts your username and password while sending them across the network by using a secure shell (SSH) service.

FTPS is a similar improvement, but it uses TLS for encryption instead of SSH.

While these protocols are secure enough on their own, they could be made even more secure by securing the files on your end.

You will probably download most of your site files from the server at one point or another, and you’ll most likely download backups of the site. Since these files contain important info, including your username and password, you should take good care of them.

Consider keeping them on a separate drive and encrypting them, or at least protect them with a password (that’s different than any of your other passwords). Don’t upload those files willy-nilly and don’t copy them to unprotected drives without a serious need for that.

If you happen to need to send those file to someone, make sure it’s a person you can trust. Just in case that someone intercepts the transfer, encrypt the files before sending them or at least put them in a zip file with a password.

Another measure you can take to make your file transfers more secure is to always use the most recent version of FTPS or sFTP that you can get.

↑ Table of Contents ↑

Advanced WordPress Security Tips

Now that you know the basics it’s time to move on to something a bit more complex! You can harden your website further and make it even more impervious to potential attacks if you just put in a bit more extra effort and learn some more advanced tricks.

Of course, it’s nothing too complicated, and it mostly involves editing some files, hiding some stuff from sight and enabling some more restrictive options.

A lot of these techniques are used by paid WordPress professionals when maintaining a website and you can save yourself a lot of money paying for such services if you perform some of this stuff yourself.

However, these aren’t completely risk-free operations, and some of them might break your site if done incorrectly, so make sure to back it up before you do anything described here. That way you stay safe if anything goes wrong.

Now that you know the risks and benefits let’s get right into it.

↑ Table of Contents ↑

Restricting File Permissions

One simple way to lock out hackers from one of their main vectors of attack – modifying the PHP files on your website – is to make the files unmodifiable by anyone.

When you do that, not even someone with an admin account will be able to touch them – only you will be able to modify them through your FTP client.

Sounds great, right? Well, not so much, since it has some serious downsides.

The largest downside of this is that WordPress will be unable to update automatically – however, you will still be able to update it manually by the method described before. It’s quite a long and tedious process.

There’s more to it though – you also won’t be able to update your plugins and themes automatically. You also won’t be able to update them via the WordPress administration panel anymore. You’ll have to do it all manually which can be quite a chore if you have a lot of them.

But, even if you know all the negatives and you still think this is worth doing, you can go ahead. Doing it is actually rather simple – you just need to add one line of code to the end of your wp-config.php file. Make sure to backup your site before you do it though.

That line of code is as follows – define(‘DISALLOW_FILE_EDIT’, true);

Now no one can edit any files on your site, at least not via the WordPress application. Only you can do it now via your FTP client, and if you want to disable this option, you will have to do it by editing the wp-config.php file again and removing that line of code.

This might disable the work of some plugins or themes and completely break the functionality of your site as well. If that happens, you can roll back to the previous version from the backup or try to remove the line of code and see if everything goes back to normal.

Doing this will stop most attackers in their tracks, but it will cause you a lot of hassle – make sure it’s worth doing before you commit to it.

↑ Table of Contents ↑

Protecting Your wp-config.php File

You can make lots of important changes to your WordPress site by just editing the code in your wp-config.php file. But you’re not the only one who can do it – hackers will most likely target this file as soon as they get a chance and they can wreak havoc if they get to it.

One of the ways to protect is to disable access to it so no one can edit it, but then you’re also locked out of it and if you happen to need to edit it, though luck. However, there are better options to protect this file from attackers and here are some of them.

Hiding the File – This is one of the simplest things you can do – just move the file elsewhere than where it’s usually located. It most likely won’t cause problems with your website, but it will make attackers scratch their heads when they try to find it.

By default, the file is located within your root folder on the website. However, you can move it to a directory that’s less public and less predictable. However, you might have to constantly edit the code of your core files and plugins to refer to the new location.

Block Access Through .htaccess – If you want to restrict access to the file, there’s an easy way to do it by editing your .htaccess file. This will block anyone from accessing the wp-config.php file. Here’s how to do it.

If you don’t have the .htaccess file, create it in the same directory where the wp-config.php is located. Then, edit the file and add the following snippet of code at the end:

# Deny access to wp-config.php file

<files wp-config.php>

order allow, deny

deny from all


Once you’ve done that you’re finished! If you ever want to edit your wp-config.php file, though, you’ll have to remove that line of code beforehand. You also might have to remove it for performing updates.

Transfer Important Info – Another way to protect this file is to make it unimportant by transferring everything important from it to another file that it will refer to for all the info. This isn’t too hard to do.

To start with, create a new file in another directory that’s not WWW-accessible and name it, for example, config.php. Now, open the wp-config.php file, copy the lines that contain the secret keys, database connection details, and the database prefix and paste them into the new file.

Now you can delete all those lines from the wp-config.php file and replace them with references to the new file. For example, if your new file is located in the home/username directory, what you need to include after <?php should look like this:

; include(‘/home/username/config.php’);

This achieves a similar result as moving the wp-config.php file but without a lot of hassle.

Now that you’ve done all this, your wp-config.php file should be more secure than ever and resistant to attacks. Even if someone does get a hold of your website they probably won’t be able to do as much damage as before and they won’t be able to access the file through scripts either.

Of course, this is not perfect protection, and someone could still do some damage if they wanted to, but this will minimize the risk of that happening.

↑ Table of Contents ↑

Protecting Your WordPress Admin

Your admin account is the most imp0ortant user account on your website – if attackers get a hold of it, they’ll be able to do almost whatever they want, and you’ll be helpless to stop them. At that point, the site might as well be theirs.

Because of that, you might want to take some extra precautions to secure your account and make sure that it isn’t compromised. You’ve already made a strong password and reinforced your day-to-day habits to be as safe as possible – what else is there to do?

Well, quite a few things in fact – here are some of the most important ones to take care of.

Changing your login URL – By default the login URL for your website is which is just not acceptable. Attackers can easily program bots to target such generic addresses with brute force attacks.

By changing this URL, you will effectively dodge most brute force attacks directed against your website. This can even be done easily by using a free plugin like WPS Hide Login.

The plugin will appear under the General section of the settings on your WordPress admin dashboard, and the only option it offers is changing the login URL of your website. Try to change it something that’s not easily guessed.

Limit Login Attempts – Another way to fight against brute force attacks trying to get into your admin account is by limiting the number of login attempts available before the account locks down for a set time period.

Using a plugin for limiting login attempts like Login LockDown or Cerber Security is a good option.

Create a Separate Editor Account – When you make a post or edit one as the admin account, your admin username will show up below the article. This is giving your possible attackers half the puzzle – now they just need to figure out the password.

If you create a separate editor account, however, and use it for day-to-day activities, they will be none the wiser and might even try to break into that account instead. Thus, you’ll be able to protect your admin account.

As you can see, there’s a ton you can do to protect your admin account and probably even more than that. If you secure your admin account, you’ve done most of the job of securing your website, and you’ll almost always have a way back in while that account remains uncompromised.

↑ Table of Contents ↑

Enable the HTTPS Protocol

The protocol that most websites run these days and that’s used to communicate between them, and the browsers is named HTTP – and it’s just terrible for security. It’s a plain-text protocol, meaning that anything going through is completely unencrypted and can easily be viewed.

Luckily, HTTPS exists, and it has existed since 1994 wouldn’t you believe it! This protocol is an improvement on HTTP in terms of security – with it, the information between the website and the browser is encrypted, meaning that not just anyone can access the information.

Most websites still use plain old HTTP because HTTPS costs more and people think they don’t need encryption – but if you want to focus on WordPress security, you need it more than most other things.

By running an HTTPS instead of an HTTP website, all your communication will be encrypted, and attackers will have a much harder time penetrating your defenses. All your security measures will be boosted up a notch.

To run your website in HTTPS, you need two things – to enable the HTTPS protocol on your web server and to own an SSL certificate. Most web hosts will be able to provide you with both – they will sell you an SSL certificate and give you the instructions to enabling HTTPS.

Some of the hosting companies which offer free SSL certificates to all their clients include:

Each host will have a different process for enabling HTTPS on your website, but the process of configuring WordPress to use the SSL certificate and HTTPS is roughly the same no matter which host you’re using.

One of the easiest methods is to simply install a plugin like Really Simple SSL and use it to configure your website. Once you install it, just go to Settings > SSL – then, the plugin will take care of everything for you, like magic!

There might be some side-effects and mixed content errors that remain for a while, but it should all be sorted out after a short while.

Of course, if you don’t want to use the plugin to perform all this, you can also do everything manually. Stay strapped in; this gets a bit complicated.

To start with, you need to check if your website is loading via HTTPS – go to and see if it loads. If it does, login to your admin account and go to WordPress general settings.

There you need to change your ‘WordPress address’ and ‘site address’ so they both start with HTTPS instead of HTTP. Once you’ve done that, click on save and exit.

The next step is editing your .htaccess file by adding the following piece of code at the top of it:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R,L]

Once you’ve done that, move on to your wp-config.php file and add this line of code at the bottom:

define(‘FORCE_SSL_ADMIN’, true);

Save the changes, and you’re almost done. Some plugins might still be confused and think your website is running in HTTP in which case you will probably have to reinstall them or edit their PHP files to replace all instances of HTTP with HTTPS and a few other things.

However, now you’re the owner of an HTTPS website, congratulations.

↑ Table of Contents ↑

Hide WordPress Version Information

Attackers will try to target outdated versions of WordPress in the hope that they’ll get in through one of the well-known holes in the structure. However, they won’t be able to target you like that if they don’t know what version of WordPress you’re running!

You should, in theory, always be running the latest version of WordPress but in reality that doesn’t always end up being the case. Because of this, hiding the version you’re running can be extremely beneficial and could lead attackers astray.

By default, WordPress displays the version you’re running in the header of your website’s source code, which attackers can easily access and read.

So, how do you hide it? Well, you can simply open up your functions.php file and add this little snippet of code to the end:

function wpversion_remove_version() {

return ”;


add_filter(‘the_generator’, ‘wpversion_remove_version’);

And it’s done!

Some plugins also have the option to hide the WordPress version, but most of them are premium plugins. If you can do it manually, you don’t need to pay for them.

This way you’ll be at least slightly protected against attacks if you’re running an older WordPress version for whatever reason.

↑ Table of Contents ↑

Disabling XML-RPC

XML-RPC is a protocol used for connecting your website to mobile devices, and it was enabled in version 3.5 of WordPress. However, hackers also use it for another purpose – to greatly amplify the intensity of their brute force attacks.

How? Well, instead of making 500 separate requests for trying 500 passwords that will be a clear sign of a brute force attack, they can try thousands with only 25 to 50 requests, which might go by unnoticed.

This is achieved through the system.multicall feature, which allows anyone to execute multiple methods in one single request.

Because of this XML-RPC has become a sore point in WordPress security and if you’re not using, you should disable it.

One of the easiest ways to disable it is with a plugin called Disable XML-RPC which you can get for free. It’s a simple plugin, just follow the instructions on the plugin page, and you’ll be able to use it without a problem.

There is also a manual method as you would expect. It entails editing your .htaccess file with this little bit of code added at the end:

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from


This will completely disable XML-RPC and save you a lot of trouble with brute force attacks. If you’re not using mobile apps or similar connections to access your website, it shouldn’t even be a problem.

The only risks associated with disabling it involves the website not working on some mobile devices but that is more than acceptable when compared to the benefits of protecting you from potentially losing your entire website.

↑ Table of Contents ↑

Implement a WordPress Security Audit Log

Lots of things happen on your WordPress site on a daily basis, more than you can keep track of by yourself. Some of those things you won’t even notice no matter how vigilant you might be.

Well, you can notice all those things, some of which may be early signs of vulnerabilities of attacks – if you install a plugin that gives you the ability to view audit logs. Such a plugin will show you an audit trail of everything happening on your website.

Some of the best plugins for this purpose include:

  • Simple History – If you need a quick, free solution that will show almost all types of events, this is the plugin you should get for yourself.
  • WP Security Audit Log – A comprehensive audit log plugin showing almost every type of event that might happen on your website. This info can be used to preempt most types of attacks and identify strange behavior that might indicate a hack. It has a premium version that’s even better.
  • WP Log Viewer – This is an audit trail plugin designed specifically for keeping track of error messages. If you’re running a large number of conflicting plugins and themes or you’re constantly having trouble with your website crashing, this might help.
  • User Activity Log 
  • Simple Login Log – If you want to follow login attempts on your website and try to preempt brute force attacks, this plugin will allow you to do just that.

All of these plugins are decent, though the more comprehensive ones are better. Once you install any of these plugins, they will automatically start monitoring all the events that happen on your website.

Once you have the info, you can parse through it and use it to see if there’s anything suspicious happening and identify a potential breach of WordPress security.

Some of the telltale signs of suspicious activity include:

  • Strange login behavior – If you’re the only one logging into the site, someone else logging in is a clear breach of security. If you and others working on the site only tend to log in during certain hours, logins outside of those hours are cause for concern.
    If you detect logins from unknown IP addresses from strange countries, that could also be a sign of a breach in security. You could contact your hosting provider and see if they can block the offending IP addresses.
    A large number of failed login attempts are also something that you should definitely look into. It might be a sign of a brute-force attack, but it might also be a beginning of something more sophisticated.
  • Strange profile changes – New users being created out of nowhere, massive changes to user profiles and permissions without your knowledge as well as frequent password changes are all cause for concern.Some of these behaviors are telltale signs of someone taking over your website, and you should react to it immediately.
  • New files/pages being created – If a ton of new files are suddenly created if files you didn’t upload are appearing in the database, it’s a cause for concern. It might be a hack in the making, someone laying the groundwork for a complete takeover of the site.
    If you see something like this happening, try to delete all the unknown files as well as the user accounts that created them.
  • Requests to non-existing pages – One of the telltale signs of a hack being prepared is a large number of 404 errors. This means that attackers are scanning your website with an automated scanner.
    If you can identify the IP address that the page requests came from, you might be able to get your web host to block it completely.

These are just some of the attacks you can identify early if you have an audit trail plugin running so you should most definitely get one and keep an eye on it at all times.

↑ Table of Contents ↑

Enable a WAF

Web application firewalls, or WAFs for short, act as a filter or a shield between your website and any incoming traffic. They can monitor all of the traffic and block anything that might seem suspicious or malicious.

It’s not possible to block everything, of course, only what the firewall can recognize. Still, this will stop some of the most common and mundane threats before they ever get a whiff of your website.

There are two types of firewall plugins for WordPress out there:

  • Application Level Firewall – Once the traffic reaches your server, these firewalls examine it before letting it through to your website or loading most of the common WordPress scripts. It’s decent protection but not as good as the other method. 
  • DNS Level Firewall – These are more secure firewalls that reroute all the traffic coming into your website through their proxy servers, filtering out anything malicious and then sending all genuine traffic to you. It works better and might even speed up your website.

The other type of firewall is far better in dealing with threats though it could be costlier to maintain. However, they will be able to protect your website effectively and even speed it up a little by reducing the load on your hosting server.

Most WordPress security plugins offer firewall services in their complete packages, so there’s no need to install an additional firewall if you have any of these plugins. These are plugins like Sucuri, Jetpack or iThemes Security.

If you want to know more about what plugins to install for a good firewall, check out more about the best WordPress security plugins.

↑ Table of Contents ↑

Customizing Your .htaccess File

While it’s not always there by default, the .htaccess file is one of the most important files for your WordPress website. It is what your website uses to handle changes to configuration on a per-directory basis.

You can do a lot of cool and useful tricks with it to harden your website security. Some of them have already been described earlier in this article, but those are not all of them, not by a long shot. There are still some others you can try.

Set a file upload limit – Attackers will often try to upload new files to your directories to make backdoors for themselves. These files can often be huge, and if you limit the size of the possible file uploads, you may be able to stop them from doing something like that.

To limit the size of file uploads add the following; just replace the XX with a number:

php_value upload_max_filesize xxM

Doing the same for posts is easy:

php_value post_max_size xxM

Block author scans – The first thing brute-force attacks do is to try and find as many usernames of authors on the website as possible. This is half the work for them, since then they only have to guess the password.

Well, you can disable this with a small snippet of code at the end of your .htaccess file and make yourself more secure:

# BEGIN block author scans

RewriteEngine On

RewriteBase /

RewriteCond %{QUERY_STRING} (author=\d+) [NC]

RewriteRule .* – [F]

# END block author scans

Restrict access by IP address – If you’re the only one working on your WordPress site from your home network, it is a good idea to restrict access from other IP addresses. You can  do this by adding the following piece of code to the file:

order deny,allow

allow from [insert your IP address]

deny from all

However, if you have a dynamic rather than a static IP address, don’t do this. Since a dynamic IP address changes every time the router is restarted, you will end up being unable to access your website.

Block direct access to plugin/theme PHP files – This is something that you can do to stop attackers from exploiting PHP vulnerabilities in your themes and plugins. However, this will leave you unable to update them automatically, so beware.

To do this, just add the following bit of code:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/

RewriteRule wp-content/plugins/(.*\.php)$ – [R=404,L]

RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php

RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/

RewriteRule wp-content/themes/(.*\.php)$ – [R=404,L]

Restrict access to wp-includes directory – There is no reason for anyone to edit this directory most of the times, but hackers will try to edit it or add backdoors to it. To prevent tht all you need to do is to disable access by adding this snippet of code to your .htaccess file:

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ – [F,L]

RewriteRule !^wp-includes/ – [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]

RewriteRule ^wp-includes/theme-compat/ – [F,L]


Protect the .htaccess file – Finally, here’s how to protect the file itself from unauthorized access to it. Just add this snippet of code to the end of the file:

# Deny access to all .htaccess files

<files ~ “^.*\.([Hh][Tt][Aa])”>

order allow,deny

deny from all

satisfy all


If you don’t want to mess around with editing the file on your own through your FTP client, though, there are plugins which can allow you to do it directly from your WordPress dashboard. 

Here are just some of them:

Now you know what do with your .htaccess file, and you can use this knowledge to make your website even more secure than usual. There’s, even more, you can do with the file if you learn a bit of PHP coding and then you can start experimenting on your own as well.

↑ Table of Contents ↑

Hotlinking Prevention

Have you ever directly linked to an image on another website by right-clicking it and copying the exact link? You probably have. You might have even included images in your pages or posts that way.

Well, when you do that you’re stealing bandwidth from the website where you hotlinked it from. They’re still hosting the image, and for anyone that views it on your website, they’re paying the price – which can be extremely high.

Other people can do the same thing to you as well and massively increase your hosting bill, especially if it’s a popular site that does it. Because of that, it’s a good idea to prevent the hotlinking of images from your website.

This can be done in a few different ways. The easiest one is using a plugin like Hotlink Protection or Hotlinking File Prevention to do it. Of course, these plugins aren’t completely reliable, and you don’t want to have too many plugins installed, so there’s another method.

Preventing hotlinking manually can be done by editing the .htaccess file in your root folder. Find it, right click it and select “view/edit” from the menu. Then, at the end, add the following code:

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ – [F]

This prevents any other site from accessing your images directly, thus preventing hotlinking.

You can add as many different sites as you want to the blacklist and you can also add as many different file extensions as you want at the end.

If you want to find out who hotlinked images from you so you can blacklist them, one of the easiest ways to do it is by using Google. You can just type in the following – – and go to ‘images’ to find the culprits.

↑ Table of Contents ↑

Make Sure to Use WordPress Backup

One of the best ways to deal with anything bad or undesirable happening to your website is to have a good back-up. With it, you can just return your website to a previous, pristine state like nothing ever happened.

You might think your website is secure enough and that there’s no need for a backup – but you never know. A website can never be 100% safe, and you could still lose everything in a moment of weakness.

Besides attacks, it is also possible for you to lose all your data simply due to a bad update or a plugin that conflicts with another and messes everything up.

A lot of web hosts offer their own backup services, but you might not want to rely on them completely. Server-side information can be quite open to the web so the back-up itself might end up compromised if the worst comes to worst.

It’s better to rely on your own backups instead – that way you will be sure that the files remain pristine and uncompromised and you can store them however you like. Alternatively, you could rely on the service running the plugin to store the files for you and keep them safe.

Here are some of the best WordPress backup plugins that you could install:

  • Updraft Plus – Even though it’s free, this is one of the best backup plugins around, and the premium version it offers is even better. It allows you to store the backup on the cloud or your machine and it can do on-demand backups.

    The premium version offers options for migrating or duplicating your website as well as multisite support. You also get to be first in line for any support services that they offer. 
  • Backup Buddy – This is one of the oldest backup plugins on the market and still one of the best around. It is a premium plugin, and it offers the ability to automatically store your data on sites like Dropbox or the Amazon S3, and you can do real-time backups. 

    The best part is that you don’t have to pay a monthly fee to use this plugin – it’s a one-time fee that gives you access to great support forums and lots of storage space as well. 
  • BackUpWordPress – With this free tool, anyone can do a backup even without a tutorial for it. It’s an intuitive tool that can backup your database or your entire website whenever you want it and stores the files on the cloud or your machine. 
  • VaultPress – This is a premium plugin that offers great backup services, but it also offers much more than that. It is a comprehensive security service with a firewall, a scanner, spam defense and more. If you want one plugin for everything, it might be a good choice.

    However, their backup service is a bit difficult to set up, and it has its own dashboard full of options. Of course, there are lots of good options on there, but it could still be overwhelming to a new user. 
  • BackWPup – The premium version of this plugin is quite expensive, but the free version is good enough that you probably won’t have to opt for that. You can still perform scheduled and manual backups to services like Amazon S3 or Dropbox.

    Email backup is a nice option as well, and in general, it’s loaded with tons of great options that are intuitive to use. You have the option to backup different parts of your site separately as well, allowing you to deal with some hacks easier.

There are some other plugins that could also do the job, but these are considered to be some of the best. If you pick a backup plugin, it’s suggested that you pick one of these five.

Once you have your backup done, there’s still a question of where to store the backup. Well, there are a few options:

  • Cloud Services – These are things like DropboxGoogle DriveAmazon S3 and others. Most of them are reasonably secure and connected to backup plugins but they are still on the internet and can get hacked, so they’re not the safest option you could go for. 
  • Your Machine – If you think your machine is secure enough and you have enough space, you should just store the backup there, on one of your hard drives. However, if your machine ever gets hacked or someone else gets a hold of the file you’ll be left vulnerable. 
  • Encrypted Drive – This is probably the most secure option you could choose, but it might be a hassle to set up. You should use a hard or a thumb drive that’s completely encrypted and password protected, without any other files on it.

Whatever you do, make sure to password-protect your files and to store the backup on at least two different places in case one of them somehow gets corrupted.

Restoring your site from a backup is a different matter entirely, and it differs a bit with each plugin. However, there’s one thing that you should keep in mind whenever you do it – completely delete all of your old files – don’t leave anything, especially if you’ve been hacked.

Some people are tempted to keep some files, especially if they only have an old backup, but don’t’ do it – it might make the whole process pointless. Also, change your MySQL username and password before you create a new database with your backup.

With a backup, you’ll always have a way of restoring your website to some semblance of normalcy. Don’t forget to back-up regularly, so you always have a version that’s as up-to-date as possible.

↑ Table of Contents ↑

How to Check if Your WordPress Website Has Been Hacked

No matter how much you harden your site, your site can still be hacked. The chance is much smaller, yes, but it still exists. If it is, the important thing is to detect it as soon as possible before it spreads and the consequences become irreparable.

Here are some ways in which you can detect a hack on your website from external sources.

Your Browser – You open Google Chrome, type in the address of your website and – the screen goes red. Chrome is telling you that the site ahead is unsafe and contains malware. Well, that’s it, your site’s been hacked.

If it’s already come to this, it’s probably quite bad. Still, it can be helpful since Chrome, for example, can differentiate between a website used for phishing and one hosting malware so you can get some kind of idea of how your site is compromised.

Google Search Results – If you’re worried about your SEO ranking you’re probably googling your website rather often. Well, at some point you might come across something strange.

For example, if results for Viagra appear when you google your website, you’ve probably been the target of a pharma hack. On the hand, Google might flag your site as ‘this site might harm your computer’ or ‘this site may be hacked,’ and you will know that something has gone awry.

One of the worst things that can happen is that you can’t even find your site through Google – this likely means that your site’s already been blacklisted and removed from the search results for being malicious.

The Google Search Console – This handy tool alerts you to problems that Google might have encountered with your website, and any website owner should be using it. GSC can also email you about any potential problems with your site if you enable the option for it to do so.

You can also visit the Security Issues panel of the GSC and see if it detects your website as infected.

Your Hosting Provider – Most hosting providers will immediately take a website down when they find out that it’s hacked, to protect their other customers and their lofty reputation. They will probably inform you about this after the fact.

Some hosting providers instantly format infected servers or accounts, even before notifying you, so it’s good to have a backup in the case.

Your Visitors – You can easily be contacted by a visitor who got infected from going onto your site or got a suspicious pop-up from a page. Since you probably get hundreds to thousands a visitors a day, at least some of them are bound to notice something when you get hacked.

Your Malware Scanner – If you’re using a scanner like Sucuri or Wordfence it might alert you that you’re infected with malware or that you’ve been hacked. If you found out about the hack this way you probably still have plenty of time to react, unlike the previous methods.

Since the alert will most likely arrive at your email address, you should keep a close eye on it at all times for signs of trouble.

Watching Site Traffic – Closely monitoring your site traffic can help you notice hacks and attacks as soon as they start happening. A sudden large spike in traffic could be a sign that your site’s been hacked or that someone is trying to hack into your site with a brute-force attack.

It could also be a sign that your site is being used in a spamvertising campaigning due to having a good reputation.

There are various ways you can check this – Google Analytics, tools provided by your web host or a plugin.

Either way, you should take some action and see if you’ve been hacked if there’s an increase in traffic or bandwidth use.

Source Code Scanner – You can utilize a source code scanner to detect changes made to your site by hackers and thus identify if your site has been hacked. Such scanners inspect all of the PHP on your website for signs of malicious code.

This method might not detect some newer infection or method of hiding malicious code. However, scanners that compare your version of the code with a version from a known good source might detect even newer infections.

Remote Scanners – These scanners will comb through the HTML that your site produces and search it for any malware. If the hackers didn’t include any malware in the HTML, a hack might escape detection.

Also, this method might not find a hack if it only activates under certain conditions or at certain times of the day.

Other Methods – There are more places where you can check if your site has been infected. 

Here are a few of them:

  • The Google Safe Browsing List can be used to search for your site, and it will tell you if it’s flagged for malware or phishing and give you an idea of when the flagging occurred.
  • SpamHaus is a spam watch list that keeps track of websites that have been infected or hacked. If your site appears on the list, it is most likely compromised.
  • VirusTotal can scan the URL of your website and compare it to a huge database of viruses that you could be infected by.

If you try to check by any of these methods and you find out your website has been hacked, what can you do? Well, a few things.

The first thing you can try is to try and restore your site to a previous backup. If that doesn’t work, you could also try contacting the support service of your web host.

You could try and identify the problem yourself or with them and then try to fix it yourself or pay a professional.

A service like Sucuri or Wordfence could also be used to clean out your website.

↑ Table of Contents ↑

Final Word

Good WordPress security is a combination of many different things – good preparation, safe day-to-day habits, proper reactions to signs of trouble and more. There is no easy fix or one-button solution – you have to work on it all the time.

Here, you’ve found out exactly how much work needs to go into maintaining a website properly and protecting it from as many avenues of attack as is humanly possible.

Of course, you can’t do everything by yourself and neither can we – there are still some things we haven’t mentioned. If you want to know more about some specific aspects of WordPress security you should look around, preferably on the WordPress codex where you’ll find lots of good info.

If you find yourself in a situation where you don’t know what to do, always try to reach the support team of your web host before you try anyone else. If you picked a good hosting service the support should be able to help you unless it’s a major problem.

Alternatively, you should try to get some free WordPress support elsewhere on the web before turning to paid services. You can find a lot of good advice out there without having to pay a dime for it.

If you have to turn to a paid service, either because no one else knows the solution or you need to fix things quickly, you should always be a bit wary. Even if it’s a trusted service be a bit careful about giving them complete control of your website unless you have to.

In case you’ve been a victim of a hack, make sure to change every possible password of yours on every website that you visit. You don’t want to leave something open to the attackers and get compromised again in a matter of days.

But, it won’t have to come to that if you keep up with good WordPress security habits. Your website should remain secure and resistant to most sorts of attacks – after all, people who get hacked are usually weren’t paying enough attention to their websites, and that’s not you.

Hopefully, all of the tips and info in this article were helpful to you. If you have anything to say feel free to pop into the comment section and say it. In case you liked the article or know someone who can benefit from it, share it around.

For now, thank you for reading and watch out for more WordPress tips from us.