Top Ways to Secure WordPress Website





Most WordPress sites are lacking in terms of security. This can be attributed to the many available plugins whose security cannot be guaranteed, or to developers who lack security expertise. WordPress powers up to 20% of the sites on the internet. Therefore, it is a popular target for both amateur and experienced hackers. In the year 2013, more than 80,000 WordPress sites were attacked by botnets. The number continues increasing with the addition of new WordPress sites. Security should be the main concern when running a WordPress site.

Run the Latest Version of WordPress

One of the first obvious security measures is running an updated version of any software. It is normally the starting point. As it stands, more than 80% of WordPress installations are using outdated versions. Apart from bringing new features, each WordPress update comes with security fixes and bug fixes. This protects the WordPress installation from being exploited through common vulnerabilities.

Run the Latest Version of Plugins and Themes

This is another WordPress security lapse affecting most websites. Many users assume that once they run the updated version of WordPress, then everything else on the website is automatically updated. However, the themes and plugins on the site could still be vulnerable, and this could expose the whole site to security attacks.

One common example of how outdated themes and plugins can compromise the security of a site is the Slider Revolution plugin. It is one of the most popular plugins used on WordPress. Most WordPress themes sold on the Envato market also use this plugin. This vulnerable plugin presented malicious users with the opportunity to steal database credentials. With such information, the whole site is compromised.

Therefore, it is important to ensure that the plugins and themes running on a WordPress website are kept up to date at all times. The themes and plugins can also be set to update automatically. This will ensure that the site is secured with the current security updates.

Website Hosts

The hosting environment also determines the level of WordPress security of a website. There are many options available today when it comes to hosting. Although hosts provide a certain level of security, it is good to understand that the main responsibility of securing the site lies with the owner. A trusted web host should clearly show the following qualities.

– Is ready to discuss the security concerns of the client and the security features offered with the hosting

– All server software should be the most recent and stable

– Reliable methods of recovery and back up are provided.

Regardless of the number of security features that have been added on a particular WordPress website, if the host is not reliable, then the whole site is vulnerable to malicious attacks. It is therefore advisable to choose a reliable and trusted host. Premium hosting might sound expensive, but they offer some of the best security for any website.

Use Two-Step Verification

This method of verification requires a two-step authentication process for anyone who intends to log in to the WordPress website with administrator privileges. It is one of the best methods of securing the website. Most people use this verification process for their Gmail and PayPal and forget to apply the same to their WordPress websites. It is one of the most secure ways of locking out hackers and others with malicious intentions.

Hide Author Usernames

Failure to change WordPress defaults exposes the usernames of authors on the site. Most hackers also know that the main author of a particular site is also the administrator. With the username of the administrator, the hackers can then proceed to generate a password combination and access the site.

According to DreamHost, hiding the usernames of authors on the site is a good idea in order to make sure that the hacker’s job is not made any easier. This can be done through adding some code to the site which takes the hacker to the main site, instead of accessing the information of the user.
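One way to write the code described above, as an added example that is not DreamHost's snippet or WordPress core code. It assumes the code is placed in a must-use plugin or the active theme's functions.php, and it also covers two other places where WordPress lists authors.

```php
<?php
// Added example, not DreamHost's or WordPress core code. Assumed placement:
// a must-use plugin or the active theme's functions.php.

// 1. /?author=N normally redirects to /author/<slug>/, where the slug is
//    derived from the login name by default. Send anonymous visitors to the
//    home page for every author query, valid or not, so that responses do
//    not distinguish existing user IDs from missing ones.
//    Side effect: public author archive pages are disabled.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( is_author() || isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
}, 1 ); // priority 1: run before core's canonical redirect (priority 10)

// 2. The REST API lists users at /wp-json/wp/v2/users. Remove those routes
//    for unauthenticated requests; logged-in users keep them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. WordPress 5.5+ publishes author archive URLs in wp-sitemap-users-*.xml.
//    Returning false drops that sitemap provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

Themes that print author links or author CSS classes can still expose the same slug, so the theme's templates should be checked as well.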

Do Not Use Admin as Username

Using “admin” as a username is inviting hackers to the WordPress website. Most of the attacks today are mainly targeted on the wp-admin access point through a combination of some password and “admin”. It is clear that once the “admin” has been removed, the threat potential has been totally eradicated.

Most people would argue that the hacker could still generate the user ID and name and even create a new username. Although this is somewhat true, security is not about eliminating risks; it is about reducing them. For the commonly used Brute Force Attack, removing the “admin” will reduce the chances of a successful attack. It is important to clarify that the “admin” used in this case is just a username, and not the privileges.

Choose Themes and Plugins Selectively

WordPress gives users the chance to customize and extend the site with numerous themes and plugins. Although customization and extending the site’s capabilities are important, it should not compromise the security of the website, regardless of what they add to the website.

Even if the site itself, the themes and plugins are all updated, it does not eliminate the risk of an attack. Attackers can use plugin enumeration to determine the type of plugins used on a particular WordPress website. Cutting down on unnecessary plugins will reduce the attack surface of the site automatically.

When choosing the themes and plugins to use, it is advisable to be selective. Before any theme or plugin is installed, the user should read about it on other sites and check any reviews. This will prevent users from installing malware such as the Toolpack Malware Plugin.

When installing plugins, the user should check the total number of times it has been downloaded and the last update by its developer. The higher the number of downloads and recent updates a theme or plugin has, the wider the use and active maintenance. This implies that any identified bugs are quickly fixed.

Reducing the number of plugins is not just about WordPress security; it also keeps the speed and performance of the site high. Once a website has been loaded with too many plugins, its loading speed can be dramatically reduced. Therefore, if a particular plugin is giving the site some problems, it should be left out altogether.


Securing a WordPress website is more than just installing security plugins. It requires a comprehensive approach that should be carefully handled. A secure site will ensure that unauthorised users do not gain access to the WordPress website.

Top 5 WordPress Vulnerabilities and How to Fix Them 


WordPress, a free, open source blogging tool, is the most popular blogging system on the web, even surpassing Blogger, Microsoft SharePoint and Drupal. WordPress also serves as a content management system (CMS). The popularity of this platform has made it a favorite among hackers. In particular, its plugin architecture and template system, which are based on PHP and MySQL, make the platform vulnerable in several ways. With over 30,000 official WordPress plugins, the seriousness of the vulnerability problem cannot be overstated.


Vulnerabilities keep emerging and re-emerging as new themes, plugins and WordPress versions are introduced. In general, new updates offer most WordPress fixes, which helps most WordPress site owners stay a step ahead of the hackers. However, a new version may introduce a new or a worse vulnerability, or even create vulnerabilities where none existed. In such cases, the best fix could be as simple as reverting to an earlier version of the theme. Owners host about half of all WordPress sites, which means that knowing common WordPress fixes to certain vulnerabilities is very important.


  1. Security Bypass Vulnerabilities

WordPress keeps introducing plugins to improve the functionality or the appearance of its sites. However, some of these plugins usually come with security vulnerabilities that can allow unauthorized access to privileged resources. The worst-case scenario is when these security threats allow the hackers to modify security information and take command of the vulnerable sites. Security bypass vulnerability is mostly introduced by new plugins, for instance, the Mobile Pack plugin.


The Fix

WordPress’ Mobile Pack Plugin allows security bypass that gives access to password-protected posts, a problem that can be fixed by updating to version 2.0.2 of the plugin. The WPTouch Plugin also fails to restrict access to certain administrative functions, which can allow hackers to upload and execute server-side codes. This problem affected versions 3.4.2 and possibly prior versions, but installing version 3.4.3 will fix the problem.


  2. Inadequate Access Restrictions to Sensitive Files

A general WordPress installation results in the creation of some sensitive files that, in the wrong hands, can create serious security vulnerabilities. Hosts may provide the ability to view site directories as part of their default settings. When the directories contain sensitive information and are accessible to malicious parties, they can be modified to seriously compromise the site's security.


The Fix

Any files that the owner feels could easily expose sensitive information should have their access privileges tightened. The changes should allow the files to be viewed and modified only by the administrator, for instance, files with configuration information. Modifications can be made to the .htaccess file to restrict access to any sensitive files. The website owner can also create a whitelist of any links allowed access to certain directories.


  3. Attempts to Hack the Admin User Account

Some hackers are quite resourceful and persistent in their attempts to gain administrative privileges to a site. The default admin account increases the susceptibility to such attacks since the hackers know right away that getting the password to the “admin” account will give them unlimited access to the site. The hackers can achieve this by using automated scripts that are able to make relentless login attempts that may eventually succeed.


The Fix

The knowledge that the hackers only have to succeed in getting the password for a certain account to have administrative privileges is a definite plus for them. This edge can be eliminated by deleting the “admin” account, and using a generic name to create a user account and then assigning it the administrative privileges associated with the “admin” account. The hackers’ task is therefore magnified as they would have to try and hack every account on the site and succeed, in order to gain access to the site, which is obviously much more difficult. In addition to getting rid of the admin account, site administrators can also use a plugin that inhibits enumeration of users, which prevents the hackers from knowing the names of site users.


  4. Cross-Site Scripting (XSS) Vulnerabilities

A number of plugins on WordPress allow hackers to execute client-side attacks through injection of scripts into web pages viewed by site users. This vulnerability allows attackers to execute HTML codes on the browsers of the users in the context of the vulnerable site. For instance, some Photo Gallery and WooCommerce plugin versions released recently have this problem. In both of these plugins and other plugins offering the same vulnerabilities, input passed through sensitive admin files is not adequately sanitized before being returned to the user, which means the output contains sensitive administrative information that can be exploited by hackers.


The Fix

Most of the cross-site scripting problems are recognized early enough and reported. Usually, subsequent updates specifically resolve these issues. However, site owners who have installed such plugins can remove them until safer versions are available.


  5. The WordPress Tag

As has already been established, being a WordPress site makes a site more vulnerable to attacks. WordPress sites are vulnerable because of their numerous unsafe themes and plugins. When hackers have no way of knowing whether a site runs on WordPress, they are more likely to stay away, indirectly reducing a site’s vulnerability.


The Fix

If hackers dedicated to taking down WordPress sites could be convinced that a site did not run on this popular platform, the site would be less susceptible to attacks. WordPress site owners can get rid of the “WordPress Site” tag by removing mentions of the word from the site.


The “Powered by WordPress” line is usually the first obvious giveaway. Site owners can also get rid of backlinks to the WordPress site from their site and redirect to the functions.php file, which hides the WordPress version of the site from attackers.
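A functions.php sketch for hiding the version number, as an added example that is not the article's or WordPress core code. The function name example_mask_core_version is hypothetical, and placement in the active theme's functions.php is assumed.

```php
<?php
// Added example, not the article's or WordPress core code. Assumed placement:
// the active theme's functions.php. example_mask_core_version is a
// hypothetical name.

// Drop <meta name="generator" content="WordPress x.y"> from the page <head>
// and the generator element from RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core CSS/JS URLs carry ?ver=<WordPress version>. Swap that value for a
// short keyed hash: browser caches are still invalidated on upgrade, but
// the version number can no longer be read from the URL.
function example_mask_core_version( $src ) {
    $version = get_bloginfo( 'version' );
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . $version ) ) {
        $masked = substr( wp_hash( $version ), 0, 10 );
        $src    = add_query_arg( 'ver', $masked, remove_query_arg( 'ver', $src ) );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_mask_core_version', 9999 );
add_filter( 'script_loader_src', 'example_mask_core_version', 9999 );
```

Paths such as /wp-content/ and /wp-login.php still identify the platform, so this removes only the version number and does not stand in for applying updates.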



In general, WordPress site owners can reduce the number of vulnerabilities on their sites by knowing some of these WordPress fixes. In addition, any unwanted plugins should be removed, considering that plugins introduce a majority of vulnerabilities to WordPress sites. More importantly, it is critical to stay updated on any issues relating to WordPress vulnerabilities. This way, a site will not become an easy target for malicious users. Sites such as keep a comprehensive and updated list of WordPress vulnerabilities, and their solutions, if any.