WordPress is a walking target in the digital world. Every day, perhaps even every second, WordPress sites are being probed by hackers, bots, brute force attacks and other malicious and intrusive third parties. What should be a comfortable experience for web developers everywhere is actually a disaster waiting to happen.

As a matter of fact, every week Google blacklists over 20,000 websites for malware and 50,000 for phishing. WP White Security reported in 2012 that over 70% of all WordPress installations were vulnerable to hacker attacks and that a whopping 170,000+ sites had been hacked.

It’s sad to say that this figure keeps growing as the years go by. But you have to ask yourself: why would hackers be interested in a low-traffic site? It’s not that they want your data; they want to use your site to send spam emails.

Even though WordPress’s core software is secure and audited regularly, there is still a lot you can do to fortify it. If you wish to avoid this kind of fiasco, then stick around and I’ll show you how to strengthen the security of your WordPress site. The tips below will be your saving grace:


Use a Good Hosting Company

About 41% of all successful hacking attempts exploit a security vulnerability in the hosting platform. So it would certainly do you a whole lot of good to opt for a high-quality hosting platform, especially one that focuses on security. In other words, look for a platform that:

  • Is optimized for running WordPress.
  • Supports the latest versions of PHP and MySQL.
  • Runs intrusion detection and malware scanning.
  • Trains the staff on crucial security issues.

If you’re going for a shared hosting plan, then be sure that it provides you with account isolation, so that another account on the same server cannot overload it and cause problems for your site. Be advised that good hosting platforms take daily internal backups, but you still need to do regular external backups as well.


Keep WordPress Updated

Being open-source software, WordPress is constantly updated and maintained. However, WordPress only installs minor updates automatically; major updates have to be installed manually.

WordPress also comes with thousands of themes and plugins that you can install. And many of these plugins and themes are maintained by third-party developers who regularly release updates.

It is vital that you stay on top of those updates, as they keep your site stable and fix known vulnerabilities. Make sure that your WordPress core, themes and plugins are all up to date at all times.


WordPress Themes and Plugins

Be careful with every plugin and theme you download, because more than half of all successful WordPress hacks are the result of security holes found within them. That’s why it is essential for you to take the following actions:

  • If you no longer use a plugin’s functionality, deactivate it and remove it at once.
  • Be wary of plugins that have not been updated in the last two years, as they may have security holes that have never been addressed. Only use plugins that are regularly updated.
  • Not all plugins are equal. Understand that a poorly coded plugin makes it easier for a hacker to gain access to your site.

As a reminder, you must ensure that your theme is both up to date and well coded. If you want to inspect the quality of the code in your theme, you can use a plugin called Theme-Check; use Plugin-Check to check the code of plugins.


Be mindful of downloading WordPress themes from unknown sources, for they could secretly contain malicious code. The same can be said for premium plugins. Although it is highly unlikely for the original developer to insert malware, you should still be careful when downloading premium plugins from unknown sources.

For what it’s worth, the safest thing you can do is to download themes and plugins directly from WordPress’s directory instead of a third-party site. Downloading from third-party sites is both risky and hurts the business of the people working at WordPress. From the directory you will get functionality that is largely bug-free, as well as 24/7 support.


Use Strong Passwords and User Permissions

Stolen passwords are the most common method of hacking attempts, and can be countered by using strong passwords that are unique to your website. Don’t restrict this to the admin area: apply it to FTP accounts, databases, professional email addresses and WordPress hosting accounts as well.

The main reason beginners do not want to use stronger passwords is that they are harder to recall. Fortunately, with a password manager, one no longer needs to remember passwords at all.

Another way to lessen this risk is to never give anyone access to your WordPress admin account unless you really want or need to. If you have a large team and a group of guest bloggers, then be sure you understand the user roles and capabilities of WordPress before you add new users and authors to your site.


Use Correct File Permissions

Setting permissions to 777 (world-writable) lets anyone on the server, including a malicious party, upload a file or modify an existing one. Be sure to configure your permissions correctly. According to WordPress, you should use the following permissions on a WordPress site:

  • All directories should be 755 or 750.
  • All files should be 644 or 640.
  • wp-config.php should be 600.

To learn about file permissions, you can look into the Changing File Permissions guide on WordPress.org for insights and instructions. If you’re still unsure about file permissions, then ask your host to check them for you.
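To check a live install against the list above, here is a small audit script. It is an added example, not code from the article or from WordPress.org; it only reports deviations and changes nothing, and the path you pass on the command line is an assumption:

```php
<?php
// Added example, not code from the article: audit a WordPress tree against the
// recommended modes (directories 755/750, files 644/640, wp-config.php 600).
// It only reports; it changes nothing. Usage (the path is an assumption):
//   php wp-perms-audit.php /var/www/html

const DIR_MODES    = [0755, 0750];
const FILE_MODES   = [0644, 0640];
const CONFIG_MODES = [0600];

// Return the set of acceptable modes for this entry.
function expected_modes(SplFileInfo $entry): array {
    if ($entry->isDir()) {
        return DIR_MODES;
    }
    if ($entry->getFilename() === 'wp-config.php') {
        return CONFIG_MODES;
    }
    return FILE_MODES;
}

// Format a mode list such as [0755, 0750] as "0755/0750" for the report.
function format_modes(array $modes): string {
    return implode('/', array_map(fn (int $m) => sprintf('%04o', $m), $modes));
}

// Walk the tree and return one report line per entry whose mode is not in the
// accepted set. World-writable entries (the 777 case) are marked explicitly.
function audit(string $root): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    $entries = [new SplFileInfo($root)];          // include the web root itself
    foreach ($iterator as $entry) {
        $entries[] = $entry;
    }
    foreach ($entries as $entry) {
        if ($entry->isLink()) {
            continue;                              // a symlink's own mode is not what matters
        }
        $mode    = $entry->getPerms() & 0777;      // keep only the rwx bits for owner/group/other
        $allowed = expected_modes($entry);
        if (in_array($mode, $allowed, true)) {
            continue;
        }
        $flag = ($mode & 0002) ? ' WORLD-WRITABLE' : '';
        $findings[] = sprintf('%s is %04o, expected %s%s',
            $entry->getPathname(), $mode, format_modes($allowed), $flag);
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = audit($argv[1]);
    foreach ($findings as $line) {
        echo $line, PHP_EOL;
    }
    echo $findings === [] ? 'OK: all permissions match' : count($findings) . ' deviation(s) found', PHP_EOL;
    exit($findings === [] ? 0 : 1);
}
```

The script exits non-zero when anything deviates, so it can run from cron or a deploy step. It compares strictly against the list above; hosts that run PHP under a different user than the file owner sometimes need other group modes, in which case adjust the three mode lists rather than the check.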


Install a Backup WordPress Solution

A backup should be the first thing on your mind when you consider a hacking attack against WordPress. Government sites get breached, which means yours can too.

That is why it is essential to keep a backup copy of your site in case the worst happens. There are many free and paid WordPress backup plugins that you can use.

Arguably the most important thing that you have to do is to save a full-site backup to a remote location other than your hosting account. I would strongly recommend you save your backup on a cloud service such as Amazon, Dropbox or a private cloud such as Stash.

Depending on how often your site changes, daily or real-time backups may be appropriate. This can also be handled by plugins such as VaultPress or BackupBuddy. Not only are they reliable, but they are suitable for beginners who don’t know how to code.


Disable PHP Error Reporting

There may come a time when a plugin or theme causes an error, and the error message may display your file or server path for every visitor to see. Hackers who notice this will exploit it to their advantage. Therefore, you should turn off PHP error display for your live website.

You can do this by adding the following two lines of code to your wp-config.php file:

error_reporting(0);
@ini_set('display_errors', 0);

If the code above does not work, then ask your web hosting company about disabling error reporting on your behalf.
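A variant that hides errors from visitors without throwing the information away, as an added example (not the article’s code). It keeps error reporting on, turns display off, and sends messages to a log file outside the document root; the log path is an assumption, and WP_DEBUG, WP_DEBUG_DISPLAY and display_errors are real WordPress and PHP settings:

```php
<?php
// Added example, not the article's code: production error handling for wp-config.php.
// Place these lines above the "That's all, stop editing!" comment.

// Never show errors to visitors. WP_DEBUG off also keeps WordPress from turning
// display_errors back on during startup.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );

// Keep the information for yourself instead of discarding it: log PHP errors to a
// file the web server does not serve. The path is an assumption; it must be
// writable by the PHP user and must sit outside the document root.
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/var/log/php/wordpress-errors.log' );
```

Two points worth knowing: `error_reporting(0)` as in the article suppresses errors entirely, so nothing reaches a log either, which is why this variant leaves reporting on and only disables display. Also, WordPress resets `error_reporting()` itself after wp-config.php runs, so the `display_errors` setting is what actually keeps messages off the page.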


Enable Web Application Firewall (WAF)

A web application firewall (WAF) is perhaps the easiest way to protect your website and be confident in your site’s security. The firewall blocks malicious traffic before it can reach your site. I recommend using Sucuri, as it is the finest web application firewall for the job.

By far the best part about Sucuri is that it comes with a malware cleanup and blacklist removal guarantee. If you happen to get hacked under their supervision, they will immediately take action and quell the problem at once. That is a great perk, as repairing a website is a costly task!


Disable XML-RPC

XML-RPC has been enabled by default ever since WordPress 3.5. This feature lets you connect via blogging clients, and it can also be used for trackbacks and pingbacks. The sad part is that hackers can abuse this endpoint for DDoS attacks.

You can use plugins such as Disable XML-RPC Pingback and Disable XML-RPC to reduce the chances of your site being attacked in this manner.
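If you would rather not add another plugin, the same result can be had with a few WordPress hooks. The following is an added example, not the article’s code nor code from the plugins it names; `xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `rsd_link` and `pings_open` are real core hooks, and the mu-plugins location is standard WordPress behaviour:

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hardening)
 *
 * Added example, not from the article or any plugin it names. Save as
 * wp-content/mu-plugins/disable-xmlrpc.php; must-use plugins load without activation.
 */

// Refuse authenticated XML-RPC calls (the blogging-client API). Core honours this filter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled only gates authenticated methods; the unauthenticated pingback
// methods, the ones abused for reflected DDoS, stay registered unless removed here.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD discovery link that core prints in <head>.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Treat every post as closed to pingbacks, whatever the per-post setting says.
add_filter( 'pings_open', '__return_false', 10, 2 );
```

Note that `xmlrpc_enabled` alone is not enough for the DDoS case the article describes, because pingback.ping needs no login; removing it from the method table is what closes that door. Disable XML-RPC only if nothing you rely on (the mobile apps or Jetpack, for instance) still uses it.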


Disable File Editing

WordPress has a built-in code editor that lets you edit theme and plugin files straight from your WordPress admin area. In the hands of an attacker who has obtained admin access, this feature is a serious security risk, which is why you are best advised to turn it off.

Do this by adding the following code in your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

You can also do this in one click with the “Hardening” feature of the Sucuri plugin that I mentioned earlier.


That’s All There Is…

Your WordPress site will be in far better shape as long as you follow all of the tips above for strengthening its security. Now, go enjoy some peace and tranquility without having to worry so much about your site getting hacked!



Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC. If you are interested in writing something for us, please do not hesitate to contact us: blog@thesecurityawarenesscompany.com.

Anas Baig

Security Journalist & Writer at Geektime
Anas Baig is a security journalist who covers cyber security and tech news. He is a computer science graduate specializing in internet security, science and technology, a security professional and a writer with a passion for robots, IoT devices and cars. Follow him on Twitter @anasbaigdm.