WordPress is always a focus for security experts because it is an open-source platform with a large community. Hackers and spammers are always after this well-known CMS. Many updates have enriched WordPress since it was first developed, yet WordPress security is still a concern for developers, individuals and organizations. The main concern is a lack of awareness: individuals and businesses know little about cyber-attacks and security, and hackers take advantage of that unfamiliarity. The study below, carried out by a reputed research lab, shows why WordPress security is important.

Fact of WordPress Hacked:


According to a Wordfence report, 61.5% of respondents do not know how hackers hack a WordPress website, which shows a lack of awareness about WordPress security. There are a few entry points through which hackers can attack a website, for example vulnerable plugins and themes, hosting, phishing, and brute-force (password guessing) attacks. The accompanying chart shows that outdated or vulnerable plugins are accountable for website hacking.

Besides security updates, there are a few precautions we should take to create a better and more secure environment for WordPress. We have summarized a few security steps that can help you secure your WordPress site.

Keep WordPress Updated:

Hackers generally target outdated versions of WordPress, so make sure you are running the latest WP version. You can update WordPress from the WordPress admin panel in your browser. Before updating, check the compatibility of your existing themes and plugins as well as your PHP and MySQL versions. You can enable automatic updates with the following setting in wp-config.php:

# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

An automatic update may break your website. In that case, disable automatic updates with the following setting in wp-config.php and update manually instead.

# Disable all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

Automatic updates often affect website functionality because the plugins associated with WordPress have not been updated; therefore, check for outdated plugins before making any major WordPress update.

Use Two-Factor Authentication:

Even if you use a strong password, a brute-force attack can guess it. Two-Factor Authentication (2FA) is an ideal weapon against brute-force attacks, as it requires a code that can be accessed with your personal mobile phone. There are plugins available for 2FA such as Google Authenticator, Duo Two-Factor Authentication, Clockwise SMS, etc. 2FA is an ideal way to stop unauthorized access to your website. Gmail, PayPal and Twitter have all enabled 2FA, so why not WordPress? It is well worth the peace of mind and ensures that all confidential data is secure.

Keep Unique Password:

Avoid using “admin” or “123456” as your login password, as hackers know such commonly used passwords. Remove the old username and create a new one with administrator rights. After setting a username, use a complex password that includes lowercase and capital letters, special characters and numbers. Do not make your password a slightly modified version of your username; use random characters and letters instead. You can use a password generator tool to create complex passwords and a password management service to manage them. Change your password at frequent intervals to avoid password guessing.

Download plugin from known sources:

Be careful when downloading a plugin from an unknown source, as it may contain a virus or malware. Attackers target third-party plugin platforms, so it is best to download plugins from WordPress.org, since they are scanned before they become available in the plugin directory. Besides free plugins, you can also purchase paid plugins directly from the developer's website.

Stop Directory Browsing:

If the web server does not find an index.php or index.html file in a directory, it will show a page listing the directory's contents, which reveals information about themes, plugins, files, etc. Hackers can easily gather this information if directory browsing is enabled. To check whether directory browsing is enabled or disabled, create a folder containing a simple text file and then visit that directory in the browser. If the browser shows a link to the text file, directory browsing is enabled. Otherwise, the browser displays a “Page Not Found” message, a blank page or a “Forbidden” message. To disable directory browsing, add the line Options All -Indexes to the .htaccess file.

Keep plug-in, themes updated:

Just as you update the WordPress version, you should take care of your plugins and themes. Before updating plugins, remove any unused theme or plugin that could be targeted by hackers. Do not merely deactivate an unused plugin; delete it immediately. If a plugin or theme is not updated, its security holes can invite hackers. A poorly coded theme or plugin can act as a backdoor to personal information. You can check a theme's code reliability via Theme Check and a plugin's code quality via Plug-in Check.


Choose good hosting provider:

When optimizing WordPress security, the choice of hosting company plays a vital role. Check for a few features when choosing a hosting provider for a WordPress site: an additional firewall, regular backups, malware scanning, DDoS protection, automatic WordPress updates, up-to-date server software, and patching of security threats. You can opt for managed hosting, as it provides the features mentioned above and ensures that the website remains secure and active.

Use Correct File Permission:

In the case of managed hosting, check the permissions set on WordPress files and folders to stop hackers from exploiting a file and gaining control of the website. Generally, WordPress folders have 0755 permission and WordPress files have 0644 permission. If installing or uploading content throws an error, you should contact your hosting provider. Do not use 777 mode, as it would open the files or folders to access by all users. You can get more information here about file or folder permission.
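As an added example (not part of the original article), the Python script below walks a WordPress directory and reports every file or folder that is more permissive than the 0755/0644 baseline above, so stricter modes such as 0600 pass. The function names and the script name in the usage comment are assumptions made for illustration.

```python
import os
import stat
import sys

DIR_BASELINE = 0o755   # the article's mode for WordPress folders
FILE_BASELINE = 0o644  # the article's mode for WordPress files


def excess_bits(mode, baseline):
    """Return the permission bits in `mode` that `baseline` does not allow."""
    return mode & ~baseline & 0o7777


def audit_tree(root):
    """Return sorted (relative path, mode, excess bits) for over-permissive entries."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself plus every file directly inside it.
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            is_dir = stat.S_ISDIR(st.st_mode)
            mode = stat.S_IMODE(st.st_mode)
            extra = excess_bits(mode, DIR_BASELINE if is_dir else FILE_BASELINE)
            if extra:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(mode), oct(extra)))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (hypothetical script name): python audit_perms.py /path/to/wordpress
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mode, extra in audit_tree(root):
        print(f"{rel}: mode {mode} grants extra bits {extra}")
```

An excess of 0o22 means group and other users can write to the entry, which is what mode 777 on a folder or 666 on a file adds over the baseline.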

Limit Login Attempts:

Hackers try random logins and passwords to gain access to the site admin account, so it is essential to put a cap on login attempts. The Login Lockdown plugin can limit login attempts from a specific IP address. If an individual fails to log in within the allowed number of attempts, he cannot try again for a set time. The site admin can increase or decrease this lockout time. As an admin, you can also grant access to specific users who are already locked out.
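The same rule (a cap on failed attempts per IP address within a set time) can be checked against the web server's access log. This added example is not from the original article and is not Login Lockdown's code; it assumes combined-format access logs and that WordPress answers a failed wp-login.php POST with status 200 and a successful one with a 302 redirect. The sample lines, threshold and window are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), in chronological order.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.20 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.20 - - [12/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2024:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2024:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
""".splitlines()


def failed_login(line):
    """Return (ip, time) for a failed wp-login.php POST, else None."""
    m = LINE_RE.match(line)
    # Assumption: a failed login returns 200 (form shown again), a success 302.
    if not m or m["method"] != "POST" or m["status"] != "200":
        return None
    if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def ips_over_limit(lines, max_attempts=3, window=timedelta(minutes=5)):
    """Map each IP to the time it first reached max_attempts failures in window."""
    recent, flagged = defaultdict(deque), {}
    for ip, ts in filter(None, map(failed_login, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop attempts older than the window
        if len(q) >= max_attempts:
            flagged.setdefault(ip, ts)  # keep the first time the limit was hit
    return flagged


if __name__ == "__main__":
    for ip, when in ips_over_limit(SAMPLE_LOG).items():
        print(f"{ip} reached the limit at {when.isoformat()}")
```

In the sample, only 203.0.113.7 reaches three failures inside five minutes; 192.0.2.44 also fails three times, but seven minutes apart, so each attempt has aged out of the window before the next one arrives.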

Take Backup Frequently:

Even after taking precautions for website security, you may forget to back up your WordPress website. Regular backups save your data, and in case of a hack you can restore the system from the backed-up data. Do not rely on hosting backups alone: if the hosting data center is damaged, your backed-up data would also be lost. For that reason, you should back up your data to an external device. There are services like VaultPress, CodeGuard and BlogVault that take automatic backups of your WordPress website. Besides services, there are plugins that regularly back up the site, like UpdraftPlus Backup and Restoration for WordPress and WordPress Backup to Dropbox.

SSL Certificate:

For a live WordPress website, it is vital to stay away from the prying eyes of hackers. A hacker may attempt a MITM attack and grab important information belonging to website owners (such as usernames and passwords) and to clients/customers (for example credit card info, login credentials, SSN, etc.). An SSL certificate plays a vital role in preventing this by encrypting the communication between the two parties (the user's browser and the web server). Additionally, an SSL certificate not only protects information in transit but also gives you the opportunity to rank higher on the Google search engine.

It is your turn now:

Once your website has been developed in a secure environment, it is essential to keep up security practices at regular intervals. WordPress website security is a never-ending process and should be at the top of your checklist. You should schedule malware scanning and log analysis to keep malicious actors out. If you have read the information above, I am sure you have no excuse for ignoring WordPress security. The above precautions can boost website security and build a secure environment on your web server.