WordPress Security Basics

WordPress Security Basics

So, you’re using WordPress! What you might not yet realize is that WordPress currently powers approximately 26% of the internet powering sites for The New York Times, National Geographic, and Forbes (McGee, 2016) (ManageWP, 2016). Certainly, the reigning king of content management WordPress and its security is a continual target for security researchers, both good and bad.

Limit your plugins!

Although plugins are a great way to quickly get up and running with WordPress they are also the most common reason that a WordPress website is hacked! Limit your use of plugins to those that are regularly updated and have a reasonable following. If you’re interested in the history of a plugin or want to check if it has an active exploit within it you can search for it in the WPScan Vulnerability Database.

Secure your passwords – keep them unique

An attacker doesn’t need to break the passwords on your WordPress installation if its matches another account of yours that has been compromised in a different security breach. Sites such as HaveIBeenPwnd are great ways to track whether you’ve been caught up in a security breach elsewhere however beyond question the best defense is to use a unique password for each site that you use, or at least for your WordPress login.

Always update to insure you have the latest security patches

When a security hole becomes known either publicly or directly to the developers of WordPress or your plugins then the corrections they make will be delivered as updates. Not keeping on top of updates allows for automated enumeration tools (such as WPScan) to be run by an attacker to identify known weaknesses in your site.

Always ensuring that your WordPress and all its plugins are up to date is the best way to ensure that publicly known exploits cannot be identified and exploited on your WordPress installation.

Use a Web Application Firewall (WAF)

Free plugins such as WordFence serve as first line defenders of your WordPress installation. A good Web Application Firewall (WAF) should prevent an attacker from being able to enumerate your plugins, logins or to even see your WordPress installation version number. Just be sure to read reviews online about any WAF that you put in place – you don’t want to create a new point of weakness in the process!


ManageWP. (2016, 12 19). More Surprising Statistics About WordPress Usage. Retrieved from ManageWP: https://managewp.com/statistics-about-wordpress-usage

McGee, M. (2016, 12 19). WordPress Used On 25 Percent Of All Websites [Report]. Retrieved from MARTECHTODAY: https://martechtoday.com/wordpress-used-on-25-percent-of-all-websites-report-151115

WordPress.org. (2016, 12 19). Hardening WordPress. Retrieved from WordPress: https://codex.wordpress.org/Hardening_WordPress