Platforms & Apps

How to Keep Your WordPress Site Safe from Hackers

Editor’s Note: This article was originally published by Web Marketing Today. Practical Ecommerce acquired Web Marketing Today in 2012. In 2016, we merged the two sites, leaving Practical Ecommerce as the successor.

Once open-source software becomes the most widely used content management system on the Internet, it will undoubtedly also become a target for hackers.

WordPress, an open-source platform, powers over 18.9 percent of all websites, which amounts to more than 74 million sites total.

The platform has received quite a bit of negative attention recently for its security vulnerabilities. If the proper steps are taken, however, WordPress can be just as safe as other CMS systems.

Has Your Site Already Been Hacked?

The first step to securing a WordPress site is to make sure that it hasn’t been compromised already. Many business owners never visit their site and may be unaware that an attack has taken place, albeit in a very discreet way.

Sucuri, a website security and malware protection site, provides a site check utility that scans your site to ensure it has no publicly visible signs of malicious activity.

Also, set your site up on Google Search Console (formerly called Webmaster Tools) as it will notify you of a website breach. You can visit the hacked site information page to learn more about Google’s process for marking sites as malicious.

Once you know your site’s status, there are several steps you can take to ensure it is as secure as possible.

Update, Update, Update.

In my experience, the number one reason most WordPress sites get hacked is due to a lapse in regular updates. WordPress is open-source software, which means it is developed and worked on by a large community around the world. That also means bugs and security vulnerabilities appear quite often as well.

Vulnerabilities that have been discovered and fixed are posted publicly, and all users are advised to update. Unfortunately, those who seek to do malevolent hacking have access to detailed information on the new vulnerability, which they can use to exploit all the outdated installations.

WordPress updates take on three different forms: core, plugins, and themes.

Core updates. WordPress knows that regular updates are critical. Version 3.7 introduced automatic background updates for minor security releases. This feature doesn’t fix a major upgrade from version 3.7 to 3.8 but does ensure security fixes routinely take place on most sites.

WordPress core updates are critical.

WordPress core updates are critical.

The bigger problem is that many people still use versions older than 3.7. To check which version you are running, go to [your site URL]/readme.html or visit your admin dashboard and look at the “Right Now” or “At a Glance” widgets to find it.

Check the admin dashboard to see the WordPress version.

Check the admin dashboard to see the WordPress version.

The current version of WordPress is 4.2.3; if you are still running a version 3.9, you should upgrade as soon as possible.

Plugin and theme updates. Plugins can be another major security risk for WordPress installs. A first step is to ensure that you update the plugins on your site and that they are compatible with your version of WordPress. Many plugins utilize other libraries or scripts that can become outdated and vulnerable to hacks.

The same premise applies to themes, as many WordPress theme makers will bundle their template files with a variety of plugins or frameworks. There have been a few high-profile vulnerabilities with popular gallery and image plugins.

Once you update your core WordPress installation, visit the “Updates” or “Themes” page to see if your theme is due for an upgrade. Also, removing unused themes and plugins will increase both the speed and security of your site.

Hardening Your Hosting Server Protects WordPress Files

Whether your site uses WordPress or another CMS, server security is necessary to make sure hackers don’t get access to your system files.

If you installed WordPress through your hosting company’s site, you are probably safe when it comes to file permissions. However, if you or someone else installed WordPress manually, you may want to review WordPress suggestions on file permissions to ensure you aren’t leaving your site open to malevolent activity.

Shared versus private hosting. If your business runs off of WordPress, I highly suggest you avoid using low-cost hosting that relies on shared servers, which store not only your site but thousands of others.

Although hosting companies try their best to wall off customers accounts from each other, a skilled hacker can gain access to other accounts through a single vulnerable account. Even if you invest time and money into protecting your site from hackers, someone else’s vulnerability could grant them entry.

Although it may cost more, your investment in security will ultimately save you time and money. Companies dedicated to hosting WordPress sites, such as WP Engine and Pantheon, are specially designed for WordPress security. Many of these will even guarantee to keep your WordPress core and plugins updated on a regular basis.

Usernames and passwords. Having a secure username and password is an easy way to keep your site safe from hackers but are steps many site owners overlook.

Instead of using the default “admin” user account, create a new user with admin privileges and delete the old account. Attribute all posts and content to the new account so that no data is lost.

Also, use a unique password not tied to other sites. That way, if hackers discover your generic and widely-used password, they won’t have access to your website as well.

Other Steps to Avoid Being Hacked

Even if you regularly update WordPress and use secure server and password practices, it is helpful to have something actively working to ensure you are secure at all times.

Security plugins. Wordfence and Bulletproof Security, two free plugins with premium upgrade options, will actively scan your WordPress installation and plugins to discover any sign of malicious activity and protect your WordPress installation from a variety of commonly known attacks. They can also limit login attempts, block users from questionable IP addresses or from outside the country, and enforce strong and unique passwords.

Wordfence protects your site against attack.

Wordfence protects your site against attack.

Regular backups. Even with all the available protection in place, unfortunate incidents may still occur. Keeping a regularly updated copy of your site’s files and database will ensure that even if you are hacked, the files are easily accessible and can be restored to an older version.

BackupBuddy is a plugin that will not only perform regularly scheduled backups but can also connect to other popular file storage systems like DropBox and Google Drive.

Monitoring and repair services. For more mission critical sites, you can enlist third-party services like Sucuri or VaultPress to constantly monitor your site. In the event it gets hacked, they will automatically address the issue on your behalf. Both services charge either a monthly or yearly fee, provide services to monitor issues, and help fix or clean any files affected by hacking activity.

VaultPress monitors your site against hacks.

VaultPress monitors your site against hacks.


Malicious activity on your website can cost you hours of time in dealing with the issue. If your business depends on your website for income, it could also mean dollars lost. Investing in site security by making these fixes, as well as paying for quality server hosting and security monitoring, will ultimately provide you peace of mind and a safer site.

For power users looking to expand on these basic recommendations, check out the page Hardening WordPress.

Daniel Kedinger
Daniel Kedinger
Bio   •   RSS Feed