Securing WordPress the right way

Securing WordPress the right way

Securing WordPress is not a one action thing that you can switch on and relax. It wouldn’t be an issue it was that easy, right?

The complexity of securing WP is mainly due to the possible entry points to gain access to the website or its data. We can sum them up to the following four:

  • Hosting
  • WordPress core
  • Themes and plugins
  • and User login/access credentials

It will always come down to one of these four. The only difference is how the hacker will attempt to get in.

But before diving in, we need to understand how hackers think and process their hacking gig.

First thing, you are not protecting yourself against high-level hackers. These don’t target anything, and when they do, only God and a top dollar security firm can prevent them from getting it

WordPress hackers are more of lazy asses and opportunists. They will attempt a hack when they feel that an exploit/vulnerability is easy to execute, and when there is a way to automate the process.

Otherwise, it will be a very tedious process, and even for hackers, time is money They rather spend their time monetizing mass hacked websites than look for hand-picking websites to hack.

If we know where the enemy will come through, and how they intend to get in, all we have left is making sure to protect the right places the right way

WordPress Security done right


Probably the least cared about entry point and probably the easiest to exploit.

WordPress hosting services put security as the main feature on their sales pitch. Unfortunately, there is an enormous difference between the sweet talks and what is done in real world.

When a website gets hacked, hosting services usually blame the site owner for not securing it enough.

What if you did your fair share to secure your WP, and still get hacked?

Well, they will still blame you for that

Shared hosting is the most vulnerable

A shared hosting service provider will always favor performance to security. You will most likely find oldish setups, archaic server architecture, and poorly protected and isolated individual plans.

The nasty thing about shared hosting is that hackers can discover other servers hosting within the same server. If one falls, it means that most of the other websites hosted there might fall too and that usually lead to a large-scale hack through cross-site contamination.

90% of websites I fix are hosted on shared hosting plans. And more than often, all websites within the same plan get contaminated too.

Unmanaged VPS plans can be at risk too

Unmanaged VPS plans need to be manually secured. A critical detail that unseasoned owners omit to do. They are a good deal from the price/performance standpoint, but it’s still a naked server that needs to be set up and fully secured.

Following tutorials without knowing Linux security fundamentals might put your VPS in jeopardy, and the worst part is, you may not be realizing it until it’s too late.

Managed services are the less risky

They are still vulnerable to get hacked depending on their architecture (shared or isolated VPS). But the thing is, it won’t be your problem! It will be the service provider’s duty to keep your website safe and fix if the worst happen.

The ideal hosting service

  • Prevents external access to files and the database
  • Isolate (jail) each website from everything else hosted on the same server
  • Opt for a guaranteed security when available

How to stay safe

Protect your WordPress files from unauthorized accesses by setting the right permissions to your WP files (644), and folders (755).

Make sure that access to phpMyAdmin is only possible from within your hosting dashboard. Avoid at all costs any hosting service pointing to an IP address or domain name on the define(‘DB_HOST’, ”); in your wp-config.php file. The mention ‘localhost’ usually means the database is only accessible from inside the web server.

Rely on your Cpanel (or equivalent) file manager. If you need an FTP access, you can activate it, use it, and make sure to deactivate it and delete your FTP credentials once done. Ideally, use Dropbox to handle your files access (only possible if you use an unmanaged VPS).

If you use a VPS, and did the setup on your own, either dig deeper and learn how to secure Linux servers or hire someone to do it in your stead. It’s usually a one-time gig.

Always check reviews about the security of your hosting service. Spending few hours searching for information will prevent your getting disappointed, and might spare you from getting hacked

Make sure to check my full WordPress hosting guides to get a more accurate idea on the subject.

WordPress Security done right

WordPress Core

The primary target for most hackers, but luckily, the easiest to lock.

Like any piece of software, WordPress is prone to vulnerabilities. I recently noted the rise of 0-day exploitsVulnerabilities and exploits not publically reported. in the platforms, and hackers hit hard before any reaction from the WordPress maintainers.

A good example is the REST-API vulnerability (late January 2017) in the new WordPress 4.7 that got 1.5M websites defacedRandom posts/page injection in less than 10 days.

How to stay safe

One way: keep your WordPress ALWAYS updated.

WordPress releases periodic updates, and security is a prominent component on each one. Make sure you have an auto-update feature on your website even if there risks to break your website.

You better have your website broke with an update than getting hacked

An additional step

An additional effort can be made by keeping an eye news related to WordPress security. This will help taking temporary measure while waiting for official fixes.

Like what happened with the REST API exploit:

  • First time reported: 11th January 2017
  • First time mediatized: 12th January 2017
  • Official fix released: 26th January 2017

Which leave regular users a 15-day vulnerability timespan, where hackers can easily exploit it.

The following places can help you keep up with the news:

You can also subscribe to my list, where I keep my audience well informed about WP security amongst other things.

[cp_modal display=”inline” id=”cp_id_e23c1″][/cp_modal]

WordPress Security done right

Themes and plugins

WordPress core is not the only thing that you need to keep continually updated. Themes and plugins have the exact same need, with a bit more attention.

As opposed to WordPress core, you get to pick your theme and plugins. This freedom can help you be more secure or make you extremely vulnerable.

What you need to check

Two main things:

  • How often the asset is updated (read the changelog)
  • How secure is it (do a quick research for that)

Takes few minutes, an hour tops, and makes you more confident if the asset you want to use is secure or not.

The free assets risk

We are always tempted to use anything free! On WordPress, it will probably come back and bite your ### in no time as the risks are significant, not matter how you take it.

The first issue is the upgradability. Free assets often end up getting abandoned when the main author/developer doesn’t want to keep the asset updated anymore, and there is no one willing to take its place.

So, the likelihood of ending with a slow/never updated theme or plugin is quite high.

The second issue is temptation. When you here that a premium theme or plugin is available for free or a fraction of its real price, you jump on it without thinking about the consequence.

You end up using a nulled asset, which will lead you to get hacked one way or another. In fact, the highest hack rate with themes and plugins happen to be using nulled materials.

If you still want to live the freeway, just make sure to:

  • Strictly limit your options to the official free themes and plugins found on the official WordPress marketplace. You can’t miss it. It’s the only thing that you can use to install themes and plugins from within the WordPress dashboard.
  • Check if the asset was recently updated, and preferably only pick it if it’s frequently refreshed

How to stay safe

Keep one main theme, and eventually, its linked child theme if used. Completely delete the rest.

Delete any inactive plugins. There is no need to keep anything else installed if it’s not meant to be used. Remember, installing and activated a plugin is quick enough to be done only when needed.

Favor paid assets. Besides better features and higher coding standards, premium themes and plugins have a steady flow of updates and upgrades, and they are the fastest to adapt and fix vulnerabilities when needed.

Avoid at all costs problematic assets. There are plugins with a tarnished hacking history that caused major outbreaks in the past, like Slider Revolution or NexGen Gallery. Always look for security breach history to make sure you are not using a hacking magnet asset.

Avoid at all costs nulled themes and plugins. The only way to get a paid asset is by going to the author website, or by going to known marketplaces, like:

The average price is:

  • $50 to $70 and up for themes
  • $10/$15 and up for plugins
  • $250 per year or lifetime access

Premium assets always come with:

  • A key or API code (for registration and activation)
  • An extensive documentation and tutorials
  • A direct access to support platforms
  • At least 6 months worth of supports, updates, and upgrades

Anything claiming itself to be a premium asset within fitting the above is probably a scam, stolen asset sold without their authors’ consent, and a highly risked trade in every way as you can get you credit card information stolen, and will probably download an infected asset, would it be free a paid.

Pay for genuine assets. There is always a refund grace time, so, you can basically test it up and reconsider if it’s not something you really want to use.

WordPress Security done right

User login/access credentials

The most favored hacking method of all times because it’s fairly easy to handle.

Use are at risk when a hacker gains access to your WordPress login/password (by guessing or stealing), or your database URL/login/password (by having access to your wp-config.php file).

Brute force is your worst enemy

The most used technique is brute forceHackers keep trying sets of logins/password until they get in .

Other ways methods to get your credentials

There are countless of ways to steal your login information, including:

  • Arbitrary file download targeting wp-config.php files (Slider Revolution, NexGen Gallery)
  • Unprotected file permissions
  • FTP access
  • Hosting platform access
  • Password theft (virus or malware on computers, bogus VPN access)

And many other ways.

I’ve been freelancing for years. And as part of my activity, I maintain WP websites on demand. When I get a request, I get an admin access to the website, hosting platform and anything related to the task.

To date, I’ve never had been informed at any point that the accesses I received will be destroyed or changed once I’m done.

This means that most people don’t have a credential safety protocol when a 3rd party gets involved. Consequently, the credentials will stay active even if the 3rd party intervention is done. Making it possible to have access to the site without the owner’s consent or notification.

I’ve seen this relaxed credentials sharing policy turn quite bad when a malicious service provider take advantage of that, and spy, or hold the website hostage in case they don’t get paid for example.

How to stay safe

Enable brute force protection wherever it’s possible by changing the regular login/admin URL, disabling XML-RPC and the REST API if it’s none is used.

2-factor authentication, using either email, cell-phone, or any way to verify you are the one accessing your website.

Make service providers sign a non-disclosure contract, and make it clear that once the job is done, all credentials shared will be either destroyed or changed.

WordPress Security done right

WordPress security protocol & gear

As you have learned so far, WordPress has some many facets. To date, no one-do-it-all tool can handle them all at once.

My advised security protocol is a stronghold against known and expectable hacks. I make sure to update it periodically to cover any new threat and add any new security protocol if relevant.

Fundamental security

Make sure to implement basic security fixes for any WordPress installation such as:

  • Always keep WP core, theme, and plugins up to date
  • Keep and eye on your server’s security
  • Set the files permissions correctly

Have a reliable backup system

No matter how we protect our websites, there is always a new threat that might overcome all our security protocols.

While there are countless of plugins and services doing that for WordPress, I always found All-in-One WP Migration delivering a solid performance and a cost-effective long-term option.

While the core plugin is free for migration, to get the scheduled backups and the cloud storage pairing, a one-time $79 for unlimited websites use is required per cloud storage service.

The available cloud storage options are as follow:

  • Dropbox ($79)
  • Google Drive ($79)
  • Amazon S3 ($79)
  • OneDrive ($79)
  • Box ($79)
  • Mega (coming soon)
  • Amazon Glacier (coming soon)

I’ve been using it for a couple of years now, and I’m pretty happy with it.

Go to All-in-One WP Migration
Get one of the cloud storage extensions (one-time $79)


Part of the protection job is to cut the threat before it becomes one.

Cloudflare is a free DNS manager that comes with some threats monitoring and protecting feature.

It helps lighten the load from known threats sources.

The setup is fairly easy.

Go to Cloudflare


Wordfence is a very important part of my security protocol. It’s the only plugin that covers multiple aspects of WordPress security at once.

The free version offers:

  • A feature-rich firewall
  • Live traffic monitoring
  • Blocks brute force attacks (disables the XMLRPC, limits login attempts, and bans obstructive IPs)
  • A great scanning tool with the ability to compare, repair and delete compromised files

They do have a paid version, starting from $99 per year. It has more advanced features, like:

  • Real-time threat defense, which means, when a 0-day exploit is found, it’s quickly fixed and deployed to premium users
  • Country blocking feature
  • Remote scans

Amongst other features.

Go to Wordfence

Block Bad Queries

BBQ gives a hassle-free protection against malicious URL requests and scripts injections attempts.

Consider it as an extension to the Wordfence firewall.

The free version works under the hood and doesn’t have any controls or customization options.

The paid version has an admin panel with customization options, blocking stats, the ability to set redirections, and other protective features.

Get BBQ (free version)
Get BBQ Pro ($15)


Blackhole is a subtle plugin that allows you to dismiss any unusual crawling activity from bad bots.

Consider it as an extension to the Wordfence firewall.

The free version works under the hood and doesn’t have any controls or customization options.

The paid version has an admin panel with customization options, bad bots stats, the ability to set redirections, and other protective features.

Get Blackhole (free version)
Get Blackhole Pro ($25)

The Ultimate Tweaker

UT is a lightweight plugin to obfuscate information and secure some aspects of your WorrdPress site, like:

  • Remove the generator tags for WordPress, WooCommerce, Visual Composer, and the RSD tag
  • Adding nosniff and xss protection headers
  • Prevent your website from being embed inside an iframe
  • Disable selection and right-click

Minimizing the share information will make it harder for hackers to attempt any nasty thing against your site.

Get the Ultimate Tweaker ($21)

Swift Security Bundle or Hide My WP

Both are equally good to take the obfuscation process a step further by totally misleading anyone meaning harm that your site is a WP website!

They do have security features comparable to Wordfence, but I find the Wordfence ones more reliable and effective.

Get Swift Security Bundle ($36)
Get Hide My WP ($22)

Other plugins

Disable REST API switches off access WordPress’ REST and JSON API (can be dismissed if using Wordfence).

WPS Hide Login changes the default login URL. It’s handy when you are the only one with direct access to your website (can be dismissed if using Swift Security or Hide my WP).

Miniorange 2-Factor Authentication implements the 2-step secured login using Google’s Authenticator.

Some plugins require technical skills to set them properly. If you don’t think you have the required knowledge to do so, either:

  • Get a managed hosting service
  • Hire cheap labor to take care of it periodically for you
  • Or get my security pack

Additional resources to check:

That's pretty much it!

Never take your website’s security lightly or assume that you are hack proof without being geared accordingly.

Invest heavily in security. It can be a maintenance contract, rigorous updates, and upgrades as they go live, buy plugins to strengthen your setup, invest on better, standalone servers.

Better safe than sorry! Especially if your website works and gets you a nice and steady income.

Do NOT follow this link or you will be banned from the site!