November 04, 2013

More than 20 percent of the world’s websites now run on WordPress. That’s a huge achievement for the Automattic team. Unfortunately, this massive user base presents hackers with a seductive challenge: the chance to exploit and control millions of sites at once.

All they have to do is find the chink in WordPress’ armor, and 20 percent of the web could be theirs.

Sounds far-fetched, right? But it could happen. Back in April, hackers tried to attack WordPress websites using a massive botnet.

If you’ve got a WordPress website, security is key, and the consequences of a lapse could be severe. So how safe is your WordPress site – and what can you do to improve its security?

How Websites Become Vulnerable

If you have a web hosting account, you’ll be familiar with the idea of vulnerability. Essentially, a vulnerability is a security hole. It’s a chunk of code that can be exploited to allow unauthorized access to your site, database, or even your server.

Often, WordPress users assume that vulnerabilities only occur in the WordPress code itself, yet hackers can gain access through other routes too. Plugins and themes can be hacked in exactly the same way.

The other obvious route for hackers is via cracked passwords. Often, hacking attempts involve hammering WordPress login pages with common passwords that are weak and easy to guess. If you use the same password for everything, a hacker may obtain that password via another site and try it out on your WordPress login page, just to see what happens.
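As an added illustration of the login hammering described above (this is not code from the original post), the Python script below scans constructed Apache access-log lines for bursts of failed POSTs to wp-login.php and flags any IP whose burst ends in a successful login. It assumes the Apache combined log format and WordPress's default behaviour of answering a failed login with HTTP 200 (the form re-rendered) and a successful one with a 302 redirect into wp-admin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-format sample (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Nov/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Nov/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Nov/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Nov/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Nov/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Nov/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Nov/2013:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Nov/2013:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": m["path"].split("?", 1)[0],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect_login_hammering(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside `window`.
    wp-login.php answers a failed login with 200 (form re-rendered) and a
    successful one with 302 (redirect into wp-admin), so status tells them apart."""
    failures = defaultdict(deque)  # per-IP timestamps of recent failures
    verdicts = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        q = failures[rec["ip"]]
        while q and rec["ts"] - q[0] > window:  # expire failures outside window
            q.popleft()
        if rec["status"] == 200:
            q.append(rec["ts"])
            if len(q) >= threshold:
                verdicts.setdefault(rec["ip"], "brute-force")
        elif rec["status"] == 302 and verdicts.get(rec["ip"]) == "brute-force":
            verdicts[rec["ip"]] = "brute-force-then-success"
    return verdicts
```

The single failed attempt from 198.51.100.4 and the slow, spread-out attempts from 192.0.2.9 stay below the window threshold, so only the burst from 203.0.113.7 is reported.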

In its default state, WordPress is relatively hardy, so there’s no need to panic. But there are still things you can do to make it safer. Yes, problems occur, but they’re rare. (If they were common, they wouldn’t hit the headlines.)

How to Make WordPress More Secure

There are steps you can take to shore up your site against attack. Read on for inspiration.

  • Start a backup regimen today. It doesn’t matter if you back up to an FTP account, to the cloud, via email, or using some kind of automated, paid solution. Just do it. There are plenty of plugins for this, and most are free. Web hosts won’t normally provide backups on demand, so the onus is on you to make your own arrangements. If you’ve invested in content for your site, don’t skip this part.

  • Update your WordPress installation every time a new version is released. This ensures you benefit from all the latest updates to the core code behind WordPress. You’ll see a notification bar on the admin pages when there’s a new version to install.

  • Refrain from installing beta versions of WordPress on live servers. While the bleeding edge is fun to play with, you should never use a beta for anything but testing.

  • Keep plugins and themes up to date. Regularly check for new versions and get into the habit of installing them right away.

  • Uninstall anything you’re not using. If you’ve ditched a plugin, don’t just disable it: trash the folder. The same goes for themes.

  • Change your username. By using the default username, ‘admin’, you’re giving hackers one less hurdle to leap over. Change it to something else. There’s a guide here.

  • Add a secondary password on the admin screen. Most web hosts allow you to set passwords on folders: you should add one on the wp-admin folder. (Remember to make it different from your WordPress password or it’ll be useless.) There’s a guide for cPanel users here.

  • Follow the Automattic guide to hardening WordPress. If you have a couple of afternoons to spare, hardening your installation will give you the very best chance of deflecting hacking attempts and staying safe.

  • If hardening WordPress isn’t within your capability, install a security plugin. These plugins make changes to the database and settings to change WordPress’ defaults. Examples include Bulletproof Security and Better WP Security. (Note: always use these plugins with caution: back up first.)

Does It Sound Like Hard Work?

Keeping WordPress secure is definitely an ongoing chore, and you’ll have to work it into your website maintenance regime. There’s really no way around it: all software needs to be kept up to date, and WordPress is no exception. However, the rewards are clear. A WordPress vulnerability is a hacker’s dream precisely because WordPress is so widely used, and a little housekeeping will keep your site from being an easy target.

Claire Broadley is an experienced WordPress user; she advises small businesses on websites, hosting, and more. She shares tips and how-tos on behalf of, an independent hosting review website.
