In Defense of WordPress

Getting started with WordPress is quick and easy, which has made it extremely popular. But as WordPress's popularity has grown, so too has the giant target on its back.

But with some basic settings, policies and plugins, you can protect yourself from 99% of the attacks you might face.

Before we get into the gory details, it’s worth noting that there’s simply no way to make WordPress (or really anything) 100% impregnable. Even with the most sophisticated technology, teams of smart people and a lot of resources dedicated to security, large corporate and government websites get hacked.

Which means that, in addition to taking precautionary measures, you also need to have a plan for recovering from an attack.

WARNING: Before you implement any of these suggestions, BACK UP ALL THE THINGS!

Stronger User Names and Passwords

Earlier this year, when there was a huge spike in brute force attacks against WordPress:

The top five user names being attempted are admin, test, administrator, Admin, and root. The top five passwords being attempted are admin, 123456, 666666, 111111, and 12345678.

Don’t use these. Instead, use a strong password generator tool for both user names and passwords. If you have trouble remembering difficult user names and passwords, I suggest a password manager like LastPass.

Among some other tips and plugins, Daniel Smeek recommends hiding login error messages by adding the following code to functions.php:

// Return nothing instead of the "invalid username" / "incorrect password"
// message, so a failed login does not reveal which half was wrong.
// create_function() was removed in PHP 8, so an anonymous function is used here.
add_filter( 'login_errors', function ( $errors ) { return null; } );

Also, don’t email user names and passwords. And if you do have to give someone else access, create a unique user for them. If you simply won’t do that, change your user name and password each time you give someone else access. Finally, don’t store user names and passwords on your computer. You have a soft underbelly.

Avoiding common user names and passwords is a very simple way to protect against brute force attacks.

Avoid Public WiFi

Put simply, don’t connect to WiFi hotspots without a secure VPN in place. Hint: Your Starbucks probably doesn’t have a secure VPN in place. If you’re using WiFi at home or at the office, create a very strong password, implement WPA2 and don’t show your SSID.


The internet battle between good and evil continues to rage on. Which means you need to be constantly vigilant in applying updates to:

  • Core WordPress installation
  • Theme files
  • Plugins

As I stated above, before you apply updates, make sure you have working backups of your site files and database.

I can’t tell you how many WordPress installations I see that are running really, really, really old versions of WordPress. Failing to update these files is one of the best ways to guarantee that you get hacked.

Secure Hosting

Choose a host that knows security, specifically WordPress security. WP Engine, which is more expensive than your standard economy hosting, is among the best.

If you want to save on hosting, you might consider password protecting your wp-login.php file.


If you’re tech-savvy, you might be able to add some security to your .htaccess file (you probably should have a developer do this for you). Here are some things you should consider adding (or talking to your developer about):

  • Disable your server signature.
  • Remove spam queries.
  • Block spam bots (i.e. bots without user agents).
  • Block SQL injections.
  • Password protect the WordPress login page, or limit WordPress login to your IPs.
  • Block malicious IPs.

If you want to see the specific code for how to implement these, Sam McRoberts lays it out in his Definitive Guide to WordPress Security. You can find a couple of additional useful .htaccess configurations here.
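As an added example (my own snippet, not code from the article or from Sam McRoberts’ guide), here is one way to express those six items in the site’s root .htaccess on Apache 2.4 with mod_rewrite, mod_authz_core and mod_auth_basic loaded. The IP addresses and the .htpasswd path are placeholders to replace with your own, and the query-string filters are deliberately blunt, so try this on a staging copy before the live site.

```apache
# Added example for Apache 2.4 (.htaccess in the WordPress root).
# Placeholders: 203.0.113.10 (your office IP), 198.51.100.0/24 (an
# attacking range you have seen in your logs), /path/outside/webroot/.htpasswd.

# 1. Disable the server signature on error pages. ServerTokens, which trims the
#    Server header itself, can only be set in the main config, so ask your host.
ServerSignature Off

RewriteEngine On

# 3. Block bots that send no User-Agent header at all.
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]

# 2. Drop spam/abuse query strings: directory traversal, remote file includes,
#    base64 payloads and inline script tags. QUERY_STRING is not URL-decoded,
#    so both the raw and %-encoded forms are listed.
RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC,OR]
RewriteCond %{QUERY_STRING} (https?|ftp)://[^/]+ [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script [NC]
RewriteRule .* - [F,L]

# 4. Reject the most common SQL injection fragments in the query string.
#    Spaces may arrive literally, as %20 or as +. Expect to exempt the odd
#    legitimate admin request that trips this.
RewriteCond %{QUERY_STRING} union(\s|%20|\+)+select [NC,OR]
RewriteCond %{QUERY_STRING} select(\s|%20|\+)+.+(\s|%20|\+)+from [NC,OR]
RewriteCond %{QUERY_STRING} insert(\s|%20|\+)+into [NC,OR]
RewriteCond %{QUERY_STRING} drop(\s|%20|\+)+table [NC]
RewriteRule .* - [F,L]

# 5. Login page: only from your own IP(s) AND only with an extra HTTP Basic
#    password. Create the file with: htpasswd -c /path/outside/webroot/.htpasswd you
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/outside/webroot/.htpasswd
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>
</Files>

# 6. Block specific addresses or ranges you have seen attacking the site,
#    while leaving everything else open.
<RequireAll>
    Require all granted
    Require not ip 198.51.100.0/24
</RequireAll>
```

Item 5 is the one that locks you out if your office IP changes, so keep FTP/SFTP access handy to edit the file, and on Apache 2.2 the `Require` lines must be rewritten as `Order`/`Allow`/`Deny` directives instead.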


When most WordPress users want to add some additional functionality to their installation, they immediately think: Plugins to the rescue!

Don’t think like this. Use plugins very judiciously. Read up on plugins before installing. Get help from a developer.

Only after you’re confident in the safety, security and support of the plugin, and only after you’ve created a recent backup, should you turn to plugins to help with security. Here are a few to consider:

  • Wordfence (Last Updated: 2013-7-19 as of posting) – Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
  • Better WP Security (Last Updated: 2013-7-26 as of posting) – Helps with protection, detection and recovery.
  • Limit Login Attempts (Last Updated: 2012-6-1 as of posting) – Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.
  • BulletProof Security (Last Updated: 2013-7-16 as of posting) – WordPress Website Security Protection. Website security protection against: XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking.

Over in The LAB, a few years back, Greg recommended checking out Perishable Press as a good WordPress security resource. And Sam recommended the Exploit Scanner plugin. Perhaps they’ll update us on what they’re reading / using for security now.

The WordPress plugin directory has many more security plugins. Again, I encourage you to limit your reliance on plugins in general. And be sure that you are confident in the safety and support of those that you choose to install and activate.

As anyone who has been hacked will tell you, getting hacked and recovering from a hack is not fun. Taking the time to take some preventative measures and instituting some commonsense security policies at your firm will help you avoid 99% of the most common security issues you’re likely to encounter.

Have a WordPress security question or tip you’d like to share? Feel free to post below.



  1. Sam Glover says:

    I use Better WP Security and Limit Login Attempts on all my blogs, and they are installed on websites and blogs in our Sites network by default.

  2. David Whelan says:

    Great tips. I was tweaking my .htaccess file this weekend, where I block access to the login page from all but my main IP address. I commented it out and was surprised that there were immediately login requests in the logs. It’s easy to forget that the automated attacks are unceasing. Like Sam, I use the Limited Login plugin on a site that has multiple editors, and a captcha plugin like Blue Captcha can double up the challenges on the login page. Thanks for the list of suggested plugins.

  3. Gene M says:

    I learned the hard way that shared hosting can ruin your WP installs no matter what kind of security measures you take. Beware of shared hosts and SQL injections. Go dedicated, trusted cloud ($$$) or VPS (from trusted companies).

  4. Aseal Morghem, Esq. says:

    Great tips and insight for those of us who are not so tech savvy. Thank you.

  5. Ian Armstrong says:

    There are several comments I’d like to make and only a little time to make them with.

    First, WordPress is an excellent platform if you know what you are doing with it. If you are a large law firm concerned foremost about security, you should consider the WordPress VIP program, which caters to your type of enterprise. If, on the other hand, you are self hosted, there is a lot you can do both to test and to harden your site.

    Brute force attacks typically happen on a rotating IP address using a botnet of other websites, so you can’t just block all IPs from Nigeria for 24 hours and be done with it. Login limiters are of dubious utility because of this as well. Unless you have a hands-on security setup in place, the tips that will best help you include:

    [a] Block author scans/enumeration. If you visit you will immediately learn that this is a user named “myadmin” and the fact this account is in the #1 slot, if you want to take down the GOP’s website, you’ve got a very good point of entry. A simple bit of htaccess listed here: will solve the problem.

    [b] If you know someone who can use the software at (see the linked BackBox distro) then you can use many of the tools that hackers will employ against you to probe your site.

    [c] Don’t just install every security plugin under the sun. In fact, don’t install a ton of plugins you don’t really need. Plugins aren’t bad but many aren’t written as well as you would hope.

    [d] Better WPS, mentioned above, is the best of the plugins but it will also break your site if you aren’t careful. Bulletproof security is good too because you can configure it then disable the plugin. They cover very different approaches with only a little overlap. The difference being that it’s easy to replicate Bulletproof without a plugin.

    [e] Nothing, nothing, nothing beats a good backup & disaster recovery plan.

    [f] Never post pages or blogs as an administrative user. The highest public-facing user level should be editor.

    [g] A quick MySQL operation will allow you to renumber your DB. You should not have IDs 1-10 on your install in MySQL, they are targets. Make any admin a random 16-digit user ID number.

    Finally, it’s not just WordPress that has security issues. It’s just when you’re the 800 pound gorilla in the room, the problems are more pervasive.

    — Ian Armstrong /
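As an added example of the author-enumeration block Ian mentions in [a] (my own snippet, not the one at his link), here is a mod_rewrite rule for the root .htaccess on Apache 2.4. Out of the box, WordPress answers /?author=N with a redirect to /author/<login name>/, which maps each numeric ID to a login name; this rule sends such requests back to the home page instead, while leaving /wp-admin alone because the dashboard filters its post lists with the same parameter.

```apache
# Added example for Apache 2.4 (.htaccess in the WordPress root).
RewriteEngine On

# Skip the admin area, where author=N is a legitimate post-list filter.
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Match author=<digits> anywhere in the query string.
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
# Redirect to the home page; the trailing "?" drops the query string so the
# rule cannot loop on itself.
RewriteRule .* /? [L,R=301]
```

Theme author archives reached by their pretty permalink (/author/<name>/) are unaffected, so if you also want those hidden you have to deal with them separately, and since WordPress 4.7 the REST API lists authors of published posts at /wp-json/wp/v2/users, which this rule does not cover either.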
