
7 ESSENTIAL STEPS FOR HARDENING WORDPRESS

WordPress is well known to be a target for attackers, so anything you can do to harden your WordPress site is sensible, and it should be part of your overall design process rather than a bolt-on. I’ll look at the main areas that are likely to be weak and what you can do to add greater levels of security and protection.

The general areas that need attention are shown below, but you may have site-specific security requirements too, so bear this in mind:

  • Access control to the site content
  • Securing WordPress core files
  • Plug-in and theme security
  • WordPress vulnerabilities
  • Webserver vulnerabilities
  • Secure communications / HTTPS
  • Disaster recovery

Much of the security of WordPress comes down to the same core processes as securing any other digital system, i.e. handling software vulnerabilities, controlling access, securing communications and having a plan if it all goes wrong.

To begin, you should always start with a security plan based on the types of security issue you expect and how each would be resolved. The plan should take into account what the site is used for and by whom. For example, a site with no visitor accounts has fewer secrets to protect in transit than one with a login form, but it still benefits from HTTPS (see step 6), and if it carries third-party adverts those can be a malware vector in their own right. The plan should reflect the level of security the site actually requires.

However, some things are fundamental and should always be implemented, for example, good login security for site administrators and contributors.

1) ACCESS CONTROL: FRIEND NOT FOE

The first area to look at is setting up how your administrators, contributors and other users can access and modify the site content. This is fundamental to controlling the security of your site. Some threats are very difficult to secure against, insider threats for example: if one of your privileged users turns against you, that is hard to predict or control. You can, however, reduce insider risk by monitoring usage behaviour, by removing accounts that are no longer needed (former staff, contractors, test accounts) and by giving every remaining account only the role it actually needs (an author does not need to be an administrator).

Insider threats are one thing, but controlling cyber-attacks, such as brute force attacks, is another. There are a number of ways you can control these sorts of attacks where hackers attempt to access your accounts.

Brute force attacks are where an attacker uses an automated program to submit many common usernames and passwords to your login screen to force entry. People tend to reuse predictable username and password patterns, so these attacks can be very successful. For example, password policies that ask for a capital letter and a number lead many people to turn “password” into “Password1”, and attackers’ word lists contain exactly those variants.

To prevent brute force attacks you should:

  • Use a username that is not guessable (above all, don’t use “admin”). This is only a minor obstacle, because WordPress reveals login names through author archive pages, so it must be paired with the measures below.
  • Use a long, unique password. Length does more than special characters; a passphrase or a string generated by a password manager is ideal, and it must not be reused from another site.
  • Enable two-factor authentication (2FA) for the WordPress login. Plugins such as the Duo plugin ask for a mobile-app code or an SMS code in addition to the username and password before granting access to the WordPress dashboard.

A Captcha such as Math Captcha, and lockout or rate limiting of repeated failed logins, both slow automated guessing down, but they are complements to 2FA rather than replacements for it: a Captcha stops a script, not a human who has already obtained your password.
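Brute force attempts leave a very recognisable trail in the web server log, and looking for it is how you find out whether the measures above are actually being tested. The script below is an added example (not code from the original post or from any plugin it names): it counts suspicious login traffic per client address in Apache combined-format logs and turns the offenders into an Apache 2.4 access-control block. It assumes that WordPress answers a failed POST to wp-login.php with HTTP 200 (it redisplays the form) and a successful one with a 302, and it also counts POSTs to xmlrpc.php, which accepts the same credentials and answers 200 either way. The log lines are constructed for the example.

```shell
#!/bin/sh
# Spot brute-force login attempts in Apache combined-format access logs.
# Added example. Assumptions: WordPress redisplays the form with HTTP 200
# on a failed wp-login.php POST and answers 302 on success; xmlrpc.php
# (another route to the same credentials) returns 200 either way, so every
# POST to it is counted. The log lines below are constructed, not real.

SAMPLE_LOG='203.0.113.5 - - [10/Jun/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2015:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2015:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2015:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2015:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2015:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2015:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2015:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"'

# flag_brute_force THRESHOLD  (log lines on stdin)
# Prints "ip count" for clients with at least THRESHOLD suspicious requests,
# sorted so the output is deterministic. Field 6 is the quoted method,
# field 7 the path, field 9 the status code.
flag_brute_force() {
    awk -v t="$1" '
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == "200" { n[$1]++ }
        $6 == "\"POST" && index($7, "/xmlrpc.php") == 1                 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort
}

# deny_rules THRESHOLD  (log lines on stdin)
# Emits an Apache 2.4 block for <Files wp-login.php> / <Files xmlrpc.php>
# that keeps the site open but shuts out the flagged addresses.
deny_rules() {
    flag_brute_force "$1" | awk '
        BEGIN { print "<RequireAll>"; print "    Require all granted" }
              { print "    Require not ip " $1 }
        END   { print "</RequireAll>" }
    '
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 5
printf '%s\n' "$SAMPLE_LOG" | deny_rules 5
```

With a threshold of 5 only 203.0.113.5 is reported (four failed form logins plus three XML-RPC posts); the legitimate user at 198.51.100.7, who mistyped once and then got a 302, is not. Run it over `/var/log/apache2/access.log` on a cron schedule, or feed the same signature to fail2ban, and review the emitted block before you install it: a shared office NAT address can look exactly like an attacker.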

2) SECURING CORE WORDPRESS FILES

There are certain core files that WordPress uses that should have protection applied. These files control the appearance and functionality of your WordPress site, and if an attacker can write to them you can kiss your site goodbye. They sit together in well-known folders, which makes them easy for attackers to find.

To protect these files, allow write access only on a strictly need-to-know basis: the account that owns the files should not be the account the web server runs PHP as, so that a compromised plugin cannot rewrite core files, and the web server should at most need write access to wp-content/uploads. You can also put HTTP basic authentication (an .htaccess/.htpasswd pair) in front of the wp-admin/ folder, which contains many of these important files; if you do, exempt wp-admin/admin-ajax.php, which themes and plugins call from the public side of the site.

There is one file in particular, wp-config.php, which tells WordPress where to find your site database. It contains your MySQL username and password as well as your WordPress authentication keys and salts. This file needs hardening, and one way to do it is to move it out of its default home (the public_html or www folder): WordPress will also look for it one directory above the install, outside the web root, so a web server misconfiguration that serves PHP as plain text cannot expose it.

However, the jury is out on how much this tactic buys you, because anything that runs as the web server user (a compromised plugin, for example) can still read the file wherever it lives. Ultimately the best protection for this and other files is strong access control (restrictive file permissions, and web server rules that refuse to serve it) combined with anti-malware measures.

In addition to your own measures, a number of WordPress plugins help with the security of core files and malware threats, including Wordfence and Sucuri’s Security plugin; the latter also helps with hardening core files.

3) PLUGIN AND THEME SECURITY

Plugins and themes are the perfect vector for malware: attackers look for vulnerabilities in plugin and theme code and exploit them to insert many kinds of malicious code. Sucuri found that over a hundred thousand sites had been infected with malicious code through an outdated, vulnerable version of the RevSlider plugin (Slider Revolution), which is often bundled inside commercial themes, so many site owners did not even know they were running it or that it needed updating.

The best way to close this entry point is to use plugins with some pedigree (from the official directory or a reputable vendor, never a “nulled” copy from a warez site, which frequently ships with a backdoor already inside), to delete plugins and themes you no longer use, and, most importantly, to keep the ones you do use patched and up to date. This won’t stop zero-day vulnerabilities, i.e. exploits for flaws the vendor doesn’t yet know about, but it keeps your software as malware-free as you can make it.

You should also consider, but not rely entirely on, security plugins that help prevent malware infections, for example Anti-Malware and Brute-Force Security, or Theme Authenticity Checker, which scans theme files for injected code.
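What a scanner like Theme Authenticity Checker looks for is not mysterious: injected PHP almost always uses a handful of constructs that legitimate theme and plugin code rarely needs. The script below is an added example (not the page’s or that plugin’s own logic) that runs that heuristic over a wp-content tree with nothing more than find and grep. The marker list is a starting point and will produce some false positives, so treat hits as things to read, not things to delete automatically. The sample theme and plugin files are constructed for the example.

```shell
#!/bin/sh
# Heuristic scan of theme and plugin PHP files for the constructs injected
# backdoors use and legitimate WordPress code almost never needs. Added
# example, not Theme Authenticity Checker's own logic; review hits by hand.

# scan_php DIR  -> prints "file:line:content" for every suspicious line.
# Patterns: decode-and-eval loaders, request parameters called as functions,
# shell-out functions, and preg_replace with the /e (eval) modifier.
scan_php() {
    # /dev/null as a second file forces grep to prefix the filename on every
    # hit, even on greps without -H.
    find "$1" -type f -name '*.php' -exec grep -n -E \
        -e 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13|strrev) *\(' \
        -e '\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\] *\(' \
        -e '(system|passthru|shell_exec|proc_open|popen) *\(' \
        -e "preg_replace *\(.*/e['\"]" \
        {} /dev/null \;
}

# scan_count DIR -> number of suspicious lines found.
scan_count() {
    scan_php "$1" | awk 'END { print NR }'
}

# make_sample_tree DIR: constructed wp-content tree with one clean theme
# file (uses base64_decode legitimately, must not be flagged) and one
# plugin file carrying two typical backdoor lines.
make_sample_tree() {
    mkdir -p "$1/wp-content/themes/mytheme" \
             "$1/wp-content/plugins/shiny-slider/includes"
    cat > "$1/wp-content/themes/mytheme/functions.php" <<'EOF'
<?php
// Legitimate use of base64_decode without eval: must NOT be flagged.
function mytheme_decode_option($v) { return base64_decode($v); }
add_action('init', 'mytheme_decode_option');
EOF
    cat > "$1/wp-content/plugins/shiny-slider/includes/helper.php" <<'EOF'
<?php
function slider_helper() {
    eval(base64_decode('ZWNobyAiaGkiOw=='));   // decode-and-eval loader
    $_REQUEST['c']($_REQUEST['a']);            // call whatever the request names
}
EOF
}

# Stand-alone run over the constructed tree:
tmp=$(mktemp -d)
make_sample_tree "$tmp"
scan_php "$tmp"
rm -rf "$tmp"
```

Run `scan_php /var/www/html/wp-content` after every plugin or theme install and again on a schedule; a file that suddenly starts matching is as interesting as one that matched from the start. For a stronger check than pattern matching, compare the installed plugin against a fresh download of the same version (a diff that is not empty needs explaining).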

4) WORDPRESS VULNERABILITIES

WordPress itself can have software vulnerabilities built into new versions, which you often don’t hear about until the hackers have taken advantage of them.

Like all other software, vulnerabilities are best handled by keeping versions patched, and since WordPress 3.7 minor security releases can install themselves automatically; leave that switched on. At the time of writing the most recent security release was 4.2.1 (April 2015), which fixed a stored cross-site scripting (XSS) vulnerability in comments: a specially crafted comment could run attacker-supplied JavaScript in the browser of an administrator who viewed it.

A related issue surfaced weeks later in an example HTML file shipped with the Genericons icon font, which is included in the default Twenty Fifteen theme and in the widely installed Jetpack plugin; it was exploitable for DOM-based XSS and was removed in 4.2.2 (May 2015). If you ran the default theme with default settings you were exposed. Patching could not help before a fix existed, since both were zero-days, i.e. WordPress was not aware of them until they were already public, but fixes followed within days, which is exactly why automatic minor updates are worth keeping on.

5) WEB SERVER VULNERABILITIES

Web server security should be applied in a number of areas. Generally you’ll be looking at an Apache web server running on Linux. One thing that is often misunderstood is .htaccess: the directives it carries only take effect where the main Apache configuration permits overrides (AllowOverride). If you control the server, set AllowOverride None and put the rules in the server configuration instead, so that nobody who gains write access to the web root can change how Apache behaves. If you have to rely on .htaccess (most shared hosting), at least make sure Apache refuses to serve any file whose name starts with .ht, and that the web server user cannot write to it.

A problem a lot of sites have is that they run on a shared web server through a shared hosting company. In this situation, check what precautions the host takes to prevent cross-site contamination (one compromised customer’s site being used to reach the others): accounts should be isolated from each other at the operating-system level, not just by directory.

Again, as with every other aspect of your WordPress site, make sure the web server software (and the PHP underneath it) is patched and up to date; patching really is the first step in security.

6) SECURE COMMUNICATIONS / HTTPS

HTTPS is HTTP carried over Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL); the old name survives in “SSL certificate”. It encrypts traffic between browser and server and, just as importantly, authenticates the server, which is what defeats man-in-the-middle (MitM) attacks where someone intercepts or alters the traffic. As a minimum, you and every contributing user should reach the WordPress dashboard over HTTPS, otherwise your password and session cookie cross the network in clear text. You also need HTTPS across the whole site if you gather any data from visitors, and since a mixed HTTP/HTTPS site is easy to get wrong, the simplest safe policy is HTTPS everywhere with plain HTTP redirected to it.

To implement HTTPS you need a TLS certificate (still widely called an SSL certificate). A domain-validated certificate and an Extended Validation (EV) certificate give exactly the same encryption; EV only adds a stronger check of the organisation’s identity, which some browsers display, and is not a more secure version cryptographically. Many hosting companies can help with installation and can supply the certificate, issued to your organisation so that visitors can see whose site it is. Alternatively, there are WordPress tutorials on implementing HTTPS; even after following one, parts of the site can remain exposed (the login page still answering over plain HTTP, content still embedded from http:// URLs), so set FORCE_SSL_ADMIN in wp-config.php and check for mixed-content warnings afterwards.
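Steps 2, 5 and 6 all come down to a few concrete changes on disk: file modes that stop the web server user rewriting code, web server rules that refuse to serve wp-config.php and .ht* files, and an HTTP-to-HTTPS redirect plus FORCE_SSL_ADMIN. The script below is an added example (not WordPress’s or any plugin’s own tooling) that applies all three to an install and is safe to re-run. It assumes Apache 2.4 with AllowOverride enabled for the site directory, PHP running as a user other than the file owner, and that user being in the owner’s group so it can read, but not write, wp-config.php. The sample install it builds for the dry run is constructed and the credentials in it are placeholders.

```shell
#!/bin/sh
# On-disk hardening for a WordPress install: least-privilege file modes,
# web-server rules for files that must never be served, and HTTPS forced
# for the login and dashboard. Added example, not WordPress's own tooling.
# Assumptions: Apache 2.4 with AllowOverride on; PHP runs as a user other
# than the file owner, in the owner's group (read, not write, at 0640).

# harden_files WPROOT: directories 0755, files 0644, wp-config.php 0640.
# Trade-off: the web-server user can no longer rewrite plugins, themes or
# .htaccess, so updates go through SSH/deploy rather than the dashboard.
harden_files() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# write_htaccess WPROOT: prepend deny rules and an HTTP->HTTPS redirect,
# keeping WordPress's own rewrite block intact. Idempotent via a marker.
write_htaccess() {
    f="$1/.htaccess"
    if [ -f "$f" ] && grep -q 'harden-wp: begin' "$f"; then
        return 0
    fi
    tmp="$f.tmp.$$"
    cat > "$tmp" <<'EOF'
# harden-wp: begin
<Files wp-config.php>
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# harden-wp: end
EOF
    if [ -f "$f" ]; then
        cat "$f" >> "$tmp"
    fi
    mv "$tmp" "$f"
}

# force_ssl_admin WPROOT: define FORCE_SSL_ADMIN before wp-settings.php is
# loaded (a define after it is ignored). \047 is a single quote in awk.
force_ssl_admin() {
    f="$1/wp-config.php"
    if grep -q 'FORCE_SSL_ADMIN' "$f"; then
        return 0
    fi
    awk '!done && (/stop editing/ || /wp-settings\.php/) {
             print "define( \047FORCE_SSL_ADMIN\047, true );"; done = 1
         }
         { print }' "$f" > "$f.tmp.$$"
    mv "$f.tmp.$$" "$f"
}

# harden_wp WPROOT: all three steps, modes last so rewritten files end up
# with the intended permissions.
harden_wp() {
    write_htaccess "$1"
    force_ssl_admin "$1"
    harden_files "$1"
}

# make_sample_wp DIR: constructed, minimal WordPress-shaped tree for a dry
# run; not a real install, and the credentials are placeholders.
make_sample_wp() {
    mkdir -p "$1/wp-admin" "$1/wp-content/plugins/demo"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'placeholder-only' );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
    printf '<?php\n' > "$1/wp-admin/index.php"
    printf '<?php\n' > "$1/wp-content/plugins/demo/demo.php"
    cat > "$1/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

# Dry run against the constructed tree:
demo=$(mktemp -d)
make_sample_wp "$demo"
harden_wp "$demo"
grep -n 'FORCE_SSL_ADMIN' "$demo/wp-config.php"
rm -rf "$demo"
```

Two caveats before running this against a real site: if TLS terminates at a load balancer in front of Apache, `%{HTTPS}` is never on and the RewriteCond must test `%{HTTP:X-Forwarded-Proto} != https` instead (and wp-config.php needs the matching `$_SERVER['HTTPS']` shim, or every request loops); and if you do run the dashboard updater, either relax the mode on wp-content or give WordPress SSH/FTP credentials for updates, rather than making the web server the owner of everything again.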

7) DISASTER RECOVERY: DON’T LET A DISASTER BRING YOU DOWN

If it still all goes wrong, whether you are infected by malware, your site is hacked, or you suffer a denial-of-service (DoS) attack, you need to be able to fix things and get your site back up and running with as little delay and loss of data as possible.

Counter-intuitively, disaster recovery should be one of the first things you think about and organise, not the last.

WordPress is basically split into five areas:

  • The WordPress core code (PHP)
  • Themes (PHP, under wp-content/themes)
  • Plugins (PHP, under wp-content/plugins)
  • Uploaded media (wp-content/uploads: the images and documents that exist nowhere else)
  • Database content (posts, pages, comments, users and settings)

All five need to be backed up to bring your site back if disaster occurs. Regular backups are a must; some people take them every night, but how often your site changes determines the right interval. Keep at least one copy off the server (a backup stored next to the site dies with it), and treat the archive as sensitive: it contains wp-config.php with your database credentials and the full user table.

Backup software is often prescribed by the hosting company you have your site with, but automatic WordPress backup plugins are also available. If you look in the WordPress plugin directory you will find many; research which is best for your site and database type. Whichever you choose, test the results by actually restoring a backup somewhere before you rely on it in earnest.
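The test-before-you-need-it advice above is easy to turn into a routine. The script below is an added example (not a hosting company’s or any plugin’s backup tool) that captures all five parts of the site in one archive and then proves the archive is usable by listing it and restoring it into a scratch directory. It assumes the site lives under WPROOT, that OUTDIR is outside WPROOT (otherwise the archive would try to include itself), and that the database dump command is supplied through DUMP_CMD; the default is mysqldump reading credentials from ~/.my.cnf so that no password appears on the command line. The sample site and the stand-in dump are constructed so the dry run works offline.

```shell
#!/bin/sh
# Back up all five parts of a WordPress site (core, themes, plugins,
# uploads, database) into one archive, then prove the archive is usable.
# Added example, not a hosting company's or plugin's backup tool.
# Assumptions: site under WPROOT; OUTDIR outside WPROOT; DUMP_CMD supplies
# the database dump (default mysqldump with credentials from ~/.my.cnf).

# wp_backup WPROOT OUTDIR: writes OUTDIR/wp-backup-<stamp>.tar.gz and
# prints its path. The archive holds wp-config.php and the DB dump, i.e.
# your credentials and all content, hence the 0600 mode; copy it off the
# server afterwards, a backup stored next to the site dies with the site.
wp_backup() {
    root="$1"; out="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    dump="${DUMP_CMD:-mysqldump --defaults-file=$HOME/.my.cnf --single-transaction wordpress}"
    sh -c "$dump" > "$work/db.sql"
    archive="$out/wp-backup-$stamp.tar.gz"
    # Whole tree from WPROOT (core, wp-config.php, wp-content/*) plus db.sql.
    tar -czf "$archive" -C "$root" . -C "$work" db.sql
    chmod 600 "$archive"
    rm -rf "$work"
    echo "$archive"
}

# wp_backup_verify ARCHIVE: list the archive and check every piece you will
# need is actually in it; an unverified backup is a hope, not a backup.
wp_backup_verify() {
    list=$(tar -tzf "$1") || return 1
    for want in ./wp-config.php ./wp-content/themes ./wp-content/plugins \
                ./wp-content/uploads db.sql; do
        echo "$list" | grep -q -x -F -e "$want" -e "$want/" || {
            echo "missing from backup: $want" >&2; return 1; }
    done
    echo "ok: $(echo "$list" | wc -l | tr -d ' ') entries"
}

# wp_restore ARCHIVE DESTDIR: unpack the file tree into DESTDIR, leaving
# db.sql there for `mysql wordpress < db.sql`. Rehearse this into a
# scratch directory now, not on the day the site is gone.
wp_restore() {
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}

# make_sample_site DIR: constructed stand-in for a real install.
make_sample_site() {
    mkdir -p "$1/wp-content/themes/mytheme" "$1/wp-content/plugins/demo" \
             "$1/wp-content/uploads/2015/06"
    printf '<?php\n// constructed; a real one holds DB credentials\n' > "$1/wp-config.php"
    printf '<?php\n' > "$1/wp-content/themes/mytheme/functions.php"
    printf '<?php\n' > "$1/wp-content/plugins/demo/demo.php"
    printf 'not-really-png' > "$1/wp-content/uploads/2015/06/logo.png"
}

# Dry run, offline: a printf stands in for mysqldump.
site=$(mktemp -d); dest=$(mktemp -d); scratch=$(mktemp -d)
make_sample_site "$site"
DUMP_CMD="printf 'CREATE TABLE wp_posts (ID bigint unsigned);\n'"
archive=$(wp_backup "$site" "$dest")
wp_backup_verify "$archive"
wp_restore "$archive" "$scratch"
rm -rf "$site" "$dest" "$scratch"
```

In production, leave DUMP_CMD unset so the real mysqldump runs, schedule `wp_backup` from cron, and follow it with `wp_backup_verify` plus a copy to storage the web server cannot delete (an attacker who owns the server will go after the backups next). The restore rehearsal into a scratch directory is the part most people skip and the part that finds the broken backup while it is still cheap to fix.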

A FINAL THOUGHT

Security is not something you should grudgingly do, it is not an afterthought, it should be part of your general web design process.
