WordPress Security

WordPress has become the world's most popular Content Management System. Easy to started with and extremely versatile. One of the best website and blogging platforms ever. The biggest drawback of WordPress's popularity is it's a prime target for hackers. WordPress security should always be a top priority for site owners. It is estimated 60,000 attacks on WordPress Websites happen every hour

Keep WordPress Updated

Make sure you are always running the latest stable build. WordPress updates and improves its build often. Make sure that your version is the most up to date to stay ahead of old vulnerabilities and exploits. RSH Web Services WordPress accounts update automatically. If yours doesn't keep an eye on your Admin panel or In-box to be notified of when new updates are available. Hackers look for outdated sites, and only about 25% of sites are running the latest version. And since WordPress runs almost 30% of all websites that's a lot of outdated websites

Not Updating Plugins or Themes

Running outdated versions of WordPress plugins and themes can also leave you vulnerable. Updates often include patches for security issues. It is important to run the latest versions. Make a practice of regularly running backups and updates for your WordPress site. This is a important WordPress security "Best" practice

Install only trusted plugins and house clean regularly

Poorly-written, insecure, or outdated plugins is one of the most common ways attackers exploit your site. Plugins and themes are the most potential sources of security vulnerabilities. Only download and install WordPress plugins and themes from reputable sources. Avoid bootleg or torrent "Free" versions of premium themes and plugins, as the files may have been altered to contain malware

Not using those old plugins any more?

Get rid of them!
There's a temptation to install as many plugins as you can or have problems to solve, But too many plugins can cause bloat and just one unreliable or outdated plug-in can cause a major security risk. Regularly delete unused themes and plugins, as even a deactivated plug-in can be a security risk if a vulnerability is found and exploited. Review your plugins periodically to make sure you still have the best one for the job. There could be a new plug-in that combines the features of a few that you already have and might be better supported, more secure and easier to maintain

information on hosting

Add Extra Security to User Accounts

Lock down user permissions to prevent unauthorized access to admin areas A great deal of vulnerability comes from the user accounts that intentionally give access to your site, particularly administrator and editor roles. If a hacker gains access to one of these accounts. Always make sure accounts only have the access they need. It's also good practice to remind users to use secure passwords (over eight digits, with upper, lowercase, numbers etc), and to change them every so often. Remind them never to write their passwords down, and log out when they are finished with their session to avoid unauthorized access to their accounts

Change the "Defaults"

Changing the name of your admin account will make a hacker's job a lot harder. New WordPress installs make you choose a custom username for your admin account, but if you installed your site a while ago, your admin account may have the default name of "admin" This makes it easier for hackers to guess your login credentials as half the work is already done for them. Change the default admin user-name to something else to improve security. You should also change the default database prefix to something other than "wp_" to add a further layer of obscurity to your default setups. The easiest way to do this on an existing install is via a plug-in, but backup your databases first


Hide your WordPress version number and change the name of your login page. Hackers have less leverage if they don't know where to start. In this way hackers will not know which vulnerabilities they are able to exploit. Move your login page from /wp-login to something that's not default. This makes a huge stumbling block for DOS - Brute Force Attack Bots that look for login forms to target. It also adds a more aesthetic value, in that you can change the URL to something more memorable for your users

.htaccess file

Deny external access to wp-config.php and .htaccess using the following code in your .htaccess file
Here is a example of such a file

   <Files wp-config.php>
     order allow,deny
     deny from all
   <Files .htaccess>
     order allow,deny
     deny from all

You can also disable file editing from the Admin panel if your themes are only going to be edited via FTP or cPanel. This prevents anyone with access to the Admin panel from directly editing files accidentally or as a hacker with malicious intent
Insert the following into your wp-config.php file:

    define('DISALLOW_FILE_EDIT', true);

Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file
To disable directory browsing on your website, you need to add the following line to your .htaccess file:

     Options -Indexes

Ban Suspicious IP Addresses
You can block requests by blocking the IP address in your .htaccess file

   <Limit GET POST>
     order allow,deny
     deny from xxx.xxx.xx.x
     allow from all

Security and anti-spam plugins

A good set of security plugins will keep your site safer. Many security features can be added with comprehensive security plugins. Some security plugins come with a suite of tools to lock down vulnerabilities on your site such as those already mentioned here. These types of plugins can be invaluable in making your WordPress site more secure, Some security plugins also come with backup options, for that all-inclusive service

You may want to try Astra Security Firewall. It is one of the best rated complete Security Solutions for WordPress websites

Brute Force Attacks

WordPress, by default, doesn’t limit login attempts, so bots can attack your WordPress Login page using the brute force method. Even if a brute force attack is unsuccessful, it can still wreak havoc on your server, as login attempts can overload your system. While you’re under a brute force attack, some Web Hosts may suspend your account, especially if you’re on a shared hosting plan, due to system overloads

File Inclusion Exploits

After brute-force attacks, vulnerabilities in your WordPress website PHP code are the next most common security issue that can be exploited by attackers. (PHP is the code that runs your WordPress website, along with your plugins and themes.) File inclusion exploits occur when vulnerable code is used to load remote files that allow attackers to gain access to your website. File inclusion exploits are one of the most common ways an attacker can gain access to your WordPress website's wp-config.php file, one of the most important files in your WordPress installation

SQL Injections

Your WordPress website uses a MySQL database to operate. SQL injections occur when an attacker gains access to your WordPress database and to all of your website data. With an SQL injection, an attacker may be able to create a new admin-level user account which can then be used to login and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites


Malware, short for malicious software, is code that is used to gain unauthorized access to a website to gather sensitive data. A hacked WordPress site usually means malware has been injected into your web-site's files, so if you suspect malware on your site, take a look at recently changed files. Although there are thousands of types of malware infections on the web, WordPress is not vulnerable to all of them.
The four most common WordPress malware infections are:
>> Backdoors
>> Drive-by downloads
>> Pharma hacks
>> Malicious redirects
Each of these types of malware can be easily identified and cleaned up either by manually removing the malicious file, installing a fresh version of WordPress or by restoring your WordPress site from a previous, non-infected backup

Using Poor-Quality Hosting

Since the Server where your WordPress Website resides is a target for attackers, using poor-quality hosting can make your site more vulnerable to being compromised. While all hosts take precautions to secure their servers, not all are as vigilant or implement the latest security measures to protect websites on the server-level

Cross-Site Scripting (XSS)

84% of all security vulnerabilities on the entire Internet are called Cross-Site Scripting or XSS attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins. The basic mechanism of Cross-Site Scripting works like this: an attacker finds a way to get a victim to load web pages with insecure javascript scripts. These scripts load without the knowledge of the visitor and are then used to steal data from their browsers. An example of a Cross-Site Scripting attack would be a hijacked form that appears to reside on your website. If a user inputs data into that form, that data would be stolen

Weak Passwords

Using a weak password is one of the biggest security vulnerabilities you can easily avoid. Your WordPress admin password should be strong, include multiple types of characters, symbols or numbers. In addition, your password should be specific to your WordPress site and not used anywhere else. If you’re currently using a password that contains fewer than 6 characters, change it now. If you’re currently using a password on more than one login, change it now. If you’ve had the same password for more than six months, change it now. Start practicing good WordPress password security, especially if you’re an admin user

Never use a "Random Password Generator"

Most of these programs are made by Hackers
And you guessed it. You just gave then your new password!!

Bundling hosting, domains, privacy, and security
Into one low price for all our WordPress hosting packages

Tweet  Share  Pin  Tumble  Email