How to Implement WordPress Security

Security on WordPress is an issue to be taken seriously, primarily due to it’s sheer popularity! There are over +75 million WP websites out there, so devising a successful hack opens up a world of opportunities. Whilst you can expect determined and sophisticated hacking attempts directed against your WordPress sites, there are numerous preventive measures that ensure the integrity of your site will be maintained. .

These hacking efforts run the whole gamut of attack variations;

  • Blackhole Exploit Kit attacks
  • SQL Injection attempts
  • Brute Force Login & Password access efforts
  • Link Injection & Phishing attacks, where links to bank fraud efforts are made
  • DDOS – distributed denial of service attacks where thousands of computers simultaneously access your site with multiple request in order to bring it down
  • Etc…

Many attacks are initiated in China, Russia, Poland, Iran, North Korea, Turkey and Indonesia. Generally speaking, its easy to minimise the potential threat by a few minutes of preemptive efforts!

In other words, an ounce of prevention is better than a pound of cure!

WordPress Security Plugins

This is the first line of defence – a properly implemented WordPress security plugin will thwart the majority of hacking efforts – particularly the script-based automated ones! Where a human-driven attack is initiated, you can easily make it extremely difficult to cthe internals of your website. The more difficult it is, the greater the likelihood of the attacker giving up and seeking out a softer, easier target. Even in the hacking world, time is money…

There are multiple WordPress security plugin applications available, each with its own methodology or variation on a theme. Selection of one over the other will often be based on the server environment – some simply won’t install if the right PHP elements or server settings are not enabled. Those that I have direct personal experience with are;

  • Wordfence Security – excellent login security and strong password enforcement
  • Block Bad Queries – fast firewall that does not intrude into other activities – such as WordPress Management Consoles

These two work quite well together, although I disable the Wordfence Firewall in favour of the BBQ one. Wordfence has its peculiarities, peccadilloes and quirks! But each works…



I prefer to use a single WordPress security plugin across all sites I manage, so I’ve got Wordfence Security installed on over 50 sites.

Wordfence has a much more complicated interface than it did a couple of years ago, It is very robust, and once you grasp the logic of how things are hidden / found, the settings are easy to configure.It is going to defeat the most determined of automated hacking efforts without impacting on the site’s usability! Wordfence can be configured to provide email warning of a variety of threats, including;

  • Alert on critical problems
  • Alert on warnings
  • Alert when an IP address is blocked
  • Alert when someone is locked out from login
  • Alert when the “lost password” form is used for a valid user
  • Alert me when someone with administrator access signs in
  • Alert me when a non-admin user signs in

Other important security aspects include;

  • Enable automatic scheduled scans
  • Scan core files against repository versions for changes
  • Scan for signatures of known malicious files
  • Scan file contents for backdoors, trojans and suspicious code
  • Scan posts for known dangerous URLs and suspicious content
  • Scan comments for known dangerous URLs and suspicious content
  • Scan for out of date plugins, themes and WordPress versions
  • Check the strength of passwords
  • Monitor disk space
  • Scan for unauthorized DNS changes
  • Scan files outside your WordPress installation
  • Enforce secure passwords

The fast alerts on the slightest hint of a problem are comforting. I especially like the “Scan core files / plugins / themes against repository” function!!! If a file changes, or an extra one appears, the alarm bells start ringing!


WordPress Security Plugins Summary

These plugins are sure to solve the particular security issues on your WordPress website. They provide a known base from which to start your countermeasures. There are several others that can be trialed.


Securing WordPress

There are several basic elements that need to be addressed as part of any recommendations on WordPress security.

Secure WordPress User ID

The default WordPress User ID is “admin” and you should NOT use that on your site. Doing so immediately means half of the “site access equation” is known, and all that’s required is the password! That’s pretty reckless in this day and age…

A secure User ID ought to be a minimum of 10 characters containing a mix of upper and lower case and including numeric and/or special character variations e.g.; The#1Boss

In addition, you should then assign a User Account “nickname” so that there is no clue as to the Admin identity if you inadvertently use the account to publish any pages or posts! Ideally, you should publish the pages and posts from a “Editor” level account…

Secure Passwords

Most people foolishly use a password related to their life in some guessable way. Phone numbers, wife’s name, child’s name, dog’s name etc… A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open!

There are several websites specialising in secure password generation…

USE one of them!

Comment Spam & Bad Links

These contribute negatively to your website’s online profile. Eliminate the majority of potential issues by using the inbuilt automation options;

  • Don’t allow registration unless its absolutely necessary!
  • Don’t allow comments on pages
  • Close comments on posts after 2 – 4 weeks
  • Don’t allow trackbacks / pingbacks on posts

Installing and configuring Akismet is not at all difficult and it effectively screens out the worst of the remaining garbage!

I use Cleantalk on sites that get a lot of spam post attempts.


Maintaining WordPress & Plugins

Its extremely important to diligently maintain WordPress and any plugin applications. When a security breach or flaw occurs, fixes are put in place, but word of the potential exploit quickly circulates among the hacking community. Hackers immediately start looking for sites that are at risk, and target them!

A ‘once a week’ login to your WordPress Admin should be a standard task, in order to check if there are upgrades available. Install any upgrades immediately! Having a plugin like Wordfence installed ensures you are notified immediately WordPress, a plugin or theme has upgrades available.


Having an automated monthly backup process scheduled, with off-server storage, makes sound business risk management sense.


How to deal with WordPress Hacking

Don’t panic, because it won’t help! Usually, the hacking efforts I’ve seen relate to exploits of inherent security weaknesses in;

  • JavaScript in plugins
  • permissions allowing concealment of phishing (most often bank fraud) code in a sub-directory

The first indication may be;

  • an email from Fraudwatch requesting you delete the offending content
  • a warning from your hosting company that the site is compromised and in danger of being shut down
  • a tip from a friend or client that Google is displaying malware or virus warnings about your website

These days, its rare to have an overt, immediately obvious hacking occur. Its mostly an out-of-sight, deeply planted problem that the hacker hopes won’t be discovered for weeks or months.

Dealing with the problem is explained in the How to deal with WordPress Hacking page..


WordPress Security Conclusions

  • Avoiding the problem is not particularly difficult.
  • Eliminating the problem is usually straightforward.

If you need WordPress Technical Support, use the form below to get in touch.

The SEO Guy provides a comprehensive Annual WordPress Maintenance Service plan that addresses all of the issues covered in this article, for a very modest annual cost.

WP Support Enquiry