
Your WordPress Site is Not as Secure as You Think

    Cyber Security

    So, you think that your WordPress site is secure? That could be a very costly mistake. While WordPress itself is secure, bad user habits can leave your site vulnerable. It’s also possible for bugs in plugins and themes to create vulnerabilities.

    In this post, we’ll go through the most common vulnerabilities and how to guard against them.

    The Top Five Attacks Cybercriminals Use with WordPress

    1. Brute Force Attacks

    One big weakness is that, out of the box, WordPress doesn’t limit the number of login attempts. So a bot can keep trying username and password combinations until one works. And even when the attempts fail, they cause problems for you.

    The repeated attacks can overload the system. They could make your site a lot slower. If you’re on a shared hosting plan, you could reach your bandwidth cap fast. This, in turn, could lead to your account’s suspension.
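    You can see this kind of attack in your web server’s access log before it becomes a bandwidth problem. The script below is an added example, not code from the original post: it counts failed logins per client in a combined-format access log and prints the clients over a threshold. The log lines are constructed; the real log paths (/var/log/apache2/access.log, /var/log/nginx/access.log) are assumptions you should check against your host.

```shell
#!/bin/sh
# Added example, not from the original post: spot login brute-forcing in a
# web server access log.  The log lines below are constructed; on a real
# server point the function at /var/log/apache2/access.log or
# /var/log/nginx/access.log (paths assumed, check your host).

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
# Combined log format. 203.0.113.7 hammers the login form; 198.51.100.4 is a
# real user who logs in once.  WordPress answers a failed login by showing the
# form again (status 200) and a successful one with a redirect (status 302).
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:01:00 +0000] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
EOF

# login_bruteforce_ips LOGFILE THRESHOLD
# Print "count ip" for every client with more than THRESHOLD failed logins
# (a POST to wp-login.php answered with 200), busiest first.
# Field layout of the combined format: $1 client IP, $6 "METHOD (with the
# opening quote), $7 request path, $9 HTTP status.
login_bruteforce_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

echo "Clients with more than 3 failed logins:"
login_bruteforce_ips "$SAMPLE_LOG" 3   # prints: 5 203.0.113.7
```

    Run it from cron once a day (or feed the output into fail2ban or your host firewall) and the noisy clients stand out long before they hit your bandwidth cap. A legitimate user who fumbles a password once or twice stays under any sensible threshold, which is why the function counts only failed attempts rather than every visit to the login page.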

    2. File Inclusion Exploits

    A brute-force attack is the simplest attack vector. If that doesn’t work, the bot might try to exploit a weakness in the PHP code. This is the code that runs your site, including the themes and plugins you add. A file inclusion flaw is PHP code in a theme or plugin that loads a file whose path comes from user input, so an attacker can make your site load a file of their choosing. Learn more about defending against this kind of attack with this post.

    3. SQL Injections

    Here’s a little dose of nastiness for you. SQL injection happens when a plugin or theme passes unchecked user input straight into a database query. That gives the hacker a way into your database, where they’ll usually add themselves as a new administrator. From there it’s simple enough to take over your site.


    4. Cross-Site Scripting (XSS)

    This is a problem you could encounter as a result of a poorly designed plugin. The plugin lets an attacker get malicious JavaScript into one of your pages. When a visitor lands on that page, the script runs in their browser and steals their data. The nasty part is that it looks like your site is doing the stealing.

    5. Malware

    Malware comes into play once they’ve gained access to your site. They’ll usually take a sniff around and change files on the site. As a result, it can be hard to detect if you’re not looking, which suits the hackers: their aim is usually not to get caught.

    What Makes Your Site Vulnerable?

    These are the bad user habits that we were talking about earlier.

    Using a Weak Password

    The first thing that you learn during security awareness training is that your password is often the weakest link. Your password is weak if it is not:

    • At least 16 characters long
    • A random mix of alphabetic, numeric, and special characters
    • A mixture of upper and lower case letters
    • Unique to your WordPress site

    It’s good practice to get in the habit of changing your password every thirty days or so. WordPress also allows you to enable two-factor authentication.


    Your Software is Out of Date

    There are often bugs in newly issued plugins and themes. WordPress is pretty good at detecting bugs and system flaws. And they regularly release patches if they’re detected. Get into the habit of updating all your software on a regular basis.

    Where possible, set WordPress to check for updates automatically. Do also regularly check for any updates for software, themes, or plugins you have on your site.

    Back up your site and load new updates as soon as they pop up on your dashboard. It’s a pain, but the penalty for having malware on your site is a lot worse. If Google deems that your site is malicious, it’s hard to have that decision reversed.

    Downloading Any Old Plugins

    Before you add that next plugin, be careful where you get it from. Hackers may write these programs themselves. And, even well-meaning developers might inadvertently create a poor program with loopholes hackers can exploit.

    To safeguard against this, choose plugins from well-established companies with a proven track record. Check their reviews and see how well they’ve done. Then also check how old the plugin is. When was the last update completed? Outdated software is asking to be exploited. Steer clear of it completely.

    And as for “free” versions that you can download via torrent or unknown sites, that’s asking for trouble. Read more about how to identify bad plugins in this post.

    Using a Low-Quality Hosting Plan

    It’s not just your site that is a target. All the security in the world won’t do much good if the hackers can hack the servers. Ideally, you’ll want to steer clear of shared hosting plans if you can. A Virtual Private Server costs more, but it is far more secure.

    Since the server where your WordPress website resides is a target for attackers, using poor-quality or shared hosting can make your site more vulnerable to being compromised. While all hosts take precautions to secure their servers, not all are as vigilant or implement the latest security measures to protect websites at the server level.

    Some General Tips to Secure Your Site

    Start with a Strong Password

    Create a strong password. If you’re battling to remember it, consider using a secure password manager to take the pressure off.


    Do Install a Security Plugin

    We’re not keen to add a lot of extra plugins. But a good security plugin can save you a ton of grief later. Check out our choice of the top five security plugins.

    Update Your Site

    Have you updated your site yet? What are you waiting for? Do it now. Also, check when your licenses expire. It’s worth renewing them for ongoing support.

    Enable Two-Factor Authentication

    Do so on every site that you can. This makes logins a little more tedious, but it creates an extra layer of security. And, if someone does try to hack your account, you’ll have a warning straight away.


    Set Up Permissions Properly

    Do this at the server level so that the rules about who is able to read, create, or change files are explicit rather than left to whatever the installer happened to set.
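    Here is what that looks like in practice, as an added example rather than anything from the original post. It audits a WordPress directory for world-writable files and then applies the usual baseline: directories 755, files 644, and 600 on wp-config.php because that file holds your database password. It builds a throwaway directory to work on, and it assumes the files are owned by the account PHP runs as; if your host runs PHP under a different user, 600 on wp-config.php would stop the site reading its own config.

```shell
#!/bin/sh
# Added example, not from the original post: audit and set file permissions
# on a WordPress install.  Assumes the files are owned by the account PHP
# runs as (otherwise 600 on wp-config.php locks the site out of its own
# config) and uses a throwaway directory built below instead of a real site.

# find_world_writable WPDIR: list files and directories anyone can write to.
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# harden_wp_permissions WPDIR: the usual WordPress baseline.
#   directories 755, files 644, wp-config.php 600 (it holds the DB password).
harden_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# Constructed throwaway install with the kind of mistakes a quick
# "chmod 777 to make it work" leaves behind.
WP_DEMO=$(mktemp -d)
trap 'rm -rf "$WP_DEMO"' EXIT
mkdir -p "$WP_DEMO/wp-content/uploads"
printf '<?php // constructed config\n' > "$WP_DEMO/wp-config.php"
printf 'constructed upload\n' > "$WP_DEMO/wp-content/uploads/photo.jpg"
chmod 777 "$WP_DEMO/wp-content/uploads" "$WP_DEMO/wp-content/uploads/photo.jpg"
chmod 644 "$WP_DEMO/wp-config.php"

echo "World-writable before hardening:"
find_world_writable "$WP_DEMO"
harden_wp_permissions "$WP_DEMO"
echo "World-writable after hardening (should be nothing):"
find_world_writable "$WP_DEMO"
```

    Run the audit function on its own first; on a real site it should print nothing, and anything it does print is a place where a compromised process on the same server could drop files. Hosts that run PHP as a separate user usually want group-writable settings (775/664 with the web server in the group) on wp-content/uploads instead of the world-writable 777 that tutorials sometimes suggest.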

    Run Malware Checks Regularly

    Do scan your site regularly using a good malware detector. We’d recommend doing this on a daily basis. That way, if malware is located, you have a fighting chance of getting it off your site before Google picks it up.
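    A malware scanner looks for known bad code; a cheaper check you can run alongside it is a file-integrity baseline, which catches exactly the quiet file changes described under Malware above. The script below is an added example, not code from the original post or any plugin: it records a SHA-256 hash of every file in the install, then on each run reports files that were modified, removed, or added since the baseline. It assumes GNU coreutils (sha256sum) and a find/xargs that support -print0/-0, and it works on a constructed directory rather than a real site.

```shell
#!/bin/sh
# Added example, not from the original post: a file-integrity baseline for a
# WordPress install, so edits to core, theme or plugin files show up on a
# daily check.  Assumes GNU coreutils (sha256sum) and find/xargs with
# -print0/-0.  The install below is constructed.

# make_baseline WPDIR MANIFEST
# Record the SHA-256 of every file under WPDIR except uploads and cache,
# which change legitimately all the time.  MANIFEST must be an absolute path
# (the function cd's into WPDIR so the manifest holds relative paths).
make_baseline() {
    (cd "$1" && find . -type f ! -path './wp-content/uploads/*' \
        ! -path './wp-content/cache/*' -print0 | LC_ALL=C sort -z \
        | xargs -0 sha256sum) > "$2"
}

# check_baseline WPDIR MANIFEST
# Print one line per problem: "MODIFIED path", "MISSING path" or "NEW path".
check_baseline() {
    dir=$1; manifest=$2
    # Modified or removed files: sha256sum -c reports each as "path: FAILED..."
    (cd "$dir" && sha256sum --quiet -c "$manifest" 2>/dev/null || true) \
        | while IFS= read -r line; do
            path=${line%%: FAILED*}
            if [ -e "$dir/$path" ]; then
                echo "MODIFIED $path"
            else
                echo "MISSING $path"
            fi
          done
    # Files that exist now but were not in the baseline.
    known=$(mktemp); now=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort > "$known"
    (cd "$dir" && find . -type f ! -path './wp-content/uploads/*' \
        ! -path './wp-content/cache/*') | LC_ALL=C sort > "$now"
    LC_ALL=C comm -13 "$known" "$now" | sed 's/^/NEW /'
    rm -f "$known" "$now"
}

# Constructed install: take a baseline, then simulate what a compromise
# leaves behind (an edited core file and a dropped file) plus a normal upload.
WP=$(mktemp -d); MANIFEST=$(mktemp)
trap 'rm -rf "$WP" "$MANIFEST"' EXIT
mkdir -p "$WP/wp-includes" "$WP/wp-content/uploads"
printf '<?php // constructed core file\n' > "$WP/wp-includes/functions.php"
printf '<?php // constructed config\n' > "$WP/wp-config.php"
make_baseline "$WP" "$MANIFEST"

printf '<?php // edited after baseline\n' >> "$WP/wp-includes/functions.php"
printf 'constructed\n' > "$WP/wp-includes/dropped.php"
printf 'constructed image\n' > "$WP/wp-content/uploads/photo.jpg"

echo "Changes since baseline:"
check_baseline "$WP" "$MANIFEST"
# prints:
#   MODIFIED ./wp-includes/functions.php
#   NEW ./wp-includes/dropped.php
```

    Take a fresh baseline right after you apply updates (that is the one moment you know the files are what they should be) and keep the manifest outside the web root, otherwise whoever changes your files can update the manifest too. Excluding uploads keeps the report quiet, so pair this with a separate rule that nothing under wp-content/uploads should be a .php file.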

    Back Up Your Site Regularly

    Prepare for the worst. Some hackers take great delight in destroying your data. Regular backups are the only way to get around this particular issue.

    Final Notes

    The best way to protect your site is to stay vigilant. Never be complacent about online security. You never know where the next attack might come from.
