WordPress Security


Hackers don’t care whether you are a small or large site, they want your server/CMS/email to send spam or hide their identity. They say more than 70% of WordPress installations are vulnerable to hacker attacks and the total number of hacked WordPress websites in 2012 was around 170,000. A major concern is that this figure is growing every year so you need to know how your site gets hacked and what you can do to prevent it. WordPress websites mostly get hacked through the various avenues below:

how wordpress gets hacked

WordPress Hosting Security Prevention

A good hosting company is the most important step in keeping your site safe. You should always look for a hosting company that offers the following features below. At Evolv, we recommend WP Engine because they offer all of these things in addition to increased speed. Read our post on“Faster & More Secure Managed WordPress Hosting

  • Uses the latest versions of PHP and MySQL
  • Optimized server configurations for running WordPress
  • Provides a firewall and malware scanning to prevent hacking attempts
  • Isolates database access
  • Uses separate customer sites via filesystem roots
  • Uses required security plugins (i.e. force strong passwords, limit login attempts, admin user not installed by default)
  • Notifies customers right away when there are security vulnerabilities of installed plugins/themes
  • Provides automatic daily backups
  • Keeps up-to-date on the latest WordPress security
  • Will fix your site for free if you get hacked!

WordPress Theme & Plugin Security Prevention

Keep WordPress, Themes, & Plugins Updated!!

The latest version of WordPress will always identify security holes that have been addressed from the previous version so if you’re using an outdated version your website is more vulnerable to attacks. ALWAYS update WordPress, themes, and plugins whenever you are flagged! At Evolv we offer a WP Updates package for $12/mo – check it out at the bottom of our WP Engine post.

Choose Quality Plugins and Themes & Limit How Many You Use

Security holes in plugins account for more than half of all successful WordPress hacks so it is wise to keep the number of plugins you have installed to a minimum. Always download plugins or themes from trusted sites and delete any plugin that is not necessary. And only use regularly updated plugins. If a plugin has not been updated in over 2 years it will get flagged as a possible security risk.

As for themes, be sure to do browser testing, check for author/theme ratings, check if they comply with WordPress coding standards and answer their support threads in a timely manner. To check the quality of a theme we recommend installing the Theme-Check plugin temporarily to run a test.

Use WordPress Security Keys

The WordPress Security keys and salts makes your site harder to hack and access harder to crack by adding random elements to the password. A good WordPress-specific host, like WP Engine, automatically adds these keys to all of their website installs. But if you are on a cheaper shared hosting environment we strongly suggest you or your developer implement these keys yourself.

The keys can be changed in wp-config.php. This is an important configuration file that can be found in the root of your WordPress installation. If you have not added security keys to your wp-config.php file already, the code will look like this:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);

Use the WordPress Salt Keys Generator to populate the fields (refresh link to generate unique characters). Another quick way of achieving this is to download the iThemes Security Plugin which will add all the necessary changes for you.

Disable File Edit and File Mods

The WordPress plugin and theme editor will give an authorized user access to the entire list of files that run your website. Anyone who has access to the WordPress admin area, can possibly take down the entire site by adding or removing lines of code. It is very important to keep this area only available to trusted users such as developers. To remove access to the theme editor you can simply add the code displayed below to the wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

You can also remove the option of updating and installing plugins and themes by adding the code below to your wp-config.php file.

define( ‘DISALLOW_FILE_MODS’, true );

 Weak Password & Login Prevention

Use Strong Passwords & Protect your Logins

This one is a no brainer, always use strong passwords! And change your default Admin username to something different than just Admin. Here are some great password generators that you can use to acquire a strong password:


Some hosts (like WP Engine) force you to use strong passwords through a required plugin like Force Strong Passwords. We recommend you install that plugin if your host does not already.

Then try to keep your passwords safe via either a password protected Word/Excel document that houses all your passwords OR use a secure password manager such as: OnePassword, KeePass,RoboForm, Passpack or LastPass

And NEVER email your logins to anyone, always call or text them to someone as hackers love to find emails with login info and emails are easily hacked unless they are secure.

Limit the Number of Login Attempts

Hackers often will use automated practices to repeatedly try new random usernames and passwords in order to access your admin area. One way to protect your website against these attacks is to use plugins like Login LockDown or Login Security Solution. These plugins allow you to limit the number of login attempts from a given IP range. Once that number is reached, the IP address is temporarily locked out.

Never use “admin” as your Username

Hide your Login Page

Hackers will sometimes directly attack your default login page so changing that login URL www.yourwebsite.com/wp-login.php to something else will make it more difficult for hackers to attack your login. There are good plugin solutions available that allow you to do this easily:

Rename wp-login.php (this one has the best rating)
Hide Login+
Lockdown WP Admin

 Other Security Prevention Measures

Remove the WordPress Version Number

By default, WordPress will display the version of WordPress that you are using by adding a meta tag in your website’s code. This can be vital information to a hacker who’s deciding on which route to take in order to hack into your site, especially if you happen to be running an older version of WordPress. To remove this information from your code you can add the following line to your theme functions.php file:

remove_action(‘wp_head’, ‘wp_generator’);

Use All-in-One Security Plugins

Using an all-in-one security solution can be much easier if you manage your own site and your WordPress security knowledge is limited. These WordPress plugins can toughen your website at the click of a button by addressing common WordPress security issues. Some also add a firewall and scan your website on a daily basis for malicious files. But again if you are using a great webhost like WP Engine you don’t need these extra plugins as they have their own firewall and malware in place to protect.

BulletProof Security is a feature packed security plugin that offers .htaccess website security protection, file intrusion detection, login security, database backups, and daily monitoring. It also keeps a log of anything that is changed.
Acunetix WP Security is a security plugin that can check for vulnerabilities in passwords, theme files, and your admin area.
Sucuri Security will scan your website and detect PHP mailers, injections, malicious redirects, phishing attempts, and more.

back to top