WordPress Security: Essential Ideas for DIY

WordPress security issues needlessly send DIY business website builders screaming for the exit. That is a shame because WordPress is simply the easiest, most economical, and versatile DIY website building solution on the planet.

Look at it this way: if WordPress wasn’t the coolest website building platform in the world, then why are 37.6% of the world’s websites powered by WordPress*? The reason, of course, is that WordPress rocks.

Be that as it may, there is no escaping the fact that 30% of all security vulnerabilities are also, unsurprisingly, WordPress related. Well fine then, but does that mean you should give up the idea of having the best content management system around running your DIY business website?

Absolutely not!

What I hope to do in this article is give you real information about WordPress security so you can make an informed decision. If, after you read this, you still want to bolt for the WordPress exit then at least you would have learned something about website security issues. Specifically, WordPress security issues and how to avoid them.

WordPress security issues and how to avoid them

First, and most obvious, a WordPress security issue is any time a hacker finds a way to put malicious code on your host’s server; this is where the nastiness starts for you. Once this code is on your host’s server it can then load itself onto your visitor’s browser; this is where the nastiness starts for your visitor.

According to Sucuri, “Website attacks usually derive from a lack of knowledge or complete denial about the threat landscape and the common mindset is: Attackers only target large corporations or famous websites.” Of course, this is complete nonsense.

In fact, one reason WordPress is so vulnerable and attacked so often is its ease of installation. An uninformed webmaster can install WordPress with no regard to security issues. In other words, if you slap a WordPress install onto an unmanaged host, load it up with a questionable theme, load that theme with scads of plugins written by who knows who from who knows how long ago, and never update any of it, you are asking to be hacked.

Again, according to Sucuri, the largest percentage of hacks come from WordPress addons, not the WordPress core code. That is, plugins, merchant packages, and other code that is easily added to the WordPress CMS platform are a hacker’s easiest point of entry. In addition, you might like to know that most of those attacks are Cross Site Scripting attacks.

How then do you avoid WordPress security issues? Simple: do a good WordPress installation.

Well, you may be asking now, how should you install WordPress?

Great question.

The best way to install WordPress and avoid security issues

First, to avoid security issues, you must know where they are. For that, let’s have a look at what WPBeginner.com has to say about the top 11 reasons WordPress sites get hacked.

In case you did not pop over to WPBeginner, here’s the list in condensed form.

Top 11 reasons WordPress gets hacked

1.) Insecure Web Hosting

2.) Unprotected Access to WordPress Admin

3.) Incorrect File Permissions

4.) Not Securing WordPress Configuration wp-config.php

5.) Weak Passwords

6.) Using Admin as WordPress Username

7.) Not Updating WordPress

8.) Not Updating Plugins or Theme

9.) Using Plain FTP instead of SFTP/SSH

10.) Nulled Themes and Plugins

11.) Not Changing WordPress Table Prefix

I have been working with WordPress an exceptionally long time and I think that is the most concise list of WordPress security issues I have come across. Thank you WPBeginner.

Now that we’ve built the framework of why WordPress security issues are common, what the most common threat is, and some ideas of how to avoid the whole mess, let’s look at how this list helps you avoid the threat and how to use it.

WordPress hosting servers and WordPress security

In case you did not know it, WordPress is a collection of PHP files interacting with database files on a physical server. Collectively, these come together and spew a website through the myriad of network connections around the world we call the internet. The destination is a browser, phone or otherwise, where an alleged human being has requested access to your WordPress’ repository of information by way of search. Or so we would like to believe.

The reality is many of the visits your website gets are not human at all. Most are automated queries called spiders. You know spiders are not all dangerous in the real world. And they are not all dangerous in the virtual world either. The trick is knowing the difference.

Google, for example, uses spiders all the time. Google indexes the world’s websites with spiders so we humans get our information efficiently. Hackers use spiders too though. Of course, unlike Google’s helpful spiders, a hacker’s spider is designed to inject the venom of a virus into your WordPress files. Once your files are infected, your visitors’ browsers become infected. And so on, and so on.

That, in a nutshell, is how hackers hack websites in attempts to destroy the world and the lives of people living in it. But for a spider to infect your WordPress this way, it must be automated with a toolkit to compromise your WordPress installation. And that, my fellow webmaster, is where our list of 11 items comes in handy.

13 WordPress safety features you need to know

[Graphic: WordPress security issue list items one through four are fixed with proper server configuration.]

Making sure your WordPress host’s server implements security standards is as simple as asking your hosting company a few questions. Ask: Who has access to configuration settings? How are these configurations currently set? Who can change these configurations? Do I, as a webmaster need to set any file permissions to make my WordPress installation secure?

Abcdef or 123456 are not secure passwords. Got it? Use one lowercase character, one upper case character, a number sequence, and a punctuation character if you can.

When you set up WordPress, you may want to set it up so that you and others can work with it. To be safe, change the default Admin to something else. Also, be sure you check the permissions of your co-bloggers. Note: The only admins should be you and maybe someone you hire to manage your site, like Building Websites Plus.

WordPress gets updated frequently for a few reasons. Security is perhaps the most important. WordPress makes this extremely easy, offering you a simple one-click button on the admin dashboard. Use it. But before you use it, make sure your hosting company backs up your current installation. Things happen, stuff breaks, and you should always have a backup for everything in life.

Not updating plugins or addons. Like I said earlier, most hacks come from plugins, addons, or outdated themes. Coupled with number 7, most security compromises happen because lazy webmasters did not update their WordPress.

The S in front of SFTP and SSH stands for secure. Unlike regular FTP, SFTP and SSH have encryption and integrity-check features that keep data packet delivery secure on both ends of the transmission.

Automattic is the company behind WordPress. They make themes too. It is hard to imagine a more secure theme than one of these. But there are others. My advice is to create a child theme off of a reputable theme like Chaplin or any of the Automattic themes. By the way, Chaplin is the basis of Automattic’s 2020 theme. See number 12.

When you install WordPress, you get to a point where you see a couple of fields asking for database names. The default is wp_. Like any default, you should change it. You will be prompted if you exceed limitations. But generally, this is a very intuitive thing to accomplish.

I have added this one for emphasis. Learn how to make a child theme, and always use one. It is easy to do and smart for a few good reasons I cover elsewhere in this blog. Thanks to WPBeginner for the video on how to do it.
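A read-only check for items 3, 4 and 11 of the list above (file permissions, wp-config.php, and the default wp_ table prefix), added here as an example; it is not code from the original article or from WordPress. The two permission rules and the sample directory layout are assumptions made for the illustration, and audit_wordpress and build_sample are hypothetical names.

```python
import os
import re
import stat
import tempfile

# Matches e.g.  $table_prefix = 'wp_';  in wp-config.php
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", re.M)

def audit_wordpress(root):
    """Return findings for list items 3, 4 and 11 in the install at root."""
    findings = []
    config = os.path.join(root, "wp-config.php")
    if not os.path.isfile(config):
        return ["wp-config.php not found"]
    mode = stat.S_IMODE(os.stat(config).st_mode)
    # Assumed rule: the file holds database credentials, so users outside
    # the owner and group need no access to it at all.
    if mode & stat.S_IRWXO:
        findings.append(f"wp-config.php mode {mode:03o} is open to other users")
    with open(config, encoding="utf-8", errors="replace") as fh:
        match = PREFIX_RE.search(fh.read())
    if match and match.group(1) == "wp_":
        findings.append("table prefix is still the default wp_")
    # Assumed rule: nothing under the install should be world-writable.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not meaningful
            if stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IWOTH:
                findings.append("world-writable: " + os.path.relpath(path, root))
    return sorted(findings)

def build_sample(root, prefix, config_mode, uploads_mode):
    """Create a constructed, minimal install layout to run the audit on."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, uploads_mode)
    config = os.path.join(root, "wp-config.php")
    with open(config, "w", encoding="utf-8") as fh:
        fh.write("<?php\n$table_prefix = '%s';\n" % prefix)
    os.chmod(config, config_mode)

if __name__ == "__main__":
    for label, args in (("weak", ("wp_", 0o644, 0o777)),
                        ("hardened", ("bwp7_", 0o600, 0o755))):
        with tempfile.TemporaryDirectory() as root:
            build_sample(root, *args)
            print(label, audit_wordpress(root))
```

Point audit_wordpress at the directory that contains wp-config.php; it only reads file metadata and the prefix line, and changes nothing.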

Thanks for reading

I have been working with WordPress for many years and know that being hacked is a real issue. But if you follow these ideas you should be well prepared to defend against malicious attacks.

In addition to the ideas presented here, I would like to add that most hosting companies today offer some sort of security scan. They are generally affordable add-ons, like a buck or two a month. But they are well worth it.

Another tool I am checking out is file changes monitor from WP WhiteSecurity. I will give an update another time, but I can say it did find some issues with my server right away.

* Affiliate link


Building Websites Plus is a website design and marketing service located near Detroit. Our focus is small business websites and helping small business owners get the most out of their website budget. For more information call: 248-860-6259.