Gary Stevens · 14 min read · Partner posts · July 11, 2019

Simple Beginner Guide to WordPress Security in 2019

Would you leave the doors to your shop wide open and keep your customer ledgers and cash on the counter? If you aren't minding website security, that's exactly what you're doing.

Every month, more than 4,800 individual websites are subject to form-jacking, a cybercrime that allows hackers to steal your customers' credit card information. That's just one way thieves and troublemakers are able to disrupt businesses and ruin reputations. There are dozens of others.

[Figure: hacking attempts by CMS]

Even if you don't engage in E-commerce or own a website, you're still at risk for exposure. The highest number of cyber attacks were lodged against companies in the healthcare industry, and that trend is expected to quadruple within the next few years. 


WordPress (WP) is a content management system preferred by more than 30 percent of all website owners. Yet it accounts for more than 90 percent of all hacking attempts. 

What makes WordPress such an out-sized target in relation to its market share? Part of the problem is WP administrators running outdated versions of plugins, themes, and core code. But, that isn't the only issue.


Public Enemy #1? Unsecured Plugins and Themes

Themes are the style sheets and layouts that determine how your website looks and, to some extent, how it functions. Plugins are apps and software that add features and functions to your website. They account for a little more than half of known entry points for hacked WordPress websites. 

That's just among those who were aware of an attack; 61.5% of owners and admins don't even know that their website has been breached. Contrary to prevailing wisdom, the open source nature of WP is not the reason for plugin weakness. 

The real culprit? 

Administrators leaving old, outdated, or unused plugins in their directory. It's a simple case of "Out of sight, out of mind." But you can trust that hackers are paying attention. 

According to Wordfence, just shoring up plugin vulnerabilities will reduce your risk of infiltration by up to 70%. 

How do you do that? 

It's as simple as 1-2-3!

Update Your Plugins: Reputable vendors, like MailerLite, release updates and security patches as soon as they're available. You can set some to auto-install, but some you may need to update manually.

Purge Your Directory: Do you remember all of those cool plugins and themes you tried and forgot about or replaced with something cooler? Leaving them in your directory to gather dust is just inviting hackers in when you're not looking. Old or obsolete plugins and themes are even weaker because many are no longer supported by the developer.

Only Use Plugins from Trusted Vendors: The WP plugin repository has hundreds of themes and plugins that have been tested and verified by the community. If you're going to download plugins from outside of this platform, make sure that you're dealing with someone who's reputable.
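The three steps above are easy to forget once a site is live. As an added example (not code from the article), here is a small admin notice that surfaces the two problems the steps target: plugins that are installed but inactive (purge candidates) and plugins with a pending update. It uses only core WordPress functions; the function name is this example's own.

```php
<?php
// Added example (not from the article): an admin notice that flags plugins
// that are installed but inactive and plugins with a pending update.
// Drop into functions.php or a small must-use plugin.

add_action( 'admin_notices', 'example_plugin_hygiene_notice' );

function example_plugin_hygiene_notice() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    // get_plugins() and is_plugin_active() live in an admin-only include.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $installed = get_plugins();                          // plugin_file => header data
    $updates   = get_site_transient( 'update_plugins' ); // filled by WP's periodic update check
    $pending   = isset( $updates->response ) ? $updates->response : array();

    $inactive = array();
    $outdated = array();
    foreach ( $installed as $file => $data ) {
        // is_plugin_active() also covers network-activated plugins on multisite.
        if ( ! is_plugin_active( $file ) ) {
            $inactive[] = $data['Name'];
        }
        if ( isset( $pending[ $file ] ) ) {
            $outdated[] = sprintf( '%s (%s -> %s)', $data['Name'],
                $data['Version'], $pending[ $file ]->new_version );
        }
    }

    if ( empty( $inactive ) && empty( $outdated ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Plugin hygiene</strong></p><ul>';
    if ( $outdated ) {
        echo '<li>Updates pending: ' . esc_html( implode( ', ', $outdated ) ) . '</li>';
    }
    if ( $inactive ) {
        echo '<li>Installed but inactive (delete if unused): '
            . esc_html( implode( ', ', $inactive ) ) . '</li>';
    }
    echo '</ul></div>';
}
```

The update list comes from WordPress's own cached check, so it can lag by up to twelve hours; the "inactive" list is always current.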


Third-party plugins generally have a reputation for security flaws, especially if you find them through an open source library. That's not to say that the open source community is at fault. But, it does allow many people with little knowledge of app security to develop plugins. Since free features are sometimes hard to resist, these fly-by-night developers are able to get them into the hands of admins who don't know any better. 

With so many apps and themes available outside of the WP repository, how do you know if you're dealing with someone who's reputable and trustworthy? 

Appearance: Does the website look professional or does it seem to be hastily put together? You can also check the domain registry to see how long the website has been in existence and whether the name and contact information is the same as what's listed on the website.

Contact Info: Speaking of contact info, is there any listed on the website? Lack of a name, physical address, and contact phone number is a red flag.

What Does Google Say?: You can learn a lot by Googling companies and plugins. Does a search turn up complaints or warnings about that plugin or developer?

Vulnerability Search: You can also find out if any specific vulnerabilities, flaws, and hacks are linked to a plugin by typing in the name or vendor followed by the word "vulnerabilities."

Terms of Service and Support: Is there any mention of customer support or means of contact? Does the vendor have a user agreement or a link to their TOS available on their website?


Brute force login attacks are the cyber equivalent of someone kicking in your front door, and they're one of the first ways hackers will attempt to get into your WP website. There are several variations and methods, but most involve simply guessing or stealing passwords. This can be mitigated with a little due diligence.

Use Strong Passwords: Forget about convenience. Weak passwords account for a large share of successful brute force attacks. If you're afraid of forgetting your password, use a password manager to create a unique, long password for every account and login associated with your website. That includes FTP accounts, domain-related email accounts, hosting accounts, and databases. You should also automatically log out idle sessions and lock out accounts after multiple failed login attempts.

Use Two-Factor Authentication (2FA): This will provide you with an extra layer of protection in the event that someone guesses or steals your password.

Change Your Admin Login: You'd be surprised how many people keep the default "admin" username in place even when they create strong passwords and limit access in other ways. Change your login to something that isn't the default, your email address, or something else that's not easy for unauthorized users to figure out.

Limit Who has Access to Your Admin Dashboard: There have been many cases of one admin locking others out after a dispute, and of careless security practices allowing unauthorized access to admin panels. Define user roles, limit access only to those who absolutely need it, and designate various levels of permissions.

Avoid Logging in Using Plain FTP: This sends the password to your server without encryption. If your hosting provider allows it, change the login protocol to "SFTP – SSH."
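The "lock out after multiple failed attempts" advice above can be implemented with nothing but core WordPress hooks and transients. This is an added example, not code from the article; the thresholds, function names and the `locked_out` error code are this example's own choices, and it assumes PHP sees the real client address in `REMOTE_ADDR`.

```php
<?php
// Added example (not from the article): lock out a username/IP pair after
// repeated failed logins. Thresholds and names are this example's own.

define( 'EXAMPLE_MAX_FAILURES', 5 );      // failures allowed before lockout
define( 'EXAMPLE_LOCKOUT_SECONDS', 900 ); // 15-minute lockout window

function example_lockout_key( $username ) {
    // Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address;
    // make the proxy pass the real client IP through before relying on this.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// WordPress fires this after every failed login with the attempted username.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_lockout_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
    if ( $count >= EXAMPLE_MAX_FAILURES ) {
        // Surface this in your logs/monitoring; sanitize so the log line cannot be forged.
        error_log( 'lockout: repeated failed logins for user ' . sanitize_user( $username, true ) );
    }
} );

// Priority 30 runs after core's password check at 20, so a WP_Error returned
// here wins even if the password happened to be correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( example_lockout_key( $username ) ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error( 'locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that user/IP pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_lockout_key( $user_login ) );
}, 10, 1 );
```

Because a blocked attempt also fires `wp_login_failed`, the window keeps renewing while someone hammers the form, which is the behaviour you want; a legitimate user simply waits it out or uses 2FA-backed recovery.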


Many attacks are launched against the WordPress core. The best way to guard against this is to make sure that you're using the latest version of WP and reporting any issues immediately. 

Although WordPress is an open source platform, it has strong support and a thriving community of developers and users. You can learn a lot about security flaws and issues through WP forums and by becoming an active member of that wider community. Minor updates are installed automatically, but you'll have to take care of installing any major updates yourself.

Hackers know that older versions of WordPress are more vulnerable than the latest version, which has no publicly known security flaws at the time of writing. The generator meta tag that announces your version number exists for usage tracking, but it can also be used to find out how many websites are running on the platform and which WP version yours is. It's present on your website by default, and it can be found in CSS style sheets, in RSS feeds, on your admin dashboard, and in the page header.

You can prevent some hacking attempts by simply removing your WP version number from your website and all scripts or coding associated with your website. Here's how.

Removing the Version Number From Headers and RSS Feeds

You can remove the version number by going to "Appearance > Editor" and adding the following code to the bottom of your theme's functions.php file (edits to a theme's functions.php are lost when the theme updates, so put them in a child theme or a small custom plugin):

Code to add:

// Return an empty string instead of the generator tag that carries the WP version
function remove_wordpress_version() {
    return '';
}
add_filter( 'the_generator', 'remove_wordpress_version' );

Click "update" and the version number should be gone from your headers and feeds. 

Removing the Version Number From Style Sheets and Scripts

Similarly, you can remove the version from all style sheets and scripts through the same functions.php file. Just add the following bit of code and click "update."

Code to add:

// Strip the WordPress version number from enqueued scripts and styles
function remove_version_from_style_js( $src ) {
    // Only strip the core version; plugin or theme assets that set their own ?ver= are left alone.
    // strpos() can legitimately return 0, so compare against false rather than relying on truthiness.
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'remove_version_from_style_js' );
add_filter( 'script_loader_src', 'remove_version_from_style_js' );

Of course, you can avoid all of this unnecessary code alteration by just using the latest version of WordPress to begin with. Hiding the version number only removes an easy fingerprint; scanners can still infer the version from other files, so treat it as a minor hardening step, not a substitute for updating.


Many bloggers monetize through affiliate marketing with third-party platforms like Amazon and AdSense. The most important requirements for affiliate marketing are trust and transparency. 

However, partnering with a big name doesn't automatically equal increased security, as some Google users learned not too long ago. 

One of the most common ways that hackers can hijack browser sessions from visitors is through cross-site scripting (XSS) attacks. This happened just last year to some third-party affiliates linked to Google DoubleClick. Google has since disabled the vendors involved and removed associated files, but the damage was already done.

[Figure: most common ways to hijack browser sessions]

Since these session hijacking attacks occur on the user side, admins and affiliates may not even know their traffic is being redirected until they check their metrics and find that the numbers don't add up. WordPress plugins are a notorious source of this kind of attack. 

You can, however, probe your own site for XSS by reviewing its source code for anomalies. A quick check is to enter "alert('Hack')" enclosed in a script tag into a form field or the URL bar: if a dialog box pops up, the page is executing injected script, which means malicious code could be planted the same way. You can reduce your exposure by disabling JavaScript in your browser and by disabling and removing any suspicious apps, themes, or plugins.
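The reason that alert box appears is that user input is being written back into the page without escaping. As an added example (not code from the article), here is a form handler written the vulnerable way and the hardened way, using WordPress's own nonce, sanitizing and escaping helpers; the function names and the `example_contact` nonce action are this example's own.

```php
<?php
// Added example (not from the article): the same form handler, unsafe and hardened.

// UNSAFE: reflects raw input into the page, so a script tag submitted in
// 'name' runs in the browser of anyone who sees this output.
function example_unsafe_echo_name() {
    if ( isset( $_POST['name'] ) ) {
        echo '<p>Thanks, ' . $_POST['name'] . '</p>';
    }
}

// HARDENED: prove the request came from our own form (nonce), sanitize the
// input on the way in, and escape it on the way out.
function example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_contact', 'example_contact_nonce' );
    // esc_attr() is the right escaper inside an HTML attribute.
    echo '<input type="text" name="name" value="' . esc_attr( example_get_name() ) . '">';
    echo '<button type="submit">Send</button></form>';
}

function example_get_name() {
    if ( ! isset( $_POST['example_contact_nonce'] )
         || ! wp_verify_nonce( $_POST['example_contact_nonce'], 'example_contact' ) ) {
        return '';
    }
    // wp_unslash() undoes WordPress's magic-quoting; sanitize_text_field()
    // strips tags and control characters. Cap the length as well.
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    return mb_substr( $name, 0, 80 );
}

function example_safe_echo_name() {
    $name = example_get_name();
    if ( $name !== '' ) {
        // esc_html() turns < > & " ' into entities, so a script tag renders as text.
        echo '<p>Thanks, ' . esc_html( $name ) . '</p>';
    }
}
```

Sanitizing on input is defence in depth; the escaping at output is what actually stops the script from running, so never skip it even for data you believe is clean.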


Your choice of web hosting affects more than just the amount of resources available to you. Uptime is as close as you'll get to a direct measure of a provider's resistance to issues that try to take a server or website down. One major cause of downtime is an attacker who has managed to insert malware into the system.

Do you know your current web host’s uptime percentage? Few business owners are actually aware of their provider’s uptime. For reference, the community-run research group HostingCanada.org regularly updates their web hosting reviews of leading Canadian and U.S. hosts. Companies like G2 and TrustPilot also aggregate reviews but have been known to include a lot of “fluff”, much akin to product reviews on Amazon.com 

The bottom line is that anything below 99.99% uptime is not credible for business purposes. If your hosting company can’t hit this number, it might be time to look for another. 

Just beware of free or cheap web hosts. Secure, premium services provide you with the added benefit of unlimited resources and storage as well as enhanced security features like:

  • SSL/TLS certificates, a web application firewall (WAF), and DDoS protection
  • Free updates and the most current technology
  • Daily backups
  • Around the clock support and network monitoring
  • Procedural protocols for attack defense and recovery

Security isn't just a concern for E-commerce platforms. If you're using email to market your blog or deliver content to subscribers, you need to be diligent about security. In 2017 alone, email spear-phishing attacks accounted for 71% of targeted vectors for criminal activity.

The best web hosting companies will give you domain-specific email addresses for each of your websites as part of your plan. You'll also get a portion of the security that comes with premium hosting platforms to protect them. 

That will solve part of your problem with email vulnerabilities. Here are some additional things you can do to increase your security:

  • Educate yourself and your subscribers about common phishing techniques.
  • Use an email address encoder plugin. If you include your email address on your website, it's an invitation to spammers to harvest it and spam you mercilessly. One dead simple solution is an email encoder plugin. This nifty little piece of software leaves addresses readable to humans but not to the army of bots that spammers send out. Once installed, it sifts through your site content and replaces every email address it finds with its decimal or hexadecimal HTML character entity encoding. This works at the code level, so a bot scanning the raw HTML sees gobbledygook, while the browser decodes the entities so human readers still see the actual email address.
  • Use unique email addresses that don't contain any identifiable links to WP. This doesn't apply to all WordPress sites, but if you have a free site through WordPress.com it's worth paying attention. Due to its popularity, hackers love to poke and prod WP sites, and they keep a sharp lookout for any email addresses, domain names, or even version numbers that contain "WordPress" or "WP." Anything that identifies your site as being associated with WP will bring an onslaught of hacker attention. If you use WordPress, and millions of people do, take care that you don't leave an obvious trail.
  • Harden form fields and comment sections to reduce the attack surface. When we say harden forms and comments, we simply mean make them more resistant to spam or hacker attack. Of course, the most effective method is to not have any forms on your website and to turn off comments, but that's not always feasible. To keep a form from giving an attacker access to your server, you need to sanitize the input, a process that goes beyond this article, but here's a good introduction. To secure comments, at the very least require that all of them be approved by a human before going live on the site. An increasingly popular option is to use an offsite, hosted third-party service like Disqus. Pay for a subscription and let them deal with the junk.
  • Authenticate your email domain (SPF, DKIM, and DMARC records) so that forged mail claiming to come from your domain is rejected.

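The email encoder described in the list above does nothing more exotic than rewrite each character of an address as an HTML entity. This added example (not code from the article, nor from any particular encoder plugin) does that as a content filter; the function names and the address pattern are this example's own.

```php
<?php
// Added example (not from the article): rewrite email addresses in post content
// as HTML character entities. Browsers decode them back to the readable address;
// naive bots that regex the raw HTML for "@" patterns do not match them.

function example_entity_encode( $text ) {
    $out = '';
    $len = strlen( $text );
    for ( $i = 0; $i < $len; $i++ ) {
        // Alternate decimal and hexadecimal entities; both decode identically.
        $out .= ( $i % 2 ) ? sprintf( '&#x%x;', ord( $text[ $i ] ) )
                           : sprintf( '&#%d;', ord( $text[ $i ] ) );
    }
    return $out;
}

function example_encode_emails( $content ) {
    // Simple ASCII address pattern; good enough for typical site content.
    // Addresses inside href="mailto:..." are encoded too, which still works
    // because browsers decode entities inside attribute values.
    $pattern = '/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/';
    return preg_replace_callback( $pattern, function ( $m ) {
        return example_entity_encode( $m[0] );
    }, $content );
}

// Run late so shortcodes and auto-paragraphing have already been applied.
add_filter( 'the_content', 'example_encode_emails', 99 );
add_filter( 'widget_text', 'example_encode_emails', 99 );
```

Treat this as spam reduction, not protection: a harvester that renders the page or decodes entities reads the address just fine, so a contact form remains the safer choice where you can use one.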
Finally, make sure your email marketing tool integration (like MailerLite) has a clear security statement and adheres to security best practices such as data encryption, GDPR compliance, encrypted SSL/TLS connections, and the Payment Card Industry Data Security Standard (PCI-DSS).


Despite Hollywood portrayals of wily hackers looking for the next big challenge, cyber criminals often pick low-hanging fruit. Failing to place security as a priority is all that's necessary to put your business and clients at risk. 

But, knowing that threats are out there is meaningless if you don't take the time to follow through with action. 

Our best practices for WordPress security won't eliminate 100% of your risk, but implementing them and monitoring your website and activity will go a long way toward limiting your exposure and protecting your interests.

Gary Stevens

Gary Stevens is a full stack, front end developer. He's a blockchain geek and a volunteer working for the Ethereum foundation, as well as an active Github contributor.