Skip to main content

WordPress Security Basics

WordPress has the largest market share. This success makes it an attractive target for hackers. The number of hacks carried out using vulnerabilities in the latest versions of this CMS is relatively small. WordPress sites are hacked mostly through vulnerabilities related to plugins, themes, hosting services, and users.

Who is attacking WordPress and why?

Most hacker attacks aimed at WordPress sites are done automatically by means of scanners and bots. These are specialized computer programs that are constantly looking for unprotected websites. Once they find a known vulnerability, they exploit it.


Spam messages make up about 60% of all emails sent. Hackers access the server using a vulnerable plugin or an old version of the WordPress engine to turn your server into a spamming machine.

Resource theft

Hackers who do not want to spend a lot of money on servers, penetrate unprotected WordPress sites, gain access to their servers and use their computing capabilities to mine cryptocurrencies.

Improving SEO

A particularly popular type of WordPress hack is gaining access to the database and adding hidden text and backlinks associated with another site. This is a quick way to increase the SEO ranking of hackers’ sites.

Data theft

Data is valuable, especially when it relates to user activity and e-commerce. Obtaining this data and its subsequent sale can bring a huge profit to the attacker.

Why is WordPress security so important?

To recover a hacked WordPress site, you need to remove and replace every bit of third-party code (including WordPress core files), check every line of your code. Change all server passwords and database passwords.

After the hacker attacks, the site loses its position in search results that leads to a decrease in the number of visitors and conversions.

Visitors come to the site because they trust it. Hacking damages your reputation greatly, and it can take a long time to restore it.

CIA - confidentiality, integrity, availability

The CIA triad is the foundation for every digital security project. For WordPress, the CIA structure boils down to the following:

Part 1: Confidentiality

Confidential data

The plugins and themes you use contain valuable and sensitive data. For example, if WP_DEBUG is set to true, you show each hacker the path to the root of the site on the server. Another source of confidential data are pages of authors. They contain usernames and even email addresses. In combination with a weak password, they can be used by a hacker to breach the site.

Usernames and passwords

The WordPress platform does its best to prevent the use of weak passwords, but often this is not enough. I would recommend adding two-factor authentication, as well as limit the number of login attempts.

Part 2: Integrity

Data validation and sanitation

WordPress platform does a great job securely processing data. But this only applies to its core. Therefore, it is important to know how to verify the rest of the code.

Using WordPress features like update_post_meta is a better practice than using the database directly. This is needed to prevent SQL injections. An attack using SQL injection launches malicious SQL code through forms hosted on the site.

When working with a custom table or executing a complex query in WordPress, use the WPDB class and the Prepare function in all queries to prevent SQL injection attacks.

Security of queries

WordPress administration requests are secure if SSL is enabled and you are using reliable hosting services. But some vulnerabilities still exist. Therefore, you need to check the intentions of users and confirm that the incoming request has been sent by a registered user.

WordPress verifies intent using Nonces. These tokens prevent the ability to copy requests. Nonces are sent along with each request that the user executes. They are tied to URLs, and they should always be checked on the receiving side before executing the request.

Third-party code

Most WordPress hacks involve plugins, themes, and outdated versions of the WordPress engine. Less code means less threat landscape.

If you are sure that you need some kind of plugin or theme, you need to study it carefully. Check ratings, last updated date, and required version of PHP. Also, look for references on reputable security blogs.

Part 3: Availability


Security updates for the WordPress engine arrive and get installed automatically. But security updates for plugins and themes is a completely different story. Often, they should be updated manually. And keep in mind all plugins must be tested before they are installed on the site.

Users, Roles, and Rights

"Availability" in the CIA triad is associated with the transfer of information. All data should go to "the right hands." The main priority is to limit the rights of end-users. Do not create a separate account for each administrator.

When working with CMS, I create many new roles. Thanks to this, you get full control over what parts of the system various users can access. Also, this will not allow third-party code to modify the WordPress core files.


WordPress processes email using the server on which it is installed. You can prevent eavesdropping by using the SMTP service. A large number of plugins may help you to send emails through a secure SMTP connection. This will require access to the DNS settings of the domain name to add a Framework Policy (SPF) record. An SPF record ensures that your SMTP service is authorized by the domain to send emails.


When monitoring file integrity, it is important to understand that if hackers gain access to the server, they will be able to change the code. There are plenty of plugins that will help to cope with this problem. Sucuri has a great plugin for auditing. It scans all files against extensive database of known malicious code.


Most reliable hosting providers do backups for you. But you should know that there are other options if your hosting provider does not automatically back up your site. Some services back up to Dropbox or Amazon S3.

Hosting services

Poor hosting services is the main reason some WordPress sites support outdated or unsupported versions of PHP. There is a big difference between managed hosting for WordPress and hosting that provides you with a folder with database access.

The best advice is to find a decent managed hosting for WordPress. They can be costly, but they provide better security.


The WordPress engine gets constantly updated; however, the environment surrounding WordPress is unsafe. Keeping in mind security best practices when adding each new line of code, adding users, installing plugins and themes, can guarantee that your site is safe.


Was this article helpful? Please, rate this.

There are no comments yet.
Authentication required

You must log in to post a comment.

Log in