Chat with us, powered by LiveChat

This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

10 WordPress Security Issues And How to Fix Them

August 19, 2019

10 Min Read
Reading Time: 10 minutes

WordPress is by far one of the most widely used open-source CMS in the world. It powers millions of websites and holds a 33% market share. This makes WordPress the alpha CMS among bloggers, designers, and business owners.

Despite being so popular, many WordPress users do not know the basics of securing their WordPress sites. Worse yet, many users believe in the (very dangerous) misconception that installing an SSL certificate is enough to secure their site. Therefore, it is important to discuss the various effective methods of securing the WordPress site.

Co-founder of Sucuri, Dre Armeda believes that:

“People Are And Will Continue To Be The Biggest Security Issue With WordPress.”, Dre Armeda Discusses WordPress Security

I also believe that half of the WordPress security vulnerabilities occur because of negligence. This is an important reason why WordPress websites are an easy target for cybercriminals. Many first-timer users simply install WordPress and then trust the default security of the WordPress website.

In this post, I will present several basic and some not-so-common tips about dealing with WordPress security issues.

Let’s begin!

  1. Invest In The Right Web Hosting
    • Shared Hosting
    • Dedicated Hosting
    • VPS Hosting
    • Cloud Hosting
    • Managed Cloud Hosting
  2. Acquire Scheduled Backups
    • Offsite WordPress Backup
    • Local WordPress Backup
  3. Make a Strong Password
    • Brute Force Attacks
    • Google Invisible reCAPTCHA
  4. Limit Login Attempts
    • Use Two-Factor Authentication
  5. Change the WordPress Login URL and Default Username
    • Change the WordPress Login URL
    • Change WordPress Default Username
    • Different WordPress User Roles
  6. Keep WordPress User Updated
    • Test New Releases on WordPress Staging Environment
  7. Delete Unused Plugins or Themes
    • The right way to Uninstall
  8. Prevent SQL Injection And URL Hacking
    • Using .htaccess Rules
  9. Deny Access To Sensitive Files in WordPress
    • Use .htaccess to Harden the Security
  10. Hide WordPress version & Change Default Prefix For Database
  11. Bonus Tip: How Cloudways Helps in Securing a WordPress site
    • First-Class Cloud Infrastructures
    • Firewall
    • Server Monitoring
    • SSH & SFTP Access
    • Updated OS and Applications
    • Randomly Generated Credentials
    • Backups
    • Free SSL Certificate
    • 24/7 Live Chat Support

The Basics

WordPress security is mainly all about simple fixes and common sense. The idea is to apply fixes that minimize the commonly known WordPress security issues and harden the website security.

TIP #1: Invest In The Right Web Hosting

Website security begins with a secure managed WordPress hosting provider. This has become an essential aspect of building your online presence. A secure web host will not only have industry-proven security processes in place but also have your back in case something goes wrong with your website. Almost every such provider has an effective disaster recovery strategy that kicks in case your website suffers an incident.

To give you an idea of the web hosting options out there, here are the four There are five types of web hosting solutions where you can host your WordPress websites:

Shared Hosting: A single server machine is shared among multiple user accounts. If s single account gets hacked, the entire server gets compromised. In many cases, the server is not really protected because there are just too many loopholes.

Dedicated Hosting: You actually own the server and only your website is hosted on the server. Since you own the server, the security of the server is limited to your expertise in cybersecurity.

VPS Hosting: In VPS hosting, you get a dedicated portion of a physical machine. Similar to dedicated hosting, you are the one responsible for the security. If you are not well versed in cybersecurity, you either need to be a fast learner or spend a lot of money on outsourcing the security of your server.

Cloud Hosting: In a cloud hosting solution, you own a portion of a network of connected physical server machines. Cloud hosting solutions are secure by definition but as a dedicated server, you have to dedicate a lot of effort and time to security.

Managed Cloud Hosting: As the name says, a managed cloud hosting solution manages all aspects of your cloud server including server-side security, performance, and updates. This is what Cloudways does – it provides multiple layers of security (one being platform level firewalls) resulting in a secure hosting environment so that you don’t have to be worried about the security of your server.

Security fatigue. Feeling overwhelmed?

Try Cloudways to harden the security of your WordPress website.

TIP #2: Leverage Scheduled Backups

At first glance, scheduled backups might not look like a WordPress security measure. However, this crucial step can prove to be a lifesaver when disaster strikes. In such cases, website backups is a great way of taking the site back online within hours of a disaster.

WordPress backups can be done on two levels: offsite backups and/or backup via hosting provider.

Offsite WordPress Backup: Backing up a WordPress site is pretty easy, thanks to the UpdraftPlus plugin that back up a WordPress site to off-site storage solutions such as Dropbox, Google Drive, and Amazon S3. IF you wish to explore the idea in detail, here is an extensive guide to backing up a WordPress site.

Note: If you are on a shared hosting server, offsite WordPress backup is a great way of getting the site back online in case your server goes down.

Local WordPress Backup: Backing up a WordPress site on the hosting provider’s server creates a Local Backup. Many WordPress cloud hosting providers provide a local backup process in which the entire server can be backed up automatically or manually on the same server.

If you are a Cloudways customer, you are in good hands. You can have a local backup (same server) AND the entire server can also be backed up on Amazon S3. Check out a guide to backing up a WordPress server.

TIP #3: Have a Strong Password

A strong password is a very basic but oft-overlooked WordPress security must-do that protects against many WordPress vulnerabilities.

Ideally, passwords should be hard-to-guess for people and must contain case-sensitive alphabets, punctuation, and numbers. Experts also suggest using different passwords for different websites such as social media accounts and email accounts.

To enforce the habit of strong passwords on your site, you should use a plugin to enforce strong WordPress password policies. This ensures all your users use strong passwords.

Brute Force Attacks: A strong password is your first defense against brute force attacks that tries various combinations of usernames and passwords until your site gets compromised. A weak password never fares well against a brute force attack.

CAPTCHA is considered one of the best protection against brute force attacks. A few months back, Google started a project “Google Invisible reCAPTCHA” in which visitors do not have to get vet manually. By default, it’s invisible and only kicks in when Google suspects that the visitor is not a human.

Read more on adding Google invisible reCAPTCHA to WordPress

TIP #4: Limit Login Attempts

By default, WordPress doesn’t place any restrictions on how many times a visitor can try out usernames and passwords multiple times at the login. This is the reason behind the many unintentional user-caused WordPress security issues.

To prevent this and add an extra layer of security to the WordPress websites, site admins should install a limit login attempts plugin that prevents hackers from exploiting this issue and mount a brute force login attack on your site.

This smart tool blocks the IP of any possible hacker that tries this attack on your WordPress site admin panel. The plugin does this by limiting the number of failed attempts per user.

Use Two-Factor Authentication: Two-Factor Authentication (2FA) is an industry-standard security practice that uses two-layer credentials to minimize the chances of unauthorized site login. If you wish to add 2FA to your WordPress website here’s how you can add two-factor authentication to a WordPress site.

TIP #5: Change the WordPress Login URL and Default Username

Change WordPress Login URL: Changing the default WP-admin login URL makes it hard for hackers to launch a brute force attack at your website. This simple step greatly strengthens the security of your WordPress site. I recommend WPS Hide Login plugin to change the default WordPress admin URL.

Change WordPress Default Username: the most basic security loophole that you can have on your website is the admin username “admin”. That is just too easy to guess. While you can use a plugin to change this username, there is a simpler method for this: Go to the dashboard, make a new user and assign it the role of “Administrator”.

Different WordPress User Roles: WordPress allows multiple users to contribute to a WordPress site using predefined roles. As a website administrator, you can modify or even create a separate user role by following the guide on custom WordPress user roles.

TIP #6: Keep WordPress Updated

Team WordPress regularly releases updates to the core files. These patches are available as self-contained installation files that fix known issues and generally strengthen the security of WordPress websites.

Maintaining the website’s CMS is an essential aspect of running the website. The site owner should ideally apply the patch within hours of release because there is always a chance that attackers are on the prowl for vulnerable websites.

This also applies to the installed plugins and themes. Plugin developers follow the release cycle of the WordPress core files to make sure that the plugin keeps pace with the newer WordPress versions.

Note: NEver deploy patches on a live site. Always test the patches at a WordPress staging environment to make sure everything continues to function as intended.

On the other hand, if you are on managed WordPress hosting, the engineers take care of patching the WordPress core files and ensure that the security doesn’t get compromised. the biggest security threat to themselves.

TIP #7: Delete Unused Plugins or Themes

Testing new themes and plugins is a good way to get the first-hand experience of the latest releases. However, once the testing is over, WordPress users usually deactivate the plugins instead of a proper uninstall.

Note that unused or inactive themes and plugins pose a serious threat to the WordPress website. Hence, it is of utter importance that all plugins and themes that are not in use should be deleted immediately to make sure that no data remains in the WordPress database. Here is a proper guide on how to properly uninstall WordPress plugins.

As a general precaution, always download the most recent version of themes and plugins from a trusted resource to make sure that the plugin or theme do not open a new security loophole at your site.

The Not-So-Basics

NOw that you have an understanding of the basics of WordPress security, it is time to check out the following advanced tips for beefing up the security of your websites.

TIP #8: Prevent SQL Injections And URL Hacking

SQL injections are attacks in which attackers embed SQL commands in various areas of the websites (in particular the comment box and text areas). These commands can compromise the SQL database and might reveal sensitive information stored in the database.

Modifying the URL by adding PHP statements is another potential threat to WordPress security in which the attackers can trigger attacks on the database and other website components.

Most WordPress websites are hosted on an Apache server that has a clever trick to counter these attacks. All Apache servers have a file .htaccess that define access rules for the website.

To reduce the incidences of SQL injections and URL hijacking, add the following code to the .htaccess file to lay down a strong set of rules.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

As you can see, the code “sanitizes” the data that goes into the input fields. In addition, all such input is treated as a string instead of a SQL query statement.

TIP #9: Deny Access To Sensitive Files in WordPress

A WordPress installation contains several sensitive files, such as the wp-config.php, install.php, and readme.html files. These files must be kept hidden from all outside access.

Again, .htaccess is your best friend. You can add the following lines to the file to prevent important files from getting defaced. The following code snippet also prevents access to user directory listings and hide sensitive server and WordPress files from unauthorized access.

Options All -Indexes

<files .htaccess>
Order allow,deny
Deny from all

<files readme.html>
Order allow,deny
Deny from all

<files license.txt>
Order allow,deny
Deny from all

<files install.php>
Order allow,deny
Deny from all

<files wp-config.php>
Order allow,deny
Deny from all

<files error_log>
Order allow,deny
Deny from all

<files fantastico_fileslist.txt>
Order allow,deny
Deny from all

<files fantversion.php>
Order allow,deny
Deny from all

If you wish to dig deeper into the use of .htaccess file for optimizing your WordPress, here is a detailed description of the WordPress .htaccess file.

TIP #10: Change Default Prefix For Database

Hide WordPress Version: By default, WordPress automatically adds the current version number to the head section of themes. A great security tip is to NEVER display the WordPress version publicly, simply because of the fact that attackers can launch attacks against all known vulnerabilities of the version mentioned in the header.

The following simple line of code should be included in functions.php file of your theme to hide the WordPress versions.

remove_action( 'wp_head', 'wp_generator' );

Change Default WordPress Prefix For Database: All tables in a WordPress database have names that start with the prefix “wp_”. While this appears to be a great feature, for WordPress hackers, this greatly simplifies things by removing some of the guesswork.

A user can limit this predictability by changing the default WordPress prefix of user database tables while installing WordPress. This can also be done for already-active websites by manipulating user database at several places. I recommend using one of the top 10 WordPress security plugins that implement a range of defenses for WordPress website.

Cloudways Helps in Securing WordPress Sites

After this detailed guide to securing WordPress websites, it is worth mentioning that WordPress cannot be secured in isolation. WordPress users should also opt for a secure hosting environment that offers a secure environment for the website.

Here is how Cloudways provides a secure WordPress hosting environment.

  • First-Class Cloud Infrastructure: Cloudways has partnered with top-notch cloud infrastructure providers that have security as their number ONE concern. Hosting a WordPress site on the cloud ensures a high level of security.
  • Firewalls: All servers launched via Cloudways come with a pre-installed firewall that acts as the first line of defense of the website.
  • Server Monitoring: Monitoring a server helps in identifying unexpected high traffic spikes that can take the website down.
  • SSH & SFTP Access: Many hosting providers still use FTP to access files. However, with Cloudways SFTP (Secure File Transfer Protocol) your connection is encrypted and secure. If multiple teams are working on a project hosted on a server, they can be assigned access to a particular application instead of the entire server.
  • Updated OS and Applications: Experts at Cloudways keep an eye on the latest releases and ensures their availability after stability and compatibility tests.
  • Randomly Generated Credentials: All applications launched via Cloudways have a default randomly generated credentials that are hard to guess.
  • Backup: In case of disaster, the site backup is your best bet for faster disaster recovery. You can set the backup frequency as low as an hour.
  • Free SSL Certificate: Cloudways provides one-click SSL certificate installation with auto-renewal feature.
  • 24/7 Live Chat Support: Still worried about server security and performance? The Cloudways Support is always there round the clock.


WordPress security tips ensure an effective and secure website. However, many people forget that defending a WordPress website is an ongoing process which needs continuous attention in the face of new tools and tricks emerging in cyberspace.

I strongly suggest WordPress users keep a log of what happened on WordPress by using a security audit plugin and use the preferred WordPress security plugin which strengthens the WordPress environment against security threats.

Feel free to add if you think I have missed out something. I will add it to the list ASAP. If you have any questions, please post in the comments below.

Share your opinion in the comment section. COMMENT NOW

Share This Article

Start Growing with Cloudways Today!

We never compromise on performance, security, and support.

Mustaasam Saleem

Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at

Get Our Newsletter
Be the first to get the latest updates and tutorials.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

BFCM 2019