Chat with us, powered by LiveChat

This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

10 WordPress Security Issues And How to Fix Them

January 10, 2018

9 Min Read
Reading Time: 9 minutes

WordPress is by far one of the best open-source CMS in the world. It powers millions of websites and holds 30% market share of websites on the Internet. It is built and designed to fulfill a single purpose: elevate web standards, aesthetics, and usability. It makes WordPress an alpha CMS among bloggers, designers, and business owners. However, with such mass usage, there is still a wrong myth evolving in the industry that only adding free SSL certificate assures WordPress website as secure.

Co-founder of Sucuri, Dre Armeda believes that:

“People Are And Will Continue To Be The Biggest Security Issue With WordPress.”, Dre Armeda Discusses WordPress Security

We also believe that half of the vulnerabilities in a WordPress website are at the user’s end. This makes them an easy target for the assailants. Out of the box, some best practices can harden the security of WordPress websites. In this post, we will be providing our readers with the basics alongside some not-so-common tips related to WordPress security issues.

If followed deliberately, you can save yourselves the troubles of worrying about the security of your WordPress-powered websites, and instead focus on running your sites for success.

  1. Invest In The Right Web Hosting
    • Shared Hosting
    • Dedicated Hosting
    • VPS Hosting
    • Cloud Hosting
    • Managed Cloud Hosting
  2. Acquire Scheduled Backups
    • Offsite WordPress Backup
    • Local WordPress Backup
  3. Make a Strong Password
    • Brute Force Attacks
    • Google Invisible reCAPTCHA
  4. Limit Login Attempts
    • Use Two-Factor Authentication
  5. Change WordPress Login URL and Default Username
    • Change WordPress Login URL
    • Change WordPress Default Username
    • Different WordPress User Roles
  6. Keep WordPress User Updated
    • Test New Releases on WordPress Staging Environment
  7. Delete Unused Plugins or Themes
    • The right way to Uninstall
  8. Prevent SQL Injection And URL Hacking
    • Using .htaccess Rules
  9. Deny Access To Sensitive Files in WordPress
    • Use .htaccess to Harden the Security
  10. Hide WordPress version & Change Default Prefix For Database
  11. Bonus Tip: How Cloudways Helps in Securing a WordPress site
    • First-Class Cloud Infrastructures
    • Firewall
    • Server Monitoring
    • SSH & SFTP Access
    • Updated OS and Applications
    • Randomly Generated Credentials
    • Backups
    • Free SSL Certificate
    • 24/7 Live Chat Support

The Basics

As mentioned earlier, here are some of the necessary procedures to minimize the commonly known WordPress security issues.

TIP #1: Invest In The Right Web Hosting

It is essential if a user looks for a secure WordPress hosting server before creating an online presence. A secure web host will not only undertake some noteworthy procedures to help protect user domain but also get user home safe if, in case, user domain crashes or is hacked with an effective disaster recovery strategy.

There are four types of web hosting:

Shared hosting: Single server machine is shared with multiple user accounts. If any ONE of the accounts got successfully hacked, the entire server will be considered as compromised. The hacker may modify or delete all the sites hosted on the same server.

Dedicated hosting: It is considered as a bit more secure as compared to the shared hosting. You are the only owner of a physical server machine however you need to build a secure hosting environment by yourself.

VPS hosting: In VPS hosting, you get a dedicated portion of an entire physical machine instead of owning a physical machine. Just like the dedicated hosting, you are the only owner of a VPS server. All the server side security risks should be handled by yourself.

Cloud hosting: In the cloud hosting, you own a particular portion of an entire network of connected physical server machines instead of a single physical machine like VPS. This increases the reliability and creates a secure environment as compared to the others.

Managed Cloud Hosting: As the name says, a cloud hosting that manages a server for you including all of the server side security, performance, and updates. This is what Cloudways is doing, it provides multiple layers of security firewalls resulting a secure hosting environment so that you don’t have to be worried about the security of your server.

Security fatigue. Feeling overwhelmed?

Try Cloudways to harden the security of your WordPress website.

TIP #2: Acquire Scheduled Backups

This might not look like a WordPress security issue at first. However, this crucial step can become a user effective crisis management strategy. Assuming that if anything goes wrong, the user can have an on-premise backup solution which will ultimately enable the user to get back online in no time.

WordPress backups can be done on two levels: offsite backups and/or backup via hosting provider.

Offsite WordPress Backup: Backing up a WordPress site is pretty easy. Thanks to the UpdraftPlus plugin that back up a WordPress site to an off-site storage like Dropbox, Google Drive, Amazon S3 etc. Here is an extensive guide to back up a WordPress site.

Local WordPress Backup: Backing up a WordPress site on the same hosting provider is called as the Local Backup. If you are on a shared hosting provider, then I would prefer to take backup on an offsite storage as the server can be compromised and the backup would be useless. However, most of the WordPress cloud hosting providers provide a local backup facility. The entire server can be backed up automatically or manually on the same server.

If you are a Cloudways customer, you are in good hands. You can have a local backup (same server) and the entire server is also backed up on Amazon S3 in case of any disaster. Check out a guide to the backup WordPress server.

TIP #3: Make a Strong Password

Making a strong password is an absolute must-follow. It provides an iron-clad security against WordPress vulnerabilities. Try to make passwords that are hard to guess and phonetic (use case-sensitive alphabets, punctuation, numbers, all in one). It is also suggested that users should use different passwords for different websites such as social media accounts or email accounts.

Brute Force Attacks: Making a strong password can prevent you from a Brute Force attack. An attack that tries various combinations of usernames and passwords again and again until it gets in. A weak password can be hacked by using Brute Force attack. This repetitive action is like an army attacking a fort.

Google Invisible reCAPTCHA: Captcha is considered as one of the best solutions to avoid brute force attacks. Within the last few years, CAPTCHA has evolved a lot. A few months back, Google started a project “Google Invisible reCAPTCHA” in which a visitor does not has to verify himself manually. By default, its hidden from the screen, Google Invisible reCAPTCHA is activated only in cases where Google suspects that the visitor is not a human.

Read more: Add Google invisible reCAPTCHA to WordPress

TIP #4: Limit Login Attempts

By default, WordPress allows a visitor to try out username and password multiple times that results in an easy way for Brute force attacks. A user can create an extra layer of security for their WordPress website by installing limit login attempts plugin that prevents hackers from guessing user WordPress password. Secondly, having a login limiter installed on WordPress would also save the user from brute force login attempts.

This smart tool blocks the IP of any possible hacker that tries to get into users’ WordPress admin panel. Additionally, you can also limit the number of failed attempts per user.

Use Two-Factor Authentication: Today is the era of mobile phones, all the Internet giants are using Two-Factor Authentication to verify the identity of a user. You can also add two-factor authentication to a WordPress site.

TIP #5: Change WordPress Login URL and Default Username

Change WordPress Login URL: It is always suggested to change the default WP-admin login URL to make it hard for hackers to guess and conduct a Brute Force attack. This will help in strengthening the security of your WordPress site to a great extent. Thanks to the plethora of apps that WordPress caters for everything! Just heads-up WPS Hide Login plugin and change the default WordPress admin URL.

Change WordPress Default Username: Changing the admin username of a WordPress user can be performed by using a plugin. If you don’t want to go through the plugin way, then you can follow the simple way by going to the dashboard, making a new user and assigning the role of “Administrator” to that user.

Different WordPress User Roles: WordPress allows multiple users to contribute to a WordPress site using defined roles. However, you can modify or even create a separate user role by following the guide on custom WordPress user roles.

TIP #6: Keep WordPress User Updated

If users have a secure WordPress hosting, they will keep user platform maintained by applying regular patches. However, for a self-hosted WordPress website, this can become a critical security tip to safeguard user WordPress site. The users will need to keep their WordPress Core, Plugins and Themes updated that will help in running a stable site in the future.

Most of the websites are hacked because of a vulnerable outdated version of WordPress Core, Theme or Plugin. This proves the statement of Dre Armeda that WordPress users are the biggest security threat to themselves.

So, don’t leave behind with insecure WordPress files. Keep an eye on the updates, if available, check the compatibility test first in a WordPress staging environment.

TIP #7: Delete Unused Plugins or Themes

Testing new themes and plugins is a good way to get in touch with the latest releases. Once tested, WordPress users usually deactivate the plugin instead of a proper uninstalls.

However, unused or inactive themes and plugins still possess a potential threat to WordPress website. Hence, it is of utter importance that the particular user assures that no such data exists in the WordPress database.

This would also save WordPress users from any unnecessary additional updates required for them. Here is a proper guide on how to properly uninstall WordPress plugins.

The Not-So-Basics

Listed below, are some of the best practices observed by expert developers that help in keeping a WordPress website secure.

TIP #8: How To Prevent SQL Injection And URL Hacking

SQL injections are attacks in which hackers embed commands whether in user URL or user comment box to trigger a particular behavior by user database. SQL, being the command language used for MySQL database, if correctly transformed into an injection may reveal sensitive information about the particular user database. WordPress hackers can modify the actual details or content on that user’s website. Many of the URL hacks also have the potential to trigger unintended PHP commands which again may reveal sensitive information.

Many of today’s cyber attacks on the website are accomplished by various forms of SQL injections. Since most WordPress installations are hosted on Apache web server and to define access rules Apache uses a file named .htaccess, a little tweaking in user .htaccess code can save the user from such a nuisance of URL or SQL injections.

Here is a Code that can be inserted into the website’s .htaccess file that would lay the strong set of rules to prevent a user from many serious injection attacks.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

TIP #9: How To Deny Access To Sensitive Files in WordPress

A WordPress installation contains certain sensitive files, such as the wp-config.php, install.php and the readme.html files. These files must be kept hidden from any outside access.

Here again, a user needs to add a bit of code to WordPress .htaccess file to prevent these files from being defaced. In addition to preventing access to the user directory listings, this code will also help in hiding sensitive web server and WordPress files.

Options All -Indexes

<files .htaccess>
Order allow,deny
Deny from all

<files readme.html>
Order allow,deny
Deny from all

<files license.txt>
Order allow,deny
Deny from all

<files install.php>
Order allow,deny
Deny from all

<files wp-config.php>
Order allow,deny
Deny from all

<files error_log>
Order allow,deny
Deny from all

<files fantastico_fileslist.txt>
Order allow,deny
Deny from all

<files fantversion.php>
Order allow,deny
Deny from all

Additionally, we have written an extensive guide to secure a site using WordPress .htaccess file.

TIP #10: How To Change Default Prefix For Database

Hide WordPress version: By default, WordPress automatically adds the current Version number to the head section of themes. It is always suggested to NOT display the WordPress version number publicly. Having the version publicly available makes it easy for attackers to execute known vulnerabilities on a particular version.

Here is a simple line of code that needs to be written in functions.php file of your theme.

remove_action( 'wp_head', 'wp_generator' );

The above code will hide WordPress version.

Change Default WordPress Prefix For Database: In WordPress installation, the database consists of numerous tables, which are labeled with a default prefix starting with “wp_”. For WordPress hackers, the ability to guess or predict anything on user domain means an extra advantage.

A user can limit this predictability by changing the default WordPress prefix of user database tables while installing WordPress, but if the user already has WordPress installed, he has to modify the prefix by manipulating user database in several places. However, a user can accomplish the same process, by choosing from top 10 WordPress security plugins that contain various other defenses for WordPress website.

Cloudways Helps in Securing a WordPress site

After getting a long-detailed guide to secure WordPress website. It is worth mentioning that WordPress itself can’t be secured alone. WordPress users must choose a secure hosting environment.

Here is how Cloudways provides a secure WordPress hosting environment.

  • First-Class Cloud Infrastructures: Cloudways partnered with top-notch cloud infrastructure providers that take security as their number ONE concern. Hosting a WordPress site in the cloud itself ensures high-level security.
  • Firewall: All servers launched via Cloudways comes up with a pre-installed firewall that ensures the high-level of server security.
  • Server Monitoring: Monitoring a server helps in identifying unexpected high traffic spikes that help to act accordingly.
  • SSH & SFTP Access: Many hosting providers still use FTP to access files. However, with Cloudways SFTP (Secure File Transfer Protocol) your connection is encrypted and secure. If multiple teams are working on a small project of a large server, they can be assigned access to that particular application instead of providing them the entire server access.
  • Updated OS and Applications: Experts at Cloudways keeps an eye on latest releases and ensures their availability after a number of stability and compatibility tests.
  • Randomly Generated Credentials: All applications launched via Cloudways have a default randomly generated credentials that are hard to guess.
  • Backup: After following the tips mentioned above, for some reasons, if your site is still compromised. The backup will be there for a faster disaster recovery. You can set the backup frequency as low as an hour.
  • Free SSL Certificate: Cloudways provides one-click SSL certificate installation to a WordPress site using Let’s Encrypt with auto-renewal feature.
  • 24/7 Live Chat Support: Still worried and digging your head in the sand? The Cloudways Support is always there round the clock.


The above-mentioned WordPress security tips ensure an effective and secure website. However, like other forms of security, defending a WordPress website is also an ongoing process which gets modified with the inception of new codes, tricks, and tools.

We suggest WordPress users keep a log of what happened on your WordPress by using a security audit plugin and also use your preferred WordPress security plugin which makes them aware of the new threats, as well as some specific security details of the WordPress environment.

However, we believe there is still more to add here. Feel free to add more if you think we have missed out something. We will surely add it to our next regarding WordPress security soon.

If you have any questions, please share with us in the comment section.

Share your opinion in the comment section. COMMENT NOW

Share This Article

Start Growing with Cloudways Today!

We never compromise on performance, security, and support.

Mustaasam Saleem

Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at

Get Our Newsletter
Be the first to get the latest updates and tutorials.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!