Categories: WordPress Tutorials, Tips and Guides

10 WordPress Security Issues And How to Fix Them

WordPress is by far one of the best Open Source CMS in the world. It powers millions of websites and holds 29% market share of the websites on the Internet. It is built and designed to fulfill a single purpose: elevate web standards, aesthetics, and usability. It makes WordPress an alpha CMS among bloggers, designers, and business owners. However, with such mass usage, there is still a wrong myth evolving in the industry that only adding free SSL certificate assures WordPress website as secure.

We believe that half of the vulnerabilities in a WordPress website are at the user’s end. This makes them an easy target for the assailants. Out of the box, some best practices can tighten the security of WordPress websites. In this post, we will be providing our readers with the basics alongside some not-so-common tips to secure a WordPress website.

If followed deliberately, you can save yourselves the troubles of worrying about the security of your WordPress-powered websites, and instead focus on running your sites for success.

WordPress Security Tips

  1. Invest In The Right Web Hosting
  2. Acquire Scheduled Backups
  3. Make a Strong Password
  4. Limit Login Attempts
  5. Change User Admin Username
  6. Keep WordPress User Updated
  7. Delete Unused Plugins or Themes
  8. Prevent SQL Injection And URL Hacking
  9. Deny Access To Sensitive Files in WordPress
  10. Change Default Prefix For Database

The Basics

As mentioned earlier, here are some of the necessary procedures to minimize the commonly known loopholes of websites running on WordPress.

TIP #1: Invest In The Right Web Hosting:

It is essential if a user looks for a secured WordPress hosting before creating an online presence. A secure web host will not only undertake some noteworthy procedures to help protect user domain but also get user home safe if in case user domain crashes or is hacked with an effective disaster recovery strategy.

TIP #2: Acquire Scheduled Backups:

This might not look like a security tip. However, this crucial step can become a user effective crisis management strategy. Assuming that if anything goes wrong, the user can have an on-premise backup solution which will ultimately enable the user to get back online in no time.

TIP #3: Make a Strong Password:

Making a strong password is an absolute must-follow. It provides an iron-clad security to users on a WordPress website. Try to make passwords that are hard to guess and phonetic (use case-sensitive alphabets, punctuation, numbers, all in one). It is also suggested that users should use different passwords for different websites such as social media accounts or email accounts.

TIP #4: Limit Login Attempts:

A User can acquire an extra layer of security for their WordPress website by installing an add-on “limit login attempts that prevents assailants from guessing user WordPress password. Secondly, having a login limiter installed on WordPress would also save the user from brute force login attempts. This smart tool blocks the IP of any possible assailant that tries to get into users’ WordPress admin panel.

TIP #5: Change User Admin Username:

Thanks to the plethora of apps that WordPress caters for everything; changing the admin username of a WordPress user too can be performed by using a plugin. If you don’t want to go through the plugin way, then you can follow the simple way by going to the dashboard, making a new user and assigning the role of Administrator to that user.

TIP #6: Keep WordPress User Updated:

If users have a reliable Web Hosting solution, they will keep user platform maintained by applying regular patches. However, for a self-hosted WordPress website, this can become a critical security tip to safeguard user WordPress site. Users will need to keep their WordPress Core, Plugins and Themes updated which will help in running a stable site in the future.

TIP #7: Delete Unused Plugins or Themes:

Unused or inactive themes and plugins possess a potential threat to a user’s WordPress website; hence it is of utter importance that the particular user assures that no such extensions are existing in WordPress database. This would also save users from any unnecessary additional updates required for them. Here is a proper guide on how to properly uninstall WordPress plugins.

The Not-So-Basics

Listed below, are some of the best practices observed by expert developers that help in keeping a WordPress website secure.

TIP #8: How To Prevent SQL Injection And URL Hacking

SQL injections are attacks in which hackers embed commands whether in user URL or User Comment Box to trigger a particular behavior by user database. SQL being the command language used for MySQL database, if correctly transformed into an injection, might reveal sensitive information about the particular user database. Hackers may then modify the actual details or content on that user’s website. Many of the URL hacks too have the potential to trigger unintended PHP commands which again, may reveal sensitive information.

Many of today’s cyber attacks on the website are accomplished by various forms of SQL injections. Since most WordPress installations are hosted on Apache web server and to define access rules Apache uses a file named .htaccess, a little tweaking in user .htaccess code can save the user from such a nuisance of URL or SQL injections.

Here is a Code that can be inserted into the website’s .htaccess file that would lay the strong set of rules to prevent a user from many serious injection attacks.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

TIP #9: How To Deny Access To Sensitive Files in WordPress

As it is probably obvious, a WordPress install contains certain sensitive files, such as the wp-config.php, install.php and the readme.html files. These files must be kept hidden from any outside access.

Here again, a user needs to add a bit of code to user .htaccess file to prevent these files from being defaced. In addition to preventing access to the user directory listings, this code will also help in hiding sensitive Web Server and WordPress files.

Options All -Indexes

<files .htaccess>
Order allow,deny
Deny from all

<files readme.html>
Order allow,deny
Deny from all

<files license.txt>
Order allow,deny
Deny from all

<files install.php>
Order allow,deny
Deny from all

<files wp-config.php>
Order allow,deny
Deny from all

<files error_log>
Order allow,deny
Deny from all

<files fantastico_fileslist.txt>
Order allow,deny
Deny from all

<files fantversion.php>
Order allow,deny
Deny from all

Not only this, here is a complete guide on how to protect WordPress with .htaccess.

TIP #10: How To Change Default Prefix For Database

In WordPress installs, the database consists of numerous tables, which are labeled with a default prefix starting with “wp_”. For hackers, the ability to guess or predict anything on user domain means an extra advantage.

A user can limit this predictability by changing the default WordPress prefix of user database tables while installing WordPress, but if the user already has WordPress installed, he has to modify the prefix by manipulating user database in several places. However, a user can accomplish the same process, by choosing from top 10 WordPress security plugins which contain various other defenses for his/her WordPress website.


These are the beginning must-to-do strategies to ensure an effective WordPress Security. However, like other forms of security, defending a WordPress website too is an ongoing process which gets modified with the inception of new codes, tricks, and tools. We also suggest users, to get a scanner for user website such as “All In One WP Security & Firewall” which makes them aware of the new threats, as well as some specific security details of the WordPress environment.

However, we believe there is still more to add here. Feel free to add more if you think we have missed out something. We will surely add it to our next regarding WordPress security soon.

If you have any questions, please share with us in the comment section.

Mustaasam Saleem: Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at mustaasam.saleem@cloudways.com