This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

Top 10 WordPress Security Issues And How to Fix Them

Updated on December 8, 2021

11 Min Read
wordpress security issues

WordPress is by far one of the most widely used open-source CMS in the world. It powers millions of websites and holds a 35% market share. This makes WordPress the alpha CMS among bloggers, designers, WooCommerce store owners, and other business owners.

Despite being so popular, many WordPress users do not know the basics of securing their WordPress sites. Worse yet, many users believe in the (very dangerous) misconception that installing an SSL certificate is enough to secure their site. Therefore, it is important to discuss the various effective methods of securing the WordPress site.

Co-founder of Sucuri, Dre Armeda believes that:

“People Are And Will Continue To Be The Biggest Security Issue With WordPress.”, Dre Armeda Discusses WordPress Security

I also believe that half of the WordPress security vulnerabilities occur because of negligence. This is an important reason why WordPress websites are an easy target for cybercriminals. Many first-time users simply install WordPress and then trust the default security of the WordPress website.

Doing so exposes your website to cyber threats. To safeguard your website against malicious traffic and DDoS attacks, you must opt for a secure WordPress hosting platform combined with top-tier security plugins.

In this post, I will present several basic and some not-so-common tips about dealing with WordPress security issues.

Let’s begin!

The Basics

WordPress security is mainly all about simple fixes and common sense. The idea is to apply fixes that minimize the commonly known WordPress security issues and harden the website security.

TIP #1: Invest In The Right Web Hosting

Website security begins with a secure and managed WordPress hosting provider. This has become an essential aspect of building your online presence. A secure web host will not only have industry-proven security processes in place but also have your back in case something goes wrong with your website.

Almost every such provider has an effective disaster recovery strategy that kicks in when your website suffers an incident. And if you own an e-commerce store, you should only opt for an ecommerce hosting that does not compromise on security and performance to keep your site up at all times.

To give you an idea of the web hosting options out there are five types of web hosting solutions where you can host your WordPress websites:

Shared Hosting: A single server machine is shared among multiple user accounts. If s single account gets hacked, the entire server gets compromised. In many cases, the server is not really protected because there are just too many loopholes.

Dedicated Hosting: You actually own the server and only your website is hosted on the server. Since you own the server, the security of the server is limited to your expertise in cybersecurity.

VPS Hosting: In VPS hosting, you get a dedicated portion of a physical machine. Similar to dedicated hosting, you are the one responsible for the security. If you are not well versed in cybersecurity, you either need to be a fast learner or spend a lot of money on outsourcing the security of your server.

Cloud Hosting: In a cloud hosting solution, you own a portion of a network of connected physical server machines. Cloud hosting solutions are secure by definition but as a dedicated server, you have to dedicate a lot of effort and time to security.

Managed Cloud Hosting: As the name says, a managed cloud hosting solution manages all aspects of your cloud server including server-side security, performance, and updates. This is what Cloudways does – it provides multiple layers of security (one being platform-level firewalls), resulting in a secure hosting environment so that you don’t have to worry about your server’s security. Read our blog for a more detailed comparison of hosting options.

Security fatigue. Feeling overwhelmed?

Try Cloudways to harden the security of your WordPress website.

TIP #2: Leverage Scheduled Backups

At first glance, scheduled backups might not look like a WordPress security measure. However, this crucial step can prove to be a lifesaver when disaster strikes. In such cases, website backups are a great way of taking the site back online within hours of a disaster.

WordPress backups can be done on two levels: offsite backups and/or backup via hosting provider.

1- Offsite WordPress Backup

Backing up a WordPress site is pretty easy, thanks to the UpdraftPlus plugin that back up a WordPress site to off-site storage solutions such as Dropbox, Google Drive, and Amazon S3.

If you wish to explore the idea in detail, here is an extensive guide to backing up a WordPress site.

Note: If you are on a shared hosting server, offsite WordPress backup is a great way of getting the site back online in case your server goes down.

2- Local WordPress Backup

Backing up a WordPress site on the hosting provider’s server creates a Local Backup. Many WordPress cloud hosting providers provide a local backup process in which the entire server can be backed up automatically or manually on the same server.

If you are a Cloudways customer, you are in good hands. You can have a local backup (same server) AND the entire server can also be backed up on Amazon S3. Check out a guide to backing up a WordPress server.

TIP #3: Have a Strong Password

A strong password is a very basic but oft-overlooked WordPress security must-do that protects against many WordPress vulnerabilities.

Ideally, passwords should be hard-to-guess for people and must contain case-sensitive alphabets, punctuation, and numbers (for example #[email protected]$).

Experts also suggest using different passwords for different websites such as social media accounts and email accounts.

To enforce the habit of strong passwords on your site, you should use a plugin to enforce strong WordPress password policies. This ensures all your users use strong passwords.

Brute Force Attacks: A strong password is your first defense against brute force attacks that tries various combinations of usernames and passwords until your site gets compromised. A weak password never fares well against a brute force attack.

CAPTCHA is considered one of the best protection against brute force attacks. Previously, Google started a project “Google Invisible reCAPTCHA” in which visitors do not have to get vet manually. By default, it’s invisible and only kicks in when Google suspects that the visitor is not a human.

Read more on adding Google invisible reCAPTCHA to WordPress

TIP #4: Limit Login Attempts

By default, WordPress doesn’t place any restrictions on how many times a visitor can try out usernames and passwords multiple times at the login. This is the reason behind the many unintentional user-caused WordPress security issues.

To prevent this and add an extra layer of security to the WordPress websites, site admins should install a limit login attempts plugin that prevents hackers from exploiting this issue and mount a brute force login attack on your site.

This smart tool blocks the IP of any possible hacker that tries this attack on your WordPress site admin panel. The plugin does this by limiting the number of failed attempts per user.

Use Two-Factor Authentication: Two-Factor Authentication (2FA) is an industry-standard security practice that uses two-layer credentials to minimize the chances of unauthorized site login. If you wish to add 2FA to your WordPress website here’s how you can add two-factor authentication to a WordPress site.

TIP #5: Change the WordPress Login URL and Default Username

After launched the WordPress you can go to the admin panel and change your site according to your requirements. This is not possible if you had no access to the WordPress admin dashboard.

Change WordPress Login URL: Changing the default WP-admin login URL makes it hard for hackers to launch a brute force attack on your website. This simple step greatly strengthens the security of your WordPress site.

Although there are many plugins available, I recommend WPS Hide Login plugin to change the default WordPress admin URL. The plugin has 700,000+ active installed and has 5-star reviews.

Change WordPress Default Username: the most basic security loophole that you can have on your website is the admin username “admin”. That is just too easy to guess. While you can use a plugin to change this username, there is a simpler method for this: Go to the dashboard, make a new user and assign it the role of “Administrator”.

Different WordPress User Roles: WordPress allows multiple users to contribute to a WordPress site using predefined roles. As a website administrator, you can modify or even create a separate user role by following the guide on custom WordPress user roles.

TIP #6: Keep WordPress Updated

Team WordPress regularly releases updates to the core files. These patches are available as self-contained installation files that fix known issues and generally strengthen the security of WordPress websites.

Maintaining the website’s CMS is an essential aspect of running the website. The site owner should ideally apply the patch within hours of release because there is always a chance that attackers are on the prowl for vulnerable websites.

This also applies to the installed plugins and themes. Plugin developers follow the release cycle of the WordPress core files to make sure that the plugin keeps pace with the newer WordPress versions.

Note: Never deploy patches on a live site. Always test the patches at a WordPress staging environment to make sure everything continues to function as intended. If your hosting doesn’t have a staging environment then I would suggest taking a backup first and start updating.

On the other hand, if you are on managed WordPress hosting, the engineers take care of patching the WordPress core files and ensure that the security doesn’t get compromised. The biggest security threat to themselves.

TIP #7: Delete Unused Plugins or Themes

Testing new themes and plugins is a good way to get the first-hand experience of the latest releases. However, once the testing is over, WordPress users usually deactivate the plugins instead of a proper uninstall.

Note that unused or inactive themes and plugins pose a serious threat to the WordPress website. Hence, it is of utter importance that all plugins and themes that are not in use should be deleted immediately to make sure that no data remains in the WordPress database. Here is a proper guide on how to properly uninstall WordPress plugins.

As a general precaution, always download the most recent version of themes and plugins from a trusted resource to make sure that the plugin or theme does not open a new security loophole at your site.

The Not-So-Basics

NOw that you have an understanding of the basics of WordPress security, it is time to check out the following advanced tips for beefing up the security of your websites.

TIP #8: Prevent SQL Injections And URL Hacking

SQL injections are attacks in which attackers embed SQL commands in various areas of the websites (in particular the comment box and text areas). These commands can compromise the SQL database and might reveal sensitive information stored in the database.

Modifying the URL by adding PHP statements is another potential threat to WordPress security in which the attackers can trigger attacks on the database and other website components.

Most WordPress websites are hosted on an Apache server that has a clever trick to counter these attacks. All Apache servers have a file .htaccess that define access rules for the website.

To reduce the incidences of SQL injections and URL hacking, add the following code to the .htaccess file to lay down a strong set of rules.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

As you can see, the code “sanitizes” the data that goes into the input fields. In addition, all such input is treated as a string instead of a SQL query statement.

TIP #9: Deny Access To Sensitive Files in WordPress

A WordPress installation contains several sensitive files, such as the wp-config.php, install.php, and readme.html files. These files must be kept hidden from all outside access.

Again, .htaccess is your best friend. You can add the following lines to the file to prevent important files from getting defaced. The following code snippet also prevents access to user directory listings and hide sensitive server and WordPress files from unauthorized access.

Options All -Indexes

<files .htaccess>
Order allow,deny
Deny from all

<files readme.html>
Order allow,deny
Deny from all

<files license.txt>
Order allow,deny
Deny from all

<files install.php>
Order allow,deny
Deny from all

<files wp-config.php>
Order allow,deny
Deny from all

<files error_log>
Order allow,deny
Deny from all

<files fantastico_fileslist.txt>
Order allow,deny
Deny from all

<files fantversion.php>
Order allow,deny
Deny from all

If you wish to dig deeper into the use of .htaccess file for optimizing your WordPress, here is a detailed description of the WordPress .htaccess file.

TIP #10: Change Default Prefix For Database

Hide WordPress Version: By default, WordPress automatically adds the current version number to the head section of themes. A great security tip is to NEVER display the WordPress version publicly, simply because of the fact that attackers can launch attacks against all known vulnerabilities of the version mentioned in the header.

The following simple line of code should be included in the functions.php file of your theme to hide the WordPress versions.

remove_action( 'wp_head', 'wp_generator' );

Change Default WordPress Prefix For Database: All tables in a WordPress database have names that start with the prefix “wp_”. While this appears to be a great feature, for WordPress hackers, this greatly simplifies things by removing some of the guesswork.

A user can limit this predictability by changing the default WordPress prefix of user database tables while installing WordPress. This can also be done for already-active websites by manipulating user databases at several places. I recommend using one of the best WordPress security plugins that implement a range of defenses for the WordPress website.

Cloudways Helps in Securing WordPress Sites

After this detailed guide to securing WordPress websites, it is worth mentioning that WordPress cannot be secured in isolation. WordPress users should also opt for a secure hosting environment that offers a secure environment for the website.

Here is how Cloudways provides a secure WordPress hosting environment.

  • First-Class Cloud Infrastructure: Cloudways has partnered with top-notch cloud infrastructure providers that have security as their number ONE concern. Hosting a WordPress site on the cloud ensures a high level of security.
  • Firewalls: All servers launched via Cloudways come with a pre-installed firewall that acts as the first line of defense of the website.
  • Server Monitoring: Monitoring a server helps in identifying unexpected high traffic spikes that can take the website down.
  • Bot Protection: Bot Protection aims to identify and block malicious traffic, protect from attacks like Dictionary attacks, Web Scraping, and Brute Force attacks. It also helps to reduce server resource usage for WordPress applications. These attacks are targeted to gain unauthorized access to your website or overwhelm it, but Bot Protection monitors all these activities and proactively blocks upon detection.
  • SSH & SFTP Access: Many hosting providers still use FTP to access files. However, with Cloudways SFTP (Secure File Transfer Protocol) your connection is encrypted and secure. If multiple teams are working on a project hosted on a server, they can be assigned access to a particular application instead of the entire server.
  • Updated OS and Applications: Experts at Cloudways keep an eye on the latest releases and ensures their availability after stability and compatibility tests.
  • Randomly Generated Credentials: All applications launched via Cloudways have a default randomly generated credentials that are hard to guess.
  • Backup: In case of disaster, the site backup is your best bet for faster disaster recovery. You can set the backup frequency as low as an hour.
  • Free SSL Certificate: Cloudways provides a one-click SSL certificate installation with an auto-renewal feature.
  • Free Staging Environment: Cloudways offers a free WordPress staging environment to make sure everything continues to function as intended.
  • 24/7 Live Chat Support: Still worried about server security and performance? The Cloudways Support is always there round the clock.
  • Phone Support: This is the premium support addon if you need any assistance you can also contact and our senior engineer with directly respond anytime.

Frequently Ask Questions

Q: How do I fix WordPress not secure?

A: Follow this guide and see all points that I have mentioned, I hope it will help you a lot.

Q: Should I use an SSL certificate to secure my WordPress website?

A: Yes you should, most of the hosting companies offer free one-click SSL certificate.

Q: Does WordPress have security issues?

A: WordPress is the most favored Content Management System (CMS) used today. With the help of numerous themes and plug-ins, one can easily customize their website according to their taste and preferences. However, WordPress Security is one of the major issues which is a concern for many.


WordPress security tips ensure an effective and secure website, Also check our webinar on how to deal with attacks on WordPress Sites. However, many people forget that defending a WordPress website is an ongoing process that needs continuous attention in the face of new tools and tricks emerging in cyberspace.

I strongly suggest WordPress users keep a log of what happened on WordPress by using a security audit plugin and use the preferred WordPress security plugin which strengthens the WordPress environment against security threats.

Feel free to add if you think I have missed out on something. I will add it to the list ASAP. If you have any questions, please post in the comments below.

Q. Does WordPress have security issues?

Like every platform, WordPress has its share of security issues. However, WordPress security issues can be easily avoided if you follow the WordPress security best practices.

Q. Why is WordPress not secure?

Many of the WordPress security issues occur because the site admins choose to ignore the standard practices about plugins and themes. In many cases, this could be avoided by conducting a security audit and taking care of the loopholes so that the website remains secure.

Q. Is WordPress easily hacked?

No. The recent versions of WordPress are quite secure. This basic security can be further enhanced by installing WordPress security plugins, only opting for themes and plugins from respected developers, and following the best practices of WordPress security.

Q. How can I improve my WordPress Security?

WordPress security can be improved by following some basic tips:
1. Choose a secure hosting solution.
2. Install an SSL certificate (an essential requirement for business websites)
3. Set up a reliable WordPress security plugin
4. Install login rate limiting through a plugin
5. Make sure TFA is active

Share your opinion in the comment section. COMMENT NOW

Share This Article

Customer Review at

“Beautifully optimized hosting for WordPress and Magento”

Arda Burak [Agency Owner]

Mustaasam Saleem

Mustaasam is the WordPress Community Manager at Cloudways. Where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music.


Get Our Newsletter
Be the first to get the latest updates and tutorials.

Thankyou for Subscribing Us!


Webinar: How to Get 100% Scores on Core Web Vitals

Join Joe Williams & Aleksandar Savkovic on 29th of March, 2021.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Unleash The Cloud.
Not Budgets.

For 4 Months +
Up To 30 Free Migrations

Cyber Week

Time Left In Offer
  • 0


  • 0


  • 0


  • 0


40% OFF

On All Plans