4 May 2018

WordPress Security: Keeping your WordPress Website Secure


WordPress Security should be a part of the website development process

With every web development project we undertake, we include WordPress Security as a key deliverable. Here is why …

Nobody wants to wake up to find that their website had been hacked overnight. WordPress security is often not something that businesses consider when setting up their website.

A hacked WordPress website can damage the reputation of your business with your clients.

Why was MY website hacked?

Everyone who has been hacked has probably asked this question. Rule #1, do not take it as a personal attack against you.

There are a variety of reasons why your website was hacked.

  • WordPress required an update
  • WordPress themes or plugins required an update
  • A user used a weak password for their account
  • A vulnerability with your hosting provider

More than 50% of hacked WordPress websites were compromised because of outdated core files, themes or plugins. Roughly 40% of hacked websites were due to hosting provider vulnerabilities, with about 10% being from weak user passwords.

What are some signs my WordPress Website has been Hacked?

One of the most prominent ways people find out that their WordPress website has been hacked is when they try to visit it and are greeted with a big Warning or Error screen from their browser saying access to the website has been blocked.

A second sign is if you notice strange sub-folders or directories showing up. Something like

Yet another sign is when you see a long string of characters in the header section of every page. This is usually a trigger for Google to block your site, but sometimes you get through and can see the horrible code presenting itself.

If any of these situations exists for you at the moment, your WordPress website has been compromised. It is time to take action and address WordPress Security as an important investment for your business. You should read our article Help – My WordPress Website was Hacked – Click Here!! before continuing on with the rest of this article.

Securing Your WordPress Website

In most cases, I would provide code based solutions to implement. But for this topic, the plugins available are powerful and take the pain out of making WordPress secure.

The most effective way to keep WordPress secure is with a WordPress Security plugin.


WebARX is a website security and monitoring platform that helps freelancers, digital agencies and website owners protect and monitor every website on a single dashboard. We wrote about our personal experience using WebARX in this article; WebARX Website Security & Monitoring Platform.

If you care about your business and your customers’ businesses, you need protection from hackers. For this you need a complete overview of your websites, a first line of defense and an intelligence system that will let you know when there’s a risk and how to eliminate it in time.

WebARX will monitor uptime, site speed, defacement (and hacking databases), blacklists, software vulnerabilities, domain expiration, site errors and much more. It even allows you to set up alerts for all of them via E-mail or Slack.

Not only does WebARX analyze over 3000 website hacking incidents per day and provide that info to national CERTs (Computer Emergency Response Teams) around Europe, they also use the same data to update the firewall on your website in real-time.

You get a 14-day, free trial when you register. After that, the basic service is $39 per month. They have more expensive packages that increase the number of websites you can monitor and the level of support you receive.

iThemes Security

On this website, we use the iThemes Security plugin. Once installed, it has a wizard for quickly securing a WordPress website. It protects against Malware and a variety of common hacks known to the WordPress Security community.

iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress. One of the most used features, and most valuable from our perspective, is its ability to automatically block users that make an attempt to attack our website with brute force. We have been very happy so far.

They offer both a free and a paid version of their plugin.

Wordfence Security – Firewall & Malware Scan

Our WordPress Security team has had good comments about this plugin. They use what they term a “Threat Defense Feed” that keeps the plugin up to date with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe.

This is a very powerful security plug-in. For me, it was not as intuitive, but I understand they have updated their User Interface and it provides a much richer and more informative picture of your website’s WordPress Security situation.

WordFence also offers a free version and a premium (paid) version of their plugin.

Sucuri Security – Auditing, Malware Scanner and Security Hardening

Sucuri is a major player in the web security community, not only WordPress Security. So it is no surprise they offer a robust security plug-in for the WordPress platform. The number of features and options offered can be a little overwhelming. But this is a serious WordPress Security solution that does a great job of keeping WordPress secure.

They also offer an online service that reports on common threats for WordPress as they are discovered.

Additional Steps to Keep WordPress Secure

Good website security is always accompanied by good preventative security measures.
It is my opinion that any website owner should expect to be hacked, and therefore take the necessary steps to guard against such an event. There are a few steps you can take to prevent an attack. The WordPress Security plugins above come with some of this functionality included to assist you.

Another good security policy is to configure layers of protection for your website. A layer of security worth serious consideration is a website firewall. You can learn more from our post Why you Should use a Website Firewall.

Scan Your Website Now

The first scanner I tried is WPSCAN. They have a website that lets you scan 1 website to determine the level of security deployed. It should return results that identify potential security issues with your WordPress website. I ran it on my website with the Security plugin active and I was getting an error telling me the website was not a WordPress website. So the security plugin must have been doing its job properly.

The next scanner I tried is from Sucuri. I liked this scanner as it provided a more complete picture on my WordPress Security situation. What I really liked was they did a lookup at a number of places to make sure my website was not blacklisted. Sucuri also provided me with feedback on the WordPress Security elements that are not implemented and probably should be.


Take frequent backups of the files and database and keep them in a safe place. That way, if you ever have a security issue, you are only a day or so behind with your website’s content.

Keep Activity logs

Monitor the activity of visitors and users. See who is logging in, activating/updating plugins, etc.

As I mentioned, the WordPress Security plugins above handle some of these tasks nicely as well.
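One way to do this from the web server's access log, as an added example that is not from the original article: it lists successful logins and flags addresses with repeated failed ones. It assumes combined log format and stock WordPress behaviour (a failed POST to /wp-login.php returns 200, a successful one returns 302); the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (combined log format). The IPs come from
# documentation ranges and are not taken from the article.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [04/May/2018:02:10:{s:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.58"'
     for s in range(0, 60, 10)]
    + ['203.0.113.7 - - [04/May/2018:02:11:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.58"',
       '198.51.100.20 - - [04/May/2018:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
       '198.51.100.20 - - [04/May/2018:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '192.0.2.15 - - [04/May/2018:09:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
       'not a log line'])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def review_logins(log_text, threshold=5, window=timedelta(minutes=5)):
    """Summarise login activity: who logged in, and who kept failing."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    report = {"brute_force": {}, "logins": [], "success_after_failures": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ip, ts, method, path, status = m.groups()
        # Only form submissions to the login page; GETs just display the form.
        if method != "POST" or path != "/wp-login.php":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        fails = recent[ip]
        while fails and when - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if status == "200":  # assumption: login form re-rendered, so the login failed
            fails.append(when)
            if len(fails) >= threshold:
                worst = report["brute_force"].get(ip, 0)
                report["brute_force"][ip] = max(worst, len(fails))
        elif status == "302":  # assumption: redirect means the login succeeded
            report["logins"].append((ip, when.isoformat()))
            if len(fails) >= threshold:
                # A success right after a burst of failures deserves a password reset.
                report["success_after_failures"].append(ip)
            fails.clear()
    return report
```

An address that appears under `success_after_failures` should be treated as a likely guessed password rather than a user who mistyped once.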

Other Helpful WordPress Security Resources

Best of success in keeping WordPress Secure.


Pick a WordPress Security plugin and give it a try. Don’t deliberate too much on this. All three are considered good choices and extremely helpful to keeping WordPress Secure.
You should be able to sleep well at night now knowing one of these tools is helping to protect your online assets.

Would you like us to help make your WordPress Website Secure? Let us know how to reach you and we will help you.



    13 Comments on “WordPress Security: Keeping your WordPress Website Secure

    Internet Protection
    28 August 2009 at 11:53

    Nice work! Didn’t know you guys ported PHP IDS to WordPress. I also like that Role Manager plugin.

    Timothy Lyrics
    8 May 2009 at 14:06

    Good post, detailed and well-written, which is rare these days.

    Secure Wordpress Login
    3 January 2009 at 23:50

    You can use wordpress stealth login like this tutorial (The link is for a site in Indonesian)

    23 October 2008 at 11:49

    I hope articles like this one (and latest WordPress security improvements) will make WordPress blogs less likely targets for hacker attacks. We want you to come up with more information like this.

    Hacker4lease-IT Security Service

    20 October 2008 at 08:40

    Now this some great info!!! Thanks a lot!

    Big League Players Club
    18 October 2008 at 11:41

    This blog is very informative, I am really pleased to post my comment on this blog. It helped me with ocean of knowledge so I really believe you will do much better in the future. Good job web master.

    13 October 2008 at 19:29

    Thanks Denis,
    Very useful too. I gave the scanner a shot and works very quick. Thanks for the link.

    13 October 2008 at 19:13

    Great post!

    There are too many careless site owners and compromised WordPress blogs out there. Just try to google for “powered by WordPress” “powered viagra wordpress” (word specific to hidden spam injected into wordpress blogs) and you’ll see thousands of infected wordpress webpages.

    I hope articles like this one (and latest WordPress security improvements) will make WordPress blogs less likely targets for hacker attacks.

    P.S. You’ve mentioned that you used CacheChecker service to scan your blog. This service can easily reveal hidden links cached by Google.

    I guess, you might be interested in taking a look at my similar (but more sophisticated) service called Unmask Parasites. The major differences are:

    1. It works in real time (not with Google cache, which may be several days old)
    2. In addition to invisible links, it reveals hidden iframes, scripts and redirects.
    3. The hidden links are highlighted and accompanied with anchor text, so that you can easily distinguish legitimate links from illicit ones.

    […] WordPress Security – Keeping your Blog Secure […]

    […] things which hopefully will keep the hackers out this time, most of which I learnt about by reading this post on WordPress security I recommend you have a read if you haven’t already taken steps to make your own WordPress […]

    Martin Malden
    5 October 2008 at 19:46


    This is excellent! A great source of practical, easily implementable security processes that will, at least, keep out the hacker bots!

    The hackers are only going to get more sophisticated, I’m afraid. As good as it would be if everyone focused their efforts more productively, that lazy, layabout element will always be there!


    4 October 2008 at 15:29

    WordPress Security Keeping your blog Secure…

    With the recent, and ongoing attack on so many blogs, this useful post identifies some good methods for securing your blog….
