It’s time to clear there air. Occasionally, when discussing content management system options with new clients I am questioned the security of WordPress as a CMS solution. In most cases the client has picked skewed views up form a poor website host or from a colleague who has not been taking the basic steps to keep their WordPress website up to date and secure.

In truth, attacks on websites and web hosts are very common and it’s true that many WordPress websites have been hacked in recent years. However, don’t let this give you a negative impression of the CMS. First of all, in many of these cases the web host and/or website owner have not taken the basic steps to shore up security issues in their WordPress installation by keeping the software up to date and to resolving the obvious vulnerabilities. Additionally, WordPress is the most popular content management software in the world and is deployed more than any other system, so it is unfair to compare it against the number of successful attacks to other systems.

Take for example, the comparison of the number of Ford F-Series pick up trucks on the road in 2013 (367,486 in 2013) compared to the Ford Fusion (161,146). The vast difference in the number of Ford F-Series’ on the roads make them far more susceptible to theft than the Ford Fusion. It has nothing to do with the security of either vehicle at all, but rather the greater opportunity and thieves familiarity with the most popular vehicle.

With the rise of open source content management systems, conducting mass attacks that target a specific technology and/or a flaw has become increasingly more common. WordPress security and security every other CMS is a pressing concern for professionals and small businesses alike with hackers ability to perform sweeping attacks that target websites on any given content management platform.

A recent well known attack on WordPress websites was the DDOS attack that choked the Internet by using a brute force attack that was carried out from multiple IP addresses and exploited weaknesses in usernames and passwords. The attackers goal was to bring down the websites by systematically guessing common usernames. In this article, we’ll discuss some very basic security measures that you and your web host should be taking to secure your WordPress website from such attacks.

Server Level Security

Some of the most common attacks WordPress websites face are SQL injection attacks. A typical attacker will first go through the .htaccess file before moving on to other internal WordPress files. Think of your .htaccess file as the gateway to your WordPress installation. By modifying your .htaccess file, you can stop attackers from accessing other important files and folders of your WordPress installation.

You can secure the files in your WordPress installation by defining the permissions in the root .htaccess file and adding .htaccess files to other WordPress folders such as /wp-content/uploads. We’ve written more in depth about this security measure in our article How to Help Prevent Your WordPress Site From Being Hacked.

By adding the additional code to the .htaccess file you will ensure that visitors don’t have access to the documents you upload to your WordPress website or the theme and plugin files.

But what if you’re not savvy enough to make modifications to your .htaccess file, as I imagine most website owners are not. This process can be made much simpler and even managed for you if you employ the services of a quality web host like WP Engine that specializes in WordPress hosting and looks after basic security precautions such as this.

Website Level Security

Attackers may use different methods depending on the possible vulnerabilities of the content management software. The .htaccess file changes noted above will help to secure access to directories and files. However, we cannot always keep all the attackers at bay and it is important to monitor your WordPress installation on a consistent basis.

WordPress plugins such as Wordfence Security and BulletProof Security help you monitor and set preferences to harden your WordPress installation. For example, with the Wordfence Security plugin you can monitor crawlers and visitors to your website and block access to any suspicious visitor. Additionally, you can also monitor login attempts to your website, and set the maximum number of allowed unsuccessful login attempts before the plugin blocks the user from further attempts. The plugin also scans the WordPress installation files and offers an option to restore original files if any files are infected. Additionally, Wordfence has options to set up email alerts to keep you informed of any vulnerability that the plugin detects.

User Level Security

Your username and password are the most important part of securing your WordPress website. A weak password can undermine all the work you have put in to secure your website and give attackers quick and easy access to your files.

A brute force attack typically tries a list of common usernames and passwords. To counter this type of attack, the first thing you must do after installing WordPress is create a new user with administrative privileges with an uncommon username. Something that is unique to you and not an obvious username such as admin or administrator. In addition to the username, you must also create a strong password for your account.

Usually a strong password has at least 8 characters, is not a dictionary word, and is alphanumeric. There are countless password generators available online to help you create highly secure passwords, but you may also want to read up on some suggestions for creating secure usernames and passwords.


Given that WordPress is an open source CMS, any new enhancements and code changes are public immediately and available to everyone with an internet connection. Similarly, the plugins used on your website are also open source. Any vulnerabilities in the plugins and WordPress code can be exploited by attackers, if they are not addressed.

Thankfully, WordPress fixes and releases updates whenever they come across any such flaws to protect users. As a website owner, you must ensure that you install these WordPress and plugin upgrades as soon as possible. Again, this is where a specialized WordPress host like WP Engine can make life easy for you with their automatic core updates.

Website security is a complex and ever-evolving practice. This article covers the four basic steps that every WordPress website owner should take. However, mass attacks on web technology target everyone using a specific platform. While these basic steps to secure your website may not stop a dedicated attacker hell bent on hacking your website, it can protect you from most of the mass attacks that exploit vulnerabilities in the system and those created by ill-informed users.

For more in depth information on WordPress security, read our article on How to Help Prevent Your WordPress Site From Being Hacked.