Taking care of WordPress website security

WordPress security issues and how to fight them

WordPress is the most popular way to build a website. As of June 2020, 37% of all existing websites use WordPress. This popularity has an unfortunate downside as well: it attracts all kinds of trouble.


WordPress is an open-source technology, and hundreds of developers work to push out updates that fix vulnerabilities for users to install. But even with the efforts of the WordPress team, it’s still far from safe. According to wpvulndb.com, there are 4034 unique vulnerabilities. Cool, but it doesn’t really concern you. Who’d want to hack your site? An attack doesn’t have to be personal or directed specifically at you. Your website just needs to be scanned along with a million others by someone looking for sites to take control of. Hackers may attack you simply because they treat your site as a potential source of SEO links. It’s worth it, then, to increase the safety of your WordPress website.

Mind those updates! It might be a hassle to install them, but that’s the simplest way to stay safe. They’re here for a reason. Minor updates are installed automatically, but major ones you need to start manually. wpvulndb.com reports that the least safe versions are in the WordPress 3.X line, so long-gone times. Except not really, because only 39.4% of all WordPress users have the latest version. Do you?

Be careful with WordPress plugins. Most vulnerabilities actually come from them, wpvulndb.com reports, and they are the most common way to attack a WordPress page. Be sure to regularly check for available updates of themes and plugins. Some, however, are no longer supported, and the lack of updates increases the risk of an attack. The plugin itself might spell trouble. Its code might be used to load remote files that allow hackers to take over your website. This is called a file inclusion exploit, and it works by getting access to crucial WordPress files, such as wp-config.php, through holes in your PHP code, the code that your website, plugins, and themes run on.
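One way to audit installed plugins for the file inclusion pattern described above is to flag every PHP `include`/`require` statement whose path is built directly from request input. This is an added example, not code from the original article; the function names and the sample plugin source are hypothetical, and the check is a heuristic rather than a full analysis.

```python
import re
from pathlib import Path

# Any include/require statement, captured up to its terminating semicolon.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*;")
# Request-controlled input; reaching an include path with it is the red flag.
TAINTED_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")

def find_tainted_includes(php_source):
    """Return (line_number, statement) for includes built from request input.

    Heuristic only: it sees direct use of a superglobal inside the statement,
    not values copied into a variable first, and it does not skip comments.
    """
    findings = []
    for match in INCLUDE_RE.finditer(php_source):
        if TAINTED_RE.search(match.group(0)):
            line = php_source.count("\n", 0, match.start()) + 1
            findings.append((line, " ".join(match.group(0).split())))
    return findings

def scan_plugins(plugins_dir):
    """Run the check over every .php file under a plugins directory."""
    report = {}
    for path in sorted(Path(plugins_dir).rglob("*.php")):
        hits = find_tainted_includes(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample, not taken from any real plugin. The first and last
# includes take their path from the request; the middle one maps the request
# value through a fixed allowlist and is not flagged.
SAMPLE_PLUGIN = """<?php
require_once __DIR__ . '/lib/helpers.php';
include $_GET['page'] . '.php';
$views = array('home' => 'home.php', 'about' => 'about.php');
$key = isset($_GET['view']) ? $_GET['view'] : 'home';
if (isset($views[$key])) {
    include __DIR__ . '/views/' . $views[$key];
}
require_once(
    WP_PLUGIN_DIR . '/' . $_REQUEST['module'] . '/init.php'
);
"""

if __name__ == "__main__":
    for line, stmt in find_tainted_includes(SAMPLE_PLUGIN):
        print(f"line {line}: {stmt}")
```

Point `scan_plugins` at a copy of `wp-content/plugins` and review each hit by hand; a clean result does not prove a plugin is safe.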

Another way to hack your website is cross-site scripting. You’re tricked into loading webpages with insecure JavaScript code inserted. When the script loads, cybercriminals can access and steal data from your browser. A good example would be a hijacked form: once you fill it in, your data is taken. The last plugin-based attack is SQL injection, in which the hacker gains access to your WordPress database. Just like other malware, it can be used to insert links to malicious or spam websites into the code. Besides the obvious tragedy of it, such malware also makes Google blacklist you and block your site. Ouch.

Hackers may try to steal your login and password as well, using brute force attacks. It’s quite a literal name: it’s much like punching different numbers on a pin pad and kicking the door until it finally opens. It’s a trial-and-error method of gaining access to your site by trying out different combinations until the correct one is found. You can protect yourself from it by choosing a complicated and non-obvious login. So no names and surnames, please, let’s be a bit more creative. It could literally save you. The same goes for the password: you’ll have the best luck with a randomly generated one that is changed frequently, so no “password”, “1234”, “admin” or your hamster’s name.

Of course, you can simply hire a WordPress agency to take care of all this stuff. Like us, CODETOWP.com. Better yet, you can hire us to develop a custom WordPress site for you, with custom plugins and themes, and hackerproof code. Custom code means that we can make sure everything’s working as it should and is safe for you and your clients. We’ll take extra care of your safety, for example, by activating Two Factor Authentication (2FA). Bit too much? Might be so, but better to be safe than sorry. Want to know more? Hit us up and let’s talk about what you need.

Those are the absolute basic safety rules. Follow them if you don’t want to end up a victim of a cyberattack. It’s all very easy and you can do it yourself. Or, you can entrust your safety to an agency like us. Not only will we take care of the things above, but we’ll also do a full audit of your website and add many other solutions (like two-factor authentication) that will make your site even more secure. You take care of your health, the technical condition of your car, and the safety of your house. Why aren’t you taking care of the safety of your website as well?

We’re here to help you with this.

Piotr Tabor

Appwise CEO and new technology lover. Over 10 years experience in software testing and development. Want to find out how I can help? Contact us and let’s schedule a call!
