

The most popular content management system, WordPress, has 64% of the CMS market share, which is more than all other systems such as Drupal and Joomla combined. Over 75,000,000 websites use WordPress; put another way, almost 40.3% of the internet is powered by it. Known for its unparalleled impact on web standards, usability, and the internet at large, WordPress has spread like wildfire and is still growing. However, this widespread reach and growth have also left WordPress sites exposed to vulnerabilities. Statistics reveal that WordPress accounted for 90 percent of all hacked CMS sites in 2018! This article explains how, as a WordPress user, you can secure your site against hacking attempts.

Top reasons behind successful hacking attempts

Before we get into tips for securing our WordPress site, let’s have a look at statistics that reveal the weak spots which hackers targeted.

  • 41% are attributed to a vulnerability in the hosting platform
  • 29% came through vulnerable WordPress themes
  • 22% took advantage of security issues in WordPress plugins
  • 8% happened through weak login information

WordPress Security Checklist

Our technical experts recommend some of the best practices that are proven to secure a site from the above-mentioned threats.

  • Strengthen Your Computer Security

    A virus and malware scanner that scans your computer frequently is non-negotiable. Install a reliable firewall as well, possibly the one that was delivered with your OS.

  • Modify the WordPress Table Prefix

    In a standard installation, every table in the WordPress database starts with the prefix wp_. Because that prefix is predictable, change it to something arbitrary such as 8uh7dsgakm_.

  • Reliable and High-Rated Themes and Plugins

    When choosing plugins and themes, go for the ones that have a high rating and appear reliable. Also check when they were last updated. If a plugin or theme has not been updated for a long time, chances are that it’s more vulnerable due to unpatched security loopholes.

  • Keep WordPress Versions and Plugins Up to Date

    Updated versions of WordPress don’t just bring new features; they also fix security holes identified in earlier versions.

  • Use Strong Login Credentials

    A very common way to protect your WordPress account is to use safe and strong login information instead of the default username. Make your password as strong as possible.

  • Change the Login Error Alerts

    If someone tries to log into your site with wrong credentials, WordPress will alert them whether the problem is with the username or password. This gives away half of the information, making it easier to hack into an account.

  • Enable Two-factor Authentication

    Two-factor authentication adds an extra step for people logging into your site. An example is having to enter a validation code delivered to a mobile phone. Though it takes a little more effort, it helps to block automated attacks.

  • Change the WordPress Login URL

    Another way to keep the WordPress login page safe is to hide it. You usually reach the login page via or Move it to a different URL address instead of wp-admin.

  • Disable XML-RPC

    This acronym is the name of a feature that allows connecting to WordPress remotely. For example, blogging clients use it, and it’s also used for trackbacks and pingbacks. Unfortunately, it’s also sometimes the target of hackers, which is why you should protect it with the Disable XML-RPC Pingback plugin.

  • Automatically Keep Your Site Up to Date

    Automatic updates should be enabled to keep the site up to date.

  • Add Security Keys

    WordPress security keys (SALTs) encrypt information stored in browser cookies. This way, they protect passwords and other sensitive information. These keys are phrases that are used to randomize this information, and they are stored inside wp-config.php.

  • Disable the Theme and Plugin Editor

    WordPress contains an internal editor for theme and plugin files that allows you to make changes to your site. Even though it can be useful in some situations, it also comes with a risk. The reason is that if somebody gains access to your site’s back end, they can use the editor to take out your website without even accessing your server.

  • Disable PHP Error Reporting

    When plugins or themes cause any error on your site, WordPress displays a message on your front end. This message may contain the path to the file that is causing the problem. Hackers can use this information to better understand the layout of your server and attack your site.

  • Restrict Admin Access to Specific IP Address

    By making changes in .htaccess, you can restrict access to your WordPress login page to a limited set of IP addresses. This way, only you can access it.

  • Lock Out Specific IP Addresses

    A similar technique is available to block IP addresses that try to break into your website. If you notice such incidents (from your server logs, for example), you can lock them out of your site by configuring the .htaccess file.

  • Pay Attention to File Permissions

    Use the following file permissions on a WordPress site:

    • 755 or 750 for directories
    • 644 or 640 for files
    • 600 for wp-config.php
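
The permission list above can be checked mechanically. This is an added example, not part of the original post: a POSIX shell audit that reports every path deviating from those modes. The function names and the sample tree are constructed for illustration.

```sh
# Added example: audit a WordPress tree against the modes listed above.
# GNU stat first, BSD/macOS stat as fallback; prints the octal mode.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one "kind mode path" line per deviation; no output means compliant.
list_bad_perms() {
    root=$1
    cfg="$root/wp-config.php"
    # Directories: anything other than 755 or 750.
    find "$root" -type d ! -perm 755 ! -perm 750 -print |
        while IFS= read -r p; do echo "dir $(mode_of "$p") $p"; done
    # Regular files except wp-config.php: anything other than 644 or 640.
    find "$root" -type f ! -path "$cfg" ! -perm 644 ! -perm 640 -print |
        while IFS= read -r p; do echo "file $(mode_of "$p") $p"; done
    # wp-config.php holds database credentials and keys: exactly 600.
    if [ -f "$cfg" ] && [ "$(mode_of "$cfg")" != 600 ]; then
        echo "config $(mode_of "$cfg") $cfg"
    fi
}

# Constructed sample tree (not a real site) with three deliberate deviations.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    : > "$t/wp-content/uploads/logo.png"
    chmod 755 "$t" "$t/wp-content" "$t/wp-includes"
    chmod 644 "$t/index.php"
    chmod 777 "$t/wp-content/uploads"           # world-writable directory
    chmod 666 "$t/wp-content/uploads/logo.png"  # world-writable file
    chmod 644 "$t/wp-config.php"                # readable by other local users
    echo "$t"
}

sample=$(make_sample_tree)
list_bad_perms "$sample"
rm -rf "$sample"
```

Run `list_bad_perms` against the real document root from a scheduled job and alert on any output, since an update or a manual upload can silently reset modes.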


If you are concerned about securing your website against hackers, the tips mentioned in this article are a step in the right direction. Apart from following the important security measures mentioned above, to best protect yourself from attacks it is also very important to keep your website up to date and to keep abreast of the latest WordPress-related vulnerabilities.
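
Several checklist items (table prefix, security keys, automatic updates, the theme and plugin editor, PHP error display) come down to lines in wp-config.php. This is an added example, not part of the original post: a shell audit that flags those settings using regex matching rather than a PHP parser. The function names and sample file are constructed; `$table_prefix`, `DISALLOW_FILE_EDIT`, `WP_DEBUG`, `WP_DEBUG_DISPLAY` and `AUTOMATIC_UPDATER_DISABLED` are WordPress's own names, which the post does not spell out.

```sh
# Added example: heuristic wp-config.php audit (regex matching, not a PHP parser).
s='[[:space:]]*'   # optional whitespace
q="['\"]"          # either quote character

# True if the file has an uncommented define('NAME', VALUE); VALUE is an ERE.
has_define() {
    grep -Ev "^${s}(//|#)" "$1" |
        grep -Eiq "define\(${s}${q}$2${q}${s},${s}$3${s}\)"
}

# Print one finding per line; no output means every check passed.
audit_wp_config() {
    f=$1
    if grep -Eq "^${s}[\$]table_prefix${s}=${s}${q}wp_${q}" "$f"; then
        echo "table_prefix: still the default wp_"
    fi
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        if ! has_define "$f" "$k" "'[^']+'" ||
           has_define "$f" "$k" "'put your unique phrase here'"; then
            echo "$k: missing or still the sample placeholder"
        fi
    done
    if ! has_define "$f" DISALLOW_FILE_EDIT true; then
        echo "DISALLOW_FILE_EDIT: theme and plugin editor is enabled"
    fi
    if has_define "$f" WP_DEBUG true && ! has_define "$f" WP_DEBUG_DISPLAY false; then
        echo "WP_DEBUG_DISPLAY: errors can be shown on the front end"
    fi
    if has_define "$f" AUTOMATIC_UPDATER_DISABLED true; then
        echo "AUTOMATIC_UPDATER_DISABLED: automatic updates are off"
    fi
}

# Constructed sample configuration, not taken from a real site.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
$table_prefix = 'wp_';
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', true );
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
audit_wp_config "$cfg"
rm -f "$cfg"
```

Settings placed inside `/* ... */` block comments or built from variables are not recognised, so treat a clean result as a first pass rather than proof.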

The post How to Secure WordPress Site Against Hacking Attempts: Quick Tips appeared first on [x]cube LABS.
