Keys to WordPress Security


Using an open source CMS like WordPress makes sense for many businesses from a cost and flexibility standpoint. However, there can be pitfalls to using an open source solution. Make sure you are vigilant about WordPress security.


So you have put time and money into building the perfect WordPress website for your company and the hard work paid off – it’s perfect and is getting you new business! Now it’s time to sit back and ride the wave while you turn your attention to other aspects of your business right?

Not Quite. 

WordPress is a great platform: many people can develop a website on it, so it is easy to find a developer; it is versatile enough to cover many different requirements; there are thousands of plugins that give you instant functionality; it is open source, so you can customize it completely; and it is free. However, because the code is open and free, attackers can get at it just as easily and comb through it for security vulnerabilities. Most plugins are written by third parties, so their code may not be as carefully reviewed as the core files, and plugins are a common source of WordPress security issues. And since it is so easy to use, WordPress runs a huge share of the web (26.7% of websites, and 58.9% of websites that use a CMS, as of September 1, 2016 [3]).

In 2015, WordPress websites faced 250 times more attacks than non-CMS websites [2], and 25% of hacked sites were running software more than a year out of date, with updates available that would have prevented the breach [1]. These attacks are automated: once written, they scan the whole internet looking for sites with the specific security holes they need. So even if you are a small business, you are just as much a target as the 'big guys' running WordPress.

To protect your website, the WordPress team and many plugin developers constantly release updates to their code, patching vulnerabilities and adding new features. Updates can come out every few days, so it is likely that a few have already accumulated since you started the project. Only 33.5% of WordPress websites were current as of October 2016 [4], which leaves a lot of opportunity out there for attackers.

What do WordPress security threats mean for you?  

To protect your website from being hacked, you need to keep your site updated and keep current backups. However, that is easier said than done. It is easy to put updates on the back burner because everything looks fine on the website. Then a few weeks turns into a few months, which turns into a few years, and your site is badly outdated and full of security holes. It also becomes a lot harder to update, and the risk of breaking something increases, so you will likely end up dealing with code fixes as well.

What can you do? 

Update, Update, Update! You do not necessarily have to apply every update the day it comes out, because you would be working on your site almost daily, but at least do them a few times per year, and apply a fix for a publicly disclosed vulnerability as soon as it is released. It also helps to sign up for alerts from security sites that track vulnerable plugins. Then if a vulnerability is announced in a plugin you have installed, you know about it and can update right away instead of waiting for your next scheduled round.
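The easiest way to stop updates from slipping is to have the site tell you when they pile up. The following must-use plugin is an added example (it is not Carbon8's code or part of this post): it uses the WordPress update cache that the dashboard itself relies on and emails the admin address once a day when any plugin has an update available. The hook name `opa_daily_update_check`, the function names and the daily schedule are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Outdated Plugin Alert (added example)
 * Description: Emails the site admin once a day listing plugins with updates available.
 * Drop this file in wp-content/mu-plugins/ (must-use plugins load automatically).
 */

// Hypothetical cron hook name; any unique string works.
const OPA_CRON_HOOK = 'opa_daily_update_check';

// Schedule the daily job once. WP-Cron only fires when the site gets traffic, so on a
// quiet site point a real cron job at wp-cron.php to make the schedule reliable.
add_action('init', function () {
    if (! wp_next_scheduled(OPA_CRON_HOOK)) {
        wp_schedule_event(time(), 'daily', OPA_CRON_HOOK);
    }
});

// Build the report: plugin file => [name, installed version, available version].
function opa_outdated_plugins() {
    if (! function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    wp_update_plugins();                        // refresh the update cache from wordpress.org
    $updates   = get_site_transient('update_plugins');
    $installed = get_plugins();                 // every installed plugin, keyed by plugin file
    $report    = [];
    if (! empty($updates->response)) {          // ->response only lists plugins with an update
        foreach ($updates->response as $file => $info) {
            $report[$file] = [
                'name'      => $installed[$file]['Name'] ?? $file,
                'installed' => $installed[$file]['Version'] ?? '?',
                'available' => $info->new_version,
            ];
        }
    }
    return $report;
}

add_action(OPA_CRON_HOOK, function () {
    $report = opa_outdated_plugins();
    if (empty($report)) {
        return;                                 // nothing outdated, stay quiet
    }
    $lines = [];
    foreach ($report as $file => $r) {
        $lines[] = sprintf('%s: %s -> %s (%s)', $r['name'], $r['installed'], $r['available'], $file);
    }
    wp_mail(
        get_option('admin_email'),
        sprintf('[%s] %d plugin update(s) available', get_bloginfo('name'), count($report)),
        implode("\n", $lines) . "\n\nUpdate from the dashboard or with: wp plugin update --all\n"
    );
});
```

The report only knows what wordpress.org knows, so a plugin installed from somewhere else, or one whose author has stopped publishing releases, will never show up here; that is one more reason to prefer actively maintained plugins from the official directory.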
In addition to updating, there are a few other things you can do to help. 

  1. Use a security plugin to help prevent and detect malicious code. It can lock an address out after too many failed login attempts or after attempts with usernames that do not exist. If the site does get infected, it can also tell you which files were changed and what needs to be fixed.
  2. Move your login page so it is not at yourwebsite.com/wp-login.php. This cuts down the automated login attempts hitting the default URL. It is obscurity rather than a fix, though: scanners also recognize WordPress from /wp-content/ paths, /xmlrpc.php and the REST API, so pair it with the lockout above rather than relying on it alone.
  3. Don't use common usernames like 'admin', since that is the first username an attacker will try.
  4. Use a strong password that is unique to the site: 8+ characters with lower and uppercase letters, symbols, and numbers.
  5. Don't install plugins that are not being actively maintained. If a vulnerability is found, nobody will fix it and you will have to replace the plugin anyway to protect your site.
  6. Only download plugins from legitimate sources. Most third-party sites that offer huge discounts on paid plugins, or even free copies, are not something you want on your site; a lot of the time the download already contains malicious code.
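To show what items 1 and 3 look like underneath a security plugin, here is an added example must-use plugin (not Carbon8's code or part of this post). It counts failed logins per client address and username in a WordPress transient, refuses to authenticate that pair once the limit is hit, and uses the core `illegal_user_logins` filter so nobody can create an account named 'admin'. The limits (5 failures in 15 minutes), the `llo_` prefix and the function names are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Login Lockout (added example)
 * Description: Locks an address/username pair out after repeated failed logins and
 *              refuses 'admin' as a username for new accounts.
 * Drop this file in wp-content/mu-plugins/ (must-use plugins load automatically).
 */

// Assumed policy: 5 failures within 15 minutes locks that address/username pair.
const LLO_MAX_ATTEMPTS = 5;
const LLO_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Transient key for this client and username. REMOTE_ADDR is used deliberately:
// X-Forwarded-For is attacker-controlled unless a proxy you trust overwrites it.
function llo_key($username) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'llo_' . md5($ip . '|' . strtolower($username));
}

function llo_attempts($username) {
    return (int) get_transient(llo_key($username));   // false (no transient) casts to 0
}

// Count every failure: a wrong password and an unknown username both fire this action,
// so guessing usernames costs attempts too. Each failure restarts the 15-minute window.
add_action('wp_login_failed', function ($username) {
    set_transient(llo_key($username), llo_attempts($username) + 1, LLO_WINDOW);
}, 10, 1);

// Refuse to authenticate a locked-out pair, even with the right password. Priority 30
// runs after the core username/password check (priority 20), which would otherwise
// overwrite an earlier WP_Error with its own result.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username !== '' && llo_attempts($username) >= LLO_MAX_ATTEMPTS) {
        return new WP_Error('llo_locked', __('Too many failed login attempts. Try again in 15 minutes.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that pair.
add_action('wp_login', function ($user_login) {
    delete_transient(llo_key($user_login));
}, 10, 1);

// Item 3: core consults this list in wp_insert_user() and on registration, so an
// account with one of these names can no longer be created or renamed into.
add_filter('illegal_user_logins', function ($logins) {
    return array_merge($logins, ['admin', 'administrator', 'root']);
});
```

Because `wp_authenticate()` is also what xmlrpc.php uses, the lockout covers XML-RPC login attempts as well as the form at wp-login.php. Its limits are per address, so a botnet spreading guesses across many addresses still gets through slowly, and an office behind one shared address can lock itself out; that is the trade-off every login-lockout plugin makes, and why strong, unique passwords (item 4) still matter.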

Another option? Have Carbon8 help you! For a small monthly fee, we will keep your website updated on a regular basis, and when there is a known plugin fix that you need, we apply it right away. We also check your site after each update to make sure nothing broke, and verify that backups are being made just in case. We can also help with the list above, making sure your site has a WordPress security plugin installed, that you are not using wp-login.php for your login page, and other security measures. All you have to do is focus on what you do best: running your company!

Give us a call if you want to learn more!  


  [1] https://sucuri.net/website-security/website-hacked-report
  [2] https://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed6.pdf
  [3] https://w3techs.com/
  [4] https://wordpress.org/about/stats/
Katie Phillips

Katie Phillips is a Frontend Developer at Carbon8. In between coding websites, you can find her working to find a cost effective, creative solution to whatever clients dream up.

Prior to Carbon8, Katie worked on the development team at a Denver design agency. She has worked on projects ranging from nationwide buying groups for office supplies to small startups across the country.

Katie graduated from Creighton University with a degree in Graphic Design and minors in French and Interactive Web Design. Even though she started out as a web designer, Katie quickly found a passion for building websites as well. In her spare time, you can find Katie reading a book, skiing in Winter Park, or diving down to a shipwreck in the Caribbean.
