WordPress Security Issues


For every new WordPress website I am hired to build, I include addressing WordPress security issues in the web development quote. When I start a new project, the first thing I do after installing WordPress is fully secure it. I do this before installing a WordPress theme or installing any plugins.

Is WordPress Secure “Out Of The Box”? – NO.

Because of this, WordPress sometimes gets bad press about not being secure. With just a little bit of effort up front though, WordPress security issues can be easily prevented.

It is staggering how many WordPress sites get hacked on a regular basis, I suppose due to ignorance or laziness about taking the proper steps to secure and maintain WordPress.

Can WordPress be secured so it is less likely to get hacked? – YES.

I say less likely because I simply cannot guarantee it won’t ever happen. Securing WordPress is not a one-time thing that you can “set and forget”. Things should be done to harden and secure WordPress when you first install and configure it, and ongoing WordPress maintenance needs to be done to keep your website secure.

Compare it to buying a new computer. Initially, you most likely create a recovery disk and install antivirus software before you start customizing your desktop and installing applications. Common practice is to update your antivirus definitions and run virus scans regularly. Operating systems push updates to protect your computer from known vulnerabilities. You should also update programs you have installed when new updates are available.

Similar practices should be followed when you run a WordPress website. You need to secure WordPress to keep your website safe.

Are You Going To Be Proactive Or Reactive?

I mentioned basic things you should do when you set up a new computer. Whether you actually do these things or not is your choice. If you haven’t, you probably have not lost a hard drive or gotten hacked yet. It’s a hard lesson to learn.

Building a website for your business and then not properly protecting it could potentially ruin your business. If your website gets hacked beyond repair, you have to start over building a new website (unless you have a current backup). Your site could be down for weeks, or even months while it is rebuilt. Again, a hard lesson to learn.

People often hire me as a freelancer to fix hacked WordPress websites and then secure WordPress so it does not continue to happen. My advice is to be proactive rather than reactive by hardening WordPress up front.

I have cleaned numerous website virus infections and secured even more sites. Proactively addressing potential vulnerabilities before they become an issue is the way to go.

As I said though, doing this once and forgetting about it will not keep your website secure.

WordPress releases updates for the core code on a regular basis. These updates may include new features, bug fixes and/or fixes for security vulnerabilities. WordPress is popular: over 75 million websites run on it! So when word gets out that there is a code vulnerability, hackers attack quickly and en masse. WordPress plugins have the same issue. You need to monitor and update them regularly too.

How To Avoid WordPress Security Issues.

Harden WordPress

When you harden WordPress, you are securing the overall installation.

Ongoing Maintenance

Keep WordPress core code, plugins and themes updated on an ongoing basis. Updates are released constantly. Depending on how many plugins you have installed, new updates could be released daily.

Updating WordPress code and plugins can be as simple as clicking a button.

Clicking the update button is simple enough. What happens to your site after that finishes can create problems. When I update WordPress I do the following:

  • Make a full code and database backup.
  • Make a copy of the website and make all updates on the copy first, so they can be tested there.
  • Review each plugin’s changelog to see if it will potentially cause problems or conflicts with other installed plugins.
  • Review the WordPress theme and version for potential updates and compatibility.
  • Update plugins and test the website copy.
  • If all is good, then I make the WordPress updates on the live site.

Security maintenance needs to be part of any site owner’s website maintenance plan.

Hiring a web developer who is experienced with security issues to maintain your website can save you time, money and lots of frustration. WordPress maintenance plans address security and maintenance by keeping code updated. If you don’t know how to maintain your site, consider a maintenance plan.

Read more about WordPress security services to keep your site secured and error free all of the time.

Security Tips for WordPress

WordPress Security Checklist

WordPress security is not optional. If you don’t secure your WordPress website you will most likely get hacked. For the small investment of time (or cost if you hire a WordPress developer to secure your website for you), it will save you time, money and aggravation down the road.

This checklist is meant to target a non-technical user, not a WordPress developer. There are a lot of things not on this list that should be, but without the technical knowledge, I don’t feel it is worth going into here. Hire a WordPress Developer to properly secure your site.

  • Use quality web hosting services.
  • Keep WordPress core code updated.
  • Keep plugins up to date.
  • Delete inactive plugins you are not using.
  • Delete WordPress themes that are not active.
  • If you are using the username “admin”, stop. Create a new user with the role of Administrator and then delete the old one. (In this order: create the new user first, delete the admin user second.)
  • Use a strong password. (Min 8 characters, upper and lower case letters, numbers and symbols.) (This advice applies to all passwords for anything, not just WordPress)
  • Change your password regularly. (This advice applies to all passwords for anything, not just WordPress)
  • Don’t use your WordPress password for anything else. (This advice applies to all passwords for anything, not just WordPress)
  • Use HTTPS on your admin side to encrypt data submitted. (These days it’s recommended to use HTTPS on the front end too)
  • Back up your code AND database regularly. Do not leave the backup on your web server. Download it or store it on a cloud service like Dropbox or Google Drive. I recommend Updraft Plus for this.
  • There are a lot of security plugins out there. I recommend the Solid Security plugin because you can do almost everything from it and not have to install separate plugins for different security features. Warning though – misconfiguring this plugin will lock you out of your site. Hire a WordPress developer to set this up for you.
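
The checklist items that can be read straight out of an installation (the “admin” username, inactive plugins and themes, pending updates) can be checked on a schedule with WP-CLI. The script below is an added example, not part of the original checklist; it assumes WP-CLI is installed as `wp` and is run from the WordPress directory, and the function names are illustrative.

```shell
#!/bin/sh
# Read-only checklist audit with WP-CLI (added example; changes nothing on the site).
# Assumption: `wp` is WP-CLI and the current directory is the WordPress root.

# Prefix every non-empty line on stdin with a finding label.
label() { awk -v l="$1" 'NF { print l ": " $0 }'; }

# Checklist: stop using the username "admin" for an Administrator account.
check_admin_user() {
  wp user list --role=administrator --field=user_login \
    | grep -ix 'admin' | label 'default admin username in use'
}

# Checklist: delete inactive plugins and themes.
# The parent of an active child theme has status "parent", so it is not listed here.
check_inactive() {
  wp plugin list --status=inactive --field=name | label 'inactive plugin'
  wp theme list --status=inactive --field=name | label 'inactive theme'
}

# Checklist: keep core, plugins and themes updated.
# Only version-like lines count, so a "latest version" status message is ignored.
check_updates() {
  wp core check-update --field=version \
    | grep -E '^[0-9]+(\.[0-9]+)+' | label 'core update available'
  wp plugin list --update=available --field=name | label 'plugin update available'
  wp theme list --update=available --field=name | label 'theme update available'
}

# Run all checks. Returns 0 when clean, 1 with findings, 2 if WP-CLI is missing.
audit() {
  command -v wp >/dev/null 2>&1 || { echo 'WP-CLI (wp) not found' >&2; return 2; }
  findings=$(check_admin_user; check_inactive; check_updates)
  if [ -z "$findings" ]; then
    echo 'OK: no findings'
    return 0
  fi
  printf '%s\n' "$findings"
  return 1
}

# Execute only when invoked as: sh wp-audit.sh run
if [ "${1:-}" = run ]; then audit; fi
```

The non-zero exit status on findings lets a cron job or monitoring check raise an alert. Passwords, HTTPS and off-server backups still need to be reviewed by hand.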

Keep in mind that, to keep WordPress secure, this is not a one-time checklist to do and forget. All of these items need to be reviewed and updated regularly. Many people don’t take the time to keep WordPress secured and ignore it until the site crashes. I promote proactive, regular WordPress maintenance services vs panic mode when your site goes down.
