Published: 15 February 2016

You may already know that WordPress is the world's most popular open source content management platform. There are around 70 million active WordPress sites on the Web today, which equates to approximately one fifth of all websites online. That's a lot of WordPress sites!

Not surprisingly, then, WordPress websites are the most targeted by cyber criminals as a means of distributing malicious code. On average, 30,000 WordPress websites are hacked every day. Cyber criminals run automated scanning tools that crawl the web looking for websites to infect, then deploy their malicious code to them. So if you haven't taken proper measures to prevent your WordPress website from being hacked, you could become the next victim.

You should follow these simple steps to harden your WordPress instance and ensure you are prepared in the event of an attack:

1. Update WordPress to the latest version and update all plugins
For me this is the most important step: it makes your WordPress instance less exposed to known vulnerabilities in the WordPress core code and files. Many attacks are the result of vulnerabilities in plugins, so it is equally important to update plugins with the latest patches, which may include security fixes. You can configure WordPress to update automatically when a new version is available. You may, however, prefer to install these updates manually to avoid any nasty surprises to your site layout, in case a plugin developer decides to strip out something from the plugin that you have relied on until now :( If you do decide to install updates manually, you need to do this as often as possible.
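Checking for and applying those updates can be scripted with WP-CLI, which is a convenient way to do it "as often as possible" from cron. The script below is an added example and is not part of the original post; it assumes WP-CLI is installed as `wp`, that `WP_PATH` points at the site root, and that the `report`/`apply` arguments are a convention of this script rather than of WP-CLI.

```shell
#!/bin/sh
# Added example (not from the original post): list pending WordPress core and
# plugin updates with WP-CLI, and optionally apply them.
# Assumptions: WP-CLI is installed as `wp`; WP_PATH is the site root.
WP_PATH="${WP_PATH:-/var/www/html}"

# Turn the CSV that `wp plugin list --update=available --format=csv
#   --fields=name,version,update_version` prints (read on stdin) into
# "name: installed -> available" lines. Exit status is 0 when nothing is
# pending and 1 when at least one update is listed, so cron can act on it.
pending_from_csv() {
    count=0
    while IFS=, read -r name version update_version; do
        [ "$name" = "name" ] && continue      # CSV header line
        [ -z "$name" ] && continue            # blank trailing line
        printf '%s: %s -> %s\n' "$name" "$version" "$update_version"
        count=$((count + 1))
    done
    [ "$count" -eq 0 ]
}

# Report what is outdated without changing anything.
report_updates() {
    echo "== core =="
    wp core check-update --path="$WP_PATH"
    echo "== plugins =="
    wp plugin list --update=available --format=csv \
        --fields=name,version,update_version --path="$WP_PATH" | pending_from_csv
}

# Apply everything. Only run this once a backup has completed (see step 3).
apply_updates() {
    wp core update --path="$WP_PATH"
    wp core update-db --path="$WP_PATH"
    wp plugin update --all --path="$WP_PATH"
    wp theme update --all --path="$WP_PATH"
}

# Invoke as `wp-updates.sh report` or `wp-updates.sh apply`.
case "${1:-}" in
    report) report_updates ;;
    apply)  apply_updates ;;
esac
```

If you would rather let WordPress handle core updates itself, the `WP_AUTO_UPDATE_CORE` constant in wp-config.php (set to `true`) enables automatic core updates; the script's `report` mode still tells you which plugins are waiting.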

2. Install the All In One WordPress Security and Firewall Plugin
There are a number of features in this plugin that allow you to "harden" your WordPress site through the plugin's control panel. You can review the admin user accounts, and you are advised to rename any user called 'admin' to increase security. Using 'admin' is bad practice, as is having duplicate login names. There is a password strength tool which encourages you to create strong, hard-to-crack passwords. You can also decide whether or not new user registrations are managed and added to the database manually.

You are also advised to change the database table prefix from the default wp_ prefix to something else. Although this is a good idea from the outset, be careful if you have coded any parts of the site against the default wp_ prefix, in case some inline SQL relies on it. In addition to database security, this plugin can schedule automatic backups of the WP database, which is always a good idea.
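The safe way to find that inline SQL before changing the prefix is to scan your own theme and plugin code for hard-coded wp_ table names. The script below is an added example, not code from the post or the plugin; it assumes your custom code lives under the directory you pass as its first argument, and the regular expression is a deliberately narrow heuristic (SQL keyword followed by a wp_ table name) so that ordinary WordPress function names such as wp_insert_post() are not reported.

```shell
#!/bin/sh
# Added example (not from the original post): before changing the table prefix,
# find theme or plugin code that hard-codes the default "wp_" table names in
# inline SQL. Assumption: the site's custom code lives under the directory
# passed as $1 (wp-content/themes and wp-content/plugins in a normal install).

# Match SQL table references such as "FROM wp_posts" or "UPDATE `wp_users`",
# but not ordinary WordPress function names such as wp_insert_post().
SQL_TABLE_RE="(FROM|JOIN|INTO|UPDATE)[[:space:]]+[\`'\"]?wp_[a-z_]+"

# Print file:line:text for every hard-coded reference under $1; always exits 0.
scan_hardcoded_prefix() {
    find "$1" -name '*.php' -exec grep -EinH "$SQL_TABLE_RE" {} + 2>/dev/null
    return 0
}

# Number of hard-coded references under $1, printed as a bare integer.
count_hardcoded_prefix() {
    scan_hardcoded_prefix "$1" | wc -l | tr -d ' '
}

# Guard for a deployment or migration script: succeed only when the tree is clean.
prefix_change_is_safe() {
    [ "$(count_hardcoded_prefix "$1")" -eq 0 ]
}

# Invoke as `check-prefix.sh /var/www/html/wp-content`.
if [ -n "${1:-}" ]; then
    scan_hardcoded_prefix "$1"
    if prefix_change_is_safe "$1"; then
        echo "No hard-coded wp_ table names under $1; the prefix can be changed."
    else
        echo "Rewrite the references above to use \$wpdb->prefix before changing the table prefix." >&2
        exit 1
    fi
fi
```

Every line the scan reports should be rewritten to build the table name from WordPress's own `$wpdb->prefix` property (for example `{$wpdb->prefix}posts`), after which the scan comes back clean and the prefix can be changed without breaking those queries.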

I won't repeat all of the features here, as you can find the full list on the plugin page above. There are some great security features which should be followed and practised when considering a new build or making existing sites more secure.

3. Backups, Backups, Backups
I've learnt over the years that in most cases where a site has been hacked, or someone has attempted to hack it, you will be hoping and relying on having a backup somewhere of the website files and databases from which you can restore the production site. Without backups it would be almost impossible to guarantee that the website can be restored to its original state before the hack. So always make sure backups are occurring frequently and that your server hasn't run out of disk space, which would cause the automatic backups to stop. Have backup-completed notifications emailed to you if you can, so you can keep track of them; you will soon notice if backups fail.
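A backup job that actually covers those failure modes (no disk space, a silently truncated dump, nobody told when it fails) looks roughly like the script below. It is an added example and not the post's own script or the plugin's backup feature; it assumes `mysqldump`, `tar` and `mail` are installed, that the MySQL credentials sit in a `[client]` section of a file named by `DB_CNF`, and that every path and the notification address are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site's files
# and database with the checks the post asks for: enough free disk space
# before starting, a sanity check that the dump completed, pruning of old
# copies, and an e-mail notification either way.
# Assumptions: mysqldump, tar and mail(1) are installed; the MySQL credentials
# live in a [client] section of the file named by DB_CNF (mode 0600); every
# path and address below is a placeholder to be replaced.
WP_PATH="${WP_PATH:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
DB_CNF="${DB_CNF:-/root/.wp-backup.cnf}"
NOTIFY="${NOTIFY:-admin@example.com}"
KEEP_DAYS="${KEEP_DAYS:-14}"
MIN_FREE_MB="${MIN_FREE_MB:-1024}"

# Read a define('KEY', 'value') constant out of wp-config.php ($2, defaulting
# to the site's own file), e.g. `wp_config_value DB_NAME`.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "${2:-$WP_PATH/wp-config.php}"
}

# Free space in MB on the filesystem holding $1.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Succeed only if $1 has at least $2 MB free: "disk full, backups quietly
# stopped" is exactly the failure the post warns about.
enough_space() {
    [ "$(free_mb "$1")" -ge "$2" ]
}

# A dump is only trustworthy if it is non-empty and ends with the
# "-- Dump completed" line that mysqldump writes last.
dump_is_complete() {
    [ -s "$1" ] && tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# Remove backups in $1 older than $2 days, printing each path removed.
prune_old_backups() {
    find "$1" -maxdepth 1 -name 'wp-*' -mtime +"$2" -print -exec rm -f {} \;
}

notify() {  # $1 = subject; body is read from stdin
    mail -s "$1" "$NOTIFY"
}

run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    db_out="$BACKUP_DIR/wp-db-$stamp.sql"
    files_out="$BACKUP_DIR/wp-files-$stamp.tar.gz"
    mkdir -p "$BACKUP_DIR"
    if ! enough_space "$BACKUP_DIR" "$MIN_FREE_MB"; then
        echo "aborted: less than $MIN_FREE_MB MB free in $BACKUP_DIR" | notify "WP backup FAILED"
        return 1
    fi
    # --defaults-extra-file keeps the password off the command line and out of `ps`.
    mysqldump --defaults-extra-file="$DB_CNF" --single-transaction \
        "$(wp_config_value DB_NAME)" > "$db_out"
    if ! dump_is_complete "$db_out"; then
        echo "aborted: $db_out is empty or truncated" | notify "WP backup FAILED"
        return 1
    fi
    tar -czf "$files_out" -C "$(dirname "$WP_PATH")" "$(basename "$WP_PATH")"
    pruned=$(prune_old_backups "$BACKUP_DIR" "$KEEP_DAYS")
    printf 'database: %s\nfiles: %s\npruned:\n%s\n' "$db_out" "$files_out" "$pruned" \
        | notify "WP backup OK $stamp"
}

# Invoke as `wp-backup.sh run` from cron; loading the file alone does nothing.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Two details worth keeping: `--defaults-extra-file` has to be the first option on the mysqldump command line, and the "FAILED" mail is sent before the script gives up, so a full disk or a truncated dump shows up in your inbox rather than as a backup that quietly never happened. Restore drills still matter: a backup you have never restored from is only a hope.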

Kartar Gill

Server-Side Developer
