Security Risks for WordPress and 10 Easy Mitigation Steps

Website security. Your website is your online property and you need to take the same approach to securing it as you do your ‘real world’ business premises.

Just as importantly, failing to properly secure your website makes the Internet less safe for other users, because you are helping cyber-criminals carry out their dirty tricks.

It makes you a poor net citizen.

Hacking Websites is a Growth Industry

Sadly, that’s true. It’s one of the few real growth industries around today. The graph below comes from WordFence and shows the trend of Brute Force attacks on WordPress websites in June 2017:

Graph of Brute Force attacks on WordPress in June 2017 from WordFence

Source: WordFence June 2017 WordPress attack report

Two things to notice:

  1. The average number of attacks on WordPress websites is slightly under 30 Million a day (yes, 30 million each day)
  2. The trend is climbing

Add to that the increasing number of widely reported attacks, such as the WannaCry attack that knocked out large sections of the NHS in the UK back in May, and the less widely reported but simple (and effective) phishing email attacks, and you have an online environment that is becoming less safe by the day.

There are countless reasons why someone would want to hack your website, but among the most common are:

  1. To plant hidden links on your website to one of their websites (in order to boost the search ranking of their website)
  2. To plant malware on your website that will infect the computers of anyone visiting it. That would give the hackers control over those computers, enabling them to add them to a botnet so they can carry out Denial of Service attacks, spread spam or use them as part of a ransomware attack
  3. To redirect your website visitors to one of theirs (often a porn site or similar) which could then also plant malware on the visitors’ computers

Visitors to your website won’t immediately notice the hidden links, but they’ll certainly notice (and not appreciate!) either of the other two.

Whatever the hackers’ reasons, the search engines will quickly find out when a site has been compromised and immediately blacklist it in their search indices.

And the numbers are startling: some time ago, Google reported that in March 2016 over 50 million websites were blacklisted – visitors were greeted with a warning that the site they were attempting to visit contained malware and they could go no further.

If your website becomes one of those 50 million it will ‘go dark’ – no one will be able to reach it.

Cyber crime is growing in both volume and sophistication. Whether you have a small blog or you’re running the Democratic Party’s IT infrastructure, your website is fair game for all hackers everywhere.

And if you don’t take steps to keep it secure you’re aiding and abetting those criminals.

Security on WordPress websites

At Abledragon we build all websites on the WordPress platform.

There are many reasons for that, including usability, the quality of the underlying code, the flexibility of the platform and the ease with which you can update your own site after it has been launched. WordPress, in fact, now powers more than 27% of all websites on the Web.

However, that does have a bit of a downside:

Just as the Internet Explorer web browser, and Microsoft-based computers in general, are the focus of attention from hackers simply because they have such a dominant market position, the same goes for WordPress.

As a result, the WordPress development team is highly responsive to new security threats and issues software updates as soon as a loophole is exposed (just as Microsoft does with its operating systems and browser).

The result is that almost all successful hacking attempts on WordPress-based websites succeed only because the webmaster did not apply the security updates.

Additionally, though, there are some extra steps that we at Abledragon take whenever we set up a new WordPress-based website.

None of them will guarantee the security of the site – no one can ever guarantee a site won’t be hacked – but they do make the hacking job more difficult and, by and large, will foil most automated hacking attempts (which account for more than 90% of all hacking attempts).

10 easy safety precautions for WordPress websites

Here are some simple safety precautions anyone can take to strengthen their WordPress website against hackers:

  1. Use strong usernames. WordPress enables you to use some symbols in usernames, as well as numbers and letters (both lower and upper case).
  2. Use strong passwords. WordPress now has an option to enforce strong passwords and generates them automatically. Use that feature and be sure to copy the generated password before saving your profile.
  3. Do not use your browser to save/store passwords. They are not encrypted.
  4. Do use a password manager. They encrypt your passwords and enable you to access all your sites with one click.
  5. Do not use the same password twice. The moment you do that it is no longer secure.
  6. Move your site to HTTPS. This does not make your site itself more secure, but it encrypts your username and password between your browser and the server, so preventing anyone from stealing them when you log in. This is also a requirement if you are running a shop on your site where you are capturing customers’ details.
  7. Make regular full-site backups of your website. This will enable you to restore the site quickly when it is hacked.
  8. Install a good security plugin – iThemes Security and WordFence are two excellent security plugins, and we have used both with great results.
  9. Make sure you update all software on your site as soon as updates are available. That includes plugins, themes and the WordPress core.
  10. Make sure you secure other elements that can impact your online security – such as your computer. (More details here)
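The brute-force login attempts counted in the WordFence graph above are what a security plugin (point 8) watches for on your own site. As an added illustration, not code from this article or from any plugin, the script below reads web-server access-log lines and flags source addresses with repeated failed logins. It relies on two facts about WordPress: a failed login re-renders wp-login.php with HTTP 200, while a successful one answers with a 302 redirect. The log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2017:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2017:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2017:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2017:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2017:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2017:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2017:10:02:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2017:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.5"
192.0.2.9 - - [12/Jun/2017:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(log_text):
    """Return (ip, timestamp) for every POST to wp-login.php answered with 200.
    WordPress re-renders the login form (200) on a bad password and redirects
    (302) on success, so a 200 here is a failed attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] == "POST" and m["path"].split("?")[0] == "/wp-login.php" and m["status"] == "200":
            hits.append((m["ip"], datetime.strptime(m["ts"], TS_FMT)))
    return hits


def brute_force_sources(log_text, threshold=5, window_minutes=10):
    """Map each IP to its peak number of failed logins inside any sliding
    window of window_minutes, keeping only IPs at or above threshold."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_minutes * 60:
                start += 1  # slide the window forward past old attempts
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

On the sample above only 203.0.113.7 is flagged (5 failures in 5 seconds); the two slow attempts from 192.0.2.9 fall below the threshold, which is why the window and threshold should be tuned to your site's normal login rate.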

Undertaking those steps does not require any special expertise. However, there are additional steps that we at Abledragon take whenever we build a site or take over the maintenance of an existing site.

For more details on how we can improve the security of your WordPress site click here.

Fixing a hacked website

If a site is hacked the surest way of cleaning it up completely is to delete the entire site and re-install it from a clean backup. This is why we are so fastidious about checking all sites under our management each day and keeping absolutely up-to-date, clean, full-site backups.

Once a hacked site has been restored you then need to change all your passwords and check your computer for any malware that may have stolen your passwords and passed them back to the hackers. See point 10 earlier!

You will also need to submit a ‘site reconsideration’ request to Google and Bing in order to get your site removed from the blacklists.


Your website should be bringing you new business if it’s doing its job properly, but it’s not a set-and-forget activity.

It needs proper, disciplined and regular maintenance and monitoring – you need to have the same attitude to the security of your website as you do to the security of your every-day business premises.

If you don’t, and your site is hacked, it will be removed from the search results killing off the stream of new business that it should be bringing you.

As I mentioned earlier, we at Abledragon build additional security measures into every WordPress site we build. We also offer a security monitoring, software maintenance and technical support service that is designed to keep your site running safely and securely and to minimise any downtime. For more details click here.

If you have any questions or need me to clarify anything please get in touch.

Martin Malden.

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed. Successful Abledragon projects.