How to Protect Your WordPress Website from Common Security Threats & Vulnerabilities

Whether you manage a WordPress website for personal reasons or to make a profit, you want it to be protected from all kinds of cyberattacks and online vulnerabilities. In this blog, you will learn some of the most effective tips on succeeding in that endeavour.

Using Strong Passwords

Passwords are your first line of defense against cyberattacks. So, make sure you use strong passwords for your server and website’s admin services.

Your passwords should include both uppercase and lowercase letters, special symbols ($, %, ^, etc.), and some digits. Basically, you want them to look as cryptic as possible. It’s also highly recommended that use a password manager to generate as many unique passwords as you need and store them all in a secured vault. Some of the best password managers come with the following features:

  • Unlimited password storage
  • Cloud backup
  • Secure note-taking
  • Auto form fillers
  • Strong encryption technology viz. AES-256 bit encryption

Preventing SQL Injection Attacks

SQL injection attacks are cyberattacks in which an attacker uses a URL parameter or a web form file to access your website’s database. If you are using standard Transact SQL, then an attacker can insert a snippet of code into a query that allows them to change tables, access or delete data. However, this can be easily prevented by using parameterized queries. The majority of web languages support it and it’s easy to implement too.

To take an example, consider the following query:

“SELECT * FROM table WHERE column = ‘” + parameter + “‘;”

If someone changes the URL to pass in ‘ or ‘1’=’1 this will turn the query into:

“SELECT * FROM table WHERE column = ” OR ‘1’=’1′;”

Since ‘1’ equals ‘1’, it allows the cybercriminal to add a new query to the end of the SQL statement. To fix this vulnerability, you should parameterise the query. So, if you are using MySQLi in PHP, the query should look like:

$stmt = $pdo->prepare(‘SELECT * FROM table WHERE column = :value’);

$stmt->execute(array(‘value’ => $parameter));

Installing WordPress Security Plugins

Just like there are a variety of eCommerce and SEO WordPress plugins to enhance your website, there are dedicated plugins for security as well. Some good examples include:

  • 6Scan Security: 6Scan offers a comprehensive rule-based protection for a WordPress website and fixes a variety of security vulnerabilities automatically. It’s frequently updated which is a big plus, and the fact that it covers all the major attacks including brute force attacks, CSRF, SQL injection, remote file inclusion, etc. ensures that your website is provided with an all-round
  • Sucuri Security: Sucuri Security is another popular WordPress plugin from the reputed website security and auditing company Sucuri. It offers protection against zero-day exploits, brute force attacks, DOS attacks, etc. It also offers blacklist monitoring, website firewall protection, and malware scanning. A noted advantage that makes it better than other plugins is that it keeps a log of all the activities of your website and uploads the same on a cloud for you to access and review. Although the plugin itself is completely free, you can enjoy a higher level of security by investing in its premium service.
  • WordFence: WordFence is a firewall, security scanner, and other essential security tools bundled into a single plugin. It protects your website at the endpoint, blocks malicious code or content with an integrated malware scanner, and rejects all requests from malicious IPs using real-time IP blacklist service. It’s also capable of repairing damaged core and theme files and even reports the changes to you. What’s more, these are only some of the features that it has to offer. Its actual range of services is much wider that make it an excellent tool for your website’s security.

Keeping WordPress, Plugins, and Themes Up to Date

In 2016, when the “Panama Papers” breach which involved a cyberattack against the Panamanian law firm Mossack Fonseca made headlines around the world, it left the top IT firms and security experts dumbfounded. This is because the main cause of the attack was merely an outdated web server software Drupal and WordPress!

When an older version of WordPress software can allow an attacker to wreak havoc on one of the world’s biggest providers of offshore financial services, you can only imagine what it can do to a standard WordPress website that’s managed by an individual or a small team. So, it cannot be emphasized enough that you must keep your WordPress software as well as the plugins and themes used up to date at all times.

Understanding File Permissions and Setting Them Up Properly

Your WordPress website comprises a number of files which include plugin files, media files, design files, etc. If an important file is granted a wrong permission, especially the execute permission which grants full control, then it can expose a vulnerability for an attacker to exploit. So, it’s a good idea to learn how the permission mode works and how you can change the permissions on the go.

A file can have the following permissions:

  • Read: Allows access to a file in which you can view its contents
  • Write: Allows access to a file in which you can view as well as modify its contents
  • Execute: Allows access to a file in which you can run scripts contained in it

These permissions can be granted to the following groups:

  • User: Owner of the website
  • Group: Your team that can access the website
  • World: Public that accesses your website via the Internet

Image Source

To allocate different permissions to the users, a coding system is used in which the permissions are denoted by different digits. This can be better understood by the actual values which are given below:

  • 0- no access
  • 1- execute
  • 2- write
  • 3- write and execute
  • 4- read
  • 5- read and execute
  • 6- read and write
  • 7- read, write and execute

You can also refer to the image above to understand how different groups have different permissions.

The permissions are granted in the sequence of three digits such as 644 or 777 which are called permission mode. The first digit determines the permission for the user of the account or the owner, second digit the other users in the owner’s group, and the third the website visitors. So, if a file has the permission mode 644, it means that the owner has access to read and write permission, group the read permission, and the world the read permission as well.

Most of the FTP clients offer an interface through which you can change the permission modes easily. If that feature is not available and you have the access to your server’s terminal, then you can use the chmod command to change the permission mode of a file or folder. The syntax for the same is as follows:

sudo chmod 644 <file>


Building a quality WordPress website takes a lot of time and effort. You often have to burn the candle at both ends to acquire enough customers/visitors to make the website a success. The last thing you want is some hacker in some remote location destroying your labor of love singlehandedly. Thus, take note of the information above and take appropriate measures as soon as possible. Remember- you can’t be too careful.

Looking for hosting? WPEngine offers secure managed WordPress hosting. You’ll get expert WordPress support, automatic backups, and caching for fast page loads.

Divi WordPress Theme