Keeping WordPress Safe – Security 101

Keeping WordPress Safe – Security 101

Like most website owners, security was never top of my priorities. It was only when one of my websites was hacked that I realized how common it was for websites to be compromised by malicious parties.

As the most popular web publishing platform on the internet (by a large margin), WordPress is a popular target for hackers and spammers. WordPress is known for being one of the most user-friendly website platforms available online, but out of the box WordPress is terribly vulnerable to attacks.

According to WP White Security, more than 70% of WordPress installations are vulnerable to hacker attacks and the total number of hacked WordPress websites in 2012 was a whopping 170,000. This figure is growing every year.

You may be wondering why anyone would want to attack your website, particularly if you have a low traffic website; however the vast majority of hackers are not looking to steal your data or delete important files. What they want to do is use your server to send spam emails.

I experienced this myself last year. A friend of mine had built a small content website using WordPress and hosted it on my hosting plan. Unfortunately, my friend stopped updating the website, which meant that WordPress was outdated. This made it possible for hackers to upload a script that sent spam directly from my server.

Due to this, my server IP address was blacklisted by all major ISP’s and email services; therefore newsletters that I was sending from a website I owned were not being delivered. Thankfully, I was able to clean my IP address from blacklists by using the blacklist checker from MXToolBox, though the whole experience cost me a lot of time and money.

MXToolBox can check to see if your server has been blacklisted.

When it comes to website security, it pays to be proactive rather than reactive. Do not assume your website is secure because you have not been hacked in the past.

This article details what you need to do to make your WordPress website secure from threats. It has been divided into five main sections. Click of one the links below to skip ahead to the appropriate section:

I encourage you to bookmark this article for future reference as you will find it useful when you are securing other WordPress websites you develop :)

How Do Hackers Compromise Your Website?

It is important to understand how hackers gain entry into a WordPress website and have their wicked way. Although there are many different ways in which a hacker can break into a WordPress website, the main techniques can be grouped together into four categories. In an article last year, WP White Security reported the following statistics about hacked websites:

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress Theme they were using
  • 22% were hacked via a security issue in the WordPress Plugins they were using
  • 8% were hacked because they had a weak password

As you can see, 41% of attacks are caused by security issues within your hosting platform. This covers a lot of techniques, such as using a URL parameter to process an SQL injection. This technique allows the hacker to add code to your database, which can allow them to change data (e.g. your password), retrieve data, or delete data (i.e. delete all your posts and pages).

A whopping 51% of attacks were made through a WordPress plugin or theme. Hackers can do things such as insert an eval base 64 decode code which allows them to run a PHP function from your website (e.g. to send spam). They may also leave a backdoor somewhere on your website. This is a technique they use to get access to your website in the future, even when you believe you have deleted all malicious files.

Last on the list is a weak password. Hackers continue to gain access in this way by using automated scripts that continually guess passwords until they gain entry; a technique that is known as brute force.

WordPress Security Best Practices

Hackers are not looking for a long battle to gain access to a website. They specifically go after WordPress websites that are vulnerable because of security holes. You can therefore effectively block 99.99% of attacks on your website by simply addressing these security issues.

In this section, I would like to walk through techniques that you can apply to your website in order to make it more secure. It should not take you more than 20 to 30 minutes to apply all of these techniques. All you have to do is modify a few key files such as .htaccess and wp-config.php. I will also speak about security best practices and recommend WordPress plugins that will help you make your website more secure.

Remember that prevention is better than the cure. If you follow the advice given in this section, a hacker will find it very difficult to gain access to your website in the first instance.

Host Your Website with a Good Hosting Company

With 41% of hacking attempts being caused by a security vulnerability on a hosting platform, it pays to host your website with a good quality hosting company. Look for a hosting company that places an emphasis on security. One that has:

  • Support for the latest versions of PHP and MySQL
  • Is optimized for running WordPress
  • Includes a WordPress optimized firewall
  • Has malware scanning and intrusive file detection
  • Trains their staff on important WordPress security issues

If you choose a shared hosting plan, make sure that your host provides account isolation. This ensures that one account cannot overload the server and cause problems for your website. Good hosting companies will also offer daily internal backups, but remember that you still need to backup externally regularly too (more on this later).

Choose a hosting company that places an emphasis on security, such as Pagely and their trademarked PRESSARMOR WordPress security system.

Important Installation Settings

WordPress Security Keys were first introduced in WordPress versions 2.5, 2.6, and 2.7. The keys improve encryption of the information that is stored in a visitor’s cookies. They will also make it harder to crack your password as it adds random elements to them. A salt key phrase is added to make it even more secure.

The keys can be changed in wp-config.php. This is an important configuration file that can be found in the root of your WordPress installation. If you have not added security keys to your wp-config.php file already, the code will look like this:

{code type=php}
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);

Eight keys and salts can be generated through the WordPress Salt Keys Generator. Once the code has been generated, you simply replace the code above with the unique generated phrases.

It will look something like this:

* Note that the above code is just an example. You should generate unique codes for your website.

WordPress applies a table prefix to all database tables. The default table prefix is wp_. For example, wp_posts, wp_terms etc. Changing the table prefix can help prevent SQL injection vulnerabilities as hackers will need to guess the prefix; which, in turn, will stop people from gaining control of your database.

You will find the table prefix in your wp-config.php file:

{code type=php}$table_prefix = ‘wp_’;

Simply change the table prefix to something obscure that no person or script could guess. For example:

{code type=php}$table_prefix = ‘asdfadsfa894sdms_’;

Changing the table prefix in your wp-config.php file will not automatically change the prefix of your WordPress tables if you have already installed WordPress. Therefore, if you are changing the table prefix on an existing website, you need to update your database too.

One of the quickest ways of doing this is to install the plugin Defender. The plugin can automatically do all the necessary changes for you.

Alternatively, you can do this manually. This is a more time consuming way to change the table prefix, however it may be necessary for you to do this if you cannot do it automatically via a security plugin.

There are two methods available to you through PHPMyAdmin (the process will be almost identical with other database managers). The first method is to use an SQL query to rename each table. Below is an example of how this is done:

{code type=php}RENAME table `wp_links` TO `newprefix_links`;

Obviously, you would change the reference to newprefix in the above example to the prefix you have defined in wp-config.php.

You need to run the above query for each database table including all core tables and any additional tables added by plugins.

The other way to do it is to click on the name of a table and then click on the operations tab. This tab allows you to change important table settings such as the table name. This step needs to be completed for each table.

Rename Table Prefix
Table prefixes can be changed through the operations tab.

Next, you need to update the references to the table prefix in the usermeta and options tables. You can do this using the PHPMyAdmin interface, however it is much quicker to simply use an SQL query.

To update the usermeta table (formerly wp_usermeta), enter the following SQL query through the PHPMyAdmin SQL tab:

{code type=php}UPDATE `newprefix_usermeta` SET `meta_key` = REPLACE( `meta_key`, ‘wp_’, ‘newprefix_’ )

To update the options table (formerly wp_options), enter the following SQL query through the PHPMyAdmin SQL tab:

{code type=php}UPDATE `newprefix_options` SET `option_name` = ‘newprefix_user_roles’ WHERE `option_name` = ‘wp_user_roles’

Again, in both examples above, be sure to change the references to newprefix to the prefix you have defined in wp-config.php.

To recap, to update your WordPress database tables with your new prefix, you need to:

  1. Rename each WordPress table
  2. Update the usermeta table
  3. Update the options table

I would still recommend changing the table prefix in your WordPress table using Defender as it allows the above changes to be made at the click of a button. You will, however, find the guide for applying the changes useful if the plugin cannot apply the necessary changes automatically.

Keep WordPress Updated

Every version of WordPress addresses security holes that have been identified in previous versions. Therefore, if you are using an older version of WordPress, your website is more susceptible to attacks. That is why it is important you always update WordPress to the latest version.

Major versions of WordPress contain many new features and are released twice a year. They are easily recognized as the version number increments by 0.1 with each release e.g. 3.7, 3.8, 3.9, 4.0 etc. Following every major release, WordPress release a few minor updates. The release numbers for minor releases increment by 0.01 e.g. 3.9.1, 3.9.2 etc.

Whereas major releases of WordPress introduce new features to the platform, minor releases address important security bugs and errors that have been found in a major release. It is therefore essential you apply these minor updates to your website.

WordPress introduced a new feature in WordPress 3.7 that updates WordPress automatically in the background. Many WordPress users wrongly believe that this feature applies to all WordPress updates, but by default WordPress will only automatically apply minor updates to your website.

It is possible to apply major and minor updates to your website. This will remove the need for you to ever update WordPress manually again. You can do this by adding this piece of code to your wp-config.php file:

{code type=php}# Enable all core updates, including minor and major:
define( ‘WP_AUTO_UPDATE_CORE’, true );

Safeguards are put in place to ensure your website does not break when your website is automatically updated, however there is always a risk that your website breaks after a major update. This is more likely if you use WordPress plugins that are not actively updated so you should be aware of this if you do apply major updates to your website automatically.

If you would prefer to handle all updates yourself because you are concerned your website will break with an automatic update (major or minor), you can disable all core WordPress automatic updates by adding this code to your wp-config.php:

{code type=php}# Disable all core updates:
define( ‘WP_AUTO_UPDATE_CORE’, false );

Plugin developers can improve automatic updates better by utilizing the add_filter function. They can do this by adding the following code to your wp-config.php file after the add_filter() reference.

{code type=php}require_once( ABSPATH . ‘wp-settings.php’ );

Check out “The definitive guide to disabling auto updates in WordPress 3.7” by Andrew Nacin for more information on disabling automatic updates.

WordPress Plugins and Themes

Security holes in themes and plugins represent more than half of all successful WordPress hacks. You therefore need to pay attention to the plugins you activate on your website.

  • Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it.
  • Be wary of plugins that have not been updated within the last two years as they may have security holes in them that have not been addressed. If possible, only use plugins that are updated regularly.
  • All plugins are not created equal. Be conscious of the fact that a poorly coded plugin could make it easier for a hacker to gain access to your website.

It is important that your WordPress theme is up to date and well-coded, too. You can check the quality of the code in your theme using a plugin such as Theme-Check and check the code in plugins using Plugin-Check.

You should also be careful of downloading free WordPress themes from unknown sources as they may contain malicious code. If in doubt, stick to the free WordPress designs available at

Hackers could insert malicious code into premium plugins and themes. It is highly unlikely that the original developer of a premium WordPress product would insert malware into it, though you do need to be careful when downloading a premium product from other sources.

Therefore, I implore you to do the right thing and support WordPress developers by buying plugins and themes from them directly. Downloading a premium plugin or theme from a torrent website hurts their business and there is a chance the uploader has inserted malware into the product, placing your website at risk of being attacked. You are safer downloading plugins from a source such as WPMU DEV. Not only are our plugins free from bugs, they also come with 24/7 support.

The WordPress updater can be configured to automatically update plugins and themes. To automatically update WordPress plugins, add the following code to your wp-config.php file:

{code type=php}add_filter( ‘auto_update_plugin’, ‘__return_true’ );

To automatically update your theme, add this code to wp-config.php:

{code type=php}add_filter( ‘auto_update_theme’, ‘__return_true’ );

Note that your WordPress theme has to support automatic updates in order for the above code to work.

Remember that updating plugins automatically may cause a website error and could happen when you are away from the computer. I recommend upgrading plugins and themes manually to ensure that if any problems occur during upgrade, you can deactivate the plugin and reactivate it when the developer has fixed the error.

The WordPress plugin and theme editor allows authorized users to modify your theme and your installed plugins. If a hacker was able to gain access to your WordPress admin area, they could crash your website in a matter of seconds by simply changing code, or removing code. To avoid this occurring, you can disable the plugin and theme editor by adding the following code to your wp-config.php file:

{code type=php}define( ‘DISALLOW_FILE_EDIT’, true );

You can also remove the option of updating and installing plugins and themes by adding the code below to your wp-config.php file. Applying this technique would stop an unauthorized party from being able to upload their own plugin to your website.

{code type=php}define( ‘DISALLOW_FILE_MODS’, true );

The above code will also deactivate the plugin and theme editor if it is added to your wp-config.php file.

Using Correct File Permissions

It is important that you configure your file permissions correctly. Setting a directory with permissions of 777 could allow a malicious party to upload a file or modify an existing file.

According to WordPress, you should use the following permissions on a WordPress website:

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

Check out the Changing File Permissions guide on for more information on how to change file permissions. If you are unsure as to whether you have set up your WordPress file permissions correctly, ask your host to check them for you.

Turn Off PHP Error Reporting

If a plugin or theme causes an error, the error message may display your server path. This information is useful to hackers, therefore it is better to disable error reporting altogether for a live website.

You can disable error reporting in WordPress by adding the following code to your wp-config.php file:

{code type=php}
@ini_set(‘display_errors’, 0);

If the above code does not work, speak to your web hosting company and ask if they can disable error reporting on your behalf.

Protecting WordPress Using .htaccess

The .htaccess file is a powerful configuration file that changes the way your server operates. It is used to redirect URLs and configure pretty permalinks. The file can also be used to harden WordPress security.

The techniques below will strengthen your WordPress website significantly. Please note that he code has to be placed outside of the # BEGIN WordPress and # END WordPress tags, as anything between those tags can be updated by WordPress (e.g. during updates and permalink changes). Be sure to click on the option to see hidden files in your FTP client or file manager too. Otherwise, the .htaccess file will not be visible in the file list.

The wp-config.php is an important file as it contains your database connection settings, table prefix, security keys, and other sensitive information. You can protect the file by adding the following code snippet to your .htaccess file:

{code type=php}
<files wp-config.php>
order allow,deny
deny from all

You can also relocate the wp-config.php file above your installation folder; however there is some debate as to whether this is beneficial.

To restrict access to your WordPress admin area to a specific IP address, use the code below (be sure to change the IP address to your own). In order to do this, you need to create a separate .htaccess file and upload it to the /wp-admin/ directory. Be aware that in order to access your WordPress admin area via a different IP address, you will need to modify the .htaccess file.

{code type=php}order deny,allow
allow from
deny from all

Additional IP addresses can be allowed by adding additional lines. For example:

{code type=php}order deny,allow
allow from
allow from 123.456.7.8
deny from all

The wp-login.php file that is found in the root of your WordPress installation can also be restricted to a specific IP address. The wp-login page will ultimately redirect any logged in users to the /wp-admin/ directory, therefore if anyone did login through wp-login.php, they would be blocked at /wp-admin/. However, you may want to restrict access to wp-login.php too for added security.

An alternative to protecting your admin area by restricting it to certain IP addresses is to password protect the directory. I am not a fan of this technique as it can cause problems with Ajax in plugins and is apparently not full proof.

If you find a person is consistently trying to access your WordPress admin area, you can block them from your website using the code below. Like the restrict by IP technique, additional IP addresses can be blocked using this technique by defining them in additional lines.

{code type=php}
order allow,deny
deny from 456.123.8.9
allow from all

The /wp-includes/ directory contains a lot of important files that are required to run WordPress. There is no need for any visitor to view the contents of this directory. To protect the /wp-includes/ directory, add the following snippet to .htaccess:

{code type=php}# Block the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

To prevent people from browsing the content of your directories, add the following code snippet to your .htaccess file :

{code type=php}Options All -Indexes

To protect the .htaccess file itself, add this to the file:

{code type=php}
<Files .htaccess>
order allow,deny
deny from all

The /wp-content/ directory can be protected using .htaccess too. In order to do this, you need to create a separate .htaccess file and upload it to the /wp-content/ directory. Then add the following code to the file:

As you can see, the above technique will protect the /wp-content/ directory but allow XML, CSS, Javascript, and images, to be processed. Be aware that this code has been known to break some WordPress themes as it does not allow PHP to be executed; particularly themes that use timthumb.php. If the code causes any problems with your website, it is best to remove the .htaccess file from the /wp-content/ directory.

Disable XML-RPC

Since WordPRess 3.5, XML-RPC has been enabled by default. The feature allows you to remotely connect via blogging clients. It is also used for trackbacks and pingbacks. Unfortunately, hackers have been known to use the file for DDoS attacks.

You can use a plugin such as Disable XML-RPC Pingback and Disable XML-RPC and reduce the change of your website being attacked.

Stronger Login Information

Weak passwords allow hackers to gain access to your website easily using a brute force automated script. You should therefore:

Many years ago, WordPress used the username admin as the default username for the primary administrator account. They now allow you to choose any username you wish during the installation process, however many people still choose the username admin.

The problem is that hackers know that admin was the default administrator username for a long time. This means that they only need to work out the password for the administrator account. Due to this, most brute force scripts attempt to gain access to your website using the username admin.

You should therefore change your administrator username if you are using admin or another basic username. This will make it much more difficult for a hacker to gain access.

You can do this by entering the following SQL query in PHPMyAdmin (or whatever database manager you are using). Be sure to change newusername to the new username.

{code type=php}UPDATE wp_users SET user_login = ‘newusername’ WHERE user_login = ‘admin’;

You could also run the above command directly through your admin area using the WordPress plugin WP-DBManager, but be sure to uninstall the plugin after using it as you do not want to give anyone the opportunity of accessing your database directly through the admin area.

Alternatively, use the plugin Admin renamer extended to change the username directly through your WordPress admin area.

Limit Login Attempts

Hackers use brute force attacks to try and gain access to your WordPress admin area; continually trying new random usernames and passwords. One of the best ways to protect your website against this kind of attack is to install Login LockDown or Login Security Solution. The plugins allow you to limit the number of login attempts from a given IP range.

Once a user has failed a defined number of times, they will be logged out of your website for a defined period of time. The default period of lockout can be increased to a more significant period of time if you wish. You can manually unban any legitimate users that have been locked out, so you need not worry about frustrating your staff.

The great thing about these plugins is that they record the IP address of anyone who fails a login attempt. You can use this information to block those people from your website indefinitely using the .htaccess technique I discussed earlier.

Login Lockdown
Limiting the number of failed login attempts that are allowed makes it difficult to use brute force scripts on your website.

Two-Step Authentication Solutions

A two-step login authentication process will make it even more difficult for hackers to access your website through a brute force attack. It forces everyone to use an authorisation code in order to login to your website. For example, you may have to provide a code that can only be accessed via your mobile phone.

Here are some useful authentication WordPress plugins that are available to you free of charge:

  • Google Authenticator – Requires you to enter a secret key or QR code that is provided to you via a Google Authenticator smartphone application
  • Clef – Allows you to login using a passwordless two-factor authentication system using your mobile phone
  • Clockwork SMS – Sends a SMS to your mobile phone with a key that you need to enter to login
  • Duo Two-Factor Authentication – Offers multiple ways to access your website such as a mobile phone application, a SMS, or a phone call
  • OpenID – Allows you to login using the OpenID protocol, which supports every major social media service
  • Authy Two Factor Authentication – Requires you to enter an API key from a smartphone application
  • Stealth Login Page – Login to your website using a secret login authorizaiton code

You may find a two-step authorization login process frustrating, however it is one of the most effective ways of preventing unauthorized parties accessing your website.

Two Step Authorization Process
Introducing a two step authorization login process will strengthen your website security considerably.

Hide Your Login Page

Malicious parties can attack your login page because they know that a default installation of WordPress can be logged in at and at Moving the location of your login files makes it very difficult for hackers to perform a brute force attack.

There are good plugin solutions available that allow you to do this easily:

  • Rename wp-login.php – A multisite friendly plugin that allows you to change your login page. Once activated, the wp-admin directory and wp-login.php page will be inaccessible.
  • Hide Login+ – Allows you to change name of your login page, admin area, logout page, and forgotten password page.
  • Lockdown WP Admin – Another useful plugin that can conceal your admin area and login page.

If you forget the new location of your login page and admin area, you can reset everything by simply deactivating the plugin in question. You can do this by renaming the name of the plugin folder contained within /wp-content/plugins/. Alternatively, you could delete the plugin and reinstall it once you have logged back in to your website.

Hide Login
It is difficult for a hacker to login to your website if they do not know where to login.

Remove the WordPress Version Number

By default, WordPress will place a meta tag in your website code that states the version of WordPress you are using:

{code type=php}<meta name=”generator” content=”WordPress 3.9.1″>

Unfortunately, this information is useful to hackers, particularly if you are using an older version of WordPress that has a security hole.

WordPress developer Paul Underwood shared a useful code snippet that lets you easily remove the WordPress version number from your website. You can do this by adding the following code to the top of your theme functions.php file:

{code type=php}remove_action(‘wp_head’, ‘wp_generator’);

Alternatively, you can remove the WordPress version number by installing the plugin Remove Version.

Use Common Sense

When it comes to making your website more secure, a bit of common sense goes a long way. You can reduce the chances of your website being compromised by taking precautionary measures.

  • Do not login to your website on unsecured networks
  • Make sure your computer does not have any viruses by installing antivirus software such as AVG, Avira, or Comodo
  • Install a firewall on your computer for extra protection, such as Comodo or Zone Alarm
  • Only upload files to your website using a Secure FTP (SFTP) client such as FileZilla
  • Do not access your website in an internet cafe PC as someone could track your login
  • Be careful that no one sees you entering your login details in public locations such as coffee shops and airports, incase someone is watching you enter your username and password
  • Be wary of allowing people to upload files to your website via a form as hackers can use it to upload a malicious script – Even if you only allow image uploads, sneaky files such as image.jpg.php have been known to slip through
  • Do not ever give admin access to people you do not know and trust
  • Do not ever make someone editor if you do not know them well
  • If you are ever concerned about logged in users (editors, authors) doing something malicious on your website, use a plugin such as Simple Login Log or track Audit Trail their activity
  • Do not give people you do not know FTP access or access to your website hosting area unless absolutely necessary

Backup Often

The old idiom states that you should hope for the best, but prepare for the worst. This is particularly true with websites. Even if your website security has been hardened, there is no guarantee that your website will not be compromised by hackers. That is why it is important to backup your website frequently.

Most hosting companies provide daily backups of your website, however if the host’s data centre is damaged, be it through a power surge or flooding, your main website and internal backups could both be lost. That is why you need to backup your website externally too.

VaultPress offers one click backups and restores from only $5 per month per website.

There are automated WordPress backup services that make the process of backing up and restoring your website painless. This includes Automattic’s VaultPress, the backup and monitoring service CodeGuard, and the backup and migration service BlogVault.

If you prefer a plugin backup solution, check out BackupBuddy, Backup Creator, UpdraftPlus Backup and Restoration for WordPress, and WordPress Backup to Dropbox.

You should also check out our very own backup solution Snapshot. It can backup your database, your theme files, and your uploaded media. It is one of the few backup solutions that lets you select what tables are backed up.

Backups can be backed up via secure FTP or to Amazon S3 or Dropbox. Everything can be restored at the click of a button, which ensures that you can get your website back online as quickly as possible.

Snapshop Backup Solution
Snapshot is a great backup solution that has native support for BuddyPress and WordPress Multisite

Do not become complacent about backups. If your website has been hacked, your content could be modified or deleted completely, and an external backup could be the only thing that saves your website from being lost. Therefore, you need to have a disaster recovery plan in place.


Scanning Your Website

A lot of people wrongly believe that when your website is hacked, your whole website will be broken. However, that is rarely the case, as the goal of the hacker is usually to use your server to send spam mail.

If you know your website has been compromised, you will contact your hosting company and start removing the files the hacker uploaded. If, however, you are unaware of the hacker using your server to send spam, they can continue to use your server to relay their email messages without your knowledge.

The most effective way of discovering malware and suspicious files on your website is to scan your theme files regularly. There are many plugins and services available that help you do this.

  • Theme Authenticity Checker – The plugin will scan all installed WordPress themes for signs of malicious code. It will then highlight this code to you by showing you the path to the theme file, the line number, and a small snippet of the suspect code.
  • Ultimate Security Checker – A plugin that scans your website for hundreds of known threats and gives you a security grade on what it finds.
  • AntiVirus – A great plugin that scans your theme files and database for malicious code injections. Email notifications can be provided on a daily basis after each scan so that you are aware of anything suspicious.
  • WP Antivirus Site Protection – A server side scanner that can detect backdoors, rootkits, trojan horses, worms, PHP mailers, fraudulent tools, adware, spyware, and more. It can be run automatically on a daily basis.
  • Sucuri Sitecheck – The Sucuri scanner can scan your website for malware, spam, and defacements. It will also advise if your website is on any known blacklists.
  • CodeGuard – The CodeGuard service is used to backup your website on a daily basis. If they detect any changes on your website, they will email you with a notification of what was added, modified, or deleted.

Another great plugin you should check out is WP Changes Tracker. The plugin will keep a log of every change in WordPress, in your themes, and in your plugins. It is not a malware scanner, however if you notice anything different on your website, it allows you to look at a change log and see exactly what has changed.

Scan Your Website
Scanning your website regularly will help you detect malicious activity on your website.


All-in-One Security Plugins

If you are not a technical person, you may want to consider protecting your website using an all-in-one security solution. These WordPress plugins can toughen your website at the click of a button by addressing common WordPress security issues. Some also add a firewall and scan your website on a daily basis for malicious files.

Let’s take a closer look at some great all-in-one security plugins.

BulletProof Security is a feature packed security plugin that offers .htaccess website security protection, file intrusion detection, login security, database backups, and daily monitoring. It also keeps a log of anything that is changed.

The plugin has many configuration options. If you don’t want to configure these options yourself, you can choose to harden your website with one click.

BulletProof Security
BulletProof Security can protect your website at the click of a button.

Acunetix WP Security is a security plugin that can check for vulnerabilities in passwords, theme files, and your admin area.

The plugin has many useful options such as removing the WordPress version, disabling PHP error reporting, removing update notifications, and more. A live traffic tool is also included.

Acunetix WP Security
Acunetix WP Security addresses common WordPress security holes.

Sucuri Security will scan your website and detect PHP mailers, injections, malicious redirects, phishing attempts, and more.

The plugin also includes one click hardening options such as protecting your uploads directory, removing the WordPress version number, disabling theme and plugin editors, and restricting access to the /wp-content/ and /wp-includes/ directories.

Sucuri Security
In addition scanning your website, Sucuri Security can also harden your website and make it more secure.

Formerly known as Better WP Security, iThemes Security is the most downloaded WordPress security plugin on

The plugin addresses common WordPress security vulnerabilities such as renaming the admin account, changing the ID of the first user from 1, removing login error messages, and displaying a random WordPress version number to non administrative users. It also features a monitoring system that will detect bots and file changes.

iThemes Security
iThemes Security is one of the most effective way of securing a WordPress website using a plugin.

Wordfence Security features mobile phone two-factor authentication logins, a firewall to block common security threats, and a password strength checker.

The plugin can scan your website for backdoors, malware, and phishing attempts. It will also monitor your disk space usage to help detect DDoS attacks.

Wordfence Security
Wordfence Security protects your website from malware, bots, phishing attempts, and much more.

Final Thoughts

Securing your website is something you need to take seriously. If you don’t take any security precautions for your website, you run a high risk of being hacked. This could cause your website to be blacklisted because it sent out spam. In a worse case scenario, you could lose all of your data.

By just taking thirty minutes out of your day, you can make your WordPress website secure and make it less likely that a hacker will do something malicious on your website.

If you fail to prepare, prepare to fail.

In the event of your website being compromised, stay calm. The best thing to do is reset your password, scan your website for malicious content, and contact your host for help on putting everything back to normal. By backing up every day, you can avoid the risk of your website content being completely lost.

If you want to want to learn more about securing your website, check out our WordPress Security Essentials series of articles.

  1. WordPress Security Essentials: Say Goodbye to Hackers
  2. WordPress Security Essentials : Four Points Of Vulnerability
  3. WordPress Security Essentials: Password and Username Safety
  4. WordPress Security Essentials : Building A Layered Defense
  5. WordPress Security Essentials: Obscurity Tactics and Backups

Be sure to check out the Hardening WordPress guide at, too. It has a lot of useful information on how you can improve the security of your website.

Do you know of any other great security tips for WordPress? If so, please share them in the comments below.

Image credits: Moyan Brenn

Free Video Why 100 is NOT a Perfect Google PageSpeed Score (*5 Min Watch) Learn how to use Google PageSpeed Insights to set realistic goals, improve site speed, and why aiming for a perfect 100 is the WRONG goal.