With the brilliant features and customisation options that WordPress provides, it’s no surprise that almost 33% of websites use WordPress CMS. However, potential security issues are something that can come back to bite site owners.

In fact, out of the 8,000 hacked websites analyzed in a recent study, 74% were using WordPress.

If you are using a WordPress website, it is important to ensure your security is properly setup in order to minimise risk. ⚠

So what is the best course of action to take?

The following security issues are some of the most vital and could leave your WordPress site vulnerable to hackers. It is important that you identify these issues and fix them; straight away.

1. Unsecured Hosting Service

One of the major resources that goes into making a website is web hosting.

From your site’s performance to its security, your hosting service can affect it all. As such, it is crucial that you choose a hosting provider that offers adequate security.

As you consider and analyse your hosting options, the following tips should help you.

    • Go through all the security features that it provides.
    • Understand that when it comes to hosting, expensive doesn’t always mean better.
    • Some providers have their entry-level plans costing as much as the high-end plans of other hosting providers. This doesn’t always mean they can be compared.
    • Know the difference between the two most popular types of hosting services.

      Shared Hosting:
      A shared hosting service offers basic security scans that can detect WordPress malware.
      It also allows you to track visitors coming to your site. This can help you identify harmful visitors and block their IP addresses.
      The main highlight of a shared hosting service is its ability to host more than one website, which also makes it a lot cheaper than other hosting types.

      Managed Hosting:
      This is the hosting service that provides a firewall for security along with a routine malware scan.
      Some providers offer ‘Managed hosting services’  that restrict access to WordPress files and folders to keep them safe.
      For example, WP-Engine prevents changes in all PHP files, while Pantheon doesn’t allow writing on folders except for the one containing theme and plugin data.
  • Test customer support:
    Customer support is another factor that you need to consider while comparing hosting providers.


    Whether it’s a trivial issue or a complete breakdown; if it’s about the hosting service, the provider should offer full customer support.

    To find out how qualified a provider’s support system is, simply get their contact details and reach out to them. Ask them all your questions and see how patient and cooperative they are while addressing your concerns.

    Based on this experience, you’d get an idea of how they’ll react in case of a security breach. This should help you decide if you want to buy from them or not.

If you have already purchased a hosting plan from the wrong provider, don’t worry. You don’t have to wait for your plan to expire. Services like BlogVault and Migrate Guru can help you migrate to different hosting providers without any hassles.

2. System updates

Like any other CMS, WordPress requires regular updating. Ignoring this could make your WordPress site a potential security risk.

In fact, 80% of the WordPress websites that have been hacked were running outdated themes and/or plugins. Eye-opening, right?

Being an open source CMS with thousands of developers working on different themes and plugins means your WordPress dashboard may receive many updates based on the plugins and themes that you are using.

You need to make sure that all the core themes and plugins are updated to the latest version.

Steps to Update a Plugin:

  • Open your WordPress dashboard and go to Plugins > Installed Plugins

  • The dashboard will take you to the page displaying plugins that you have installed.

    Identify the plugins that are pending and update and click ‘update now’.

Similarly, you can update themes on your site in much the same way by going to Appearance > Themes.

This will also unlock the latest features added to the theme/plugin/system. This helps in maintaining your website’s security and stability at the same time.

3. Pirated Themes or Plugins

While setting up a WordPress website won’t burn a hole in your pocket, making it aesthetically pleasing and rich in features could as a good WordPress theme/plugin can cost you anywhere between $10-$200.

To escape from these ‘supposedly’ uninvited costs, webmasters often take the cheaper route and use nulled/pirated plugins/themes, which are available for free or at negligible prices.

What are the results of this?

There have been a number of cases when a website using a nulled theme unwittingly granted backdoor access to the hackers through the URL: http://www.example.xyz?backdoor=go

The hackers were able to access the site as the URL triggered a backdoor to the website, creating a new WordPress administrator account with the following credentials:

Username: backdooradmin
Password: Pa55W0rd

This is generally a result of an additional shortcode that has been added to the functions.php file by the actual theme owner.

To save your site from such risks. Always acquire themes and plugins from the official WordPress repository or other trusted sources such as Theme Forest or Themeisle.

4. Dummy Login Details

Default login page:
Using the same old usernames and an easy-to-guess passwords makes life so much easier for hackers trying to get into your website’s back-end.

How to Fix?

  • Username and Password issue:
    Try to create a username and password that you have not used on another account.

    Please note that it is crucial to have a unique username. If the username is easy to guess, the only thing that a hacker will need to find out is your password.

    Be sure to never display your username on your website. To do this would be like giving hackers a personal invitation to feast on your WordPress dashboard. Instead, use a nickname or a title that’s different from the username.
    Default login page URL issue: www.yoursite.com/wp-admin

    This is the most effortless and the most common choice of a WordPress login page URL, which leaves your site vulnerable to hackers.

    Most hackers don’t attack manually. They program bots to access login pages and crack the login credentials of target sites.

    Using the default login page URL will reduce work for bots and hackers trying to get into your website.

    The best way out is changing the default login URL.

    For example, changing – www.yoursite.com/wp-admin to www.yoursite.com/welcometomysite

    To do this, follow these simple steps.

    – First, take a complete backup of your WordPress site using UpdraftPlus.

    – Then install and activate the ‘Easy Hide Login’ plugin (it’s free).


    – Go to the plugin’s settings and submit your choice of login slug (such as “welcometomysite”).


    – This will change your WordPress login address from yoursite.com/wp-admin to yoursite.com/welcometomysite and make it much more difficult for people to hack your site.


5. Writable PHP Files

Just like any other computer program on or off the web, a WordPress website also consists of files and folders.

One of these folders is the ‘Uploads’ folder. This folder stores all themes and plugins data for your site.

Potential hackers can find a way to upload a PHP code to this folder to gain access to your website.

Once hackers have access via this method, they can steal content that you were planning to publish in the future along with other important resources like email addresses from your mailing list. They may also sell back-links from your site or use your content to create links to their websites without your knowledge. Or worst of all, they can destroy the whole website and take it down.

The worst part of this type of hack is that you would not know about any of this until your hosting provider or a search engine banned your website.

To save yourself from this, you can disable PHP execution via the following steps.

  • Create a .htaccess file in the ‘Uploads’ folder in your website’s root directory in cPanel.

  • Create a new file with Notepad (on Windows) or TextEdit (on Mac).
  • Paste the following code in this file and save it as .htaccess (not as .htaccess.txt).

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L] RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L] </IfModule>
    # END WordPress
  • Upload this file to the ‘Uploads’ folder.
  • Now, you have a new .htaccess file specifically for your ‘Uploads’ folder. Right-click to edit it and paste the following code.

    <FilesMatch “\.(php|php\.)$”>
    Order Allow, Deny
    Deny from all
    </FilesMatch>

After implementing the above steps, your website will prevent the execution of any foreign files consisting of ‘PHP’. This change will add another brick to your site’s security wall.

Also, note that using this method is a bit risky. Even a trivial mistake can damage your site. So, if you are unsure about using cPanel, consult someone who is.

6. Lack of a SSL certificate

While http://yoursite.com and https://yoursite.com will both load the same web-page, there is a small difference that can break the deal.

The SSL certificate.

The first URL in the example above isn’t using an SSL certificate, while the second example is.

This can greatly affect a website’s security by putting the communication between the visitor’s device and your web servers at risk.

An SSL certificate encrypts the information so it can’t be accessed by anyone but the intended recipients. To safeguard your website against such leaks, it’s recommendable to install an SSL certificate as early as possible.

Installing an SSL certificate is usually straight forward and easy to do. You can usually buy an SSL certificate from your hosting provider, but If they don’t sell an SSL service, you should consider buying from another provider.

Getting an SSL certificate from your hosting provider will also save you the hassle of installation. They will set everything up and you just have to redirect your ‘http’ pages to ‘https’.

In Summary 

Failing to secure your WordPress site against security threats can hurt your business in a number of ways. It’s no surprise that all webmasters need to pay attention to website security and have an adequate backup plugin and system in place. Despite your best efforts, should the worst happen and your site suffers a malicious attack; UpdraftPlus can provide a safe and secure backup and restore option. This will help ensure your website always has that all important safety-net, even in the event of a hack. 

In this post, you have read about 6 loopholes that could potentially put your WordPress website security at risk due to hackers. Hopefully, this article helped you secure your site and take it’s security to the next level. 

By Vaibhav Kakkar

twitterlinkedinFacebook