At present, according to, 23% of the websites on the Internet are powered by WordPress. That is a huge number of websites. Now imagine the number of users those WordPress websites have.

On the other hand, according to Checkmarx’s research labs, more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. In total, 8 million vulnerable plugins have been downloaded until now.

If you were a person with bad intentions and didn't have a specific system to hack, you would probably target one of the most used web platforms so that your hacking could have more impact. That is why WordPress is a great target for attackers.

That means there are a lot of people looking at the WordPress core code and at WordPress plugin code in order to find a security flaw that could be exploited. So, one of the biggest problems with WordPress is its security.

However, bear in mind that the core of WordPress has come a long way and is a fairly secure system, and that crucial patches are released very quickly. Most problems in WordPress security are due to poor judgment by the end user, poorly coded themes and plugins, or bad hosting.

This article is the first part of a three-part series about WordPress security.

In this first part, I will provide a short introduction to WordPress security.

In the second part, I will list most of the common WordPress breaches and exploits in detail, so that you can understand how to secure your WordPress site against each of them. These are important topics because they will help you understand how WordPress security plugins achieve their security goals, which will be addressed in the third and final part of this series.

In the third and final part, I will look at some WordPress security plugins and choose a set that implements almost everything we talked about in the second part of the series, but in a more automated and assisted way.

Why Should I Bother?

This is a question one might frequently ask: why should I bother about WordPress security, since my site is small and doesn't hold sensitive information?

Of course, if you don't mind losing your data, then maybe there is no problem, although you may waste some time rebuilding your site, time that you could invest in a more useful way, like adding good content to your site.

If you are one of those who care about your data, don't expect to be hacked by a specific person, maybe someone who doesn't like you, because most web hacking, including WordPress hacking, is done blindly. More precisely, attackers scan the web for a known vulnerability, get your server on the list, and then hack it. Most of the time, these people are not interested in the person behind the website, but solely in the website itself.

What Kinds of Hacks?

A WordPress site, like any other website, can be attacked in a variety of ways. The variations depend primarily on the level of access the attacker has, such as root access or database access, and on the imagination of the attacker.

One simple and very well-known hack is to deface your website, for instance changing the front page of your site to display an image of the hacking group that hacked it, or redirecting the main page of your site to another website. Other possibilities are to delete data from your site's database, or to create backdoors for future exploits.

What to Secure?

You should protect all the assets of your web site. In the case of a WordPress web site, that means your web files and your website database.

The database is an important asset to protect because WordPress keeps all the user information and almost all your site content there. If you lose it, you lose all your users and content, among other information.

The web files should also be protected so that, if they are hacked, you can easily and rapidly replace them.

How to Secure?

Despite all your efforts, your site will never be completely safe from being hacked. That is why you MUST periodically back up your assets: the website files and the website database.
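As an added example (not code from the original article), here is a POSIX shell script that backs up both assets named above, the web files and the database, into one archive; the helper names, the sample wp-config.php values and the output path are assumptions, and the script expects mysqldump, gzip, tar and sha256sum to be available on the host.

```shell
#!/bin/sh
# Added example, not from the original article: back up the two WordPress
# assets (web files and database), reading the database credentials from
# wp-config.php so the password never appears on the command line.
set -eu

# Extract the value of define('KEY', 'value') from a wp-config.php file.
# Usage: wp_config_value /path/to/wp-config.php DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and tar the files of the WordPress install at $1 into
# a single archive under $2; prints the archive path. Assumes mysqldump,
# gzip, tar and sha256sum are installed (typical of a Linux host).
backup_wordpress() {
    wp_root=$1; out_dir=$2; cfg="$wp_root/wp-config.php"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    umask 077                                   # backups hold secrets: owner-only files
    mkdir -p "$out_dir"
    work=$(mktemp -d)
    # Credentials go into a temporary defaults file instead of mysqldump's
    # argv, which any local user could read from the process list.
    {
        printf '[client]\nuser=%s\n'  "$(wp_config_value "$cfg" DB_USER)"
        printf 'password=%s\nhost=%s\n' "$(wp_config_value "$cfg" DB_PASSWORD)" \
                                        "$(wp_config_value "$cfg" DB_HOST)"
    } > "$work/my.cnf"
    db=$(wp_config_value "$cfg" DB_NAME)
    mysqldump --defaults-extra-file="$work/my.cnf" --single-transaction "$db" \
        | gzip > "$work/$db.sql.gz"
    tar -C "$wp_root" -czf "$work/files.tar.gz" .   # themes, plugins, uploads, config
    archive="$out_dir/wordpress-$stamp.tar"
    tar -C "$work" -cf "$archive" "$db.sql.gz" files.tar.gz
    sha256sum "$archive" > "$archive.sha256"        # verify before restoring from it
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# Constructed sample wp-config.php (placeholder values) to exercise the parser.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
define( 'DB_NAME', 'wp_example' );
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'example-password');
define( 'DB_HOST', 'localhost' );
EOF
```

Run it from cron as the site's own user and keep the output directory outside the web root, otherwise the archive containing your database dump is itself downloadable.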

There are a lot of security actions one can take to secure WordPress. From my point of view, we can organize most of them into what I call levels of security measures, more precisely four levels, as presented in the following figure.


From bottom to top, we have measures related to the WordPress database and the WordPress files. Next, we find measures at the PHP configuration level, then at the web server level, and finally at the WordPress working environment level.

I will talk about many of the measures in each level of security measures in part II of this series. For now, keep in mind that even if you get protection close to 100% for your website today, that doesn't mean your site will be protected forever. Why? Because new vulnerabilities may be found in old WordPress code or in old WordPress plugin code.

Also, new vulnerabilities may emerge in the latest version of the WordPress code or of its plugins. That is why you MUST keep WordPress, as well as your WordPress plugins, up to date (but test updates on a test site before changing the production environment).

Another good piece of advice is to try to be proactive and stay informed about new vulnerabilities, by looking at a site like this:

Finally, if you tried everything but still have problems, you may need to get in touch with a security specialist who can advise you on the best ways to defend against cyber security attacks.

Then, of course, do not forget to read parts II and III of this tutorial series for more information about securing your WordPress website. If they are not available yet, you will need to wait a little bit 🙂


WordPress is the most used CMS in the world. More than that, nearly 23% of the websites on the Internet use WordPress. This makes WordPress a good target for attackers. Thus your WordPress website, like any other WordPress website, will probably be hacked if it hasn't been already, and that is why you should at least know the basic security measures to protect your WordPress site.