Get WordPress Security Threats Done

WordPress is a massively popular, completely open source piece of software. The great thing about that, security-wise, is that there is a huge community that works with it and is able to discover bugs and security risks more quickly than one might with an in-house CMS solution. (It’s hard to find out about weaknesses when one way to find out is actually having the weakness exploited, and having a huge user base makes discovery a lot more likely.)

The downside is that hackers with bad intentions know exactly how your website is built. They already have the ‘blueprint’ to your site. And if there are any weaknesses in the core, themes or plugins that you use, that’s something they will be able to know without ever gaining access to the backend of your site.


There are constant threats to blogs and sites running on WordPress. Oftentimes, you will find out about a security breach only after it has happened. Preventing threats from materializing is a better option than reacting later. Being proactive with WordPress security might be the best thing you ever did.

WordPress Security Threats

Access to Theme/Plugin Files

You’re probably familiar with the theme and plugin file editors:


Pretty darn handy, but also a huge security issue should someone gain access to your dashboard. And in general, using the editors is bad practice as any incorrect PHP code can “break” your site (which will then require you to gain access via FTP).

Tips

Disable the editors and edit theme and plugin files via FTP only. Doing so is a piece of cake — just include the following in your functions.php file:

define( 'DISALLOW_FILE_EDIT', true );

Or use a security plugin to do it for you (that will basically only insert that line of code for you). The only problem is that there are plugins that allow people to turn this ability on and off, so a very dedicated hacker might be able to install a plugin, turn the plugin on, and then gain access to editing code without FTP access.

If you want to be extremely thorough and protect against this, you can disable all plugin and theme updates/installation by adding this line of code to wp-config.php:

define( 'DISALLOW_FILE_MODS', true );

But obviously this would mean you would have to change its value to false every time you wanted to update or install a plugin or theme (we don’t really recommend this option, since keeping themes and plugins up to date is one of the best ways to ensure your site is less vulnerable).

Brute Force Login Attempts

This is when someone tries to gain access to your site by attempting an enormous number of different username and password combinations. Such a process is of course made far more difficult by adding the above code to your functions.php file, but you can all but eradicate the chance of a successful brute force login attempt by limiting the number of login attempts from a specific IP address.

Tips

Install and activate the Limit Login Attempts plugin. This simple plugin offers you the ability to customize how many login attempts someone should have, and how long they are locked out for if unsuccessful.
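As an added example (not code from the original post or from the Limit Login Attempts plugin), here is a minimal version of the same idea: failed logins are counted per source address in WordPress transients, and once the limit is reached further attempts are refused until the window expires. The hook names are real WordPress hooks; the constant names, limits and function names are assumptions.

```php
<?php
/**
 * Minimal per-IP login throttle. Assumed constants: LOGIN_MAX_ATTEMPTS and
 * LOGIN_LOCKOUT_SECONDS. Works from functions.php or a small mu-plugin.
 */
define( 'LOGIN_MAX_ATTEMPTS', 5 );      // failures allowed per window
define( 'LOGIN_LOCKOUT_SECONDS', 900 ); // 15 minute lockout

function login_throttle_client_ip() {
    // REMOTE_ADDR is set by the web server; behind a reverse proxy it is the
    // proxy's address, so adapt this only if you control that proxy.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function login_throttle_key() {
    return 'login_fail_' . md5( login_throttle_client_ip() );
}

// Count every failed login per source address; the counter expires with the
// lockout. Attempts refused below also fire this hook, extending the window.
function login_throttle_record_failure( $username ) {
    $key   = login_throttle_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LOGIN_LOCKOUT_SECONDS );
    error_log( sprintf( 'wp-login failure #%d for "%s" from %s',
        $count, $username, login_throttle_client_ip() ) );
}
add_action( 'wp_login_failed', 'login_throttle_record_failure' );

// Refuse authentication once the address has exceeded the limit. Priority 30
// runs after WordPress's own credential checks, so the result is always an error.
function login_throttle_check( $user, $username, $password ) {
    if ( (int) get_transient( login_throttle_key() ) >= LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'login_throttle_check', 30, 3 );

// Forget the counter on success so a legitimate user is not locked out later.
function login_throttle_clear( $user_login, $user ) {
    delete_transient( login_throttle_key() );
}
add_action( 'wp_login', 'login_throttle_clear', 10, 2 );
```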

Confirmation of Login Information

A major drawback of the current WordPress login form is that it informs the user which part of the login information he/she has gotten wrong. For instance, if the username is correct and the password wrong, WordPress informs the user about it. This makes it easier to use brute force login as the hacker has a clear idea of whether he/she needs to change the username or password.

Tips

This issue can be resolved by entering this code into your WordPress theme’s functions.php file:

function failed_login() {
    // Return one generic message so the form never reveals which field was wrong.
    return 'The login information you have entered is incorrect.';
}
add_filter( 'login_errors', 'failed_login' );

Default Table Prefix Problem

A table prefix is what comes before the names of tables in your database. Instead of users, with the standard WordPress prefix the table would be wp_users. If you use the default table prefix, it makes it easier for people to gain access to your site by exploiting possible SQL injection weaknesses, because they know exactly where to inject data into your database to then gain access to your site.

Tips

Thankfully it’s very easy to remove this threat. If you’ve already installed WordPress using the default wp_ prefix, you can easily change it using a plugin like Sucuri. First, you need to back up your database before you use that option, as there is a minor chance of something going wrong. You can do this with the click of a button. Then you can choose a new prefix, or simply let Sucuri randomly generate the new prefix for you.

Note: If you’re just installing WordPress for the first time, you can change it in the installation interface.

Global Registration Open

Any person from around the globe can register on your website. This is a feature of all WordPress websites, but it is disabled by default. Unless you are targeting a worldwide audience with your site, you should leave this option disabled.

Tips

To ensure it’s disabled, go to the Settings tab and access the General settings. There, uncheck the ‘anyone can register’ checkbox. Also, select ‘subscriber’ as the New User Default Role as an extra precaution.

Login Page/Admin Area Location

If you’re still showing that you use WordPress (aka, not actively hiding it by for example using a plugin like Hide My WP), people with bad intentions will already know where to attempt a brute-force attack on your site.

Tips

To fix this threat, drastically lower the chances of getting hacked and reduce server stress, we need to stop malicious people and bots from reaching our login page.

There are two main ways to do this. You can either change the physical location of your login page to something else by using a plugin (or a few lines of code), or you can limit access to your login page and admin area by IP address. You can do this with a plugin dedicated to this particular thing, or with a security plugin like Sucuri, Wordfence, iThemes Security Pro or All In One WP Security & Firewall.
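The IP-restriction approach, as an added example rather than code from the post or from any plugin it names: wp-login.php refuses requests whose source address is outside an allow-list, so brute-force traffic never reaches the form. login_init is a real WordPress hook; the allow-list contents, helper names and address ranges are assumptions (the ranges are documentation-only examples).

```php
<?php
/**
 * Allow-list wp-login.php by source IPv4 address or CIDR block.
 * $login_allowed_cidrs is an assumed setting; edit it for your own network.
 * Caveat: REMOTE_ADDR is the proxy's address behind a reverse proxy or CDN.
 */
$login_allowed_cidrs = array( '203.0.113.0/24', '198.51.100.7' );

// True if an IPv4 address falls within a CIDR block (a bare address means /32).
function login_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        $cidr .= '/32';
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits  = (int) $bits;
    $ip_l  = ip2long( $ip );
    $sub_l = ip2long( $subnet );
    if ( $ip_l === false || $sub_l === false || $bits < 0 || $bits > 32 ) {
        return false; // malformed or not IPv4: fail closed
    }
    $mask = ( $bits === 0 ) ? 0 : ( -1 << ( 32 - $bits ) );
    return ( $ip_l & $mask ) === ( $sub_l & $mask );
}

function login_ip_allowed( $ip, array $cidrs ) {
    foreach ( $cidrs as $cidr ) {
        if ( login_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// login_init fires before the login form is rendered or credentials are read,
// so denied visitors never see the form at all. Only wp-login.php is affected;
// blocking admin_init as well would also break admin-ajax.php for visitors.
function login_restrict_by_ip() {
    global $login_allowed_cidrs;
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! login_ip_allowed( $ip, $login_allowed_cidrs ) ) {
        error_log( 'wp-login.php request denied from ' . $ip );
        wp_die( 'Access denied.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'login_restrict_by_ip' );
```

Test the allow-list from a second browser or network before relying on it, because a mistake locks you out of the dashboard until you fix the file over FTP.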

Login Name Confirmation

By default, the WordPress login screen will inform you as to whether you have got the username or the password wrong:

This effectively makes it twice as easy for hackers to gain access to your site — they can figure out what your username is without having to know the password. It is not information you should make readily available.

Tips

This issue can be remedied with some code in your functions.php file:

function hide_login_errors() {
    // Return one generic message so the form never reveals which field was wrong.
    return 'The login information you have entered is incorrect.';
}
add_filter( 'login_errors', 'hide_login_errors' );

Now when there is a failed login attempt, there will be no specific information concerning the username or password.

Open Firewall Settings

The default firewall settings of WordPress are actually on the liberal side. This means that some untoward bots and other unwanted visitors get a green light.

Tips

You can make this better by installing the basic 5G blacklist firewall rules, either by copying them manually into your .htaccess file or by using a security plugin to better optimize the rules in your .htaccess.

Published WordPress Version Information

A default WordPress installation contains lines of code that give away that your site is built using WordPress, even down to the version, to people who know where to look. Depending on the theme, it might even be shown visually on every page of your website.

The reason this could be a security risk is that people might target your site for no other reason than that it is built on WordPress. If someone finds a security weakness in the WordPress core, a theme or a plugin, they might find their way to your site to exploit it. Whereas if you had successfully hidden that your site was built with WordPress, people who search for WordPress sites using bots or crawlers would be tricked into thinking that your site was not a viable target.

Tips

To fix this, you can use the Hide My WP Plugin. With this helpful little plugin you can avoid unnecessary traffic on your server, and at the same time, remain safe from attacks that specifically target WordPress sites.

Universal Registration Option

This is a real simple one — is your WordPress site currently set up so that anyone can register as a user? This is only necessary if you are running some sort of community site (as opposed to a “normal” website or blog). So if you are not, you would be best served by preventing people from having the opportunity to register.

Tips

You can do so via Settings > General in your sidebar:
Whilst someone registering for your site in a limited role does not give them a huge amount of access, it does give them more than is absolutely necessary, which is why you should remove the option.

Conclusion

While a default installation of WordPress has some weaknesses, the beauty of WordPress is really the ease with which you can solve pretty much any problem with your site, including the security threats mentioned in this post. Beyond having a unique username and a strong password, by installing a security plugin, editing some settings and maybe inserting a line of code or two, you can already significantly reduce the risk of your site getting hacked or infested with malware.

About the author: phoebe