It’s a simple numbers game. If millions of people are using a system, many more people are learning to exploit that system. WordPress currently powers ~28% of the entire Internet and is the most used CMS in the world. That makes WordPress sites a popular nut to crack for people who don’t have good intentions.

According to WordPress developer and Codeable expert Liam Bailey:

The number of hackers who are trying to find exploits, some for good, some for ill, is a vast amount. And because of the popularity of WordPress, these exploits are quickly being discovered, exploited and/or publicized.

Now that you just launched your freshly "baked" WordPress website it’s time you and I have the talk. Can you handle the truth? Well, here it is: your login and password are the only things you have in place to keep hackers off your website.

It's freaking scary, I know. Actually, there are 4 unquestionable truths about the security of a new WordPress website that you ought to know. Don’t worry too much, for now. There's plenty of room to improve.

Ready to start? Great!

Untouched WordPress files are prone to attack

A new install of WordPress gives you a functioning site and a working database. The main issue is that those vanilla WordPress files and database entries contain all the information a hacker or other data thief may want.

As Liam points out:

Everybody knows that the `wp-login.php` file is most sites' login form. So it's an immediate entry point for brute force attackers. They (the bots) don't have to go around looking for your login form.

This means that bots can repeatedly attack a WordPress login page for as long as they like. Or just until they gain access to your website.

Same story for your website database: the default wp_ prefix is what a new WordPress install comes with. Specifically, every table stored in your database will begin with that single prefix. This well-known default can help attackers do nasty things to your database, most notably through an attack known as SQL injection, where hackers can create a separate admin user with full access to your entire WordPress website.

That's why leaving files (and folders) untouched can really harm a WordPress install, but it’s something that could easily be improved, as Liam notes:

Renaming your database prefix and moving your WP login file are basically one-off processes. And once they're done, they're finished. It's not something that's constantly running.

Not updating your WordPress core files, themes, and plugins opens your website to security flaws

When the WordPress team releases a new version, it usually includes security patches. Many people leave their WordPress installations without updating them for long periods. Hackers know this and actively seek those WordPress sites out.

Explains Liam:

If you don't keep your WordPress updated it's basically giving the hackers a free ride. All they've got to do is find that you're using an old version, and they can get straight in exploiting the vulnerabilities that are already known. In fact, there are tools that practically do it for them. I could do it, you could do it, they are doing it.

Plugins and themes add a lot of extra features and functionality to WordPress sites. This is especially true for eCommerce stores. Along with the WordPress team, plugin and theme developers patch security holes and release updates routinely as well.

When it comes to updates, Liam says:

Make sure your plugins, your themes, and your WordPress are all up-to-date. That is probably the biggest factor as well as having good security plugins to protect you against the main forms of attacks.

Half the work to prevent your website from being hacked is keeping it current: your WordPress core files, your theme, and plugins, even if they’re custom coded, should always be kept updated to their latest versions.

In addition, you should not forget to get rid of unused plugins, theme files, and inactive users. Those are usually forgotten and left silently sitting in your WordPress install, but they can provide a way in for those seeking to do harm.

Your current hosting provider might be lacking in security

Your hosting provider is a key player when it comes to your website security. Today there is an abundance of WordPress-optimized hosting providers you should check out, because they have extra layers of security in place for WordPress sites and ensure that your own site stays updated.

WP Engine, Cloudways, Kinsta are trusted providers you should check out. As Liam notes:

Managed WordPress hosts are really bang-on with the security. They've already got their own steps in place for things like fail2ban, and they block users if they fail to log in too many times. They know the main ways that people are coming in to attack your WordPress site and they protect against it. The fact that they're already protecting you is an extra step in the defense, and they also force you to update plugins and themes, which is a really big risk area if you're not doing that.
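Added example, not code from the post or from Liam: a small Python script that performs offline, over a web server access log, the check the two passages above describe. It counts failed POSTs to wp-login.php per client IP inside a sliding time window, which is the same signal a fail2ban rule on a managed host keys on. The log lines are constructed for this example, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line; the sample at the bottom is constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop query string such as ?action=lostpassword
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("method"), path, int(m.group("status"))

def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Flag IPs with `threshold` or more failed logins inside any `window_seconds` span.
    A failed wp-login.php attempt is a POST answered with 200 (form re-rendered); a successful
    login is answered with a 302 redirect to wp-admin and is therefore not counted."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == "/wp-login.php" and parsed[4] == 200:
            failures[parsed[0]].append(parsed[1])
    window, flagged = timedelta(seconds=window_seconds), {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, burst = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[ip] = {"burst": burst, "total": len(stamps)}
    return flagged

# Constructed sample: 203.0.113.7 fails five times in ten seconds, 198.51.100.2 logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.7': {'burst': 5, 'total': 6}}
```

If the site sits behind a proxy or CDN, the first field will be the proxy address and you need the forwarded client IP instead, otherwise every visitor is counted as one source.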

If you're not using any security plugin, you're threatening your website security

WordPress has more than 52.3K available plugins in its repository. And when security is on your plate, there are 3 plugins that will improve the security of your site immensely: iThemes Security, Wordfence, and Sucuri Scanner.

In fact, Liam thinks that:

iThemes Security, Wordfence, and Sucuri Security are the three main plugins that, if set up properly, will really secure the average WordPress site against 99% of attacks.

These plugins and services can really help with all the aforementioned concerns. That includes changing database prefixes and securing your core WordPress files. They won't slow down your site, and they won't interfere with your business. But setting them up properly can be hard for some, which is why you might want to consider hiring a professional to do that for you. Usually, this fits in a 2-hour time frame.

Wrapping up

Your new WordPress website consists of several moving parts, which can become entry points for malicious attackers if you do nothing. Securing those parts properly doesn’t cost much compared to the potential loss you’re preventing. And sometimes, for very basic needs, security might even come free, thanks to specific plugins. However, you must keep in mind that security is never a single task; it requires consistent maintenance and upkeep to have everything working the way it should.


Liam Bailey is the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including a period working in-house at Codeable before returning to freelancing to help more clients from all over the world.


  • Trade Southwest

    And what about wp-admin? How do you move this for one-off protection? I would think hackbots are trying both wp-login and wp-admin.

    • Liam Bailey

      Hi Tradesouthwest.

      I have never heard of anyone moving wp-admin, as it is already well protected. Moving wp-login.php via the plugin I mentioned also stops any redirects from wp-admin to the correct login page. If your site has only one person who needs to log in, then restricting any wp-admin page to a given IP can be an ultimate protection. If anyone wanted to move wp-admin, then it would be a good idea to hire a developer, as it would likely involve rewrite rules at the very least to keep everything working smoothly. If you have a shortcut for moving wp-admin, please do share it. Thanks.