There are almost 75 million WordPress sites to date, which makes up more than 25 percent of the entire Internet.

WordPress is flexible, easy-to-use, and with more than 40 thousand plugins in the repository, it is easier than ever to customize it to fit your needs. With its growing appeal, it’s more important than ever for users to take appropriate security measures.

As the president of SiteLock, a website security company, I have seen countless WordPress websites compromised, and it seems like these breaches are becoming more and more prevalent.

In 2005, there were 157 million data breaches in the United States exposing 66.9 million records, according to the 2015 Identity Theft Research Center Breach Stats Report. Fast forward to 2015, that number has skyrocketed to 781 million breaches exposing more than 169 million records. At SiteLock, we identify more than 50,000 compromised websites and clean more than one million malicious files every month.

Cybersecurity should not be taken lightly. A breach can directly impact the overall health of a company by affecting everything from its bottom line to brand reputation. A 2015 study found that cyber crimes for 252 benchmarked organizations have a mean annualized cost of $7.7 million per year, with a range from $310,000 to $65 million.

As WordPress grows in popularity it will become more of a target for hackers. This article takes a look at four ways to keep your WordPress site safe and secure.

Remove Information That Is Helpful To Attackers

Hackers look for “low-hanging fruit” that is easy to identify and exploit. It is critical to ensure you are not leaking information to a potential attacker. Here are a few quick, easy fixes we recommend to avoid common information disclosures:

  • Remove readme.html
  • Remove the ‘Proudly powered by WordPress’ footer
  • Disable version information from being displayed in the header or RSS feed by placing the below code in functions.php:

function disable_version_info() {
    return '';
add_filter('the_generator', 'disable_version_info');

  •  If you are using Apache, add the following to /etc/apache2/conf.d/security to reduce server information disclosure:
    • ServerTokens Prod
    • ServerSignature Off
    • TraceEnable Off

Again if you are Apache, disable directory listings by adding the following option to the server config file: Options – Indexes.

Tighten User Security

We all know how important it is to use strong, unique passwords, but it’s equally important to use a unique WordPress administrator name (instead of admin or wp admin) to prevent user-based attacks. Use two-factor authentication and consider moving wp-login.php to a unique URL, too. And lastly, be sure to regularly review registered users and disable user registration if unnecessary.

Maintain A Clean WordPress Hosting Environment

Complexity is an attacker’s playground. With this in mind, be sure to store backups away from the hosting server and delete unnecessary plugins. Do an inventory once a quarter or so to remove plugins and code you are not using.

And in the case that WordPress itself is compromised, do not store hacked files on the server — especially in a publicly accessible directory. This seems obvious but is a mistake we see often, especially for website owners who are trying to save “evidence” of the attack.

If you want to save this information, move it offline! And lastly, remove test scripts, like phpinfo(), from the server when finished testing.

Update, Update, Update

Out-of-date plugins and themes are a leading cause of hacked websites. WordPress core itself enables auto-updates automatically, however, you still need to make sure that you are regularly checking for plugin and theme updates.


Hackers will continue to find new ways to exploit sites. Now more than ever, it is imperative that you take the right security measures to protect your WordPress site. Implementing security measures on a regular basis can save you time, money, and even your reputation in the long run.

Stay safe out there.

Neill Feather

Neill Feather is the president of SiteLock, the leading provider of website security solutions. With more than 20 years of experience, Neill leads the company's approach to 360-degree domain security by providing industry analysis and utilizing rapidly evolving data sets related to security and hacking trends. A Pittsburgh native, Neill resides in Scottsdale, Arizona with his wife and three kids. He enjoys spending time with his family, running and playing basketball. Neill holds B.S. degrees from Pennsylvania State University and an MBA from the University of Pennsylvania's Wharton School of Business.

The post Keep Your WordPress Site Safe With These Four Tips appeared first on Torque.

Share This

We are using cookies on our website

Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.