Basic WordPress Security

I attended the WordPress User Group Philippines meetup last January hosted by our friends at I was one of the speakers discussing Basic WordPress Security, so I decided to post it here on my blog.

The need for Security

  • 90% of all Hacked Sites are in WordPress
  • 97% came from plugins
  • 2.4% came from themes
  • .05% came from WordPress Core

Several Basic things you can do to secure a WordPress Site

  1. Use a strong and unique password for your WordPress administrator account, and use two-factor authentication if possible. Here are the top WordPress plugins that implement and manage 2FA that can be used on your site:
  2. Keep your WordPress core, all plugins, and themes up to date, as new versions often include security fixes. Some hosts/platforms offer managed update services:
  3. Use a security plugin to scan your site for malware and vulnerabilities, and to block malicious traffic. Some popular security plugins include:
  4. Use SSL/TLS to encrypt traffic to and from your site. You can get an SSL certificate for free through Let’s Encrypt or some web hosts included in their service.
  5. Use a security service or CDN to block malicious traffic and protect against DDoS attack example are Cloudflare and Fastly. Some web hosts like WP Engine include Cloudflare while includes Fastly.
  6. Restrict file permissions so only necessary users and processes can read, write, and execute files on your server.  The standard would be to make all writable permissions on the wp-content/uploads folder and deny PHP execution.
  7. Regularly make a backup of the site, so that you can restore it in the event that it is hacked or otherwise becomes unavailable.

The need for WordPress Security

WordPress site owners would just leave site security on the least priorities on their checklist.  The common things they are going for are an affordable host, an appealing design, SEO, promotion, and custom development.  They would not prioritize the security of their site, sadly according to an article from, WordPress accounted for 90 percent of all hacked CMS sites in 2018.  Two-thirds of them were hacked due to a backdoor from an outdated plugin or a known vulnerability.

(image from Sucuri)

Remember a website is a digital asset; any disruption would result in loss of lead, conversion, and sale.  That means a loss of revenue, imagine if a site that earns an average of $100 per day, a disruption of five days would result in a loss of $500, the same scenario on a site that was dropped off on search engine rankings.   Google Ad would not permit adding websites if their algorithm detected a possible malware infection.   In the worst scenario, Chrome would not allow the viewing of the site and would make a bad impression on customers.   Expensive Design, SEO, Social Marketing, Sales Funnel, or landing pages would not be of help once a WordPress website is hit by malware.  So it’s better to be protected than sorry.