Common avenues that compromise a website and possible interventions
The leading reasons for compromised websites have included:
- Hosting-related security vulnerabilities
- Theme weaknesses being exploited
- Plugins being exploited
- Human Error: Weak passwords, outdated software, and applications using insecure connections
1. Addressing hosting-related challenges
- When selecting a hosting provider for the website, review the provider's security track record and the
interventions it has made.
- Review security and hardening practices at the hosting level. The most common hosting security
features include a firewall with distributed denial-of-service (DDoS) protection, virus protection at the
host level, SSL certificates, and masking of domain owner details.
- While large hosting providers are attractive targets for attackers, they tend to invest in security
improvements and tightening as their experience grows. This may or may not be possible for smaller
- Build a clear understanding of how and what the hosting provider protects; whatever remains
unprotected is the website owner's or admin's responsibility.
- A secure hosting provider that does not manage the web server usually protects the availability,
privacy, and authenticity of the infrastructure resources (the physical or virtual server on which the
website is hosted). The security of the web server and its applications remains the responsibility of
the web admin.
2. Addressing theme-related challenges
- Themes are available within WordPress, either free, paid, or custom (imported from a
- Professional themes, whether free or paid, are regularly updated to address known security and
performance issues. Only minor updates may apply automatically; it is the site owner's responsibility to
check and test major updates before applying them to a live site. There are plugins that track theme
updates and send a notification when new versions or updates are published.
- Custom themes sourced from unknown or non-verifiable developers carry the risk of security
vulnerabilities that could expose the WordPress site to malware and compromise. These risks can stem
from poor code and/or malicious code insertions. Patching security weaknesses and similar follow-up
services may not always be an option, adding to the risk of
- Installation of themes and plugins can be disabled in WordPress through the admin module. This
hardening approach may work for some sites that use themes and plugins without frequent updates
3. Addressing plugin-related challenges
- The WordPress admin page has detailed information on listed plugins. This should be checked before
installation; WordPress regularly updates this information and flags issues with plugins when they are
discovered. The advisory remains until the plugin passes WordPress acceptance. Use plugins from the
WordPress repository where possible rather than third-party custom plugins.
- Plugins that need write access to WordPress files and directories should have their code reviewed. To
check for known issues with a plugin, go to https://wordpress.org/support/welcome/, ask other WordPress
users on the forums, or reach out to the plugin supplier.
- Once a plugin is installed, it's good practice to run a malware and vulnerability scan.
- Some online malware scanners crawl the URL entered and use software algorithms to identify known
malware and suspected malicious code. There are plugins that do this as a routine task, too.
- Similarly, if site performance degrades inexplicably, running the malware scanner is a good idea.
- Disable and delete all unused plugins.
- Some plugins may need, and allow, PHP or other code to execute from entries stored in the database,
which creates a risk if the website is compromised. A workaround, used together with locking or
disallowing file editing, is to call the function from a custom page template instead.
4. Other actions that can be taken to harden and protect your WordPress website
Keep everything updated
- Updates are usually triggered by known issues, incompatibilities, and vulnerabilities, so installing
updates and patches helps harden the website. Keep WordPress and its supporting applications, such as
the database and PHP, updated.
- Major updates to WordPress and supporting applications may need testing before roll-out to ensure
that the website and any customizations still work as intended. If the update is found to be
incompatible with other parts of the website, one approach is to assess the vulnerability addressed by
the new patch or update and its impact on your website instance. If there is an impact, decide whether
to invest in upgrading or changing the incompatible portions of the website. Meanwhile, consider
disabling or removing the affected sections of the website.
Keep strong access approaches
Websites are accessed by website admins, registered users or subscribers, and casual visitors. The
following approaches help reduce vulnerabilities both for those accessing the website and for the website
itself.
- Strong password strategy: WordPress has a built-in secure random password generator.
Admin Module > My Sites > Users > UserProfile > Security.
- Consider setting up Two-Step Authentication as an added security approach. Once enabled, logging
in to WordPress will require entry of a unique passcode generated by an app on the user’s mobile
device or sent via text message in addition to the username and password. This adds another layer of
security while logging in.
- This strong password approach should be used across all interfaces, including the host/admin account,
the database, File Transfer Protocol (FTP) accounts, and the primary site email addresses of domain/web
- Add more challenge interfaces: implement CAPTCHAs that users must complete before they can post,
discuss, comment, offer feedback, or otherwise respond on the website. This helps ensure that bots do
not create mass entries and malicious feeds in your discussion threads.
- Consider setting up auto-logout for idle users in WordPress. This needs a plugin to monitor and log
out inactive users.
- Use Secure File Transfer Protocol (SFTP) instead of FTP to upload and manipulate files on the web
server. This keeps your credentials and transferred files encrypted in transit.
Take backups and maintain restorable files before making changes.
- Default admin: The default administrator name on WordPress is "admin". If this isn't changed, it
becomes an open door for those looking for vulnerabilities: bots can keep trying password combinations
(a brute-force attack) to break in. Similarly, the default URL for admin login is website.com/wp-admin.
Changing this ensures that those directing password-guessing attempts at the default link do not reach
the admin login page. Additionally, the maximum number of failed login attempts can be changed from the
default to a restricted number, after which the offending IP or user is barred from accessing the
website.
- Default naming conventions:
WordPress table prefix: By default, the WordPress database uses WP_ as the prefix for its data tables.
Experience has shown that a number of known WordPress-specific SQL-injection attacks have assumed the
table prefix is WP_. Changing this to another random prefix breaks any SQL injection attack that relies
on this assumption. The prefix WordPress uses is changed in the wp-config.php file, and the existing
database tables are renamed through phpMyAdmin.
- Default file permissions:
1. Lock down write and delete file permissions where possible. This is an effective approach, especially
on shared hosting environments that give the web server user or selected user(s) write access. These
restrictions can be loosened when write access is needed. Create separate folders with limited
restrictions to allow users to upload files if needed.
2. Database hardening:
- Assign a unique database user to manage each blog, and give each blog its own database instead of
the default user and a single database for all blogs. This can be set while setting up the WordPress
installation and works as a containment strategy: if one WordPress blog installation is compromised,
it stops intruders from gaining access to and altering the other blogs.
- Secure the database (if you are the database admin). Disable features that are not used by your
configuration; for example, if accepting remote TCP connections is not needed, disable it. Most
operations, including posting blogs, uploading files, and posting comments, need only data read and
data write privileges on the database. Removing database administration privileges from the site's
user ensures that unauthorized users cannot change the database structure. This works as a
containment approach if the installation is compromised. The caveat, however, is that some major
updates and supporting applications (including themes and plugins) may require access to make
structural changes in the database (including adding new tables or changing the schema). The
workaround is to temporarily grant the required privileges before installing or updating the plugin,
theme, or application.
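An added example, not from the original page, of the least-privilege grants the database hardening above describes, assuming the MySQL or MariaDB database that WordPress runs on; the database, user and host names are hypothetical, and the maintenance mode is the temporary privilege grant the last bullet recommends, with a revert mode to take it back:

```shell
#!/bin/sh
# Added example, not from the original page: emit least-privilege MySQL/MariaDB
# grants for one WordPress site's own database user (WordPress runs on
# MySQL/MariaDB). The site, user and host names used below are hypothetical.
# Pipe the output into the mysql client as an administrative account.

# Accept only plain identifiers so a name cannot smuggle SQL into the output.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Hosts may also contain dots, dashes and the % wildcard (localhost, 10.0.0.%).
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9_.%-]*) return 1 ;;
    esac
    return 0
}

# Usage: wp_db_grants DB USER HOST MODE
#   normal      - the day-to-day data read/write set the text above describes
#   maintenance - temporarily add the schema-changing privileges that some
#                 updates, themes and plugins need (CREATE, ALTER, DROP, INDEX)
#   revert      - take those schema privileges away again after the update
wp_db_grants() {
    db="$1"; user="$2"; host="$3"; mode="$4"
    valid_ident "$db" && valid_ident "$user" && valid_host "$host" || {
        echo "refusing unsafe identifier (db=$db user=$user host=$host)" >&2
        return 1
    }
    data="SELECT, INSERT, UPDATE, DELETE"
    schema="CREATE, ALTER, DROP, INDEX"
    target="ON \`$db\`.* "
    case "$mode" in
        normal)      echo "GRANT $data ${target}TO '$user'@'$host';" ;;
        maintenance) echo "GRANT $data, $schema ${target}TO '$user'@'$host';" ;;
        revert)      echo "REVOKE $schema ${target}FROM '$user'@'$host';" ;;
        *) echo "unknown mode: $mode (normal|maintenance|revert)" >&2; return 1 ;;
    esac
}

# Example run for a constructed site named blog1 with its own database user
wp_db_grants wp_blog1 wp_blog1_user localhost normal
```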
Hardening through .htaccess and wp-config.php files
.htaccess and wp-config.php are important files in a WordPress installation and must be secure and
- .htaccess is a distributed configuration file used by Apache (the web server software) to apply
configuration on a per-directory basis. Through additional instructions in .htaccess, WordPress tells
Apache how files in its root directory and subdirectories must be handled; for example, the .htaccess
file is modified to handle Pretty Permalinks.
- Disable PHP file and script execution in directories that do not need it. For example, upload folders
where users can upload files don't need to allow PHP file and script execution. These settings are
placed in an .htaccess file kept in the folder being hardened; the Apache server reads the instructions
in that .htaccess file and disallows any PHP file execution in the upload folder.
- wp-config.php can be moved to the directory above the root directory that WordPress is installed into.
Ensure that the admin has read/write permission on the file and that the web server has read
permission.
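An added example, not from the original page, that applies the file-level controls above as a POSIX shell script: it blocks PHP execution in the uploads folder, sets baseline file permissions, and checks wp-config.php for the install lockdown and table prefix changes discussed earlier. It assumes an Apache host that honours .htaccess and a web server running as the group that owns wp-config.php; DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are real WordPress constants, and the default prefix is wp_ (written WP_ above), matched case-insensitively.

```shell
#!/bin/sh
# Added example, not from the original page: apply and audit the file-level
# hardening described above. Assumes Apache honours .htaccess under the web
# root and that the web server runs as the group owning wp-config.php.
# WP_ROOT is a hypothetical install path; the demo uses a throwaway copy.

# Refuse to execute PHP inside wp-content/uploads (Apache 2.2 and 2.4 syntax).
block_php_in_uploads() {
    uploads="$1/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
# Uploaded files must never run as code
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Commonly recommended baseline: directories 755, files 644, and wp-config.php
# readable only by its owner and the web server group (640).
set_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 640 "$1/wp-config.php"; fi
}

# Report wp-config.php settings: DISALLOW_FILE_EDIT (no dashboard code editor),
# DISALLOW_FILE_MODS (no plugin/theme installs or updates from the dashboard),
# and a table prefix still at the default wp_. Prints one line per finding and
# returns the number of findings, so 0 means nothing is left to fix.
audit_wp_config() {
    cfg="$1/wp-config.php"
    # wp-config.php may legitimately live one level above the web root
    [ -f "$cfg" ] || cfg="$1/../wp-config.php"
    n=0
    for const in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        if ! grep -Eq "define\([[:space:]]*'$const'[[:space:]]*,[[:space:]]*true" "$cfg"; then
            echo "$const is not set to true"
            n=$((n + 1))
        fi
    done
    if grep -Eiq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg"; then
        echo "table prefix is still the default wp_"
        n=$((n + 1))
    fi
    return "$n"
}

# Demo on a constructed throwaway install, not a real site
WP_ROOT=$(mktemp -d)
printf "<?php\n\$table_prefix = 'wp_';\n" > "$WP_ROOT/wp-config.php"
block_php_in_uploads "$WP_ROOT"
set_wp_permissions "$WP_ROOT"
audit_wp_config "$WP_ROOT" || echo "findings: $?"
rm -rf "$WP_ROOT"
```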
Maintain audit logs and backup/restore capabilities
- An audit log helps track all activities and changes on the WordPress site, including user activity
such as logins, logouts, updates, and posts, as well as application update activity.
- The activity log can be consulted for any suspicious activity or changes. There are backup plugins
that allow restoration to a specific point in an audit log. Notifications can be set for critical
website changes.
General good practices
- Compromised computers, if used for admin-related work on the web server, can be used to gain
access to confidential information through keyloggers, viruses, spyware, or other malware.
- Compromised local network: if an admin or user accesses the web server for admin-related work from a
compromised local network, confidential information could be extracted.
- Monitor actively: monitor logs to track changes to files and applications. Third-party applications
like OSSEC help trace suspicious activity through logs and file change alerts. Plugins are available to
monitor, track, analyze, and notify about suspicious activity.
Some popular WordPress security and hardening plugins
1. Jetpack
Jetpack is a plugin platform that consists of multiple plugin options, including security, performance,
marketing, and design tools. The security component provides site security features including malware
scanning, spam protection, brute-force protection, and downtime and uptime monitoring.
The security plugin includes capabilities for:
- Automatic malware and other code threat scans with the option to restore the website from malware in
- Blocking spam comments and form responses with anti-spam features powered by Akismet.
- Brute-force attack protection for the WordPress login pages.
- Monitoring site uptime and downtime and getting instant email alerts about any change.
- Secure login with optional two-factor authentication (2FA) for extra protection.
- Auto-updating individual plugins for easy site maintenance and management.
Jetpack details: https://wordpress.org/plugins/jetpack/
- Version: 9.5
- Active installations: 5 million +
- Works on WordPress version: 5.6 or higher
- Tested up to WordPress version: 5.7
- Works on PHP version: 5.6 or higher
- Languages supported: 43
2. Wordfence Security
Wordfence Security includes an endpoint firewall and malware scanner to protect WordPress sites.
Wordfence maintains a Threat Defense Feed that delivers the newest firewall rules, malware signatures,
and malicious IP addresses to keep the website safe, in addition to offering 2FA.
Wordfence's security scanner features:
- Protects the site at the endpoint, enabling deep integration with WordPress.
- Integrated malware scanner blocks requests that include malicious code or content.
- Malware scanner checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam,
malicious redirects, and code injections.
- Compares site core files, themes, and plugins with what is in the WordPress repository, checking
their integrity and reporting any changes.
- Protection from brute-force attacks by limiting login attempts.
- Web Application Firewall identifies and blocks malicious traffic.
- Repairs files that have changed by overwriting them with the original version.
- Checks site for known security vulnerabilities and alerts to any issues. Also alerts to potential
security issues when a plugin has been closed or abandoned.
- Checks the safety of your content by scanning file contents, posts, and comments for dangerous URLs
and suspicious content.
- Offers 2FA for secure remote system authentication available via any time-based one-time password
(TOTP) authenticator app or service.
- Login page CAPTCHAs stop bots from logging in.
- Disable or add 2FA to XML-RPC.
- Block logins for administrators using known compromised passwords.
- Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is
delayed by 30 days).
- The Real-time IP blocklist blocks all requests from the most malicious IPs, protecting your site
while reducing the load on it.
- Checks to see if your site or IP have been blocklisted for malicious activity, generating spam, or
another security issue.
Wordfence details: https://wordpress.org/plugins/wordfence/
- Version: 7.5.2
- Active installations: 4 million+
- Works on WordPress version: 3.9 or higher
- Tested up to WordPress version: 5.7
- Works on PHP version: 5.3 or higher
- Languages supported: 5
3. Tips and Tricks HQ
Tips and Tricks HQ offers features to secure user registration, login, and accounts, the file system, and
firewalls. It also offers spam protection, blocklist referencing, front-end text protection, database
security, security scanning, and more. Some other features include:
- Reduces security risk by checking for vulnerabilities and implementing and enforcing the latest
recommended WordPress security practices and techniques.
- Offers a security points grading system to measure how well the site is protected based on the
security features activated.
- Security and firewall rules are grouped into three categories, basic, intermediate, and advanced, so
the firewall rules can be applied progressively and checked without impacting the
- User-based security features:
- Detect if user accounts have identical login and display names.
- Enforce strong passwords using the password strength tool.
- Prevent user enumeration. This prevents users or bots from discovering user info via author
- Get notified via email whenever a user gets locked out from too many failed login attempts to
protect against brute-force attacks. View a list of all locked out users and unlock individual or
bulk IP addresses as needed.
- Monitor the account activity of all user accounts on your system by keeping track of the username,
IP address, login date and time, and logout date and time.
- See a list of all users who are currently logged in to your site.
- Specify one or more IP addresses in a special whitelist. The whitelisted IP addresses will have
access to your WP login page.
- Add Google reCAPTCHA or a plain math CAPTCHA to WordPress login forms and system logins.
- Add a honeypot to the WordPress user registration form to reduce registration attempts by bots.
- The file change detection scanner alerts about any files that have been changed in the WordPress
system. These can be investigated to check if that was a legitimate change or if bad code was injected.
- Spam monitoring includes:
- Monitoring the active IP addresses that persistently produce the most spam and blocking them.
- Preventing comments from being submitted if they don't originate from your domain.
- Implementing CAPTCHAs on comment forms to add an additional layer of security against comment spam.
- Automatically and permanently blocking IP addresses that have exceeded a certain number of comments
labelled as spam.
All-in-one WP security and firewall details:
- Version: 4.4.8
- Active installations: Nearly 1 million
- Works on WordPress version: 5.0 or higher
- Tested up to WordPress version: 5.7
- Languages supported: 13
4. Sucuri Security
Sucuri Security offers an auditing, malware scanning, and security hardening WordPress plugin. The
plugin is a security suite offering users a set of security features for WordPress. Some of the key
features include:
- Security activity auditing - Monitor all security-related events including changes that occur within
the application and its environment, including who's logging in and what changes are being made.
- File integrity monitoring - Compare known good file versions with the current files. This covers all
the directories at the root of the install, including plugins, themes, and core files.
- Remote malware scanning – Use the SiteCheck security scanner to scan for malware.
- Blocklist monitoring – Monitor blocklist engines to prevent known malicious IP addresses and users
from accessing a site, and remove legitimate user sites from that list if any are inadvertently added.
- Effective security hardening – Configuration learnings from cleaned websites are used to harden
- Post-hack security actions – Use these to help with recovery in the event of a hack.
- Security notifications.
- Website Firewall (premium) – Includes protection against:
- DoS and distributed DoS (DDoS) attacks
- Exploitation of software vulnerabilities
- Zero-day disclosure patches
- Brute-force attacks against your access control mechanisms
- Performance optimization
- Advanced access control features
- Failover and redundancy
Sucuri Website Firewall filters out bad traffic before it reaches the website.
Sucuri security details: https://wordpress.org/plugins/sucuri-scanner/
- Version: 1.8.26
- Active installations: 800 thousand+
- Works on WordPress version: 3.6 or higher
- Tested up to WordPress version: 5.7
- Languages supported: 10
5. MalCare Security
MalCare Security offers a free malware detection and removal plugin with a one-click malware removal
option. It also offers a cloud-based firewall for website protection; geo-blocking at country level
helps mitigate attacks originating from certain geographies. MalCare comes integrated with a website
management module so that security and site management are handled from a single dashboard. The tool
checks performance and notifies when a website goes down; it also keeps an eye on site loading speed.
MalCare supports white-label solutions to help developers support customers under their own branding.
1. Cloud-based malware scanner
- Daily scan
- On-demand site scans
- Scan non-WP files
2. Instant malware removal
- View details on hacked files
- Instant automatic malware removal
- Removal of unknown and new malware
- Email, chat, and social media
3. Intelligent malware protection
- Web application firewall
- IP Allow listing
- CAPTCHA-based login protection
- Logs for traffic and logins
- Alerts for suspicious logins
4. Website hardening
- Block PHP execution in untrusted folders
- Disable file editing
- Block plugin or theme installation
- Change security keys
- Reset all passwords
6. Complete website management
- Centralized dashboard
- Plugins and themes management and update
- Management of users, teams, and clients
- Generate and schedule reports
- White-labeling solution
- Monitoring uptime and site speed
- Blocklist alarms
- Slack integration
MalCare security services details: https://wordpress.org/plugins/malcare-security/
- Version: 4.57
- Active installations: 100 thousand+
- Works on WordPress version: 4.0 or higher
- Tested up to WordPress version: 5.7
- Supports PHP version: 5.4.0 or higher