Securing WordPress Against Hackers and DDoS Attacks

Robert Gibb
Robert Gibb

There’s no disputing the popularity of WordPress, which powers more than 74.6m sites around the world, with 48% of Technorati’s top 100 blogs being managed by the platform. In the online world though, anything that’s popular is more open to attack and WordPress is no exception. However, the types of attack that tend to hit WordPress sites – unless you’re a big brand – are generally carried out by people without a huge amount of technical know-how. These are often referred to ‘script kiddies’ as they use common code, techniques and kits in order to hack target sites.

XML-RPC for WordPress

The good news about this is that it means that often an attack can be dealt with quickly and easily. It’s not necessary to get to the stage where an attack does damage though, as most can be prevented in the first place. So today, we’ll be looking at how you can secure your installation and avoid common hacks.

Start with the Server

Before you think about securing your site, you should start from the ground up and that means making sure that your hosting server is secure in the first place. Starting with the basics, you should choose a host based on security and reputation and not on price. Whilst I’m sure there are some decent cheap hosts out there, for the most part hosting that costs you $2 per month is not going to cut the mustard.

Most of the managed WordPress hosting services have a reputation for secure hosting. They don’t all allow some performance-related plugins though, so you should check first to see exactly what access and level of control you have.

Most of them offer:

  • Managed WordPress hosting
  • Automatic security updates
  • Daily backups
  • One-click restore points
  • Automatic caching
  • Top-tier security

Whatever host you decide to go with you should check that they offer the following:

  • Run stable versions of server software and patch as necessary
  • Enable a server-level firewall
  • Allow you to back up and restore often and easily (site and database)
  • Intrusion detection

Managed hosts (such as WPEngine for example) use caching which is passed through a CDN, so if you really don’t want to use a managed WordPress host, then do consider implementing a CDN alongside a caching plugin such as W3 Total Cache. This is a simple way of setting up your site so that all traffic that’s passed through the CDN caches is then also passing through a secure socket layer (SSL/TLS). If you need a hand getting your head around these technologies, I’d recommend the following visual guides by MaxCDN. In the interest of full disclosure, I work for MaxCDN, but I’m sure you’ll find them to be useful resources:

Unfortunately, WordPress installations on shared servers, rather than those on a VPS or dedicated server, are generally installed and configured in such a way that’s easiest for the host, but not necessarily the most secure.

Note that the following configurations are for advanced users who are familiar with coding or basic sysadmin tasks. If you’re not, then ask your web developer to set this up for you.

Logins, Passwords and Plugins

Just a quick word on this one that bears repeating given that more than 70% of WordPress installations are vulnerable to attack. Always ensure that when you have installed WordPress that you update to the latest version as soon as it becomes available. The same goes for your theme and for all plugins that you use. The same applies to your server software. It might sound obvious to many of you, but the statistics speak for themselves, there are many, many older versions of the platform installed.

When it comes to passwords, I come across people on a daily basis who still use something like ‘companyname123’ as their password and these are people that are in the tech industry and should know better. So for yourself and every other user, generate complex passwords and store in a password manager such as LastPass, it’s safer that way.

Apply Automatic Updates

To ensure that minor and major updates take place in WordPress automatically, you can make a small change to the code which will apply them. This removes the need for you to do it manually (only minor updates are applied automatically to WordPress v.3.7 and later) but you should ensure that you enable automatic, frequent backups in the event that something goes wrong and it takes your site out.

To enable updates, apply the following code to your wp-config.php file:

#Enable all core updates, including minor and major:
define ( 'WP_AUTO_UPDATE_CORE', true );

It’s more common that you’ll experience a problem with automatic updates if you use plugins that are not updated reasonably frequently, so do try to ensure that the plugins you install are maintained and support is available where possible.

Disable PHP Error Reporting

If a plugin or theme that you’re using throws up an error, then it’s possible that the resulting error message will display your server path which in turn could be intercepted by hackers. With this in mind, you should disable error reporting by adding the following code to your wp-config.php file:

error_reporting (0);
@ini_set ('display_errors', 0);

Alternatively, if you’re not confident when it comes to editing your config files, then you can ask your web host to disable it for you.

Stop Brute Force Attacks

If you were to monitor how many login attempts there are on your WordPress site each day you’d probably be shocked. These are common attacks which are preventable to some degree by using complex passwords. Brute force attacks generally come from a botnet that attempts to guess your admin password. You can mitigate the risk and stop most brute force attacks by adding an extra layer of protection at the login screen level with HTTP AUTH.

To do this you’ll first need to password protect your directory by setting up .htaccess password protection. Once you’ve done this, you need to add the following code to your .htaccess file:

#Protect wp-login
<files wp-login.php="">
AuthUserFile ~/.htpasswd
AuthName "Private access"
AuthType Basic
require user mysecretuser

This will bring up the authentication box which prompts you to put in your username and password and you’ll then be required to login on the normal WordPress login screen – you should of course use different passwords for both.

You can also prevent brute force attacks by monitoring IP addresses that attempt to login and then locking them out. Or, you can simply change the admin username from ‘admin’ to your own name or something else and then delete the default admin user profile. You and your webmaster/developer really should be the only people with administrative rights across the site.

URL Based Exploits

These are really a stab in the dark for hackers who attempt to find weak spots in the site by making URL requests that should return an error but are sometimes completed.

The URL might look something like this:

Commonly, a hacker will use an opening bracket in the URL so firstly, to overcome this, it’s necessary to generate a 403 Forbidden page to stop any request that contains the bracket. To do this, just paste the following line into your .htaccess file:

RedirectMatch 403 [

To create a more complex ruleset, you needn’t write all the code yourself. If you’re familiar with working with .htaccess and your site is on an Apache server, then you can use the 5G Firewall which is a blacklist for common exploits. You don’t have to use all of the lines either, as it’s modular, and in the event that it does produce errors, you can delete line-by-line until you discover the problem.

You can protect the .htaccess file itself by adding the following line to the file:

<files .htaccess>
order allow,deny
deny from all

WordPress Security Plugins

You can of course use one of the security plugins that are available for WordPress too. Before installation, you should check that any plugin you use is supported and updated frequently. If so, then you should also check out the ratings and reviews to determine which is seen to be the best by the WordPress community.

Remember too, that if you have a lot of plugins on your installation, to periodically removing anything you’re not using. Ask yourself if the functionality that any given plugin allows you is really necessary and cut out the ones you can do without. For those plugins that you’ve deactivated you should also delete them as they provide a potential way in for a hacker. If plugins are no longer supported, then you should look for an alternative as it’s bound to create a vulnerability at some point, if it hasn’t already.

For the most part, WordPress security is about using common sense and understanding that a lot of the time, hacks and malware can be put down to errors by the end user. For the most part, hackers get in via exploits in software, so if you ensure that you always have the latest versions you’ll do a good job protecting yourself. Hackers look for the easiest route unless they are targeting you specifically, so tighten up your site and don’t make it easy for them.

Further Reading

If you’re interesting in reading more, here’s a selection of previous articles related to WordPress security on SitePoint that are worth taking a look at:

Frequently Asked Questions on Securing WordPress from Hackers and DDoS Attacks

What are the best practices to secure my WordPress site from hackers?

To secure your WordPress site from hackers, it’s crucial to keep your WordPress core, themes, and plugins updated to the latest versions. These updates often include security patches that can protect your site from known vulnerabilities. Additionally, use strong, unique passwords for your WordPress admin account and limit login attempts to prevent brute force attacks. Installing a reputable security plugin can also provide an extra layer of protection by scanning for malware and blocking suspicious activity.

How can I protect my WordPress site from DDoS attacks?

DDoS attacks can be mitigated by implementing a Web Application Firewall (WAF) that can filter out malicious traffic. Services like Cloudflare and Sucuri offer WAFs that can protect your site from DDoS attacks. Additionally, using a Content Delivery Network (CDN) can help distribute traffic across multiple servers, reducing the impact of a DDoS attack. Regularly backing up your site can also ensure that you can quickly recover in case of an attack.

What is a Web Application Firewall (WAF) and how does it protect my WordPress site?

A Web Application Firewall (WAF) is a security measure that monitors, filters, and blocks HTTP traffic to and from a web application. It protects your WordPress site by identifying and blocking common attack patterns, such as SQL injection and cross-site scripting (XSS). By implementing a WAF, you can protect your site from various types of attacks, including DDoS attacks.

How can I ensure that my WordPress passwords are strong and secure?

To ensure that your WordPress passwords are strong and secure, use a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using common words or phrases, and never use personal information such as your name or date of birth. Consider using a password manager to generate and store complex passwords. Additionally, change your passwords regularly and never use the same password for multiple accounts.

What are the benefits of using a Content Delivery Network (CDN) for my WordPress site?

A Content Delivery Network (CDN) can improve the performance and security of your WordPress site. By distributing your site’s content across multiple servers around the world, a CDN can reduce the load on your main server and deliver content to users more quickly. This can improve your site’s speed and user experience. Additionally, a CDN can help protect your site from DDoS attacks by distributing traffic across its network.

How can I limit login attempts to my WordPress site?

Limiting login attempts to your WordPress site can help prevent brute force attacks. You can do this by installing a security plugin that provides this feature. These plugins can block an IP address after a certain number of failed login attempts. You can also set the duration of the lockout and customize the number of login attempts allowed.

How often should I backup my WordPress site?

The frequency of backups depends on how often you update your site. If you regularly add or update content, you should consider daily backups. If your site doesn’t change often, weekly or monthly backups may be sufficient. Regardless of the frequency, ensure that you store your backups in a secure location and consider using a backup service that offers automatic backups.

What are some reputable security plugins for WordPress?

There are several reputable security plugins for WordPress, including Wordfence, Sucuri, and iThemes Security. These plugins offer a range of features, such as malware scanning, firewall protection, and login security. They can also send you alerts if they detect any suspicious activity on your site.

How can I monitor the security of my WordPress site?

Monitoring the security of your WordPress site can be done through various methods. Security plugins often provide monitoring features, alerting you to any potential threats or suspicious activity. Regularly reviewing your site’s access logs can also help identify any unusual behavior. Additionally, consider using a service that provides real-time monitoring and alerts.

What should I do if my WordPress site gets hacked?

If your WordPress site gets hacked, the first step is to identify and remove the malware. This can be done using a security plugin or a professional malware removal service. Once the malware is removed, update all your WordPress core, themes, and plugins to the latest versions. Change all passwords and review user accounts to ensure no unauthorized accounts have been created. Finally, restore your site from a clean backup and monitor your site closely for any further suspicious activity.