Securing WordPress: from A to Z

Written on 13 Jan 2024

Admin was the default username for new WordPress installations for years. Many users didn’t change it, resulting in thousands of hacked WordPress websites.
And even now, that username is still used too often!

Backdoors allow hackers to regain access to your WordPress website through a single line of code.

Code is often written in PHP and then encoded to base64 so that the server doesn’t recognize it.

Daily spamming will get your website listed on the spam list.

Errors on your site without any modifications? It might have been a hacker, but it could also occur due to conflicts between WordPress, plugins, and themes during automatic updates.

FileZilla is the most commonly used program to manage your server files. You can check the modification date to see which files have been altered by a hacker.

Encoded data like your password is stored in the database, making it unreadable. (But it can be changed.)

Hackers write scripts and spread them on the internet, attacking thousands of websites. They rarely target specific sites.

Illegal plugins are often equipped with backdoors and spam scripts.

JavaScript is commonly used to overwrite information on your website. For example, all links might be replaced with links to websites that the hacker profits from. This code can be very short and doesn’t need to be in your theme or templates, making it hard to find.

Lost customers seeing ads or an error on your website will usually not revisit it. They will instantly search for other sites offering similar services or products.

Learning to remove hacks and secure WordPress takes months. Hackers attempt to infiltrate your WordPress website weekly using smart scripts, and there are thousands of active scripts with more added every day.

Matt Mullenweg is the founder of WordPress. He developed WordPress at the age of 19.

Notepad++ and even the standard Notepad in Windows are tools with which a hacker can write a hack script. The ease of use contributes to the abundance of scripts in circulation.

Open source is the reason why there are so many WordPress websites online. The CMS is free to use, and anyone can develop plugins and themes for it.

Plugins can be downloaded for free from, but there are also premium plugins available for purchase.

Queries are server requests. With hundreds of queries from various IP addresses, a DDoS attack is launched. iThemes Security blocks various queries and limits the number of queries an IP address can make.

Comments on your website may contain links with an injection. Clicking on such links while logged in as an administrator can execute commands against your own website.

80% of the spam you receive in your email inbox comes from websites that have been hacked.

Templates like the page template and the header template are often injected with advertisement links, making those links visible on every page of your website.

Uploads folders are often filled with spam files. Every website has a default upload folder that the server and WordPress can write to. This is essential for updating the website, adding images, etc. Hackers like to exploit these folders. The year and month are usually part of the default structure. Check there if you want to get rid of hacked website files!

Remove plugins you don’t use. Even when deactivated, they are still available on the server, causing security issues.

WordPress is a very secure and up-to-date system. The use of poor plugins and themes is what causes the problems.

XSS stands for Cross-Site Scripting, one of the major vulnerabilities in websites. It is abbreviated as XSS to avoid confusion with CSS (Cascading Style Sheets).

Yoast SEO is a WordPress plugin created by Joost van der Valk, a Dutchman. His plugin is well-known worldwide and used by thousands of businesses. Plugins like Yoast SEO are regularly updated, ensuring their security.

You can secure your WordPress website if you have knowledge of servers, plugins, and updates. All this information is available for free on WPbeveiligen!
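The entries above on base64-encoded PHP, file modification dates and the uploads folder can be combined into one check. The following Python script is an added example, not code from this article; the extension list, the regular expression and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristics, not taken from the article: adjust for your own site.
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}
ENCODED_EXEC = re.compile(rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def classify(name, data):
    """Return the reasons a file in uploads looks suspicious (empty if none)."""
    reasons = []
    if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
        reasons.append("script-in-uploads")      # uploads should hold media only
    elif b"<?php" in data.lower():
        reasons.append("php-in-media")           # PHP hidden behind a media extension
    if ENCODED_EXEC.search(data):
        reasons.append("decode-and-execute")     # encoded code that is run after decoding
    return reasons

def scan_uploads(root):
    """Walk root and return (mtime, relative path, reasons), newest first."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                data = fh.read(1_000_000)        # cap bytes inspected per file
            reasons = classify(path.name, data)
            if reasons:
                findings.append((path.stat().st_mtime,
                                 path.relative_to(root).as_posix(), reasons))
    return sorted(findings, reverse=True)

def build_sample_tree(root):
    """Constructed sample data in the year/month layout; payloads are inert."""
    samples = {
        "2023/11/logo.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, 1_700_000_000),
        "2023/11/banner.jpg": (b"\xff\xd8\xff<?php echo 1; ?>", 1_704_000_000),
        "2024/01/cache.php": (b"<?php eval(base64_decode('QUJD'));", 1_705_000_000),
    }
    for rel, (data, mtime) in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))           # fixed modification time

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_uploads(tmp), sep="\n")
```

To check a real site, call `scan_uploads()` on a downloaded copy of `wp-content/uploads`; the newest flagged files appear first.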


Hopefully, you have learned more about securing WordPress, or you’ve discovered some interesting facts.

Securing WordPress goes much deeper, but we’ll spare you the details in this article. If you want to read more, regularly visit our WordPress security articles page.

Did you enjoy or find this article informative? Share it with others so they can also learn more about WordPress security!

Most articles are written by Mathieu Scholtes, the owner of WPBeveiligen. Want to stay up to date on the latest WordPress news? WordPress tips? WordPress offers?
Then connect on LinkedIn!
