How to secure WordPress?

Updated: July 1, 2019 by Agnes Talalaev

In this article we won’t dive into technical details, but try to address a common misconception instead. We will explain what website security is in general and how it should be approached when dealing with WordPress.

As per calculations, approximately 380 new websites are created every minute. However, the actual number of new websites being created every day is probably a little more than 500 000. In a perfect world, security should be kept in mind from the beginning of the development process, but unfortunately this is not always the case.

Unfortunately, people usually become acquainted with website security only when a website is under attack and ends up defaced, stuffed with SEO spam, blacklisted or spreading malware.

There are hundreds of WordPress security providers out there who all claim their plugin to be “the best”, “most complete” and the “only thing you need”. We understand the marketing efforts, but there are concerns with this kind of messaging.

Why is WordPress security important?

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target.

Whether it’s your customers’ data such as emails, shipping details and credentials or just the server resources (processing power and storage), it’s all something that hackers can monetize or use for their own gain.

It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. Your website will be scanned on a daily basis for vulnerabilities, outdated software and configuration errors, and it will most definitely be actively brute-forced.

Screenshot from the WebARX dashboard. Blocked brute-force attacks.

Even if you don’t keep any visitor data such as emails, your website is still perfect for conducting a watering hole attack, or simply for hosting malware and redirecting traffic to malicious sources.

WordPress security is not plug-and-play

WordPress security cannot be plug-and-play. Never trust services that promise 100% security, because security is a process and should be treated as continuous risk management.

Paying a company so that you don’t have to worry or think about security creates opposite results in the long term.

Why is using multiple security plugins not a good idea?

When it comes to WordPress (or any other CMS) site security, owners and developers often load their sites with multiple security plugins, because more is better, right? Unfortunately, this can cause more harm than good.

WordPress security plugins also need to be updated, and they too can have vulnerabilities (e.g. the Wordfence XSS vulnerability). Security plugins, especially the ones that connect the site with a web application firewall or some simpler filtering engine, can conflict with each other, and as a result the traffic might not be properly monitored and filtered.

Some also change the settings of the hosting environment via the .htaccess and nginx.conf files. When multiple plugins try to push their own changes, you can end up with an unstable site with questionable security configurations.
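As an added illustration (not WebARX code), the following sketch audits an .htaccess file for settings that more than one plugin block writes with different values. It assumes plugins wrap their changes in `# BEGIN name` / `# END name` marker comments the way WordPress core does; the plugin names and file paths in the sample are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample; the two plugin marker names and file paths are hypothetical.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
# BEGIN ExampleHardening
Options -Indexes
Header set X-Frame-Options "DENY"
php_value auto_prepend_file /var/www/html/example-waf-a.php
# END ExampleHardening
# BEGIN ExampleFirewall
Header set X-Frame-Options "SAMEORIGIN"
php_value auto_prepend_file /var/www/html/example-waf-b.php
# END ExampleFirewall
"""

MARKER = re.compile(r"^#\s*(BEGIN|END)\s+(.+?)\s*$")
# Settings where a later writer overrides an earlier one; the number is how
# many leading tokens identify the setting (the rest is its value).
SINGLE_VALUED = {"options": 1, "directoryindex": 1, "php_value": 2,
                 "php_flag": 2, "header": 3}

def parse_blocks(text):
    """Yield (owner, directive) pairs; owner is the enclosing marker name."""
    owner = "(unmarked)"
    for raw in text.splitlines():
        line = raw.strip()
        m = MARKER.match(line)
        if m:
            owner = m.group(2) if m.group(1) == "BEGIN" else "(unmarked)"
        elif line and not line.startswith("#"):
            yield owner, line

def find_conflicts(text):
    """Return {setting: {owner: value}} for settings that blocks set differently."""
    seen = defaultdict(dict)
    for owner, line in parse_blocks(text):
        tokens = line.split()
        n = SINGLE_VALUED.get(tokens[0].lower())
        if n and len(tokens) > n:
            seen[" ".join(tokens[:n]).lower()][owner] = " ".join(tokens[n:])
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    for setting, owners in find_conflicts(SAMPLE_HTACCESS).items():
        print(setting, "->", owners)
```

In the sample, both plugin blocks set `auto_prepend_file`, so only one of the two filtering scripts would actually be loaded, which is the kind of silent conflict described above.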

Why should you question “one click malware removal” tools and services?

We often see service providers that offer “daily malware removal”, “one-click malware removal” and similar services that seem to be working well for website owners, because every time they run, a report shows that the website is clean. And it seems to be good because it runs often.

Instead of throwing out the bad guys on a regular basis, maybe it’s time to make a real effort: instead of investing in a fancy bucket to throw water out of a sinking ship, invest in tools that keep the water out.

Malware infection is the result of a problem. Does it really make sense to focus on the consequences? As long as you don’t solve the underlying problem, you will end up in a vicious circle of infections and cleanups.

How should WordPress security be approached?

Monitoring actionable insights

When it comes to content management systems like WordPress, it’s highly important to have a proper overview of every single component your website uses. If you’re an agency or a developer, it’s important to be able to set alerts and receive the information from a single place.

Whether it’s a vulnerable PHP version, vulnerable plugin version or a buggy theme, you want to know this information immediately. It’s not only about the internals, but the external information as well.

Screenshot from WebARX dashboard. External security monitoring results.

You should always know and be alerted about:

  • Is the website blacklisted?
  • Is the website mentioned in defacement databases or hacking forums?
  • What kind of information can be enumerated from your site with the use of simple tools?
  • Is the SSL certificate properly set up and when is it expiring?
  • Is the domain expiration date around the corner?


Comprehensive website monitoring is essential. It’s not just about uptime; it’s about integrity and about knowing where to look. If you know where to look and what to improve, it will be much easier to keep pace with the latest security practices.

Focus on prevention

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls are of critical importance.

A web application firewall monitors the traffic your website receives and takes action on malicious or suspicious traffic. It blocks exploitation attempts while a vulnerability is present but not yet patched.

Screenshot from WebARX dashboard. Blocked plugin vulnerability exploitation attempts.

For example, the WebARX web application firewall is managed, and virtual patches are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention is our main focus and thus our firewall engine is updated on a daily basis.

What to do when a website is hacked?

First of all, we have offered remediation services and malware removal since 2014 and have tested a lot of different tools. Many of them claimed to find malware with 100% accuracy. This has never happened.

Scanners are either heuristic or pattern based, and malware is always engineered to be invisible to scanners. Some scanners find malware better, some struggle with false positives and many just don’t work at all.

Over the years, we have stuck with supervised remediation. It means that we use different techniques to clean up the site and make sure that not a single backdoor remains on the site.

After double checking, we install and configure a web application firewall and monitoring on the site. We have written a tutorial which is considered to be the most comprehensive malware removal guide available for WordPress.

Remember, WordPress Security is a process!

WordPress security is much more than just a security plugin and strong passwords. It’s a process.

We tend to get lost and confused in the world of ads and marketing messages without really knowing what is good for us. If you have the proper tools, sometimes the most effective way is to just take an hour per week to look at what could be improved.

Keep in mind, security is a process, not a plugin you can install.
