5 Facts About WordPress Website Security

The best WordPress website security you can buy is a good backup. It won’t prevent your site from being hacked, but it will make recovery much faster and will help you avoid the worst case scenario—destruction of all of your data.

If you don’t have a good backup service, I suggest you stop reading this article right now and go find one. Then come back and read about all the ways to enhance your WordPress website security so that you never need to use your backup service.

SQL Injection: The Main WordPress Website Security Threat

The number one way hackers take over your website is using what is called a SQL injection attack. Simply put, this is when hackers find a flaw in your WordPress website security and use that flaw to directly inject Structured Query Language (SQL, pronounced sequel) into your WordPress database.

Almost everything about your site is stored in a SQL database. That includes your posts, your settings, your static pages, your comments, and more. The only thing not commonly stored in the database are images and downloadable files—it’s much quicker for your web server to transfer these files directly without going through WordPress. (However, the names and locations of these images and files are stored in your database.)

If hackers can directly inject SQL code into your database, they can do anything they want to your WordPress. It’s even more powerful than hacking your administrator account because they can use SQL to automate their takeover of your site.

Many for-profit hackers who use SQL injection to compromise your WordPress website security will replace many of your links with spam links. Others will create a hidden directory on your site for use in phishing attacks. Non-profit hackers, often called script kiddies, will probably just “tag” your site as hacked by replacing the front page with an obscene image.

Years ago I forgot to keep my WordPress website maintenance up to date and got hacked! One day I went to my site and found the homepage hyjacked and tagged.  Of course I was hosting with Hostgator and they helped me get the site back under control. I learned a valuable lesson and this never happened to me again.

WordPress Website Security Against SQL Injection

The WordPress development team knows their software runs almost half of all active sites on the Internet, so they work very hard to make sure there are no security flaws which allow hackers to inject rouge SQL. However, every once in a while they do find a flaw (or they get WordPress website security reports from people like you that hackers have found a flaw) and they quickly work to fix it. When they have a fix, they release it as a free upgrade to WordPress.

If you don’t install this patch upgrade to WordPress immediately, you’re inviting hackers into your website. That’s because WordPress is completely free and open, so the hackers can download to the patch upgrade and see how it fixes the flaw—with that information, they can quickly create an attack that works against unpatched websites.

The best WordPress website hosting companies automatically upgrade their hosted sites so you should always have the latest version of WordPress. But if you occasionally get warnings about outdated software, do your WordPress website security a favor and get a better hosting company which provides free automatic updates.

Even Google sends you a message when your WordPress website is not secure. See the screenshot below.

The High Price Of Cheap Hosting

Website hosting companies keep prices down by hosting dozens or hundreds (or, sometimes, even thousands) of websites on each of their web servers. That’s great for them—they make money—and great for you—it keeps prices down. But it can have one disastrous effect: hacking one site hacks all the websites on the same server.

Imagine you’re very conscientious about your WordPress website security. You do everything right. But then imagine somebody on the same server as you does everything wrong. Or, even worse, imagine a hacker buys a website on the same server as you using a stolen credit card.

With direct access to the machine your website runs on, a hacker can often penetrate security in a few minutes or hours.

At least that used to be the case. High-quality website hosting companies have beefed up their WordPress website security using virtual machines and other tricks which create partitions between websites. These partitions slow down the servers a little bit, costing the company more money, but they greatly increase WordPress website security for customers like you.

Some companies advertise this service, but so few customers understand how it works that many companies don’t bother telling anyone about it. If you want to find out whether your hosting company offers good security, I suggest you search Google for “____ WordPress website security”. (Replace ____ with the name of the hosting company you use or plan to use.)

If you see a lot of complaints, either avoid the company or give them a call to see what they’ve done to fix the problem.

WordPress Website Security In The Cloud

Before you start moving parts of your website into the cloud using services such as Amazon S3, FeedBurner, or Disqus, consider whether these companies will keep your data safe and give it back to you if you change services.

A basic file hosting service such as Amazon S3 should be safe—especially if you setup a DNS alias.

For FeedBurner, consider that your WordPress blog feed is probably the second most important part of your site after your domain name. Hundreds or thousands of people are subscribed to your feed and if your feed goes down or if FeedBurner (Google) decides to start charging a huge rate for your feed, you could need to start your subscriber list all over again.

Again, you can mitigate much of the risk by using a DNS alias for your feed URL address. That way you can always move away from FeedBurner with a little technical know-how and (at most) 48 hours of downtime for the DNS change to propagate.

But customer interface systems such as Disqus may tell you in their terms of service that they own all the comments submitted through them. That means they could one day hold your comments hostage unless you pay them a large fee.

If your site depends on comments, this can be a huge problem. Even if your site doesn’t depend on comments, losing all of your comments all at once because you can’t or won’t pay the fee is basically the same as when a hacker overcomes your WordPress website security and deletes all of your comments using a SQL injection attack.

The only solution here is to read terms of service before you start using a service and consider what you’ll do if that service disappears so you don’t lose any WordPress website security.

The other main solution for your WordPress security is to check out WPpipeline as this amazing tool backups WordPress, clones, updates, install blogs and much much more.


  1. Nadia Barbara says

    I agree that the best way to secure your website is to acquire a good back up. I guess we cannot stop hackers from doing what they want, but having a back up can help us recover our data faster.
    Nadia Barbara recently posted..SEO Tip: Google Analytics

  2. says

    I absolutely love your blog and find many of your post’s to be exactly I’m looking for.
    Would you offer guest writers to write content for you personally?
    I wouldn’t mind writing a post or elaborating on a number of the subjects you write regarding here. Again, awesome website!

  3. James Smith says

    I always try to be updated whenever there are updates and regularly keeping backup of WordPress websites to be prevent from any hacker attach.

    This is one of the informative article which guide me a lot for – how to secure my website?

  4. says

    I tend to be very careful and update WP, themes, and plugins whenever they are available. I’m also using WordFence and 6Scan. I’ve noticed that there have been a lot of attempts to access my site, using the default “Admin” log in. I would highly recommend anyone starting a WP site to change their default log in immediately.
    Jim Liston recently posted..The Line

    • Mitz says

      Yes I like to install through Fantastico in cpanel and it lets you choose a password for admin when you are installing.. Very good tip to make sure you do not have a default admin password.. Thanks for the reminder! :)

  5. says

    It is almost impossible to make a site hacker proof these days. Taking a backup is only solution left for bloggers. My site got hacked a month back and the reason was a loop hole in theme I was using. I recommend everyone, don’t get attracted to free things…They can never provide the advantages of paid ones.
    Naser recently posted..Top 5 Best Alternatives to iPad 3

  6. says

    Recently our company noticed just how important website security is. We were hit with a bad case of malware and the site was down for over a week. I’m now trying to find help with WordPress security. Thanks for the excellent article!

  7. Tanya says

    awesome site, thanks for posting, although experience counts a lot in transposing what you see, having sites like these as inspiration is always a plus, keep em coming

  8. says

    From my experience updating WordPress doesn’t necessarily help against potential attacks. You may be fixing some potential loopholes, but also open yourself up to new exploits not yet discovered. There are several WP security plugins that are worth installing though and can help with a variety of attacks like SQL injections and especially limiting login attempts. From what I’ve seen on my blogs there’s a huge rise in brute force login attempts in the last year or so.
    Nicholas May recently posted..Types of Traditional and Modern Japanese Martial Arts

  9. Lauren says

    Great opportunities to learn, Facts About WordPress Website Security. well The number one way hackers take over your website is using what is called a SQL injection attack.

  10. Karan makharia says

    nice share. i actually paid for cheap hosting. i didn’t too backup of my website and then one day it got hacked and the database was deleted. Totally agree with you that we should 1st take the backup

  11. Donny says

    I had a major security breach a few months ago, and I think it was primarily due to me not updating WordPress very often. I also didn’t have any kind of security features installed at all. Since then I’ve installed OSE Firewall, which blocks a lot of your standard attacks. Though I’m sure it’s not impenetrable, I haven’t had any issues since.
    Donny recently posted..Call of Duty – Black Ops 2: How to Unlock Weapon Camo

  12. Shane Ryans says

    Great points your website is only as secure as you make it and I think many of us have had to deal with one kind of attack or another but they were never easy fixes, and more than likely cost hours of fixing.
    Shane Ryans recently posted..Why keyword negatives are important

  13. Brenda Macalino says

    Those fact of word-press was really great… and this is really I want to see because I need to learned more about this…
    Brenda Macalino recently posted..Insight on Life

  14. says

    I didn’t realize Google monitored and reported on WordPress versions if they found them out of date and at risk for security vulnerabilities, this is actually a good thing. The first step to a secure WordPress is always to use the latest release, the next I would suggest is Better WP Security plugin which I found to be exceptional at locking down your WordPress and securing it. Plus it’s free.
    Justin Germino recently posted..Maluuba a Good Siri Alternative for Android

    • Mitz says

      Ha ha ..Well you won’t get this message if you are up to date though… I have been behind lately and had a few of these in my messages.. Pretty cool though to get reminded.

  15. sofiya says

    Excellent post, especially for beginners! I love wordpress and am able to use it to accomplish pretty much whatever I need for my own blogging sites. I recommend WP for big, complicated jobs too–but clients should be aware that they will probably have to pay for custom development.
    sofiya recently posted..Tips For Using Facebook in Your Job Search Hunt

    • mitz says

      Yes you are right there.. the only thing is the backup that Hostgator takes for me is a complete clone of my website.. I do not have to do anything to get it back up to where it was. :)

      When they moved my websites they had clones transferred over with their software. I did nothing!

      When your website makes money it is a must to spend on security and backup.
      mitz recently posted..5 Facts About WordPress Website Security

    • Mitz says

      Yes it is embarrassing for an expensive hosting to get hacked. After all you do pay for extra security and backup usually. My dedicated hosting comes with all that and more. The tools are there to use. No need to buy extra software and plugins. :)

  16. Aasma says

    If you use updated version of WordPress then you’re certainly making hackers task difficult. Plus use security plugins available for WordPress. If hackers won’t know about your WordPress version then it also makes their task quite difficult and there are few plugins which helps you to hide your current installed WordPress version.
    Aasma recently posted..MLM Software Delhi Noida Gurgaon

    • Mitz says

      Yes I agree Aasma
      Keeping updated is very important and is often overlooked by webmasters. I guest post on some blogs where they do not update until a month later. I want to do it for them but do not have the authority. :)

  17. Elena says

    This is truly great and useful information for all the website owners. My friend’s website was injected with a malicious code a few months ago and it took him a while to get rid of it from the website and his computer. What a pain! Not counting all those visitors he lost because there was a warning from Google next to his website information. The morale of the story is do all the software updates on time, get anti-virus program and protect your computer and your blog in every possible way!
    Elena recently posted..Getting to the Heart of the Geek vs. Nerd Debate

  18. says

    This is a really a helpful post. i am not regular visitor of your website, but after reading this post i will visit your site daily..!!!thanks for sharing…!!!

  19. Rahul Kashyap says

    My according online and offline business is very important for our life. if we want to success in our life. so security is most important for our businesses. So obesely website security necessary. all of that your article is informative and valuable for every business man. :)
    Rahul Kashyap recently posted..Life of Pi (2012)

  20. Ti Roberts says

    Website security is extremely important and I think that it goes ignored too often. If you’re spending hours of your time into building a successful blog, you must protect it. It doesn’t make sense not to. Thanks for sharing on Bizsugar.


  21. Maja says

    Never compromise on quality. Always purcahse service of well known companies even if they are costly. Always upgrade your wordpress blog with free updates delivered by WordPress. Cloud computing is a novice technology that is a milestone in security.
    Maja recently posted..Short Haircuts for Men

  22. says

    I had the shared hosting issue come up when I was with JustHost. Someone had an account on the machine and was able to access everyone’s MySQL database from their shared hosting account. When I switched back to HostGator and changed all the passwords, I no longer had an issue.
    Steve recently posted..Taxes Can Be Simple With TurboTax 2011

Letsbuildwebsites.com runs on the Genesis Framework

Genesis Theme Framework for WordPress

When I changed to the Genesis Framework and the eleven40 Theme my page load score went from 58 to 79 instantly. This was without any optimization at all. The other thing about this framework and theme is that it was so simple to setup that I can highly recommend it to each and every person that visits this blog! Genesis is the smart choice for your WordPress website or blog.