ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

WordPress Security Audit

Updated on May 1, 2018


There is a huge increase in WordPress installations. WordPress has recently released that there are over 59 million in existence today. It is very easy to get a WordPress blog up and running and the learning curve is very small. But due to the increase of installations there is also an increase in WordPress hacking. In fact, left to the default settings, you are almost guaranteed to have your WordPress website hacked.

While I won't go into a complete WordPress Security Audit, I will give you some tips that can serve to reduce hackers from penetrating your website. When you make it more difficult for hackers, you increase the chances of them moving onto other websites. Hacking is about probabilities just like anything else in life.


WordPress Creates a Default Administrative User

If you have ever installed WordPress before from your hosting CPanel, it's usually a few simple steps in a wizard-based program. You enter some information in fields, press a button, and boom! You're WordPress website is good to go.

WordPress installs a default user that is called 'admin'. But guess who else knows this information? Hackers. They know that 90% of WordPress owners won't change this default user name. They are counting on you keeping that user intact. You make it easy for them to hack when you do.

Choose a Secure Password

Whether you decide to keep the 'admin' user or not, make sure you choose a secure password. This password should not contain identifiable information such as birthdays, pet names, etc. You would be surprised how easy it is for hackers to find out that information.

Your password should have a length of at least 10 characters. It should include a combination of uppercase and lowercase letters. Include at least two numbers, and a few special characters !@#$%&*, etc.)

The best idea is to use a random password generator. People don't like this option because they have to remember these passwords. However, they are the best option to ensure you are creating the most secure password possible. Consider using a password manager for help. This way, you won't have to remember passwords.

A Sneaky Trick to Play on Hackers

WordPress does allow you to create an alias for your website. This alias will appear on the posts that you create with your regular user. Here's a neat little trick you could use to thwart the efforts of hackers.

Create a user that is not the default 'admin' user. Make this user an administrator. Sign in as this new user and delete the default 'admin' user. Then, create an alias for this new user and call the alias 'admin'. This will show up as 'admin' in your posts. Hackers will think it is the actual user name. When they try to guess the password based on 'admin' as the user name, their efforts will fail.

We'd Love To Hear From You

Have You Ever Had A WordPress Security Audit Done On Your Website?

See results

WordPress Security Flaw

There have been many successive updates to WordPress. And yet, they still insist on displaying a message, "you entered the wrong password for username admin" after you incorrectly log in. It's Security Tactics 101 to let the user know that they incorrectly typed in one or the other but don't give them one of the items as being correct. The message above tells hackers hey this installation still has the default user name.

WordPress Still Has Some Work to Do

WordPress has improved some of its security flaws. For instance, they have stopped publishing the WordPress version in the readme.html file. They updated it each time they made an update to WordPress. Hackers could tell immediately which version of WordPress you had installed. If your version was earlier than the latest, they knew exactly which hacks could work on your website. This is the biggest reason to make sure you have the latest version of WordPress installed.

While WordPress has finally stopped publishing the version, it's still relatively easy to get the information. In most cases, someone can right-click on a page of the website, select View Source, and search for the phrase "WordPress". You can try this experiment yourself. See if you can find the version of WordPress from the page source. Don't worry too much if you don't understand all of the cryptic code. Just do a search for the text "WordPress" and examine each instance. You will likely find the version somewhere in there.

See the image above for a website that is showing the version in the Page Source.

You may believe that hackers won't go through the trouble of doing this, but remember they have automated tools that do it for them. They won't manually scan a website. They will let their tools alert them to the vulnerable websites.

Have You Backed Up Your WordPress Website?

If you haven't, then this tells me you don't care about losing your website. Now, you may think that your hosting provider has a back up. You'd better check. And also check to see when they can restore it for you. Several places take days to get to it because it's often located externally and has to be delivered onsite in order for them to install. Can you wait that long? Back up your website!

The good news is it's relatively easy to back up your website these days, especially one using WordPress for its Content Management System (CMS). There are several plugins available and they can be automated for hands-free operation.

Always Update WordPress

The above video shows how to update your WordPress installation. You should do this whenever you get the message (make sure you back up first). The reason you want to make sure you do this is because WordPress is always updating to counteract hackers. So if a hacker finds out that you are using a previous version of WordPress, you have given them a foot in the door of your website. Always update to the newest version of WordPress.

Make Sure Your Plugins and Themes are Compatible with the Latest WordPress Version

Within the last several years, WordPress shows the compatibility status of WordPress plugins and themes. This is good news since you don't want updates to these plugins and themes to wreck your WordPress installation. While it is true that your hosting company should be able to fix the problem when it happens, why let it?

Be aware that a plugin could be compatible but still introduce malicious code into your WordPress installation. Hackers could pass off the plugin as legitimate and then hijack your installation. Luckily, the WordPress community will alert people when this happens. If there is a problem, your hosting provider will learn of it and check for any website that has the plugin install. They may require you to uninstall it, but you would want to do that anyway.

We'd Like To Know

When Was The Last Time You Backed Up Your WordPress Installation?

See results

Can't We Just Install Some Plugins?

There are plugins available that can help secure your website. They can also prevent people (to some degree) from viewing your page source. However, the more plugins you use, the more it bogs down your website. This isn't mentioned to try and discourage you from using plugins. You need to use discretion when doing so. Also, not every plugin will behave properly. You may think you are safe but the plugin creator doesn't update the plugin, or it was bad code to begin with. The plugin creators don't even need to have ill intentions for this to occur. Many inexperienced coders write bad code.



If You Don't Believe It Happens...

I have had several of my WordPress websites hacked into before. It was because of this reason that I created a service called WP Auditors. We run free scans on peoples WordPress website and then give them a report of what needs to get done. Since we started doing this, we have not had any incidents of hacking on our websites or our clients.

The reason why I even wrote this Hubpage, is because someone on an online forum that I belong to was upset that her website got hacked. Luckily she really only got started in creating the blog so there wasn't any content of substance on her site. But what if there was? Without a back up her site would be toast!

Hacker-Proof Your Passwords

Use a secure password. Don't make it easy for hackers to do their jobs.

Common Passwords

Don't use these password (or ones like them)
Don't use these password (or ones like them)

Brute Force Attack

A brute force attack is one of the most common forms of hacking. Hackers start by scanning (with software) for any WordPress website that has the default 'admin' user name. When they find websites with this, half the job is done. This means, sites with the 'admin' default are 50% less secure right from the start.

The next step for hackers is to apply a set of commonly-used passwords. These passwords are obtained from previously successful hacks, or from networking with other hackers. Again, the process is completely automated.

If you are a bit more diligent with your password where it is not contained in the commonly-used password database, then the hackers have some more work to do. The automated program will flood your site with millions of combinations for the passwords. This is where the term brute force comes into play. They keep going until they find a match on your website. This is the primary reason to make your password as long as possible. When your password is only a few characters long, it can take hackers little time to figure it out. If you had a password of length 10 or more, it will take them a lifetime using the current technologies available.

As mentioned, hackers don't mind going through this exercise because they have computer programs to do it for them.

Password Hacking Times

Longer Passwords Are Better - Much Better!

If you take a look at the chart above, you can easily see that if you make your passwords long enough, and combine uppercase, lowercase, numbers, and symbols, it will really make it very difficult for hackers to penetrate your WordPress installation. And you can also see that adding some uppercase, numbers & symbols really goes a long way in thwarting these jokers.

Stay Informed

Reading about security is about as exciting as watching paint dry. No one wants to take the time to do it. However, if you don't, it may be too late to take steps to stop hackers. At the very least, you should be reading the website on a regular basis. They give tips on how to keep your website safe as well as other developments the company is working on.

You could load an RSS reader with WordPress' blog. This way, you will be alerted to updates. You could also follow them on your favorite social media channel and learn about updates from there.

Another option is to sign up for This website/plugin has become the de facto standard in WordPress security. It's not necessary to install and use the plugin for you to get information about security updates. However, when you sign up for their newsletter, be prepared to receive notifications to update along with a bit of scare tactics about what may happen if you don't use their service. Hey, they have to make money too, right? If you can bypass the pressure of upgrading, the information they send can be useful for staying informed.

Should You Have Your Website Audited?

It's not a bad idea to find someone who can scan your website for security vulnerabilities. They can then make recommendations based on their audit or make the changes if you allow them. If you are going to have someone do this, make sure you ask questions about how they will audit your site. Unfortunately, there are a lot of pretenders on the internet who will sell you audit solutions that won't do much to keep your site secure. Ask them about a guarantee before committing to any company.

You Can't Win 'Em All

Unfortunately, hackers are always hard at work trying to find ways to get through. The security tips are not complete audits and you should consider having an audit done by qualified professionals. But, if you use these tips it will give you a greater chance of keeping hackers at bay than if you just leave your installation to "factory defaults".

We'd Like To Know

Will You Take Measures To Secure Your Site After Reading This Article?

See results

Give Us Your Thoughts On Security For WordPress

    0 of 8192 characters used
    Post Comment

    No comments yet.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
    ClickscoThis is a data management platform studying reader behavior (Privacy Policy)