KillerSites Blog

How to make WordPress More Secure

June 8, 2014

A lot of people use WordPress and WordPress is hacked all the time. How do you prevent WordPress from being hacked? My top 4 things to do:

  1. Great passwords that contain both upper and lower case letters, numbers and a symbol or two like underscores, dashes etc.
  2. Keep WordPress up to date! Fortunately in 2014, WordPress can be set to auto update. Do it and save yourself headaches.
  3. Don’t use plug-ins unless you absolutely have to. Do some research to be sure that they are safe and secure.
  4. Delete any unused themes. WordPress comes installed with a few themes … delete them because they could be a place for hackers to drop in malicious PHP files.

I recently had an old WordPress based site hacked and though I had updated it to the latest version of WordPress, will still found a malicious PHP file in this folder:


… Yes, inside the images folder. That’s one example of where these bastards will stick their malicious code. Remember, they don’t want you to find it. We don’t know for sure but I am guessing they got in the file BEFORE I updated WordPress.

Final Comments
I have to tell you that over the years, the few times we’ve been hacked … it’s always been via WordPress.

We are really reconsidering our use of WordPress, since it can be such a liability. We are asking ourselves, how much does WordPress really bring to the table(?) and weighing that against the risks.

BTW, I am not picking on WordPress, all the major CMS’ out there (Drupal, Joomla) are major points of attack. The open nature of these products, makes them that much easier to hack than closed-sourced (code is not public) private software.

For our new projects, we are rolling out our own blog tool – with all the advanced PHP frameworks out there and given that our needs are fairly simple, it makes sense to us.

If you do end up using WordPress, be sure to follow the above steps.

I hope that helps,

Stefan Mischook