How can I keep my WordPress Website safe?

WordPress websites account for nearly 20% of ALL websites on the internet. While there are many Content Management Systems to build a site on (or no CMS at all), WordPress is the big dog for a reason. It’s easy to get up and running, there is a huge ecosystem of themes and plugins, and website owners find it extremely easy to use.

WordPress is almost always a fine choice of CMS for your next website, but it’s important to understand how to keep your website safe from malicious attacks.

Because WordPress is so popular, many black-hatted shady individuals target the platform for ways to exploit it. Many attacks on your site fall into these main categories:

  1. Brute Force Attacks – where a bot, or script, repeatedly attempts to log into your site by guessing your password. These sorts of attacks can be multiplied by using WordPress’s xmlrpc.php script, with damaging results. Your site could grind to a halt, or go offline altogether, or worse – they could very well crack your password!
  2. Inclusion Attacks – where a hacker pokes and prods your site for a way to inject something into your pages. Most often this is a spam email script, used to leverage your website and your reputation, to send out hundreds, if not thousands of spam emails. Sometimes though, it could be embedded pornography, scrapers to steal your customer data, or other such things.
  3. Injection Attacks – where a hacker finds a way to inject data right into your database – the powerhouse of your website. This could potentially gain them administrative access, and access to ALL of your data.

The good news is you can mitigate ALL of these attacks with some smart planning, strong theme and plugin development practices, and some common sense.

Defending against a Brute Force Attack

Brute Force attacks are typically handled on the server itself – all servers should have a firewall (ours do!) that will identify multiple, repeated login attempts for a given username, or originating from the same source. The firewall will throttle these attempts, or even block them for a period of time, and reduce the overall sluggishness caused by your website having to deal with so many login attempts. While that’s good news, it’s still important as a website owner to ensure your website is un-brute-forceable! Some easy things for you to do:

  1. Never use ‘admin’ as your login!
  2. Always use an ultra-secure password, and use a password manager to remember it for you.
  3. If you’re not using xmlrpc.php (the majority of folks don’t), consider disabling it completely.
  4. Use a software firewall like Wordfence or BruteProtect to create your own layer of security.
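The must-use plugin below is an added example, not code from this post or from Eggplant Studios; it turns items 3 and 4 above into code using WordPress’s own hooks: it switches off the XML-RPC methods that accept a login (and drops multicall and pingback, the parts of xmlrpc.php that multiply guesses), and it locks an IP address out of the login form after repeated failures. The file name, the `egg_` prefix and the 5-failure / 15-minute limits are assumptions; drop the file into wp-content/mu-plugins/ and it loads on every request.

```php
<?php
/**
 * Plugin Name: Harden logins (added example, not Eggplant Studios code)
 * Lives in wp-content/mu-plugins/ so it cannot be deactivated by mistake.
 */

// 1. XML-RPC: refuse every method that needs a login (what guessing bots use),
//    and remove multicall and pingback, which work without a login.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'], $methods['pingback.ping'] );
    return $methods;
} );
// Stop advertising the XML-RPC endpoint in every response.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 2. Login throttle (assumed limits: 5 failures, 15-minute lockout).
//    Behind a proxy or CDN, REMOTE_ADDR is the proxy, so substitute the
//    real client address here before relying on this.
define( 'EGG_MAX_FAILURES', 5 );
define( 'EGG_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

function egg_login_key() {
    return 'egg_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failed login in a transient that expires with the lockout window.
add_action( 'wp_login_failed', function () {
    $key   = egg_login_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EGG_LOCKOUT_SECS );
} );

// Runs after WordPress's own password check (priority 20); refuse while locked.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( (int) get_transient( egg_login_key() ) >= EGG_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( egg_login_key() );
} );
```

Wordfence and BruteProtect do the same job with more polish (and server-side firewalls do it before PHP runs at all); this shows what those plugins are doing underneath.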


Defending against Inclusion and Injection Attacks

  1. Regularly scan your site for malicious injections. Wordfence does this for you, and so does Sucuri.
  2. Set up strong access rules in Wordfence or Sucuri so that malicious injection attempts are blocked.
  3. Keep the WordPress Core, Plugins, and Themes as up-to-date as possible. Many updates are simply security patches, and it’s important to be on top of them!


What do I do if I’ve been hacked?

First of all, don’t panic. Hacks happen, and it does suck – a lot. But if you’re hosted with Eggplant on our Managed Hosting plan we’ll take care of it for you, and restore your website back to its original state as best we can. If you’re not on the plan, don’t fret either – we’ll still help you out. Just Contact Us!



Written by Shawn Wernig

Lead Creative at Eggplant Studios

Shawn Wernig is the lead creative behind Eggplant Studios. While not full time (let's face it, more than full time) designing websites for his clients, Shawn enjoys good beer, double-doubles, and hiding from his phone.