ITHEMES PRESENTS

A GUIDE TO
WORDPRESS
WEBSITE SECURITY
10 THINGS YOU NEED TO KNOW
Is WordPress really secure?

The answer to the question “is WordPress secure?”

is it depends. WordPress itself is very secure as long
as WordPress security best practices are followed.

On average, 30,000 new websites

are hacked each day. WordPress
websites can be an easy target for What you'll learn in
attacks because of plugin this guide:
vulnerabilities, weak passwords
and obsolete software. The different types of
WordPress security
vulnerabilities
Thanks to an active community
Mistakes users and
and open-source development,
admins make
WordPress continues to be an
WordPress security   
excellent choice for a wide variety best practices
of websites because of its ease of Actions you can take
use, flexibility and continued today to reduce your risk
development. of a hack or breach

And by following a few simple

WordPress security best practices,
you can greatly reduce your
vulnerability to attack.

1
1. Yes, WordPress websites
are a target for hackers.

WordPress currently powers over 31% of all

active websites on the internet, so it has become a
target for hackers with malicious intent.

Why? If a hacker can find a

way into one of the 75
million WordPress
WordPress
websites on the web, they 31%
can scan for other
websites that are running
similar insecure setups
and hack those, too.

Unfortunately, Total Websites

vulnerabilities are 69%

inevitable because not all

website owners and users
are careful, thorough or
conscious about their WordPress Usage Across the Internet
Source: W3TECHS, 2018
online security.

2
A recent report by Sucuri analyzed 34,371 infected
websites to highlight hacking trends in compromised
websites.  

According to the report,

WordPress infections rose 90
from 74% in 2016 to 83%
in 2017, so it's even more
important to stay vigilant 60

in your security efforts.

30
"In most instances, the
compromises which were
analyzed had little, if 0
anything, to do with the WordPress Joomla! Magento Drupal
83% 13.1% 6.5% 1.6%
core of the CMS
application itself but more
with its improper Infected Websites Platform Distribution
Source: Sucuri.net
deployment, Hacked Website Report 2017

configuration and overall

maintenance by the
webmasters."

3
2. WordPress has known
security vulnerabilities. 

According to a recent report by wpscan.org, WordPress

has nearly 4,000 known security vulnerabilities. 

Of known vulnerabilities:
Themes
11%

52% are from

WordPress plugins
37% are from core Plugins
WordPress 52%
Core WordPress
11% are from 37%
WordPress themes

Source: WPSCAN.ORG, 2018

As an industry standard, security vulnerabilities

are disclosed to the public soon after they're
discovered and only after a fix has been released
to solve the issue. However, some websites
continue to run insecure versions of plugins,
themes and core WordPress despite the risk.

4
The Top 5 WordPress
Security Issues 

1. Brute Force Attacks

WordPress brute force attacks refer to the trial
and error method of entering multiple username
and password combinations over and over until
a successful combination is discovered. The
brute force attack method exploits the simplest
way to get access to your website: Your
WordPress login screen. 

2. File Inclusion Exploits

File inclusion exploits occur when vulnerable code
is used to load remote files that allow attackers to
gain access to your WordPress website's wp-
config.php file, one of the most important files in
your WordPress installation. 

3. SQL Injections
Your WordPress website uses a MySQL database
to operate. SQL injections occur when an attacker
gains access to your WordPress database and to
all of your website's data. SQL injections can also
be used to insert new data into your database,
including links to malicious or spam websites.

5
4. Cross-Site Scripting
Cross-site scripting vulnerabilities are the most
common vulnerability found in WordPress
plugins. The basic mechanism works like this: an
attacker finds a way to get a victim to load web
pages with insecure javascript scripts. 

5. Malware
Malware, short for malicious software, is code
that is used to gain unauthorized access to a
website to gather sensitive data. A hacked
WordPress website usually means malware has
been injected into your website's files. 

A hacked website can be a headache for a number of reasons, and

especially for your SEO rankings. Google and other search engines
quickly blacklist websites that are discovered to be hosting
malicious files or scripts. Some browsers, like Google Chrome and
Firefox, will display warning signs to users or completely block the
ability to view a suspicious website. 

6
Types of Website Malware

Malware is a broad term for a family of malicious files that can vary
depending on the attacker's intent. Several families of website malware
have been identified:

Type of Malware  Description 

Backdoor Files used to reinfect and retain access to a website

Spam SEO A compromise that targets a website's SEO

Programs that may be used by hackers to attack

HackTool
computer systems and networks

Spam generating tools designed to abuse

Mailer
server resources

Defacement Hacks that leave a website's homepage

unusable and promote unrelated subjects

Attempts to trick users into sharing sensitive

Phishing
information (logins, credit card data, etc.)

Source: Sucuri.net

7
3. When running a
WordPress website, your
hosting matters.

Not all web hosts are created equal, and choosing one
solely on the price alone can end up costing you way
more in the long run.

Since the server where your

website resides is also a target for
WordPress Hosting
attackers, using poor-quality
Tips:
shared hosting can make your site
more vulnerable to being
Choose a host with a
compromised. Shared hosting can solid security
also be a concern because infrastructure.
multiple websites are stored on a Security should be a
single server. If one website is primary selling point
of their offering.
hacked, attackers may also gain
Confirm access to
access to other websites and their
24/7 support.
data.  Research how the
company handles
While all hosts take precautions to hacked or blacklisted
secure their servers, not all are websites discovered
on their servers.
vigilant or implement the latest
security measures to protect
websites at the server level.

8
WordPress Hosting
Technical Specifications
For Better Website Security

The following is a list of technical specifications to use as

guidelines when choosing a hosting company for your
WordPress website.

Recommended Security Guidelines for Your

WordPress Hosting:

Easy installation of SSL certificates*

Active version management of server software
Support for SFTP (not just FTP)
Latest supported PHP version is at least 5.6,
    although 7.0+ is recommended.
Support for TLS  1.2 and 1.3
Firewall protection*
Website log retention*
Routine security audits
Malicious activity detection*

* Note: Some hosting companies may offer these as separate Need a 

services or add-ons with additional fees WordPress hosting
recommendation?
Check out
iThemes Hosting!
9
4. The plugins and themes
you install matter.

Only install WordPress plugins and themes from trusted

sources. Why? Unverified versions can contain malicious
code.

Only install themes and plugins from

WordPress.org, well-known Tips for choosing
commercial repositories or directly plugins and themes:
from reputable developers. It doesn’t
Only install themes
matter how much you lock down your
and plugins from
WordPress website if you are the one reputable websites.
installing malware. Avoid using "nulled" or
bootleg versions of
If you find a premium WordPress premium plugins or
plugin or theme that isn’t being themes.
Premium themes and
distributed on the developer’s website
plugins should always
or from a reputable marketplace, do
offer support option
your research before downloading it. with your purchase. 
Reach out to the developers to see if Make sure the plugin
they are in any way affiliated with the or theme has been
website that is offering their product updated recently.
at a free or discounted price.

10
5. Updates matter. A lot.

When your WordPress site is running outdated

versions of plugins, themes or WordPress, you run the
risk of having known exploits on your website.

WordPress runs on open

source code and has a team WordPress Update
specifically devoted to finding, tips:
identifying and fixing
WordPress security issues that Update notifications are
found in your WordPress
arise in the core code.
dashboard in the top
As security vulnerabilities are
admin bar.
disclosed, fixes are Always backup your
immediately pushed out to website before running
patch any new security issues major updates.
discovered in WordPress. Run updates as soon as a
new version is available. 

That’s why keeping WordPress

and all your themes and
plugins updated to the latest
Managing multiple
version is a vital component of WordPress sites? Check
a successful security strategy.  out iThemes Sync to
manage all your
website updates from
11 one dashboard.
6. The quality of your
password matters.

Your WordPress login is the most commonly attacked

vulnerability because it provides the easiest access to
your website's admin page.

Brute force attacks are the most

common method of exploiting Password Tips:
your WordPress login. Brute force
Use a password with a
attacks refer to a trial and error combination of lower
method used by hackers and bots and uppercase letters,
to discover username and symbols and numbers.
password combinations in order Never reuse passwords.
to gain entry to a website.  Change your passwords
often.
Use a password
Brute force attacks can be
manager like LastPass
effective because WordPress or 1Password to
doesn’t limit the number of failed generate and store
login attempts someone can passwords.
make. So be mindful of using a Turn on two-factor
strong, complex password for authentication for your
WordPress login (see
your WordPress admin login. 
page 15).

12
7. If you don't have a
backup plan in place, you're
in trouble.

By default, WordPress doesn't have a built-in backup

system. What are you doing to backup your website?

If the worst happens and your

website is hacked, how do you WordPress backup tips:
get it back? How do you revert
Set up backup schedules
back to a clean version of your
to automatically run.
website? You'll need to have a Store your backups
backup—or a complete copy— safely off-site in a secure,
of your website to restore it. remote destination. 
Run complete backups of
WordPress backups are critical your website's database
and all files. A database
to an overall security strategy.
backup alone isn't
While your host may offer
sufficient. 
backups, not all are equipped to Make sure your backup
handle the complexities of a solution has restore
WordPress installation. functionality.

Make sure your backup solution

handles backing up the
database and all your website
files and provides a way to Need a backup solution?
Check out BackupBuddy,
restore it back.  the 3-in-1 WordPress

13 backup plugin.
8. You can take steps to
secure your website and
minimize your risk.

Good news! Most WordPress security issues can be

prevented if site owners simply follow WordPress
security best practices.

Just like locking the doors of your house, investing in an alarm

system and paying for insurance, your website should have
security and safety measures in place. Better WordPress
security can be achieved in just a few simple steps.

A Simple WordPress Security Checklist:

1. Choose quality hosting.

2. Secure your WordPress login with a strong password and two-
factor authentication.
3. Keep your plugins, themes and WordPress software updated.
4. Uninstall and completely delete unused and abandoned
plugins and themes.
5. Only use trusted software distributors for plugins and themes.
6. Have a WordPress backup plan in place.
7. Add SSL to your website.

14
9. Add two-factor
authentication to your
WordPress admin login.

One of the best ways to secure your WordPress site is

with two-factor authentication.

Two-factor authentication adds an

extra layer of protection to your WordPress Two-factor
WordPress login. In addition to authentication tips:
your password, an additional time-
Use a WordPress security
sensitive code is required from
plugin such as iThemes
another device such as your
Security Pro to add two-
smartphone, in order to factor authentication to
successfully login. your website.
Encourage privileged
Two-factor authentication is one of users such as admins to
the best ways to lock down your activate two-factor on
their login. 
WordPress login and nearly
Mobile apps, rather than
completely minimizes the potential
email or SMS text, are
of successful brute force attacks. best for two-factor
authentication. Try
While WordPress doesn't offer a Google Authenticator or
built-in way to add two-factor Authy for your two-factor
authentication, you can use a method.

plugin like iThemes Security to add

the functionality. 
15
10. A WordPress security
plugin can help.

Install a WordPress security plugin like iThemes Security Pro

to add even more protection to your website. 

Themes Security Pro works to lock

down WordPress, fix common iThemes Security setup
holes, stop automated attacks and tips:
strengthen user credentials.  
After installation, use the
one-click Security Check
You can download the free version to activate the
recommended features
of the plugin from WordPress.org
and settings.
or upgrade to iThemes Security Pro
Enable two-factor
for even more security features like
authentication (Pro) and
two-factor authentication,
configure setup with the
scheduled malware scans, user mobile app of your
logging and more.  choice. 
Whitelist your IP
Turn on email
With a team of WordPress security notifications to get
experts behind you, you can have security alerts and
added peace of mind that your updates 

website is safe and secure. 

16
SAVE 50% OFF ALL ITHEMES
SECURITY PRO PLANS
SECURE & PROTECT
WORDPRESS WITH A TRUSTED
SECURITY PLUGIN

SECUREWPNOW
Use coupon code                                              to
save 50% off* all iThemes Security Pro plans.

SAVE 50% OFF NOW

* Coupon good on any

*new* iThemes Security
Pro purchase. Can't be
used to renew or extend
and existing iThemes
3,000+ 5-star ratings! Security Pro subscription.