Using WordPress? Make sure you read this

29 Nov 2016

WordPress is the most popular and most targeted content management system. According to statistics from 40,000+ WordPress websites in the Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.

Below are some of the super-simple steps we take every time we deploy a WordPress installation, to make sure it's safe!

  1. Keep your WordPress version up to date: The developers at WordPress are working very hard to fix security issues, and keeping your site updated with the latest version will help immensely.
  2. Username and Password choice: The choice of username and password can be very important. Choosing something that is easy to guess makes your site vulnerable. A common mistake people make is using admin as part of their username and password. This is the default in WordPress, making it very easy to guess.
  3. Restrict Number of Login Attempts: Use a plugin like Wordfence to limit the number of incorrect login attempts to 3. If someone is not able to log in after 3 tries, he probably does not have authorization to. Set up alerts and a website lockdown if there are several incorrect attempts.
  4. Choose a Good Website Hosting Company: Choosing a web host is extremely important. Going for cheap options may be tempting, but the security they provide is often not good enough. We personally use Hostgator.
  5. Login URL: It is a good idea to rename your login URL. There are several plugins that allow you to do this. If the attacker does not know your login URL, he will not be able to log in!
  6. Protect the wp-admin directory, disallow file editing: You can set up dual passwords to access the admin area of the WordPress site: one password to log in, and another to access some parts of wp-admin. This will ensure that even if an intruder is able to log in, he will not be able to change too much. You can also disallow file editing in the admin section, so that even if someone does gain unauthorized access, he will not be able to edit any files in the admin section.
  7. Use SSL to encrypt data: This is the oldest trick in the book, yet the most overlooked. Implementing an SSL certificate ensures secure data transfer between browser and server. Hackers will not be able to breach the connection easily. And SSL certificates such as those from Let's Encrypt are free!
  8. Monitor Your Changed Files: Wordfence (the best firewall we have used for WordPress) is a plugin that allows you to monitor files that have been changed on the website. It is 100% free and open source. Read more at
  9. Disable XML-RPC in WordPress: WordPress uses an XML-RPC interface. If you disable this interface, applications will not be able to talk directly with your WordPress site. This will enhance security to a great extent. However, by doing so, you will lose any XML-RPC API functionality that your applications rely on, but most of us don’t use it.
  10. Take Regular Backups: Last but not least, taking regular backups ensures that you can restore your site if it has been hacked. So use a good cloud operator, and take backups of your site.
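
A quick way to verify items 6 and 7 on a deployed site, as an added example that is not code from the original post: the script below audits the text of a `wp-config.php` and ignores settings that are only present in comments. It assumes file editing is disabled with WordPress's `DISALLOW_FILE_EDIT` constant and admin SSL is enforced with `FORCE_SSL_ADMIN`; the sample config and the function names are constructed for illustration.

```python
import re

# Constants audited, mapped to the list items above (the mapping is this example's assumption).
EXPECTED = {
    "DISALLOW_FILE_EDIT": "item 6: disallow file editing in wp-admin",
    "FORCE_SSL_ADMIN": "item 7: serve login and admin over SSL",
}

# Quoted strings are captured and kept; /* */, // and # comments are dropped.
_TOKEN = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
_DEFINE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.I | re.S)

def strip_php_comments(src):
    """Remove comments so a commented-out define() is not mistaken for a live one."""
    return _TOKEN.sub(lambda m: m.group(1) or "", src)

def parse_defines(src):
    """Return {CONSTANT: raw value expression} for live define() calls."""
    found = {}
    for m in _DEFINE.finditer(strip_php_comments(src)):
        # PHP keeps the first definition of a constant; later ones are ignored.
        found.setdefault(m.group(1), m.group(2))
    return found

def audit(src):
    """Report 'ok', 'not enabled' or 'missing' for each expected constant."""
    defines = parse_defines(src)
    report = {}
    for name in EXPECTED:
        if name not in defines:
            report[name] = "missing"
        elif defines[name].lower() in ("true", "1"):
            report[name] = "ok"
        else:
            report[name] = "not enabled"
    return report

# Constructed sample: one setting is only in a comment, the other is switched off.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );  // constructed value
// define( 'DISALLOW_FILE_EDIT', true );
/* define('FORCE_SSL_ADMIN', true); */
define( 'FORCE_SSL_ADMIN', false );
$note = 'see // https://example.com';
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:20} {status:12} ({EXPECTED[name]})")
```

A plain text search for `DISALLOW_FILE_EDIT` would report the sample as hardened; parsing only live `define()` calls shows that neither setting is in effect.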

With experience deploying 100+ WordPress installations, InSwiGo can help in securing your WordPress site, or in recovering it if you have recently been hacked. Fun Fact: Our CTO is a CEH (Certified Ethical Hacker), and regularly contributes to the community to make WordPress more secure.