Oftentimes, when a customer complains that their site has been defaced or infected with malware, we investigate and discover that they are running a CMS such as WordPress. The danger in these packages, from a security standpoint, is that they are so common that they make a large target for malware writers. Combine that with their support for third-party add-ons and their rapid pace of development, and it’s easy to see how vulnerabilities creep in.

If you’re looking for a quick and dirty security intro, here it is: update, update, update. Check the release notes for vulnerability fixes; if you see any, it’s time to upgrade. In addition, audit your plug-ins. Third-party add-ons are often not reviewed as thoroughly as the core code, and just because a plug-in is popular doesn’t mean it’s secure. A plug-in that is installed but unused still puts code on the site, so remove it rather than leaving it around.
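The "check release notes, audit your plug-ins" advice starts with knowing exactly which core and plug-in versions a site is running. As an added example (not code from the original post), here is a small POSIX shell script that reads the core version from wp-includes/version.php and the name and version of each plug-in from the header comment WordPress itself parses. The sample site it builds under mktemp is constructed for the example; point it at a real install by passing the path as the first argument.

```shell
#!/bin/sh
# Inventory a WordPress install: the core version plus the name and version of
# every plug-in, read from the same file headers WordPress itself parses. The
# output is what you compare against release notes and plug-in changelogs.
# The sample site and its plug-ins below are constructed for this example.

# The core version lives in wp-includes/version.php as:  $wp_version = '6.4.2';
wp_core_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Pull one "Key: value" header out of the comment block at the top of a plug-in
# file. Only the top of the file is consulted, so 40 lines is plenty.
plugin_header() {
    head -n 40 "$1" | sed -n "s/^[ *#]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" | head -n 1
}

# WordPress recognises a plug-in by a "Plugin Name:" header in a .php file
# directly under wp-content/plugins or exactly one directory below it.
# Output: name <TAB> version <TAB> file, one plug-in per line.
wp_plugin_inventory() {
    for f in "$1"/wp-content/plugins/*.php "$1"/wp-content/plugins/*/*.php; do
        [ -f "$f" ] || continue
        name=$(plugin_header "$f" "Plugin Name")
        [ -n "$name" ] || continue          # helper files without a header are not plug-ins
        version=$(plugin_header "$f" "Version")
        printf '%s\t%s\t%s\n' "$name" "${version:-unknown}" "${f#"$1"/}"
    done
}

# Constructed sample install so the script runs offline.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/example-forms" "$d/wp-content/plugins/vendor-lib"
    cat > "$d/wp-includes/version.php" <<'EOF'
<?php
$wp_version = '6.4.2';
EOF
    cat > "$d/wp-content/plugins/hello.php" <<'EOF'
<?php
/**
 * Plugin Name: Hello Dolly
 * Version: 1.7.2
 */
EOF
    cat > "$d/wp-content/plugins/example-forms/example-forms.php" <<'EOF'
<?php
/*
Plugin Name: Example Forms
Version: 1.4.0
Requires at least: 6.0
*/
EOF
    # A helper library with no header: must not show up as a plug-in.
    printf '<?php\n// shared helper code\n' > "$d/wp-content/plugins/vendor-lib/lib.php"
    printf '%s\n' "$d"
}

site=${1:-$(make_sample_site)}
printf 'WordPress core: %s\n' "$(wp_core_version "$site")"
printf 'Plug-ins (name, version, file):\n'
wp_plugin_inventory "$site"
```

Run it on a schedule and diff the output against the previous run: a plug-in whose version has not moved in months while its changelog lists security fixes is exactly the case the post warns about.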

1 thought on "WordPress Security Tips"

  1. I work as a sysadmin and we’re facing exploits and vulnerable WordPress installations on a daily basis.

    One of the most common things users do in order to get their WordPress site hacked is that they never keep it up to date and have open permissions applied to their data.

    To keep your WordPress safe, one should always keep it up to date and make sure there is no world-writable data. One can check it using:

    To find world writable file:

    find /path/to/wp -type f -perm -o+w -exec ls -l {} \;

    To find world writable directory:

    find /path/to/wp -type d -perm -o+w -exec ls -ld {} \;

    And to fix them: basically all files should have 644 and the directories 755.

    Another common reason, as suggested by you, is that the customers use 3rd-party plugins which are also outdated and vulnerable.

    Great blog posts, BTW. Just keep up that way.

    take care,

    – d
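As an added example that is not part of the comment above or the original post, the commenter’s two find commands extended into a report-and-fix script: it lists world-writable files and directories, and with --fix resets them to the 644/755 the comment recommends. The -perm -002 spelling is the portable equivalent of -perm -o+w. The sample tree it builds under mktemp is constructed for the example. One caveat from my side: wp-config.php holds database credentials and is normally kept tighter than 644 (for example 640 or 600, owned by the web server user), and the uploads directory must be writable by the web server user but never by everyone, so treat 644/755 as the floor, not the ceiling.

```shell
#!/bin/sh
# Report world-writable files and directories under a WordPress install and,
# on request, reset them to 644 (files) / 755 (directories).
# -perm -002 tests the "others" write bit, the same as -perm -o+w.
# The sample tree below is constructed for this example.

wp_world_writable() {
    find "$1" -type f -perm -002
    find "$1" -type d -perm -002
}

wp_count_world_writable() {
    wp_world_writable "$1" | wc -l | tr -d ' '
}

# Fix in bulk. Only entries that are currently world-writable are touched, so
# files already set to something stricter (e.g. wp-config.php at 600) are left alone.
wp_fix_perms() {
    find "$1" -type f -perm -002 -exec chmod 644 {} +
    find "$1" -type d -perm -002 -exec chmod 755 {} +
}

# Constructed sample: two correct entries, one bad file, one bad directory.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php // DB credentials live here\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/index.php"
    chmod 644 "$d/index.php"
    chmod 755 "$d/wp-includes"
    chmod 666 "$d/wp-config.php"        # bad: any local user can edit it
    chmod 777 "$d/wp-content/uploads"   # bad: any local user can drop files in it
    printf '%s\n' "$d"
}

case "${1:-}" in
    "")     # no argument: demonstrate on the constructed sample tree
            site=$(make_sample_tree)
            echo "before fix:"; wp_world_writable "$site"
            wp_fix_perms "$site"
            echo "after fix: $(wp_count_world_writable "$site") world-writable entries left" ;;
    --fix)  [ -d "${2:-}" ] || { echo "usage: $0 [--fix] /path/to/wp" >&2; exit 2; }
            wp_fix_perms "$2" ;;
    *)      wp_world_writable "$1" ;;   # report only, never modifies anything
esac
```

Run the report form from cron and alert on any output; a file that is world-writable today but was not yesterday usually means a plug-in installer, a backup restore or an intruder has changed modes, and that is worth a look before the fix is applied.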

