The Top 10 WordPress Security Tips


With WordPress running on one in five websites, it comes as no surprise that these sites are a popular target for experienced hackers and script-kiddies alike.

WordPress sites are notoriously lacking when it comes to security, often due to the insufficient security expertise of the developer, or the use of the many potentially insecure plugins available. For example, in 2013, around 90,000 WordPress sites were hijacked for use in a botnet. They are also a popular target for malware.

The following are the top 10 measures that can be taken to address some basic security holes or malpractices that are commonly present in thousands of WordPress sites today:

1. Run the Latest Version of WordPress

Running the latest version of any software is probably the most obvious security measure that should be taken. However, with over 86% of WordPress installations running outdated versions, this point can’t be stressed enough. Each update not only brings with it new features, but more importantly, bug fixes and security fixes. These help your site remain safe against easy-to-exploit vulnerabilities.

2. Run the Latest Versions of Themes and Plugins

However, running the latest version of WordPress is not enough – your site’s plugins and themes could still contain vulnerabilities that can compromise security. Recently, for example, an older version of Slider Revolution, a very popular WordPress plugin that is used by a large number of WordPress themes sold on the Envato Market, allowed malicious users to steal database credentials.

3. Be Selective When Choosing Plugins and Themes

Plugin enumeration easily allows attackers to discover what plugins your WordPress site is using. By avoiding the installation of unnecessary plugins you automatically reduce your site’s attack surface. When choosing which plugins and themes to use, be selective. Before installation, read up and check how many downloads they have and when they were last updated.

4. Remove Inactive Users

Users, especially administrators and others who have the ability to modify content, are among the weakest points of any site because, unfortunately, most users choose weak passwords. If you absolutely need to keep inactive users in your WordPress database, change their role to ‘subscriber’ in order to limit their actions.

5. Prevent Directory Listing

Directory listing occurs when the web server does not find an index file (i.e. an index.php or index.html) – and, if directory listing is turned on, the server will display an HTML page listing its contents. This could be used to exploit a vulnerability in a WordPress plugin, theme, or even the web server itself.

6. Use Complex Security Keys

WordPress makes use of a set of long, random and complex security keys. A security key functions similarly to a very strong password or passphrase and should contain elements that make it harder to generate enough options to crack. You can either make your own random keys, or you can use WordPress’ online key generator.

7. Restrict Access to wp-admin Directory

Password protecting your WordPress admin area through a layer of HTTP authentication is an effective measure to thwart attackers attempting to guess users’ passwords.

8. Disable File Editing

By default, WordPress allows administrative users to edit PHP files of plugins and themes inside the admin interface. This is often the first thing an attacker would look for if they manage to gain access to an administrative account since this functionality allows code execution on the server, so disabling it enhances security.

9. Enable HTTPS for all Logins and wp-admin

HTTPS is usually synonymous with shopping carts and internet banking, but in reality, it should be used whenever a user is passing sensitive information to the web server and vice-versa. TLS/SSL may significantly consume server resources depending on traffic, consequently it is not required for the entire site. However, WordPress’ login form and admin area are probably the most sensitive areas of a site and therefore it is strongly advised that TLS/SSL is enforced here.
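Tips 6, 8 and 9 all come down to settings in wp-config.php, so they can be checked together. The following is an added example, not code from the original article or from WordPress: it audits a config for placeholder or short security keys and for the DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN constants, and generates replacement keys locally. The 64-character minimum, the function names and the sample config are assumptions made for the illustration.

```python
import re
import secrets
import string

# The eight key and salt constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_KEY_LEN = 64  # assumption: treat anything shorter as weak
# Matches define('NAME', 'string') and define('NAME', true).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(\w+))\s*\)""")

def parse_defines(text):
    """Return {constant: value} for define() calls, skipping commented-out lines."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for name, sq, dq, bare in DEFINE_RE.findall(line):
            found[name] = sq or dq or bare
    return found

def audit(text):
    """Return findings for tips 6 (keys), 8 (file editing) and 9 (HTTPS)."""
    defines, findings = parse_defines(text), []
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: sample placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: shorter than {MIN_KEY_LEN} characters")
    for flag in ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN"):
        if defines.get(flag, "").lower() != "true":
            findings.append(f"{flag}: not set to true")
    return findings

def generate_keys():
    """Build define() lines with fresh random values; no quotes, backslashes or $."""
    alphabet = string.ascii_letters + string.digits + "!#%&()*+,-./:;<=>?@[]^_{|}~"
    return "\n".join("define('%s', '%s');" % (name, "".join(
        secrets.choice(alphabet) for _ in range(MIN_KEY_LEN))) for name in KEY_NAMES)

# Constructed sample: one placeholder key, one short key, editor and HTTPS not enforced.
SAMPLE = ("<?php\ndefine('AUTH_KEY', 'put your unique phrase here');\n"
          "define( 'SECURE_AUTH_KEY', 'hunter2' );\n// define('DISALLOW_FILE_EDIT', true);\n"
          "define('FORCE_SSL_ADMIN', false);\n")
```

Calling audit(SAMPLE) lists every weak or missing setting; a config built from generate_keys() plus both constants set to true returns an empty list.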

10. Restrict Direct Access to Plugin and Theme PHP files

Allowing direct access to PHP files can be dangerous. Some plugins and themes can contain PHP files that are not designed to be called directly, causing the PHP interpreter to display errors or warnings which may lead to information disclosure. Additionally, restricting direct access to PHP files prevents attackers from bypassing security measures (such as authentication) when code is split up into smaller files.

Aim to follow these basic measures to keep your WordPress sites safe – they are a good starting point in making security a top, and ongoing, priority.


Australian Web Hosting at its finest

Founded in 2002, AUSWEB connects thousands of Australian businesses to the internet, with our services ranging from shared web hosting to virtual private servers, dedicated servers and Enterprise Cloud Solutions.
With all our servers and network based in a Sydney TIER3 Data Center (Equinix/Alexandria), AUSWEB provides a reliable local alternative to your online business needs.

Whether you are just getting started with your first website or are an IT Professional, you’ll appreciate the speed and features we offer with our range of plans with the ability to manage all aspects of your web hosting from the popular and user friendly cPanel Hosting Control Panel.

Our web hosting solutions are targeted to the Australian online market and our Australian servers provide the fastest connection speeds possible, whilst our 99.9% uptime guarantee provides peace of mind.

Why host in Australia?

With an increasing number of developers and small businesses looking at offshore alternatives to host their websites, we felt compelled to be frank about the reasons why you should choose an Australian host.

The 4 main pointers are:

  1. Latency
  2. SEO
  3. Support
  4. Economy

1. Latency

What is latency?

As defined by the Freedictionary.com:

latency – the time that elapses between a stimulus and the response to it

The speed of downloading or uploading data is dictated by a sequence of handovers of data between various networks starting at your device.

Your device connects to the remote server via your ISP, requests the data and receives it; the data is relayed from the server’s ISP back to you via your ISP in the same manner as the initial connection.

In other words, it is one big daisy chain, which wraps around the Earth. That photo you upload to a social network does trips around the world faster than Superman, before you can ask “What exactly did I do last weekend?”.

Often you may wonder why downloading information from your local ISP is so fast (often reaching the ISP’s advertised speed…it is possible!) whilst downloads of half the size from an overseas FTP site might sluggishly drag along for hours? This is because the physical connection to your local server is shorter – just like the way it is with your phone landline!

If your small and static website is hosted overseas, the effect of latency is minimal, though still noticeable, as the volume of information relayed between you and the server is quite small.

However, imagine hosting a large-scale CRM solution, or perhaps an elaborate Java application, which uses high quantities of bandwidth to run. The amount of data sent to and from the server increases, creating a time lag/delay which may often be problematic enough to cause packet loss or timeouts for users accessing it.

In a mission critical scenario, this is something which no business can afford to experience.

2. SEO

Your address is in Australia, your phone number is in Australia. You advertise in Australia to Australian customers. You’ve launched your shiny new site and put on your cork hat…but wait! Google knows your site is in America and naively assumes that yankees are going to want to purchase your novelty BBQ aprons with the boxing kangaroo.

Having your site hosted overseas rather than in Australia is going to be detrimental to your carefully planned and fine-tuned SEO.

3. Support

We all know that calling technical support is everybody’s least favourite thing to do during the day!

Should anything go wrong, you would want to get help from somebody who does business when you do business and speaks the way in which you do. No more staying up until 4am to get a remote reboot, or password reset. Voila.

Timezones and proximity to the data center are crucial when things go pearshaped and the last thing one needs is extended periods of downtime because the datacenter is remote to the callcenter. Or yet worse, when the datacenter staff are in another timezone and sound asleep as you are ringing tech support to report peak-hour downtime in Australia!

Ausweb offers support backed by 24/7, 365-days-a-year monitoring of servers located in a Sydney city Datacenter, managed and supported from a Sydney city office, entirely by Sydney city staff.

4. Economy

Encouragement of healthy competition is crucial in our home soil and for competition to thrive, Australian web hosts must thrive too. We support you as an Australian business – we are one ourselves!

That and we eat our own brand of “dogfood”. The speed at which you have been able to access this very page is a testimony to the speed our clients appreciate daily as after all, this is just another website powered by Ausweb’s server cluster.
