WordPress Security

WordPress Security: Why You’re At Risk and What You Can Do About It

Why me?

That’s the question most WordPress webmasters ask themselves when their sites are hacked. Contrary to what you might think, most hackers aren’t after your blog itself; they’re just using your blog to get to what they really want: your users. Hackers want to compromise your blog so they can use it to infect your users with trojans, bots and other malware. Those infected users make money for the hacker, so the more users the hacker can infect, the better for him!

In an attempt to exploit as many sites as possible, hackers constantly monitor the Internet for new security vulnerabilities. As soon as these are published, they scan sites like yours trying to use those vulnerabilities to gain access. If successful, they add exploit code to your homepage that will then infect your users, install malware on their computers, steal their passwords and personal data, and even infect other sites they own.

Steps you should take to protect yourself

  • Keep your password complex enough so hackers can’t guess or brute-force it. Never use common passwords like “password,” “wordpress,” the name of a family member, etc.
  • Keep your software up to date. Always update to the latest version of WordPress and any plugins you have installed.
  • Don’t install plugins from disreputable or unknown sources! Most plugins are not reviewed for security before being published, and many of them contain bugs which could allow a hacker easy access to your entire site.
  • Install a security plugin that protects against new security vulnerabilities immediately as they are discovered.

WordPress security plugins

Most WordPress security plugins fall into one of these two categories:

  1. Basic plugins that deal with site configuration, like password complexity, administrator directory location, file permissions, etc.
  2. More effective plugins that also include rules to filter out suspicious requests (such as obvious attempts at SQL injection, cross-site scripting, and so on).

A new generation of WordPress security plugins has begun with 6Scan. In addition to our enhanced rule-based filtering, 6Scan’s WordPress security plugin also includes an up-to-date database of all known vulnerabilities for WordPress and its plugins. 6Scan protects you immediately when a new vulnerability is published – before the hackers have had the chance to start scanning the Internet and compromising sites with it. Our security response team also proactively analyzes WordPress plugins, finding and disclosing vulnerabilities and exploits before hackers discover them.

You’d never leave your home with the windows open and the doors unlocked. In the same way, you should never leave your WordPress site unprotected. If you do, it’s only a question of time until a hacker notices and takes advantage of it to wreak havoc on your site. Carefully research your requirements and your options, and tighten your WordPress site’s security!