WordPress Security Checkup

For at least half a decade I made a living designing and developing WordPress sites exclusively.  I consulted for Yahoo about WordPress back in the day, made dozens and dozens of WordPress themes, and learned WordPress itself inside and out.

While I still develop WordPress sites from time to time, I do WordPress consulting more often these days.  With my Information Security training plus my WordPress knowledge and experience, it’s no surprise that WordPress security is a popular service.

Why a WordPress Security Checkup?

In a way WordPress has become a victim of its own success. It has become such a popular platform for publishing web sites that hackers target WordPress specifically. While the WordPress platform is fairly secure right out of the box, each update addresses some security issue developers found, generally before hackers can use the vulnerability to attack. These attacks are much more sophisticated than the early SQL injection attacks.

While SQL injection still works on the most insecure WordPress installations, Cross Site Request Forgery, Authentication Bypass, PHP Object Injection, Remote Code Execution, and other hacker techniques have all been used to bring down WordPress sites. That list doesn’t even cover Brute Force and Malware attacks…

What is WordPress Security Consulting?

What I do is take an inventory of what makes up a client’s WordPress installation and come up with a plan to help secure it. I then present that plan to my client. We discuss the plan and I implement the security practices we agree are needed. Most of the time this is all of the fixes I suggest, but I am flexible, and if the client is hesitant about any one idea we move it to the back burner.

Each client and job is unique and I treat them as such. A large part of any WordPress site’s security depends on where it is hosted, what plugins the site is using, not to mention what theme the site uses. The biggest mistake I still see, all these years later, is that people still don’t properly back up their sites. There is nothing that feels better than being able to patch a security vulnerability and replace a compromised site with an up-to-date backup.

Here are some free tips that you should implement right now and you’ll be instantly more secure:

  • Change the default login username and use a STRONG password… I cannot stress this enough. I have seen WordPress sites with generic passwords compromised again and again. Your login username should NOT be admin…
  • Set up two-factor authentication (sometimes called two-step). Two Factor Authentication can keep hackers out of your site EVEN IF they get your password somehow.
  • Keep WordPress, your plugins, and your themes updated. This seems like a no-brainer, but you would be surprised by the number of times I have seen a website owner let one of these three lapse, leading to their site being compromised.
  • Limit login attempts. Brute force attacks try to log in over and over (and over…). Limiting login attempts over a specific time period helps ensure these types of attacks don’t crack your password.
  • Make sure permissions on your WordPress files are set correctly on the server. You may need help with this one, but any reputable hosting service should at least discuss this with you if you ask nicely 🙂
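The file-permission tip is the one most site owners can’t check by eye, so here is a small audit script. It is an added example, not code from this post or from WordPress itself: it walks an install and prints every path whose mode deviates from a commonly recommended baseline (directories 755, regular files 644, wp-config.php 600). That baseline is an assumption, since hosts differ (a host that runs PHP as the file owner may want wp-config.php at 400 or 440), and the sample tree built by `--demo` is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress itself:
# audit a WordPress tree for file modes that deviate from a commonly
# recommended baseline and print each deviation as "TYPE MODE PATH".
# Assumed baseline: directories 755, regular files 644, wp-config.php 600.
# Adjust these if your host runs PHP as a different user than the file owner.

# Print one line "TYPE MODE PATH" for a path that misses the baseline.
report() {
    printf '%s %s %s\n' "$1" "$(ls -ld "$2" | cut -c1-10)" "$2"
}

# Walk the tree under $1 and print every deviation; prints nothing if clean.
wp_perm_audit() {
    root="$1"
    # wp-config.php holds database credentials and the auth salts, so it
    # gets the strictest mode and is checked separately.
    find "$root" -type f -name wp-config.php ! -perm 600 \
        | while IFS= read -r p; do report config "$p"; done
    find "$root" -type d ! -perm 755 \
        | while IFS= read -r p; do report dir "$p"; done
    find "$root" -type f ! -name wp-config.php ! -perm 644 \
        | while IFS= read -r p; do report file "$p"; done
}

# Number of deviations under $1 (0 means the tree matches the baseline).
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Build a small constructed WordPress-like tree with a few deliberately
# wrong modes, the kind a careless "chmod -R" or an installer can leave behind.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/wp-content/uploads" "$base/wp-content/plugins/hello"
    : > "$base/wp-config.php"
    : > "$base/index.php"
    : > "$base/wp-content/plugins/hello/hello.php"
    : > "$base/wp-content/uploads/avatar.png"
    chmod 755 "$base" "$base/wp-content" "$base/wp-content/plugins" \
              "$base/wp-content/plugins/hello"
    chmod 644 "$base/index.php" "$base/wp-content/plugins/hello/hello.php"
    chmod 777 "$base/wp-content/uploads"      # world-writable upload directory
    chmod 666 "$base/wp-config.php"           # credentials readable by everyone
    chmod 666 "$base/wp-content/uploads/avatar.png"
}

case "${1:-}" in
    --demo) tmp=$(mktemp -d); make_sample_tree "$tmp"; wp_perm_audit "$tmp"; rm -rf "$tmp" ;;
    "")     echo "usage: $0 /path/to/wordpress | --demo" ;;
    *)      wp_perm_audit "$1" ;;
esac
```

Run it as `sh wp-perm-audit.sh /var/www/html` on the host (or `--demo` to see it flag the constructed tree); an empty result means the tree matches the assumed baseline. Anything it prints under `wp-content/uploads` deserves a second look, because a world-writable upload directory is exactly the spot a compromised plugin or stolen credential is used to drop files.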

If you need some help with your WordPress powered site, whether that help be in the security realm, integration, compliance, on-site SEO, or something else entirely, contact me. I will be more than happy to discuss your site free of charge.


  1. I had a WordPress site that got hacked and I lost everything. I wish I had you give it a checkup before that.

