WordPress Security

Apr 19, 2013
Wayne Freeman


In March, Chris gave a presentation on WordPress Security to the #WPLDN monthly meetup at Google Campus.

How do hackers gain access?
WordPress is secure, isn’t it? The simple answer is yes. However, in recent times WordPress has seen massive growth, and with this it has become an obvious target. WordPress now powers a whopping 54% of all CMS websites. If you were a hacker, would you spend hours trying to find a security flaw in a CMS used by 0.2% of the web, or in one used by 54% of the web?

Thankfully, WordPress has a very active development community that responds quickly whenever a zero-day vulnerability is discovered. It is, however, up to website owners to update their sites with the latest security patches. WordPress makes this simple (just one click to update), but website owners can be too busy (or just plain lazy), and this is what hackers depend on.

In addition to zero-day vulnerabilities, there are also a number of other points of entry for hackers:

  • Installation of compromised themes and plugins containing malicious code
  • Brute force login attempts
  • Locally installed malware


What do hackers do with a compromised website?
Defacement is one of the most common and obvious signs that a website has been hacked: a page selling Viagra, for example, suddenly appears in place of the home page. However, sometimes defacements are not so obvious. A clever defacement will only display to certain IP addresses, to specific web browsers, or during specific times, so it can potentially go undetected for weeks, if not months.

In addition to defacements, hackers may also use a compromised website to do any of the following:

  • Host a phishing site posing as an online bank, collecting login details. The phishing site may be buried deep within your WordPress installation in order to avoid detection.
  • Host a botnet agent. This is a piece of code that can be remotely controlled to send spam or launch further attacks such as a DDoS.

How do I ensure my Website is secure?

  • Make sure that WordPress, its themes and plugins are all kept up-to-date
  • Only install WordPress extensions downloaded from reliable sources
  • Rename the admin account and use strong passwords
  • Use security scanning software/plugins:
    • to protect against brute force login attempts
    • to run daily scans for malicious content
  • Set up email notifications in Google Webmaster Tools. This will ensure you are notified if Google detects malicious code on your website.
  • Ensure good backups are maintained. If the site is ever hacked, often a restore is the only safe fix.
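The "daily scan for malicious content" above, and the earlier point about phishing pages buried deep inside the installation, come down to one check: compare the files on disk against a baseline taken from a known-good install, and flag executable code where WordPress never puts it (the uploads tree). The following is an added example written for this post, not code from the original article or from Didgeroo; it runs against a constructed stand-in directory rather than a real WordPress install, and the file names and contents in it are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# WordPress never puts executable code under uploads/; a PHP file there is a classic hiding place.
UPLOADS_PREFIX = "wp-content/uploads/"
EXEC_SUFFIXES = (".php", ".phtml", ".php5", ".phar")

def snapshot(root):
    """Map 'relative/path' -> sha256 for every file under the WordPress root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return added, removed, modified

def suspicious_paths(paths):
    """Executable files under uploads/, flagged even if the baseline already contained them."""
    return sorted(p for p in paths
                  if p.startswith(UPLOADS_PREFIX) and p.lower().endswith(EXEC_SUFFIXES))

def build_demo_site(root):
    """Constructed stand-in for a clean install (not real WordPress files)."""
    for rel, body in {"wp-includes/version.php": "<?php $wp_version = '3.5.1';\n",
                      "wp-content/uploads/2013/04/logo.png": "png-placeholder\n"}.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)

def tamper_demo_site(root):
    """Constructed compromise: a PHP page buried under uploads/ plus an edited core file."""
    hidden = Path(root, "wp-content/uploads/2013/04/.cache/index.php")
    hidden.parent.mkdir(parents=True, exist_ok=True)
    hidden.write_text("<?php /* phishing page placeholder */\n")
    Path(root, "wp-includes/version.php").write_text("<?php /* altered */\n")

def run_demo():
    with tempfile.TemporaryDirectory() as site:
        build_demo_site(site)
        baseline = snapshot(site)   # on a real site, record this from a known-good install
        tamper_demo_site(site)
        added, removed, modified = diff_snapshots(baseline, snapshot(site))
        return added, removed, modified, suspicious_paths(added)

if __name__ == "__main__":
    print(run_demo())
```

On a live site the baseline should be stored off the web server (a restore of the same backup the post recommends works well), otherwise an intruder who can plant files can also rewrite the baseline.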

I cannot stress enough how important it is to follow these recommendations. If you are an online business, then sales will likely cease if your website is hacked. Even if your website is not your core business, potential clients will likely look elsewhere if they see your website has been defaced.


Didgeroo Managed WordPress Hosting
To save you time, and for added peace of mind, Didgeroo has recently launched a new Managed Secure Web Hosting service. This service scans, updates and backs up your website, so you can be reassured about its security and get on with your core business.