WordPress is very popular and completely open source. For security that is a good thing: a large community reads the code and finds bugs and security weaknesses faster than the vendor of a closed, in-house CMS can. (One of the most effective ways to find a weakness is to try to exploit it, and with a large user base a weakness is far more likely to be discovered and reported.)

The downside is that attackers know exactly how your website is built; they already have a "blueprint" of it. If there is a weakness in the core, the theme, or a plugin you use, they know about it without ever visiting the back end of your site.

So in this article I will show you how to fix six security weaknesses that are present in any completely default WordPress installation. (If you have already taken some precautions you may find that one or two of them are fixed, but it is worth going through all six to minimise the risk of being hacked.)

Your website reveals that you are using WordPress, and which version

WordPress version

A default installation prints a few lines that announce the site is built with WordPress, including the exact version, to anyone who knows where to look: the <meta name="generator" content="WordPress X.Y.Z"> tag in the page head, the same generator element in the RSS feeds, the ?ver=X.Y.Z query string appended to core scripts and styles, and the readme.html file shipped in the web root. Depending on the theme it may also be shown visibly on every page, typically as a "Proudly powered by WordPress" link in the footer.

This is a risk because attackers often target a site simply because it is WordPress, not because of anything specific to that site. When a security hole is found in the core, a theme, or a plugin, bots scan for sites running the affected version and try it on every one they find. If you hide the WordPress markers, scanners that fingerprint sites by those markers will pass over yours as not a viable target. Bear in mind that this is only obscurity: the hole is still there, so keeping core, themes and plugins updated remains the real fix, and a determined attacker can still recognise WordPress from the wp-content and wp-includes paths in your page source.

How to fix:
One way to do this is the Hide My WP plugin, which rewrites the tell-tale markers and paths. Besides removing a reason for attackers to single you out, it cuts down the junk traffic from scanners probing WordPress-specific URLs.
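If you would rather not add a plugin for this, the version markers can be removed with a few core hooks. The following must-use plugin is an added example, not code from this article or from Hide My WP; the file name and the example_ function name are my own choices. It does not touch readme.html, which you should delete or block at the web server, and it does not rename the wp-content and wp-includes paths, so it hides the version rather than the fact that the site is WordPress.

```php
<?php
/**
 * Plugin Name: Strip WordPress version markers (added example, mu-plugin)
 *
 * Save as wp-content/mu-plugins/strip-version.php. Removes the three places a
 * default install advertises its version: the <meta name="generator"> tag in
 * the page head, the generator element in RSS/Atom feeds, and the ?ver=X.Y.Z
 * query string that core appends to its own scripts and styles.
 */

// 1. <meta name="generator" content="WordPress X.Y.Z" /> printed by wp_head().
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in feeds (and anything else using get_the_generator()).
add_filter( 'the_generator', '__return_empty_string' );

// 3. ?ver=X.Y.Z on enqueued assets. Only the core version is stripped: plugin
//    and theme assets carry their own version, which is useful for cache busting.
function example_strip_core_version_query( $src ) {
	if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
		$query = wp_parse_url( $src, PHP_URL_QUERY );
		parse_str( (string) $query, $args );
		if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
			$src = remove_query_arg( 'ver', $src );
		}
	}
	return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version_query', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version_query', 9999 );
```

Must-use plugins in wp-content/mu-plugins/ load before normal plugins and cannot be deactivated from the dashboard, which is why they are a good home for hardening hooks. After installing it, view the page source and the feed once to confirm the generator lines and the ver= strings on wp-includes assets are gone.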

Everyone knows where your login page/admin area is located

Log in

If your site still shows that it is WordPress (that is, you have not hidden it with a plugin such as Hide My WP), an attacker already knows exactly where to aim a brute-force attack: /wp-login.php and /wp-admin/.

How to fix:

To deal with this threat, greatly reduce the chance of being hacked, and take the brute-force load off the server, we need to keep attackers and bots away from the login page altogether.

There are two main ways to do this. You can use a plugin (or a few lines of code) to move the login page to a non-default URL, or you can restrict access to the login page and the admin area by IP address. Either can be done with a plugin dedicated to that one job or with a general security plugin such as Sucuri, Wordfence, iThemes Security Pro, or All In One WP Security & Firewall. Note that moving wp-login.php does nothing for xmlrpc.php, which also accepts usernames and passwords; restrict or disable it as well.
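Here is the IP-restriction variant written as a must-use plugin, so you can see what the plugins are doing for you. It is an added example, not code from this article or from any of the plugins named above; the example_ names, the file name, and the two addresses in the allowlist are my own placeholders.

```php
<?php
/**
 * Plugin Name: IP allowlist for wp-login.php and wp-admin (added example, mu-plugin)
 *
 * Save as wp-content/mu-plugins/login-allowlist.php. Requests to the login
 * page or the admin area from any address outside the list get a 403.
 */

// Assumed addresses; replace with your own. IPv4 hosts or CIDR ranges.
const EXAMPLE_LOGIN_ALLOWLIST = array( '203.0.113.10', '198.51.100.0/24' );

function example_client_ip() {
	// REMOTE_ADDR is set by the web server from the TCP connection and cannot
	// be forged by the client. X-Forwarded-For is client-supplied; trust it only
	// when a reverse proxy you control overwrites it, which is not assumed here.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

function example_ip_in_cidr( $ip, $cidr ) {
	if ( false === strpos( $cidr, '/' ) ) {
		return $ip === $cidr; // single address: literal comparison, works for IPv6 too
	}
	list( $subnet, $bits ) = explode( '/', $cidr, 2 );
	$bits        = (int) $bits;
	$ip_long     = ip2long( $ip );
	$subnet_long = ip2long( $subnet );
	if ( false === $ip_long || false === $subnet_long || $bits < 0 || $bits > 32 ) {
		return false; // not IPv4 or malformed; extend with inet_pton() for IPv6 ranges
	}
	$mask = ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF;
	return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function example_ip_allowed( $ip ) {
	foreach ( EXAMPLE_LOGIN_ALLOWLIST as $entry ) {
		if ( example_ip_in_cidr( $ip, $entry ) ) {
			return true;
		}
	}
	return false;
}

function example_enforce_allowlist() {
	// admin-ajax.php and admin-post.php also run admin_init but serve anonymous
	// front-end requests (forms, AJAX), so they are deliberately left open.
	if ( wp_doing_ajax() ) {
		return;
	}
	global $pagenow;
	if ( 'admin-post.php' === $pagenow ) {
		return;
	}
	if ( ! example_ip_allowed( example_client_ip() ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
}
add_action( 'login_init', 'example_enforce_allowlist' );
add_action( 'admin_init', 'example_enforce_allowlist' );
```

Two things to check before relying on it: wp-login.php also serves logout and password resets, so users outside the list lose those too; and if the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, so either everyone is blocked or, if you list the proxy, everyone is allowed. In that setup the proxy must be configured to pass a trusted client-address header and the check adjusted to read it.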

WordPress has a default table prefix that everyone uses

WordPress table prefix

The table prefix is the string placed in front of every table name in the database; with the standard WordPress prefix, the users table is wp_users. If you keep the default prefix, an attacker who finds a SQL injection weakness already knows the table and column names and can craft the payload without any reconnaissance. (Keep in mind that with a full-featured injection they can still read the real names from information_schema, so a custom prefix mainly defeats automated payloads that hard-code wp_; it does not fix the injection itself.)

One of my own websites was actually hacked through SQL injection, so this is a very real threat and you need to take countermeasures against it.

How to fix:

Fortunately, this is easy to eliminate. If you installed WordPress with the default wp_ prefix, you can change it with a plugin such as Sucuri. Back up your database before doing so: the chance of problems is small, but the change renames every table and rewrites the prefixed keys in the options and usermeta tables, and it cannot be rolled back. (The plugin can take the backup for you with one click.) Then choose a new prefix, or simply let Sucuri generate a random one for you.

Note: if you are installing WordPress for the first time, you can set the prefix in the installation screen instead.
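To see what the prefix change actually involves, here is an added example of a stand-alone PHP script that performs it. It is not from this article, from WordPress, or from any plugin; the connection details are placeholders you must replace with the values from wp-config.php. It renames every table that starts with the old prefix and then rewrites the prefixed rows in the options and usermeta tables, which is the step people forget when renaming by hand and which leaves every account with no role.

```php
<?php
/**
 * Rename the WordPress table prefix (added example; stand-alone CLI script,
 * not part of WordPress or of any plugin).
 *
 * Usage: php rename-prefix.php OLD_PREFIX NEW_PREFIX [--apply]
 * Without --apply it only prints the statements it would run.
 * Take a database backup first: RENAME TABLE is DDL, which MySQL commits
 * immediately, so there is no transaction to roll back.
 */

// Connection details are assumptions; replace with the values from wp-config.php.
$dsn  = 'mysql:host=127.0.0.1;dbname=wordpress;charset=utf8mb4';
$user = 'wp';
$pass = 'secret';

$apply = in_array('--apply', $argv, true);
$args  = array_values(array_filter(array_slice($argv, 1), fn($a) => $a !== '--apply'));
[$old, $new] = array_pad($args, 2, '');

// Prefixes become part of SQL identifiers and cannot be bound as parameters,
// so restrict them to [A-Za-z0-9_] before they are interpolated anywhere.
foreach ([$old, $new] as $p) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $p)) {
        fwrite(STDERR, "usage: php rename-prefix.php OLD_PREFIX NEW_PREFIX [--apply]\n");
        exit(1);
    }
}

$pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$q   = fn($id) => '`' . str_replace('`', '``', $id) . '`'; // quote an identifier

// '_' is a single-character wildcard in LIKE; escape it so 'wp_' does not
// also match a table called 'wpfoo'.
$like   = addcslashes($old, '\\_%') . '%';
$tables = $pdo->query('SHOW TABLES LIKE ' . $pdo->quote($like))->fetchAll(PDO::FETCH_COLUMN);
if (!$tables) {
    fwrite(STDERR, "no tables with prefix '$old' found\n");
    exit(1);
}

$statements = [];
foreach ($tables as $table) {
    $renamed      = $new . substr($table, strlen($old));
    $statements[] = [sprintf('RENAME TABLE %s TO %s', $q($table), $q($renamed)), []];
}

// The prefix is also stored as data: role definitions live in options as
// "{prefix}user_roles", and each user's role and level live in usermeta as
// "{prefix}capabilities" and "{prefix}user_level". These rewrites match every
// key that starts with the old prefix, which is what the plugins do as well.
$from = strlen($old) + 1; // SUBSTRING() is 1-based: keep everything after the old prefix
$statements[] = [
    sprintf('UPDATE %s SET option_name = CONCAT(?, SUBSTRING(option_name, %d)) WHERE option_name LIKE ?',
        $q($new . 'options'), $from),
    [$new, $like],
];
$statements[] = [
    sprintf('UPDATE %s SET meta_key = CONCAT(?, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE ?',
        $q($new . 'usermeta'), $from),
    [$new, $like],
];

foreach ($statements as [$sql, $params]) {
    echo $sql, $params ? '   -- params: ' . json_encode($params) : '', "\n";
    if ($apply) {
        $pdo->prepare($sql)->execute($params);
    }
}
echo $apply
    ? "Done. Now set \$table_prefix = '$new'; in wp-config.php and flush any object cache.\n"
    : "Dry run only; re-run with --apply to execute.\n";
```

Run it once without --apply, read the printed statements, and only then run it with --apply and update $table_prefix in wp-config.php. Until wp-config.php is updated the site will report a database error, which is expected.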

WordPress theme and plugin files can be edited via the dashboard

WordPress plugin editor

The problem is that the built-in theme and plugin editors let anyone with an administrator account write arbitrary PHP to the server from the browser. An attacker who gets that far can do a lot of damage: plant malware on your pages (which can get the site blacklisted by Google and dropped from its index), deface the site, or drop a back door that survives a password reset.

How to fix:
You can add this line of code to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

Or let a security plugin do it for you (most of them simply set that same constant). The catch is that some plugins let an administrator switch the setting on and off from the dashboard, so a determined attacker with admin access could install such a plugin, turn the editor back on, and edit code without ever needing FTP. A constant defined in wp-config.php cannot be switched off from the dashboard.

If you want to be very thorough, you can also disable installing and updating plugins and themes from the dashboard by adding this line to wp-config.php (it implies DISALLOW_FILE_EDIT as well):

define( 'DISALLOW_FILE_MODS', true );

Obviously this means you must set it back to false every time you want to update or install a plugin or theme, and it also switches off core updates from the dashboard. We do not really recommend this option, because keeping themes and plugins up to date is one of the best ways to make sure your site is not vulnerable.

WordPress has very open firewall settings, and can even allow known malicious bots to try to attack

WordPress firewall settings

WordPress itself does no request filtering at all: by default every request reaches it, and with a stock web server configuration, unwelcome bots and other unwanted visitors are let through along with everyone else.

How to fix:
You can install the basic 5G blacklist firewall rules by copying them manually into your .htaccess file (you can find them here), install a plugin that does it for you, or use a security plugin to manage a better-tuned set of rules in .htaccess. (These rules are for Apache; on nginx the equivalent rules go in the server configuration.)

Unlimited WordPress login attempts

The default is indeed unlimited login attempts, although you may have chosen to limit them when you set up your site. If you have not, this is a very simple fix.

How to fix:

Just install a limit-login-attempts plugin. Or, if you host with WPEngine, this is built in for you, no plugin required. If you have already restricted the login area to your own IP address, you do not need this. If you have only moved the login page, it is a good second layer against brute-force attacks. Note that a per-IP limit does not stop an attacker who spreads attempts across many addresses, so unique usernames and strong passwords still matter.
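For reference, this is what such a plugin does under the hood, written as a must-use plugin. It is an added example, not code from this article or from any login-limiting plugin; the example_ names, the file name, and the three threshold values are my own choices. It hooks the authenticate filter rather than the login form, so it also applies to xmlrpc.php and application-password logins.

```php
<?php
/**
 * Plugin Name: Limit failed login attempts per client IP (added example, mu-plugin)
 *
 * Save as wp-content/mu-plugins/limit-logins.php. After EXAMPLE_MAX_ATTEMPTS
 * failures from one address inside EXAMPLE_WINDOW seconds, that address is
 * refused for EXAMPLE_LOCKOUT seconds. State is kept in transients, so it is
 * shared by all PHP workers and expires on its own.
 */

define( 'EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LOCKOUT', 30 * MINUTE_IN_SECONDS );

function example_fail_key() {
	// Keyed on REMOTE_ADDR only: X-Forwarded-For is client-controlled and would
	// let an attacker pick a fresh counter for every request.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'example_login_fail_' . md5( $ip );
}

function example_lock_state() {
	$state = get_transient( example_fail_key() );
	return is_array( $state ) ? $state : array( 'count' => 0, 'locked_until' => 0 );
}

// Runs after core has checked the credentials (priority 20). Returning a
// WP_Error here overrides a successful check, which is what makes the lockout
// bind for every login path, not only the form.
function example_reject_if_locked( $user, $username, $password ) {
	$state = example_lock_state();
	if ( $state['locked_until'] > time() ) {
		$minutes = (int) ceil( ( $state['locked_until'] - time() ) / MINUTE_IN_SECONDS );
		return new WP_Error(
			'example_locked',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', $minutes )
		);
	}
	return $user;
}
add_filter( 'authenticate', 'example_reject_if_locked', 30, 3 );

function example_record_failure( $username, $error = null ) {
	if ( $error instanceof WP_Error && 'example_locked' === $error->get_error_code() ) {
		return; // refused by the lockout itself; do not count it as another attempt
	}
	$key   = example_fail_key();
	$state = example_lock_state();
	$state['count']++;
	if ( $state['count'] >= EXAMPLE_MAX_ATTEMPTS ) {
		$state = array( 'count' => 0, 'locked_until' => time() + EXAMPLE_LOCKOUT );
		set_transient( $key, $state, EXAMPLE_LOCKOUT );
	} else {
		set_transient( $key, $state, EXAMPLE_WINDOW );
	}
}
add_action( 'wp_login_failed', 'example_record_failure', 10, 2 );

function example_clear_on_success( $user_login, $user ) {
	delete_transient( example_fail_key() );
}
add_action( 'wp_login', 'example_clear_on_success', 10, 2 );
```

The same proxy caveat as for IP allowlisting applies: behind a CDN or reverse proxy every visitor shares the proxy's REMOTE_ADDR, so one attacker would lock out everyone. Per-address counters also do nothing against an attacker rotating through many addresses, and they can lock out colleagues behind one office NAT, so treat this as a brake on noisy brute forcing rather than a substitute for strong, unique passwords.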

Conclusion

Cybercrime is growing fast, and criminals are increasingly at home on the Internet rather than in the "real world"; in some countries this has already happened. Most of it is still credit card and bank fraud, but there are more and more hackers out there as well. As website owners we must do what we can to protect ourselves and our sites.

Although a default WordPress installation has its weaknesses, the beauty of WordPress is that almost all of them, including the threats covered in this article, are easy to fix. On top of a unique username and a strong password, installing a security plugin, changing a few settings, and inserting a line or two of code already reduces the risk of your site being hacked or infected with malware considerably.

Have you taken any measures to improve the security of your WordPress site? What kind? We would love to hear some of your tips and tricks! Please let us know in the comments.