No Fooling – How to Secure WordPress

I know it’s April Fool’s Day, but this is a straight up serious post.  If you own, operate, host, support, or develop WordPress sites, this article is for you.

We have written a few articles covering the subject of WordPress security.  I recently received an email from John Stevens over at, inviting me to review their excellent tutorial, 28 Ways to Secure WordPress Website, written by Karol K. (@carlosinho). Find him at  This is a longer article, and if you are planning to work through all 28 of the steps, you may need to allocate a day or two to get them all completed.

Karol divided the tasks into three groups, Beginner, Advanced, and Pro.  You should drop what you are doing and take care of the beginner level today.

In a related post from WordFence, they published the results of a survey that investigated how WordPress sites were hacked.  The top two methods were through unpatched vulnerabilities in plug-ins (56%) and brute force password exploits (16%).  Just completing the first seven steps in Karol’s Beginner Tier would eliminate over 70% of your risk.

WordPress sites have become a favorite way for cyber-criminals to deliver exploit code to their victims.  Last year there were hundreds of thousands of WordPress sites hacked by cyber-criminals using commercial grade exploit kits that are easy to acquire on the Dark Web. The DIY nature of WordPress means that there are lots of sites out there built by non-technical amateurs using default user names (admin) or easy user names (like your real name) and passwords that are easy to guess or easy to break using automated brute force techniques.  You do not want to be one of them, and this article will help you overcome the weaknesses you may have inadvertently allowed in your website.
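As an added example (not from this post or from Karol’s tutorial), here is a small Python script that flags the brute force login pattern the WordFence survey describes: it counts failed POSTs to wp-login.php per source address over constructed sample access-log lines. The status-code heuristic (200 for a failed login, 302 redirect for a successful one) is an assumption about default WordPress behaviour, and the threshold is a hypothetical tuning value.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format log lines (not from the original post).
# Assumed heuristic: WordPress answers a failed wp-login.php POST with HTTP 200 (the
# form is re-rendered) and a successful one with a 302 redirect into wp-admin.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2016:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Apr/2016:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of one combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def login_attempts(log_text):
    """Yield (ip, status) for every POST to wp-login.php; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        yield m["ip"], int(m["status"])

def brute_force_report(log_text, threshold=5):
    """Return {ip: (failures, also_succeeded)} for IPs at or above the failure threshold.

    also_succeeded is True when the same IP also got a 302 from wp-login.php, i.e. a
    guessed password probably worked and the account should be treated as compromised.
    """
    failures, successes = Counter(), set()
    for ip, status in login_attempts(log_text):
        if status == 200:
            failures[ip] += 1
        elif status == 302:
            successes.add(ip)
    return {ip: (n, ip in successes) for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, pwned) in brute_force_report(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins{' followed by a successful login' if pwned else ''}")
```

On the sample data only 203.0.113.5 crosses the threshold, and the trailing 302 marks it as a likely successful guess rather than mere noise; a single failure from 198.51.100.7 is an ordinary typo and stays below it.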

28 Ways to Secure WordPress Website

WordFence – How Attackers Gain Access

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
