No Fooling – How to Secure WordPress

I know it’s April Fool’s Day, but this is a straight-up serious post.  If you own, operate, host, support, or develop WordPress sites, this article is for you.

We have written a few articles covering the subject of WordPress security.  I recently received an email from John Stevens over at, inviting me to review their excellent tutorial, 28 Ways to Secure WordPress Website, written by Karol K. (@carlosinho). Find him at  This is a longer article, and if you are planning to work through all 28 of the steps, you may need to allocate a day or two to get them all completed.

Karol divided the tasks into three groups: Beginner, Advanced, and Pro.  You should drop what you are doing and take care of the Beginner level today.

In a related post, WordFence published the results of a survey that investigated how WordPress sites were hacked.  The top two methods were unpatched vulnerabilities in plug-ins (56%) and brute-force password attacks (16%).  Those two methods alone account for over 70% of the compromises in the survey, so just completing the first seven steps in Karol’s Beginner Tier would eliminate the bulk of your risk.

WordPress sites have become a favorite way for cyber-criminals to deliver exploit code to their victims.  Last year hundreds of thousands of WordPress sites were hacked using commercial-grade exploit kits that are easy to acquire on the Dark Web.  The DIY nature of WordPress means that there are lots of sites out there built by non-technical amateurs using the default user name (admin) or an easy one (like your real name), with passwords that are easy to guess or easy to break using automated brute-force tools.  You do not want to be one of them, and this article will help you overcome the weaknesses you may have inadvertently allowed into your website.
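A brute-force run of the kind described above leaves an obvious trail in the web server’s access log: a burst of POST requests to wp-login.php (or xmlrpc.php, which also accepts credentials) from one address.  The script below is an added example, not code from the original post, from Karol’s tutorial, or from WordFence.  It assumes Apache/nginx “combined” log format and relies on WordPress’s usual behavior of answering a failed login with a 200 (the form re-rendered with an error) and a successful one with a 302 redirect into wp-admin.  The log lines, IP addresses, and timestamps are constructed for the example.

```python
"""Spot WordPress login brute-force runs in web-server access logs.

Added example, not code from the original post or from WordFence. The
log lines are constructed to look like a password-guessing run against
wp-login.php; IPs, timestamps and byte counts are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
#   ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Both endpoints accept credentials; xmlrpc.php is the one people forget to watch.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every IP that POSTed
    to a login endpoint at least `threshold` times inside any `window`.

    Assumed WordPress behavior: a failed wp-login.php POST gets a 200, a
    successful one gets a 302 redirect, so a flagged IP that also received a
    302 has very likely guessed a working password.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append((rec["time"], rec["status"]))

    flagged = {}
    for ip, events in posts.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits in `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(events),
                    "succeeded": any(status == 302 for _, status in events),
                }
                break
    return flagged


def constructed_log():
    """Made-up access log: one attacker hammering wp-login.php, one normal visitor."""
    base = datetime(2017, 4, 1, 9, 0, 0, tzinfo=timezone(timedelta(hours=-5)))

    def entry(ip, offset, method, path, status):
        t = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        return f'{ip} - - [{t}] "{method} {path} HTTP/1.1" {status} 2048 "-" "Mozilla/5.0"'

    lines = [entry("203.0.113.7", 3 * i, "POST", "/wp-login.php", 200) for i in range(12)]
    lines.append(entry("203.0.113.7", 40, "POST", "/wp-login.php", 302))  # the guess that worked
    lines += [
        entry("198.51.100.5", 10, "GET", "/", 200),
        entry("198.51.100.5", 60, "POST", "/wp-login.php", 200),  # one typo, then success
        entry("198.51.100.5", 75, "POST", "/wp-login.php", 302),
        "this line is not in combined format and is skipped",
    ]
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforce(constructed_log()).items():
        verdict = "PASSWORD GUESSED" if info["succeeded"] else "no success yet"
        print(f"{ip}: {info['attempts']} login POSTs, {verdict}")
```

On a real host you would pass the open log file instead of the constructed list (`find_bruteforce(open("/var/log/apache2/access.log"))`).  One caveat a practitioner should keep in mind: a per-IP threshold only catches a single source hammering the login page.  Attackers who spread a password-guessing run across many addresses stay under this kind of threshold, which is why the tutorial’s advice to drop the admin user name and use strong passwords matters more than any log-watching.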

28 Ways to Secure WordPress Website

WordFence – How Attackers Gain Access

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
