No Fooling – How to Secure WordPress

I know it’s April Fool’s Day, but this is a straight up serious post.  If you own, operate, host, support, or develop WordPress sites, this article is for you.

We have written a few articles covering the subject of WordPress security.  I recently received an email from John Stevens over at, inviting me to review their excellent tutorial, 28 Ways to Secure WordPress Website, written by Karol K. (@carlosinho). Find him at  This is a longer article, and if you are planning to work through all 28 of the steps, you may need to allocate a day or two to get them all completed.

Karol divided the tasks into three groups, Beginner, Advanced, and Pro.  You should drop what you are doing and take care of the beginner level today.

In a related post from WordFence, they published the results of a survey that investigated how WordPress sites were hacked.  The top two methods were through unpatched vulnerabilities in plug-ins (56%) and brute force password exploits (16%).  Just completing the first seven steps in Karol’s Beginner Tier would eliminate over 70% of your risk.

WordPress sites have become a favorite way for cyber-criminals to deliver exploit code to their victims.  Last year there were hundreds of thousands of WordPress sites hacked by cyber-criminals using commercial grade exploit kits that are easy to acquire on the Dark Web. The DIY nature of WordPress means that there are lots of sites out there built by non-technical amateurs using default user names (admin) or easy user names (like your real name) and passwords that are easy to guess or easy to break using automated brute force techniques.  You do not want to be one of them, and this article will help you overcome the weaknesses you may have inadvertently allowed in your website.
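Brute force attempts against a WordPress login are easy to spot in the web server's own access log, because every guess is a POST to `/wp-login.php` (or `/xmlrpc.php`). The script below is an added example, not code from this post or from Karol's tutorial: it parses access log lines in the common Apache/Nginx "combined" format (the sample lines are constructed for this example), counts login POSTs per source IP inside a sliding time window, and reports any IP that exceeds a threshold. The threshold and window values are hypothetical and should be tuned to your site's normal traffic.

```python
"""Flag likely brute-force login attempts against a WordPress site.

Added example; not code from the original post or from the 28-step
tutorial it recommends. Reads access log lines in Apache/Nginx
'combined' format and reports source IPs that POST to a WordPress
login endpoint more than THRESHOLD times within any WINDOW seconds.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical thresholds chosen for this example; tune them per site.
THRESHOLD = 10          # login POSTs per source IP ...
WINDOW = 60             # ... inside this many seconds
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak_count} for IPs whose login POSTs exceed threshold
    within any window-second span. The HTTP status is deliberately ignored:
    a failed wp-login.php attempt normally re-renders the form with 200,
    so volume of POSTs, not status code, is the useful signal."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        events[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        left = 0
        peak = 0
        # Sliding window over sorted timestamps: widest run within `window` seconds.
        for right in range(len(stamps)):
            while (stamps[right] - stamps[left]).total_seconds() > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, second, method, path, status):
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [01/Apr/2019:10:15:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one noisy source (12 login POSTs in 33 seconds),
# one quiet source (3 POSTs), ordinary GET traffic and one unparseable line.
SAMPLE_LOG = (
    [_line("203.0.113.5", s, "POST", "/wp-login.php", 200) for s in range(0, 36, 3)]
    + [_line("198.51.100.7", s, "POST", "/wp-login.php", 200) for s in (5, 20, 40)]
    + [_line("198.51.100.7", 41, "GET", "/wp-admin/", 302),
       _line("192.0.2.9", 50, "GET", "/?p=1", 200),
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within {WINDOW}s (threshold {THRESHOLD})")
```

Run it against a real log with `find_bruteforce(open("/var/log/apache2/access.log"))`; the flagged IPs are candidates for rate limiting or a firewall rule, and a sustained stream of such POSTs against a site that still has an `admin` user is exactly the scenario the survey above describes.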

28 Ways to Secure WordPress Website

WordFence – How Attackers Gain Access

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
