13 WordPress Security Myths | Protect Your Website From Being Hacked!

Although WordPress is home to a vast community of users from all around the globe and is the top content management platform, that number-one spot puts a target on its back and many WordPress security myths appear.

You’ll find plenty of security advice about protecting your sites as well as way to improve WooCommerce security, but this has led to many myths that don’t actually do anything beneficial for protecting your site. Some of these tips may even leave it more vulnerable to attacks.


WordPress Security Myths

Let’s examine the top 13 WordPress security myths and what you can do to protect your WordPress website properly.


1. Hide your wp-admin or wp-login pages, and nobody can find login URL

The logic behind this idea is keeping potential hackers from hacking things that they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute force attacks? While hiding your wp-admin URL can help stop some attacks, it won’t stop them all.

The reason this strategy doesn’t work is because there are other ways to log into your WordPress sites besides the normal way of using an Internet browser, such as REST API or XML-RPC. This means even if you change WordPress login URL, a plugin or theme that you use can still link to the altered URL.

While hiding backend feature is good enough to prevent most direct access attempts, those who find your custom wp-admin or wp-login URLs can still be redirected to your login pages.


hide wordpress login url


Another reason this doesn’t work is that hiding the backend completely would break your site. Everything you install assumes that wp-admin will be in the URL.

Hiding login URL can obscure, but it cannot completely change the actual link to your WordPress logins, and customizing the login URL can actually cause lots of problems, as many themes, plugins, and apps hard-code the wp-login.php into their base code.

If these plugins, themes, etc. cannot find the link, they find an error instead. A more reliable solution would be using two-factor authentication and denying compromised passwords.


2. Hide your WordPress version number and theme name for extra protection

The idea behind this tactic is that, if hackers have this information, they can use it to access your site.

Hiding your WordPress version information or theme name won’t keep you safe from security breaches as there are many bots searching for known vulnerabilities in the code running on your website.


hide wordpress plugin version number


Instead of obscuring this information, make sure your WordPress installation is always up-to-date to ensure that you have the latest security patches installed.


3. Rename your wp-content directory, and you are safe

Your plugins, themes, and media uploads folder are all contained in the wp-content directory on your site. There’s a ton of code and information there to make use, so it is, of course, prudent to protect this information.

However, changing the content directory name won’t actually add that extra layer of protection to your site. Using browser developer tools, the name of your wp-content can be found even if you change it.


rename wordpress content directory


Renaming it can even cause conflicts with plugins that have a hard-coded wp-content directory path that they need to use to work.

The only reason you should be concerned about your wp-content directory is if it contains a plugin or theme with a vulnerability that can be exploited. The best way to prevent this is by keeping your themes and plugins up-to-date to avoid security vulnerabilities.


4. Hacking only happens to large sites

Even if your WordPress site is small with low traffic, it’s vital to be proactive when it comes to securing your site.

Hacker doesn’t care how large or busy a site is. Any site that is vulnerable can become a hub for malicious sites, spam emails, or even mining bitcoin. The key is vulnerability rather than site size or traffic levels.

You can mitigate this by always keeping plugins, themes, and WordPress itself up to date, and install a trusted security plugin for WordPress. Quality hosting and two-factor authentication are also important parts of keeping attackers at bay.


5. WordPress isn’t a secure platform

You may have heard this claim before, but it simply isn’t true. WordPress, being one of the top content management systems online today, didn’t get to where it is now without solid, reliable security measures.

The biggest vulnerability comes from users and can be avoided with precautionary measures taken by site owners. The number one reason for hacks is outdated software, and most plugins will be patched regularly to fix potential vulnerabilities in their code.

Make sure always to keep your themes and plugins updated. When a site gets hacked, it’s not a WordPress flaw–it’s a lapse of a user’s vigilance that leaves them open for attack.


6. Regular updates always keep your site safe

While updating your plugins and themes regularly is vital to maintaining security on your site, it’s not a cure-all for potential exploitation of your site. WordPress has many plugins and themes available, and a high number of them has not been updated two or more years.


wordpress theme update


Plugins that haven’t received proper, regular maintenance can contain outdated features that slow your load times or, even worse, break your site.

Check to make sure your plugins receive active support to keep you safe against potential exploits and remove old plugins that no longer receive support to minimize the risk of hacking.


7. Backups will always fix your website

Backups are one of the most common solutions for fixing compromised websites. While a full site backup (check best free WordPress backup plugins) allows you to restore your site, it leaves you with the same security vulnerabilities that compromised your site in the first place.


  • Name
  • Free version
  • Paid version
    With additional upgrades and addons
  • Full site backup
    Is it possible to backup entire site with all files
  • Database backups
    Is it possible to backup only database
  • Backups to Dropbox
    Is it possible to save backup files to Dropbox
  • Backups to Amazon S3
    Is it possible to save backup files to Amazon S3
  • Backups to Google Drive
    Is it possible to save backup files to Google Drive
  • Backups to FTP
    Is it possible to save backup files to FTP
  • Backups to Rackspace
    Is it possible to save backup files to Rackspace
  • Email notification
    Email notification when backup is created
  • Changes only backups
    In order to reduce server resources and save space only new changes are added to backup
  • Scheduled Backups
  • Realtime backups
    Backups files are created whenever you make changes on your site
  • Migrate site
    Copy site or move it to a new host
  • Individual file restore
    Restore individual files/file from backup instead of whole thing
  • Restore backup from interface
  • Security and Malware scan
    Options to serach for viruses and other infections
  • Database repair and optimization
    Options to optimize wordpress database
  • Multisite support
  • Price for paid version
    With all addons and features (cheapest plan for 1-2 sites)
  • BackWPup
    It has also premium/paid version with additional addons and upgrades
  • Only in paid version
  • 75$
    For standard plan
  • BackUpWordPress
    It has also premium/paid version with additional addons and upgrades
  • Only available with paid addon which price is around 24$
  • Only available with paid addon which price is around 24$
  • Only available with paid addon which price is around 24$
  • Only available with paid addon which price is around 24$
  • Only available with paid addon which price is around 24$
  • 60$
    For personal plan
  • UpdraftPlus
    It has also premium/paid version with additional addons and upgrades
  • Only available with paid addon which price is around 15$
  • Paid addon
    Only available with paid addon which price is around 30$
  • Paid addon
    Only available with paid addon which price is around 25$
  • 99$ (unlimited number of sites)
    For developer plan with all addons and for unlimited number of sites


So, how do you fix this? Don’t rely on backups alone to fix your site after a successful hack, as you will lose data and records such as transactions that occurred after your last backup.

To save your information, be vigilant about applying patches to actual code flaws before you can fall prey to a successful hacking attempt.


8. Changing WordPress table prefix improves your security

This is a common recommendation. Changing the prefix of your WordPress database tables will prevent SQL injection attacks. However, it’s not as simple as changing out the “wp_” to a different value.

There has yet to be any proof that this method will do anything to improve your site security. And it can put your entire site at risk if it isn’t perfectly executed.


change wordpress database prefix


Measures like this are considered “security theater” because they make you feel like you’re putting in a lot of effort to improve your security while actually achieving very little. To protect your site against SQL injection attacks, it requires a three-pronged approach to security.

You’ll need an effective Web Application Firewall on top of continually patching and updating your plugins, themes, and core. And, of course, make sure you’re monitoring your site for suspicious login attempts or malware.


9. My site has an SSL certificate, so it’s completely safe

Something to keep in mind about SSL certificates is that the security they provide is purely transactional. It only protects information being passed between your site and your visitors — things like credit card information and personal data (see how to add free SSL certificate to WordPress site).


install ssl certificate wordpress


However, SSL certificates do not protect files and data that are on the site itself. To cover your site’s data, it is vital to have a Web Application Firewall and make sure that your plugins, themes, and core files that are up to date.


10. My website is safe; I use CDN or cloud firewall

Content delivery networks, or CDNs, and cloud firewall services like Cloudflare, Incapsula or Sucuri secure your sites by rerouting traffic to their servers and filtering traffic by firewall rules. If your traffic is compatible with the firewall rules, it goes on to your site.

While you may think this is the perfect way to avoid exposing your site’s actual server location, your site’s originating IP address can still give you away, and it can be difficult to obscure, if not impossible.


  • Content delivery network
  • Protection against the largest volumetric attacks
  • Full application-layer visibility
  • Mitigation of attacks against DNS servers
  • Protection of non-web infrastructure services
    (FTP, SMTP, VOIP, etc.)
  • Detection and mitigation of Application Layer attacks
  • Instant customization and propagation of security rules
  • Real-time visibility and control
  • Protection of origin IP addresses against DDoS attacks
  • External DDoS attack monitoring for network infrastructure
  • Compression and minification
  • Content and network optimization
  • Caching of both static and dynamically generated content
  • Serving cached resources directly from physical memory
  • Secondary level caching on SSD's for real-time cache updates
  • PCI-compliant Web Application Firewall (WAF)
  • Access Control
  • IP reputation-based monitoring system
  • Self Service Customization of security rules
  • 60-second security rule propagation
  • Backdoor protection to guard against malware infection
  • API Integration
  • Two factor authentication to prevent stolen passwords
  • Global server load balancing
  • Application layer Local server load balancing
  • Application layer site failover
  • Real-time application layer health monitoring
  • Application delivery rules
    (e.g. redirections based on cookies, header, etc)
  • Ticket System
  • Phone support
  • HTTP/2 Support
    HTTP/2 is the latest evolution of the HTTP protocol, which offers significant improvements to website load speeds and responsiveness.
  • Data Centers
  • Origin-Pull
  • Push (upload to CDN servers)
  • Purge/Purge all
  • Gzip
  • Honors all origin server headers
  • Can override origin server headers
  • Set caching headers for pushed files
  • Custom CNAMEs
  • Hotlink Protection
  • Live chat
  • Free backups
  • Integration with WordPress
  • Price
  • Incapsula
  • Always-on
  • 30
  • Resend from origin, or compress on edge
  • Shared certificate is free on all except free plan.
  • Shared certificate is free on all except free plan.
  • Integrates independently of WordPress. You need to change DNS settings. You will get all instructions in email and on Incapsula dashboard.
  • Free and paid plans
    A free plan includes bot protection, access control, login protect, CDN and Optimizer, website analytics, and community support. A paid PRO plan starts at $59 per month and includes the same features as the free plan, plus SSL support, advanced performance and email support.
  • CloudFlare
  • Manual
  • 86
  • Integrates independently of WordPress. You just need to sing up to CloudFlare and then assign new DNS servers to your domain name. CloudFlare picks up from there.
  • Free and paid plans
    They offer a free basic plan suitable for small websites and blogs and paid packages which vary from $20 – $200.
  • Akamai
  • More than 100,000
  • Resend from origin, or compress on edge
  • To get pricing for Akamai's products you need to contact them.
  • MaxCDN
  • MaxCDN will start offering DDOS and WAF soon
  • MaxCDN will start offering DDOS and WAF soon
  • MaxCDN will start offering DDOS and WAF soon
  • MaxCDN will start offering DDOS and WAF soon
  • MaxCDN will start offering DDOS and WAF soon
  • MaxCDN will start offering DDOS and WAF soon
  • MaxCDN will start offering DDOS and WAF soon
  • 75
  • The CDN handles the gzipping
  • After setting up your pull zone, you can integrate MaxCDN through the cache plugin. For example W3 Total Cache, Super Cache or WP Rocket.
  • Starting from $9/month to $299/month
    There is also custom per-gigabyte pricing
  • KeyCDN
  • 25
  • Only if origin server does Gzip
  • After setting you can integrate through the cache plugin. For example W3 Total Cache, Super Cache or WP Rocket.
  • Pay As You Go
    You don't need to buy any packages. Price starts from $0.04 / GB


This has been a common issue with cloud firewall providers, and the simple solution is to implement endpoint security measures on your site. If you protect your data at its origin point, that’s the best direct defense against hackers and other forms of attack.


11. IP blocking keeps hackers at bay

There are useful services online for recording suspicious logins and tracking the IP addresses, and can even block these IPs entirely.

While you may think IP blocking is an effective method of preventing hackers from accessing your site, hackers constantly change IPs and often operate from multiple IPs simultaneously to accomplish their goals.

When you block one IP address, they can simply switch to the next one they have lined up. Worse still, not blocking IPs properly can crash your site, which can be time-consuming to fix.


12. A secure username and password are all you need

While a unique admin username and a strong, complex password are vital to proper security on your site, it’s not a foolproof method for thwarting potential hackers.

One common tactic that is used to breach sites is using bots to cycle through thousands of common passwords with the standard “admin” username.

Make sure you do change your name from admin and incorporate multiple types of characters in your password, including capital and lowercase letters, numbers, punctuation, and other unique symbols that will make it harder to crack.

Keep in mind, though, that an effective username/password combo won’t protect from everything. Hackers have other means of attacking your site, including through vulnerabilities in out-of-date themes or plugins, data breaches, and even phishing schemes.


13. Just disable plugins/themes that you don’t use

This is a common mistake many site owners do. Rather than remove old plugins, they disable them instead. However, even inactive plugins and themes can be exploited because of the lack of updates or security fixes.

While you can update disabled plugins and themes, the better option is to remove things you don’t need to minimize security risks.


WordPress Security Myths Conclusion

There are many reasons why WordPress sites get hacked. After reading through these WordPress security myths, optimizing security on your site may feel a little daunting. It’s not always easy to tell if security measure will be effective and what is simply “security theater.”

Keeping your WordPress site safe is very important as well as prevent content theft. While there’s no way to ensure that a site will be 100% invulnerable to attacks, there are plenty of practices and precautions you can incorporate into your site management and maintenance that can minimize the risk of hacking and provide you with the peace of mind.

To be safe it is best to install WordPress security plugin like iThemes Security, WordFence, MalCare, Swift Security or Hide My WP which provide vast number of settings and options which you can enable to protect your website and implement security layers. For more information see iThemes Security review, MalCare review, Wordfence vs iThemes Security, Swift Security vs Hide My WP.

DISCLOSURE: Posts may contain affiliate links. If you buy something through one of those links, I might get a small commission, without any extra cost to you. Read more about it here.

1 thought on “13 WordPress Security Myths | Protect Your Website From Being Hacked!”

  1. Atul Kumar Pandey

    Thanks for sharing this amazing article on WP security, I was amazed to see that even small sites are being targeted and attacked by hackers. Now it is necessary for all to have some sort of security in place before going live.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top