WordPress is home to a vast community of users from around the globe and is the top content management platform, but that number-one spot puts a target on its back, and with that attention come many WordPress security myths.
You’ll find plenty of well-meant security advice about protecting your site, but much of it has hardened into myths that do nothing to protect your site.
Some of these tips may even leave it more vulnerable to attacks.
WordPress Security Myths
Let’s examine the top 13 WordPress security myths and what you can do to protect your WordPress website properly.
1. Hide your wp-admin or wp-login pages, and nobody can find your login URL
The logic behind this idea is keeping potential hackers from hacking things that they can’t find.
If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute force attacks?
While hiding your wp-admin URL can help stop some attacks, it won’t stop them all.
The reason this strategy doesn’t work is that there are other ways to log into a WordPress site besides the normal browser login form, such as the REST API or XML-RPC.
This means that even if you change the login URL, those endpoints still accept credentials, and a plugin or theme you use can still link to the login URL anyway.
While hiding the backend is enough to stop most casual direct-access attempts, anyone who discovers your custom wp-admin or wp-login URL is simply redirected to your login page as before.
Another reason this doesn’t work is that hiding the backend completely would break your site. Everything you install assumes that wp-admin will be in the URL.
Hiding the login URL can obscure the real link to your WordPress login, but it cannot change it, and customizing the login URL can cause plenty of problems, because many themes, plugins, and apps hard-code wp-login.php into their base code.
If these plugins, themes, etc. cannot find the link, they find an error instead.
A more reliable solution would be using two-factor authentication and denying compromised passwords.
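As an added example (not code from the article), here is a must-use plugin that rejects known-compromised passwords at the one place every password login shares, instead of hiding a URL; the deny-list, the `MYTHS_` names and the helper are constructed for illustration, and the two-factor half of the advice is left to a dedicated plugin.

```php
<?php
/*
 * Plugin Name: Reject compromised passwords (added example)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 *
 * The wp-login.php form and XML-RPC both end up in wp_authenticate(),
 * whose default handlers run the 'wp_authenticate_user' filter just
 * before the password hash is compared. A check hooked here therefore
 * covers the login paths that renaming wp-login.php leaves open.
 */

// Constructed deny-list of SHA-1 hashes for illustration only; a real
// deployment would consult a breach corpus instead of a hard-coded list.
const MYTHS_DENIED_PASSWORD_SHA1 = array(
    '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', // sha1('password')
    '7c4a8d09ca3762af61e59520943dc26494f8941b', // sha1('123456')
);

// Hypothetical helper: true when the submitted password is on the list.
function myths_is_denied_password( $password ) {
    return in_array( sha1( (string) $password ), MYTHS_DENIED_PASSWORD_SHA1, true );
}

add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // an earlier filter already rejected this attempt
    }
    if ( myths_is_denied_password( $password ) ) {
        // Generic message: the response must not reveal which rule fired.
        return new WP_Error( 'denied_password', 'Login refused.' );
    }
    return $user; // unchanged: WordPress now verifies the hash as usual
}, 10, 2 );
```

Because the filter runs before the hash comparison, a listed password is refused whether or not it happens to be the account’s real one, which is exactly what a deny-list should do.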
2. Hide your WordPress version number and theme name for extra protection
The idea behind this tactic is that, if hackers have this information, they can use it to access your site.
Hiding your WordPress version or theme name won’t keep you safe from breaches, because attackers don’t need that information: bots simply probe for known vulnerabilities in the code running on your website, whether or not you advertise a version.
Instead of obscuring this information, make sure your WordPress installation is always up-to-date to ensure that you have the latest security patches installed.
3. Rename your wp-content directory, and you are safe
Your plugins, themes, and media uploads folder are all contained in the wp-content directory on your site.
There’s a lot of code and data in there, so it is, of course, prudent to want to protect it.
However, changing the content directory name won’t actually add that extra layer of protection to your site.
Renaming it doesn’t hide it: every script, stylesheet and image your pages load is served from that directory, so the new name is visible in the page source and in browser developer tools.
Renaming it can even cause conflicts with plugins that have a hard-coded wp-content directory path that they need to use to work.
The only reason you should be concerned about your wp-content directory is if it contains a plugin or theme with a vulnerability that can be exploited.
The best way to prevent this is by keeping your themes and plugins up-to-date to avoid security vulnerabilities.
4. Hacking only happens to large sites
Even if your WordPress site is small with low traffic, it’s vital to be proactive when it comes to securing your site.
Hackers don’t care how large or busy a site is. Any vulnerable site can be turned into a host for malicious sites, a relay for spam email, or even a Bitcoin miner.
The key is vulnerability rather than site size or traffic levels.
You can mitigate this by always keeping plugins, themes, and WordPress itself up to date, and by installing a trusted WordPress security plugin.
Quality hosting and two-factor authentication are also important parts of keeping attackers at bay.
5. WordPress isn’t a secure platform
You may have heard this claim before, but it simply isn’t true.
WordPress, being one of the top content management systems online today, didn’t get to where it is now without solid, reliable security measures.
The biggest vulnerability comes from users and can be avoided with precautionary measures taken by site owners.
The number one reason for hacks is outdated software, and most plugins will be patched regularly to fix potential vulnerabilities in their code.
Make sure to always keep your themes and plugins updated. When a site gets hacked, it’s not a WordPress flaw; it’s a lapse in a user’s vigilance that leaves them open to attack.
6. Regular updates always keep your site safe
While updating your plugins and themes regularly is vital to maintaining security on your site, it’s not a cure-all for potential exploitation of your site.
WordPress has a huge catalogue of plugins and themes, and a large number of them have not been updated in two or more years.
Check to make sure your plugins receive active support to keep you safe against potential exploits and remove old plugins that no longer receive support to minimize the risk of hacking.
7. Backups will always fix your website
Backups are one of the most common solutions for fixing compromised websites.
While a full site backup allows you to restore your site, it leaves you with the same security vulnerabilities that compromised your site in the first place.
So, how do you fix this? Don’t rely on backups alone to fix your site after a successful hack, as you will lose data and records such as transactions that occurred after your last backup.
To protect your data, be vigilant about patching the actual code flaws before anyone can exploit them.
8. Changing WordPress table prefix improves your security
This is a common recommendation: change the prefix of your WordPress database tables, and SQL injection attacks will be prevented.
However, it’s not as simple as changing out the “wp_” to a different value.
There has yet to be any proof that this method will do anything to improve your site security.
And it can put your entire site at risk if it isn’t perfectly executed.
Measures like this are considered “security theater” because they make you feel like you’re putting in a lot of effort to improve your security while actually achieving very little.
Protecting your site against SQL injection requires a three-pronged approach.
You’ll need an effective Web Application Firewall on top of continually patching and updating your plugins, themes, and core.
And, of course, make sure you’re monitoring your site for suspicious login attempts or malware.
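An added example (not from the article) of why the prefix is beside the point: both functions below take the table name from `$wpdb`, so they run unchanged under any prefix, yet only the second is safe. The function names are hypothetical, and the code assumes it runs inside WordPress with the `$wpdb` global loaded.

```php
<?php
// Vulnerable: request input is concatenated into the SQL string. Whatever
// the table happens to be called, the caller controls part of the statement,
// and the real table name is resolved for them by $wpdb->posts anyway.
function myths_posts_by_author_unsafe( $author_param ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_author = " . $author_param
         . " AND post_status = 'publish'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened: the value is bound through $wpdb->prepare(), so it can only be
// treated as an integer, never as SQL. The prefix still comes from $wpdb,
// so this works identically whether the prefix is wp_ or something random.
function myths_posts_by_author_safe( $author_param ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_author = %d AND post_status = %s",
        (int) $author_param,
        'publish'
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The defence lives in the query, not the table name: a Web Application Firewall can catch some malformed input in front of the first function, but only the second one is correct regardless of what reaches it.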
9. My site has an SSL certificate, so it’s completely safe
Something to keep in mind about SSL certificates is that the security they provide is purely transactional.
It only protects information being passed between your site and your visitors — things like credit card information and personal data.
However, SSL certificates do not protect files and data that are on the site itself.
To cover your site’s data, it is vital to have a Web Application Firewall and to make sure that your plugins, themes, and core files are up to date.
10. My website is safe; I use CDN or cloud firewall
A CDN or cloud firewall sits in front of your server; if your traffic passes the firewall rules, it is forwarded on to your site.
While you may think this is the perfect way to avoid exposing your site’s actual server location, your site’s originating IP address can still give you away, and it can be difficult to obscure, if not impossible.
This has been a common issue with cloud firewall providers, and the simple solution is to implement endpoint security measures on your site.
If you protect your data at its origin point, that’s the best direct defense against hackers and other forms of attack.
11. IP blocking keeps hackers at bay
There are useful online services that record suspicious logins, track the IP addresses involved, and can even block those IPs entirely.
While you may think IP blocking is an effective method of preventing hackers from accessing your site, hackers constantly change IPs and often operate from multiple IPs simultaneously to accomplish their goals.
When you block one IP address, they can simply switch to the next one they have lined up.
Worse still, not blocking IPs properly can crash your site, which can be time-consuming to fix.
12. A secure username and password are all you need
While a unique admin username and a strong, complex password are vital to proper security on your site, it’s not a foolproof method for thwarting potential hackers.
One common tactic that is used to breach sites is using bots to cycle through thousands of common passwords with the standard “admin” username.
Make sure you change your username from admin and use several types of characters in your password, including capital and lowercase letters, numbers, punctuation, and other symbols that make it harder to crack.
Keep in mind, though, that an effective username/password combo won’t protect from everything.
Hackers have other means of attacking your site, including through vulnerabilities in out-of-date themes or plugins, data breaches, and even phishing schemes.
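Since myth 11 shows that blocking by source IP is defeated by rotation, and myth 12 describes bots hammering the same “admin” account from anywhere, this added example (not from the article) counts failed logins per target account instead; the `MYTHS_` names, thresholds and helpers are constructed, and it assumes WordPress is loaded so the `wp_login_failed` action and the transients API are available.

```php
<?php
// Added example: monitor failed logins by account, not by IP address.
// Place in wp-content/mu-plugins/. The 'wp_login_failed' action fires for
// every rejected password login, including attempts against usernames that
// do not exist, so guessing runs against "admin" are visible even when the
// account was renamed long ago.

const MYTHS_FAILED_LOGIN_WINDOW = 600; // seconds of inactivity before the counter expires
const MYTHS_FAILED_LOGIN_ALERT  = 20;  // failures per account that trigger one alert

// Hypothetical helper: one transient key per (case-folded) username.
function myths_failed_login_key( $username ) {
    return 'myths_failed_login_' . md5( strtolower( (string) $username ) );
}

// Records one failure and returns the account's running total. Re-setting
// the transient on every failure makes the window slide with the attack.
function myths_record_failed_login( $username ) {
    $key   = myths_failed_login_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, MYTHS_FAILED_LOGIN_WINDOW );
    return $count;
}

add_action( 'wp_login_failed', function ( $username ) {
    $count = myths_record_failed_login( $username );
    if ( $count === MYTHS_FAILED_LOGIN_ALERT ) {
        // Alert exactly once per window; the source IP is deliberately not
        // part of the key, because the attacker will not keep using it.
        error_log( sprintf(
            'WordPress: %d failed logins for account "%s" within %d seconds',
            $count, $username, MYTHS_FAILED_LOGIN_WINDOW
        ) );
    }
} );
```

Wire the `error_log()` line to whatever monitoring you already run; the point is that the signal survives the attacker changing addresses.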
13. Just disable plugins/themes that you don’t use
This is a common mistake many site owners make. Rather than removing old plugins, they simply deactivate them.
However, even inactive plugins and themes can be exploited because of the lack of updates or security fixes.
While you can update disabled plugins and themes, the better option is to remove things you don’t need to minimize security risks.
WordPress Security Myths Conclusion
After reading through these WordPress security myths, optimizing security on your site may feel a little daunting.
It’s not always easy to tell whether a security measure will be effective or is simply “security theater.”
While there’s no way to guarantee that a site will be 100% invulnerable to attacks, there are plenty of practices and precautions you can build into your site management and maintenance that minimize the risk of hacking and give you peace of mind.