Securing Wordpress

Juan Rozas
Juan Rozas used Ask the Experts™

I've a website in an IIS server.
For securing Wordpress, is enough to write protect the “plugins” folder and write some rules to web.config file?
To what kind of attacks is still the site exposed?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2016

always make sure that wordpress it up to date (don't forget to update your plugins), Wordpress is a complex beast and due to its popularity is a desirable target.  You have to keep on top of it. all of the time.
Technical Specialist
Awarded 2017
Distinguished Expert 2018
You need to secure the server and the network it is on too.

For WordPress, use and application firewall such as WordFence
Most Valuable Expert 2017
Distinguished Expert 2018

The terminology generally used is Hardening you can read more about it on the Wordpress site here

Which covers the requirement quite comprehensively

Remember there are two components to Hardening your site

a) The WordPress environment
b) But equally important the hosting environment

You can tick all the boxes for WP but still get hacked because your hosting environment is not secure.

How to harden your hosting environment is entirely dependent on the hosting environment itself.
OWASP: Forgery and Phishing

Learn the techniques to avoid forgery and phishing attacks and the types of attacks an application or network may face.

David FavorFractional CTO
Distinguished Expert 2018
Julian's right on.

I run a private hosting company + many new clients come to me because... as Julian said, "they've ticked all the WordPress security boxes" + still get continually hacked.

This relates to hosting environment.

Unfortunately with IIS you never really know who's on your machine doing what.

With Linux, hosting lockdown is straight forward.

With IIS (shudder), your best bet is to keep all your software up to date + if you get hacked even with your software up to date, consider switching to locked down Linux.


Thanks to everyone for your answers.
Most Valuable Expert 2017
Distinguished Expert 2018

David FavorFractional CTO
Distinguished Expert 2018

One point about WordFence.

Because this runs at the WordPress level every request has to flow through the entire LAMP Stack...

Kernel -> Apache -> PHP -> Database -> WordPress core + theme + plugins.

This is required for every request, so anytime anyone really want's to take your site down, all they have to do is flood your site with requests.

Because of the massive database burden WordFence + all other WordPress security plugins add to server resource usage...

It's way easier to take down a site running WordFence (or any other security plugin) than sites with out these plugins.

That said, running this suite of software allows bad IPs to be blocked at the Kernel, so once they're blocked there's no resource drain for any future request.

All my clients require this because of the level of traffic they run.

Here's the way to do low resource security, with no manual intervention required, like clearing IP blocks when they're no longer attacking...

1) which any sensible hosting company should be running. If they can't/won't enable this for you, switch hosting companies.

Once fail2ban is running, then install a couple of zero config plugins to stop attacks.



4) Once these are installed + verified to work, you can strip out all security plugins + have near zero resource usage to block attacks.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial