10 steps to strengthen your WordPress security

Security is one of the most important things in the world today and WordPress security is often being called out for not being secure and easily hackable. But is it really? It turns out that it depends on how you use it and how you implement the site’s functionalities. By following 10 “basic” steps that you will find in this post you can make your site much much harder to hack. So, let’s get straight to it boosting up your WordPress security.

1. Sanitize user data

Every user input should be treated as a potential security issue. In order to make sure that user input does not carry any harmful values you should always sanitize those same values. WordPress offers a large set of methods that can help you to do so and here are some of them:

sanitize_email( $email ) – Strips out all characters that are not allowed in an email address.
sanitize_file_name( $name ) – Sanitizes a filenames replacing whitespace with dashes.
sanitize_text_field( $str ) – Sanitize a string from user input or from the db.

Rest of them you can find here – http://goo.gl/aGkL26

2. Use $wpdb->prepare() method when executing custom SQL queries

When writing a custom SQL query for a certain functionality or a certain plugin you need to be 100% careful since someone can easily exploit badly written query. One example of badly written SQL query is the unprepared one. Unprepared queries can eventually lead to SQL injection exploit which will allow untrusted person to manipulate with your database data or even drop it entirely. Example on how you can avoid these scenarios can be found on the official WordPress documentation – http://codex.wordpress.org/Class_Reference/wpdb

3. Avoid shell execution functions

Shell execution functions (like system() or exec()) should be avoided as much as possible since they can cause huge damage if they become accessible to an untrusted person. If, by any case, someone reaches it, he or she will be able to remotely execute shell scripts right on your server which can lead to deleted files, code being changed and many more disastrous things. If you really, really must execute shell scripts from PHP then be sure to escape the values that you will place inside that function and be sure that the untrusted person cannot access it in any way nor can values be entered directly.

4. Be careful when using eval()’ed PHP functions

PHP eval() method is used to evaluate and execute string as an regular PHP code. When using methods like require() or preg_replace() you’re in fact using methods that use the eval() method behind the scenes. So what does that mean? Basically every input you give to the method will be eval’ed in a certain point of time which means that you need to escape the user input values as well before sending them to a eval’ed method like preg_replace(). The unescaped values can cause a great disaster as well. Here’s an example of what can happen if you do not escape the value:

preg_replace(“/.*/e”,”system(‘echo /etc/passwd’)”);

This exploit is called code injection since someone is trying to push extra lines of code into the application. Make sure that you do not allow this in your theme or your plugin.


When you publish your site into production make sure that you set the WP_DEBUG and WP_DEBUG_LOG constants to false. Also, you should set PHP error reporting option to false. You can do so by editing the php.ini file or by executing follwing methods:

@ini_set(‘display_errors’, 0);

If you don’t, everyone will be able to see thrown errors and exceptions which can lead to potential code exploits and injections.

6. Avoid custom authenticators

Writing a custom WordPress authenticator is possible but it’s also dangerous if you don’t do it right. Also, there’s no guarantee that your authentication will work the next time you update WordPress itself since the authentication API can easly change in any point of time. If you really need one you should be extra careful during the implementation process.

7. Use the hooks

Try to use WordPress provided filters and actions as much as possible as using them will ensure your theme or your plugin is stable and secure. And that it won’t interfere with other installed plugins. You can find all the hooks you will ever need on the official WordPress hooks documentation page.

8. Go easy on plugins

Too often I see people installing tons and tons of plugins while they really only use just few of them. When you combine that with the fact that a really small number of those administrators do regular updates of those same plugins you get a recipe for disaster. The thing is that there are good (maintained) plugins and bad ones. Bad plugins are often untested, unchecked and are not maintained by the creator or the community. Those plugins are the reason why people say that WordPress security is flawed since they’re most likely candidates for some form of exploit (SQL injection, code injection etc.).

9. Maintain and backup

Backup is an essential part of your WordPress security. By regularly updating the plugins and WordPress itself and by backing up your data on daily or weekly basis you’ll be much more secure. Updates are there for a reason so do not hesitate to click that little “Update” button. Also, if you are doing those regular backups you will also be sure that you can always restore data from a previous point in time if something goes wrong after an update. One thing that people often forget is to update the PHP itself which I also highly recommend to do.

10. Follow the experts

Last but not least, follow the experts. You can follow them on Twitter or you can read their blogs. Do that, since they are one of the most valuable resources that you can have regarding WordPress security. Personally, I highly recommend the Sucuri’s Blog.

And there you have it. 10 steps to take to make it harder for hackers to make their way into your site  keeping your WordPress security as strong as ever.

About Domagoj Gojak