Warding Off WordPress Vulnerabilities


WordPress just released its first major update in more than four years, yet concerns still remain about the platform’s perceived history of vulnerabilities.

And while WordPress has undoubtedly endured its share of hacks and attacks, it is far from alone.

In recent years, the entire Internet has become a giant target for cyber criminals. Because WordPress has the distinction of being one of the world’s most popular website creation tools, it simply makes up a larger portion of that particular bullseye.

The truth is that WordPress’ vulnerabilities are easily preventable with attentive, proactive hosting.


Vulnerabilities to WordPress sites are typically the result of one or more of the following:

  • When the site is hosted on the cheap
  • When the CMS is not diligently updated with security releases
  • When backups are not completed and cataloged
  • When plugins are not meticulously monitored


Plugins would appear to be the most significant gateway to hacks, and those hacks almost always involve defacement.

Defacement refers to vandalism that alters a page’s appearance for political purposes or bragging rights. It is easy to remedy, simply by restoring the prior day’s backup; the plugin or theme that let the attacker in must still be updated or removed, though, or the defacement will simply recur.

For this reason, backups should be made daily and cataloged. If a hack is identified a week after the fact, the site can be swiftly restored to the full version from eight days prior.

Vulnerabilities in plugins are regularly announced on security bulletins. Authors are typically quick to release security updates.


Occasionally, vulnerabilities are discovered, but the related plugins are abandoned and never updated. When this happens, the best course of action is to:

  1. Use as few plugins as possible.
  2. Use plugins that are widely supported – or even paid for – such as WooCommerce, Gravity Forms, TablePress, etc.
  3. Avoid plugins that provide remote control of many WordPress sites, such as ManageWP and InfiniteWP. These are highly targeted, and vulnerabilities are regularly found here.
  4. Limit cloning and staging plugins, such as Duplicator and WP Staging, to short-term use only, and delete them immediately after you are finished.
  5. Keep tabs on which plugins have been found to have flaws.

Themes are similar. Each theme has its own author, and thus is subject to abandonment. Additionally, once significant changes have been made directly to a theme’s files, updating it is no longer advisable, because the update would overwrite those changes.

The most secure route is creating a custom theme based on a custom design. Higher level “theming systems,” such as Divi by Elegant Themes, are also an option. Divi, for example, requires a paid license and boasts an excellent reputation.


WordPress websites should never be stagnant. Ever.

At IMPACT, our hosting partner immediately applies security updates as they are released by WordPress. In most cases, websites are auto-updated on the same day of release.

Our hosting partner also utilizes the intrusion prevention software Fail2Ban. If an access attempt fails three times, that IP address is banned for one hour. Multiple bans result in access restriction for one month. This includes attempts to access the administrative backend of a WordPress site.
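One way to express that policy in Fail2Ban, shown here as an added illustration rather than the actual configuration of IMPACT’s hosting partner. The filter name, the web server log path, the findtime windows and the number of earlier bans that trigger the long ban are assumptions; the three-failure, one-hour and one-month values come from the text above.

```ini
# /etc/fail2ban/filter.d/wordpress-login.conf   (hypothetical filter name)
[Definition]
# A failed WordPress login is a POST to wp-login.php that the server answers
# with HTTP 200 (the login form is re-rendered). A successful login answers
# with a 302 redirect to wp-admin, so matching only on 200 avoids banning
# legitimate administrators who simply signed in.
failregex = ^<HOST> .* "POST /wp-login\.php(\?.*)? HTTP/[0-9.]+" 200
ignoreregex =

# /etc/fail2ban/jail.d/wordpress.local
[wordpress-login]
enabled  = true
filter   = wordpress-login
port     = http,https
# Assumed nginx access log; use the Apache access log path if that applies.
logpath  = /var/log/nginx/access.log
# Three failures within the window (window length assumed) earn a one-hour ban.
findtime = 10m
maxretry = 3
bantime  = 1h

# Fail2Ban's bundled "recidive" jail reads Fail2Ban's own log and re-bans
# hosts that keep getting banned, this time on every port.
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
# Count earlier bans over the last day (assumed window); after the third
# ban (assumed count) restrict access for roughly one month.
findtime  = 1d
maxretry  = 3
bantime   = 30d
```

After editing, `fail2ban-client reload` applies the jails and `fail2ban-client status wordpress-login` shows the currently banned addresses.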

IMPACT creates backups daily and catalogs versions of a site for six months. We also back up client websites to another storage location that is permanent and never deleted.

Our clients include CPA firms, law firms, technology companies, and more – all high-stakes industries that cannot, in any way, tolerate hacks to their websites.

Thanks to our experts, they will never have to.
