WordPress Security Plugin – BulletProof Security

In this tutorial, we show you how to install, configure, and use the BulletProof Security plugin for WordPress.

WordPress Security Plugin - BulletProof SecurityThis tutorial is part of our tutorial series on WordPress Security. In this tutorial, you will learn how to install, configure, and use the BulletProof Security plugin for WordPress.


WordPress Security Plugin – BulletProof Security

BulletProof Security

BulletProof Security - WordPress Plugin

(BulletProof Security)

Plugin URL


Plugin Description

BulletProof Security is designed to be a fast, simple and one-click security plugin that adds .htaccess website security protection for your WordPress site.

Some of the main features of this plugin include:

  • Activate .htaccess website security and .htaccess website ‘under maintenance’ modes from within your WordPress Dashboard – No FTP or Web Hosting Control Panel access required.
  • One-click security solution that creates, copies, renames, moves or writes to the provided BulletProof Security .htaccess master files.
  • Protects both your root website folder and wp-admin folder with .htaccess website security protection, as well as providing additional website security protection.
  • Protects your WordPress site against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts.
  • Performs one-click essential operations (like create, copy, rename, move, write, etc.) to protect files such as wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection.
  • Allows you to activate .htaccess website security and .htaccess website “under maintenance modes” from within your WordPress Dashboard with no FTP required.
  • Protects both your root website folder and wp-admin folder.
  • One-click Website Maintenance Mode (HTTP 503) for the front and back end. Maintenance Mode also allows you to create and activate your custom “Under Maintenance” web page using various templates provided.
  • Performs additional website security checks (e.g: DB errors off, file and folder permissions check, System Info: PHP, MySQL, OS, Server, Memory Usage, etc.)
  • Automatic .htaccess file updating on upgrade installation and new .htaccess security filters automatically added during the upgrade.
  • Security Status Page – Displays website security status information.

Best of all, you don’t need to know or understand anything about .htaccess website security files in order to use the BulletProof Security plugin. The plugin provides “AutoMagic” buttons that let you set everything up with nothing to configure or set up.

Practical Tip

BulletProof Security also has a PRO version that offers significant additional security features, including:

  • 1-Click Setup Wizard: Fast, Simple, One-Click Installation
  • AutoRestore: Automatic File Restore
  • Quarantine: Automatic File Quarantine
  • Real-time File Monitor: Email & Dashboard Alerts
  • Plugin Firewall (True IP Firewall): Protects the WP Plugins Folder, IP Address Updated in Real Time
  • Uploads Anti-Exploit Guard (UAEG): Protects the WP Uploads Folder
  • Login Security & Monitoring: Advanced Login Security & Monitoring
  • JTC Anti-Spam / Anti-Hacker: Hacker Protection, Spammer Protection, DoS/DDoS Attack Protection, Brute Force Login Attack Protection, User-Friendly CAPTCHA
  • .htaccess Website Security: Firewalls
  • Custom php.ini Website Security
  • F-Lock – Read Only File Locking
  • Security Logging
  • HTTP Error Logging
  • PHP Error Logging
  • Email Alerts
  • Versatile Set of Pro-Tools
  • and more …

To learn more about the PRO features of this plugin, visit the site below:


Remember to back up all files and data on your site before installing and configuring this plugin, as the plugin performs a number of modifications to important files on your site.

If you need help setting up this plugin, please ask a professional WordPress service provider for assistance.

To learn how to perform WordPress file and data backups, see the tutorials in the module below:

Plugin Installation

From your WordPress administration area, select Plugins > Add New

BulletProof Security Plugin

Select the Install Plugins > Search tab, then type in “bulletproof” into the search field and click on the Search Plugins button …

BulletProof Security Plugin

Activate plugin after uploading, or locate the plugin in the search results area and click Install Now

BulletProof Security Plugin

Activate the plugin after installing it …

BulletProof Security Plugin

When the BulletProof Security plugin is first activated, a warning message displays at the top of your admin screen …

BulletProof Security Plugin

See the ‘Plugin Configuration’ section below to learn how to complete the steps indicated in the warning message and configure your .htaccess file in security mode.

Once the plugin has been activated, click on Settings

BulletProof Security Plugin

You can also access the plugin’s settings and options area by selecting BPS Security from your WP dashboard menu …

BulletProof Security Plugin

Plugin Configuration

The BulletProof Security configuration and settings area is divided into the following sections:

  • htaccess Core
  • Login Security
  • Security Log
  • Maintenance Mode
  • System Info

Note: We’ll go over each of these sections briefly below, as the developers of BulletProof Security plugin already provide video tutorials on their site covering installation and setup, and a users forum where you can get help, support and further instructions on using some of the plugin’s more advanced features.

htaccess Core

Select ‘BPS Security > htaccess Core‘ from your WP-admin menu …

BulletProof Security Plugin

This section allows you to configure .htaccess file security options for your site …

BulletProof Security Plugin

Basically, BulletProof Security will take your default .htaccess file, which looks like this …

BulletProof Security Plugin

And modify the information by automatically adding security commands and instructions to your files like this …

BulletProof Security Plugin

This section includes a number of tabs …

BulletProof Security Plugin

We strongly recommend clicking on the ‘Read Me’ buttons before performing any kind of operation with this plugin …

BulletProof Security Plugin

The plugin modifies important files on your site and the ‘Read Me’ sections contain important information and additional instructions for getting help …

BulletProof Security Plugin

Security Modes Tab

If you have already backed up your site, then use the recommended options for your installation and click on ‘Create secure.htaccess file’ in the ‘Security Modes’ tab …

BulletProof Security Plugin

A message will pop up letting you know that clicking the ‘OK’ button will create the secure.htaccess file for your site, but it will not activate the file (this will be done in the next step below).

Click ‘OK’ to proceed …

BulletProof Security Plugin

Your security root master .htaccess file will be created …

BulletProof Security Plugin

Important Info

We recommend making a backup of your WordPress .htaccess file at this point, especially if you have made any prior modifications to your .htaccess file. As .htaccess is a file located on your server, making backups of your WordPress database won’t back this file up (because it’s not in your database).

To backup your htaccess file, you will need to FTP into your server and download the file to your hard drive.

Backup your .htaccess file

(Backup your .htaccess file)

The next step is to activate BulletProof mode for your root folder by selecting the ‘Root Folder BulletProof Mode’ radio button in the ‘Activate Security Modes’ section and clicking the ‘Activate’ button …

BulletProof Security Plugin

A message will appear asking you to confirm if you have created the master .htaccess files using the ‘AutoMagic’ buttons, and if you have taken steps to back up your existing .htaccess files (this is especially important if you have made any custom modifications to your .htaccess file). The message will also remind you that you will overwrite your existing root .htaccess file by clicking the OK button.

Click ‘OK’ to proceed or ‘Cancel’ to abort …

BulletProof Security Plugin

A message will display on your screen confirming that your site’s root folder protection has been successfully activated, and reminding you that if you have root folder security activated, you will also need to activate wp-admin folder security protection …

BulletProof Security Plugin

To activate wp-admin folder security protection, scroll down the ‘Activate Security Modes’ screen until you come to the ‘Activate Website wp-admin Folder .htaccess Security Mode’ section, then select the ‘wp-admin Folder BulletProof Mode’ radio button and click the ‘Activate’ button …

BulletProof Security Plugin

A message will display on your screen confirming that BulletProff Security wp-admin Folder Protection has been activated and that your wp-admin folder is now protected …

BulletProof Security Plugin

The other security options in the ‘Activate Security Modes’ section are automatically set up when you activate the plugin itself:

Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder

Activating BulletProof Mode for Deny All htaccess Folder Protection copies and renames the deny-all.htaccess file located in the /plugins/bulletproof-security/admin/htaccess/ folder and renames it to just .htaccess. The Deny All htaccess file blocks everyone, except for you, from accessing and viewing the BPS Master htaccess files.

Activate Deny All htaccess Folder Protection For The BPS Backup Folder

Activating BulletProof Mode for Deny All BPS Backup Folder Protection copies and renames the deny-all.htaccess file located in the /bulletproof-security/admin/htaccess/ folder to the BPS Backup folder /wp-content/bps-backup and renames it to just .htaccess. The Deny All htaccess file blocks everyone, except for you, from accessing and viewing your backed up htaccess files.

If your server does not allow these options to be automatically created and activated, then you will need to manually activate these yourself by selecting the radio buttons and clicking ‘Activate’ …

BulletProof Security Plugin

Security Status

After configuring the plugin’s .htaccess file security modes, click on the Security Status tab to view your security and protection status …

BulletProof Security Plugin

This section shows the status of your activated BulletProof Security .htaccess files, file and folder permissions, additional security measures that the plugin has implemented on your site (you can reset and recheck these), and general security file check results.

We recommend going through the accompanying ‘Read Me’ notes for each of these sections for more information on what the data means and further instructions.

Backup & Restore Tab

Use this section to create and restore backups of your .htaccess files …

BulletProof Security Plugin

The first time you install the plugin, you may see warnings in this section about your .htaccess files …

BulletProof Security Plugin

Select the ‘Backup .htaccess Files’ radio button and click ‘Backup Files’ …

BulletProof Security Plugin

BulletProof Security will create backups of your .htaccess files and notify you that these files now exist and have been backed up successfully …

BulletProof Security Plugin

You can also use this section to restore your last .htaccess file backups.


  • The backup can be restored should the .htaccess file become corrupted as a result of a hacking attempt.
  • In cases where you install a plugin that writes to your htaccess files you will want to perform another backup of your htaccess files. Each time you perform a backup you are overwriting older backed up htaccess files.
htaccess File Editor Tab

This section lets you lock/unlock files for editing and modify the content of your htaccess files without having to access these via FTP or your webhosting control panel …

BulletProof Security Plugin


  • The File Editor is designed to open all of your .htaccess files simultaneously and allow you to copy and paste from one window (file) to another window (file), but you can only save your edits for one file at a time. Whichever file you currently have opened (the tab that you are currently viewing) when you click the ‘Update File’ button is the file that will be updated / saved.
  • Keeping the .htaccess file locked prevents anyone writing to it. Unlocking it lets you edit the code directly. You can edit the files directly through the plugin edit interface in this section.
Custom Code Tab

This section lets you add custom code to your .htaccess files …

BulletProof Security Plugin


Important: Before adding any custom codes to your .htaccess files, please go through the ‘Read Me’ notes, watch the video tutorials and visit the BulletProof Security Forum. If you don’t know what you are doing, then ask a professional to help you, as entering the wrong information in this section could crash your site!

Help & FAQ Tab

This section provides links to help and resources …

BulletProof Security Plugin

The other tabs in this section are used for providing plugin users with additional information and marketing-related information.

Login Security

To access the plugin’s ‘Login Security’ section, select ‘BPS Security > Login Security‘ from your WP-admin menu …

BulletProof Security Plugin

This section lets you configure settings that will help to protect your WordPress site from brute-force attacks

BulletProof Security Plugin

You can specify the maximum number of login attempts, lockout times, set alerts and notifications and configure a number of additional login security and monitoring options in this section.

If you make any changes to the settings in this section, remember to click on the ‘Save Options’ buttons and the ‘Submit’ button when finished to update and save your new settings …

BulletProof Security Plugin

For more information on protecting your WordPress site from brute-force attacks, see the tutorial below:

Security Log

To access the plugin’s ‘Security Log’ section, select ‘BPS Security > Security Log‘ from your WP-admin menu …

BulletProof Security Plugin

This section lets you view logs of all blocked attempts by hackers, spammers, scrapers, bots, etc., specify settings for sending email alerts, add exceptions, and set the maximum database size for keeping and purging stored log data …

BulletProof Security Plugin


  • Beware of using the Security Log error logging feature as the error log will continually fill up and create a very large file, which can cause your server to crash. We recommend using this feature only to diagnose security issues.
  • View the ‘Help & FAQ’ tab and click on the ‘Read Me’ buttons for additional information related to this section of the plugin.
  • Remember to click on the ‘Save Options’ buttons if you make any changes to the settings in this section, and click on the ‘Update File’ button at the bottom of the screen when finished to update and save your new settings.
Maintenance Mode

BulletProof Security views “maintenance mode” web pages as part of WordPress security, as these can be compromised by hackers and give access to the WP-admin area if not properly secured.

For this reason, BulletProof Security incorporates a complete Maintenance Mode feature within the plugin itself.

To access the plugin’s ‘Maintenance Mode’ section, select ‘BPS Security > Maintenance Mode‘ from your WP-admin menu …

BulletProof Security Plugin

The BulletProof Maintenance Mode feature:

  • Includes various background and center images (text box image),
  • Allows you to embed image files and YouTube videos,
  • Offers ‘FrontEnd’ Maintenance Mode, ‘BackEnd’ Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes,
  • Is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily.

BulletProof Security Plugin

For instructions on how to set up a maintenance mode page using the BulletProof Maintenance Mode feature, see ‘Plugin Usage’ section below.

System Info

To access the plugin’s ‘System Info’ section, select ‘BPS Security > System Info‘ from your WP-admin menu …

BulletProof Security Plugin

This section provides detailed information about your system, SQL database, and PHP server, and lets you check your website headers …

BulletProof Security Plugin

Note: System info data can be used to analyze security risks.

Plugin Usage

Once the BulletProof Security plugin has been installed and configured, there is really nothing else to do as far as securing and protecting your site is concerned. The plugin will block attempts by hackers and notify you of these as specified in the plugin settings and options.

One of the features of this plugin that is worth learning how to use is the BulletProof Maintenance Mode feature.

Maintenance Mode

To set ‘Maintenance Mode’ for your website on and off, select ‘BPS Security > Maintenance Mode‘ from your WP-admin menu …

BulletProof Security Plugin

If you want to display a countdown timer letting your visitors know how long your site is going to be down for, then tick the ‘Enable Countdown Timer’ checkbox, and specify a maintenance mode duration (in minutes), in the ‘Maintenance Mode Time’ and ‘Header Retry-After’ fields as shown in the screenshot below …

BulletProof Security Plugin

You can also choose a color for your countdown timer from the ‘Countdown Timer text Color’ drop-down menu …

BulletProof Security Plugin

Next, decide whether you want to enable FrontEnd maintenance, BackEnd maintenance, or both FrontEnd and BackEnd maintenance modes …

BulletProof Security Plugin

  • FrontEnd Maintenance Mode means that your website Maintenance Mode page displays to website visitors instead of your website.
  • BackEnd Maintenance Mode refers to allowing access to the WordPress Administration area (back-end).


Important: If you plan to enable BackEnd maintenance mode for your site, you must enter your IP address into the ‘Maintenance Mode IP Address Whitelist Text Box’, or you will be locked out of your own site!


Below the FrontEnd/BackEnd activation options, is the editor section where you can add the Maintenance Mode “message” that you want your visitors to see when maintenance mode is activated.

BulletProof Security Plugin

You can add text, images, styling options and even videos to your Maintenance Mode Text Box. For more details, make sure to click on the link to the plugin’s ‘Maintenance Mode Guide’ …

BulletProof Security Plugin

You can add background and center images, or a background color to your Maintenance Mode message box …

BulletProof Security Plugin

BulletProof Maintenance Mode lets you select your background and box image options from drop-down menus …

BulletProof Security Plugin

Background image files/options and center images (text box image) are independent of each other, so you can mix and match different background images with different center images (text box image), and even different countdown timer colors …

BulletProof Security Plugin

After selecting your Maintenance Mode page design options, the next step is to specify some additional options …

BulletProof Security Plugin

By selecting/deselecting the checkboxes, you can decide whether or not to:

  • Display your visitor’s IP address
  • Display Admin/Login Link (this allows the administrator to log in from the home page)
  • Display a dashboard reminder notice when your site is in Maintenance Mode.

Below are some examples of dashboard reminder notices.

When FrontEnd Maintenance Mode only is turned “on”, this reminder notice displays …

BulletProof Security Plugin

In the example below, both FrontEnd and BackEnd Maintenance Modes are turned “on” …

BulletProof Security Plugin

  • Send email reminders when Maintenance Mode countdown timers have completed. This is useful for reminding you, your webmaster, or a staff member assigned to managing your site to turn off Maintenance Mode and reactivate your site to visitors …

BulletProof Security Plugin

After configuring all of the Maintenance Mode options, click on the ‘Save Options’ button …

BulletProof Security Plugin

You will be asked to confirm. Click ‘OK’ to proceed …

BulletProof Security Plugin

A confirmation message informing you that your Maintenance Mode form has been created successfully will display on your screen …

BulletProof Security Plugin

You can now preview your form by clicking on the ‘Preview’ button …

BulletProof Security Plugin

Your form will open up in a new browser window …

BulletProof Security Plugin

Repeat the save and preview process to configure your form options until you are happy with the design for your Maintenance Mode page …

BulletProof Security Plugin

Once you are happy with your choices, click on the ‘Turn On’ button to activate this feature and put your site in Maintenance Mode …

BulletProof Security Plugin

A message will display informing you that Maintenance Mode has been turned on for your site …

BulletProof Security Plugin

Log out of your site and check how your Maintenance Mode page looks …

BulletProof Security Plugin

The plugin remembers your settings, so you can turn Maintenance Mode on or off anytime you like simply by clicking on the ‘Turn On’ and ‘Turn Off’ buttons …

BulletProof Security Plugin

Remember to turn Maintenance Mode “off” to make your site visible again to visitors …

BulletProof Security Plugin


BulletProof security offers a convenient way to put your WordPress site into maintenance mode by integrating the Maintenance Mode feature with its Security application.

If you find the BulletProof Maintenance Mode options limited, however, there are other options.

To learn more about putting your WordPress site into Maintenance Mode, see the tutorial below:

Uninstalling BulletProof Security

When you configured the BulletProof Security plugin as shown in earlier steps above, you will remember that the plugin modified important .htaccess files on your site.

If you decide to remove the BulletProof Security plugin from your site, you must first restore these files to their original default before deactivating and deleting the plugin.

To restore your original .htaccess files, select ‘BPS Security > htaccess Core‘ from your WP-admin menu …

BulletProof Security Plugin

Scroll down to the ‘Activate Security Modes’ section, then select the ‘Default Mode WP Default htaccess file’ radio button and click ‘Activate’ …

BulletProof Security Plugin

The plugin will restore the original htaccess file for your site …

BulletProof Security Plugin

You are not quite done yet … just one more step!

Next, select ‘Delete wp-admin htaccess File’ radio button and click on ‘Activate’ …

BulletProof Security Plugin

You should now see messages displayed at the top of your screen informing you that your site is no longer protected by BulletProof Security …

BulletProof Security Plugin

You can now safely deactivate and/or remove the BulletProof Security plugin from your site.

Congratulations! Now you know how to protect and secure your WordPress site with the BulletProof Security plugin.

For more details, go here}:

BulletProof Security

(Source: BulletProof Security Website)


"Learning WordPress has been a huge stumbling block for me. I've been looking for something that covers absolutely everything but doesn't cost an arm and a leg. Thank you so much ... you have just provided me with what I have been looking for! Truly appreciated!" - Tanya


WordPress Security Explained

Learn why WordPress is a secure web platform for building and running your business online …

WP Security OverviewIn early 2013 a worldwide brute-force attack began hitting WordPress installations on almost every web host in existence around the world.

These attacks were caused by botnets (computers infected with malware and programmed to attack other sites).

Powering millions of websites around the world makes WordPress a target for hackers

(Being the world’s most popular CMS makes WordPress a target for malicious attacks by hackers)

In March 2014, many technology sites reported that over 162,000 WordPress-powered sites had been hacked.

Thousands of websites are hacked every year! Will yours be one of them?

(160,000+ WordPress sites were attacked in a massive DDoS attack in early 2014. Image source: BlogDefender.com)

According to the Cnet report,

“With some old-fashioned trickery, hackers were able to get more than 162,000 legitimate WordPress-powered Web sites to mount a distributed-denial-of-service attack against another Web site.”

(Source: cnet.com/news/ddos-attack-is-launched-from-162000-wordpress-sites)

As described by security firm Sucuri, hackers had leveraged a flaw to attack unsuspecting WP web sites and direct a distributed-denial-of-service cyberattack (DDoS) towards another popular website.

When brute force attacks on WordPress sites happen, it’s natural for website owners to start questioning if WordPress really is a safe application for running a business web presence.

WordPress is often the target of attacks by hackers, due to its popularity. But should you really be concerned about WordPress as a secure platform for building your business presence online?

In this article, you will learn some of the main reasons why you should consider using WordPress if you have any concerns about website security.

WordPress Security Explained

Let’s start with the facts …

Thousands of websites are hacked every year … not just WordPress sites!

The sheer number of attacks on websites and blogs worldwide is rising, and things are getting worse.

It’s safe to assume that if your website or blog hasn’t been hacked yet, then it’s only a matter of time … regardless of the web platform you use!

Since it’s not a matter of if, but a matter of when before someone tries to hack your website, are there any advantages that WordPress can offer you in terms of security?

Is An “Open Source” Software Safe?

Some people will often argue that WordPress should not be used for building and running a web presence because its “open source” code is freely available.

Open source CMS platforms like WordPress, Drupal and Joomla are free to use and anyone can view the underlying code.

The argument, then, goes something like this: If anyone can study the Open Source software code for WordPress, then hackers can also easily get hold of all of the code and study all of it in detail, searching for weaknesses and vulnerabilities that can be exploited …

It's no longer a matter of if, but when before your website will be targeted by hackers ... WordPress or no WordPress!

(It’s not a matter of if, but a matter of when before someone attempts to hack your website … WordPress or no WordPress!)

While it’s true that WordPress is free to download and hackers can easily access it and study the code searching for security holes and vulnerabilities (hackers can do the same with any software application), the fact that WordPress is a free, open platform actually makes it a lot more secure in several ways.

This is because WordPress has the support of a huge community comprised of thousands of people such as software programmers, plugin developers and theme designers who are constantly working to help to improve the program and make WordPress more secure …

With WordPress, an open community of web developers is responsible for keeping the software platform maintained and updated.

(The WordPress platform is built, maintained and updated by a large community of thousands of web developers around the world. Screenshot source: WordPress.org)

WordPress continually evolves largely through the effort of a global community working around the clock to fix issues. Everyone benefits from thousands of individuals dedicated to improving the software, identifying and fixing security issues and making it safer for every user …

The WordPress core software is built and maintained by an open community of web developers

(WordPress is built and maintained by an open community of volunteers. Screenshot source: WordPress.org)

The moment any security vulnerabilities are identified by developers or users, these are recorded in user forums and addressed by the WordPress development team …

WordPress is continually being improved upon by thousands of committed individuals community of developers and users

(WordPress is continually being improved by a global community community of users and web developers. Image: WordPress.org)

The WordPress community support system is very responsive and anybody can contribute to fixing the platform.

For example:

  • If you discover bugs and security weaknesses, you can report these by sending an email to security@wordpress.org.
  • If you find issues in a WP plugin, you can report these by emailing plugins@wordpress.org.

This is why the WordPress community is constantly releasing new updates, and why you need to keep your sites and blogs frequently updated …

WordPress frequently releases new updates to address any security vulnerabilities found

(WordPress continually releases new version updates to plug security weaknesses)

WordPress CMS Vs Proprietary Applications

Compare the benefits of using an open source CMS technology like WordPress with proprietary CMS technologies where often a smaller team with limited time and resources is responsible for developing, monitoring and improving software security, fixing bugs, etc., and you will very quickly realize the value of using WordPress to power your site on a secure platform.

The WordPress CMS is 100% free to download, modify and use, and hundreds of volunteers and expert developers are continually working to improve the software. Can a proprietary CMS company afford to employ as many developers and programmers and still deliver users software that is 100% free to download, use and modify as they wish?

WordPress Vs Other Open Source Platforms

CMS Platforms

(CMS Platforms)

Whilst on the topic of Open Source content management systems, there is valid research showing that WordPress is safer than other leading Open Source CMS platforms like Drupal and Joomla.

For example, here is one study showing how many security vulnerabilities were found in popular platforms during a certain period …

WordPress has less security vulnerabilities than other leading CMS applications

(WordPress has fewer security vulnerabilities than other CMS platforms. Screenshot: National Vulnerability Database)

Other research indicates that, because WordPress is quite easy to use and to update, when sites across different CMS platforms were tested for security vulnerabilities, WordPress sites had fewer exposure to risk …

WordPress is more secure than other CMS applications

(WordPress users are not as exposed to vulnerabilities as other CMS platform users. Image: BlogDefender.com)

WordPress Is Not Always To Blame

If someone hacks into your WordPress site, don’t be too quick to place the blame on the WordPress CMS platform.

According to security vendor Commtouch and StopBadware, a nonprofit organization that helps webmasters identify, remediate and prevent website compromises in a published report entitled “Compromised Websites: An Owner’s Perspective“, most webmasters are not fully aware of the security threats their websites are exposed to, how to secure a website, or deal with compromises.

In fact, 63% of webmasters surveyed in this report didn’t even know how their websites were hacked after an attack …

Many webmasters don't even know how their websites got hacked.

(Most webmasters don’t even know how their sites were hacked. Screenshot image: StopBadware.org)

Of immediate concern, however, is the fact that most security-related problems come from site owners forgetting to update their CMS software to a newer version …

Many security issues come from sites running an outdated WordPress version.

(Many WordPress sites use outdated versions. Source: Sucuri.net)

When WordPress security issues were examined in more detail, it was found that only around between 20% – 30% percent of vulnerabilities discovered in 3rd-party code are actually found in the WordPress CMS core, while 65% – 75% percent of all security issues are found in plug-ins and extensions created by third-party developers …

WordPress Security Issues

(WordPress Security Issues. Source: WebDesign.org)

Like many modern web platforms, WordPress is regularly updated in order to address new security threats that may arise. Improving security is an ongoing concern, and to that end, you should always keep your WordPress site, themes, and plugins updated to the latest version.

WordPress Is Secure – Even Banks Use It!

The amount of misinformation online about WordPress security has even caused the co-founder of WordPress, Matt Mullenweg, to chime in and reply to posts online.

In a blog post entitled “A Bank Website on WordPress” published on April 15, 2015, Matt wrote the following about WordPress security …

There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

Matt then goes on to provide a couple of security tips, before stating the following …

For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

Millions of businesses, including banks, global corporations and e-commerce sites choose WordPress to build their presence online, not just bloggers.

Other Areas That Can Affect Blog Security

Other areas that can affect blog security include factors like:

  • No platform is safe from hacking. As many as 90% of all websites across all platforms are vulnerable to attack, mostly due to outdated software.
  • The biggest vulnerability of all CMS platforms seems to be the users themselves. An example of this is users ignoring good password security recommendations.
  • Lack of constant system monitoring. All security processes need to be regularly monitored, tested, updated and improved.
  • Server setup. For example, sites on shared hosting servers are only as secure as the least safe site on the hosting grid, so if someone else on your shared server gets their site hacked into, then every site on that server becomes vulnerable to being hacked also.

There’s No Reason Why You Should Not Use WordPress

As this article has hopefully shown, WordPress is quite secure. As long as you commit to implementing basic website security measures and keep your WordPress software (and plugins, themes, etc.) updated, there is really no reason why you should not use WordPress for your web site or blog.


WordPress Security – Tips

To learn about ways to protect your WordPress site from brute force attacks see this article:  How To Protect Your WordPress Site Or Blog From Brute-Force Attacks

An unsecured site presents malicious users with a valuable resource for distributed attacks, spreading malware and engaging in information theft. Blog Defender Security Plugin for WordPress Websites & Blogs makes your WordPress site invisible to botnet and hacker attacks. Learn more about this plugin here:

If you are currently using an outdated version of WordPress make sure to make a complete backup before updating your software to protect your site from the latest security threats. This way, if things don’t go as planned, you can always restore.

If you don’t want to perform manual backups, there are many WordPress plugins you can use. You can read about a WordPress backup plugin that can fully automate your backup process here: Back Up, Duplicate & Keep Your WordPress Websites Protected With Backup Creator Plugin For WordPress



For more information on the above, refer to the sites below:

Hopefully, this article has given you a better understanding of issues that can affect your website and how WordPress can help you get better business results online. To learn more about the security benefits of using the WordPress CMS platform please see our related posts section or subscribe to receive updates and notifications when new articles are published.


"I was absolutely amazed at the scope and breadth of these tutorials! The most in-depth training I have ever received on any subject!" - Myke O'Neill, DailyGreenPost.com

How To Protect Your WordPress Site From A Brute-Force Attack

Learn how to protect your WordPress site from being brute-force attacked, or having its security compromised by hackers or bots.

WP SecurityBeing the world’s most used content management system makes WordPress a target for hacking attacks.

In 2013 a mass brute-force attack struck WordPress installations across almost every WP hosting server in existence.

These attacks were caused by botnets (infected computer networks programmed to attack other sites with security vulnerabilities).

How To Protect Your WordPress Site From A Brute-Force Attack

About Brute-Force Attacks

A brute-force attack is a technique used to break an encryption or authentication system by trying all possibilities.

(Source: Chinese University Of Hong Kong)

There are many ways hackers try to break into a WordPress site. One of these is by trying to guess the site’s administration login username and password. This can be done using software tools that can guess hundreds of possible logins in minutes.

If you’re using easy-to-guess usernames and passwords, your website could be an easy target for hackers.

This is called a “brute-force” login attack.

Botnet Definition

A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network.

(Source: Wikipedia/botnet)

”Botnets” are networks of computers that have been infected with malicious software, which are then controlled remotely as a group, often without the computer owners’ knowledge or awareness.

Botnets are regularly used to send mass spam emails from the infected computers of unsuspecting users.

The screenshot below was taken from a site that monitors online security showing the locations of the command centers of a botnet that has been actively compromising computer networks all around the globe since 2009 called “Zeus” …

ZeuS is a botnet that has been actively compromising computer networks all around the world since 2009.

(The Zeus botnet has been actively infecting computer networks all around the world since 2009. Screenshot: SecureList.com)

These ongoing botnet attacks are well organized and highly distributed. Over 90,000 IP addresses were identified by several webhosting companies just in the initial attack, when millions of attempts to force their way into WordPress site administration areas took place. The worldwide brute force attacks then continued, with over 30,000 WordPress blogs being hacked per day.

Coverage of the April 2013 brute force botnet attack was widely reported in all the major webhosting companiesand leading technology publications, such as TechNews Daily, Forbes, Tech Crunch, BBC News, PC Magazine, and even on the official website of the US Department of Homeland Security …

WordPress is often the target of malicious attacks by hackers

(Being the world’s most used CMS makes WordPress a target for malicious attempts by hackers)

Does This Mean We Shouldn’t Use WordPress Anymore?

No. In fact, there are lots of good reasons why you should use WordPress if you are concerned about the security of your web presence.

To learn why WordPress is a secure platform for websites, see this article: Is WordPress A Secure Website Platform?


It’s important to note that, in the case of April 2013 mass brute force botnet attack described above, no specific WordPress vulnerability was being exploited (the same script was also attacking sites built using other applications like Joomla).

Mike Little, one of the co-founders of WordPress with Matt Mullenweg, made this comment about the brute force attacks:

It is a “simple” script that attempts to login using the admin login and a generated password. So if your password is too short or based on dictionary words it will be guessed and then the script can login legitimately and do whatever it wants including installing scripts (as plugins) or editing files. The attack tries to guess your password, if it succeeds, the most secure site in the world is wide open because they have your password.


Protecting Your WordPress Blog From Brute Force Attacks – Ten Security Points

You may think that the information in your website offers no value to hackers, but the reality is that to a hacker, all websites provide an opportunity to profit or benefit at your expense.

If hackers can find a way to break in and compromise the control of your site, your website or blog can then be used as part of a larger network of “bots” to target more valuable web sites.

Additional undesirable effects of having your website hacked include getting blacklisted by Google, having spammy links promoting things like viagra, porn, etc. inserted in your content and page title and descriptions, redirecting visitors to phishing sites and other websites, data exfiltration (stealing customer details or Personal Identifiable Information from your web applications), and lots of other nasty things.

The reality is that brute-force software bots are trying to hack into your web site while you are reading these very words. Whether they can break in successfully depends on how difficult you will make things for them to keep trying until they work out a way to get access, or are forced to decide to look for a less secure target.

How Much Information Are You Broadcasting To Hackers About Your Site?

Do you own a WordPress site? If so, visit a site like Hackertarget.com and run your website through their WordPress security check …

Hackertarget - WordPress Security Scan(Hackertarget – WordPress Security Scan Image source: Hackertarget.com)

You will see that the scan returns various results and information about your website …

Website Security Scan

(Hackertarget – WP security scan results. Product image: Hackertarget.com)

It should be obvious after using the above tool that if you can access all of this information, then hackers can too.

WordPress Security Scan(Image source: Blog Defender)

Being able to see what version of WordPress you are using, which plugins and themes you have installed on your site, and which files have been uploaded to certain directories in your site can be valuable information to hackers, as these can inform them about exploitable vulnerabilities, especially where site owners haven’t updated their files.

If your site or blog runs on WordPress and you’re not taking appropriate steps to bolster the security of your site, then it’s practically guaranteed that, at some point, someone will attempt to hack your website, because these brute force attacks are systematically targeting WordPress installations worldwide!

Whenever a site gets broken into, webmasters will find themselves “locked out” of their own site, or notice that their files have been altered or even that their content has been completely wiped out. Typically, most sites will be infected with malicious scripts without the owner even being aware that this has happened.

To avoid the heartache (and potential financial loss) that comes with having your web site being hacked into, below are ten simple, yet essential and effective security measures that will help to prevent your WordPress site from being brute-force attacked.

Useful Information

Note: Some of the steps listed below need some technical skills to modify core WordPress and server files. If you have no web coding skills, or don’t want to mess around with file code, then ask your web host or search for a WordPress service provider in our WordPress Services Directory.


Security Measure #1 – Get In Touch With Your Webhosting Service

Get in touch with your hosting service and ask them what systems they offer to protect your site from being attacked, and what they are doing to make sure that your files and data get backed up.

Make sure that your hosting service provider backs up your server files and that, if disaster strikes, you can easily get your site back.

Security Measure #2 – Perform Complete WordPress Backups And Keep Your Website Or Blog Frequently Maintained

You should never rely just on your webhosting provider for your site backups. Instead, learn how to maintain and manage your WordPress site or pay someone to get this done for you and maintain a habit of religiously performing a complete WordPress site maintenance routine frequently (e.g. weekly, monthly, etc …)

A complete WordPress maintenance routine ensures that:

  • All unnecessary data and files are deleted,
  • All WP data and files are free of errors, optimized and backed up,
  • All software, plugins and themes are up-to-date,
  • etc …

A complete WordPress maintenance routine looks like this …

Maintaining your WP installation fully backed up and updated is vitally important for WordPress security.(Maintaining your WP installation frequently backed up and up-to-date is vitally important for WordPress security. Screenshot image: WPTrainMe.com)

Again, we cannot stress enough how important maintaining your WP web site completely backed up and up-to-date is. WP site maintenance is not hard or time-consuming, but it must be done to ensure the security of your website. If you don’t want to learn how to do WP maintenance yourself, pay a professional to do it but make sure this gets done. Backing up your site is the next most important thing you must do after making sure that you still have a pulse!

If you don’t want to back up your site manually, there are many plugins you can use. You can read about a WordPress backup plugin that can fully automate your backup process here: Back Up, Copy And Keep Your WordPress Sites Protected With Backup Creator Plugin For WordPress

Security Measure #3 – Do Not Use “Admin” As Your Username

The large scale brute-force botnet attack on WordPress sites was mostly attempting to compromise website admin panels and gain access to the site by exploiting sites that used “admin” as their account name.

For reasons of website security, avoid setting up WordPress sites with the username admin. This is the first thing hackers will test. If your blog’s username is admin, you will should change this immediately.

For a detailed step-by-step tutorial that shows you how to change your username, go here: Changing Your WordPress Username From Admin To A More Secure User Name

Security Measure #4 – Your Password

A “brute force” attack occurs when a malicious script continually and persistently tries to guess the right password and username character string that will give them entry to your website.

Unless some measure is put into place to block the brute-force attack from happening (see further below for a couple of simple and effective suggestions for doing this), the “bot” will just keep attacking your site until it eventually “cracks” the code.

Passwords that are easy to guess, therefore, make very easy targets for brute-force attacks. Make sure that you change your password combination to a string containing at least 8 or 9 characters long, with both upper and lowercase letters, and “special” characters (%^#$@&*).

Useful Tip

Roboform is a password management program that lets you easily generate different unbreakable passwords …

You can use a password management tool like Roboform to help you generate strong passwords(You can use a password management tool like Roboform to help you generate strong login passwords)

For a detailed tutorial created especially for non-technical WP admin users that shows you how to change your admin password, go here: Changing Your WordPress Password

Security Measure #5 – Protect Your WP Config File

The wp-config.php file allows WordPress to communicate with the database to store and retrieve data and is used to define advanced options for WordPress.


(WordPress WP Config file)

If a hacker breaks into your WordPress site, they will try to access your wp-config.php file, because this file contains your database information, security keys, etc. Getting access to this information would allow them to change anything in your database, create a user account, upload files and take control of your site.

In order to protect your WordPress site from being attacked and even being used as part of a bot net, therefore, prevent people from being able to easily find your wp-config.php file. This requires knowing how to edit database information, move files around in your server and changing access permissions.

Security Measure #6 – Delete Or Rename Unnecessary Installation Files

Rename or delete the install.php, upgrade.php and readme.html files from your server.

These files are completely unnecessary after installation and can be removed. If you don’t want to delete these files, just rename them.

Security Measure #7 – Keep Your WordPress Files, Plugins & Themes Up-To-Date

Hackers look for vulnerabilities they can exploit in previous WordPress versions, including outdated versions of WP plugins and themes.

Ensure that all of your WordPress software files, themes, plugins, etc. are always up to date.

Security Measure #8 – Disable The Theme Editor

WordPress comes with a built-in editor feature that allows you to edit theme and plugin code from the dashboard area.

In WordPress, you can access your WordPress Theme Editor by selecting Appearance > Editor in the dashboard menu …

WordPress Theme Editor Menu

(The WordPress theme editor can be accessed via the WP admin menu)

This allows anyone accessing your blog to view and edit your WordPress theme files, and create mayhem on your site.

If you want to prevent unauthorized people from being able to access the WordPress Theme editor, you will need to disable it. This can be done by adding code to your wp-config.php file.

Security Measure #9 – Remove Access To The Site’s Uploads Directory

The WordPress “uploads” directory contains all the media that gets uploaded to your website.

By default, this folder is visible to anyone online. All a person needs to do to see the contents stored in the “uploads” folder is visit the directory using their browser …

(WordPress uploads directory)

(WordPress uploads folder)

If any directories in your website have vulnerabilities that can be exploited by hackers or malicious users, anyone can upload unauthorized file types to your site.

Protecting your directories will prevent online users from viewing your ‘uploads’ folder and other important directories. This can be done using plugins, setting file permissions, uploading a blank index.php file (this is literally an empty file called “index.php”) to your uploads directory, and so on. Again, it’s best to seek professional help if you are not sure about what to do.

Security Measure #10 – Install WordPress Security Plugins

There are a number of great security plugins for WordPress available that will address many common security issues faced by WordPress site owners, such as preventing unauthorized users from gaining access to vital information about your site, protecting your site from botnets, preventing unauthorized file uploads, etc.

Many WordPress plugins address some but not all areas of WordPress security. One security plugin that does a comprehensive job of scanning, fixing and preventing issues that could lead to hackers accessing your files and damaging your site is SecureScanPro.

SecureScanPro - WP security plugin

(SecureScanPro – complete security plugin for WordPress)

SecureScanPro is easy to install and easy to use, and fixes most of the security issues that WordPress users need to address.

Another security plugin you may want to consider using is BlogDefender.

Blog Defender WordPress Security Suite

Blog Defender Security Product Suite For WordPress Websites & Blogs(Blog Defender Security Solution For WordPress)

This product is a suite of WordPress security video tutorials, plugins and tools, plus a WordPress security PDF/DOC file.

BlogDefender scans you WordPress site for potential security weaknesses …

Blog Defender WordPress Security SolutionAnd then shows you how to easily fix these …

Blog Defender Security Suite For WordPress Websites & BlogsIf you don’t want to buy a security plugin like SecureScanPro or BlogDefender, you can use various free plugins, such as Limit Login Attempts

Limit Login Attempts - WordPress Security Plugin

WordPress is a very secure platform, but neglecting basic maintenance tasks like ensuring that your WordPress core files, plugins and themes are kept up-to-date, tightening file and data security and taking other necessary precautions can expose your site to malicious by hackers and bots.

No matter what kind of business you run or plan to run online and how small you think your web presence is, you cannot ignore the importance of website security.

As a final reminder of the importance of keeping your websites protected, below is the advice given by an expert on web security to all WordPress users following the worldwide brute force attacks on WordPress in April 2013 …

Owners of websites based on WordPress CMS must improve at least basic security settings and implement best practices such as the use of robust passwords and the accurate management of “admin” accounts.

Pierluigi Paganini, Chief Information Security Officer, Security Affairs


As you can see, website security is of the utmost importance if you run a WordPress site. Hopefully, the information in this article will help keep your WordPress site protected from brute-force attacks. If you need any further help or assistance with WordPress security, please consult a WordPress security specialist, or search for a WordPress technical provider in our WordPress Services Directory.

We also recommend subscribing to WPCompendium.org to receive notifications whenever we publish new articles on WordPress security and reviews of new security plugins and solutions.


"I was absolutely amazed at the scope and breadth of these tutorials! The most in-depth training I have ever received on any subject!" - Myke O'Neill, DailyGreenPost.com