WordPress Security

Any CMS such as WordPress can be affected by two major classes of issue, whether it runs in a public or a protected environment.

  1. Environmental Issues (Hosting Environment)
  2. Configuration Issues (Plugins, Modules)

Environmental Issues:

1. Threat: Fuzzing attack

Countermeasure: Implement IPS

Attackers try to attack any server using fuzzing. Fuzzing increases the number of requests hitting the server and can cause a web portal to stop responding. Fuzzing traffic carries specific signatures, and these attacks can be prevented by filtering on those signatures.

Environmental issues can be addressed by implementing basic security mechanisms such as an IPS. mod_security is personally recommended for a LAMP environment: it blocks base-level attacks and adds an extra layer of security to the hosting environment. Implementing mod_security is only possible with managed hosting; on shared hosting, custom rules cannot be implemented.
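The "specific signature" of a fuzzing run is usually a burst of requests for paths that do not exist. As an added example (not code from the original post or from mod_security), the Python below parses Apache combined-log lines and flags any client with a burst of 404 responses inside a sliding window, which is the kind of condition a rule or a weekly log review looks for. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample: one client probing many
# non-existent paths in two seconds, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /old/ HTTP/1.1" 404 512 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /test/ HTTP/1.1" 404 512 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 512 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /config/ HTTP/1.1" 404 512 "-" "fuzzer/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /tmp/ HTTP/1.1" 404 512 "-" "fuzzer/1.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_fuzzers(log_text, window=timedelta(seconds=60), min_404=5):
    """Map each client IP to its largest count of 404s within one window,
    keeping only clients at or above min_404 (the fuzzing threshold)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == 404:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_404:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_fuzzers(SAMPLE_LOG))  # {'203.0.113.7': 6}
```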

2. Threat: Information Disclosure

Countermeasure: Server hardening

One can easily obtain server information by inspecting the HTTP response headers; the headers reveal details such as the application version (PHP) and server details (Apache version, OS).

With proper hardening, server signatures can be changed, which makes it much harder for an attacker to get started.

WordPress also publishes the CMS version in a meta generator tag in the page head; this should be removed to close off a possible attack vector.

Configuration level:

Threats:

  1. Spamming
  2. Username / password compromise
  3. SQL injection
  4. Site defacement / takeover
  5. Cross-site scripting
  6. DoS / DDoS
  7. All other known and unknown vulnerabilities

Countermeasures:

  1. Make sure that WordPress itself and every installed plugin are kept up to date
  2. Implement CAPTCHA
  3. Monitor the site and its logs weekly for any unusual activity
  4. Remove plugins that are no longer required

Some important plugins to install for extra security:

Semisecure Login Reimagined


Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.

Stealth Login


This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that is easier to remember than wp-login.php; for example, you could set your login URL to http://www.myblog.com/login for an easy way to log in to your website.

You could also enable "Stealth Mode", which prevents users from accessing wp-login.php directly. You can then set your login URL to something more cryptic. This won't secure your website perfectly, but if someone does manage to crack your password, it can make it difficult for them to find where to actually log in. It also stops malicious bots from reaching your wp-login.php file and attempting to break in.

Login LockDown


Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
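The lockout rule above (3 failures from one IP range within 5 minutes locks the whole range for 1 hour, releasable by an administrator) is simple enough to model end to end. The Python below is an added example, not the plugin's code; it assumes "IP range" means the client's /24 block and keeps state in memory with epoch-second timestamps.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3            # failed attempts ...
FAILURE_WINDOW = 5 * 60     # ... within 5 minutes (seconds) ...
LOCKOUT_SECONDS = 60 * 60   # ... lock the range for 1 hour

class LoginLockdown:
    """In-memory model of the Login LockDown rule; timestamps are epoch seconds."""

    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)   # block -> timestamps of recent failures
        self.locked_until = {}              # block -> epoch second the lock expires

    @staticmethod
    def block_of(ip):
        # Assumption: the "IP range" the plugin locks is the client's /24.
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def is_locked(self, ip, now):
        """True while the caller's range is locked; expired locks are dropped."""
        block = self.block_of(ip)
        until = self.locked_until.get(block)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[block]
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed login; return True if this failure triggers a lockout."""
        block = self.block_of(ip)
        recent = [t for t in self.failures[block] if now - t < self.window]
        recent.append(now)
        self.failures[block] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[block] = now + self.lockout
            self.failures[block] = []       # start counting afresh after the lock
            return True
        return False

    def release(self, ip):
        """Administrator manually releases a locked range from the panel."""
        self.locked_until.pop(self.block_of(ip), None)
```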

Chap Secure Login


Whenever you log in to your website, you can use this plugin to transmit your password encrypted. The encryption is done with the CHAP protocol; this is particularly useful when you can't use SSL or other secure protocols. With the ChapSecureLogin plugin active, the only information transmitted unencrypted is the username; the password is hidden with a random number (nonce) generated by the session and transformed by the MD5 algorithm. On the first login there will be an error, but don't worry, it is only a technical error. On the next login, if the values are correct, there will be no errors, but bear in mind that the password will then be sent unencrypted. If you want more details about this algorithm, see "Building a CHAP Login System". This is a zero-configuration plugin.



Backup, restore, migrate your WP installation, both code and MySQL tables, with a single click.

Antispam Bee


Protects your blog from spam by replacing the comment field. It’s easy to use and extremely effective. Really!

Math Comment Spam Protection


Asks the visitor making the comment to answer a simple math question. This is intended to prove that the visitor is a human being and not a spam robot.



Blackhole is a trap for bad bots. The concept is simple: include a hidden link to a robots.txt-forbidden directory somewhere on your pages. Bots that ignore or disobey your robots rules will crawl the link and fall into the trap, which then performs a WHOIS Lookup and records the event in the blackhole data file. Once added to the blacklist data file, bad bots immediately are denied access to your site.

AskApache Password Protect


This plugin doesn't control WordPress or mess with your database; instead it uses fast, tried-and-true built-in server security features to add multiple layers of security to your blog. It is specifically designed and regularly updated to stop automated and unskilled attackers' attempts to exploit vulnerabilities on your blog that would result in a hacked site.

Wp Security Scan


This plugin will scan your WordPress installation for security vulnerabilities and it will suggest some corrective actions.

Apart from the measures above, the guidance at http://codex.wordpress.org/Hardening_WordPress should be followed when implementing a WordPress CMS portal.

Contact Apexon +1 408-727-1100
