21 November 2023
Expert Insights

WordPress: Reminder of Best Practices

Publié par Gautier Duc Dodon

Did you know? In 2023, WordPress accounts for over 40% of the Content Management Systems (CMS) on the internet. Its ease of installation, stability, and constant updates make it a user-friendly tool for deploying a website. However, its popularity also makes it a prime target for cyberattacks.

It’s not uncommon to find a client’s site using a vulnerable WordPress installation, which could serve as an entry point and compromise an entire application environment.

The purpose of this article is to reshare some cybersecurity rules applicable to WordPress for a more secure web environment and to highlight a few tools for maintaining it.

Choosing the WordPress Theme

There are websites that offer cracked themes for WordPress. A cracked theme is most often a pirated version of a premium theme.

Apart from being illegal, these themes are also dangerous for your site. They often contain hidden malicious code that can destroy your website and database, or record your administrator credentials and those of your users with the intent of exfiltrating them.

By purchasing an official premium theme, you may spend a few euros on a secure platform, but you avoid taking risks. This also ensures access to responsive support and updates for the selected theme.

The most well-known and secure platform to date is ThemeForest.

WordPress Administration: A Secure Connection to the Backoffice

The well-known URL for accessing the WordPress backoffice is /wp-admin, and it’s likely the first test that a malicious person will attempt. The good news is that this access path can be easily modified, making it a routine operation to perform.

Using strong passwords, combined with two-factor authentication, provides advanced security for backoffice connections. Additionally, monitoring the IP addresses of users who connect enables the blocking of malicious IPs as needed.

Avoid using simple passwords like “12345” or “password”. If the password is easy to remember, it poses a risk.

As a reminder, a good practice is to use a long password, randomly generated, containing special characters, uppercase and lowercase letters, and numbers. This password should be unique and can be stored in a password manager like Keepass.

Finally, by default, WordPress allows users to make as many password attempts as they wish. This capability exposes a site to brute force attacks. Limiting the number of login attempts reduces the risk of brute force attacks, as the attacker is blocked before they can complete their attack. Simple but effective!

In summary:

  • Change the WordPress backoffice URL: Use WPS Hide Login.
  • Choose strong passwords.
  • Enable two-factor authentication, at least for users with high privileges (WordPress updates, content publishing, etc.).
  • Limit the number of login attempts: Implement “Log-in attempts” feature.

Security Plugin: An Essential Tool for Website Monitoring

A comprehensive surveillance and monitoring tool, it enables staying informed about risks and necessary actions to maintain website security.

In summary, a security plugin manages WordPress security, searches for malware, and monitors around the clock, 24/7, to regularly oversee activities on the site.

Wordfence is one of the most reliable and recognized plugins in the current market.

Keeping WordPress Updated

Updating the WordPress ecosystem is an essential practice for ensuring website security. With each update, developers introduce changes, often including security enhancements.

Updating a WordPress ecosystem involves updating:

  • The CMS itself
  • The plugins you have installed
  • The theme you are using

Be aware, a plugin or theme that is not regularly updated poses security risks to the entire environment.

Keep them updated or consider changing them rather than taking risks.


It’s important to remember to perform backups on an external environment regularly. Ideally, it’s advised to keep multiple versions of these backups. In the event of a hacking incident, regular backups could help recover at least a portion of the lost data and restore a clean version of the site.

Secure Browsing with HTTPS

Consider deploying a certificate signed by a recognized authority to ensure an HTTPS connection that aligns with best practices. If you’re unable to obtain a certificate signed by an internal authority within your organization, you can purchase one from third-party providers online or acquire one for free from the Let’s Encrypt authority.

Testing WorpPress Security

The WPScan tool can be used to conduct an initial rapid diagnostic:

  • Known vulnerabilities based on the versions of WordPress, plugins, or themes used
  • Accounts and weak passwords
  • Overly explicit error messages

The Global Ecosystem

It’s also important to consider the security of the foundation upon which your CMS is built. A compromise in this foundation can jeopardize the security of your site. This security includes configuring the various software layers and regularly deploying updates or new versions of each component to address security vulnerabilities.

This aspect particularly depends on how your CMS is deployed (managed by a hosting service or installed on a server). However, it is crucial to ensure the security of:

  • The operating system
  • PHP
  • The database