Dieter Petereit June 29th, 2013

At A Glance: How To Secure Your WordPress Site [Infographic]

Securing your self-hosted WordPress site is absolutely essential, which is why we have covered this particular topic continuously throughout the years. With WordPress becoming more and more dominant as the engine of today's web, the topic stays at the top of our advice list. Over the last four years, the number of WordPress blogs hacked per year has more than doubled, from 81,000 to over 170,000. The fresh infographic by aggregates everything you need to know to properly secure your site and gives you a handy cheat sheet to always keep an eye on.


WordPress Hacks: Where, How and What to do Against Them?

A couple of handfuls of basic tips help keep you out of the biggest trouble. Some you could easily have guessed, such as keeping your installation updated or making regular backups, so that you won't lose all your content in the worst case. Others are less self-evident, such as securing the wp-admin folder or not using the user name admin.

The following infographic has all these hints and some more, nicely arranged. I like the color-coded presentation, which shows you where the most common and the most dangerous security threats lurk.

At a glance you'll notice that weak passwords are a threat, yet they are far from being the most common reason for hackers to succeed: only 8% of all hacks use weak passwords as the entry point. Much more relevant as floodgates are plugins and themes. More than 50% of all hacks are made possible by exploiting security vulnerabilities in common themes and plugins. Themes (29%) are even more relevant than plugins, so be careful what you fall for.

The single biggest security weakness, accounting for 41% of all hacks, is related to hosting. This covers database security, encryption, file permissions, folder access, securing the network at the protocol level and much more. The average WordPress blogger will want to hire an experienced system administrator for this, and is strongly advised to actually do so.
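As an added example (not part of the article or of the infographic it describes), here is a small Python audit script that checks a WordPress install directory for the basic hardening points this article and the reader comments below mention: wp-config.php file permissions, an extra access restriction on the wp-admin folder (assumed here to be an Apache .htaccess with Basic auth), a login still named admin, the default wp_ table prefix, and the age of the newest backup. The user list, the backup directory, the htpasswd path and the demo site it builds are constructed inputs, and it assumes a POSIX file system.

```python
import os
import re
import tempfile
import time

def audit_wordpress(root, users, backup_dir=None, max_backup_age_days=7):
    """Return findings for the WordPress install under `root` (empty list = all checks pass)."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        return ["wp-config.php not found"]
    mode = os.stat(cfg).st_mode & 0o777
    if mode & 0o077:  # any group/world bit: other users on the host can read the DB credentials
        findings.append("wp-config.php readable by other users (mode %o)" % mode)
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", open(cfg).read())
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("database table prefix is the default wp_")
    htaccess = os.path.join(root, "wp-admin", ".htaccess")
    if not (os.path.isfile(htaccess)
            and re.search(r"^\s*(AuthType|Require)\b", open(htaccess).read(), re.M)):
        findings.append("wp-admin folder has no extra access restriction")
    if "admin" in (u.lower() for u in users):  # `users`: login names, read from the DB in practice
        findings.append("a login named 'admin' still exists")
    if backup_dir is None or not os.path.isdir(backup_dir):
        findings.append("no backup directory configured")
    else:
        newest = max((os.path.getmtime(os.path.join(backup_dir, f))
                      for f in os.listdir(backup_dir)), default=0)
        if time.time() - newest > max_backup_age_days * 86400:
            findings.append("newest backup is older than %d days" % max_backup_age_days)
    return findings

def make_demo_site(hardened):
    """Write a constructed sample install to a temp dir; returns (root, users, backup_dir)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-admin"))
    cfg_path = os.path.join(root, "wp-config.php")
    with open(cfg_path, "w") as f:
        f.write("<?php\n$table_prefix = '%s';\n" % ("xk7_" if hardened else "wp_"))
    os.chmod(cfg_path, 0o600 if hardened else 0o644)
    backups = None
    if hardened:  # placeholder htpasswd path; the real one lives outside the web root
        with open(os.path.join(root, "wp-admin", ".htaccess"), "w") as f:
            f.write("AuthType Basic\nAuthUserFile /etc/wp-admin.htpasswd\nRequire valid-user\n")
        backups = os.path.join(root, "backups")
        os.makedirs(backups)
        open(os.path.join(backups, "site.tar.gz"), "w").close()
    return root, (["editor"] if hardened else ["admin", "editor"]), backups
```

Running `audit_wordpress(*make_demo_site(False))` lists five findings for the default-style install, while the hardened variant returns an empty list.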

WordPress: Almost 70 Million Websites Worldwide

Some statistics round off the infographic. On the security side you are reminded of the botnet attack on WordPress sites in April 2013, in which more than 90,000 servers performed brute-force attacks and were quite successful in doing so. WordPress is still growing fast and today powers more than 17% of the world's websites, which adds up to the impressive figure of almost 70 million websites.

The following infographic has been scaled down to fit into our little magazine. If you want a larger view or actually want to print it out for bedside reading, click on the graphic. We will then transfer you to, where they have a larger version for you:



Dieter Petereit

Dieter Petereit is a veteran of the web with over 25 years of experience in the world of IT. As soon as Netscape became available he started to do what was already called web design at that time, and he has carried on ever since. Two decades ago he started writing for several online publications, some well known, some less so. You can meet him over on Google+.


  1. “Do not install wordpress themes that are available for free?”

    I think this is the worst advice I have ever heard regarding keeping your wp secure.

    Some of the worst hacks ever have occurred through paid themes, and some of the most solid code bases are themes available for free. This tip is very misleading.

  2. “Do not install wordpress themes that are available for free”. I’ve seen many sites hacked by this when I was working at a huge hosting company years ago. So I agree with it, but I’d also add ‘If you do install a free theme, use one from a trustworthy site. Also do not ever install wordpress themes you find on pirate websites (same goes with plugins)!!!’

  3. That graph that shows the number of WP sites hacked should also show another line indicating how many WP sites existed at that time. I believe that the number of WP sites increased tremendously over those years, so the percentage of hacked sites may actually not have grown.

  4. “Do not install wordpress themes that are available for free” – What I think this might mean is the large number of people that get a “free” version of a paid theme from a less than reputable source. This is by far the most common issue we have faced with WordPress sites being hacked as they are often full of malicious code.

  5. As a DNN user I am giggling at this article; as a /wp-user/ I would go hide in a closet. Seriously, any site can get hacked, but this article almost makes it seem like this is “thee” CMS to use if you want to be hacked, fairly easily. Are these themes so tightly integrated that anyone installing one is installing a virus/bug? Do the site admins even look in the installed code, do they know what they are looking at? Sheesh.

  6. I was hacked a couple of months ago because of one of the plugins I was using. It was easy to fix but I was in a hurry during a whole day. Anyway, I really think WP is amazing!!

  7. I installed a WP site through the Softaculous one-click installer, my first ever install of WP, to see how it worked. I left the admin name as ‘Admin’, my password wasn’t very clever, I installed a free theme to see what it did, and within 2 days it was hacked, as well as my entire server of other websites.
    I put it down to the free theme as the trigger; after that it was an easy ride, I suppose.
    I’m looking to install a new WP site, but I’m reading all about security first. I’ll build my own theme too, I think.

  8. I agree that the most vulnerable point when it comes to hacking is the hosting. They hack the servers and then they get access to VPS, shared hosting and domains. Most important when a website is hacked is to react quickly and have a backup around.

  10. Hello,

    It’s a very nice article on WordPress security. I think WordPress is a secure CMS, but you have to take some steps to secure it; because of WordPress’s ease of use, millions of people are using it.

    To secure my sites, I always change wp-admin or wp-login to something else, I always install a Captcha plugin, I always disallow editing files on WordPress, I always change the database prefix from WP_ to something else, I always install a Login Attempts plugin, I always delete unused plugins (Hello Dolly etc.), I always update the WordPress version and plugin versions — when available, so my sites are never hacked.

    Thanks again for this info-graphic article — I liked it.
