WordPress Security & Why the Plugin Alone Is Not Responsible

A WordPress website is usually less secure because it is an open-source project, and a single plugin like iThemes Security (or any other plugin) is not enough on its own for your website's security.

How can a single plugin cover for an obvious username, a poor password, a poor hosting service or an outdated version of WordPress, themes & plugins?

When it comes to making our website secure, there are a couple of things that we must be proactive about. Here are some areas that definitely deserve some attention even with a premium security plugin.

Pending updates

WordPress site owners feel crushed even at the mention of automatic updates. This is sad, as every new version closes the security loopholes from the previous versions. As a version becomes old, several of its vulnerabilities are exposed. Each new version introduces an advanced layer of security, covering all the lapses from the previous versions.

And unless you take the precaution of hiding your WordPress version, it can be found out easily by viewing your page source. An old version has known vulnerabilities and therefore using an old version is equal to inviting security breaches.

This doesn’t apply to the WordPress core only. It applies to all the plugins and themes that you use on your site. If you can’t update them yourself, you can opt for managed hosting like the one offered by GoDaddy. With managed hosting, you don’t have to update manually; it is the hosting provider’s concern. Also, if certain plugins or themes seem dicey, you simply can’t install them there.

It’s convenient to think that updating each time a major version is released is enough. But minor releases are the ones that fix security issues and bugs. Major versions generally introduce more functionality, while the minor releases often cover the vulnerabilities introduced in the major release or any others that come to the surface.

What about the zero day vulnerability?

A zero day vulnerability is a security loophole in a program that the programmer/vendor does not know about.

Remember the infamous episode of Sucuri exposing the recent MailPoet security lapse? Even in cases like this, updating as soon as a new release is introduced is still the best option, because responsible authors immediately ship a safe and secured version. MailPoet got especially lucky as no breaches were reported.

Weak Passwords

Your security plugin can do nothing at all about this. I would like to mention the 2012 LinkedIn story. Remember how lots of LinkedIn accounts got hacked?

If you guessed that the top hacked password was the password “link”, then you are 100% right! Imagine so many people not doing any better than this for securing their most important professional profile. Some other interesting passwords included 123456 and the reverse of this string too!

Hackers are smart. Besides, with such out-of-this-world, unimaginable passwords, I’m sure they had a really nice laugh about their victory!

I will admit that the password policies are definitely more strict now. You are now required to use numbers, special characters, mixed cases and more. But I am sure some of us will still find scope to be lazy with creating difficult passwords.

And I also wish that we were a tad more appreciative of the password strength meter that most responsible signup services use. Remember people, it’s not there for nothing.

While researching for this article, I came across a cool tool in a post by Christopher Ross. It is a nice password checker tool by Microsoft. You can feed your password to the tool and the tool will return its strength.
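To make the policy described above concrete, here is an added example (not from the post or from the Microsoft tool it mentions) of a password check that enforces mixed case, digits, symbols and a minimum length, and also rejects the well-known choices the LinkedIn leak exposed, including reversed and suffix-padded variants. The blocklist and the 12-character minimum are assumptions for illustration.

```python
# Constructed shortlist of known-bad passwords; a real deployment would use a
# large breach-derived list (assumption: this set is only illustrative).
COMMON_PASSWORDS = {"link", "linkedin", "123456", "password", "qwerty"}
STRIP_CHARS = "0123456789!@#$%^&*()_+-=."

def password_problems(pw, min_length=12):
    """Return the policy rules a candidate password breaks (empty list = pass).
    Rules: mixed case, a digit, a symbol, a minimum length, and a blocklist
    that also catches reversed and suffix-padded variants such as
    '654321' (reverse of 123456) or 'Link2012!' (known word plus padding)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("needs a special character")
    lowered = pw.lower()
    core = lowered.rstrip(STRIP_CHARS)   # "link2012!" -> "link"
    if any(v in COMMON_PASSWORDS for v in (lowered, lowered[::-1], core)):
        problems.append("based on a well-known password")
    return problems
```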

Obvious Login URLs

WordPress, by default, comes with login URLs like site.com/wp-admin.php or site.com/wp-login.php. Retaining the same URLs makes the hackers’ lives easy as they know exactly which page to attack.

Rename wp-login.php is a handy plugin that helps you address this concern. Hiding the login page makes perfect sense, as the hacker would have no idea where to log in. This is an easy security measure and can really cause some pain for hackers.

Limiting the number of login attempts

There’s no point in allowing an unlimited number of login attempts. Not limiting the number of login attempts encourages brute force attacks, as the hacker can keep trying until he gets lucky. You should install a plugin like Login LockDown that restricts the number of login attempts.

You can decide the period for which an IP should be blocked after a certain number of attempts.
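The lockout rule described in this section, as an added example that is not the Login LockDown plugin's own code: an IP is blocked for a set period once it produces too many failed logins inside a short window, and a constructed sequence of login events is replayed to show each decision. The thresholds (5 failures in 300 s, one-hour block) are assumptions.

```python
from collections import defaultdict, deque

class LoginLockdown:
    """Block an IP for `lockout` seconds once it produces `max_attempts` failed
    logins within a `window`-second period (the thresholds are assumptions)."""
    def __init__(self, max_attempts=5, window=300, lockout=3600):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> unix time the block expires

    def is_blocked(self, ip, now):
        return now < self.blocked_until.get(ip, 0)  # an expired block falls through

    def record_failure(self, ip, now):
        q = self.failures[ip]               # returns True when this failure triggers a block
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                     # forget failures outside the window
        if len(q) >= self.max_attempts:
            self.blocked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)         # a valid login resets the counter

# Constructed sample of login events: (unix time, client ip, outcome)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "fail"), (1010, "203.0.113.7", "fail"),
    (1020, "203.0.113.7", "fail"), (1030, "203.0.113.7", "fail"),
    (1040, "203.0.113.7", "fail"),      # 5th failure within 300 s -> blocked
    (1050, "203.0.113.7", "success"),   # refused even with the right password
    (1100, "198.51.100.9", "fail"), (1500, "198.51.100.9", "fail"),  # too slow
]

def replay(events, guard=None):
    """Replay login events through the guard; return the decision for each."""
    guard = guard or LoginLockdown()
    decisions = []
    for ts, ip, outcome in events:
        if guard.is_blocked(ip, ts):
            decisions.append((ts, ip, "refused"))
        elif outcome == "fail":
            hit = guard.record_failure(ip, ts)
            decisions.append((ts, ip, "blocked" if hit else "fail"))
        else:
            guard.record_success(ip)
            decisions.append((ts, ip, "ok"))
    return decisions
```

Note that a correct password submitted during the block is still refused, which is exactly the behaviour that stops a guessing run from succeeding by luck.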

Two-Step Authentication

If you want to secure access to your website further, two-step authentication plugins can help you with this. You can use Google Authenticator on your site. With this plugin, each time a user tries to log in, a code is delivered to his phone. This ensures that only legitimate, doubly authenticated users can log in.
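What the phone-side code actually is, as an added example (not the Google Authenticator plugin's code): the time-based one-time password of RFC 6238 that Google Authenticator computes, with the server-side verification that tolerates a little clock drift. The secret is the RFC 4226/6238 test key, so the values are checkable against the RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP with the parameters Google Authenticator uses (SHA-1, 30 s, 6 digits)."""
    return hotp(secret, int(for_time) // step, digits)

def verify_totp(secret, code, for_time=None, window=1):
    """Accept the current code plus `window` steps on either side to absorb
    clock drift; compare_digest keeps each comparison constant-time."""
    now = time.time() if for_time is None else for_time
    counter = int(now) // 30
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))

def secret_from_base32(b32):
    """The secret the user enrols (QR code) is base32; decode it to raw bytes."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))

# RFC 4226/6238 test key, ASCII "12345678901234567890", and its base32 form
# as an authenticator app would store it.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

Because the code depends only on the shared secret and the clock, the server never sends anything to the phone; it simply recomputes the same value and compares.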

Hosting

I think that the most popular keyword for hosting providers would be “cheapest hosting”, because that’s what most people search for while selecting a hosting provider. Such hosting often provides poor or no security. If you have bought a shared hosting plan, then you share the server with several other websites. If even one of them gets infected, your site is very likely to be affected too.

Ideally, security should be one of the most important factors while selecting a hosting solution. You should also check if your hosting provider supports the latest PHP and MySQL versions. You must also understand your hosting provider’s capability in getting your site up and running in case of a breach.

Reputed hosting services backup your data regularly but this shouldn’t stop you from maintaining your own backup files.

Themes and Plugins

We absolutely love the WordPress repository for its free themes and plugins. But we often ignore the need to dig up any information about the development team behind them. You must ensure that the theme or plugin that you are downloading and using on your site comes from a reputed developer. It is understandable if you can’t manually read through the complete code, but there’s no excuse for not running it through some code scanners.

It’s best to stay away from plugins and themes that have not been updated for a long time. In the WordPress repository, you will see a notification if a product has not been updated for a significantly long period. Using such products is dangerous as they may contain several known security lapses.

To perform an even more exhaustive check over your complete site, you can use the Sucuri SiteCheck scanner. It checks your site for several things like malware, injected spam, blacklisting, and firewall settings.

User names

To log into a site, you just need a username and a password. Unfortunately, we fall in love with the default user name “admin”. It’s no wonder that one of the most highly recommended security practices is to change the default user name. You must set it to something else.

Removing the admin account altogether is just as good.

On many occasions, we expose our user names unknowingly. For example, if I post using my admin account, my author page will show my user name.

With the exact user name, the hacker has only to get your password and then he’s all set.

Transferring files

You’ll eventually be sending and receiving files through your site. Switching from the standard FTP (File Transfer Protocol) to SFTP (Secured File Transfer Protocol) will make such transfers safer as your passwords will not be carried or stored in plain text. Using the SFTP protocol enables the encryption of your sensitive data.

Removing unwanted themes and plugins

You should check your site once in a while for disabled themes and plugins. There’s no point in retaining them since you are clearly not using them. Hackers often exploit the vulnerabilities present in your disabled themes and plugins.

Security Audits

People often ignore security audits. Security audit logs are the easiest way to pick out all the unusual activity within your site. WP Security Audit Log is a great plugin for maintaining such log files. It monitors everything from user activities to your WordPress version. It also keeps a check on your plugins, widgets, and themes. Any modification of a user’s role is also reported.

It is a handy security monitoring solution.

Top WordPress Security Plugins for your website

I wrote this post as a companion to my previous article Simple WordPress Security Tips Helping Save Your Website. While that post explained picking a strong password and using CAPTCHA, I would now like to show how to use plugins to increase security.

With a click of a button, a plugin makes it easy for most people to secure a site.

Here is a shortlist of the best advanced security plugins for WordPress. These plugins are mostly free, with some having premium versions for those who need more features. To keep your website/blog performance from suffering, it is best to use only a single plugin. However, it may be worth activating them one at a time and checking which plugin best suits your website’s security.

Sucuri Security

Sucuri Security is a very popular security plugin that offers website monitoring, malware removal, and many other services to secure a WordPress website.

The plugin can scan all WordPress core files to detect changes in them, and Sucuri provides a well-regarded clean-up service if the site has already fallen victim to an attack. It is an excellent choice for anyone looking for a credible tool to protect their website.

Acunetix WP Security

The Acunetix WP Security Scan plugin is another free tool ideal for scanning your site, determining how secure it is, and then finding out how to fix any weaknesses that are detected.

This plugin can address security concerns in the core version of WordPress, such as removing update information for non-admins, disabling error reporting, and protecting your admin area.

iThemes Security

Renamed from Better WP Security, iThemes Security packs a lot of features into one package. It is a complete plugin that does everything necessary for your website’s security. It is available in a free version as well as a paid version.

Some features of iThemes Security are renaming the “admin” account, enforcing strong passwords for all accounts from a configurable minimum role upward, and preventing brute force attacks by banning hosts and users with too many invalid login attempts.

BulletProof Security

This is a free security plugin for WordPress, which is highly rated and popular. BulletProof Security has been downloaded over one million times and has an impressive 4.8-star rating from users.

BulletProof Security can protect your website from code injections. It also improves your admin dashboard security and takes care of other website security issues.

Login LockDown

Accessing the admin area by guessing the administrator username and password remains a popular way for hackers to infiltrate a website. One way to discourage unauthorized users from logging into your website is Login LockDown.

This plugin detects repeated login attempts and blocks the offending IPs, either permanently or for a defined period of time. It is useful for blocking hackers from trying to access your website.

Lockdown WP Admin

This plugin helps you hide your WordPress admin dashboard and login page. Anyone who tries to access these pages will be presented with a 404 error page.

Activating this plugin makes it very difficult for any unauthorized people to access your admin area. You will still be able to log in yourself using your unique login URL.


The popularity of WordPress can make it a target for those with bad intentions. This is outweighed by the number of tools and services that are on hand to ensure that the security risk to a WordPress site is minimized.

If it’s hard to point at the best security plugin, iThemes Security can be an ideal choice for anyone who wants an easy-to-use security plugin that also provides all the necessary features to keep a site secure.

However, as a lot of the options are free, you can easily install each of them and give them a try to determine which is the best choice for you.

How To Monetize Your Blog – Tips

Affiliate Networks like Clickbank and JVZoo and even private affiliate programs like Amazon Associates give you marvelous opportunities to monetize your blog.

The most popular – and the most significant – affiliate network online is Clickbank, as it offers products you can promote across all kinds of niche markets. They usually pay between 20%-75% commissions, which are so much better than the miserly 5%-10% some independent networks pay.

And they think they’re generous! Well, yes, we should be so lucky!

You can go and sign up for a Clickbank or JVZoo account, and start searching the Marketplace for products to promote.


Maximize Your Opportunities

Once you’ve selected a product to promote, there are a couple of critical factors that you should consider to help maximize your profits from affiliate marketing.

This includes regularly evaluating the effectiveness of your affiliate links and promoting your blog to maximize traffic. The former can be done by comparing the percentage of visitors who click on your affiliate links to the traffic as a whole.

A blog that has high traffic but a relatively small percentage of clicks on the affiliate links should consider making some changes to try and entice more visitors to take action.

These changes can involve simple things, like the size or location of the banners. However, you should only make one change at a time, as this makes it easier for you to evaluate which changes are the most beneficial.

You can also help to maximize your profit from affiliate marketing by doing self-promotions in order to drive more traffic to your blog because higher traffic generally translates into more significant benefits.

As an affiliate marketer, your commissions are what it’s all about. This is why you need to make sure your blog is set up for exactly that – earning commissions! Basically, you can do this by adding Google AdSense blocks and affiliate banners in strategic spots on your site.

Now, some people will come to your niche-oriented blog with cash in hand and ready to buy, but others may be inquisitive and need that little bit of encouragement before they get out the trusty old credit card.

You can tease and tempt the undecided by adding Anchor Text that leads to the site of the product you’re promoting in every single post (just one or two links and no more, or you may seem desperate).

Think about it – if you don’t give people an option to buy something, then you’re simply wasting time and space!

If you’ve created a “problem-oriented” blog, it’s going to be much easier to monetize it, because just about every post you write will have something about the problem in it. So it will be easier for you to promote the solution.

You can find products to promote on sites like Clickbank, JVZoo, or Amazon, and depending on what you want to sell, there’s also the eBay affiliate network, although this can be difficult to be accepted into – even harder than CPA networks!

To be honest, unless you have a large network of blogs, AdSense ads don’t really make a great deal of sense, as your cut is minuscule. That said, it can’t hurt to put these advertisements in – just don’t expect to “get rich quick” from it!


Get FREE Targeted Traffic to Your Blog

There are many free ways to get traffic to your blog, and you should use a good mixture of the most popular ones, like on-page SEO, article marketing, and social networking.

But now let me spoil you. Here is a great way to get free traffic to your blog, which I doubt any guru has ever revealed to you: a site called BlogsRater.com.

This site lets you review other people’s blogs and then rate them. In return, you’ll get your blog seen more often. Don’t forget, your blog will be rated too, so make sure it’s well-written, informative, and entertaining.

Try to do as many reviews as time allows you, and I guarantee you’ll see some great results.

Please note: I heard on the grapevine that this site is getting more and more traffic by the day and keeps adding huge benefits to its members. It has both free and paid blog lists, but you can be sure that most bloggers are on the free list!

I’d say now is the time to get in there before it gets too overcrowded. And be ready for streams of traffic.