While working on a recent WordPress security issue for a client, I was reminded of how even well-built sites can be vulnerable if small things are overlooked. What started as a routine cleanup turned into a few intense weeks of isolating issues, testing vulnerabilities, and implementing fixes.
In this blog post, I’ll walk you through some of the most critical (and often ignored) WordPress security practices we reinforced during this project — with real examples and quick tips you can apply today.
1. 🚨 Be Careful with Backup Files
One of the first red flags we found was a file named wp-config.phpbkup. It was a backup of the original wp-config.php, and it was accessible directly through the browser. That is exactly what makes a stray copy so dangerous: on a typical configuration the web server only hands files ending in .php to the PHP interpreter, so a copy under any other name is served as plain text, database password included.
These types of files can contain sensitive information such as:
- Database credentials
- Security keys and salts
- API keys
Why It’s Dangerous
Leaving backup files in public directories is like leaving your keys under the doormat — it’s an invitation for attackers.
What to Do?
- Never store backups in your site’s root or public folder; keep them outside the web root, or on a separate host altogether.
- If you must create temporary backups, delete them as soon as you’re done.
- As a second line of defence, configure the web server to refuse requests for backup extensions (.bak, .bkup, .old, .zip) and for anything named wp-config.php followed by extra characters, so a forgotten file is still not downloadable.
Pro Tip: Run a scan using tools like Netsparker, or even a basic find command over your file structure, to locate .bak, .bkup, .old, or .zip files accidentally left behind. Then confirm from the outside, with a browser or curl, that none of them is actually reachable over HTTP.
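As an added example (this is not the post’s own tooling), here is a small PHP CLI script that walks a document root and reports backup-looking files, including the wp-config.phpbkup case above, where the suffix was appended without a dot and a plain extension check would never match. The extension list and the file name are assumptions; the equivalent find invocation is in the header comment.

```php
<?php
/**
 * find-backups.php: added example, not the post's own tooling.
 * Walks a document root and lists files that look like backups or stray
 * copies of wp-config.php. Usage (path is a placeholder):
 *   php find-backups.php /var/www/html
 *
 * Shell equivalent for the same patterns:
 *   find /var/www/html -type f \( -name '*.bak' -o -name '*.bkup' \
 *        -o -name '*.old' -o -name '*.zip' -o -name '*~' \
 *        -o -name 'wp-config.php?*' \)
 */

// Extensions a web server does not hand to PHP, so the file is served
// verbatim. Assumed list; extend it to match your own habits.
const BACKUP_EXTENSIONS = array(
    'bak', 'bkup', 'backup', 'old', 'orig', 'save', 'swp', 'zip', 'tar', 'gz', 'sql',
);

function looks_like_backup( string $name ): bool {
    $lower = strtolower( $name );

    // Editor leftovers such as wp-config.php~
    if ( substr( $lower, -1 ) === '~' ) {
        return true;
    }

    // Any copy of wp-config.php other than the real one. This is what catches
    // wp-config.phpbkup: the suffix was glued on without a dot, so it has no
    // extension of its own to match.
    if ( strpos( $lower, 'wp-config.php' ) === 0 && $lower !== 'wp-config.php' ) {
        return true;
    }

    return in_array( pathinfo( $lower, PATHINFO_EXTENSION ), BACKUP_EXTENSIONS, true );
}

function find_backup_files( string $root ): array {
    $found = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( $file->isFile() && looks_like_backup( $file->getFilename() ) ) {
            $found[] = $file->getPathname();
        }
    }
    sort( $found );
    return $found;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $hits = find_backup_files( $argv[1] );
    foreach ( $hits as $path ) {
        echo $path, PHP_EOL;
    }
    // Non-zero exit status so the scan can fail a deployment check.
    exit( $hits ? 1 : 0 );
}
```

.zip and .sql will also flag legitimate uploads, so review the list rather than deleting blindly. A hit under the web root is only half the story: request each reported path through the browser or curl to confirm whether the server actually serves it.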
2. ✋ Disable File Editing in the WordPress Dashboard
By default, WordPress allows administrators to edit plugin and theme files right from the dashboard under Appearance > Theme Editor or Plugins > Plugin Editor (labelled Theme File Editor and Plugin File Editor in current releases).
If an attacker gets access to your dashboard, this feature gives them the power to:
- Insert malicious code into your theme or plugins
- Create backdoors
- Completely take over your site
How to Disable It?
Add the following line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
This simple one-liner disables the file editors in the admin panel, reducing your attack surface significantly.
Bonus: You can go one step further and disable file modifications altogether with:
define( 'DISALLOW_FILE_MODS', true );
Setting DISALLOW_FILE_MODS implies DISALLOW_FILE_EDIT, and it also blocks installing, updating, and deleting plugins and themes from the dashboard, as well as core updates, including the automatic background updates. Use it only when a version-control or deployment pipeline applies updates for you; otherwise you have simply switched off your security patches. Put both constants above the /* That's all, stop editing! */ line, as with any wp-config.php setting, and remember they only restrict the dashboard: an attacker who already has a file-write path (FTP, an upload flaw, a writable plugin directory) is not affected.
3. 🛠️ Use Security Testing Tools
One of the most effective parts of our cleanup involved running vulnerability scans using Burp Suite — a powerful web security testing tool. It helped us uncover:
- Open and unauthenticated API endpoints
- Improper error messages leaking internal information
- Potential XSS and CSRF issues
Other Tools Worth Trying
- WPScan: Specifically made for WordPress, detects outdated plugins, exposed user info, and more
- Nessus or OpenVAS: General vulnerability scanners
- Browser DevTools: You can spot insecure cookies or CORS misconfigurations quickly
Real Example: Using Burp Suite, we identified an unprotected REST API endpoint that allowed unauthenticated access to user data, including emails and roles. It was fixed by adding proper permission callbacks.
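To make that fix concrete, here is an added example (not the client’s code and not the post’s own) of a custom REST route that returns email addresses and roles. The namespace client/v1, the route /users, and the function names are hypothetical. The first set of route arguments is the pattern that exposes the data to anyone; the second is the hardened version with a capability check in permission_callback, which is the only registration the example actually hooks.

```php
<?php
/**
 * Added example, not code from the post. Drop it into a plugin or
 * mu-plugin. Namespace, route and function names are hypothetical.
 */

// The data the route hands back. user_email and roles are private fields
// that WordPress itself only shows to users allowed to edit other users.
function client_list_users( WP_REST_Request $request ) {
    $rows = array();
    foreach ( get_users() as $user ) {
        $rows[] = array(
            'id'    => $user->ID,
            'login' => $user->user_login,
            'email' => $user->user_email,
            'roles' => $user->roles,
        );
    }
    return rest_ensure_response( $rows );
}

// BEFORE (what the scan found): a public route. '__return_true' is the
// explicit way to say "no access control"; leaving permission_callback out
// behaves the same and only raises a _doing_it_wrong notice since WP 5.5.
function client_route_args_vulnerable(): array {
    return array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'client_list_users',
        'permission_callback' => '__return_true',
    );
}

// AFTER: a capability check. is_user_logged_in() alone would not be enough,
// because a Subscriber account (open registration, or a compromised
// low-privilege user) must not be able to dump every address either.
function client_route_args_fixed(): array {
    return array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'client_list_users',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'list_users' ) ) {
                return true;
            }
            // 401 for anonymous callers, 403 for logged-in users without the
            // capability; rest_authorization_required_code() picks the right one.
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to list users.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    );
}

add_action( 'rest_api_init', function () {
    // Register only the fixed version; the vulnerable arguments are kept
    // above purely to show the difference.
    register_rest_route( 'client/v1', '/users', client_route_args_fixed() );
} );
```

Verify the fix the same way the scan found the problem: an unauthenticated GET to /wp-json/client/v1/users should now return 401 with the code rest_forbidden. Front-end code calling the route on behalf of a logged-in user must send the X-WP-Nonce header (from wp_create_nonce( 'wp_rest' )); without it WordPress deliberately treats the cookie session as anonymous, which is the REST API’s CSRF protection, not a bug in the check. Note also that the built-in /wp-json/wp/v2/users route publicly lists the name and slug of every user who has published a post, so login names are never really secret, but emails and roles are.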
4. 🔄 Keep Everything Updated — Always
Yes, everyone says this, but we still see it ignored far too often.
Outdated themes and plugins are among the most common entry points for attackers. In our case, one outdated plugin had a known security vulnerability that was already patched — but the update was never installed.
What to Update?
- WordPress core
- All active (and inactive) plugins
- Themes — even the ones not currently in use
How to Stay on Top?
- Use services like ManageWP, MainWP, or WP Remote to manage updates across multiple sites
- Install security plugins like Wordfence that alert you when components are outdated
- Set up email notifications for update availability
Bonus: Don’t forget to delete unused themes and plugins. Deactivating is not enough: the files stay under wp-content and remain reachable by URL, so a flaw in a standalone script inside an inactive plugin can still be exploited. If it’s not being used, it’s just another thing that can go wrong.
5. ✅ Implement the Basics — Don’t Skip Them
It’s surprising how many WordPress sites still lack basic security features. These are low-effort, high-impact changes you can make immediately.
Essential Measures
- Install a Security Plugin
These can monitor your site, block common threats, and alert you when files change.
- Limit Login Attempts
Prevent brute-force attacks by limiting the number of failed login attempts per account and per source IP. Remember that wp-login.php is not the only place credentials are accepted: xmlrpc.php takes them too, so make sure the limit covers it as well.
- Disable XML-RPC
If you’re not using the WordPress mobile app, Jetpack, or remote posting tools, disable it:
add_filter( 'xmlrpc_enabled', '__return_false' );
Caveat: this filter only switches off the XML-RPC methods that require authentication. pingback.ping and system.listMethods stay reachable, so to close the endpoint completely, also block xmlrpc.php at the web server or empty the method table with the xmlrpc_methods filter.
- Enable Two-Factor Authentication (2FA)
Especially for admin users. Use plugins like WP 2FA or Google Authenticator.
- Use SSL Everywhere
Enforce HTTPS site-wide, including wp-admin and wp-login.php, and redirect HTTP to HTTPS. It’s basic, but still neglected on some smaller sites.
- Strong Passwords + Unique Admin Username
Avoid usernames like admin and enforce password strength using a plugin or custom code. Treat the username as a minor hurdle rather than a secret: author archives (/?author=1) and the REST API can reveal it.
- Regular Backups
Schedule daily or weekly backups and store them securely (Dropbox, Google Drive, S3), and never inside the web root, so a backup does not become the exposed file from point 1.
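Two of the items above, limiting login attempts and disabling XML-RPC, are small enough to implement without a third-party plugin. The following is an added example (not code from the post) of a must-use plugin that does both. The harden_ prefix, the file name, and the thresholds are assumptions; the lockout is keyed by client IP, which stops a single-source brute force but not a distributed one, which is why 2FA stays on the list.

```php
<?php
/**
 * Plugin Name: Basic hardening (added example)
 * Description: Fully disables XML-RPC and rate-limits failed logins per
 *              client IP. Added example, not code from the post. Save as
 *              wp-content/mu-plugins/harden.php (the file name is a choice,
 *              not a requirement).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Not loaded by WordPress.
}

/*
 * 1. XML-RPC.
 * 'xmlrpc_enabled' only refuses the methods that need a login; pingback.ping
 * and system.listMethods stay available. Emptying the method table removes
 * every method, and dropping X-Pingback stops advertising the endpoint.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

/*
 * 2. Failed-login limiting (thresholds are assumptions; tune them).
 */
define( 'HARDEN_MAX_ATTEMPTS', 5 );     // lock out after this many failures...
define( 'HARDEN_WINDOW_SECONDS', 900 ); // ...within 15 minutes

function harden_client_ip(): string {
    // REMOTE_ADDR is the only address the client cannot forge. Behind a
    // reverse proxy, have the proxy or web server rewrite REMOTE_ADDR from
    // X-Forwarded-For; do not trust that header here.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function harden_attempt_key(): string {
    return 'harden_login_' . md5( harden_client_ip() );
}

// Count each failure. set_transient() restarts the expiry, so every extra
// attempt during a lockout extends it.
add_action( 'wp_login_failed', function () {
    $count = (int) get_transient( harden_attempt_key() );
    set_transient( harden_attempt_key(), $count + 1, HARDEN_WINDOW_SECONDS );
} );

// Refuse authentication once the threshold is reached. Priority 30 runs after
// the core username/password checks at priority 20: an earlier WP_Error would
// be overwritten by them. The empty-username case is skipped so a plain visit
// to the login page during a lockout is not counted as another failure.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( harden_attempt_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 2 );

// Reset the counter after a successful login.
add_action( 'wp_login', function () {
    delete_transient( harden_attempt_key() );
} );
```

Because xmlrpc.php logs in through the same authenticate filter, the lockout covers it as well as wp-login.php. Transients live in the options table unless an object cache is configured, so on a very busy site move the counter into the object cache or enforce the limit at the web server or a WAF instead.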
This project was a great reminder that security isn’t a one-time task — it’s a continuous process. Even experienced developers can overlook simple things, and that’s what attackers count on.
Stay vigilant, test regularly, and treat WordPress security as an ongoing priority — not an afterthought.
Remember: It’s always easier (and cheaper) to prevent an attack than to recover from one.