Top WordPress Security Myths Ever (With Mr. Security)


WordPress is a very popular CMS with an ocean of active users, which in turn attracts the prying eyes of hackers from all over the world. But many users don’t take the security of their site seriously, only because of some misconceptions and preconceived notions of flaws from the past.

Even I myself was driven by a lot of myths about WordPress security and never bothered to take the security of my WordPress sites with serious attention. But after being the victim of some serious hacking attempts years ago, I started taking WordPress security very (really) seriously and bade goodbye to all those misconceptions that hovered on my mind.

In this article, I am going to discuss the top WordPress security myths in a creative way: as a conversation with Mr. Security (a fictional expert in WordPress security), who debunks all my myths with logical facts and opens my eyes about WordPress security.

Hope you will enjoy this conversation.

Question #1


I know that my WordPress site is 100% secured and there is nobody who would ever try to hack my site.

Mr. Security:

No, that is certainly not true. If you think that nobody would ever try to hack your site because you have no personal rivalry with anybody on the internet, then you are completely misguided.

People do not usually try to hack your site personally, because most attacks are automated. There are hackers who build automated scripts to run brute force attacks against a large number of sites. It is very rare that a particular hacker or a group of hackers would personally target you and try to hack your site, but there is an obvious possibility of this too, which will be discussed later.

And if you are driven by the idea that your site is quite new and doesn’t have much to steal, then you are also not entirely correct. Hackers don’t always hack for the sake of money.

They can hack your site and redirect all of its traffic to a spammy site of their choice. They can even show a bit of intelligence and redirect only the targeted search engine traffic while keeping the direct visits untouched. All of these smart tricks can happen without your awareness.

They can even hack your site and place links from your site to other sites of their choice. I have personally experienced this happening with some of my client’s websites, where the hackers placed links from various pages of the website to spammy and adult websites. The links were also camouflaged extremely well and were very difficult to detect.

Question #2


I have got my WordPress site hacked and I know that the only one responsible for this is WordPress itself as it is not secured enough.

Mr. Security:

It is certainly very wrong to put the blame entirely on WordPress. The core of WordPress is very secure, though obviously not 100%. There are some loopholes in the core of WordPress too, but fortunately the WordPress development team is efficient enough to respond to these loopholes very promptly and fix them as fast as possible.

So it is very important to update your WordPress CMS as soon as you are notified of a new update. This can help a lot in protecting your WordPress site from getting hacked. Just apply the patches to cover the security loopholes before any hacker gets close enough to exploit them.

Nothing in this world is 100% secure, and WordPress is no exception. Hackers will find some loopholes and you can never prevent this from happening. The only way to fight this is to have a very strong and prompt development team that fixes the loopholes and bugs before anyone gets affected, and the WordPress development team does this job brilliantly.

Question #3


I have installed almost each and every security plugin available to protect my WordPress site, and I am now sure that no one stands a chance to hack me.

Mr. Security:

This is yet another myth that many WordPress users still have. Installing too many security plugins is not going to give you any better security; rather, it is going to create a lot of problems because the plugins conflict with one another. Just a single well-developed plugin can ensure the security that you need.

You also cannot expect an XYZ plugin to give you 100% security, because these plugins are built by various developers from all over the world, and everybody has a different level of programming skill and expertise. So nobody can guarantee that installing a particular security plugin is going to ensure 100% security for your site.

It’s a judicious decision to install only those plugins which are popular enough and have been developed by well-known developers. Also study the plugin carefully before installing it by checking and comparing its number of downloads and the positive and negative reviews it has received.

Question #4


I install many plugins and themes for curiosity and testing purposes and deactivate them when not needed. I am fully secured now.

Mr. Security:



Deactivating plugins and themes doesn’t ensure 100% security. The best practice is to delete the theme or plugin completely from your server if you are not using it at all.

There remains a huge risk of compromising the security of your site if you keep deactivated plugins and themes on the server and do not delete them completely. If these files contain weak or malicious code, they can easily be accessed by hackers through the Internet and can cause harm to your site.

So never keep plugins and themes on your site which you do not need. Make it a habit to delete these files completely from the server rather than just deactivating them.
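To find what deactivation left behind, compare what is on disk under wp-content/plugins with the plugin paths WordPress records as active in the active_plugins row of the wp_options table, which is stored as a PHP-serialized array. This is an added example, not code from the original article; the directory tree, the option value and the old-gallery plugin name are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

def parse_active_plugins(serialized):
    """Read the plugin paths out of a PHP-serialized active_plugins value,
    e.g. a:1:{i:0;s:19:"akismet/akismet.php";} (lengths are byte counts)."""
    data, paths, pos = serialized.encode("utf-8"), [], 0
    token = re.compile(rb's:(\d+):"')
    while (m := token.search(data, pos)):
        start, end = m.end(), m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError("malformed serialized string")
        paths.append(data[start:end].decode("utf-8"))
        pos = end + 2
    return paths

def leftover_plugins(plugins_dir, active_paths):
    """Names under wp-content/plugins that no active plugin path points into."""
    active_roots = {p.split("/", 1)[0] for p in active_paths}
    leftovers = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        is_plugin = entry.is_dir() or entry.suffix == ".php"
        # index.php is the empty placeholder WordPress ships in this directory.
        if is_plugin and entry.name != "index.php" and entry.name not in active_roots:
            leftovers.append(entry.name)
    return leftovers

def demo():
    """Constructed plugins directory: one active plugin, two leftovers."""
    root = Path(tempfile.mkdtemp())
    for rel in ("akismet/akismet.php", "old-gallery/old-gallery.php",
                "hello.php", "index.php"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // placeholder\n")
    # Constructed option value, as stored in wp_options.option_value.
    option = 'a:1:{i:0;s:19:"akismet/akismet.php";}'
    return leftover_plugins(root, parse_active_plugins(option))

if __name__ == "__main__":
    print(demo())
```

On a multisite installation, network-activated plugins are recorded separately from active_plugins, so check those as well before deleting anything the report lists.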

Question #5


I install themes and plugins only from the WordPress Repository, now you can’t say that I am unsecured.

Mr. Security:

Sorry to say, but you are still not 100% secure. When new themes and plugins are added to the WordPress Repository, the development team checks the necessary files for security loopholes, compatibility issues and bugs. But this doesn’t mean that the items are 100% secure and don’t contain any security threat.

These plugins and themes are updated on a regular basis and there is no one to check them after each and every single update. You can check the update log of any plugin or theme to find out the frequency at which bugs are discovered and fixed in every new update.

It is definitely a very good practice to install themes and plugins from the WordPress Repository rather than from any unreputed third-party source. But unfortunately it still doesn’t ensure 100% security.

Question #6


I have a strong password and I am sure nobody can ever crack it.

Mr. Security:


Think again before saying that your password is strong enough and is uncrackable. Never make the mistake of using common passwords like “password”, “12345”, “qwerty” etc., as they can be cracked within minutes.

Try to keep a long password with letters, numbers and symbols mixed in it. Also never use the same password for each and every site you use, because if a particular site (with weak security) gets hacked then everything gets exposed at once. Always use different passwords for different sites, and make use of password managers like LastPass if needed.

Question #7


I have understood everything that you told me and will implement all of them. Now I can consider myself 100% secured, isn’t it?

Mr. Security:

It is not wise to consider yourself 100% secure and sit back relaxed. There is no computer program or software in this world which is perfectly secure and doesn’t have a single loophole or bug in it. The same applies to your WordPress site: whatever security measure you take, there will be some hacker who is intelligent enough to crack it.

So always keep yourself alert and audit the security of your site regularly. Don’t just implement some security measure once and then sit back and relax for ages. Also try to keep yourself informed about security news related to WordPress.

Question #8


I am hacked and this ends everything for me.

Mr. Security:



No, this is certainly not true. Getting your site hacked doesn’t mean the end of all your work, as there are various ways to get back what you have lost. You can ask your web host to provide you with the latest backup of your site, as most hosts take a backup every day and a backup once a week.

It is also a better idea to take backups yourself rather than relying on a third-party backup. Make a proper backup plan and take backups on a regular basis.

I hope that after reading this article some of your myths related to WordPress security have finally been debunked. Securing your WordPress site is not an impossible task. All you need is proper knowledge, and to give your site the attention and care that it deserves.

About the author:

Aritra Roy is a Blogger, Freelance Writer, Designer and Online Entrepreneur who believes in the power of written words to educate, influence and inspire people.

