WordPress security myths


Here are some common WordPress security myths. The Internet is full of bad tutorials; don't waste your time on them.

Hide or move wp-admin to prevent brute force attacks

If you search for WordPress security advice, moving or hiding wp-admin is a common tip, and there are many plugins that will do this for you. Bots and scanners are actively looking for WordPress installations and attempting brute-force password attacks on /wp-admin.

This method is what is called "security by obscurity". Relying on it is not real security and cannot be seen as a good solution.

A big downside of this method is that many plugins depend on the exact location of /wp-admin. You risk breaking those plugins.

Besides this, most of the attacks use vulnerabilities in XML-RPC, so hiding wp-admin is useless against them.

However, I highly recommend a plugin that limits login attempts to prevent a brute-force attack.
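To see what a brute-force attempt on wp-login.php or xmlrpc.php looks like from the server side, here is an added example (not part of the original post) that scans web server access log lines and flags the source IPs that hammer those two endpoints. The log lines are constructed for this example, and it assumes the default WordPress behaviour that a failed login POST re-renders the form with status 200 while a successful one redirects with 302.

```python
import re
from collections import Counter

# Constructed combined-format access log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4201 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4201 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4201 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse(log_text, login_threshold=5, xmlrpc_threshold=3):
    """Return {ip: {'login_failures': n, 'xmlrpc_posts': m}} for IPs over a threshold.

    Assumption: a POST to wp-login.php answered with 200 is a failed login
    (WordPress re-renders the form), while 302 is the redirect after success.
    """
    failed, xmlrpc = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, status = m['ip'], m['method'], int(m['status'])
        path = m['path'].split('?', 1)[0]  # drop any query string
        if method == 'POST' and path.endswith('/wp-login.php') and status == 200:
            failed[ip] += 1
        elif method == 'POST' and path.endswith('/xmlrpc.php'):
            xmlrpc[ip] += 1
    flagged = {}
    for ip in set(failed) | set(xmlrpc):
        if failed[ip] >= login_threshold or xmlrpc[ip] >= xmlrpc_threshold:
            flagged[ip] = {'login_failures': failed[ip], 'xmlrpc_posts': xmlrpc[ip]}
    return flagged


if __name__ == "__main__":
    for ip, counts in analyse(SAMPLE_LOG).items():
        print(ip, counts)
```

Run against a real access log, the flagged IPs are the ones a login-attempt limiter or firewall rule should be throttling; the third address in the sample logs in normally and is not reported.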

Changing the wp_ prefix of all tables

Another common tip is to change the wp_ prefix of the WordPress tables. The theory is that this makes an SQL injection harder. In reality, it does not matter; it is just a waste of time.

If an attacker can query information_schema.tables, he or she gets all the information about the tables, whatever fancy prefix you put in front of the names. Again, "security by obscurity".

For the technically minded, this is how such a query could look.

-- Every WordPress install has a <prefix>postmeta table, so stripping the
-- 8-character suffix "postmeta" from the matching names reveals the prefix.
SELECT DISTINCT SUBSTRING(`TABLE_NAME` FROM 1 FOR (LENGTH(`TABLE_NAME`) - 8))
FROM information_schema.TABLES
WHERE `TABLE_NAME` LIKE '%postmeta';

My site is so small; no one cares about hacking it

No site is too small to attack; in fact, smaller sites tend to have worse security. Attackers usually use tools that scan the Internet for potential victims. If you leave your site unprotected, it is just a matter of hours before it sees its first attack.

Why, you may ask? There are a lot of use cases:

  • Sending spam
  • Improving SEO by linking to shady sites that sell drugs
  • Spreading malware to visitors
  • Installing scripts that can be used in a DDoS attack. I have seen this behavior where attackers do nothing other than gain access and wait. One objective could be simply to wait, sell the information, and use your site in a DDoS attack on other sites.

Conclusion

WordPress is a major platform today; 28% of the web is powered by WordPress. This does not mean that WordPress is less secure, but its popularity makes the platform a big target.

Nothing beats keeping your WordPress installation up to date and keeping an eye on it. Keep WordPress updated and use a good password.

Follow my checklist, and you will be okay. :-)
