You’ll find a lot of WordPress security advice floating around the internet from well-intentioned people who genuinely want to help. Unfortunately, some of this advice is built on WordPress security myths and don’t actually add any additional security to your WordPress website. In fact, some WordPress security “tips” may increase the likelihood you will run into issues and conflicts.
In this post and infographic, we’ll bust some of the most popular WordPress security myths so you can have a more informed approach to your website security strategy.
The Top 5 WordPress Security Myths From Thousands of Support Tickets
We have plenty of WordPress security myths to choose from, but we are only going to focus on the top 5 we have consistently seen in over 20,000 support tickets. These conversations were used as a basis for the following criteria to select the top myths:
- 1. The frequency the myth was mentioned.
- 2. The number of headaches that the myth caused.
- 3. The false sense of security the myth gives.
Myth 1: You Should Hide Your /wp-admin or /wp-login URL (Also Known As Hide Backend)
The idea behind hiding the wp-admin is that hackers can’t hack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute force attacks?
The truth is that most Hide Backend features are simply security through obscurity, which isn’t a bullet-proof security strategy. While hiding your backend wp-admin URL can help to mitigate some of the attacks on your login, this approach won’t stop all of them.
We frequently receive support tickets from people who are perplexed at how iThemes Security Pro is reporting invalid login attempts when they have hidden their login. That’s because there are other ways to log into your WordPress sites besides using a browser, like using XML-RPC or the REST API. After you change the login URL, another plugin or theme could still link to the new URL.
In fact, the Hide Backend feature doesn’t really change anything. Yes, it does prevent most users from directly accessing the default login URL. But after someone enters the custom login URL, they are redirected back to the default WordPress login URL.
The truth is that you can’t completely hide the backend login page of your WordPress website. If you were to change the wp-admin URL, you would break your site. Everything you install on your site, including WordPress, assumes that /wp-admin will be in the URL. When you do something as basic as creating a post, you have to go through the wp-admin before you get to /wp-admin/post.php.
Customizing the login URL is also known to cause conflicts. There are some plugins, themes or third party apps that hard code wp-login.php into their code base. So when a hardcoded piece of software is looking for yoursite.com/wp-login.php, it finds an error instead.
What to Do Instead
Myth 2: You Should Hide your Theme Name and WordPress Version Number
If you use your browser’s developer tools, you can pretty quickly see the theme name and WordPress version number running on a WordPress site. The theory behind hiding your theme name and WP version is that if attackers have this information they will have the blueprint to break into your site.
For example, looking at the screenshot above, you can see this site is using the Twenty Seventeen and the WordPress version is 5.0.3
The problem with this myth is that there isn’t an actual guy behind a keyboard looking for the perfect combination of theme and WordPress version number to attack. However, there are mindless bots that scour the internet looking for known vulnerabilities in the actual code running on your website, so hiding your theme name and WP version number won’t protect you.
What to Do Instead
Myth 3: You Should Rename Your wp-content Directory
The wp-content directory contains your plugins, themes and media uploads folder. That is a ton of good stuff and executable code all in one directory, so it’s understandable that people want to be proactive and secure this folder.
Unfortunately, it’s a myth that changing the wp-content name will add an extra layer of security to the site. It won’t. We can easily find the name of your changed wp-content directory by using the browser developer tools. In the screenshot below we can see that I renamed the content directory of this site to /test/.
Changing the name of the directory will not add any security to your site, but it can cause conflicts for plugins that have hardcoded /wp-content/ directory path.
What to Do Instead
Myth 4: My Site Isn’t Big Enough to Get Attention From Hackers
This WordPress security myth leaves a lot of sites vulnerable to attack. Even if you are the owner of a tiny site with low traffic, it is still crucial for you to be proactive in securing your website.
The truth is your site or business doesn’t have to be big to gain the attention of a would-be attacker. Hackers still see an opportunity to use your site as a conduit to redirect some of your visitors to malicious sites, send out spam from your mail-server, spread viruses, or even to mine Bitcoin. They will take anything they can get.
What to Do Instead
Myth 5: WordPress is an Insecure Platform
The most damaging WordPress security myth is that WordPress itself is insecure. This is simply not true. WordPress is the most popular content management systems in the world, and it didn’t get that way by not taking security seriously.
The truth is that the biggest WordPress security vulnerability is its users. Most WordPress hacks on the platform can be avoided with a little effort from the site owners.
Keep in mind that the number one reason for successful WordPress hacks is outdated software. To get a patch for a security vulnerability, you have to keep things updated. WordPress even allows you to enable automatic updates so you don’t have to manually run updates. But some people still don’t make it a priority to update their sites on a regular schedule. So these sites are filled with outdated software that makes them ripe for attack. When a hacker uses a security hole it isn’t a WordPress flaw, it is a user flaw.
Download the Infographic: The Top 5 WordPress Security Myths
Lets Keep Busting WordPress Security Myths
Hopefully, we were successful in busting some myths you’ve heard related to WordPress security. If you hear someone sharing one of these popular WordPress myths, feel free to send this article their way.
If you have any other WordPress myths you would like to bust, please share them in the comments.
A WordPress Security Plugin Can Help Secure Your WordPress Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.