WordPress Security

The Top 5 WordPress Security Myths Debunked

You'll find a lot of WordPress security advice floating around the internet from well-intentioned people who genuinely want to help. Unfortunately, some of this advice is built on WordPress security myths and doesn't actually add any additional security to your WordPress website. In fact, some WordPress security "tips" may increase the likelihood you will run into issues and conflicts.

SolidWP Editorial Team


In this post and infographic, we’ll bust some of the most popular WordPress security myths so you can have a more informed approach to your website security strategy.

The Top 5 WordPress Security Myths From Thousands of Support Tickets

We have plenty of WordPress security myths to choose from, but we are only going to focus on the top 5 we have consistently seen in over 20,000 support tickets. These conversations were used as a basis for the following criteria to select the top myths:

  1. The frequency the myth was mentioned.
  2. The number of headaches that the myth caused.
  3. The false sense of security the myth gives.

Myth 1: You Should Hide Your /wp-admin or /wp-login URL (Also Known As Hide Backend)

The idea behind hiding the wp-admin is that hackers can’t hack what they can’t find. If your login URL isn’t the standard WordPress /wp-admin/ URL, aren’t you protected from brute force attacks?

The truth is that most Hide Backend features are simply security through obscurity, which isn’t a bullet-proof security strategy. While hiding your backend wp-admin URL can help to mitigate some of the attacks on your login, this approach won’t stop all of them.

We frequently receive support tickets from people who are perplexed at how iThemes Security Pro is reporting invalid login attempts when they have hidden their login. That’s because there are other ways to log into your WordPress sites besides using a browser, like using XML-RPC or the REST API. After you change the login URL, another plugin or theme could still link to the new URL.

In fact, the Hide Backend feature doesn’t really change anything. Yes, it does prevent most users from directly accessing the default login URL. But after someone enters the custom login URL, they are redirected back to the default WordPress login URL.

The truth is that you can’t completely hide the backend login page of your WordPress website. If you were to change the wp-admin URL, you would break your site. Everything you install on your site, including WordPress, assumes that /wp-admin will be in the URL. When you do something as basic as creating a post, you have to go through the wp-admin before you get to /wp-admin/post.php.

Customizing the login URL is also known to cause conflicts. Some plugins, themes or third-party apps hard-code wp-login.php into their code base. So when a piece of software with a hardcoded path looks for yoursite.com/wp-login.php, it finds an error instead.

What to Do Instead

Ultimately, the Hide Backend approach gives people a false sense of security. Instead, use more solid security measures like WordPress two-factor authentication and refuse compromised passwords.
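To see why a hidden login slug does not stop login attempts, here is an added example (not code from the article or from iThemes) that tallies authentication attempts per client IP across wp-login.php, a hidden login slug, XML-RPC and the REST API from constructed web-server log lines; the slug /my-secret-login, the IPs and the log lines are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample Apache "combined" log lines (made-up traffic) for a site
# whose login page has been moved to /my-secret-login.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /my-secret-login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:00:06 +0000] "GET /wp-json/wp/v2/users/me HTTP/1.1" 401 97 "-" "curl/8.4"
192.0.2.44 - - [12/Mar/2024:10:00:07 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, path, status, hidden_slug):
    """Return the login surface a request touched, or None for ordinary traffic."""
    path = path.split("?", 1)[0]
    if method == "POST" and path == "/wp-login.php":
        return "wp-login.php"
    if method == "POST" and path == hidden_slug:
        return "hidden-login"
    # XML-RPC answers a bad password with HTTP 200 and a fault inside the XML
    # body, so every POST to it is counted; the status code alone cannot show failure.
    if method == "POST" and path == "/xmlrpc.php":
        return "xmlrpc"
    # REST API requests rejected for bad or missing credentials come back as 401.
    if path.startswith("/wp-json/") and status == 401:
        return "rest-api"
    return None

def login_attempts_by_ip(log_text, hidden_slug):
    """Map each client IP to a Counter of the login surfaces it hit."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        surface = classify(method, path, status, hidden_slug)
        if surface:
            attempts.setdefault(ip, Counter())[surface] += 1
    return attempts

def flag_brute_force(attempts, threshold):
    """IPs whose attempts, summed across all surfaces, reach the lockout threshold."""
    return sorted(ip for ip, c in attempts.items() if sum(c.values()) >= threshold)
```

Counting per surface rather than only on wp-login.php is what lets a lockout rule catch a client that never touches the login page at all.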

Myth 2: You Should Hide your Theme Name and WordPress Version Number

If you use your browser’s developer tools, you can pretty quickly see the theme name and WordPress version number running on a WordPress site. The theory behind hiding your theme name and WP version is that if attackers have this information they will have the blueprint to break into your site.

[Screenshot: browser developer tools showing a site's theme name and WordPress version number]

For example, looking at the screenshot above, you can see this site is using the Twenty Seventeen theme and the WordPress version is 5.0.3.

The problem with this myth is that there isn’t an actual person behind a keyboard hunting for the perfect combination of theme and WordPress version number to attack. Instead, there are mindless bots that scour the internet looking for known vulnerabilities in the code actually running on your website, so hiding your theme name and WP version number won’t protect you.

What to Do Instead

Instead of worrying about hiding the theme or version number, keep your WordPress software up to date to ensure you have the latest security patches. Managing multiple WordPress sites? Save time managing updates with a tool like iThemes Sync.

Myth 3: You Should Rename Your wp-content Directory

The wp-content directory contains your plugins, themes and media uploads folder. That is a ton of good stuff and executable code all in one directory, so it’s understandable that people want to be proactive and secure this folder.

Unfortunately, it’s a myth that changing the wp-content name will add an extra layer of security to the site. It won’t. We can easily find the name of your changed wp-content directory by using the browser developer tools. In the screenshot below we can see that I renamed the content directory of this site to /test/.

[Screenshot: browser developer tools showing the renamed content directory /test/]

Changing the name of the directory will not add any security to your site, but it can cause conflicts for plugins that have a hardcoded /wp-content/ directory path.

What to Do Instead

The only reason to be concerned about the content directory is if it contains a plugin or theme with a vulnerability. Again, keeping your themes and plugins up to date is the best way to know you are running secure software.

Myth 4: My Site Isn’t Big Enough to Get Attention From Hackers

This WordPress security myth leaves a lot of sites vulnerable to attack. Even if you are the owner of a tiny site with low traffic, it is still crucial for you to be proactive in securing your website.

The truth is your site or business doesn’t have to be big to gain the attention of a would-be attacker. Hackers still see an opportunity to use your site as a conduit to redirect some of your visitors to malicious sites, send out spam from your mail server, spread viruses, or even to mine Bitcoin. They will take anything they can get.

What to Do Instead

Take active security measures to protect your website. For example, keep your themes, plugins and WordPress updated, install a trusted WordPress security plugin, use quality WordPress hosting and activate WordPress two-factor authentication.

Myth 5: WordPress is an Insecure Platform

The most damaging WordPress security myth is that WordPress itself is insecure. This is simply not true. WordPress is the most popular content management system in the world, and it didn’t get that way by not taking security seriously.

The truth is that the biggest WordPress security vulnerability is its users. Most WordPress hacks on the platform can be avoided with a little effort from the site owners.

Keep in mind that the number one reason for successful WordPress hacks is outdated software. To get a patch for a security vulnerability, you have to keep things updated. WordPress even allows you to enable automatic updates so you don’t have to run updates manually. But some people still don’t make it a priority to update their sites on a regular schedule, so these sites are filled with outdated software that makes them ripe for attack. When a hacker exploits a security hole in outdated software, it isn’t a WordPress flaw, it is a user flaw.

Download the Infographic: The Top 5 WordPress Security Myths


Let’s Keep Busting WordPress Security Myths

Hopefully, we were successful in busting some myths you’ve heard related to WordPress security. If you hear someone sharing one of these popular WordPress myths, feel free to send this article their way.

If you have any other WordPress myths you would like to bust, please share them in the comments.


A WordPress Security Plugin Can Help Secure Your WordPress Website

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.

Get iThemes Security now
