We have summarized some WordPress security measures that many people misunderstand. These misunderstandings often lead to tampering and embedded malware!


My company’s (my) website has a small number of hits, and a small site like this is not a target.

Hackers are always looking for sites that are easy to break into. Taking over any WordPress site is like getting a free anonymous server, and the value of a hacked site is not greatly reduced just because it has a small number of visitors.

Spam mail springboard
A virus downloading site that misdirects users from other sites.

Even a small site, once hacked, can be used for illegal activities such as sending spam or distributing viruses to users misdirected from other sites.

Today’s ultra-high-performance search engines can pick up even the smallest of sites, and a search by HTML code content or WordPress folder structure can reveal the presence of vulnerable plugins in the results. The risk of being hacked is therefore not proportional to the number of hits or the size of the site.

There are WordPress security plug-ins that provide advanced protection only for the login screen, but the WordPress login screen is basically a meaningless string of 10 or fewer characters, including single-byte alphanumeric symbols and numbers, that cannot be breached.

However, if you neglect to update your plugins and themes and leave their vulnerabilities in place, you increase the risk of hacking.

More than 60% of hackers break into and deface sites by exploiting plugin vulnerabilities, and there are tools available to check and hack through hundreds of plugin vulnerabilities one after another.

Themes and plugins that are not in use are safe because they are deactivated.

WordPress plugins and themes can be enabled or disabled from the admin screen.

Because a plugin or theme is not enabled, it is easy to feel reassured and leave it without updates, which increases the risk of hacking. Many vulnerabilities can be exploited by accessing the program file directly, so a site can be hacked simply because a vulnerable theme or plugin is present on the server.

We recommend that unused plugins and themes also be updated or removed from the server.
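
As an added example (not part of the original article), the following Python script lists plugin and theme folders that are still on the server but not active, with the version read from each file header, so they can be updated or removed. The sets of active slugs are assumed inputs, for instance copied from the admin screen, and the sample folder tree is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

def read_header(path, field):
    """Read `field` and Version from a file header (WordPress reads only the first 8 KB)."""
    head = path.read_text(errors="replace")[:8192]
    pat = re.compile(r"^[ \t/*#@]*(%s|Version):[ \t]*(.+?)[ \t]*$" % re.escape(field), re.M | re.I)
    return {k.lower(): v.strip() for k, v in pat.findall(head)}

def inactive_items(base_dir, active_slugs, pattern="*.php", field="Plugin Name"):
    """Return (slug, name, version) for every folder on disk that is not in active_slugs."""
    report = []
    for entry in sorted(Path(base_dir).iterdir()):
        if not entry.is_dir() or entry.name in active_slugs:
            continue
        name, version = "(no header found)", "unknown"
        for candidate in sorted(entry.glob(pattern)):
            meta = read_header(candidate, field)
            if field.lower() in meta:
                name, version = meta[field.lower()], meta.get("version", "unknown")
                break
        report.append((entry.name, name, version))
    return report

def build_sample(root):
    """Constructed wp-content tree for the demo (not real plugins or themes)."""
    files = {
        "plugins/contact-form-x/contact-form-x.php":
            "<?php\n/*\n * Plugin Name: Contact Form X\n * Version: 1.2.0\n */\n",
        "plugins/old-gallery/old-gallery.php":
            "<?php\n/*\nPlugin Name: Old Gallery\nVersion: 0.9\n*/\n",
        "themes/site-theme/style.css": "/*\nTheme Name: Site Theme\nVersion: 2.0\n*/\n",
        "themes/unused-theme/style.css": "/*\nTheme Name: Unused Theme\nVersion: 1.1\n*/\n",
    }
    for rel, text in files.items():
        path = Path(root) / "wp-content" / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return Path(root) / "wp-content"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        content = build_sample(tmp)
        # Active slugs are assumed inputs supplied by the site administrator
        print(inactive_items(content / "plugins", {"contact-form-x"}))
        print(inactive_items(content / "themes", {"site-theme"}, "style.css", "Theme Name"))
```

If the active theme is a child theme, its parent theme is also in use and belongs in the active set.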

We’ve performed a cleanup of the hacked site in the server, so we’re good to go.

If you have multiple sites (domains) installed and running on your server, you cannot be completely reassured just because the one site that was tampered with has been restored.

Advanced backdoors can traverse from the top-level folder in the server to folders in other domains, and even if a site is not vulnerable, they may have the ability to embed arbitrary files in it or rewrite its files.
If these backdoors are missed, other sites on the server are at risk of being defaced.

If one of the sites on your server has been defaced, it is recommended that you check the files on all other domains on the same server for malware and take measures to improve security, such as updating the files.

The site that was tampered with has been restored to its pre-tampering state from backups, so it is safe.

If you restore the site from backup to its pre-tampering state, the backdoors and malicious files that the hacker embedded are indeed gone, but the cause of the hacker’s intrusion is restored as well.

In this case, the hacker can again break into and tamper with the site in the same manner.
It is also possible that the backdoor was already in place at the time of the backup and was restored along with the other files.

How can I get free security measures for my site?

The following article provides a list of basic WordPress security measures that you can take for free.
We hope you will find this information useful, as these measures can also greatly improve security.

5 free WordPress security measures