Protecting Your WordPress Website Against Ransomware

WordPress is the most popular CMS in the world. And while this is usually a good thing, it can also make WordPress a target for malicious software seeking a broad reach.

Unfortunately, because cyber attacks have become larger and more scalable over the years, in the long term it’s often not a matter of ‘if’ but ‘when’ online businesses will come under attack. And the highly publicised successes of recent ransomware attacks mean that this trend is likely to continue.

That being said, there are plenty of steps you can take to make your website much less vulnerable to common attacks.

Understanding The Risk

Ransomware is software that an attacker installs on either your server or your computer after using an exploit to gain access. Once installed, the software will often execute automatically, either immediately or after laying dormant for a while.

Up until a couple of years ago, ransomware attacks usually targeted Windows workstations. However, analysts began recording a rise in instances of attacks on WordPress websites.

Once the software has executed, ransomware uses powerful encryption to lock all of your files, denying you access. What you’re left with instead is an interface demanding a ransom payment – usually in untraceable bitcoin – in order to unlock the files.

Paying The Ransom

A number of high-profile businesses, and even cities, have been affected across the world in recent years. In June, Lake City in Florida paid a $500,000 dollar ransom to hackers that had taken control of their computer systems.

But paying the ransom holds no guarantee that the hackers will unencrypt your data. And even if they do, they can leave parts of the software behind in order to encrypt your files again at a later date.

In some cases, the software creates a .php file containing an interface that is supposed to unlock encrypted files. However, this file doesn’t work, and even if you do gain access, you will need a skilled WordPress Developer to fix all of the broken code.

Keep Everything Updated

Keeping WordPress and any themes and plugins updated to the latest releases is the simplest way to protect your website against ransomware. These updates contain, amongst other things, the latest security patches from developers.

Hackers are constantly searching for vulnerabilities to exploit. Once these have been identified, developers release patches to fix the issues. Out-dated versions of WordPress presents a huge vulnerability, as they won’t have been developed to resist the latest security threats.

You should also check regularly that your host PHP and MySQL versions are up-to-date. A good WordPress agency will take care of keeping everything up-to-date for you, so that you don’t have to worry.

Protect Against Brute Force Attacks

A brute force attack, as the name implies, is an unsophisticated attack where a bot tries to gain access to your website using hundreds of username and password combinations per minute until they get it right.

The blunt nature of these attacks makes them relatively easy to prevent by banning IP addresses that attempt to access your site multiple times with incorrect login details. But without this simple layer of protection, bots can continuously attempt to gain access until they are successful.

Limit Login Attempt Reloaded is a plugin that allows you to limit the number of login attempts, both through the login page and cookies.

Set Strong Access Security

As obvious as it may sound, using short, guessable words – or, even worse, ‘password’ – as your password is going to make your WordPress site incredibly vulnerable.

But even strong passwords that have been used for too long, or for too many different applications, can become vulnerable. We recommend using a password generator such as 1Password to create and securely store strong, unique passwords for each login.

Alternatively, you can add 2-factor authentication to your WordPress login using Google Authenticator. This additional layer of security can be enabled on a per-user basis, allowing less privileged user roles to continue logging in with a password.

Install SSL Certificates

SSL certificates ensure that all data passed between your computer and your browser is encrypted, making it much harder for hackers to intercept the connection.

Managed WordPress hosting providers like WP Engine include automated SSL certificate installation and renewal with all of their hosting plans.

Change The WordPress Database Prefix

WordPress uses a default database prefix, and using this prefix makes your website vulnerable to SQL injection attacks. This can be prevented by changing the default wp- prefix to another word.

If you’ve already installed WordPress with the default prefix, don’t worry. There are a number of plugins that can still allow you to change it – just make sure you backup everything first, in case anything goes wrong.

Turn Off File Editing

If hackers managed to gain access to your admin WordPress dashboard, they will be able to edit any files that are part of your WordPress installation.

Setting strong access security is therefore the first line of defence. However, by turning off file editing, hackers won’t be able to modify any of your files, even if they gain access to your dashboard.

This is done by restricting the theme-editor.php file completely and removing the Theme Editing option from the CMS.

Additional Measures

Additional security measures include always following the best practice development guidelines outlined in the WordPress Codex. Ideally, you should also carry out a peer review of your code, as this helps to improve the overall quality and can root out any overlooked mistakes or vulnerabilities.

You should also check that all of the forms on your website are protected against SQL injections and cross-site scripting, and disable XMLRPC.

A simple way of improving access security is to prevent hackers from knowing your usernames, as this means that they only have to find your passwords to gain access. You can do this by deleting the user with the name ‘admin’ and restricting WP-JSON default endpoints to hide all other usernames.

You can also provide an additional layer of security to your server by running an application such as Sucuri, which scans for vulnerabilities continuously.

Backup Your Website Regularly

One of the main reasons so many companies end up paying hackers the ransom is that they didn’t have good backups in place, meaning that the cost of the ransom was going to be less expensive than losing all of their data.

And with backups, the more you have, the better. Ransomware attacks can also encrypt your backups if these are stored on a local drive. You can backup your data on the server, but off-site backups that are stored in a separate location are even safer.

Managed WordPress hosts usually offer server-side backups as part of their hosting plans.


While you may not be able to definitively stop all attacks – particularly if your company is being targeted – there are a number of steps you can take to ensure that your website doesn’t stand out as easy pickings for hackers.

The scale and sophistication of ransomware is growing all the time, but hackers – like most criminals – are also opportunists, and ensuring that your website is less vulnerable than most is still the best way to keep your data safe.

If you’d like to discuss the security of your WordPress website and how it can be improved then please do get in touch with us.

Let's connect