WordPress has a huge and relatively generous community, due to its increased popularity over the years. Users within this community spend a great deal of their time sharing resources, information and tips for other WordPress users. When it comes to the internet, security tends to be at the forefront of a great many concerns for website owners, as a result, a lot of conversations online, tend to be centered on the best ways to protect ones site. However, despite the best efforts of these users, there are still quite a few myths that are spread, which ultimately end up doing the opposite of what they were intended to do.

1. Rename theWP-Content Directory

The WP-Content directory or folder, holds all the themes, plugins, and media upload data. This folder is like a treasure chest of important data for your site, so it makes sense that people would look to secure it somehow.

However, changing the WP-Content folder name, presumably to increase the security of your site, in reality does no such thing. Finding out the name of the WP-Content directory is very easy, given that all web browser now have built-in developer tools. So that, in of itself makes such a task futile.

Thus, changing the name of this key directory, will not add an additional layer of security to your site, but it may cause conflicts between plugins, especially those that were designed to exist within the default (WP-Content) location.

So what can you do?

When it comes to the WP-Content directory, the only time you should be concerned about its vulnerability is when you have outdated plugins and themes within it. Thus, if you want to keep it secure, it’s very important that you keep it up-to-date.

2. Regular WordPress Updates Keeps Your Site Totally Safe

Let’s get one thing straight. Updating your WordPress site with security updates, will increase your sites level of security. However, it doesn’t guarantee its complete protection against nefarious activity.

The reality is that, WordPress has close to 40k plugins currently available to WordPress users. Of those 40k, more than 15k of these plugins haven’t been updated within the past 5 years. Many developers end up abandoning their plugins, while leaving it available for anyone who wishes to download and use them.

These outdated plugins, not only increase your sites level of vulnerability, but could also contain dated features, which could end up slowing or breaking your website entirely.

3. I Have an SSL Certificate, So My Site Is Safe

An SSL certificate is designed to add an additional layer of security between the website and the visitor. When a website has a SSL certification, the end user can rest assured that communication between them and the website is encrypted. This is especially important when a user is giving away sensitive information, like contact details or credit card numbers. When this data is encrypted, it ensures that, even if the hacker is able to swipe the data, there’s no way that they can actually read it.

You can tell whether a site has a SSL certificate, by its URL. If the site has the certificate, it’ll have the https:// instead of http:// before the website URL address. There’s also the padlock symbol that many web surfers know to look out for, when parting with any sensitive information. However, since 2017, Google has taken steps to ensure that as many websites as possible use SSL certificates by labelling standard http:// sites as insecure in their Google Chrome browser.

Unfortunately, the SSL certificate is more about your visitors than it is your website. As it offers only transactional security, protecting whatever information may be passed from the visitor to your website. But no such security for the data that is contained on the website itself. Without up-to-date plugins, a web application firewall and other security measures, your website will forever remain vulnerable to hackers, even with the SSL certificate! This in term, could put the stored customer data on your site, at risk.

4. Backups Will Repair My Site

When a website has been compromised, the most commonly adopted solution is to use a backup. However, this solution is not without its flaws.

While, restoring your website using a full backup, means that you can bring your site back, after it has been compromised. In many cases, minimising any potential damage. What it doesn’t do is give the webmaster insight into how the website was hacked to begin with.

Just because you’ve backed up your website, it doesn’t mean your site is completely clean, and so, shouldn’t be adopted as a substitute for site cleaning. Ultimately, if you restore the site, it’ll only lead to the hackers eventually gaining access to your system – that’s if you don’t attack the root cause.


Uchenna Ani-Okoye is a former IT Manager who now runs his own computer support website https://www.compuchenna.co.uk.