Some commotion last week in the WordPress community. There was a big leak (for the pros: blind SQL injection) discovered in the SEO plugin of the Dutch Yoast. A plugin that we always advise and implement for our customers. Most importantly: with a Update of the plugin, the leak was closed within 24 hours. In collaboration with the team, the update was even rolled out automatically, so most people did not have to worry about it.

More importantly, while there was a "leak," it only occurred if a hacker attacked a specific site. Good thing, too. 🙂

Yet everyone has been woken up again.

Without getting bogged down in an endless discussion of pros and cons (open source or not, WordPress or not), 5 best practices which we – like Yoast SEO – always use when building and launching WordPress websites or applications!

UPDATE: Also for the plugin 'Google Analytics by Yoast' that is discussed later in this article Update made available.

It is important to mention that we as online experts do not believe in 100% security.


The purpose of each trick is to make it as difficult as possible for people with the wrong intentions.

Before we kick off, an indication of the possible causes if something goes wrong:

  • 41% of hacked WordPress sites were hacked due to a hosting security vulnerability;
  • 29% were hacked via the theme;
  • 22% via a plugin;
  • 8% were hacked because they used a password that was too easy (short).

Source: WP WhiteSecurity

If something does indeed go wrong: make sure you have backups! You can have this done automatically at a good hosting party. Don't forget that in addition to all your files, you also need a backup of your database, which is where all your content is!

1. Good hosting

Doesn't have to be expensive!

BAD hosting also exists. Think of servers that go down a few times a week and/or for a longer period of time. Or parties that do not even communicate a telephone number on the site. That is very important, if the server is really down, you want to be able to switch immediately.

Point 3 in this list is called 'UPDATE!' and that applies just as well to your hosting party. It is up to them to maintain hardware and software, to ensure multiple layers of backups (redundancy) and constant monitoring.

We never actually come across hacked sites, maybe it has happened once in the past 5 years. What we do know for sure is that if you hear about a site where data has actually been lost (which is a bit more serious than 'the possibility of the poor security of the hosting party.

You can have us handle your hosting, we are a partner of the Netherlands-based company CloudVPS. The advantage of this is that the project manager at Van Ons is your contact person.

We will soon discuss our hosting advice in more detail in a separate article.

2. Not too many and only reliable plugins

The possibilities of WordPress are endless. That will be the case, we hardly turn our hand to the CMS for anything.

These endless possibilities are less important if your company depends on income from an online store. Or if you want to generate leads with a few smart landing pages. Then stability and security of the data is a priority.

We strongly recommend that you always use as few plugins as possible and use a fixed list of reliable extensions. Yoast SEO is one of them. Google Analytics from Yoast too. It paid Gravity Forms is recommended for forms. It also had a serious leak once and that was also quickly resolved.

That's the most important thing: the creators of these plugins are professionals, the plugin is their product. People go to work every day to improve and maintain these plugins. The chance of errors and conflicts with other plugins is therefore smaller.

3. Update!



Your browser!

Internet Explorer 8 is from 2009, which is light years. Such old software contains serious security holes. That is why Dutch banks have stopped supporting or will do so sometime in 2015.

Update everything!

Always test an update carefully in a development or staging environment beforehand!

4. Usernames and passwords

We don't use 'admin', which is a standard WordPress username and therefore easy to guess.

We like to use passwords that generates long, somewhat easy-to-remember passwords and short, human-unfriendly versions.

5. FTP and file permissions (chmod)

Always ensure that all folders and files have the correct permissions. Not too little and certainly not too much. Check this page for the correct permissions for WordPress.

No idea where you can see this? Use an FTP program (eg FileZilla Client) and right-click on a folder or file, in most programs this function is called 'file permissions' or 'file permissions' or 'chmod'.