How to Protect Your WordPress Site from Hackers

Most of you already know that WordPress is the most popular platform for creating new websites. But did you know that this platform is one of the most lucrative targets for the hackers as well?

Since so many websites use WordPress, hackers can easily exploit a large number of sites by finding out security loopholes, backdoors, or other weak points of the platform. That is why it is critical to remain proactive about the safety of your WordPress site.

In today’s post, I am going to introduce you to the best ways to protect your WordPress site from hackers.

Keep Everything Up-to-date

Keeping your website updated is one of the easiest and most effective steps to protect your WordPress site. Developers regularly release updates for the core WordPress, themes, and plugins to improve the performance, address existing issues, and to ensure better security. Therefore, it is strongly suggested to enable automatic updates and have these automatically updated.

Protect the Admin Area

By default, anyone can access the login pages of a WordPress site by appending admin, wp-admin, login, etc. after the URL. That makes it a lot easier for the hackers to find out which page they need to target. You should make it more difficult by changing these default pages. Most security plugins will let you change the login and admin page URLs.

Limit the Number of Login Attempts

Another great way to enhance WordPress security is to limit the number of login attempts per user. The default settings allow anyone to try different login combinations as long as they want. You can prevent this security loophole by limiting the number of login attempts for an IP address. Free plugins like Limit Login Attempts and Login LockDown will allow you to do that within a few minutes.

Use Two-factor Authentication

Two-factor authentication will add an additional layer of security to your WordPress website. In this method, you have to provide your username, password, and a unique key to log into the website. That means the hackers can’t login to your site unless they have access to your phone. You can choose to receive an SMS, phone call, or one-time passwords for the second verification step.

Two Factor Authentication, Google Authenticator, Duo Two-Factor Authentication, etc. are the most popular plugins to add this feature to your website.

Avoid Using the Predictable Usernames

Despite being a common security threat, some people still use predictable usernames for their admin account(s). If you have installed WordPress with the default settings, the first account will be created with the “admin” username. In that case, you should create a new admin account with a unique username and delete the default account. Also, do the same for any admin account that uses the first name, last name, site name, etc. as the username.

Use Strong Passwords

Whenever it comes to strengthening security, using a strong password is a standard advice. Still, a lot of people use the conventional, predictable, and easily breakable passwords. If you are using any such password on your WordPress site, you should change it immediately. If necessary, use a dedicated password manager like LastPass to create and store strong passwords for you. Make sure that all the users of your site are also using strong passwords for their accounts.

Add a Captcha to the Login Page

They may be annoying, but captchas still work very well to prevent hackers and other abusers. When you place a captcha on the login page, spammers won’t be able to use scripts or automated bots to try to figure out your username and password. Most contact form plugins come with built-in captcha, while it is also possible to use dedicated plugins like Really Simple CAPTCHA, Captcha, or SI CAPTCHA Anti-Spam.

Use a Security Plugin

Since you are using WordPress, it makes sense to use a dedicated security plugin like Wordfence Security, iThemes Security, or All In One WP Security & Firewall to protect your site from hackers. These plugins will help you set up a firewall, block suspicious visitors, secure the login pages, scan website code, and monitor the overall security status. As the plugins offer a large number of security options, you can choose the necessary security features based on your requirement.

Set Up the Right Permissions

Setting up the appropriate file and directory permissions could be another practical step in enhancing WordPress security. This is especially important if your website is hosted on a shared server. According to the official WordPress instructions, you should never assign 777 permission to any directory. In most cases, you will be fine with 750 or 755 for the directories, and 640 or 644 for the files. Check out the official documentation to know more about the best practices.

Never Use Pirated Themes or Plugins

These days, it is possible to find pirated copies of popular themes and plugins on the internet. Since they are available for free, you may think using these will save you some money. While that is true for the short-term, using the pirated items will open up your website to the hackers, which might become a lot more expensive in the long run. In most cases, the pirated items include malicious code and backdoors to let the hackers take control of your website.

Enhance Security by Using .htaccess

The .htaccess file plays a crucial role in improving your website security. In case you don’t have the file yet, here’s how to create the .htaccess file. You can use this file to hide the wp-config.php file, limit the admin section to specific IP addresses, make the website directories non-browsable, restrict PHP file execution, prevent script injection, prevent image hotlinking, and so on.

Disable the File Editing Feature

In case you have several admins, editors or other users with advanced privileges, it could be a real challenge to ensure the proper security of your website. You can get started by checking out the user roles and providing making sure that they are not provided with extra permissions. Another must-do step is to disable the file editing feature for both the themes and plugins.

Have Regular Backups

Despite being my last advice, it is crucial to have regular backups of your WordPress site. By doing this, you can restore the website even if you get hacked or lose all the data for any reason. There are lots of free and premium backup plugins that enable you to setup daily, weekly, or monthly backups schedules. Among these, UpdraftPlus is my personal favorite. Here’s a step-by-step tutorial on how to backup your WordPress site with UpdraftPlus.

Final Words

The security of your WordPress site depends on how careful you are. Now that you have read this article about the best practices, make sure you are following all the steps to keep your WordPress site secure.

By the way, how many of these tips you already follow? And do you have any other security tips for us? Let me know in the comments below.


I started this tech blog back in 2011 as a place to write down processes I took to fix my client systems and network. Now I write some tips and tricks to help others with the tech issues that one might encounter.

You may also like...