20 possible ways to secure WordPress website from hacking

20 possible ways to secure WordPress website from hacking

Taking a proactive approach to website security is one of the best things you can do for your website and your sanity. No one wants to wake up in the morning, only to find that their sites have been compromised. A lot of website owners don’t think about keeping their WordPress sites secure until it’s too late.

I’ve heard many website owners complain about WordPress security. The thought is that an open source script is vulnerable to all sorts of attacks. Is that a fact? And if so, how do you secure your WordPress website?

We shall be looking at quite a few simple tricks that can help you secure your WordPress website even more.

1. Secure your WordPress website by making sure your hosting is safe.

Almost all hosting companies claim to provide an optimized environment for WordPress, but do they? At Tservers4 Web Hosting, we can assure our clients enhanced security at the server level. The truth is every host must have setup a good firewall on their server against several hacking attempts. They also implement cagefs security, SSL (secured socket layer) using lets’ Encrypt SSL free for all cPanel accounts for certain level of security on their servers. Are we to say this level of security is enough? We shall also try to look at several security measures that must be implemented to further harden security layer on your cPanel accounts, WordPress scripts and general on your websites.

As it currently stands, WordPress does lead as the most commonly hacked website platform. However, this data is skewed a bit, because WordPress is also one of the most popular website building platforms out there–it currently powers over 40% of the web!

Here are some of the most common ways that WordPress sites are hacked:

  • Failing to update the WordPress core or plugins consistently
  • Using nulled plugins or themes (i.e., illegally obtained software)
  • Having poor user admin practices
  • Using a low-quality theme or plugin
  • Inexperience on the part of website owners
  • Password compromise by the cPanel owners

As you can see, a lot of these security risks can be managed just by keeping your site and plugins up to date and only downloading themes and plugins from reputable sources.

With the vast nature of WordPress, security holes do exist. The thousands of different themes and plugin combinations are near impossible to test. In a nutshell, you should only work with reliable, high-quality and safe hosting. This piece of advice seems obvious, right? therefore Tservers4 can be trusted for this.

2. Use Strong Passwords

A lot of websites are hacked because hackers will use password generation tools to brute force attack the admin area. If you’re using a weak password or a password that you use other places online, then you’re significantly increasing your risks of suffering from a brute force attack.

One simple fix to keep this from happening is to use a strong password. When you’re setting up your WordPress site, there are a few different places you’ll need to create a password: admin access, when creating WordPress databases, and when connecting to your website via FTP.

Creating a strong password is one thing, but remembering that password can be even more challenging.

One great way around this is to use a password manager. A password manager is a secure and encrypted tool that stores your website passwords. Then whenever you need to input a password for a particular site or application, the tool will input the password for you.

There are a variety of password managers out there, but here are a few worth checking out:

3. Keep Your Core, Themes, and Plugins Up to Date

A straightforward way to keep your site secure is keeping everything up to date; this includes your WordPress core, your theme, and the plugins you’re using.

At the core, WordPress is incredibly secure and has a team of expert developers who are continuously working to patch security holes and improve the platform. Like most software, updates and patches are released after security risks are discovered.

So, if you’re running an older version of the software, you’re basically leaving your back door open.

Installing too many plugins can also make your site more vulnerable to hackers. Plugins can add a ton of useful functionality and features to your WordPress website, but this comes with the added risk of potentially installing a poorly coded (and therefore vulnerable) plugin.

Whenever you install a plugin, you should take additional time to vet the quality of the plugin and the team behind it. You also need to update plugins whenever an update is released. You might not know if an update has been released, so it’s essential to log in to your dashboard regularly to look for updates.

A poorly coded theme can also leave your site open to security backdoors. Installing a theme from a quality source can decrease your chances of your theme becoming hacked, but you also need to keep your themes updated and running the latest version.

4. Restrict Site Access and User Roles

WordPress allows you to create multiple different user accounts. This can be helpful if you have a team running your site, or you’d like your writers to upload articles directly into WordPress.

However, the more logins and passwords you have floating around, the higher the chances of a single user having a weak password—or their account becoming compromised in other ways.

When you’re creating new user roles for your WordPress site, you should only give them access to the parts of your website, they need to do the job effectively. For example, you could provide a writer access to the posts section, but not the plugins, themes, or site settings areas.

It’s also helpful to enable two-factor authentication across your site. This is a process using an app or plugin that verifies the identity of the user who’s logging into the website.

5. Enable a Website Firewall

A WordPress firewall will essentially create a forcefield around your site. Think of it as a failsafe for if you forget to update your site for several months. In some cases, you might not be able to update individual plugins due to a specific software configuration.

In these situations, a website firewall will keep your site secure, even when specific plugins or themes aren’t running the latest software version.

One common version of a firewall is known as a website application firewall. This acts like a filtering mechanism that all your website traffic passes through before reaching your site. It will filter out bad traffic or even hacking attempts and only let the good traffic reach your site.

As a benefit, this can also help to keep your site online when you’re experiencing a traffic surge, or are undergoing a DDoS attack on your website.

Here are the biggest benefits of running a WordPress firewall:

  • Hackers and bots are automatically blacklisted, so they’ll never reach your site
  • Malware infections, DDoS attacks, and SQL injections will all be prevented
  • Brute force attacks will be a thing of the past
  • Your site could run faster and perform better
  • You’ll sleep better knowing your website is protected 24/7

Below we’ll highlight some great WordPress plugins that also have built-in firewall protection.

Even configuring your site to work with a CDN like Cloudflare will help to protect your site from DDoS attacks, because your website’s traffic will be routed through their network of servers instead of directly going to your website.

If you’re currently hosting your site here at Tservers4, you’ll be able to integrate your site with Cloudflare directly from your website control panel.

6. Have a System for Site Backups

Website backups won’t help to keep your site more secure, but they can help you if your website does get taken offline during an attack. With a backup system in place, you can ensure that you’ll always have an operational site that you can restore from.

Having a backup is always helpful when you’re experiencing any issues with your site. If you’ve been hacked, or your site is malfunctioning for some reason, you can always restore your site to a previous version.

Some hosts will include bundled backups with your hosting plan. But, there are a number of WordPress backup plugins that can help you with backups as well. It can also be helpful to create multiple website backups and store them in different locations.

Here are some popular backup plugins worth exploring:

A WordPress backup plugin can help you from losing all of your hard work. Plus, you’ll always have a backup plan if your site ever does experience a hack.

7. Limit Login Attempts

The login screen on WordPress is especially vulnerable. Having a strong password will help a lot in ensuring a hacker won’t gain access to your site via a brute force attempt.

But, if you want to harden the security even further, then you should consider limiting the number of times a user can input their password before locking them out.

For example, you can limit the number of login attempts to 4 times. So, after the fourth attempt, you’ll receive a notification of that user and their IP addresses. You can even ban specific IP addresses if it becomes a persistent issue.

One of the best plugins for this is aptly named Limit Login Attempts Reloaded.

Best of all, this plugin is entirely free and currently trusted by over one million other WordPress site. Just install the plugin, configure the settings, and your WordPress login screen will be much more secure.

8. Install a WordPress Security Plugin

A lot of WordPress security plugins will have most of the features highlighted above. WordPress security plugins are great, because you just have to install the plugin, configure it, and your site will now be secure from most risks lurking online.

A lot of WordPress security plugins will have features like:

  • Malware scanning
  • Built-in firewall protection
  • Login screen protection
  • Letting you know what plugins and themes are out of date
  • DDos and protection from other online attacks
  • Anti-spam protection for a clean comments section

Here are a few WordPress security plugins worth installing:

Most of the security plugins highlighted above have free versions available, but if you’re serious about securing your site, then upgrading to the premium version is a worthwhile investment.

You can always start with a free version of the plugin and upgrade to premium once you’ve been able to explore all the features and see how well it protects your site.

9. Protect the wp-config.php file

The wp-config.php file holds crucial information about your WordPress installation, and it’s the most important file in your site’s root directory. Protecting it means securing the core of your WordPress blog.

This tactic makes things difficult for hackers to breach the security of your site, since the wp-config.php file becomes inaccessible to them.

As a bonus, the protection process is really easy. Just take your wp-config.php file and move it to a higher level than your root directory.

Now, the question is, if you store it elsewhere, how does the server access it? In the current WordPress architecture, the configuration file settings are set to the highest on the priority list. So, even if it is stored one folder above the root directory, WordPress can still see it.

10. Disallow file editing

If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.

If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.

To make this work, add the following to the wp-config.php file (at the very end):

define('DISALLOW_FILE_EDIT', true);

11.. Set directory permissions carefully

Wrong directory permissions can be fatal, especially if you’re working in a shared hosting environment.

In such a case, changing files and directory permissions is a good move to secure the website at the hosting level. Setting the directory permissions to “755” and files to “644” protects the whole file system – directories, subdirectories, and individual files.

This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) – use the “chmod” command.

For more, you can read about the correct permission scheme for WordPress or install the iThemes Security plugin to check your current permission settings.

12.. Disable directory listing with .htaccess

If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.

For example, if you create a directory called “data”, you can see everything in that directory simply by typing http://www.example.com/data/ in your browser. No password or anything is needed.

You can prevent this by adding the following line of code in your .htaccess file:

Options All -Indexes

13. Block all hotlinking

Let’s say you locate an image online and would like to share it on your website. First of all, you need permission or to pay for that image, otherwise there’s a good chance it’s illegal to do so. But if you do get permission, you might directly pull the image’s URL and use that to place the photo in your post. The main problem here is that the image is shown on your site, but being hosted on another site’s server.

From this perspective, you don’t have any control over whether or not the photo remains on the server. But it’s also important to realize that people might do this to your website.

If you’re trying to secure your WordPress website, hotlinking is basically another person taking your photo and stealing your server bandwidth to show the image on their own website. In the end, you’ll see slower loading speeds and the potential for high server costs.

14. Remove your WordPress version number

Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view. You can also see it on the bottom of your dashboard (but this doesn’t matter when trying to secure your WordPress website).

version number

Here’s the thing: if hackers know which version of WordPress you use, it’s easier for them to tailor-build the perfect attack.

You can hide your version number with almost every WordPress security plugin that I mentioned above.

For a more manual approach (and to also remove the version number from RSS feeds,) consider adding the following function to your functions.php file:

function wpbeginner_remove_version() {
return '';
add_filter('the_generator', 'wpbeginner_remove_version');

15. Protect the Admin URL login page and preventing brute force attacks

Everyone knows the standard WordPress login page URL. The backend of the website is accessed from there, and that is the reason why people try to brute force their way in. Just add /wp-login.php or /wp-admin/ at the end of your domain name and there you go.

What I recommend is to customize the login page URL and even the page’s interaction. That’s the first thing I do when I start securing my website.

You can implement a good admin backend URL rewrite plugin to make the whole process simple and easy for you  and almost free as well to use.. for example.:

Protect WP Admin b

Why? Because it’s usually the user’s fault that their site got hacked. There are some responsibilities that you have to take care of as a website owner. So the key question is, what are you doing to save your site from being hacked? Protecting the login page and preventing brute force attacks is one of the best things you can do.

16. Rename database prefix from default wp_

It is a very good practice to rename your database prefix..The best at the time of installing your wordpress either from softaculous app installer or by downloading the script and installing from cpanel or even from localhost when you are about to start your website wordpress project from scratch..

Make sure you change the default wp_ to something else like PR_, SF_ etc it can be any combination of other letters but make sure you don’t use the default to create your database tables.

By doing this, you are trying to enforce layers of security on your database against SQL injection attack.

17. Change the admin username

During your WordPress installation, you should never choose “admin” as the username for your main administrator account. Such an easy-to-guess username is approachable for hackers. All they need to figure out is the password, then your entire site gets into the wrong hands.

admin username change

I can’t tell you how many times I have scrolled through my website logs, and found login attempts with username “admin”.

The iThemes Security plugin can stop such attempts by immediately banning any IP address that attempts to log in with that username.

18. Use SSL to encrypt data

Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel. SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.

Getting an SSL certificate for your WordPress website is simple. You can purchase one from a third-party company or check to see if your hosting company provides one for free.

lets encrypt

I use the Let’s Encrypt free open source SSL certificate on most of my sites. Any good hosting company like Tservers4 offers a free Let’s Encrypt SSL certificate with its hosting packages.

The SSL certificate also affects your website’s Google rankings. Google tends to rank sites with SSL higher than those without it. That means more traffic. Now who doesn’t want that?

Enabling SSL on your WordPress site is very simple. In 99% of the cases, all you need to do is install the Really Simple SSL plugin and activate it. But then once SSL is installed from your cPanel and redirect to HTTPS with your .htaccess file then no other settings are required. It will browse to your website using secured socket layer SSL and it will show on the browser like a padlock with https before your site domain name.

19. Make backups regularly to secure your WordPress website

No matter how secure your WordPress website is, there is always room for improvements. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote no matter what happens.

If you have a backup, you can restore your WordPress website to a working state any time you want. There are some plugins that can help you in this respect. For instance, there are all of these.

If you are looking for a premium solution then I recommend VaultPress by Automattic, which is great. I have it set up so it creates backups every week. And should anything bad ever happen, I can easily restore the site with just one click.

I know some larger websites run backups every hour, but for most organizations that is complete overkill. Not to mention, you would need to ensure that most of those backups are being deleted after a new one is made since each backup file takes up space on your drive. That said, I’d recommend weekly or monthly backups for most organizations.

On top of the backups, VaultPress also checks my site for malware and alerts me if anything shady is going on.

20. Use two-factor authentication for WordPress security

Introducing a two-factor authentication (2FA) module on the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, or more popular, the Google Authenticator app, which sends a secret code to your phone. This way, only the person with your phone (you) can log in to your site.

I prefer using a secret code while deploying 2FA on any of my websites. The Google Authenticator plugin helps me with that in just a few clicks.


In summary, if all of these tricks and techniques can be implemented properly, I want to assure you that your WordPress website will give you rest of mind without hacking compromises. It can be very disastrous to wake up one morning and see your website defaced and compromised so my strong advice for WordPress users is to take action against any form of hacking earlier.

This pieces was prepared by Tservers4 Team.

Thank you for reading.

About the Author
Call me!
content copy not allowed
Secured By miniOrange