A Complete WordPress Security Guide That Protects Your Website From Hackers

WordPress is the most popular content management system and is used all over the world. Because it is so popular, attackers target WordPress sites, and there are many ways to attack a website. Security is therefore an important factor for any WordPress site.

It is very important to keep your website secure, because attackers may strike at any time, steal your content or misuse your site. Once hacked, you may be locked out of your own website and lose all your content and effort.

If you run a professional website, keeping it secure matters even more, because it holds personal information and documents that are valuable to your business. Even after taking security measures, you cannot say your website is fully protected.

You can only reduce the risk, not eliminate it; at any time attackers may find a loophole. In this post, we explain how to secure a WordPress site from hackers with a set of precautions you can take.

Security Checklist in Order to Protect the Website from Hackers

1. Improve Security of Your Computer

Make sure your local computer is secure before connecting it to any remote server, because malware on your computer can compromise the server and your website along with it.

Run proper antivirus software and keep all software on the computer up to date. On your side, ensure that everything is set up correctly in order to have a secure website. For a secure connection to the server, use SFTP.

2. Don’t Use Admin as a Username

Avoid the default username admin. Choose a username, much like a password, that is difficult for attackers to guess. In older WordPress installs the default username was admin (and the password was often left as admin too), which makes a brute force attack really easy.

If you are running an older WordPress version, install the latest version, where you can choose a username that is unique and difficult for attackers to identify. Changing the username is the first and most important step in protecting your website.

3. Create a Strong Password

Another important step is to use a strong password for your website. Your password should be unique. If it is as simple as your name or 12345, it is easy for attackers to guess it.

Once your website is hacked, the attackers immediately change the password and may inject malware into your website. So it is recommended to use a password that mixes uppercase and lowercase letters, digits and symbols. For example, it may look like this: “GWhj&%4397IkbS”.

Passwords like this are hard to remember, but they secure your website. Password managers such as 1Password and LastPass can create and manage strong passwords for you.

4. Implement Two-Factor Authentication

Two-factor authentication is a great way to protect your website. Even if an attacker knows your password, they cannot access your website. Once the password is entered, a verification code is sent to your email or mobile phone.

You can access your website only after entering the correct verification code, which is difficult for an attacker to obtain. It adds an extra security layer to your website. There are many plugins available for two-factor authentication.

The most recommended WordPress two-factor authentication plugins are Google Authenticator, Authy, Duo, Rublon, and Two-Factor. You can use any of these plugins to enable 2FA for your website.

5. Limit the Login Attempts

Limiting login attempts not only protects your website from brute force attacks, it also keeps such an attack from overloading your server. With a limit in place, attackers cannot keep trying username and password combinations.

WordPress has no such feature by default, but plugins are available that limit login attempts and thereby protect your website from being hacked.
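As an added example (not part of the original post), here is how the signal a login-limiting plugin acts on can be spotted in a web-server access log: the script counts failed POSTs to wp-login.php per IP inside a sliding window and reports the addresses that would be locked out. The log lines and IP addresses are constructed for this example.

```python
# Added example (not from the original post): detect brute-force attempts against
# wp-login.php in an access log, the signal a "limit login attempts" plugin acts on.
# The log lines below are constructed (documentation IP ranges).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Mar/2024:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
192.0.2.44 - - [10/Mar/2024:11:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
"""

def failed_logins(log_text):
    """Yield (ip, timestamp) per failed login: WordPress re-renders the login
    form with HTTP 200 on a wrong password and redirects (302) on success."""
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def find_brute_force(log_text, max_failures=5, window_minutes=10):
    """Return {ip: peak_failures} for IPs that reach max_failures failed logins
    inside any sliding window of window_minutes (the usual lockout rule)."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= max_failures:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders

if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG).items():
        print(f"lock out {ip}: {n} failed logins within 10 minutes")
```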

6. Updating WordPress Core Files, Themes, and Plugins

It is important to keep WordPress core, plugins and themes up to date. Attackers mainly target older versions of software, so updating is always important.

WordPress applies minor updates automatically, but major updates have to be done manually. Plugin and theme developers often do not focus on security while developing; once a vulnerability is reported, they learn of the problem, fix it and release a new version.

If you keep using the older version, you remain at risk. Update themes and plugins as soon as a new version is released. If you no longer use a particular theme or plugin, delete it to protect your website. It is also recommended to use only trusted WordPress plugins and themes. Staying updated protects WordPress from hackers.

7. Install Trusted Plugins and Themes

Plugins and themes are essential for any WordPress website. They determine how your website looks, make it responsive and attractive, help it reach people and improve your Google ranking.

Plugins and themes are offered by many different people, so make sure you get them from a trusted developer. Nulled (pirated) plugins and themes exist; do not use them, because they may harm your website.

8. Make Sure to Use Correct File and Folder Permissions

If you are not using managed web hosting, you have to make sure your files and folders have the correct permissions. Each file and folder carries permissions that control which users can read, write and modify it.

Generally, WordPress folders should have permission “0755” and WordPress files “0644”. These permissions help protect your website. You can change file permissions through your FTP/SFTP client.
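An added example (not from the original post) that checks a WordPress tree against these modes and reports anything more permissive. The stricter 0640 limit it applies to wp-config.php is this example's own assumption, and make_sample_site() builds a constructed tree containing two deliberate mistakes.

```python
# Added example (not part of the original post): audit a WordPress tree for the
# permissions recommended above (0755 directories, 0644 files) and flag anything
# more permissive. The stricter limit for wp-config.php is this example's own
# assumption, since that file holds the database credentials.
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MAX = 0o640   # assumption: wp-config.php must not be world-readable

def too_permissive(actual, expected):
    """True if `actual` grants any permission bit that `expected` does not."""
    return bool(actual & ~expected)

def audit_permissions(root):
    """Walk `root`; return [(relative path, actual mode, expected mode)] for every
    entry whose mode grants more than the recommended one."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            if name == "wp-config.php":
                expected = CONFIG_MAX
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if too_permissive(actual, expected):
                findings.append((os.path.relpath(path, root), oct(actual), oct(expected)))
    return findings

def make_sample_site():
    """Build a small constructed WordPress-like tree with two deliberately bad
    modes: a world-writable uploads directory and a world-readable wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel, mode in (("index.php", 0o644), ("wp-config.php", 0o644)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    return root

if __name__ == "__main__":
    for rel, actual, expected in audit_permissions(make_sample_site()):
        print(f"{rel}: {actual} (expected at most {expected})")
```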

  • WP-Admin:

The wp-admin directory is important for any WordPress website, so add an additional layer of protection to it. To password protect the directory, log in to cPanel and go to Security > Password Protect Directories. A window asks you to select a folder; select the wp-admin folder. On the next screen, enable the option “Password protect this directory” and give the protected directory a name. Finally, create a username and password for the directory. That’s it, your wp-admin directory is protected. Note that many themes and plugins call wp-admin/admin-ajax.php from the public site, so you may need to exempt that file from the password protection.

  • WP-Includes:

Another common issue is leaving the wp-includes directory wide open to the browser. If it is open, attackers can easily look into the files, which may even reveal the WordPress version.

So it is important to prevent direct access to those files. You can block those scripts with mod_rewrite by adding the following code to the .htaccess file (place it above the block that begins with # BEGIN WordPress):

```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
```

  • WP-Content/Uploads:

The wp-content/uploads directory is where your media uploads are placed (wp-content also holds your themes and plugins). Left open, it lets anyone browse your media files and reach sensitive data.

Disabling PHP execution in this directory hardens your site and makes the attacker's job harder. To do so, place a .htaccess file with the following content in the root of the uploads directory:

```apache
# Kill PHP Execution
# (on Apache 2.4 without mod_access_compat, use "Require all denied" instead of "deny from all")
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
```

  • WP-config.php:

wp-config.php contains the crucial configuration of your WordPress site, so protecting it is like protecting the core of your website. If you make this file inaccessible, it is difficult for attackers to break your website. You can move the file one directory above the web root, and you can also deny web access to it by adding the following to the .htaccess file:

```apache
<files wp-config.php>
order allow,deny
deny from all
</files>
```

9. Disable File Editing

Any user with access to your admin area can edit theme and plugin files from the dashboard. Imagine what an attacker who gains that access could do to your website. It is better to disable file editing, so that even an attacker who gets into your WordPress dashboard cannot modify your files. To disable it, add the following line to wp-config.php:

```php
define('DISALLOW_FILE_EDIT', true);
```

This removes the file editor found under Appearance > Editor in the dashboard.

10. Backup your WordPress Website Regularly

An essential part of hardening a WordPress website is taking regular backups. They protect you from losing data, and you can restore your site whenever you need to.

You can back up WordPress in two ways: manually or with a plugin. Back up both your database and your WordPress files. Store the backups in multiple places, such as Dropbox, email or a hard drive, so that if one copy is corrupted, another remains. Once the backup is done, verify that it actually restores correctly.

For more detail, see our article How to Backup WordPress Database Manually and by Using Plugins? If you prefer plugins and are unsure which to choose, see our post 9 Best WordPress Backup Plugin For Your Website.

11. Choose a Trusted Web Hosting

Choose a reliable and secure web host for your website. A poor host does not take care of your website and may put it in danger. Many companies offer free hosting, but such hosts may let attackers inject unwanted code into your website.

Never go for untrusted hosting; always prefer a trusted, secure web host. They may be paid or complimentary, but it is better to avoid free web hosting companies. Hosts such as Bluehost, SiteGround and FastComet provide good hosting, keep you up to date and protect your website from hackers.

When connecting to a server, always use SFTP, so that the communication between your machine and the server is protected. If you host multiple blogs on the same server, give each its own database managed by a different database user.

Then, if an attacker breaks into one of your websites, it is difficult for them to reach your other blogs. You can also opt for managed WordPress hosting, which takes care of updates and security for you.

12. Make Use of Good SSL

SSL stands for Secure Sockets Layer. It encrypts data in transit, protecting sensitive information such as user details, credit/debit card numbers, addresses and email IDs from being intercepted.

It is an extra layer of protection that turns HTTP into HTTPS and keeps sensitive data secure on the wire. Many web hosting companies include an SSL certificate in their package; use it to protect your website.

You can also easily install a free, open Let’s Encrypt SSL certificate on your hosting account. If you need any help with Let’s Encrypt installation, please contact me and I will help you install it.

13. Change the WordPress Login Page URL

By default, the WordPress login page URL is domain.com/wp-admin (or domain.com/wp-login.php). Because every site uses the same path, attackers already know where to look.

They try to log in there and inject malicious code. To avoid this, change the login page URL; this keeps spammers away and helps against brute force attacks. WordPress has no built-in option to do this.

You have to install a plugin to change the URL. One free plugin for this is WPS Hide Login; others include Protect your admin and Rename wp-login.php.

14. Change the WordPress Table Prefix

Changing the WordPress table prefix is another way to protect your website. The default prefix is “wp_”, and attackers know it well; attacks that rely on knowing your table names can simply assume the default.

So it is a good idea to change the table prefix, for example to “wp_gtjy67rFd”. For detailed steps, see our article Steps to Change WordPress Table Prefix to Improve Security.

15. Disable XML-RPC

In general, a DDoS attack can target any page of your WordPress website, but the XML-RPC interface (xmlrpc.php) is an especially common target.

It is mainly used for trackbacks and pingbacks, which most people do not use, so it is better to disable it. You can install a plugin called Disable XMLRPC, which turns off the XML-RPC API on your WordPress website. Note that some tools, such as the WordPress mobile app and Jetpack, rely on XML-RPC, so check that you do not need it before disabling it.

16. Change Your Security Keys

WordPress uses cookies to identify who is logged in to your website, whether to comment or to make changes in the dashboard. These cookies carry the login and authentication details.

Once a password is broken, attackers can gain access to your dashboard and make any changes. WordPress security keys add an additional layer of protection to these cookies. The keys are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, each paired with a matching salt (AUTH_SALT and so on).

You can change the security keys with a plugin such as WordPress security key generator: it displays a fresh set of keys, which you copy into wp-config.php in place of the old ones. This makes it harder for attackers to forge cookies; note that it also invalidates every existing login session. There are many plugins that do this.
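The following added example (not part of the original post or of any plugin) audits a wp-config.php for the three settings discussed in steps 9, 14 and 16 and generates a fresh set of keys. The sample config text is constructed; the string 'put your unique phrase here' is the placeholder WordPress ships in wp-config-sample.php.

```python
# Added example (not part of the original post): check a wp-config.php for the weak
# settings covered in steps 9, 14 and 16 (file editor enabled, default "wp_" table
# prefix, placeholder security keys) and emit replacement keys. Sample config is constructed.
import re
import secrets

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_KEY = "put your unique phrase here"   # placeholder in wp-config-sample.php
# printable ASCII minus quotes and backslash, so a key is safe inside a PHP string
KEY_ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def audit_wp_config(text):
    """Return a list of findings; an empty list means the three checks pass."""
    defines = {m.group(1): m.group(2) or m.group(3) or m.group(4) or ""
               for m in DEFINE_RE.finditer(text)}
    findings = []
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled")
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    for name in KEY_NAMES:
        value = defines.get(name, "")
        if not value or value == DEFAULT_KEY or len(value) < 32:
            findings.append(f"{name} is missing, still the placeholder, or too short")
    return findings

def random_key(length=64):
    """One key drawn from a CSPRNG, the kind of value a key generator hands you."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))

def generate_keys(length=64):
    """Fresh define() lines for all eight keys, ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{random_key(length)}');" for name in KEY_NAMES)

SAMPLE_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""

def hardened_config():
    """A corrected config built from the sample: new prefix, editor off, fresh keys."""
    return ("<?php\n$table_prefix = 'wp_gtjy67rFd';\n"
            "define('DISALLOW_FILE_EDIT', true);\n" + generate_keys() + "\n")
```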

17. Hide Your WordPress Version

Another good idea is to hide your WordPress version, because just by looking at your page source, attackers can find out which version you run.

Knowing the version, they can look up the matching tricks and try to break in. Once the version is hidden, it is much harder for them to identify. Add the following to your theme's functions.php file:

```php
// Return an empty generator tag so the WordPress version is not printed in the page head.
function wpversion_remove_version() {
    return '';
}
add_filter('the_generator', 'wpversion_remove_version');
```

You must also delete the readme.html file in the root of your WordPress install, because it shows the WordPress version. Simply log in through FTP and delete it. Note that WordPress core updates put the file back, so delete it again after each update.

18. Hide Author Usernames

Exposing author usernames is a bad idea for any website. The author is often the admin of the website, so the author archive reveals the admin username and hands attackers half of the login. For a secure website, it is preferable to hide the author name.

To hide it, add the following code to your theme's functions.php. Anyone requesting an author archive is redirected to the homepage and gets no details about the author.

```php
// Redirect author archive requests (e.g. ?author=1 or /author/name/) to the homepage
// so the author's login name is not disclosed.
add_action('template_redirect', 'bwp_template_redirect');
function bwp_template_redirect() {
    if (is_author()) {
        wp_redirect(home_url());
        exit;
    }
}
```

19. Use WordPress Security Plugins

One of the best ways to protect your website is with a WordPress security plugin. These plugins protect against hackers and brute force attacks, enforce strong passwords and much more.

They protect your data and drive attackers away from your website. Many good security plugins are available; if you are unsure which to choose, see our article 5 Most Important WordPress Security Plugins.

There are also many free online remote scanners that inspect your website the way a visitor or a search engine sees it. A few are VirusTotal, Sitecheck, Unmaskparasites and Redleg AW-Snap. You can also use automated scanner plugins such as Quttera Web Malware Scanner and iThemes Security.

Wrapping Up

Securing your WordPress website is a major task, and following the checklist above is essential. Once your site is hacked, attackers can access all of its data and put you in a dangerous situation.

We hope this gave you an idea of WordPress security. If you found the article useful or have any questions, feel free to leave a comment. You can also follow us on Facebook and Twitter.
