How to Secure WordPress Site from Hackers

If you’re a WordPress website owner reading this article, you care about your site’s security, and with good reason. According to WordPress Hacking Statistics, WordPress accounted for over 95% of all hacked sites.

While WordPress by itself is a secure platform, its immense popularity makes it a preferred target for hackers. Websites big and small, are equally at risk, since hackers can automate their attacks on WordPress sites to scale.

But, what do hackers achieve by compromising websites? And how to secure WordPress site from hackers? Let’s understand that in the next section.

Why Hackers Target WordPress Sites

While this is not an exhaustive list, hackers target WordPress websites for several reasons such as:

  • Hijack the site to redirect users from a heavy traffic site to other unsolicited sites including duplicate sites that collect user details.
  • Generate money through ransomware or sell fake products on original websites.
  • Steal confidential data from database records including customer records, credit card details, financial data, or business data.

While these are worrying, fortunately, for WordPress site owners, there is a way out! We have compiled a list of the ten most effective measures to protect your website from these cybercrimes and their repercussions.

10 Proven Measures How to Secure WordPress Site from hackers

These measures have been recommended by industry experts and experienced WordPress users. The best part? You can easily perform each of these yourself – without relying on any technical expert or agency.

Remember that these measures are not a one-time activity and must be a part of your website maintenance strategy. 

What are these ten tried-and-tested measures? Let’s get started!

1. Keep Your WordPress Plugins and Themes Updated

To keep its users safe and protected, the WordPress team regularly releases an updated version. There is a major WordPress version released approximately every four months.

Reliable and trusted plugin and theme developers also release an updated version at regular intervals. Despite being free to download, a majority of users do not download and install newer versions for fears of their websites breaking or facing incompatibility issues.

How to Secure WordPress Site from Hackers: Updates

Why are these updates so important? Cybercriminals look for any vulnerabilities or bugs in older versions that they can exploit.

We highly recommend that you periodically update your WP version to the latest one, and do the same for your installed plugins and themes.

If manually updating every plugin might seem like a task, you could opt for the “Auto Update” feature in your WP admin account. 

2. Back up Your Website

If you have an online business, you are well aware of the crucial role loading speed and user data play in its success. While even a temporary downtime can mean a dent in your business, a data breach or site crash can completely cripple your business.

Timely backups are the only solution to this issue. Make sure that you periodically back up and store your website and database files at a safe and independent location.

Performing backups manually and frequently, however, are a considerable investment of time, effort, and resources. Besides, this requires a fair degree of technical expertise. Automated backup tools like BlogVault, UpdraftPlus or Backup Migration can help you here.

Just like any other Backup WordPress plugins, these are easy to install and automate and simplify the entire backup process. Depending on your website, you can perform daily/weekly backups or configure scheduled backups without any human intervention. They also come with independent backup storage and easy restore options. 

3. Scan Your Website for Malware Variants

Hackers are notorious for infiltrating sites with malware variants that are hard to detect and remain in the site installation for days or weeks. Regular and in-depth scanning of your website is the only remedy for detecting and removing such threats. 

Fortunately, most security plugins offer scanning as part of their security packages. These scanning algorithms are constantly evolving to detect and counter the latest types of malware infections. In addition to scanning, security plugins like MalCare also offer an immediate and automated malware removal so you don’t have to wait for technical assistance to remove detected malware. 

How to Secure WordPress Site from Hackers: Malcare

4. Limit the Number of Failed Logins

Worried about constant attempts on your login page? You should be, as hackers do try to gain access to your login account, particularly that of your WP administrator. These are called brute force attacks, which are specifically designed to target vulnerable login pages.

An effective way to handle this is to limit the number of failed login attempts. You can quickly achieve this by deploying the CAPTCHA tool that can differentiate between a genuine human user and a bot. You can take the help of security plugins that offer a CAPTCHA tool, among other security features.

How to Secure WordPress Site from Hackers: CAPTCHA

Another good practice is to configure strong alphanumeric passwords comprising at least 10-15 characters. We also recommend that you change your login passwords frequently or at least once in 3 months for maximum efficiency.

Finally, don’t forget to change your default login URL /wp-login.php. Without the correct URL, hackers cannot perform their brute-force attacks on your website.

5. Protect Your Website with a Firewall

In a nutshell, a firewall’s job is to block malware or any potential threat even before it reaches your website. It monitors every request to your site and deems if they are safe or a threat. Bad traffic or requests from suspicious IP addresses are automatically blocked.

Try and set an effective firewall on your computer using security tools like Norton. Alternatively, you can even configure a complete firewall for your WordPress site using security plugins like Sucuri or MalCare mentioned earlier. These are easy to configure and are effective against a variety of threats.

How to Secure WordPress Site from Hackers: Firewall

6. Restrict User Access to Your Website

Do you have hundreds of user accounts on your site? Hackers exploit this situation by trying to force malware and other threats into user accounts, especially users with administrator rights.

As a rule, limit the number of admin users and only assign this privilege to trusted users or those responsible for admin tasks. For other users, assign user rights based on their job function and role. For instance, you can assign various user roles ranging from the subscriber (with the least privileges) to administrator or super admin (with the most privileges) when creating the user access.

How to Secure WordPress Site from Hackers: User roles

You can assign or modify user privileges from your official WordPress account. Many security plugins also include this in their WordPress management features.

7. Secure Your Website Using SSL Certification

Is your site denoted with HTTP:// or HTTPS://? If it’s still HTTP, you need to get an SSL (Secure Socket Layer) certificate for your site.

How are SSL-certified websites more secure? If your site is SSL protected, whenever your web server processes and responds to a user request from any browser, the data exchanged is encrypted so hackers cannot intercept it.

How to Secure WordPress Site from Hackers: SSL

How do you obtain the SSL certification? You can either get it from your current web host or buy it from any third-party provider like Symantec or RapidSSL. Alternatively, you can choose to install a free SSL tool like Let’s Encrypt on your site.

8. Safeguard Your wp-config File

In any WordPress installation, the wp-config.php file is very crucial as it contains information about database credentials, private security keys, and how to prefix the WP database. As a result, this file is commonly targeted by hackers.

How to Secure WordPress Site from Hackers: wp-config

You can take several measures to secure the wp-config.php file in your installation folder. 

For example, you could make this file read-only so that hackers cannot modify or copy its content. Another measure is to change the default location of this file and move it to another folder. Additionally, you can protect the wp-config.php file from access by adding the following code to the .htaccess file in your WP installation:

<files wp-config.php>

order allow, deny

deny from all


9. Uninstall all Abandoned Plugins and Themes

As mentioned in measure 1, hackers commonly exploit vulnerabilities in outdated or unused plugins or themes to meet their objectives. This includes targeting abandoned plugins and themes that are no longer supported or being updated by their respective developers or companies.

Is your website still using such plugins or themes that are no longer being supported? The best guard against this problem is to remove all abandoned plugins and themes or replace them with more active or trusted themes and plugins. Apart from abandoned plugins and themes, you should avoid the use of nulled plugins if present on your site.

10. Harden Your Website

And finally, we come to the last website securing measure, which is not one measure but a combination of 12 measures. Prescribed as a necessity by WordPress, website hardening is the means through which you can strengthen or fortify your site against hackers and potential attacks.

Among the 12 recommended ways, the following two site hardening measures are the most essential:

  • Disabling the file editor, which prevents hackers from gaining control of your website by adding damaging scripts and modifying plugin/theme codes using any file editor. This hardening measure is most effective against SQL injections and SEO spamming.
  • Disabling execution of PHP files, which prevents hackers from inserting their PHP functions in existing files or through creating their folders.

These measures require a fair bit of technical know-how. A convenient alternative is to using the hardening measures offered by security plugins like MalCare as shown below. 

How to Secure WordPress Site from Hackers: Block PHP Execution

In Conclusion

Website security is no longer a good-to-have, but instead, a must-have in your website maintenance strategy. Hackers leave no stone unturned to spread their malicious activities across the internet. While you can never be guaranteed 100% protection against them, you can proactively improve your website security.

We hope the ten measures outlined in this article are useful as you improve your website’s security posture.  Most of them are easy to implement and you can do so without any technical expertise or budget overheads. If budget is not a constraint, we highly recommend that you invest in a security plugin that combines these features while offering automated workflows. 

Are there any measures you think we’ve missed? Do you have any questions? Let us know in the comments below! 

Akshat Choudhary
Founder and CEO of BlogVault, MalCare and WP Remote – successful WordPress plugins designed for complete website management. He has always prided himself on his ability to teach himself things. Since starting BlogVault, Akshat has transformed his side-project into a profitable venture that is scaling new heights in the Indian startup space. As a member of the WordPress community for almost a decade, Akshat’s core belief when building any product is to ensure the end-user doesn’t need assistance and to assist them in the best possible manner if they do.
Photo of author
Bootstrap Themes
Bootstrapthemes editorial team comprises professionals that strive to deliver well-researched and comprehensive content focused on WordPress, web design, and growing your online ventures.

Leave a Comment

Recommended Posts