pen paper writing icon WordPress icon png newspaper icon

How to Protect Your WordPress Site from Hackers

How to Protect Your WordPress Site from Hackers

How to protect my WordPress site from hackers? If this is a question you find yourself asking all too often, you’re not alone.

Thanks to the popularity of the WordPress platform, WordPress websites are always at a higher risk of attacks and hacks.

Thankfully, there are tried and trusted ways to protect WordPress sites from hackers. And no, you don’t need to be a WordPress expert to apply them on your site. 

In this article, we share with you 14 steps that you can take to secure your WordPress site against hackers. Let’s get started. 

How to Protect A WordPress Site From Hackers?

No matter the size or domain of your website, no website is safe from hackers who are always on the lookout for ways to spread their malicious net wider on the Internet. Whether it is deploying automated scripts to ‘crawl’ your WordPress site and detect any vulnerabilities, or using them to gain access into your WordPress account, no part of your website is safe from hackers. 

WordPress protection from hackers essentially means protecting each part of your website from malware, brute force attacks, and other threats. The 14 safety measures we’re about to share offer a strong foundation so you can do just that:

1. Use A Secure Web Host

A secure hosting server and environment is a critical element for protecting your WordPress site. Make sure your hosting company prioritizes keeping their hosted sites safe from hacks through services like regular backups, firewall protection, and malware scanning.

If you are currently hosted on a shared host, consider migrating to a cloud host or managed host that provides stronger assurance of a secure environment.

2. Use Strong Passwords

Strong passwords are probably the easiest measure to protect WordPress from hackers and in stopping brute force attacks. Strictly avoid the use of passwords like “123456” or “password” that are easy to guess. Instead, make sure every password is at least 10-12 characters long and contains a mix of alphabets, numbers, and special characters.

Use strong password

If you have many users, you can use password management tools like 1Password or LastPass to automatically generate and store stronger passwords for each user.

3. Enable Two-factor Authentication (2FA)

While strong login credentials are always effective for stopping brute force attacks, an extra layer of login page protection is available using Two-factor authentication (or 2FA). This measure ensures that even if ‘malicious’ users can guess the correct login credentials, they also need to enter the correct verification code which is sent only to the ‘genuine’ user’s device.

Two factor authentication

To implement 2FA, all you need to do is to install and activate a 2FA plugin like Google Authenticator.

4. Limit Login Attempts

To be successful at gaining account entry, brute force attacks make repeated attempts at guessing the correct user credentials. By default, WordPress sites allow an unlimited number of login attempts. However, that should not stop you from limiting the number of login attempts to 3 or 4. 

Limit login attempts

All you need is to install the CAPTCHA tool that displays the CAPTCHA screen after multiple failed login attempts. This tool is also effective at determining if a ‘human’ user or a ‘bot’ is trying to access the login account.

5. Change Your Default Username “admin

For easy usability, WordPress assigns a default administrator initially for every new WordPress account. This administrator is useful in the initial phase for setting up your WordPress website and creating additional users. However, using the “admin” username has its share of security problems. 

To make it harder for brute force attacks, change this username to a more unique username that is difficult to guess. The best way is to create a  new administrator (with a stronger username) and then remove the default “admin” user.

6. Keep Your Core, Plugins, Themes Updated

A majority of WordPress vulnerabilities are a result of an outdated Core WordPress version, or installed plugins and themes. Hackers constantly look for older software versions, which they can exploit to their advantage. The best protection against hackers is to keep your WordPress site updated to the latest version.

You can apply regular updates from the WordPress hosting account – or enable automatic updates. There’s an additional benefit to keeping your site updated. Most WordPress theme and plugin updates contain speed and performance enhancements that could make your WordPress website faster and smoother. 

7. Regularly Backup Your Website

Though strictly not a security measure that can protect WordPress from hacking, a sound backup and restore strategy allows you to minimize downtime and loss of revenues. If you run an eCommerce site, a backup ensures that you don’t run the risk of downtime or lost customer records or transactions. 

Though you can take manual website backups of your core website files and the database, using a WordPress backup plugin like BlogVault or BackupBuddy can free up your time since they automate and schedule the entire backup process. If you 

8. Add an SSL Certificate

When you add an SSL certificate to your site, you essentially migrate your website to the Secure HTTP (or HTTPS) protocol from the less-favored HTTP protocol. HTTPS encrypts all the data transmitted between your website and your user for their safety and yours.


How can you move to HTTPS? Add an SSL certificate, which can be obtained from your web hosting company or by using an SSL plugin like Let’s Encrypt.

9. Disable File Editing

With the WordPress file editor, hackers can gain website control and execute ‘harmful’ PHP code on the site. This can be a security threat when an administrator account is compromised. The best solution is to disable file editing by adding the following code to the wp-config.php file of your WordPress system:

define( 'DISALLOW_FILE_EDIT', true );

10. Restrict Site Access and User Roles

Unrestricted website access for all users can be a major WordPress risk – particularly to the administrator dashboard. The good part is that you can now restrict access to selected web pages based on the user roles. To do this, you need to install the “Restrict Content Pro” plugin and configure the pages where you want limited user access.

11. Disable Directory Browsing

Hackers use the WordPress directory browsing feature to find files that could have vulnerabilities. Additionally, this feature can be used to copy your WordPress files or find out more about the folder structure. The best solution is to disable directory browsing so that it cannot be misused by hackers. This can be done by adding the following line of code at the end of your .htaccess file in your installation folder:

Options -Indexes

12. Disable PHP Execution.

On their part, hackers can insert malware code and execute them using PHP files. You can improve your WordPress site security by disabling the execution of its PHP files. To disable PHP execution, open the .htaccess file in the “uploads” folder of your WordPress installation and add the following code:

<Files *.php>

deny from all


13. Use a WordPress Security Plugin

While the steps outlined so far do a great job of protecting you from known threats, it can be hard to keep up with hackers and their innovative ways. One of the most effective ways to protect your website from as-yet-unknown or rare attacks, or even multiple types of malware, is to invest in a dedicated WordPress plugin for security.

WordPress security plugins like MalCare and Wordfence can detect even lesser-known malware and you can schedule and automate the entire malware scanning process. MalCare even has a one-click malware removal process so you don’t have to rely on external technical support to clean your site.


14. Enable A WordPress Firewall

If there’s another simple way to protect a WordPress site from hackers, it is to make it hard for them to reach your site. Firewalls act as the last line of defense against ‘suspicious’ IP requests made by hackers. It acts more like a security guard allowing or blocking people from entering your home or office. 


Firewalls keep track of both ‘good’ and ‘bad’ IP addresses and automatically allow or block requests made from them.

Most security plugins like MalCare and Sucuri have an in-built firewall to block all malicious traffic.

Why should You Protect Your WordPress Site from Hackers?

Knowing how to protect a WordPress site from hackers is no longer something you can put off for later. Simply because a hack impacts more than just your web presence or your SEO rankings. A successful malware or brute force attack, even for a few hours, can seriously damage your revenues and undermine your brand authority

Depending on the type of attack, a WordPress hack can cause some or all of the below: 

  • Complete defacement of your website homepage with harmful “pop-up” ads
  • Misuse of your SEO effort that could get your website getting ranked for spammy keywords 
  • Visitors getting redirected to other unsolicited websites selling fake products or banned pharmaceutical products
  • Spam or “phishing” emails being sent to your customers using an authentic business email address
  • Data breaches resulting in the loss of valuable customer records, financial transaction details, and other sensitive data

We hope this article helps you with tips and strategies so you know exactly how to protect a WordPress site from malware and hacks. 

What do you think of the 14 security measures that we have discussed? Are there any that you’d add to this list? Let us know in the comments.