How to Protect Your WordPress Site from Hacking?

Posted on Oct 06 2020 by in Uncategorized 

WordPress has been evolving continually since 2003 and is one of the most successful open-source projects ever.

Built using PHP and MySQL and available under GNU Public License, it is used by 38% of the internet.

But is a website built using WordPress secure? Well, the raw data would say otherwise. Every year hundreds of thousands of WordPress sites get hacked, but it is a small percentage compared to the billion that exist.

Sources –

Since there are no other comparable platforms (the runner up Wix doesn’t have 1% of the customer base that WordPress enjoys), it is hard to say if WordPress is insecure or its sheer size makes WordPress hack numbers gargantuan.

The same applies to Windows vs. macOS or Android vs. AppleOS. The sheer size of Windows and Android makes them take a significant hit from malware.

Basically, once hackers find a security flaw in a WordPress version, it can be used to attack hundreds of sites.

Although WordPress tests each release, there are serious problems once in a while. Version  4.7 allowed the deletion of arbitrary files without verifying the user (CVE-2018-20714). All versions of 4.7 till 4.7.10 had this problem, and the only fix is to upgrade.

A hacker could, in theory, delete –

  • .htaccess – deactivate security for critical folders
  • index.php – the structure of the site
  • wp-config.php – core WordPress file that contains the name, localhost, database name, and other crucial site information details.

How To Secure WordPress Site From Hacking – The Best Tips

When a WordPress site is hacked, there is not only the problem of the site being taken down but worry if customer data has been stolen. Personally identifiable information such as name, address, gender, date of birth, email address, and even payment details might be residing on your site.

Any compromise of such information would see your goodwill plummet.

There is no need to worry. We have curated the best tips to keep your WordPress site secure and hacking free zone. Just follow a few simple (and some not so simple) recommendations, and you do not need to fear any intrusion.

  1. Update Software


At the end of the day, WordPress is software. It does complex tasks, but it resides on a server (private or rented), and just like an antivirus or media player, it needs an update from time to time.

Take care to install the new versions promptly and view the ChangeLog. This list specifies what the problems with the last version were and if it has been rectified.

Also, check the official WordPress forum at regular intervals about any warning. Another excellent resource is /r/ WordPress, the official WordPress Reddit page.

We would not suggest Quora because it is filled with out of date questions. But there is no harm in reading it once in a while too.

It is important to remember to backup your website as XML and SQL before you do any version updates.

  • Update Plugins


You must have several plugins slaving away – at least one for templates and editor, one for mail, and one for spam. If you own an e-commerce site, there must be many more, including a checkout page, invoice manager, product page manager, SEO, and so on.

Not only do vulnerabilities lie in the WordPress platform itself but also these plugins.

That is why, while choosing plugins, it is essential to read reviews about them, Google extensively about any known security flaws, and install after understanding all relevant issues to prevent WordPress hacking.

If you are not conversant with coding and other web development software, it is best to engage a web developer.

Use extensions that have outstanding reviews and always pay added attention to negative feedback than positive ones.

  • Change Login URL


Inspecting the page source would tell a hacker if you are using WordPress. Most website owners do not care to change their default URL for administration. It remains /wp-login.php or wp-admin/

This makes life especially easy for the hacker. All they have to do is find a way in by guessing or brute force attack on your password. Newer computers have made these attacks quite easy.

Therefore it is essential to add another layer of obstacles in front of the hacker. Change the page to www.mysite/my-personal-login or something similar.

If the hacker cannot find your login page, they would have difficulty messing with the site. The easiest way is through a plugin such as Change wp-admin login.

Of course, bookmark the new URL, or you won’t be able to log into your own site!

  • Password Security


This brings us to the importance of passwords. Most choose a weak password, such as koolgal#123. That is simple to remember but also easy to crack. Any word that can be found in the dictionary must be avoided.

An excellent example of a secure but easy to remember password would be k00l9al#1#2#3. Note that it still remains in essence koolgal with “o” swapped out for “0” and a special character between 123.

According to password strength checkers, the simple changes make the new password 3,000 times more difficult to crack even with the best WordPress hacking tools.

Of course, using a password such as [4(5&ar^n3)w] would be even more efficient, but then you need a password manager and have to worry about how secure that app is!

An important tip. Never store your password in an unprotected file on your desktop or laptop. At the very least, take a printout and keep it in your safe or better yet, remember it. Before you ask how to protect my WordPress site from hacking, take basic steps.

  • Use Secure Socket Layer Encryption

Any browser exchanges information with the server using HTTP or HyperText Transfer Protocol.

It has been in use for several decades and is the standard adopted globally. That also means that anyone snooping on your site (say, someone who can intercept the data on your wifi) can read the packets and find the password and other crucial information (you must remember that hackers are a patient and determined lot).

SSL encrypts the data at one end and decrypts it at the other. So essentially, what the hacker scans is a scrambled mix of binary code.

Not that SSL only makes your site more secure for you but your customers. In fact, in recent months, the Chrome browser puts out a warning for anyone about to proceed to a plain vanilla HTTP site.

If you have a monetized site and the warning prevents a few dozen users a day, what chance do you have of succeeding?

On the other hand, it costs very little to purchase an SSL certificate. Look upon it as an investment.

Remember, the SSL must not only apply to specific parts of the site but all of it. Some WordPress site owners are content to run a few pages (order page, etc.) on SSL but leave the rest of the site unprotected.

In that case, when a user is trying to visit -use-a-wysiwyg-web-builder from Google, he would face a warning, and that shrinks your sales funnel manifold times.

  • Two Factor Authentication


Alongside login id and password, send a One Time Password via SMS. This is very secure but might be slightly problematic for smaller sites to implement.

Another idea would be to use a Captcha that makes it impossible to use brute power cracks.

Even a simpler version of math Captcha such as 2 + 7 = … adds to security.

Of course, the login requires more effort from the customer, but it also makes intrusion nearly impossible for hackers.

Hackers are human too. They would stay away from a site that seems very secure because they would have to use more CPU power to get around each time they encounter an obstacle.

Also, reduce the number of login attempts to no more than five. Default WordPress settings allow unlimited login attempts.

If you reduce these, access from a particular IP would be cut off after a certain number of attempts. Even if the hacker uses a VPN, they would have to reset the fake IP address to access your site again and again.

  • Use a Firewall


The internet operates using thousands of ports. These ports are channels that interface between your network and the broader internet.

Like the Coast Guard that watches over traffic that enters from the oceans to territorial waters, a firewall inspects the data flow to and from the website.

Taking the example in #6 above, if someone makes repeated attempts to log in, the firewall would recognize it as unusual activity.

That is not all. A website application firewall or WAF protects against problems such as XSS and SQL injection.

WAF may be hardware or software based. Your home router has a hardware firewall, and Windows laptop has a software firewall.

WordPress allows you to use several firewall plugins that are software based. The best examples include Sucuri and Cloudflare.

  • Using Common Sense

No matter how secure your system, the last mile is always human.

Look at it this way – you have created the safest WordPress site and type in the password for the admin page with complete peace of mind.


the CCTV in your office has been hacked and lets the hacker clearly view what you are typing! Instead of googling “how to recover a WordPress site from a hacking” update your brain’s firewall! Harsh but true.

Another is phishing. You click a link sent via email that brings a Trojan malware into your system. It sits quietly, logging your keystrokes and sending a daily report back to the hackers.

There are many other obvious ways. Keeping your laptop Bluetooth accessible, sharing your wifi password indiscriminately, sharing your router set-up password, and more.

Unless you take care of your security, no one can provide you an entirely secure network. It is not possible.

End of the day…

It is easy to protect WordPress site from hacking. What is needed is effective use of technology coupled with careful habits.

If you are going to run a website as a passive or active income stream, you should take an introductory computer security course. Coursera and EdX provide short courses that would give you valuable insight.

It not only helps protect your WordPress website but also makes your home and loved ones safer.

Also, remember that it is not only the security that you build into your website that matters but also the server where it all resides. That is why it is crucial to rent space from a reputed hosting organization. Most good hosts provide you their own checklist about site security.

Does all of it drive up the cost? Yes. But that is the price you pay for a safe and secure online website.