India’s #1 Web Hosting Company Since 2012

Protect Your WordPress Website From Hackers With These 25 Tips

Posted by
August 7, 2018

Not happy with your web hosting service provider?

Approx. read time : 15 min

This article covers the below points:

Today, technology is taking the online world to a completely different stage. But still several businesses and individuals are finding a platform that is free and open to all and that is WordPress. WordPress is a popular open source CMS and therefore, it is used by all.

Being a free platform, it is vulnerable to several threats by hackers. Therefore, securing your WordPress site from hackers is the first thing that strikes your mind. Hackers are discovering new skills and so, it has become crucial for all WordPress users to take preventive measures in protecting their WordPress site.

On an individual level, you can learn from your mistakes but in terms of business, you just can’t take any risk. You can‘t even imagine the loss you would face, in case your website faces an attack. As a blogger or a eCommerce business owner, you are always occupied with content creation and product sale and so there’s no focus on website security.

No one wants to wake up suddenly on some day and find that your WordPress site is hacked and your website security is scorned by some hacker. Do you want it to be your wake-up call? No. Right?

Below are some tried, tested and efficient ways to protect your WordPress site:

Secure Your Login Page and Avoid Brute Force Attacks

Being a WordPress user, you know that the platform has a standard login page URL. The backend of the website is accessible from there and so, hackers try to brute force their way in. Simply adding /wp-login.php or /wp-admin/ at the end of your domain name will make it for you.

Below are the important things to be considered to secure your login:

1. Changing your login and password

Many WordPress users select “admin” as their default WordPress login username and this is very well known by hackers. Your login should be changed to something else that would confuse a hacker when trying to guess it. The username must comprise of some irrelevant name or something out of the blue but yes ensure that you remember it.

Next is the password which should contain lower case as well as upper case letters, numbers and symbols too. For example: your password should be like “iwbgfMT23$$”. You can make such combinations of the passwords and change them regularly.

For creating a strong password, you can follow a technique mentioned here. Take a sentence that you would recall, if you set it as a password. Pick the initials of the words in that sentence and add some digits and symbols to it. This type of password is almost very hard to be guessed as it would be meaningless.

2. Set up website lockdown and ban users

Have you heard about website lockdown feature? This can help solve a big problem by giving failed login attempts to the outsiders. When the hacker tries to access the site with repetitive wrong passwords, site will get locked and you will be notified of this unauthorized activity.

The iThemes Security plugin offers you the feature of failed login attempts and blocks the attacker’s IP address when the hacker tries to attempt to enter your website.

3. Use 2-factor authentication

Adding the 2-factor authentication (2FA) while logging into a website, is another security measure which is being applied by many websites today. This means the user provides login details for two different components. It depends on the website owner what those two factors would be. Those can be a regular password followed by a secret question, a secret code, a set of characters, etc.

4. Rename your login URL

Changing the login URL is an easy thing to do. The WordPress login page, by default, is easily accessible via wp-login.php or wp-admin added to the site’s main URL.

If the direct URL of your login page is known to the hackers, it is very easy for them to enter your website with a brute force attack. They try to log in with their Guess Work Database (also called as GWDb which is a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).

This is a small trick that restricts an unauthorized user to access the login page. Only someone who knows the exact URL can do it. You can change the URLs as shown in below examples:

      • Change wp-login.php to something unique; e.g. my_new_login
      • Change /wp-admin/ to something unique; e.g. my_new_admin
      • Change /wp-login.php?action=register to something unique; e.g. my_new_registration

5. Use email as login

You need to input your username to log in by default. Instead of using a username, you can use an email ID for a more secure approach. This is because usernames can be easily predicted while email IDs can’t be. Additionally, any WordPress user account is always created with a unique email address which makes it a valid indicator for getting logged in.

You can use the WP Email Login plugin for this as it starts working immediately after activation and there isn’t any configuration required at all.

For taking a test, you need to simply log out of your website and then log in again but this time you need to use the email address that you used for creating the account.

Related: Protect Your WordPress with These Amazing Security Tips

Secure your admin dashboard

The admin dashboard is the most interesting part for a hacker and the most secured section of all. It is quite challenging part for attacking the admin section but if the hackers succeed, it gives them a moral victory and access to exploit several things.

Here’s what you can do:

6. Protect the wp-admin directory

The wp-admin directory serves as the heart of any WordPress website. In case, this part of your site gets violated then the complete site might get damaged.

You can prevent this by password protecting the wp-admin directory. This type of security measure will allow the website owner to access the dashboard only after submitting two passwords. One is for securing the login page while the other secures the WordPress admin area. If the website users need to get access to only particular parts of the wp-admin, you may unlock those parts when you lock the rest.

The AskApache Password Protect plugin can be used for securing the admin area. An .htpasswd file is automatically generated; the password is encrypted as well as the correct security-enhanced file permissions are configured.

7. Use SSL to encrypt data

Another smart trick to protect the admin panel is to implement an SSL (Secure Socket Layer) certificate. With SSL you can ensure that your data is transferred in a secure way between the user browsers and the server which makes it difficult for hackers to breach the connection or spoof your info.

You can get an SSL certificate for your WordPress website easily, just by purchasing from some dedicated companies or asking for your web host to provide you with one (you will often find an option for SSL with the hosting packages).

Don’t forget that the SSL certificate also has a great impact on your website’s rankings in Google. The websites that are SSL certified rank higher in Google, as compared to those that aren’t. This ultimately means that there’s no more traffic. Do you want this to happen? Therefore, understand the importance of SSL to encrypt data.

Related: SSL Certificate Can Act Like A Superman To Protect Your Website

8. Add user accounts with care

In case, you are running a WordPress blog or a multi-author blog then you might be dealing with multiple people that access your admin panel. Due to this, your website can be highly vulnerable to security threats.

For this, installing a plugin like Force Strong Passwords might help your users for ensuring that the passwords they use are secure or not.

9. Change the admin username

While installing WordPress, don’t choose the username as “admin” for your main administrator account. This is very easily guessed by the hackers and they just need to know the password after this, leading to destruction of your website.

These types of attempts can be stopped with the use of the iThemes Security plugin that cleverly bans any IP address immediately as it tries to attempts to login with the “admin” username.

10. Monitor your files

For additional security, use plugins such as Wordfence, or again, iThemes Security that monitor the changes to the files of the website.

Secure the database

The site’s data and information is stored in the database and so, it is important to protect it. Below are the ways in which you can secure it:

11. Change the WordPress database table prefix

In case you have installed WordPress, you might be aware of the wp- table prefix used by the WordPress database. You need to change it to something unique.

Your database becomes highly vulnerable to SQL injection attacks with this default prefix. You can prevent such attack simply by changing wp- to some other term, for example, you can make it mywp-, wpnew-, etc. You can take the help of plugins such as WP-DBManager or iThemes Security for this.

12. Back up your site regularly

Though you think your website is secure with all the essentials but it’s always better to improve. So, it’s always better to keep an off-site backup of your website saved somewhere.

When you have a backup, it can help you restore your WordPress website to a working state at any time you require. There are some plugins such as VaultPress, BackupBuddy, BlogVault, CodeGuard, UpdraftPlus, etc. that can help you in taking backup of your WordPress website and restore it when required.

Related: 7 Excellent WordPress Backup Plugins For Easy Website Backup

13. Set strong passwords for your database

Even your main database user needs to have a strong password. It is the one that WordPress uses for accessing the database.

As recommended above, use combination of uppercase, lowercase, numbers, and special characters for the password.

14. Check your ‘comments’ and forms settings

When you enable comments on your posts, it is important to check your ‘Discussion’ settings. Ensure that all the comments are approved manually. It would add more administration work from your side but it’s always the best way for ensuring that no spam comments are entered.

Also, don’t miss to check that akismet is activated and that a Captcha is enabled on all your contact forms.

Secure your hosting setup

Almost all the hosting companies commit to offer an optimized environment for WordPress, but we can take a step further:

Related: Understanding Managed WordPress Hosting and When do you need one?

15. Protect the wp-config.php file

Crucial information about your WordPress installation is stored in the wp-config.php file which is the most important file in the root directory of your site. Securing it means securing the heart of your WordPress website.

If the wp-config.php file isn’t accessible to the hackers then they can’t breach the security of your site.

The good point here is that this can be done very easily. You simply need to take your wp-config.php file and place it to a higher level than your root directory.

If you store it to some other place, how can the server access it? The configuration file settings in the current WordPress architecture are set to the highest priority. So, though the file is stored one fold above the root directory, it is still visible to WordPress.

16. Protect xmlrpc.php (optional but recommended)

Only protecting the wp-config file isn’t enough. You also need to protect xmlrpc.php file as hackers commonly use it to hack a WordPress website. This file helps in remote communication with WordPress.

The use of xmlrpc (it is enabled by default from the WordPress version 3.8) can also be done to execute DDoS (Distributed Denial of Service Attacks) which can have a big impact on your website.

In case, you use the services such as JetPack, the official mobile wordpress app, pingbacks & trackbacks then only the XMLRPC is needed to be enabled.

For securing your xmlrpc.php file add the below code to your .htaccess:

17. Secure your .htaccess

Only tweaking your wp-config.php for security isn’t enough, you also need to secure your .htaccess file. Hackers can easily delete the code securing the wp-config.php file making your WordPress site vulnerable to attacks.

You should consider protecting your .htaccess file as one of the top priorities. You can do this by adding a code in the root .htaccess file of your domain:

18. Protect wp-admin files

The wp-admin file comprises of sensitive data and needs to be accessed only by the owners. You can prevent other users from accessing this file by using .htaccess.

You can add the following code by opening the .htaccess file present in the wp-admin folder:

This code restricts all the users other than those using the “xx.xx.xx.xx” IP (your static IP) from accessing the files in wp-admin.

19. Disallow file editing

The users those have admin access to your WordPress dashboard can easily edit any files that are a part of WordPress installation. These files include all the themes and plugins.

But, if you restrict file editing, a hacker too wont’ be able to modify any file even if he gets the admin access to your WordPress dashboard.

Add the following command to the wp-config.php file (at the very end):

20. Connect the server correctly

It is recommended to connect the server only via SFTP or SSH while setting up your site. Since SFTP offers more security features as compared to the traditional FTP which aren’t included in FTP.

The server when connected in this manner ensures that the files are transferred securely. This service is offered by many hosting providers as a part of their package. In case it’s not, it can be done manually.

21. Set directory permissions carefully

If you set wrong directory permissions, it can prove to be fatal, especially in a shared hosting environment.

In this case, it is better to change the files and directory permissions for securing the website at the hosting level. Set the directory permissions to “755” and files to “644” for protecting the complete file system – directories, sub-directories, and other files.

This is done manually through the Files Manager inside your hosting control panel or via the terminal (connected with SSH) by using the “chmod” command.

22. Disable directory listing with .htaccess

In case, you create a new directory as a part of your website and don’t include an index.html file in it, your visitors can get the complete directory listing of everything that is in that directory.

For example, if a directory called “data” is created, you can see everything in that directory simply by typing in your browser. There’s no need of password or anything.

This can be prevented simply by adding the below line of code in your .htaccess file:

Secure your WordPress themes and plugins

Any WordPress site comprises of themes and plugins as essential ingredients. But it’s quite unfortunate that they can pose serious security threats. Let’s check the ways in which WordPress themes and plugins can be secured:

Related: Top 20 WordPress Plugins for E-commerce Website

23. Update regularly

Developers support every good software product and also it gets updated regularly, but WordPress gets updated very frequently. These updates are done for fixing the bugs and sometimes contain vital security patches.

If you don’t update your themes and plugins, you can be in a serious trouble. Don’t forget that many hackers rely on the fact that people are least bothered to update their themes and plugins. Often, these hackers exploit bugs that are already fixed.

So, it’s always recommended to update the WordPress products regularly.

24. Update your WordPress version

Make it a point to update your WordPress site to the latest version. Each time when you see there’s an update available, it means that the WordPress team has already added the security patches.

Similar to all the reputed software products even WordPress is supported by its developers and gets updated quite frequently.  These updates are actually the fixes for bugs and also contain vital security patches sometimes.

If you don’t update your themes and plugins, you can face serious trouble. This is because several hackers know that people don’t care much about updating their plugins and themes. Therefore, hackers exploit the bugs that already have been fixed.

This means it is very important to update your WordPress products regularly – plugins, themes and everything.

25. Remove your WordPress version number

It’s very easy to find the current WordPress version. It is basically placed in the site’s source view.

This indicates that if the hackers know which version of WordPress is being used by you, it is very easy for them to plan the perfect attack.

It is possible to hide your version number with any security plugin mentioned earlier.


For a beginner, there’s a lot to be taken from this article. The more you care about your WordPress website security, the harder it will be for a hacker to break in. It is important to take some protective measure to secure your WordPress website from hackers. You simply need to follow the above mentioned guidelines for your website security. Hackers can cause big losses to your website or business. So, always remember prevention is better than cure.

Are looking for managed WordPress hosting? You have landed at the right place. Just at Rs.69/mo get managed WordPress hosting to start your online business today itself.

Pallavi is a Digital Marketing Executive at MilesWeb and has an experience of over 4 years in content development. She is interested in writing engaging content on business, technology, web hosting and other topics related to information technology.

Next to read
This article covers the below points: Secure Your Login Page and Avoid Brute Force Attacks 1. Changing your login and password 2. Set up website lockdown and ban users 3. Use 2-factor authentication 4. Rename your login URL 5. Use email as login Secure your......