[15 Tips] - How to Protect Your WordPress Website

[15 Tips] – How to Protect Your WordPress Website

You'll find affiliate links in the blog and you can read the Affiliate Disclosure here

I have been a victim.

 I have suffered a website hack that destroyed my website, and because I wasn’t able to recover from it, led to the closure of my business.

I know how bad it hurts to know that the hack was a very common type and if I would have just followed a few simple rules to protect my website, I won’t have lost my business. And even through this was more than 5 years ago, I still use its memory as a precautionary reminder whenever I setup a new website.

Long story short, I ran a vBulletin based website, which is still the best forum software in the world, and it got hacked because I didn’t update it in a while and didn’t hide the vBulletin version number. It would probably have not been hacked if I had hosted it on a good server and not been trying to save every last buck I could with hosting.

Now I host my websites on SiteGround because they provide fast, secure hosting at affordable prices

Why this guide?

While there are a number of WordPress security guides out there most of them, including WordPress’s own hardening guide, can be confusing so I’ve created this Beginner's Guide to WordPress Security - everything you need to know to secure your WordPress website.

Why hackers hack your website?

 It’s important to know why most WordPress hacks take place, to understand what you can do to prevent the most common attacks.

Most attacks aren’t done specifically to target you or your website because someone wants your business to suffer. Most attackers are simply looking to get some backlinks from your website or send spam email from your server.

Most attackers don’t even visit your website to hack it. They have created scripts that check your website for common security loopholes and automatically run pre-defined attacks.

This happens to work because most people don’t take the time to understand website security and take some fairly easy steps to prevent attacks.

This guide is not foolproof

There’s no such thing as a hack proof website. There never was and there will probably never be. Implementing some or all suggestions in this guide will still not guarantee that your website cannot be hacked.

The good news is that since most attacks are automated, if the scripts do not find anything they can exploit in your website security, they move on to the next website and completely ignore your website for that particular type of attack. This is because most hackers aren’t looking to find new ways to exploit WordPress, there are a number of websites they can exploit by existing means.

What I can confidently say is that once you have implemented all the steps in this guide, your WordPress website will be a lot more secure and cannot be hacked with the most common methods. These methods account for more than 95% of all WordPress websites hacked.

I’m going to give you a list of things to do and a list of things recommended in other WordPress security guides that you should NOT do!

So let’s get right to it:

Use Common Sense

Sometimes fairly obvious stuff gets overlooked which leads to a hacked website. The following safety tips aren’t just useful for securing WordPress websites and can be used for all website security.

Get a good host

Most websites get hacked because the hosting environment for the website isn’t secure enough. Since most websites are hosted on shared hosting accounts, there are chances that a successful attack on one website opens up the door to an attack on all websites on the server. Simply put, somebody else’s outdated WordPress installation on your server might lead to your website getting hacked.

This is why it’s important that hosting companies invest in infrastructure which has sufficient security precautions, including account isolation, built in.

Unfortunately, in the race for making the most money, some shared hosting providers overlook this with disastrous consequences for their clients.

I recommend you use any of the following WordPress hosts to make sure your website is protected even if other websites on your server get hacked.


Account Isolation

Free Site Transfer

















 Read More: Which is the best WordPress Hosting?

Use Strong Passwords

Since years WordPress set the default admin username to admin, and a lot of users still use this as the username for their administrative accounts.

This is the reason why a lot of brute force scripts try to gain access to your account by guessing the password for the username admin. This can be avoided simply by changing your administrator username to something else. Here’s a simple video that shows how to:

You should also use strong passwords for your account and force other users of your WordPress website to do the same.

Always use a password that’s different from any other password you use. This applies to the passwords for your WordPress admin account, your server account and your email account, to begin with. Real password security is when you use a randomly generated safe password for each of these services and never write it down.

Use this website to check if any of your passwords have ever been compromised

Of course that’s incredibly difficult to do and nearly impossible when you use a multitude of services to manage your website. This is why I recommend password management tools like DashlaneRoboform or LastPass which manage your passwords securely and are also equipped with built in strong password generators.

"People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. - Secrets and Lies: Digital Security in a Networked World"

Bruce Schneier

Never give access to someone you don’t trust

For obvious reasons. They might mess up your website by mistake or on purpose. They might do things which inadvertently make your website open for attacks.

When thinking about who to give access to, think “What would they lose if my website got hacked?”

If the answer is, not a lot, then reconsider giving them access. If the person isn’t qualified to perform the specific tasks you want them to perform on your website, don’t give them access.


[WP Security Tips] - Give Website Access Only To Those Who Stand To Lose If Something Goes Wrong! - #BloggingDoneBetter


Never give access to more people than absolutely necessary and restrict access for each to their specific role

 WordPress has predefined roles which limit the access of each user. Before granting access to anyone read up on these rules and choose the one which is appropriate for each user. If you want to play around with access levels, you can use this plugin to make it easier. Just be sure of what you are doing or this could quickly become – a bad thing!

Keep your computer clean and always use an internet connection you can trust

The web isn’t the only place from where malicious code can infect your website. This can happen from any of the devices you use to login to your website or your hosting accounts.

Always keep your computer (and other devices) clean and free from any virus, spyware, malware, adware or rootkits. An investment made in the security of your devices is an investment made into the security of your website.

For Windows, I recommend you look at the following:

Comodo Internet Security: It's what I use 🙂

Also, avoid using public internet access when logging into your website or hosting account. Public networks are susceptible and your sensitive information can be read by others on the same network.

If you absolutely must use a public network to access your website, use a VPN.

The only one I trust is Trust.Zone but I'd like to hear your suggestions too. Leave me a comment below and if I like it, I'll add your recommendation to this post.

[WP Security Tips] - If You Must Use A Public Network To Access Your Website, Use A VPN - BloggingDoneBetter


Never reveal your website protection layers ...

(that’s why I’m not going to do that either)

Its best never to talk about what security precautions you have taken to protect your website. Don’t even tell your best friend or spouse (I feel like a secret agent …)

Seriously though, the less others know about your website security, the less likely they are to tell others. The less others know, the more difficult it is for them to hack your website.

Even in this guide, I’m not going to reveal all the security measures I have in place, but rest assured that I have included all the necessary stuff.

Keep Backups (lots of them)!

Don’t get complacent about backups. You only find out how important backups are when you need them.

[WP Security Tips] You Can Never Have Too Many Backups Of Your Website! - #BloggingDoneBetter


You should have online backups, offline backups, remote backups and remote copies of all these backups!

Only then you can say you have enough backups 🙂

The only backup tool for WordPress I trust is UpdraftPlus. It has built in remote backup (with scheduling) capability and can be thoroughly customized with add-ons.

'One person's "paranoia" is another person's "engineering redundancy".'

Marcus J. Ranum

How to secure your WordPress website

Before you start implementing any of the steps below to secure your website, it’s a good idea to scan it for malware. Doing this first helps in several ways:

If your website isn’t hacked, it gives you peace of mind knowing that everything’s OK and you can begin the process to securing your website. If your website is hacked, you should ignore all the steps below and get professional help for cleaning your website.

Most hosting companies, including shared hosting companies, which support WordPress will include automatic core WordPress updates, which means they will update your WordPress installation soon after a new version is released.

In some cases, this can take up to 24 hours and I don’t like to keep my websites running on old versions for so long so I have setup Wordfence to email me instantly whenever a new version of WordPress available. I update WordPress as soon as I can, no matter where I am in the world, once I receive that email, it becomes my first priority to update all my sites.

About automatic updates: While it might seem like a good idea to turn on automatic updates for all your themes and plugins so they get updated as soon as an update is published to the WordPress repository, I don’t like this option because sometimes the update creates new issues.

I prefer to manually update plugins one by one (if more than one update is pending) and with each plugin update I quickly check if anything on my website looks broken. Of course it’s not a thorough test, but it allows me to quickly spot issues and if needed, temporarily disable the plugin and shoot an urgent email to the developer asking them to fix what’s broken.

If you still want to run automatic updates, here’s how to do it:

To automatically update WordPress plugins, add the following code to your wp-config.php file:

add_filter( 'auto_update_plugin', '__return_true' );

To automatically update your theme, add this code to wp-config.php (your WordPress theme must support automatic updates for this code to work): 

add_filter( 'auto_update_theme', '__return_true' );

Don’t use too many plugins and uninstall the one you aren’t using

Check which plugins/themes haven’t been updated in a long time and look for replacements. The developers have probably lost interest in maintaining the plugin/theme and might not respond to requests for updating.

Always use plugins and themes which have excellent support and are created by reputed companies. Beware of poorly coded themes/plugins, they might be cheap but their security loopholes might cost you big money in the long run.

You can check the quality of the code in your plugins using a plugin called Plugin Check. To check the code in WordPress themes, use Theme Check.

If you have doubts about a theme/plugin, please let me know by sharing in the comments and I’ll try my best to guide you in the right direction.

Don’t use free themes and never even think about using a paid theme which can be downloaded for free from one of those shady sites (you’ll find these sites when you search for a paid theme and attach the word free next to it). The reason these themes are free is because they have code injected in them which makes it easy to hack your site.

And obviously don’t install any software on your server (WordPress software or not) which has been downloaded from torrent websites. You will almost always be exposing your website to hackers who have added their malicious code to such “free” software.

Change the WordPress table Prefix

The WordPress standard table prefix is “wp_’and this is known to everyone who wants to hack your WordPress website. Changing the table prefix to something different will make your website much harder against SQL injection vulnerabilities.

Easiest way to do this is using iThemes Security plugin

Add WordPress Security Keys ...

Always protect your salt keys like I have done

… if they have not already been added. You’ll find this is the wp-config.php file. You can generate safe keys using WordPress Salt Keys Generator. This will not be an issue if you have installed your copy of WordPress using an automatic installation service like Softaculous, but you should still check and if the keys aren’t present, just update your wp-config.php file or ask your hosting support to do this for you. Most hosting companies which supports WordPress will do this for you quickly and free of charge.

Secure salt keys generated from WordPress Salt Keys Generator

Remove WordPress Version Number

Hackers keep a tab of the vulnerabilities they are able to exploit in each version of WordPress and one of the first things their automated scripts look for is an outdated version of WordPress, so it’s important to hide it.

You should hide your WordPress version even if you constantly keep your WordPress installation updated to the latest version. It just makes good sense.

You can do this by modifying your functions.php file and adding this simple line of code to it:

remove_action('wp_head', 'wp_generator');

Don’t disable XML-RPC

There are many outdated posts on WordPress security which advocate disabling WordPress XML-RPC API because it can be used for DDoS attacks against your website.

 Here's why this isn't needed anymore:

First: DDoS attacks aren’t very difficult to handle if you have a good host. I also recommend using CloudFlare because even their free plan offers basic protection against DDoS attacks.

Second: It’s not very likely that small and medium sized websites will be targeted in a DDoS attack unless you tick off a hacker or pose a challenge to them to bring your website down. Good hackers are creative AND intelligent people, and you should never make the mistake of thinking you can outsmart them and for god’s sake, never issue a challenge to them unless it’s intended to discover security loopholes and fix them.

Third: Several plugins (like Jetpack) and apps rely on XML RPC to communicate with your WordPress website and disabling XML RPC means they will no longer function as intended.

Fourth: WordPress has become pretty good with preventing abuse of the XML RPC API since it was first introduced years ago, in WordPress version 3.5

So it’s ok to NOT disable XML RPC in WordPress. For more information check out this post on Wordfence blog.

If you still wish to disable it, use this plugin instead of this one to make sure that you aren’t disabling important functionality of XML RPC.

Don’t Change the Login Pages

Some people recommend changing your WordPress login pages. For example changing wp-login.php to something else.

This is too complicated for new users and is also likely to cause discomfort to existing users who have become comfortable with logging into WordPress websites with their preferred methods.

Changing the login pages doesn't provide any additional levels of security if you have followed the steps above and ensured the safety of your user accounts.

Stay in the loop

Hackers keep finding new ways to break into WordPress websites. Keeping up to date with what’s going and how to protect yourself is essential.

It’s ok to be paranoid about safety

It's ok to seem paranoid about security. Hundreds (even thousands) of websites gets hacked every day and it’s your job to make sure that your effort and investment is protected.

So not matter what anyone says, if it doesn’t feel safe for your website, don’t do it!

"Security... it's simply the recognition that changes will take place and the knowledge that you're willing to deal with whatever happens."

Harry Browne

7 Point WordPress Security Checklist

 And to sum it all up, here's a 7 point checklist to help you secure your WordPress site: 

  1.  Get a good host which takes security seriously. I recommend SiteGround.
  2. Don’t use the username Admin anywhere on your website. If you are using Admin as your username, just create a new account and delete the Admin account. WordPress will allow you to attribute all the posts under the Admin username to your new username.
  3. Change your password and force other users to change their passwords too. I recommend password management tools like Dashlane, Roboform or LastPass which manage your passwords securely and are also equipped with built in strong password generators.
  4. Clean your PC. I use and recommend Comodo Internet Security.
  5. Uninstall all plugins that you can afford to uninstall.
  6. Keep multiple backups from various sources (hosting backups, backup plugins etc) and store them in different locations (your PC, external hard drive, cloud storage etc). I recommend UpdraftPlus for WordPress backups.
  7. Get a WordPress security plugin like Sucuri or WordFence. Spend a few minutes making sure they are properly configured. Take a look at the security solutions I recommend.

 Follow these points and keep your WordPress website safe. If you like this post about WordPress Security, please share it with your friends!