How to Secure Your WordPress Website from Hackers: A Step-by-Step Guide

WordPress is one of the most popular content management systems (CMS) in the world, powering over 40% of websites. Its ease of use and flexibility are unmatched, but that also makes it a prime target for hackers. From brute force attacks to malware injections, WordPress websites face a wide range of security threats. Fortunately, there are many steps you can take to protect your site from these attacks.

In this guide, i will walk you through some practical and effective ways to secure your WordPress website, using custom code and plugins where possible. In this guide i have included relevant WordPress or PHP code snippets, .htaccess rules, and other tips to make your site safer.

Why WordPress Security Is Important?

Before diving into the how-to, it’s important to understand why securing your WordPress website is essential. If your site is hacked, you could:


  • Lose control of your website.
  • Suffer data breaches, including sensitive user information.
  • Have your site blacklisted by search engines.
  • Damage your reputation, which can be hard to rebuild.

Now that you understand the importance of securing your WordPress site, let’s explore how you can do this effectively.

1. Keep WordPress, Themes, and Plugins Updated

One of the simplest yet most effective ways to secure your WordPress site is to keep everything up to date. WordPress developers regularly release updates that patch security vulnerabilities. The same goes for plugins and themes.

How to Update WordPress

You can update WordPress, plugins, and themes by navigating to your dashboard:

  1. Go to Dashboard > Updates.
  2. If updates are available, click Update Now.

You can also set automatic updates for core files, plugins, and themes by adding a few lines of code to your wp-config.php file:


// Enable all core updates
define( 'WP_AUTO_UPDATE_CORE', true );

// Enable automatic updates for plugins
add_filter( 'auto_update_plugin', '__return_true' );

// Enable automatic updates for themes
add_filter( 'auto_update_theme', '__return_true' );

Let’s say you’re using a theme that hasn’t been updated for a while. Hackers could exploit vulnerabilities in that outdated theme to inject malicious code into your site. By keeping it updated, you avoid this risk.

2. Use Strong Passwords and Two-Factor Authentication

Weak passwords are one of the easiest ways for hackers to gain access to your website. WordPress accounts are often targeted in brute force attacks, where hackers attempt to guess your username and password.

How to Implement Strong Passwords

Use a password manager to create and store complex passwords. Avoid common passwords like “admin123” or “password”—the more random, the better.

A strong password might look like this: e4Gp@9xYz!R#P7. It’s difficult for a hacker to guess and significantly reduces the chances of a brute force attack succeeding.


Add Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security by requiring not only a password but also a second form of verification (e.g., a code sent to your phone).

To set up 2FA, you can use plugins like Google Authenticator or WP 2FA:

  1. Install and activate the plugin.
  2. Navigate to the plugin settings and follow the prompts to connect your site to a 2FA app (like Google Authenticator or Authy).

Now, even if a hacker guesses your password, they’ll still need that second code to access your site.

3. Change the Default Login URL

By default, WordPress login pages are accessible at yourwebsite.com/wp-login.php or yourwebsite.com/wp-admin. Hackers know this, and they’ll often target these URLs with brute force attacks. Changing the URL makes it harder for hackers to find the login page.


How to Change the Login URL

You can change the default login URL by using a plugin like WPS Hide Login:

  1. Install and activate the WPS Hide Login plugin.
  2. Go to Settings > WPS Hide Login.
  3. Change the login URL to something unique (e.g., yourwebsite.com/my-secret-login).

This simple change will significantly reduce the chances of brute force attacks.

4. Limit Login Attempts

By default, WordPress allows unlimited login attempts, which leaves your site vulnerable to brute force attacks. Limiting login attempts prevents hackers from continuously trying different username-password combinations.

How to Limit Login Attempts

You can easily limit login attempts by using a plugin like Limit Login Attempts Reloaded or Wordfence. These plugins lock out users after a certain number of failed attempts.


Let’s say you configure the plugin to lock users out after 5 failed login attempts within 15 minutes. If someone fails to log in five times, they will be temporarily blocked from accessing the login page.

5. Install a Security Plugin

Security plugins offer a wide range of features to help protect your site, including firewall protection, malware scanning, and real-time monitoring of suspicious activities.

Best Security Plugins for WordPress

  • Wordfence Security: Offers firewall protection, malware scanning, and login protection.
  • iThemes Security: Helps with two-factor authentication, brute force protection, and scanning for vulnerabilities.
  • Sucuri Security: Offers monitoring, malware removal, and website firewall.

Once you install Wordfence, it will scan your site for potential vulnerabilities and notify you of any issues. You can also enable a firewall to block malicious traffic before it reaches your website.

6. Secure Your wp-config.php File

The wp-config.php file contains critical information about your WordPress installation, such as your database credentials. Securing this file is crucial to keeping your site safe from attacks.


How to Secure wp-config.php

You can restrict access to the wp-config.php file by adding the following code to your .htaccess file:

<files wp-config.php>
    order allow,deny
    deny from all
</files>

This will prevent anyone from accessing your wp-config.php file via a web browser.

7. Set Correct File Permissions

Incorrect file permissions can leave your site vulnerable to attacks. If your files and directories are set to be writable by anyone, a hacker could potentially modify them.

How to Set Correct File Permissions

Use an FTP client or cPanel to set the correct file permissions for your WordPress files:


  • Directories: Set file permissions to 755.
  • Files: Set file permissions to 644.

You can also use the following command via SSH to change file permissions for all files and directories:

**bash**
find /path/to/your/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/ -type f -exec chmod 644 {} \;

8. Disable File Editing in the Dashboard

By default, WordPress allows you to edit theme and plugin files directly from the dashboard. This is a handy feature but also poses a security risk. If a hacker gains access to your dashboard, they can inject malicious code into these files.

How to Disable File Editing

To disable file editing, add the following line to your wp-config.php file:

<?php
define( 'DISALLOW_FILE_EDIT', true );
?>

This simple line will disable the Appearance > Editor and Plugins > Editor options in the WordPress dashboard, preventing anyone from editing your theme or plugin files via the dashboard.


9. Use SSL (Secure Sockets Layer)

SSL encrypts data transmitted between your website and your users, making it more difficult for hackers to intercept sensitive information like login credentials.

How to Enable SSL

To enable SSL, you’ll need an SSL certificate. Many hosting providers offer free SSL certificates via Let’s Encrypt. Once you’ve installed an SSL certificate, update your WordPress settings:

  1. Go to Settings > General.
  2. Change the WordPress Address and Site Address from http:// to https://.

You can also enforce SSL across your site by adding the following code to your .htaccess file:


*** add these lines to your .htaccess file ***
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourwebsite.com/$1 [R=301,L]

10. Backup Your Website Regularly

No security measure is 100% foolproof, so it’s important to have backups of your website in case something goes wrong. If your site is hacked or compromised, a recent backup will allow you to quickly restore it.

How to Backup WordPress

There are many plugins available for backing up your WordPress site, such as UpdraftPlus and BackupBuddy. These plugins allow you to schedule automatic backups and store them in external locations like Google Drive or Dropbox.

11. Monitor Your Site for Suspicious Activity

Even if you follow all of the above steps, it’s important to keep an eye on your site for any suspicious activity. Hackers often leave subtle signs that they’ve gained access to your site, such as unauthorized logins or changes to your files.

Tools to Monitor Your Site


You can use security plugins like Wordfence or Sucuri to monitor your site for suspicious activity. These tools will alert you if they detect anything out of the ordinary.

Let’s say Wordfence detects an unauthorized login attempt from an unfamiliar IP address. You can block that IP and investigate further to ensure your site hasn’t been compromised.

Final Thoughts

Securing your WordPress website from hackers requires a combination of best practices, regular updates, and proactive monitoring. While no system is completely hack-proof, the steps outlined in this guide will significantly reduce the risk of your site being compromised.


By implementing strong passwords, enabling two-factor authentication, securing your wp-config.php file, and using security plugins, you’re well on your way to a safer WordPress site. Remember, it’s easier to prevent an attack than to recover from one.

Stay vigilant, keep your site updated, and don’t hesitate to back up your site regularly. These small actions can save you a lot of trouble down the road!

We will be happy to hear your thoughts

Leave a reply