How to Secure WordPress From Hackers

As a WordPress site owner, you can’t ignore the fact that it is one of the most vulnerable platforms for security attacks. The majority of hackers target this particular content management platform for a number of reasons. One of the key reasons is its growing popularity: WordPress is at the top of the CMS market with more than 60 percent market share.


Securing WordPress from hackers is easy and very important!

Apart from this, there are lots of weaknesses that need to be fixed if you want to protect your site from being hacked. To make that happen, we bring you this blog post, where we share a comprehensive checklist that will help protect your login pages, admin pages, installed themes, and plugins from being damaged by a hacker.


Follow these steps to secure your WordPress website:

1. Secure Your WordPress Login Page

Everyone knows that the backend of a WordPress site is one of its most delicate parts. It is the place from which you manage your entire website. That is why most hackers try to gain access to the site via the login page, which gives them a good opportunity to damage the reputation of your site among your potential clients and customers.


Here are some smart tips to help you secure the WordPress login:

1.1. Protect your login details (username & password)

You can’t take the chance of using the default username and a weak password for your WordPress admin panel. This is a serious offense, especially if you are working on improving your site’s security.

So change the default admin username to something else. You can do this manually in your database, or alternatively there are several plugins that will assist you in doing so. Additionally, use a very strong password. I suggest that you use a password generator to create one.

Change the default admin username for WordPress.

Don’t forget to change your password every two to three months. This will make it much harder for hackers to gain access to your website.

1.2. Set up two factor authentication

Setting up two-step authentication is one of the best ways to protect your website from brute force attacks. With this method, you need to enter your password along with an authorization code that is sent to your mobile device before you can log in to your site. It adds an extra layer of security that stops hackers from getting into your site via brute force attacks.

1.3. Switch to SSL (HTTPS)

This is one of the most advanced WordPress security tricks, and it will definitely help protect your site from hackers. HTTPS provides secure encryption between the web browser and the web service, which prevents hackers from accessing your data while it is being transmitted from one to the other. It will also protect you from suspicious hidden scripts available on your system.

You can use the One Click SSL plugin to quickly and easily enable SSL on your WordPress website.

Enabling SSL on WordPress will improve your Google search engine rankings.

1.4. Use a VPN

A virtual private network (VPN) will go a long way in making sure your WordPress site stays safe. Downloading a VPN and using it regularly when working on your website will add a layer of encryption. It’s especially important when you log into your CMS on a public or shared network. This encryption significantly reduces the chances of a hacker intercepting personal data, such as log-in information, location, and much more.


2. Update WordPress Themes and Plugins

Don’t forget to update the WordPress core and your installed themes and plugins on a regular basis. This can drastically improve the security of your website. The presence of suspicious elements in themes and plugins could make your site vulnerable to security attacks.

Keep WordPress core, themes and plugins updated at all times for security.

It is imperative to keep your themes and plugins updated to their latest versions. These updates include major as well as minor security patches that fix security issues. And the best part is that WordPress rolls out new versions on a continual basis to help you keep your site healthy and secure.


3. Never Keep Unused Themes or Plugins

Keeping unused plugins installed or even activated is one of the most common mistakes WordPress users make.

Since these themes and plugins may not have been updated for a long time, make sure you delete them from your WordPress website. First, identify all the unused or outdated themes and plugins, then deactivate and delete them from your WP admin dashboard.


4. Purchase Themes from Reliable Sources

There are many fake websites that claim to offer premium plugins for free. Such websites are either unreliable or fake. And the worst part is that most beginners fall into their trap and download the premium plugins from them free of cost.

If you follow their links, you will be taken to illegal sites that can infect your site with malware. So, make sure you download plugins either from the official WordPress plugin repository or from reliable sources.


5. Protect the wp-config.php File

Turning off error reporting in WordPress is essential. Since the wp-config.php file contains confidential data related to your site, ensure that you prevent it from being accessed. Securing a wp-config.php file means you are protecting 80 percent of your website from security attacks.

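In order to protect it, you will need to add the following lines of code to your .htaccess file:

# Deny all web requests for wp-config.php (Apache 2.2 syntax).
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two rules.
<Files wp-config.php>
order allow,deny
deny from all
</Files>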


6. Turn Off PHP Error Reporting

Generally, themes and plugins generate an error message when they don’t work properly. Such messages keep being saved in the error report, which allows hackers to find the available loopholes within the faulty theme or plugin.

They simply read your error reports to learn your server path, with the aim of gaining access to your website. Of course, these reports help you detect errors instantly, but it is better to disable them. To do that, you can add the following line of code to your wp-config.php file:

@ini_set('display_errors', 0);

Also ensure that WP_DEBUG is set to false in the wp-config.php file on a production site.
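
As an added example (not part of the original post or of WordPress), the Python script below audits the two files from steps 5 and 6: it checks that .htaccess contains a complete, valid deny block for wp-config.php and that wp-config.php leaves WP_DEBUG off and display_errors disabled. The function names and the sample file contents are constructed for illustration.

```python
import re

# Complete <Files wp-config.php> ... </Files> block (file name may be quoted).
FILES_BLOCK = re.compile(r'<Files\s+"?wp-config\.php"?\s*>(.*?)</Files>', re.I | re.S)
# Apache 2.2 syntax ("deny from all") or Apache 2.4 syntax ("Require all denied").
DENY_RULE = re.compile(r'^[ \t]*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)
# Order takes a single argument: "allow, deny" (with a space) is a syntax error.
BAD_ORDER = re.compile(r'^[ \t]*order[ \t]+\S+[ \t]+\S', re.I | re.M)
DEBUG_ON = re.compile(r"define\(\s*['\"]WP_DEBUG['\"]\s*,\s*(true|1)\s*\)", re.I)
ERRORS_OFF = re.compile(
    r"ini_set\(\s*['\"]display_errors['\"]\s*,\s*['\"]?(0|off|false)['\"]?\s*\)", re.I)
PHP_COMMENT = re.compile(r'/\*.*?\*/|^[ \t]*(//|#).*?$', re.S | re.M)

# Constructed sample inputs (not taken from a real site).
GOOD_HTACCESS = "<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n"
BAD_HTACCESS = "<Files wp-config.php>\norder allow, deny\ndeny from all\n"
GOOD_CONFIG = "<?php\ndefine('WP_DEBUG', false);\n@ini_set('display_errors', 0);\n"
BAD_CONFIG = "<?php\ndefine( 'WP_DEBUG', true );\n// @ini_set('display_errors', 0);\n"

def audit_htaccess(text):
    """Return problems with the wp-config.php protection in an .htaccess file."""
    findings = []
    block = FILES_BLOCK.search(text)
    if block is None:
        findings.append("no complete <Files wp-config.php> block")
    elif not DENY_RULE.search(block.group(1)):
        findings.append("Files block contains no deny rule")
    if BAD_ORDER.search(text):
        findings.append("whitespace inside the Order argument")
    return findings

def audit_wp_config(text):
    """Return error-reporting problems found in the text of wp-config.php."""
    code = PHP_COMMENT.sub("", text)  # ignore commented-out settings
    findings = []
    if DEBUG_ON.search(code):
        findings.append("WP_DEBUG is enabled")
    if not ERRORS_OFF.search(code):
        findings.append("display_errors is not disabled")
    return findings

if __name__ == "__main__":
    for name, result in [("good .htaccess", audit_htaccess(GOOD_HTACCESS)),
                         ("bad .htaccess", audit_htaccess(BAD_HTACCESS)),
                         ("good wp-config.php", audit_wp_config(GOOD_CONFIG)),
                         ("bad wp-config.php", audit_wp_config(BAD_CONFIG))]:
        print(f"{name}: {result or 'OK'}")
```

To audit a real site, pass the contents of its own .htaccess and wp-config.php files to the two functions.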


7. Get Reliable, Secure Hosting

It is always important to choose a reliable host when it comes to beefing up WordPress security. In fact, a survey found that most of the WordPress websites that were hacked were compromised because of an insecure hosting server.

Top quality, secure web hosting is extremely important.

You can choose Tribulant, SiteGround, Brontobytes, or Bluehost if you are looking for shared hosting. And, if you can raise your budget, you can opt for a dedicated hosting plan or VPS hosting. You will get advanced security features, regular updates, 24/7 assistance and a lot more that will keep your site in a safe and secure environment.



The tips mentioned above in this blog post will protect your website from hackers and other major security threats. You can follow these tactics to ensure a safe, secure and successful WordPress site without much effort. There are more things you can do to secure your WordPress website so don’t stop here and continue researching how to make your website bulletproof.

  1. Shivam Sahu on January 14, 2018

    Hi Antonie

    Indeed a great list of common WordPress security mistakes.

    A couple of days back I faced a situation where there were some unwanted ads being displayed on my blog, and that was something I did not install. When I inspected it, I found that there was a lot of unwanted code that had been injected into the WordPress theme files and other main files.

    On further inspection I found out the following 3 things which were the reasons for this:

    1). Not updating the other WordPress installation, plugins and themes that are being run from the same hosting account if you are using a shared hosting
    2). Optimizepress 1.0 is known to have a security issue and they have released an update to it. This doesn’t update in the normal updates from your WordPress dashboard. You might want to update it manually, if you haven’t done it yet.

    3). Not Cleaning and optimizing your database periodically

    4). Leaving the default themes like twentyeleven etc. as it is and not updating them. This primarily happens if you are using a different theme and these default themes just remain there.

    5). Not uninstalling plugins that haven’t been updated for a long time by its creators.

    These are prone to attacks. A couple of solutions that I found were installing a plugin like Wordfence, Bullet Proof Security, or Better WP security.

