How to secure WordPress from hackers

Cyber-attacks are among the fastest growing crimes in the world, and nothing is stopping the increase in rate or sophistication of such crimes.  Many very well-known companies such as eBay, Yahoo, Sony, Target, Adobe, and others were headline news after their customer information was hacked and stolen. All websites these days are subject to attacks by hackers and malware. In this article I will show you how to secure WordPress from hackers, spammers and malware.

How to secure WordPress from hackers

Because Security is so important these days, admins and website owners should do everything they can possibly do to protect their websites and to build the trust of visitors.

There are several issues involved in the security of WordPress that you should be aware of. Below are some recommended steps and procedures that can maximize the security of your WordPress site.  Applying security procedures is the only way to prevent hackers, spammers and malware from your website

1- Essential Security Procedures to secure Word Press

Although WordPress is a secure platform in itself, you’re never truly safe from people with malicious intent. With WordPress’ use is on the rise, it has become a target for hackers, so maximizing your website security is now more important than ever before. Below are some of the essential security procedures that you should follow to improve the security of your WordPress site.

A-   Secure WordPress  from hackers using a strong password

One of the easiest ways that hackers use to break into a website security is through its weak password. Many webmasters don’t take the time to create solid, strong passwords because they claim it takes too much time to create and manage passwords and it is difficult to remember all the different passwords. While this may be true, if you compare it to the frustration and the time it takes to rebuild your site, then you will know how much time and effort you will save by creating solid strong passwords.

The longer and more complex your password is, the harder and the longer it takes for hackers to “crack” because more complex passwords require much greater computing power and time.

Here are some tips on how to create a strong password to  secure WordPress from hackers

  • Every password should be at least 12 characters
  • Every password should be a mix of special characters, lowercase letters, capital letters and numbers.
  • Every site should have a different password
  • Don’t use actual phrases, numbers  or words for a password

To find out how secure your password is, type your password in this site:

To generate a strong password visit this site:

B-   Change ADMIN user name

By default, WordPress sets the administrator username to “admin” at installation time.

A large number of hackers try to take advantage of this information by trying to use “Brute Force Login Attacks” to guess the password by using “admin” as a username.

Therefore, changing the default “admin” user name to a new name is one of the first things you should do on your site as soon as you finish installing WordPress.

C-   Install a security plugin

There are many free and paid WordPress security plugins that can be installed and configured to perform a certain level of security for WordPress.  Here is a partial list of some of the popular ones:

  • iThemes Security
  • Wordfence Security
  • Sucuri Security
  • All In One WP Security & Firewall
  • Jetpack
  • SecuPress
  • BulletProof Security

To learn more about them and how to choose one for your website go to WordPress plugins site  and search for security.

D-  Limit login attempts

WordPress by default allows unlimited login attempts. This allows hackers to compromise websites through a Brute Force Login Attack. They use repeated login attempts until they guess the password.

To prevent this, you can install a lock down plugin to limit login attempts to a number you choose in the setting of the plugin.

There are many free plugins that allow you to limit login attempts. Here is a list of free plugins from

E-    Hide your login screen

You can also hide you login page by changing its name.

change the URL of your WordPress login page ( to a different name using an add on plugin. Search for a plugin here:

F-    Secure data base

The database in a WordPress website is the most important asset as it contains much of the site’s valuable information. It is also a target for hackers who use SQL injections and malicious and automated code which targets certain database tables.

WordPress database by default starts with a prefix “wp_ “, making it easy for hackers to guess.  One way to add a layer of protection for the database is to change the table prefix from “wp_” to something else which will be difficult for hackers to guess.

G-  Hide WordPress versions and meta information

WordPress automatically adds some information inside the “head” tags of every page on your site’s front end. One of these pieces of information is the current WordPress version. It looks like this:

<meta name=”generator” content=”WordPress 3.5.1″ />

This information can help hackers or crawlers scan your site to see if it is a version with a known exploit.  To protect your site from this type of attack, you need to hide this information. Most security plugins can take care of this issue.

H-  Install a firewall plugin

A firewall is a security software or service that controls traffic to your website by blocking all web requests that violate the firewall security rules.

Some free security plugins come with some sort of a firewall. Have a look at this link:

For business and eCommerce websites, a strong real time firewall such as  Sucuri Firewall  is recommended.

I-      Add Registration CAPTCHA

If you add a Captcha to the WordPress registration page, then anyone who attempt to register will be asked to enter the answer to a simple mathematical or graphical question – if they enter the wrong answer, they will be denied registration.

This is another effective way to prevent hackers and spammers.

This plugin can do just that

Advanced noCaptcha & invisible Captcha (v2 & v3)

J-     Use CAPtcha in comment forms

Since a large portion of WordPress comments is mainly produced by automated bots and not by humans, adding a captcha field in the comments form is another great way for reducing SPAM from bots.

K -Use SSL Certificates

SSL is a secure connection between your server and the browser that encrypts data as it travels, making it difficult for hackers to intercept login and user information. If SSL is enabled in a website the site URL changes from http to https, which indicates to the visitor that any information he enters in a login or order form are safe and secured.

Fortunately, many web hosting companies including the most popular ones (such as A2Hosting,  GreenGeeks, BlueHost, SiteGround and others) are providing free SSL certificates with their hosting packages.  Most of them offer Let’s Encrypt  SSL which is a free, automated, and recognized by most modern browsers, and usually is  automatically enabled.

L-   Protect wp-config.php

The “wp-config.php” file is one of the most important files in WordPress. It is a primary configuration file and contains crucial things such as details of your database and other important components. If a hacker can access this file, he/she can do a lot of damage to your website.

You can protect this file by changing its permission (see next section) or by the use of .htaccess.

It is also advisable to back up your wp-config.php and keep it in a safe place should you need to re-use the backed-up file in the future.

M- Secure Word Pres by changing the permissions of  Secure Files, Folders

One way to protect the important files and folders in WordPress is to change their permissions.

You can easily change permissions from the File Manager in Cpanel. Here is how:

Select the file or folder, click on permissions, type the new number then click save.


For wp-config.php and .htaccess files change permissions into 444

For other files and directories use the following:

Directories: 755 or 750

Files:           644 or 640

By doing this you are restricting access to make any changes to these files and folders. This way hackers are prevented from accessing these files.

Please note that some of the above procedures can be accomplished by a  security plugin. to learn more about WordPress security plugins, read this article

2- Secure WordPress  from hackers using .htaccess

htaccess directives provide an extra layer to protect WordPress from hacking. htaccess is a plain text system file that resides in the hosting server. It is a great tool that can be used to do some amazing things by using directives and commands to control websites.

Here is what you can do with htaccess to secure WordPress site.

  • Prevent access to .htaccess
  • Prevent decretory browsing
  • Prevent access to wp-config File
  • Protect wp-content folder
  • protect the wp-includes folder
  • Prevent script Injections
  • Restrict PHP file execution
  • Restrict access to plugins and themes in PHP Files
  • Ban query strings ending with question mark “?”
  • Prevent username Enumeration
  • Stop Spam on WordPress blogs and websites
  • Prevent Image Hot Linking
  • Limit logins by IP
  • Prevent unauthorized access to wp-admin Directory
  • Ban Bad User Agents, referrers, script-kiddies and more

Warning. Unless you have enough technical knowledge, it is not recommended to edit htaccess. Always make a backup copy of htaccess before editing it. To learn more about htaccess security read this article.

3- Secure WordPress from hacking  using a secured hosting

Security plays a crucial role when it comes to selecting a web hosting company. Therefore, one of the important ways to secure WordPress form hacking is to use a secured web hosting provider. The minimum security that is expected from a web host is SSL security which protects visitor critical information using https protocol. Most hosting companies now provide “Let’s Encrypt” free SSL with their plans. However, if you have an e-commerce website you need to consider using another layer of security by purchasing an advanced SSL certificate.

In addition to SSL security,  it important to know to choose your web hosting company that provides, daily backups, and regular malware scanning. A2hosting and SiteGuarding are among the web hosting companies that provide reliable web hosting with complete website security.


When it comes to putting your website online, nothing is more important than security. If you have a blog or are running a small or large business on the internet, then securing your website should be your very first priority! If you follow the above procedures, you can sleep peacefully at night knowing that your WordPress site and data cannot be accessed and/or manipulated by anyone without your permissions.

If you don’t have time, or don’t know how to to follow the security procedures mentioned above you, can use any of  many online security services such as fixmysite,  or Malcare.

I hope by now you  have learned some ways on how to secure WordPress from hackers. All you have to go and apply them.

Leave a Comment