How can you protect WordPress from hackers?

Hackers are lurking everywhere, constantly looking for holes in your machine. They use automated bots, tools and free hacking systems like Kali Linux to try and find the tiniest vulnerability that they can exploit.

In this guide, I want to teach you how to protect your WordPress site from any newbie or veteran hacker. I want to make sure that they give up trying to hack into your WordPress because it’s just so damn hard.

So let’s begin!

1) Choose a secure hosting provider

Firstly, never choose a shared hosting plan if you are going to be dealing with transactions, email marketing or handling any sensitive data.

When you use a shared host, you share the server’s resources with many other customers. This opens you up to the risk of cross-site contamination, where a hacker can use a neighboring site to attack your website.

Choose a single host plan with a secure web host who will always work harder to protect you. This is why you would pay a higher fee for someone like Bluehost compared to paying for a shared host like Namecheap.

When choosing a host, you must always ensure that they provide one or more of the following:

  • Firewalls
  • DDoS Protection
  • Virus Protection
  • Security Protection
  • Spam Filter
  • SSL Security Certificate
  • Domain Name Privacy

I’d recommend checking out these host providers below to see which one provides the securest hosting deal for you.

Bluehost – Free domain, SSL, and one-click WordPress installation

SiteGround – All plans come with SSL, HTTPS, and Cloudflare CDN

A2 Hosting – FREE daily backups, CDN, email, and SSL

AWS – Self-hosting – you get to control and create everything

Strong Passwords and User Permission

As shown in my previous post, How to hack your WordPress with 3 commands only, hackers can easily access your website if you use a common password with no special characters.

Names, birthdays, and street addresses should always be avoided in passwords. You don’t want any stalkers to end up scraping or using that information against you. Ensure your passwords are at least 12 characters long and contain letters, special characters and numbers.

So why does it need to be 12 characters long?

The answer is simple. The longer your password is and the more special characters it contains, the longer it takes password-cracking software to crack it. Let’s take the example below:

  • 9-character passwords = 5 days to hack
  • 10-character passwords = 4 months to hack
  • 11-character passwords = 10 years to hack
  • 12-character passwords = 200 years to hack

As you can see, a 12-character password would be the best. However, not everybody can remember 10 to 12 character long passwords. This is why you would use a secure password manager to store everything. One password manager I would recommend checking out is LastPass. You can check out my review here.


Lastly, another way to protect your WordPress is to not give anyone access to your admin account. If you have a team or guest writers, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.

Move Your WordPress Site to SSL/HTTPS

You must be thinking: what the hell is SSL or HTTPS?

These are protocols that define how your browser encrypts data sent to and from the internet. This is essential because it stops web sniffers and prying eyes from seeing your live data, such as passwords, cookies and text, as it travels to and from your browser.

The SSL/HTTPS protocol encrypts data transfer between your website and the user’s browser. This encryption makes it harder for someone to sniff (secretly look at) your traffic using tools like Wireshark and steal your information.

Once you have enabled HTTPS or SSL, your website address will start with HTTPS in the address bar, and it is always shown with a padlock sign.

To get HTTPS for your website, you will need an SSL certificate. SSL certificates can be expensive and are normally bought from certificate authorities like GoDaddy. Some can go from $60 to hundreds of dollars each year. Due to the high price tag, most website owners choose not to use one. This is not recommended at all, as anyone can see what you’re sending over the internet on that website!

Luckily, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to all. This project is mainly supported by Google Chrome, Facebook, Mozilla, and many more. If you want to install it you can see the installation instructions here.

3) Choose a secure theme

A secure WordPress theme is a theme that doesn’t include any (known) security vulnerabilities, is consistently updated, follows proper code standards, and is compatible with both your WordPress and your site’s elements like plugins.

I bought my theme from where the creators are constantly updating its packages so I don’t have to worry about it becoming vulnerable.

Again, if you are going to run a business on WordPress, I highly recommend you get a paid theme. It may cost you, but at least you won’t get any surprise attacks in the future.

Keeping WordPress Updated

Everyone forgets that WordPress is open-source software that is regularly maintained and updated by its creators. This is why you should always make sure WordPress updates are installed, for the security of your site. By default, WordPress automatically installs minor updates. However, for major releases, you will need to manually update it via the Updates button.

WordPress also comes with thousands of plugins and themes that you can simply install on your website. You will also need to make sure that your WordPress core, plugins, and theme are all using the latest version. If not, you will be vulnerable to an attack!

Almost all plugins and themes are maintained by their creators or third-party developers who regularly release updates. However, not all are secure or updated by default. This is why you will need a security plugin to scan for outdated software on your WordPress.

Get a Security Plugin like Wordfence

I would highly recommend getting a security plugin like Wordfence or Sucuri. They will protect your WordPress and give you a deeper layer of security.

Below is a preview of what the Wordfence dashboard looks like.

Wordfence plugin dashboard screen

As you can see, it has a Firewall and a Scan monitor, which give you a clear picture of who is trying to attack you at all times.

Wordfence’s firewall is powered by its Threat Defense Feed, which is a fancy term for a collection of firewall rules, malicious IP addresses, and malware signatures.

The Threat Defense Feed is integrated with the Wordfence plugin installed on your WordPress site. It is powered by your server.

When you buy Wordfence Premium, you get real-time updates to your Threat Defense Feed. It includes:

  • Real-time IP Blacklisting, Firewall Ruling and Malware Signature Updates.
  • Premium Support.
  • IP/Site Reputation Checks.
  • Geo-Country-level Blocking.

You can always try the free version too. It’s better to be safe than hacked.

Scanning WordPress for Malware and Vulnerabilities

If you have a WordPress security plugin installed, it will routinely check for malware and signs of security breaches.

However, if you see a sudden drop in web traffic or search rankings, it is better to run a scan manually. You can use a WordPress security plugin like Wordfence to do it for you, or use a free online malware and security scanner.

Running these online scans is pretty simple: we just enter our website URL, and the scanner uses crawlers to go through our website and look for any known malware and malicious code on it.

Please remember that most online security scanners can only scan your website. They cannot remove the malware or clean a hacked WordPress site. This is where Wordfence comes into play, allowing you to remove it with a few clicks!

Protect Your WordPress – Add two-factor authentication

This is a must for any WordPress site. You should always enable two-factor (multi-factor) authentication for all user roles. This is a great way to add an extra layer and protect yourself and your users from brute force attacks such as password guessing and credential stuffing.

What is Two-Factor authentication?

Two-factor authentication is a technique that requires users to log in using a two-step authentication method. The first step is a username and password, and the second step requires you to authenticate using a separate device or app.

A lot of common websites like Google, Facebook and Twitter allow you to enable it for your accounts. For instance, I use LastPass Authenticator because it integrates so easily with my Password Manager, sends a backup code to my phone number and can autofill passwords on separate websites. My review of it is here.

How to Set Up Two-Factor Authentication on WordPress?

I will be using the LastPass Authenticator for the tutorial. However, instructions are similar for all auth apps. Open your authenticator app, and then click on the Add button.

1. Go to your security plugin and select the two-factor authentication setup.

2. This will bring up a QR code that you will scan with your authenticator app, such as LastPass Authenticator.

3. Select the scan bar code option and then point your phone’s camera at the QR code shown on the plugin’s settings page.

Add website

That’s it. Your authenticator app is now set up, so you can save it. When you next log in to your website, you will be asked for the two-factor auth code after you enter your password.

Enter your two-factor auth code

Simply open the authenticator app on your phone and enter the code you see on it.
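What the QR code and the six-digit code are doing, as an added example that is not part of the original post or of any plugin's code. It assumes the plugin uses standard TOTP (RFC 6238), which is what authenticator apps implement; the sample URI, account name and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample of the text a setup QR code encodes (an otpauth:// URI).
# The secret is the public RFC 4226/6238 test key, never a real credential.
SAMPLE_QR_TEXT = ("otpauth://totp/ExampleBlog:alice?issuer=ExampleBlog"
                  "&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&period=30&digits=6")

def parse_otpauth(uri):
    """Extract (secret_bytes, period_seconds, digits) from an otpauth URI."""
    params = parse_qs(urlparse(uri).query)
    secret = base64.b32decode(params["secret"][0].upper())
    return secret, int(params.get("period", ["30"])[0]), int(params.get("digits", ["6"])[0])

def totp(secret, at, period=30, digits=6):
    """Code for the time step containing Unix time `at` (HMAC-SHA1, RFC 6238)."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, at, period=30, digits=6, window=1):
    """Server side: accept the current step plus/minus `window` steps of clock drift."""
    for step in range(-window, window + 1):
        t = at + step * period
        if t >= 0 and hmac.compare_digest(totp(secret, t, period, digits), code):
            return True
    return False

if __name__ == "__main__":
    secret, period, digits = parse_otpauth(SAMPLE_QR_TEXT)
    print("phone shows :", totp(secret, 59, period, digits))
    print("site accepts:", verify(secret, "287082", 59, period, digits))
```

Anyone who captures the QR code holds the same secret as your phone, so treat a screenshot of the setup page like a password.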

Install a WordPress Backup Solution

Backups will always be your first defense against any attack. Nothing is ever 100% secure. In addition, backups allow you to quickly restore your WordPress site in case something bad happens.

Moreover, there are many free and paid WordPress backup plugins available. The best way to back up is to regularly save a full-site backup to a remote location (not your hosting account) like Amazon’s S3 storage bucket.

Based on how frequently you want to update, your ideal setting might be either once a day or weekly real-time backups. It all depends on what your needs are.

To implement this, we can use plugins like VaultPress or UpdraftPlus. You can also do it manually on AWS. These providers should be reliable and should be constantly updating their products, which allows users to update without any code needed.

Disable File Editing

WordPress has a built-in code editor that lets you edit your theme and plugin files from the admin area. We recommend turning this file editing feature off, because in the wrong hands it becomes a huge security risk: anybody with access could inject code or send out sensitive data without you knowing it.

Disable file editing in WordPress

You can easily protect your WordPress by adding the following code in your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with one click by using the Sucuri or Wordfence plugin.

Go and Disable PHP File Execution in Certain WordPress Directories

Another way to harden our WordPress is by disabling PHP file execution in the /wp-content/uploads/ directory.

You can do this by opening a text editor such as nano or vim and pasting this code:

<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client like CyberDuck.

Ensure You Disable XML-RPC – Protect Your WordPress

Lastly, XML-RPC is enabled by default in WordPress 3.5+ because it helps connect your WordPress site with other web and mobile apps.

Because it is so powerful, XML-RPC can significantly amplify brute-force attacks.

For example, imagine that WordPress didn’t have XML-RPC: a hacker would need to try 100 different passwords separately on your website and they would not be blocked.

But with XML-RPC, a hacker can use the system.multicall function to try 1,000,000 passwords with a program like WPscan without getting blocked. If you too would like to try this out, check out my WPscan tutorial.

I would recommend that you disable it if you’re not using XML-RPC.

Note: Using the .htaccess method is the best because it’s the least resource intensive.
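To confirm that the last three steps actually took effect, here is an added audit sketch; it is not code from the original post or from any plugin. It assumes an Apache host that honours .htaccess files, and the function names, the sample tree and the `<Files xmlrpc.php>` rule in the sample (one common form of the .htaccess method) are constructed for illustration.

```python
import re, tempfile
from pathlib import Path

DEFINE_RE = re.compile(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
BLOCK_RE = re.compile(r"<Files(?:Match)?\s+([^>]+)>(.*?)</Files(?:Match)?>", re.S | re.I)
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def denied_patterns(htaccess):
    """File patterns of <Files>/<FilesMatch> blocks that deny all access."""
    live = "\n".join(l for l in htaccess.splitlines() if not l.lstrip().startswith("#"))
    return [m.group(1).strip().strip('"').lower()
            for m in BLOCK_RE.finditer(live) if DENY_RE.search(m.group(2))]

def audit_wordpress(root):
    """Check three hardening steps from this guide; returns {check: bool}."""
    root = Path(root)
    def read(rel):
        path = root / rel
        return path.read_text(errors="replace") if path.is_file() else ""
    # Strip PHP comments so a commented-out define() is not counted.
    config = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", read("wp-config.php"), flags=re.S)
    return {
        "file_editing_disabled": bool(DEFINE_RE.search(config)),
        "uploads_php_blocked": any("php" in p for p in
                                   denied_patterns(read("wp-content/uploads/.htaccess"))),
        "xmlrpc_blocked": any("xmlrpc" in p for p in denied_patterns(read(".htaccess"))),
    }

def build_sample_site(hardened):
    """Constructed WordPress-like tree for the demo (not a real site)."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    define = "define( 'DISALLOW_FILE_EDIT', true );"
    (root / "wp-config.php").write_text("<?php\n" + (define if hardened else "// " + define) + "\n")
    if hardened:
        (root / "wp-content" / "uploads" / ".htaccess").write_text(
            "<Files *.php>\ndeny from all\n</Files>\n")
        # Apache 2.4 syntax; "deny from all" is the older 2.2 form.
        (root / ".htaccess").write_text("<Files xmlrpc.php>\nRequire all denied\n</Files>\n")
    return root

if __name__ == "__main__":
    for hardened in (True, False):
        print(hardened, audit_wordpress(build_sample_site(hardened)))
```

The audit reads only these three files, so a rule set in the main server configuration or by a plugin will not show up, and Nginx ignores .htaccess entirely.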

Please note that no website is 100% secure, not even government websites. However, we can make it difficult for hackers to use their tools so they give up.

Unfortunately, many WordPress owners don’t start to take security seriously until it’s too late. By that time, the attacker already knows your system inside out. You would need to either backup your system or pay somebody to secure your WordPress, which can be expensive.

This is why I have laid out the steps in this guide to make it a lot harder for hackers to get into your system.

A recap of what we have learnt:

  • Fortified our Password
  • Downloaded a Security plugin
  • Updated our plugins and WordPress
  • Used SSL/HTTPS
  • Scanned for Malware
  • Used two-factor authentication
  • Installed a backup solution
  • Disabled file editing
  • Learnt how to disable PHP file execution
  • Disconnected XML-RPC

Hopefully, if you follow these simple steps, it will make it a lot harder for hackers to get into your system. If you want to try and hack your own WordPress, read this.

Good luck in strengthening your system and hope to see you soon.

I hope you have enjoyed this post. If you would like to learn more, remember to sign up to our newsletter to get more tutorials, guides and walkthroughs like this.