How to Protect Your WordPress Site from Hackers

As a business, one of your most vital assets is your website. Not only does it create a digital storefront to sell your product on a global scale, but it also houses your company and brand’s reputation. A well thought-out, eye-catching website will say much more about your business than a simple template with spelling errors and broken images. WordPress allows business owners around the world to utilize their platform to build an effective web presence for themselves, but as the popularity of WordPress continues to increase, hackers from around the globe have keyed in on the low hanging fruit that is unsecured WordPress websites for businesses. Here are some great tips on how to prevent your WordPress website from being hacked.

The Problem with Being Popular

wordpress hero


WordPress is an amazing and current platform to build a website on. In fact, it accounts for 74.6 million websites and is continuing to grow. The disadvantage of this immense popularity is it has become a huge target for hackers and scammers.  When you’re the most popular CMS on the market everyone knows your weaknesses and short comings. Each new set of patch notes acts as a blueprint for hackers to determine new vulnerabilities.

Another case of hacking on a wide spread scale due to immense popularity is Windows XP.  Windows XP came on to the market fourteen years ago and, still to this day, it accounts for 20% of all Windows operating systems in use.  During the height of its popularity it had many security vulnerabilities and was patched weekly. To this day, even though support for the OS has stopped, it is still vulnerable to attacks. I see WordPress following a similar trend with its constant updates and new versions.

The Problem with “wp-login-php”

yu no enter password

The inherent problem with using the default login page for WordPress is that everyone will be using that same url slug to login to their website. One great plugin called Stealth Login allows users to create custom URLs for WordPress. You can also activate “Stealth Mode” which will stop users from being able to access wp-login.php. This is not a foolproof solution for protecting your site, but it will stop bots that seek out the wp-login.php file to get into your site and make it more difficult for hackers to find.

Another tactic that can be used on your login page is to limit the number of failed login attempts before blocking a user’s IP. With this data you can block that IP to stop forceful entry before it happens.  NEVER use Admin as a username. This is the first account created by WordPress and first username hackers will attempt when trying to break into a WordPress site.

The last tip that should be used on the WordPress login screen is removing the error message when incorrect values are entered. This will stop hackers from knowing what piece of information is correct and what is wrong.

The Problem with Easy Pa$$words


When most people create passwords, we make something that’s really easy to type, a common pattern, or things that remind us of the word password or the account that we’ve created the password for. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password simple, it also makes it easy for a hacker to guess your password.

Similar to the login page of your WordPress site, the password you choose is crucial to preventing all types of hacks. Using long (12 characters or more) passwords that are not common words or phrases, special characters, and varying lower and upper case letters will make passwords that are nearly impossible to guess even by a super computer trying an infinite number of combinations of passwords. When sending these passwords over email one best practice I suggest adopting is sending a screenshot image of the password instead of the text. E-mails are not a secure way to send information and by adding it as an attachment or in the body of the email will stop bots from stealing this information.

The Problem with Outdated/Multiple Plug-ins and Themes

Plugins and themes are two features that contribute to the popularity of WordPress. However, if one plugin that is installed on a site has security vulnerabilities, it can act as a back door for malware.  One recent example of this was with the RevSlider plugin. This plugin was pre-installed on many themes and due to its vulnerabilities resulted in over 100,000 sites being hacked. Here are some tips you should use to limit your plugin/theme vulnerability:

  • Delete plugins and themes that are not being used. Old plugins that are no longer supported with updates or compatible with the newest version of WordPress are a liability.
  • Don’t use a plugin from an unknown or unrated developer. Pay close attention to the plugin developer’s ratings and comments. Anyone can develop a WordPress plugin, and installing one of these that lacks continued developer support will lead to issues in future updates to WordPress.
  • Update Every Week! Monthly is not good enough. The more outdated your plugins and themes, the more exposed you are to exploits targeted at these older versions.

The Problem with not Knowing Your Host and Network

managed wp

In my experience, the two factors that have led to WordPress sites being compromised are lack of knowledge of your network/server and your shared hosting provider. When it comes to your network/server, you need to keep things clean and updated. It is a great idea to regularly run a full malware and anti-virus scan. Keep that software up to date!

Next, you need to check with your shared hosting provider. The hack may have affected multiple sites and not even started with your install. That’s not tremendously important if you still ended up getting hacked, but in those instances it can be a small comfort to know you haven’t been specifically targeted.

And on a practical note, you should be aware of whether or not your host is responsible or a theme/plugin. {Via Elegant Themes} The best advice I can give is to use a managed WordPress set up for all sites. Managed WordPress hosting is a service where all technical aspects of running WordPress are managed by the host. This includes security, speed, WordPress updates, daily backups, website uptime, and scalability.