15 Steps to Secure Your WordPress Site From Hackers [2023] Print

  • 999

Is your site secure from hackers?

Are your customers’ and visitors’ confidential data safe from cybersecurity attacks?

Hackers are trying hard to beat your WordPress security, so be diligent in securing your website. The last thing you don’t want to happen is to see your site in nowhere.

In this step-by-step guide, you will learn how to secure your site from hackers.

Let’s dive right in.

Why WordPress Security Is Critical?

Your reputation and information are protected.

An issue with a data breach can result in the release of public data, identity theft, ransomware, or the failure of servers. Your business’ growth and reputation are not well served by these events. Most of them are a waste of time, money, and effort.

It is expected by your visitors.

Business growth brings an increase in problems to solve. The security of your customers’ information is one of those issues. If you fail to provide this fundamental service right from the start, you will lose your customers’ trust. You’re caught in a catch-22: If your security measures work, your customers won’t even need to know about them.

Google prefer secure websites

There has long been a connection between website security and visibility in Google (and other search engines). In order to maintain a high-ranking website, you need to keep your WordPress website secure. The Ultimate Guide to Google Ranking Factors discusses what other factors influence Google’s ranking of your website.

Making sure WordPress is up-to-date

Regular updates and maintenance are required for WordPress to remain open-source software. Minor updates are automatically installed by WordPress by default. The update must be initiated manually for major releases. Ensure that the theme, plugins, and core of your WordPress site are all up-to-date.

User permissions and strong passwords

Passwords stolen from WordPress users are the most common means of hacking. Using stronger passwords for your website can make it harder for hackers. Adding new user accounts and authors to WordPress require an understanding of user roles and capabilities if you have a large team or guest authors.

Here is the ultimate guide to securing your WordPress website.

1. HTTPS Secures Your Site

We will start by securing the website with HTTPS by design.

The network and wire cables are the conduits through which everything you do flows. When a browser sends data to a server via HTTP, it is exchanged as plain text. As a result, anyone who can access the network between the server and the browser can see your unencrypted data.

It’s possible for attackers to access sensitive data if your connection isn’t protected. If an attacker has access to your network, they can’t read your data, since HTTPS encrypts your data.

To secure your website, enable HTTPS as soon as possible. Use this guide if you haven’t moved to HTTPS yet.

2. Make Sure Your Passwords Are Strong

A weak or pawned password is the most common way hackers gain access to websites. Batter-force attacks are possible because of these.

Passwords are the most effective way to enhance your security. Make sure your passwords are strong and check them regularly for breaches.

3. Store Your Passwords in Passwords Managers

If you log in to a public network while working, you cannot be sure that no one is monitoring what you type on your computer or monitoring your passwords.

For this issue, you should use a password manager that allows you to access your passwords easily and store them securely.

It is impossible for them to get your passwords, even if they gain access to your PC. There are no WordPress plugins that are password managers.

4. Create a CAPTCHA for Login & Registration

You’ve already made life for hackers a lot harder when you secure your website with HTTPS and use strong passwords.

It can be made even harder by adding CAPTCHA to the login form. A captcha protects your login forms from brute-force attacks.

5. Login Protection Against Brute Force Attacks

You are protected from brute force attempts with Login CAPTCHA up to a certain point, but not completely. After captchas are solved, the tokens are often valid for a short period of time.

reCAPTCHA by Google, for example, lasts for two minutes. It is possible for attackers to try brute-force login attempts during those two minutes.

This problem can be resolved by blocking failed login attempts based on IP addresses.

6. Configure Two-Factor Authentication (2FA)

You are more protected with secure passwords and captchas on login forms, yes.

Imagine if hackers recorded your password on video using surveillance methods and used them to access your website?

The only way to protect your website from hackers if they know your password is two-factor authentication.

7. Update WordPress Core and Plugins Regularly

A vulnerability can arise in WordPress core or plugins, and when it does, it is reported and fixed. In order to prevent hacking of your website, be sure to update your plugins with the latest version.

define( ‘WP_AUTO_UPDATE_CORE’, ‘minor’ );

Since automatic updates may break your websites without your knowledge, I wouldn’t recommend switching to it.

Although these updates include security patches for WordPress core, I recommend enabling minor updates to the core by adding this line to wp-config.php.

8. HTTP Headers for Security

Browser and server actions are restricted with security headers when browsing websites, adding another layer of security.

Cross-site Scripting (XSS) and Clickjacking attacks can be prevented by security headers.

Security headers are:

  • Strict-Transport-Security (HSTS).
  • Content-Security-Policy.
  • X-Frame-Options.
  • X-Content-Type-Options.
  • Fetch Metadata Headers.
  • Referrer-Policy.
  • Cache-Control.
  • Clear-Site-Data.
  • Feature-Policy.

9. Make Sure WordPress Files Have The Correct Permissions

WordPress’ files are protected by file permissions on the operating system that hosts them; these rules determine how files can be read, edited, and executed. In particular, shared hosting requires this measure of security.

The wrong setting can allow attackers to read any content on your website – specifically wp-config.php – when one of your websites on shared hosting is hacked.

  • All files should be 644.
  • All folders should be 775.
  • wp-config.php should be 600.

Files and folders can be modified, deleted, and read by the web server (WordPress) and your hosting account (user account).

Wp-config.php cannot be read by other users. You may need to alter wp-config.php to 640 or 644 if setting 600 takes your website down.

10. WordPress File Editing Can Be Disabled

Editing files is possible from WordPress’ admin backend. SFTP is usually used by developers, so this is not necessary.

11. Remove All Unnecessary Features

You may not need all the features that WordPress offers. WordPress, for instance, has an XML-RPC endpoint for interacting with external programs. Brute-force logins can be accomplished by using this endpoint.

Activate the plugin Disable XML-RPC-API to disable XML-RPC.

WordPress also has a built-in way to list all users of the site using a REST-API endpoint.

The user’s list is accessed by appending “/wp-json/wp/v2/users” to any WordPress install.

In functions.php, add this line of code to disable users’ REST-API.

function disable_users_rest_json( $response, $user, $request ){

 return ”;

}add_filter( ‘rest_prepare_user’, ‘disable_users_rest_json’, 10, 3 );

12. Turn Off The WordPress Version

Within the HTML of your web pages, WordPress automatically injects a comment containing the WordPress version. By doing this, you’re providing the attacker with additional details.

13. Add a Firewall to WordPress

Firewalls monitor incoming HTTP requests on websites and analyse them. The system uses sophisticated logic to filter out requests that may lead to security threats. SQL injection is a common type of attack. DDoS attacks can also be prevented by firewalls, which detect abnormally large numbers of requests coming from a single IP address and block them.

As a result, this method is more resistant to DDoS attacks.

HTTP requests are sent to the web server and then blocked by application-level firewalls running on the server. Consequently, the server expends resources to block them.

14. Back-up Your Data

The best solution for recovering from a hack is to restore the website from the most recent version that wasn’t infected.

Unless you store backups of your website, cleaning it can be a time-consuming process. The malware may have also deleted all the data in some cases, meaning that all the data cannot be restored.

Backup your website’s database and files regularly to prevent such scenarios

15. Keep Track of Users’ Activities

There are many ways to protect your website against unknown hackers. However, what if one of your employees has access to your website admin and adds links into content that isn’t appropriate?

A shady employee cannot be detected using any of the above methods.

Instead, you should monitor activity logs. It is possible to discover that one of the employees modified an article they weren’t supposed to edit by looking at each user’s activity.

Additionally, you can examine the activity that looks suspicious and see what changes were made.

What to Do When You Are Hacked?

Security experts may give you advice, and you may know how to harden your website from hacks, but still, they happen.

Here are the steps you need to take if your website is hacked:

  1. Changing your email password and other personal information first helps to prevent hackers from accessing your website, as they may have accessed your email first.
  2. Back up your website to the latest backup without being hacked.
  3. Replace all user passwords.
  4. If plugin updates are available, update them.


Cyberattacks can take many forms, ranging from malware insertion to distributed denial-of-service (DDoS) attacks. Because of the CMS’s popularity, WordPress websites are frequently targeted by hackers.

Securing a WordPress site is a continuous process. Because cyberattacks are always developing, you must reevaluate it on a regular basis. The danger will always exist, but you may mitigate it by using WordPress security features.

We hope that this post has given you a better understanding of the significance of WordPress security measures and how to put them in place.

Was this answer helpful?

« Back