
How to protect WordPress site from hackers (Updated)

WordPress is a popular content management system that powers over 40% of all websites on the internet. However, its popularity also makes it a prime target for hackers who want to exploit vulnerabilities and gain unauthorized access to websites. In this article, we will discuss some ways to protect your WordPress site from getting hacked.

We have an illusion of security, we don’t have security

Isaac Yeffet

Keep WordPress, Themes, and Plugins Updated

One of the easiest ways to keep your WordPress site secure is to keep the WordPress core, themes, and plugins updated. Hackers often exploit vulnerabilities in outdated software, and WordPress is no exception. By keeping everything up-to-date, you can ensure that your site has the latest security patches and fixes.


Pros:

  1. Improved security: Updating WordPress core, themes, and plugins can help to fix security vulnerabilities that have been discovered in previous versions. This can make your site less vulnerable to hacking attempts and other security threats.
  2. Bug fixes: Updates can also fix bugs that were present in previous versions, which can improve the stability and functionality of your site.
  3. New features: Some updates can also bring new features and improvements, which can enhance the user experience and functionality of your site.


Cons:

  1. Compatibility issues: Updating WordPress core, themes, and plugins can sometimes lead to compatibility issues with other plugins or themes that you have installed. This can cause your site to break or not function properly.
  2. Time-consuming: Updating WordPress core, themes, and plugins can be time-consuming, especially if you have many plugins or a complex site.
  3. Potential for data loss: There is a small risk that updating WordPress core, themes, and plugins can cause data loss if something goes wrong during the update process. It is always recommended to have a backup of your site before making any updates.

Use Strong Passwords

Using strong passwords is another simple but effective way to protect your WordPress site. Weak passwords can be easily guessed or cracked by hackers using automated tools. A strong password should be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. I recommend the free online password generators from Bitwarden and 1Password.


Pros:

  1. Increased Security: Using a strong password greatly reduces the likelihood of unauthorized access to your WordPress site. Strong passwords are more difficult to guess, and can deter automated tools used by hackers to crack passwords.
  2. Peace of Mind: By using a strong password, you can rest assured that your website is more secure from attacks. This can give you peace of mind, knowing that you have taken the necessary steps to protect your site.
  3. Compliance: In some cases, using strong passwords may be a requirement for compliance with industry standards or regulations. For example, if your site processes sensitive information such as credit card numbers, you may be required to use strong passwords to meet regulatory requirements.


Cons:

  1. Complexity: Strong passwords can be difficult to remember, especially if they are a random mix of letters, numbers, and symbols. This can lead to frustration and time wasted trying to recall passwords.
  2. Inconvenience: Using strong passwords may require you to change them frequently, which can be inconvenient and time-consuming.
  3. Human Error: Despite the best efforts of website owners, strong passwords can still be compromised due to human error. This includes writing down passwords or sharing them with others.

Use Two-Factor Authentication

Two-factor authentication adds an extra layer of security to your WordPress site. With two-factor authentication, users are required to enter a unique code in addition to their password to log in. This code is typically generated by an app on their smartphone or sent via SMS.


Pros:

  1. Increased security: Two-factor authentication adds an extra layer of security to your WordPress login process, making it more difficult for hackers to gain unauthorized access to your site.
  2. Protection against password breaches: If your password is compromised in a data breach, two-factor authentication can prevent someone from logging in to your WordPress account using that password.
  3. User accountability: Two-factor authentication can help identify the person responsible for any suspicious activity on your WordPress site, since they would need to have both the password and the second authentication factor to log in.
  4. Easy implementation: Many two-factor authentication plugins are available for WordPress, and the setup process is usually straightforward.


Cons:

  1. Inconvenience: Some users may find two-factor authentication to be an additional and unnecessary inconvenience, especially if they need to go through the process each time they log in to their WordPress account.
  2. Potential lockout: If you lose access to your second factor authentication device or method, such as your phone or authentication app, you may be locked out of your WordPress account.
  3. Limited options: While many two-factor authentication plugins are available for WordPress, some may require additional setup or configuration, or may not be compatible with certain plugins or themes.
  4. False sense of security: While two-factor authentication can add an extra layer of security to your WordPress site, it is not foolproof and should not be relied on as the sole security measure. It is important to implement other security measures in addition to two-factor authentication, such as using strong passwords and regularly updating WordPress and its plugins.
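
How an authenticator app and the server arrive at the same code: an added example (not from the original article or from any WordPress plugin) of time-based one-time passwords per RFC 6238, including the clock-drift window and replay rejection that a server-side check needs. The key is the test key published in the RFC, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte slice
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(key, int(now) // step, digits)

def verify(key, submitted, now, last_used=None, step=30, drift=1):
    """Server-side check. Returns the matched time step, or None.

    drift     -- steps of clock skew tolerated on either side of 'now'
    last_used -- last step already accepted for this user; codes from that
                 step or earlier are refused, so a captured code cannot be replayed
    """
    current = int(now) // step
    for counter in range(max(0, current - drift), current + drift + 1):
        if last_used is not None and counter <= last_used:
            continue
        # compare_digest avoids leaking how many digits matched through timing
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None

# Test key published in RFC 6238 Appendix B (never use it for a real account).
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_KEY, now=59)
    print("code shown by the app:", code)
    step = verify(RFC_KEY, code, now=75)         # phone clock 16 s behind the server
    print("accepted at step:", step)
    print("replay:", verify(RFC_KEY, code, now=80, last_used=step))
```

The server has to store `last_used` per user after each successful login; without it, a code stays valid for the whole drift window.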

Limit Login Attempts

Limiting the number of login attempts can help protect your WordPress site from brute-force attacks. A brute-force attack is when a hacker tries to guess your password by repeatedly trying different combinations. By limiting the number of login attempts, you can prevent this type of attack from being successful.


Pros:

  1. Enhanced Security: By limiting login attempts, you can protect your WordPress site from brute force attacks that try to guess passwords by repeatedly trying different combinations. This will make it difficult for hackers to gain unauthorized access to your site.
  2. Reduced Server Load: Limiting login attempts can reduce server load and increase the site’s speed, as the server won’t have to process too many login requests.
  3. Prevent Account Lockouts: By limiting the number of failed login attempts, you can prevent users from getting locked out of their own accounts due to incorrect login attempts.


Cons:

  1. Lockouts for Legitimate Users: If the login attempt limit is set too low, it could result in legitimate users getting locked out of their own accounts if they make a few incorrect login attempts. This could be frustrating for users and negatively impact their experience.
  2. False Sense of Security: While limiting login attempts can enhance the security of your WordPress site, it is not foolproof. Attackers can use other methods to gain access to your site, such as exploiting vulnerabilities in plugins or themes, or through phishing attacks.
  3. Difficulty in Logging In: If you forget your password or make a mistake while logging in, you may not have many chances to try again before you get locked out. This can be particularly problematic if you’re in a hurry or need to access your site urgently.
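
What a login limiter does with each attempt, and how the threshold trades blocking an attacker against locking out a real user: an added example, not code from the article or from any plugin. The log lines are constructed, the addresses come from documentation ranges, and it assumes the usual wp-login.php behaviour of answering a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def log_line(ip, hhmmss, method, path, status):
    """Build one constructed combined-log-format line for the sample below."""
    return f'{ip} - - [10/Mar/2024:{hhmmss} +0000] "{method} {path} HTTP/1.1" {status} 4523'

# Constructed sample: eight rapid failures from one address, then a real user
# who mistypes the password twice before getting it right.
USER = "198.51.100.20"
SAMPLE_LOG = "\n".join(
    [log_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200) for s in range(1, 9)]
    + [log_line(USER, "10:01:00", "GET", "/wp-login.php", 200),
       log_line(USER, "10:01:10", "POST", "/wp-login.php", 200),
       log_line(USER, "10:01:25", "POST", "/wp-login.php", 200),
       log_line(USER, "10:01:40", "POST", "/wp-login.php", 302)]
)

class LoginLimiter:
    def __init__(self, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> end of the current lockout

    def observe(self, ip, ts, success):
        """Classify one attempt as 'locked', 'ok' or 'failed' and update state."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "locked"                  # refused before the password is checked
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:  # forget failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            recent.clear()
        return "failed"

def replay(log_text, limiter):
    """Feed login POSTs to the limiter; return {ip: attempts it would have refused}."""
    refused = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue                         # page views of the form are not attempts
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if limiter.observe(ip, when, success=(status == "302")) == "locked":
            refused[ip] += 1
    return dict(refused)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, LoginLimiter(max_failures=5)))
    print(replay(SAMPLE_LOG, LoginLimiter(max_failures=2)))
```

With a limit of five, only the attacking address is refused; with a limit of two, the real user's third, correct attempt is refused as well.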

Install a Security Plugin

There are several WordPress security plugins available that can help protect your site from getting hacked. These plugins can perform tasks such as scanning your site for vulnerabilities, monitoring for suspicious activity, and blocking malicious IP addresses. Popular security plugins include Wordfence, iThemes Security, and Sucuri.


Pros:

  1. Improved security: Security plugins provide an extra layer of protection for your WordPress site by detecting and preventing potential security threats such as malware, brute force attacks, and hacking attempts.
  2. Easy to use: Most security plugins are user-friendly and easy to set up, even for those who have little to no technical knowledge.
  3. Regular updates: Security plugins are regularly updated with new features and patches to keep up with the latest security threats and vulnerabilities.
  4. Customizable settings: Most security plugins offer customizable settings that allow you to adjust the security level according to your website’s specific needs.
  5. Alerts and notifications: Security plugins can notify you via email or other means if any suspicious activity is detected on your website, allowing you to take appropriate action promptly.


Cons:

  1. Performance impact: Some security plugins can slow down your website’s performance, especially if you have a lot of plugins installed or your website is hosted on a shared server.
  2. False positives: Security plugins may sometimes flag legitimate actions as suspicious, resulting in false positives that can be frustrating for website owners.
  3. Compatibility issues: Some security plugins may not be compatible with certain themes or plugins, which can cause conflicts and errors.
  4. Over-reliance: Relying solely on a security plugin may give a false sense of security, leading to neglect of other important security measures such as regular backups and updates.
  5. Cost: While many security plugins are free, some premium security plugins may come with a cost, which can add up over time.

Disable File Editing

By default, WordPress allows administrators to edit theme and plugin files from within the WordPress dashboard. However, this feature can also be exploited by hackers to upload malicious code to your site. To prevent this, you can disable file editing by adding the following code to your wp-config.php file:

    define('DISALLOW_FILE_EDIT', true);


Pros:

  1. Enhanced Security: By disabling file editing, you are making it more difficult for hackers to gain access to your website by changing or modifying the code of your plugins and themes.
  2. Prevent Accidental Errors: Disabling file editing also prevents accidental errors caused by inexperienced users making changes to the code of their website.
  3. Better Control: You can have better control over the website’s code changes as it restricts anyone from modifying the code from the WordPress dashboard.


Cons:

  1. No Quick Fixes: Disabling file editing means you cannot quickly make any small changes to your code from the WordPress dashboard. You will need to do it manually via FTP.
  2. Dependency on FTP: You may need to rely on FTP clients to make changes in the code, which can be challenging for those who are not familiar with it.
  3. Potential Compatibility Issues: If you use third-party plugins or themes that require modifications to their code, disabling file editing can lead to compatibility issues.
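
A check that the constant is really in effect, as an added example rather than code from the article or from WordPress: it reads wp-config.php text and catches the usual ways the define goes wrong (commented out, set to false, pasted with typographic quotes, or placed below the line that loads wp-settings.php, where it is not yet set while WordPress boots). The sample configs are constructed, the function name is illustrative, and the parsing is a line-based heuristic, not a PHP parser.

```python
import re

QUOTES = "'\"‘’“”"   # straight quotes plus the typographic ones a rich-text editor inserts
DEFINE_RE = re.compile(
    rf"define\(\s*(?P<open>[{QUOTES}])(?P<name>[A-Z0-9_]+)(?P<close>[{QUOTES}])"
    r"\s*,\s*(?P<value>[^)]*?)\s*\)"
)
SETTINGS_RE = re.compile(r"require(_once)?\b.*wp-settings\.php")

def check_constant(config_text, name="DISALLOW_FILE_EDIT"):
    """Return 'ok', 'missing', 'not-true', 'bad-quotes' or 'after-bootstrap'."""
    settings_loaded = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue                      # commented-out code has no effect
        if SETTINGS_RE.search(stripped):
            settings_loaded = True        # WordPress, plugins and themes load here
            continue
        for m in DEFINE_RE.finditer(stripped):
            if m["name"] != name:
                continue
            if {m["open"], m["close"]} - {"'", '"'}:
                # PHP does not treat typographic quotes as string delimiters,
                # so the intended constant is never defined
                return "bad-quotes"
            if settings_loaded:
                return "after-bootstrap"
            # PHP keeps the first definition of a constant, so stop at the first hit
            return "ok" if m["value"].lower() in ("true", "1") else "not-true"
    return "missing"

# Constructed wp-config.php fragments, one per outcome.
TAIL = "require_once ABSPATH . 'wp-settings.php';\n"
SAMPLES = {
    "ok":              "define( 'DISALLOW_FILE_EDIT', true );\n" + TAIL,
    "missing":         "// define('DISALLOW_FILE_EDIT', true);\n" + TAIL,
    "not-true":        "define('DISALLOW_FILE_EDIT', false);\n" + TAIL,
    "bad-quotes":      "define(‘DISALLOW_FILE_EDIT’, true);\n" + TAIL,
    "after-bootstrap": TAIL + "define('DISALLOW_FILE_EDIT', true);\n",
}

if __name__ == "__main__":
    for expected, text in SAMPLES.items():
        print(f"{expected:16} -> {check_constant(text)}")
```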


Use HTTPS

HTTPS encrypts data sent between your website and visitors, making it more difficult for hackers to intercept and steal sensitive information such as login credentials. To enable HTTPS on your WordPress site, you will need to obtain an SSL certificate and configure your server to use HTTPS.


Pros:

  1. Improved Security: HTTPS encrypts all data between the server and the client, making it difficult for hackers to intercept or steal data.
  2. Boosts SEO: Google favors HTTPS-enabled websites and gives them a slight ranking boost in search results.
  3. Builds Trust: HTTPS websites are identified by a padlock icon in the address bar, which indicates to users that the site is secure and trustworthy.
  4. Provides Authentication: HTTPS verifies the authenticity of the website, ensuring that users are accessing the intended website and not a fraudulent one.
  5. Better User Experience: HTTPS can improve website performance, leading to faster load times and a better user experience.


Cons:

  1. Additional Cost: HTTPS requires a valid SSL/TLS certificate, which can add to the cost of running a website.
  2. Configuration Issues: Configuring HTTPS can be complex and time-consuming, especially for those who are not technically savvy.
  3. Mixed Content Issues: Mixed content occurs when a website is partially HTTPS and partially HTTP. This can cause warnings or errors in the browser and degrade the user experience.
  4. Incompatible Software: Some older browsers or operating systems may not support HTTPS, making it difficult for some users to access the website.
  5. Performance Overhead: HTTPS can increase the workload on the server, leading to slower website response times and increased resource usage.

Use Web Application Firewall

A web application firewall (WAF) is a security measure that protects your website by filtering out malicious traffic before it reaches your server. It acts as a shield between your site and the internet, analyzing incoming traffic to determine if it’s legitimate or a potential threat. A good WAF will block malicious traffic before it can reach your site, preventing hacks and other security issues.

There are several WAFs available for WordPress sites, both free and paid. Some popular options include Sucuri, Wordfence, and Cloudflare. Each of these WAFs has its own set of features and benefits, so it’s important to research which one will work best for your site.


Pros:

  1. Improved security: WAFs protect your website from various attacks like SQL injection, cross-site scripting, and other common web-based vulnerabilities.
  2. Easy implementation: Most WAFs can be easily installed as a plugin on your WordPress site without any technical expertise required.
  3. Automatic updates: WAFs can automatically update their security rules to protect your site against new and emerging threats.
  4. Reduced server load: WAFs can offload some of the security responsibilities from your web server, which can reduce the server load and improve site performance.
  5. Enhanced monitoring: WAFs can provide detailed logs and reports that can help you monitor and track any potential attacks on your site.


Cons:

  1. False positives: WAFs can sometimes mistake legitimate traffic for malicious traffic, which can result in false positives and block legitimate users from accessing your site.
  2. Increased complexity: Adding another layer of security through a WAF can make your website more complex and difficult to manage.
  3. Cost: Some WAFs can be costly, especially if you opt for a premium service that offers more advanced features and better support.
  4. Technical issues: WAFs can sometimes conflict with other WordPress plugins or themes, leading to technical issues that require additional troubleshooting and support.
  5. No guarantee of 100% security: While WAFs can provide additional protection for your site, they cannot guarantee complete security. It’s important to have multiple layers of security and follow best practices to keep your site secure.

Maintain Audit Logs

Audit logs are records of all the activity on your website, including who accessed it, what actions were taken, and when they were taken. By maintaining audit logs, you can keep track of any suspicious activity and identify potential security threats. This can help you identify the source of a hack and take the necessary steps to prevent it from happening again.

There are several WordPress plugins available that can help you maintain audit logs, including WP Activity Log, Jetpack, and Sucuri Security. These plugins will record all activity on your site, including logins, content changes, and plugin installations.


Pros:

  1. Enhanced security: Maintaining audit trails can help in detecting and preventing security breaches. It helps in identifying the source of unauthorized access and the changes made to the website. This enables quick action to be taken to fix any security issues.
  2. Better compliance: If your website is required to comply with certain regulations or laws, maintaining audit trails can help in meeting these requirements. Audit trails provide proof of compliance and can help in passing audits.
  3. Improved accountability: Audit trails can help in tracking who made what changes and when. This can help in holding employees or third-party vendors accountable for their actions on the website.
  4. Better decision-making: Audit trails provide valuable insights into how your website is being used. By analyzing the data, you can make informed decisions about improvements to the site.


Cons:

  1. Increased storage space: Maintaining audit trails can take up a significant amount of storage space on your server, especially if your website generates a lot of traffic.
  2. Performance impact: Writing data to the audit trail can slow down the performance of your website, especially if you are using a resource-intensive plugin.
  3. Privacy concerns: Audit trails can contain sensitive information such as user login credentials, IP addresses, and browsing history. This can raise privacy concerns and make your website vulnerable to hacking attempts.
  4. Complexity: Setting up and maintaining an audit trail can be complex, especially if you are not familiar with WordPress or website development.

Use a good hosting provider

The hosting provider you choose for your WordPress site can have a big impact on its security. A good hosting provider will have robust security measures in place to protect your site from hacks and other security threats. They should also regularly update their software and hardware to stay ahead of potential threats.

When choosing a hosting provider, it’s important to do your research and choose a reputable company with a proven track record of security. Some popular options for WordPress hosting include Bluehost, DreamHost, and Kinsta.


Pros:

  1. Improved site performance: Good hosting providers offer faster load times, better uptime, and more reliable servers, which can significantly improve your WordPress site’s performance.
  2. Better security: A good hosting provider will have advanced security measures in place to protect your site from malware, hacking attempts, and other threats.
  3. Automatic backups: Many hosting providers offer automatic backups of your WordPress site, so you can quickly restore it if anything goes wrong.
  4. Technical support: A good hosting provider will offer technical support to help you troubleshoot any issues with your site.
  5. Easy WordPress installation: Many hosting providers offer easy WordPress installation options, making it simple for beginners to get started with their website.


Cons:

  1. Cost: Good hosting providers tend to be more expensive than low-quality hosting providers.
  2. Technical expertise required: While many hosting providers offer easy WordPress installation options, setting up and configuring your site may require some technical knowledge.
  3. Customization limitations: Some hosting providers may limit your ability to customize your WordPress site, which can be frustrating for experienced users.
  4. Overloaded servers: If your hosting provider oversells its servers, it can lead to slower load times and other performance issues.

In conclusion, protecting your WordPress site from getting hacked requires a proactive approach. By keeping everything up-to-date, using strong passwords, enabling two-factor authentication, limiting login attempts, installing a security plugin, disabling file editing, and using HTTPS, you can significantly reduce the risk of your site being compromised by hackers.

More information on hardening WordPress

6 thoughts on “How to protect WordPress site from hackers (Updated)”

    • You’re welcome Michele, it looks like you really care about your blog and you’re doing great. Your blog must be proud of you, happy blogging!

  1. I use Bluehost and I seem to go through phases where I am not actually hacked, at least I don’t think I am, I just get crazy comments.

    • Hey Victoria, Bluehost is one of the most recommended WordPress hosts mainly because they automatically update the core WordPress files if the user fails to keep them updated. Quite some time back they achieved the feat of upgrading very old WordPress installations without breaking users’ sites. That was truly commendable!

      Coming to comment spam, you can use a free anti-spam plugin like Akismet to prevent your site from being bombarded with spam. Hope that helps.

    • You’re welcome Kimberly. I was a fan of Wordfence too but right now I’m using Sucuri + Cloudflare for protecting my site.

