Secure your WordPress website
Digital Marketing

How To Secure Your WordPress Website From Hackers?

Website securityA website is your online identity. If you are a blogger, entrepreneur, or eCommerce store owner, you will need a website. However, once you make your website public, you become vulnerable to all the mischief in the online world. Malware, phishing, brute force, and DDoS attacks, hackers, and spammers are just a few examples. Cyber-attacks in any form can bring your website down. This can cause huge losses to your marketing, your income, and most of all, your reputation. Therefore, launching your website is not the end of the road. You need to implement the best security practices to keep your site healthy, up, and running!

As the saying goes, “Prevention is better than cure”, it is best to protect your site from security breaches by taking proactive measures. Today, I will discuss 10 ways to protect your WordPress site.

1) Secure Web Host and Website Platform

I have observed that many newbies prefer to go for cheap web hosts. However, there are factors that must be considered before choosing any web hosting platform. If you are not building your site for casual experimentation, but have long-term plans, I will recommend that you choose a web host that has an impeccable reputation, responsive customer service, high availability, and most importantly, good security. Of course, better services come at a price!

You need to look for independent reviews like one from PCMag and then decide who you will buy web hosting services from.

I have a list of web hosting providers that can help you in your search:


WordPressOnce you have decided on your web host, it is time to create your website. Unless you are a web developer (which most of us are not), you can go for the website platforms available in the market. With security in mind, you should opt for a platform that is secure and easy to apply security patches in the future.

In this sense, I will prefer the following platforms:

I personally like WordPress because it’s easy to apply updates every time a new security patch is released. It only takes one click and the update alert is already displayed on the dashboard.

2) Strong Password

Keeping a strong password is one of the basic security measures for any online activity where you need to log into a portal. If you don’t use strong passwords because you can’t remember them, then you are a hit with security threats. You need a password for your WordPress admin area, FTP accounts, database, hosting account, C-panel, and email addresses that use your site’s domain name.

I recommend the following general rules for password management:

  • Do not keep the WordPress username as “administrator”. It makes life easier for hackers to perform brute force attacks if your admin username is ‘admin’. Either set a custom username during WordPress setup or change the username if you have already set your username as “admin”.
  • Change your password after a certain period of time.
  • You may want to use quality password managers that will generate and store passwords securely.
  • Install the WP-Members Security plugin which will take care of your password requirements and maintenance.

3) SSL Certification

When you use the Internet, confidential information such as payment details, login information, etc. are transferred. If your site is without SSL or HTTPS, then it can be easy food for hackers.

SSL is a protocol that encrypts data between your website and your browser. If you install SSL on your website, hackers will have a hard time tracking your information. You may have seen that Google lists all non-SSL websites as “Not secure”. Therefore, a site with SSL not only makes it trustworthy but also ranks high in Google searches.

SSL certificates are provided by your web host at a price. Some hosts provide them for free. You can also buy SSL certificates from any authorized CA.

Read my article for more details: HTTP to HTTPS – SSL Certificate Installation

4) Site Backup

Among all the security steps, keeping a valid backup (especially the wp-config.php file) of your site tops them all. There are plugins like VaultPress or UpdraftPlus that serves your purpose.
You have to make a proper schedule of taking backups. You can store full backups of your site, either on your local machine or on a cloud service like DropBox.

5) Limit Login Attempts

One of the common attacks on your WordPress website is from humans or bots trying to forcibly log in. This is called brute force attacks. Hackers use different username and password combinations until something breaks and they get illegitimate entry to your site.

To avoid these types of attacks, you can install a plug-in to prevent illegal login attempts. There are many plugins available that solve this problem.
I will recommend any of the following plugins for your WordPress site:

Limit Login Attempts Reloaded
Limit login attempts
WP limit login attempts

After activation, you need to visit the “Settings” section of the plugins to configure the desired parameters.

6) Automatically Log Out Idle Users

Another security concern you have to take care of is to logout idle or inactive users. Sometimes a user might log in to your website, but do not perform any activity. He might get busy attending other tasks. The idle session might give an opportunity for hijackers to gain unauthorized access to your site.
This is why I advise you to install a plugin in your site that will automatically kick off idle users based on some configured time.

I suggest the following plugins:

Inactive Logout
Idle User Logout

7) Install Latest Patch and Updates

WordPress, plugins, and themes release updates periodically. The updates include bugs and security improvements. It is always better to install the latest version of the WordPress components.

The beauty of the WordPress platform is that it regularly informs you in your control panel about new patches or updates. With just one click of the updates button, you can keep your site up to date.

8) Security Plugins

After the backups, the next thing that complements your website’s security posture is to install security plug-ins. The purposes of the plugin are to audit security activity, scan malware, monitor file integrity, and many more hardening rules.

Fortunately, I can recommend three best WordPress security plugins:


9) Minimize Spam

Receiving an overwhelming amount of spam is another security threat that can bring your website down. I will discuss 3 aspects of this threat:

a) Spam Through Contact Form

Setting up the contact form to capture visitor or potential customer information can lead to spam on your website. Hackers can use web crawlers to fill your contact forms with unwanted information.

To avoid this, you can include the CAPTCHA field in your contact form. Individuals must complete the entire CAPTCHA before submitting the form. Plugins like Captcha Code or Really Simple CAPTCHA help you build this functionality in your contact form.

Another option is to use the JetPack plugin to create your contact form. The JetPack forms work in conjunction with the Akismet plugin. Akismet filters all spam. The Akismet plugin comes by default with the WordPress installation. You don’t need CAPTCHA if you have JetPack contact forms.

b) Spam Through Business Email Address

In many cases, you may want to add your business email address on your website. This becomes easy prey for spammers to send spam to your mailbox. Either you don’t include the email address on your website unless it’s unavoidable, or you use the email obfuscation tool. You can use the tool at the Albion Research Site. You can also implement a plugin like Obfuscate Email.

c) Comments

If you enable comments on your website, you will receive a certain amount of spam. You can take some effective steps to prevent unwanted comments from appearing on your posts and pages.

From Settings → Discussion in your WordPress dashboard, you can configure comment moderation. Comments will not appear on your site unless you have approved them. Furthermore, you can also restrict comments only to users who have registered on your website.

Another option is to use anti-spam plugins such as Akismet and Antispam Bee. They help flag spam and filter unnecessary messages from appearing on your site.

10) Reduce Downtime, Monitor Uptime

Availability is one of the key principles of website security. It goes a long way towards building online trust and brand equity by keeping downtime to a minimum. You can achieve this by hosting your site on a distributed network and, of course, with constant monitoring.

A website can stop working for various reasons. Server crashes, failed updates, patch installation, or even DDoS attacks. To protect your website, you should consider using a CDN service. CDN distributes your website to many data centers in the world, and therefore even if one server goes down, your website will still be available. You can avoid a single point of failure by using CDN. Additionally, your site’s performance also improves when you have CDN, as the contents are fetched from the nearest data center cache. Cloudflare and Incapsula are two CDNs worth trying. You can use the free or paid version. The paid version comes with many additional features. However, the free version satisfies the requirements of a small website.


The next step is to monitor the uptime of your site. It is always necessary to keep a record of any instance where your site has gone offline. This tracking helps you perform RCA and troubleshoot potential threats and issues with your site. You must take the help of uptime monitoring services to monitor your site. You can try the services of the following free uptime monitors:
Google Webmaster Tools


I hope this blog will enable you to make your websites secure!! Security is one space that newbies do not put to much of emphasis. However, it is true that if you ignore your website security, you may lose your site. So, be careful, next time!!!

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!