An Exclusive Guide to Secure your WordPress Website From Hackers

WordPress is one of the most popular content management system (CMS) across the Internet. But like other CMSs, WordPress is also exposed to the risks of hacking because its structure remains the same for everyone. Whether your WordPress website is big or small, known or not, white or pink Floyd — you have folders called “wp-admin”, “wp-content”, “wp-includes”, etc. And the hackers know it! This is why it is important to recall some tips to protect WordPress website from hacking.

Newbie WordPress users often imagine that you need to be well-known and influential to be a victim of hacking. It is also sometimes thought that hacking is caused by competitors who wish to harm you.
In reality, most of the hacking attacks are large-scale serial attacks. For example, hackers often target websites that use a particular plugin that presents a security flaw like Slider Revolution Plugin vulnerability, which they try to exploit the flaw to get into WordPress websites.

To do what? Most of the time, WordPress will allow these hackers to use a website to send spam. In short, they will exploit installation and resources to send thousands of emails or spread any propaganda message. Users understand that what counts for these hackers is not the identity but rather the prospect of hacking as many websites as possible to serve their final goal.

Therefore, in this guide, I am discussing the following topics about WordPress security and most importantly, how to protect it!

1. Backup WordPress Website
2. Update WordPress Version
3. Change Default Username and Password
4. Restrict Admin Access (wp-admin)
5. Use Security Plugins and Tools

1. Backup WordPress Website

Backup your WordPress website

Before trying to protect WordPress, it is important to take regular backups of the website.
Do you know, why does WordPress hacking do so much damage? It is primarily because it can cause you to lose weeks or even months of work. A hacked website can be cleaned, but it is sometimes impossible to restore its contents if a recent or healthy backup is not available.
Backing up WordPress website must cover two aspects:

1. The database of the website: it is in the database that store the comments, the text of articles, and customized settings, etc.
2. The website files: these are, for example, the images or videos that users put online, the theme files, etc.

However, there have several methods at your disposal to perform a WordPress backup.

2. Update WordPress and Installed Plugins

Update WordPress and Installed Plugins

WordPress plugins, like WordPress itself, are regularly updated. WordPress users must keep up with these updates.

Sometimes newer versions only fix small bugs that users do not concern, but sometimes those versions also fix security flaws that have been previously reported by users. Always remember, continuing to use an outdated version means exposing yourself to what a hacker uses to exploit WordPress website.

Users can wait a day or two to install the updates to see if some other users report a problem, but it is better to do so quickly. Similarly, do not keep a plugin on WordPress website that no longer in use, even if it is inactive.

3. Change Default Username and Password

The easiest way to take control of a WordPress website is to know username and password.

By default, when installing WordPress, the username is “admin”. Therefore, it is important to change it, preferably by choosing a different name from the website to make it difficult to guess. It is also important to choose a complicated password.

The brute force attack is one of the most common forms of WordPress hacking. The hacker uses software to test different passwords automatically. To give you an idea, a personal computer can test up to a few million passwords per second with this type of attack and:

  • For a password of 6 lowercase letters, there are nearly 309 million possible combinations.
  • For a 6-letter password that mixes uppercase and lowercase, can switch to more than 2 billion possible combinations.
  • For a 6-character password that mixes lowercase letters, uppercase letters, and numbers can switch to 56,000,000,000 possible combinations.
  • If a punctuation is added, a password becomes almost impossible to hack into it.

From the outside, a brute force attack can be totally invisible. To see it, it is necessary to go in the logs of WordPress website. The logs are files that record all activities that happen on the website. For example, which pages are viewed, which files are downloaded, and so on?

Most of the time, users do not read the logs because they are rather indigestible. However, when one suspects a problem on the website, the logs can help to understand the origin of the malfunction. During a brute-force attack, here’s what the logs look like:

Brute force attack log

The same IP address (, that is repeatedly trying to access the wp-login.php file to connect to the website administration. If a password is very complex, it will be almost impossible to guess with this type of attack. You can set a new password by going to the Users > Your Profile section of your website.

Renaming the Admin Account

If rename the default administrator account, it will complicate the task even more for hackers. The easiest way to do this is to go to the “Users” menu of WordPress and then “Add”. Create your new hard-to-guess ID, a complicated password, and give it the role of administrator.

Then reconnect to WordPress with the new ID. Go to the Users > All users menu. Check your old “Admin” account and choose “Delete”.

However, there are other ways to know the administrator account ID, but they often involve manually looking at the WordPress website code, which rarely happens in common hacking situations

4. Restrict Admin Access (wp-admin)

When a user sign into the WordPress, he typically enters the address (or /wp-login/). It is possible to make this a restricted page for users with unidentified IP access using .htaccess file.
Use the following code to protect your admin page using .htaccess file:

AuthUserFile /Custom Folder/null
AuthGroupFile /Custom Folder/null
AuthType Basic
order deny,allow
deny from all
# whitelist IP address
allow from
# whitelist IP address
allow from

Note: Don’t forget to replace and xxx values with your own IP address.

5. Use Security Plugins and Tools

Use Security Plugins and Tools

There are many security plugins for WordPress available in the market and one of them is, Hide My WP. It not only provides monitoring and attack detection capabilities but also a powerful anti-spam shield for WordPress website. And, above all, it completely hides the fact that it is a WordPress-based website.

Hide My WP plugin is so powerful that when testing a website with a tool like Wappalyzer, which detects the used CMS, Wappalyzer is unable to indicate that the website uses WordPress.
The following 2 plugins can also be used for WordPress security.

  • Wordfence Security: This plugin monitors WordPress website in real time. It can notify about changes in administration files, detect suspicious code, automatically block repeated attempts to connect to administration or spammers, allow dual authentication with mobile. It also makes it possible to carry out a complete scan of the websites to detect a possible piracy.
  • iThemes Security: This plugin is a good alternative to Wordfence Security. It also monitors a website to detect suspicious changes and block intrusion attempts, change the address of login pages, and rename the administrator account.

To take stock of WordPress website, I recommend 2 sites:

  • Nature Digital: This site offers a good WordPress security test that identifies the most common problems on your website.
  • Dareboost: Dareboost is a very powerful tool that goes far beyond safety. As such, it can be complex for a novice but will give web developers valuable tips to optimize the security of a WordPress website.

Going Further: Managed Cloud Hosting for WordPress

While considering the above factors for WordPress security, users must not forget that WordPress hosting is the first step for a secured website. Knowing that over 41% of hacking attempts are caused by flaws in hosting platforms, it is recommended to choose a managed cloud hosting for WordPress like Cloudways that offers the following options:

  • Support for the latest versions of WordPress
  • Structure optimized for WordPress
  • Firewall designed specifically for WordPress
  • Daily backups of your WordPress website

If your WordPress requires a maximum level of security, do not opt for shared hosting or VPS hosting because these type of hosting solutions are vulnerable for your website.

Do not wait before putting in place these effective and simple to implement measures in order to enhance the security of a WordPress website. If you have any other strategy to share about WordPress security, feel free to share in the comment section below. That’s all!

Share this Story
Load More Related Articles
Load More By Editorial Team
Load More In Tutorials

Leave a Reply

Your email address will not be published. Required fields are marked *

Join Over 50,000+ Subscribers

Interested In


WordPress Plugins and Themes