How to Protect a WordPress Site from Hackers

Inka WibowoRobert Brandl

By Inka & Robert

wordpress security tips

There is a saying: “If you build it, they will come.” And in the online world, this means hackers.

But what do you do to stop them?

Security is important, and taking a proactive approach is the best way to protect your site. Just like with your house or business, you want to keep your assets secure.

Most WordPress websites are infected due to lack of updating files, breaking one of the logins, or a brute force attack.

The hardest part is the realization that a malware infection can happen to any site. I have seen a brute force attack on a test site that was not even indexed by Google and had no visitors.

While nothing is ever 100% full proof, there are ways to avoid the worst. Here are simple steps a small business owner can take to keep their online business secure that require no developer or coding on your part.

The Importance of Passwords

A great password is the first line of defense to keep unwanted people out of your websites.

When a bot comes to try to get into a WordPress dashboard, the first thing they try to use when logging in is “admin” and “password” as that combination is the most widely used login. Changing it around to be “Pa$$w0rd” does not make it more secure either, due to the fact it still reads “password”.

Names or anything that will still read as a legible word are the easiest to hack passwords.

Typically, any password should be at least 12 characters that are illegible, containing upper and lowercase letters, numbers, and special characters. The more characters in the password, the harder it is to break.

If you want to test how secure your passwords are, check the How Secure Is My Password checker. This will show you how long it would take a computer bot to break your password.

The checker told me that it would take a desktop PC about 377 billion years to crack my password.

That is when you know you have a great password!

Security Plugins Do Help

There are many types of security plugins that fulfill a range of functions. You can use more than one security plugin on your site, as long as you do not have them set to do the same things.

Here is a list of some great WordPress security plugins that are available.

But for this article, here is how I set up all of my sites for maximum security:

Jetpack – I use the multi-fictional plugin Jetpack on all of my sites. They have a few features built-in for security measures that I turn on.

  • Monitor – Jetpack will notify you when your site goes down and when it comes back up again. Always be in the know when your customers can not access your website.
  • Protect – Protect used to be a stand-alone plugin called BruteProtect. It was one of the highest used plugins to block out brute force attacks. Automattic acquired it last year and now has it built into Jetpack.
  • Manage – Jetpack’s Manage lets you update your plugins, themes, and core of all of your self-hosted websites from one dashboard and gives you the opportunity to have automatic updates.

iThemes Security (formerly Better WP Security) – While iThemes Security is NOT a security firewall, it does give great benefits to securing a website without having to change the code yourself. They do have a free and a Pro version.

Here are the features that should be turned on with this plugin while using Jetpack.

  • Always allow iThemes Security to write to wp-config and .htaccess. This is how the plugin tells the website how to harden the security.
  • Enable Blacklist Repeat Offender
  • Enable 404 Detection
  • Take advantage of the Away Mode when you know no one should be logging into your dashboard. Leave off if you work on your website at all hours of the day.
  • Enable the ban users and HackRepair.com’s blacklist feature. This will keep known malicious IP’s away from your website.
  • Enable file change detection and split the file checking into chucks. iThemes will notify you if any of the files have changed and do not match what is in the repository’s original files.
  • Enable the hide backed feature. This will change your login from YourSite.com/wp-login to a custom page of your choice. Do not put it as a current or future page or post. Great examples are enter, main, or secure.
  • iThemes Security now offers Sucuri SiteCheck scans for all plugin users.
  • Enable strong passwords for all users, including subscribers.
  • Check all boxes in the System Tweaks.
  • In the WordPress Tweaks area, do not completely disable XML-RPC when using Jetpack as this could cause Jetpack to no longer work properly.
  • The Pro version gives you the option of using a two-factor authentication to login among other features.

WordFence – While I do love WordFence’s scanner, I typically only have it downloaded to a site when I am double-checking to make sure all malware has been deleted.

If you feel like your site has been infected, WordFence can detect any WordPress file that has been changed from its original. WordFence does offer a caching tool as well.

If you do choose to use WordFence, you can enable all options but do not run it with iThemes Security, Jetpack’s Protect, or the Sucuri Security as they can cause conflict with each other.

Sucuri Security – Sucuri has both a Firewall and an AntiVirus that can help block the bad guys out of your website. Sucuri has the most widely used WordPress firewall in the industry.

You can run the Sucuri CloudProxy Firewall with iThemes Security but get the list of the CloudProxy IP’s from Sucuri to put in your IP WhiteList in the iThemes Security settings.

Two-factor Authentication

Any login that you can have a two factor authentication on, it is always advisable to use.

There are different ways this can be set up. There can be a CAPTCHA, a Google Authorization code, or a simple math question to prove that you are a human.

If you choose to use any of these, make sure that each person accessing the dashboard has their own login. Shared logins can cause issues especially if using the Google Authorization code that is sent to a cell phone.

  • iThemes Security Pro – has multiple two-factor options, including CAPTCHA, Google Authorization, and simple math.
  • Clef – Using your cell phone, Clef offers a no-password approach to logging into your WordPress dashboard.
  • Google Authenticator – Uses two-factor authentication by the Google Authenticator app for Android/iPhone/Blackberry.

Always Update

The biggest reason malicious code gets into a website is due to a found vulnerability in code for a plugin, theme, or website.

This is easily remedied by having your website on an update cycle. Some owners will have a set day of the week to update their website, while others will update every time they login.

There are also plugins that can help keep your sites updated.

  • Jetpack – Handle all of your Jetpack connected sites in one WordPress.com dashboard
  • iThemes Sync – Sync up to 10 sites for free, so there is one dashboard to update, run BackupBuddy, and unlock iThemes Security lockouts.

Have a Backup System

There is very little that is more important with a website than having a backup system in place.

As long as there is a full backup of the website including the database, you will never lose your website.

There are numerous ways to backup a website, some are automated, some are manual. Always send your backups somewhere other than your server.

  • Updraft Plus – They have a free and premium version to backup your website.
  • BackupBuddy – A premium backup plugin that integrates with iThemes Security and Sync.

Miscellaneous Security Tips

While these do not fit into a bigger category, they are just as important to remember:

  • Always use SFTP when using a file manager.
  • Keep directories at 755 and files at 644. Never have them at 777 or 666 as that leaves them executable by everyone.
  • Makes sure your database username and password are complex.
  • Do not send passwords in an email. Attach them as a zipped text document.
  • Use a password manager to keep track of your logins. LastPass and 1Password are great tools that can be used on any browser and on your mobile devices.
  • Keep an antivirus on your machine to stop an automatic download from a malicious website.

Following these steps will help you and your online business to stay safe. Remember, being proactive is the best approach to WordPress security!

Inka Wibowo

Content Manager

Hi, I'm Inka! I started using website builders and content management systems over 10 years ago, when I managed websites for clients in my first marketing role. Since then, I've worked on hundreds of web and digital projects. Now, at Tooltester, I'm happy to be able to use my experience to help users like you find the right website builder for your needs.

Robert Brandl

Founder and CEO

Hi, my name is Robert Brandl! I used to work in a digital marketing agency where I managed website and email marketing projects. To optimize my client's campaigns, I always had to find the optimal web tools. Tooltester offers this knowledge to you, hopefully saving you endless hours of research.

Learn more about us


This article has been written and researched following a precise methodology.

Our methodology


website creation ebook cover page

The Step-by-Step Guide to Website Creation

Are you keen to learn the basics before you get started? In our ebook, “Website Creation for Absolute Beginners” we’ll show you the steps you need to take to create your own business website.

Note: We will never share your email address with anyone except our email service provider. Of course, you can unsubscribe at any time.