How to secure WordPress website from hackers

November 30, 2023

WordPress is subjected to many kinds of attack on a daily basis; however, it handles most of them thanks to its strong security features. WordPress is the most widely used CMS in the world and powers 33% of websites today.

Any WordPress website you open in your browser is made up of multiple working components: hosting, the WordPress core, themes, plugins, and more. From a security standpoint, a breach can occur at any of these components. The breakdown below shows the key vulnerable areas and where you need to focus in order to achieve optimum security.

  • 40% of the websites are hacked by vulnerabilities in their hosting platform
  • 30% due to an insecure theme
  • 21% due to vulnerable plug-ins
  • 9% due to the use of weak passwords

So let’s dive deeper into each aspect and learn how to protect your WordPress website from hackers.

Hosting company

Always be super cautious while choosing your website hosting company. Never opt for cheap hosting services just because they suit your budget. Choose a hosting company keeping in mind your long-term goals and how serious you are about your business. When it comes to hosting services you would want to check on the following points.

  • Check whether your website is hosted on a shared server

If you are hosting a personal blog as a hobby and are not looking for serious commercial returns, an unmanaged shared hosting service may work well for you. But if you are hosting a business website, you should always look for managed hosting. Look for providers that offer a complete hosting solution covering the following:

  1. Hosting
  2. Backups
  3. Regular updates
  4. WordPress (core, theme, and plugin) updates
  5. Security checks
  6. Last but not least, regular reports

  • Uptime guarantee
  • Support, both chat and phone, is very important. Especially check the promptness of the support; you would not want to keep listening to that hold music for long.

Once you have the right hosting provider in place, it’s time to look at the inner workings of the WordPress software itself, namely its themes and plugins. They are its biggest selling point, but they also need to be examined very carefully from a security standpoint.

Never use Nulled Themes

If you are unsure what that means, check with the developer or company that built your website that they have not used a nulled theme. The way to check is to see whether your website was built on a ready-made/premium theme and, if so, whether the site uses a proper license key for it. This ensures your website contains the genuine code and also helps the theme’s developers keep doing good work; after all, a license for a premium theme is not that costly.

Why not to go after Nulled themes?

Though it may look tempting because it saves a few dollars up front, avoid downloading or using nulled themes, as they can do serious harm to your website. Premium themes look more professional and offer more customization options than free themes. They are coded by experienced developers and are tested to pass multiple WordPress checks right out of the box, there are no restrictions on customizing them, and, most of all, you get regular theme updates. Some sites, however, offer nulled or cracked themes: a nulled theme is a cracked copy of a premium theme distributed illegally. These are extremely dangerous for your website, since they contain hidden malicious code that can compromise your site and log your admin credentials.

Themes & Plugins check

Themes:

If you are not using one of the default WordPress themes, have not purchased one from a premium marketplace, and someone has developed a custom theme for you, it becomes essential to check that the theme is clean and follows the standards laid out by the WordPress community. Before making your website live, you should have a local or live development environment and have done the following basic checks; this will ensure your site was developed by reliable hands.

  • It should not use any deprecated code or functions, either from WordPress or from PHP
  • It should have been checked with WP_DEBUG mode enabled
  • It should have WP_DEBUG_LOG enabled, and the log checked periodically, to ensure it keeps functioning smoothly
  • It should have been tested with the WordPress Theme Unit Test data to ensure the theme doesn’t break under a heavy load of content, comments, images, or any other type of content
  • For deeper checks you can try the steps mentioned on the Custom WordPress theme development standards page.
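
The debug settings the checklist above refers to, as a wp-config.php fragment (an added example, not code from the original article). The WP_ENV environment variable is an assumption used here to tell development from production, and the production log path is a placeholder.

```php
<?php
// wp-config.php fragment (added example, not from the original article).
// WP_ENV is an assumed environment variable; the log path is a placeholder.
// WP_DEBUG_LOG accepts a file path since WordPress 5.1.

if ( getenv( 'WP_ENV' ) === 'development' ) {
    // Development: surface every notice, including deprecated WordPress and PHP
    // functions used by the theme, both in the page and in the log.
    define( 'WP_DEBUG', true );
    define( 'WP_DEBUG_DISPLAY', true );
    define( 'WP_DEBUG_LOG', true );          // writes to wp-content/debug.log
    define( 'SCRIPT_DEBUG', true );          // load unminified core scripts and styles
} else {
    // Production: keep logging so the log can still be checked periodically, but
    // never render notices to visitors (they leak file paths and versions), and
    // keep the log outside the web root so it cannot be downloaded over HTTP.
    define( 'WP_DEBUG', true );
    define( 'WP_DEBUG_DISPLAY', false );
    define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' ); // placeholder; must be writable by PHP
    define( 'SCRIPT_DEBUG', false );
}
```

Note that WP_DEBUG_LOG has no effect unless WP_DEBUG is true, which is why logging stays on in production with display turned off.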

Plugins:

Plugins can really take your WordPress website to the next level. For example, within a few clicks a simple website can turn into a fully functional e-commerce store. Having said that, after hosting and themes, plugins are the third most important area you should always be careful about. A weakly coded plugin can easily hand a hacker the keys to your website or database, and sometimes it can infect other sites hosted on the same server as well. Paying attention to the following points will help you make the right choice from a security standpoint.

  • Avoid downloading plugins from external sources unless it is a paid plugin from a reputed developer (Gravity Forms, for example) or a paid store.
  • When installing a plugin from the WordPress backend, also look at points such as:
    1. Number of active installations
    2. Number of stars received
    3. Last updated date
    4. Compatibility with your WordPress version
  • Most importantly, search whether that plugin or its version has any known vulnerabilities.
  • Compare other similar plugins providing the same functionality.

In general:

Always keep your themes, plugins, and WordPress core updated to their latest versions.

Hide login page

It’s a good idea to change the default WordPress login URL. This gives some extra protection against brute-force attacks. It also helps prevent spam user registrations if your site allows users to create a free subscription account.

Login lockdown feature

By default WordPress allows unlimited failed login attempts, which exposes your site to brute-force attacks. By implementing a lockdown feature, you can block further attempts from a user for a given interval of time after a number of failed logins.
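
One way to implement such a lockdown with core WordPress hooks, as an added example that is not code from the original article. It is a must-use plugin that counts failures per client address in a transient; it assumes REMOTE_ADDR is the real client address (behind a proxy or CDN, derive it from the trusted forwarding header instead), and the LL_* names are hypothetical.

```php
<?php
/**
 * Plugin Name: Login Lockdown (added example, not part of the original article)
 *
 * Drop this file into wp-content/mu-plugins/. After LL_MAX_ATTEMPTS failed logins
 * from one address, further attempts are refused for LL_LOCKOUT_SECONDS. The
 * counter lives in a WordPress transient, so it expires on its own.
 * Assumes REMOTE_ADDR is the real client address.
 */
define( 'LL_MAX_ATTEMPTS', 5 );
define( 'LL_LOCKOUT_SECONDS', 15 * 60 );

function ll_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
}

function ll_transient_key(): string {
    // Hash the address so the option name stays short and contains only safe characters.
    return 'll_fails_' . md5( ll_client_ip() );
}

// Count every failed attempt. Each failure re-arms the expiry, so an attacker who
// keeps hammering during the lockout only extends it.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ll_transient_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, LL_LOCKOUT_SECONDS );
    if ( $fails >= LL_MAX_ATTEMPTS ) {
        error_log( sprintf( 'Login lockdown: %s locked after %d failures (last username "%s")',
            ll_client_ip(), $fails, $username ) );
    }
} );

// Runs after WordPress's own username/password check (priority 20), so a locked
// address gets an error even when the credentials would have been correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ll_transient_key() ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error( 'locked_out',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ll_transient_key() );
} );
```

The same counter also covers logins via XML-RPC, since those pass through the authenticate filter as well.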

Don’t use weak password

I would recommend putting a strong password policy in place for your WordPress site, because weak passwords and login data are responsible for a good share of hacks. This is especially true for brute-force attacks, which let attackers test countless login combinations in a short amount of time. As stupid as this sounds, it works!

TERRIBLE    GOOD           EXCELLENT
Admin       Somename111    ^7om@6Z3un3$
Password    Name@123       EWS3@a6GCQ67
123456                     &mhesuqv;5$m>()))*5`r)6#
Letmein                    &mhesuqv;5$m>()))*5`r)6#

You can check the list of the most common passwords on Wikipedia.

As a first line of defense, adhere to the following best practices for WordPress login information:

  • Avoid using the “Admin” as username (which used to be the default in older WordPress versions and is therefore often targeted first)
  • Create a strong password
  • Oblige other users to do the same (force strong passwords).

Disable directory listing with .htaccess

Add the following snippet to .htaccess

Disable trackbacks and pingbacks

WordPress introduced trackbacks and pingbacks so that blogs could notify each other when they link to one another. Today they are mostly used by spammers to spam sites, so disabling them is a good idea.

Add Recaptcha to forms

Google reCAPTCHA, or any type of CAPTCHA, helps ensure that your forms are submitted by actual humans. It will save you from spam submissions and, for poorly custom-coded forms, from SQL injection as well.

Disable XML-RPC in WordPress

The xmlrpc.php file allows you to post content remotely, for example from your mobile device, but lately this feature is mostly used by hackers to execute mass attacks on websites. If you are not using it, it’s a good idea to disable it altogether; doing so will also cut your resource usage considerably.
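
A must-use plugin that applies both the pingback/trackback and the XML-RPC advice above using only core WordPress hooks (an added example, not code from the original article; the file and step numbering are this example's own).

```php
<?php
/**
 * Plugin Name: Disable XML-RPC and pingbacks (added example, not from the original article)
 *
 * Drop this file into wp-content/mu-plugins/.
 */

// 1. Turn off the whole XML-RPC API. Requests still reach xmlrpc.php and PHP still
//    answers them (with a fault), so to also save the resource usage, deny the file
//    at the web server in addition to this filter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. If XML-RPC has to stay on for a mobile app, at least drop the pingback methods,
//    which are the ones abused for spam and for bouncing traffic off your server.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint via the X-Pingback header and the RSD <link>.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Treat pings as closed on every existing post (incoming pingbacks and
//    trackbacks are refused, without touching the database), make "closed" the
//    default for new posts, and stop WordPress from sending its own pingbacks.
add_filter( 'pings_open', '__return_false', 20, 2 );
add_action( 'init', function () {
    if ( 'closed' !== get_option( 'default_ping_status' ) ) {
        update_option( 'default_ping_status', 'closed' );
    }
    if ( get_option( 'default_pingback_flag' ) ) {
        update_option( 'default_pingback_flag', 0 );
    }
} );
```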

Check directories & file permissions are set correctly

This is one of the most important checks, and it matters even more if your site is hosted on shared hosting. As a best practice, all your directories should have “755” and all files “644” permissions.
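
A small audit script for the 755/644 rule, as an added example that is not part of the original article. It walks the install, reports every directory or file that deviates from the baseline and, with --fix, corrects it; it assumes PHP runs as the file owner (as on typical managed hosting) and skips symlinks.

```php
<?php
// Audit a WordPress install against the 755 (directories) / 644 (files) rule
// (added example, not from the original article). Usage:
//   php perms-audit.php /var/www/html          # report only
//   php perms-audit.php /var/www/html --fix    # also chmod the offenders
// Assumes PHP runs as the file owner; symlinks are skipped.

function wp_perm_audit( string $root, bool $fix = false ): array {
    $offenders = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $path => $info ) {
        if ( $info->isLink() ) {
            continue;
        }
        $mode = fileperms( $path ) & 0777;
        $want = $info->isDir() ? 0755 : 0644;
        if ( $mode !== $want ) {
            // Group- or world-writable entries are the real danger on shared hosting,
            // but anything off the baseline is reported so that drift stays visible.
            $offenders[] = sprintf( '%s is %04o, expected %04o', $path, $mode, $want );
            if ( $fix ) {
                chmod( $path, $want );
            }
        }
    }
    return $offenders;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $issues = wp_perm_audit( $argv[1], in_array( '--fix', $argv, true ) );
    echo $issues ? implode( PHP_EOL, $issues ) . PHP_EOL : "All permissions match 755/644.\n";
    exit( $issues ? 1 : 0 );
}
```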

Change the default database prefix

Changing the default database table prefix from wp_ to something difficult to guess gives some protection against SQL injection.

Setup SSL and have proper redirects in place for SSL

Adding an SSL certificate to your website not only adds great security but also provides SEO benefits. Having SSL with proper redirects ensures your site is served on port 443 (HTTPS) and not on port 80, which is unencrypted. For example, the following variants:

  • http://example.com
  • http://www.example.com
  • https://example.com

All of these must redirect to https://www.example.com

Note: Whether the canonical host is www or non-www is your preference; neither choice is better than the other.

Consider protecting your site against DDoS attack

In a DDoS (Distributed Denial of Service) attack your site is made unavailable, usually by many infected machines (a botnet) targeting it at once. You can sign up for a free Cloudflare account; Cloudflare sits between the client browser and your server and provides good protection against this type of attack.