How to Protect Your WordPress Website from Hackers: 12 Simple Measures

10/02/2019 By Vasyl Tsyktor

WordPress is a simple and easy-to-install content management system (CMS) preferred by numerous users. It’s the most popular blogging platform worldwide: 30% of all websites on the Internet use it. However, this popularity has a downside: it attracts hackers from all over the world. So if you are considering WordPress for your website or already use this CMS for your blog, online store, or corporate resource, you should know how to keep your WordPress site secure.

WordPress security

According to a report by Sucuri, a company focused on website security, WordPress is the most hacked CMS. WordPress accounts for 83% of all hacked CMS-based websites, followed by Joomla in second place with 13.1% and Magento with 6.5%. These statistics can create the misconception that WordPress is highly vulnerable and has many cybersecurity holes.


However, Sucuri notes that their report doesn’t mean that WordPress is less secure than other platforms. In most cases, the weak protection that led to infections had nothing to do with the system itself but with improper installation, configuration, and maintenance. In other words, WordPress websites are usually hacked because site owners or webmasters haven’t taken proper steps to protect them from attacks, not because the platform is vulnerable.

Is WordPress secure enough for Ecommerce?

WooCommerce is the most popular plugin for WordPress online stores. With more than 4,000,000 installations, it allows users to create Ecommerce websites with categories, products, payments, and email notifications. However, users wonder whether it is safe to use WordPress for their online store, since they may think that building an Ecommerce website on this platform puts their business at greater risk than creating a blog or corporate site.


In fact, there is hardly any difference between securing a WordPress-based online store and securing a blog. To convert an ordinary WordPress website into an online store, you just need to install and configure WooCommerce, taking into account that your theme should be compatible with this plugin. Although it’s open source, you can trust its developers since the plugin has been approved by a dedicated team of developers.


Everything you install in addition to the core, standard themes, and Woocommerce is your responsibility. You should remember that your online store remains secure as long as the overall WordPress website is secure. So all the cybersecurity measures mentioned below are applicable for both Ecommerce and corporate websites.

The best WordPress cybersecurity practices

There are a number of important measures you have to apply in order to secure your WordPress website. Below, we will cover the simplest ones which won’t break your website if improperly configured.

Practice #1: Conduct regular updates

With each new update, WordPress becomes more and more secure. After the release of version 5, Wordfence, a cybersecurity company, reported a few vulnerabilities that were fixed in the next update, 5.0.1. You should always keep your site up to date to protect it from attacks that target older versions of the system.


However, you shouldn’t rely solely on core security. Both plugins and themes also get regular updates. By updating them, you ensure their compatibility with the latest core version and get better protection from cyber threats. Moreover, updating is easy: clicking the update button is everything you have to do. You don’t need to copy any files.

Practice #2: Protect your passwords

The best and easiest thing you can do to secure your WordPress website is to avoid making an attack simpler for cybercriminals. This starts with reliable passwords. In short, use long, complicated passwords containing no personal information like your name or address. In addition, it may sound obvious, but you should keep your admin login data secret. Don’t share it or write it down.


Here’s a full list of practices on how to protect passwords from hackers:

  • Use a complicated password
  • Avoid using your personal information in a password
  • Avoid using words in passwords
  • Use long passwords
  • Don’t share your login details
  • Update your passwords once per two months
  • Use a different password for WordPress admin panel and other online services
  • Don’t enter your credentials on computers or networks you can’t control
  • Use a password manager if you use many different online services
  • Don’t write your password down on paper or anything else
  • Doubt all unusual information you receive via email, SMS, or phone


The last measure also can protect you from phishing attacks aimed at making you disclose your sensitive data or encouraging you to click on malicious links. Don’t open emails from unverified senders and don’t follow suspicious links because you may accidentally download and install malware.

Practice #3: Don’t use the Admin username


I have often seen people use Admin as the username for the WordPress admin panel. It’s short and easy to remember since it is associated with a website administrator. According to Gizmodo, it’s also one of the most popular passwords: it took 12th place in their 2018 rating. This popularity makes it easy to guess. Your username should be as secure as your password, so choose a unique username to prevent hackers from gaining unauthorized access. Consider using your email address if you don’t want to remember another long and complicated set of symbols.

Practice #4: Limit login attempts

“Any password can be hacked with enough time”, SANS Institute

One of the common types of attacks is a brute force attack aimed at guessing your password. To do so, hackers generate a massive number of automated login attempts. In addition to creating a strong password, you can limit these attempts and block hosts sending such requests.


According to the Global Information Assurance Certification (GIAC), there are no unbreakable passwords. So limiting login attempts will dramatically reduce the risk of hackers compromising your credentials. You can do it by installing a security plugin like iThemes Security. With its free version, you can set the number of unsuccessful login attempts after which the plugin blocks the host so that it can no longer try to sign in.

Practice #5: Change the login page URL

To try to guess your password, hackers first need to visit your login page, where you usually enter your credentials to access the WordPress admin panel. From there they can conduct the above-mentioned brute force attack, a dictionary attack, or a rainbow table attack. Rainbow table attacks rely on special databases of password hashes, while dictionary attacks target simple passwords consisting of common words.


So you can disorientate cybercriminals and prevent them from initiating an attack focused on compromising your sensitive data. To do so, you can hide your login page by changing its default URL from to something like Thus, they won’t be able to visit your login page and launch their malicious algorithms.

Practice #6: Use HTTPS


Using special hacking techniques, cybercriminals can try to intercept sensitive information that your website visitors exchange with your resource. This data can include email addresses visitors enter in your contact form or payment information like a credit card number, its expiry date, and the CVV2 they share with your site to make a payment.


To prevent user data from being compromised, you should install an SSL certificate and establish a secure HTTPS connection instead of standard HTTP. This will also make your website more attractive to search engines. Once it is configured, you can make sure your site is safe by visiting it and checking that the URL starts with https:// rather than http:// and that a lock icon appears before the URL.

Practice #7: Enable automatic backups

Regardless of any active cybersecurity measures, you always have to have a plan B in case of emergency. So you should enable automatic backups on your website. Once hacked, you will be able to easily recover your website with the previously saved backup data. You won’t lose your posts, categories, tags, images, or products if you have a backup stored on your computer or in the cloud storage. To enable regular automatic backups, you can install the free Duplicator plugin. With this add-on, you won’t need to manually create backups with each next update like adding a new post or product.

Practice #8: Use two-factor authentication

In many cases, once hackers compromise your credentials, nothing can stop them from accessing your admin panel. So you should create another barrier for cybercriminals and make their attack much more difficult to conduct. You can make them enter data they can’t guess in order to get into your site: enable two-factor authentication (2FA).


This is a feature that adds an additional step towards signing in. Besides a username and password (something you know), you will have to enter some data taken from something you have. In addition to entering your credentials, this feature usually requires you to enter a one-time password sent to your mobile device via push-notification or SMS. To enable 2FA on your website, you can use special plugins like Google Authenticator or iThemes Security Pro.

Practice #9: Don’t install unverified themes and plugins


Since WordPress is an open source platform, anybody can create themes and plugins for the system. So when installing an add-on, you entrust your website security to third-party developers. By downloading files from unverified websites, you put your site at risk since these files can contain bugs or even malicious code that can damage your resource.


That’s why you should use the themes and plugins placed in the official WordPress repository. This measure will minimize the risk of installing a virus along with an add-on. Furthermore, it’s much easier to click the Install button than to download files and copy them to the file system on your hosting server.

Practice #10: Disallow new user registrations

You might have wondered why you often receive email notifications about new user registrations on your website. Why would anybody sign up on your blog if you have enabled comments without the need for registration? In most cases, those are spammers. It’s worth noting that visitors don’t need to become users to receive newsletters. If you don’t accept guest posts, then disable new user registrations on your website. Instead, let your visitors submit posts via email. Go to the Settings section and choose the General menu option. Then uncheck the Anyone can register checkbox and save your changes.

Practice #11: Set the right permissions

If you still need certain users to sign up in order to publish or edit your posts, make sure they don’t get higher permissions than they need. Set the corresponding permissions for your editor instead of granting this person the admin role. Thus, you will avoid damage to your website design or functionality.

Table of permissions for different roles in WordPress
Permissions/Role Administrator Editor Author Contributor Subscriber
Visit a site
Edit posts
Delete posts
Edit published posts
Upload files
Publish pages
Edit pages and posts published by others
Delete pages and posts published by others
Visit private pages
Edit private pages
Delete private pages
Edit categories
Delete categories
Moderate comments
Install plugins
Delete plugins
Add new users
Delete users
Install themes
Configure themes
Delete themes
Edit files
Export/import content
Update the core, plugins, and themes

Practice #12: Disable XML-RPC

The WordPress core has the xmlrpc.php file that enables remote connections to your admin panel. This file allows you to edit posts using, for example, a specific mobile app. However, this feature is a significant security drawback since it makes it easier for hackers to conduct brute force attacks.


To try 100 different passwords on your site, attackers usually need to make 100 login attempts. If you have a security plugin installed, it will block their host after the first few unsuccessful attempts. With XML-RPC, hackers can try these 100 passwords with a single request. That’s why you should disable XML-RPC on your website if you don’t need any remote connections.
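The lockout rule from Practice #4 and the XML-RPC caveat above can both be checked against the web server's access log. The Python script below is an added example, not code from this article or from any plugin it names; the log lines are constructed, and the function names, thresholds and the reading of wp-login.php status codes (200 for a failed login, 302 for a successful one) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (combined-log prefix), not real traffic.
SAMPLE = [
    f'198.51.100.7 - - [10/Feb/2019:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120'
    for s in range(0, 60, 10)  # six failed logins within one minute
] + [
    '203.0.113.20 - - [10/Feb/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.20 - - [10/Feb/2019:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.50 - - [10/Feb/2019:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674',
    '192.0.2.99 - - [10/Feb/2019:10:02:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, time, method, path, status), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_bruteforce(lines, max_failures=5, window=timedelta(minutes=5), xmlrpc_allow=()):
    """Scan chronological log lines; return (login_offenders, xmlrpc_posters)."""
    recent = defaultdict(deque)  # ip -> timestamps of failed logins inside the window
    login_offenders, xmlrpc_posters = set(), set()
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method != "POST":
            continue
        if path.endswith("/xmlrpc.php"):
            # One XML-RPC request can carry many guesses, so counting requests
            # says little here: report every POST the server did not refuse (403).
            if status != 403 and ip not in xmlrpc_allow:
                xmlrpc_posters.add(ip)
        elif path.endswith("/wp-login.php") and status == 200:
            # Assumption: a failed login re-renders the form (200), success redirects (302).
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= max_failures:
                login_offenders.add(ip)
    return login_offenders, xmlrpc_posters

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```

A host that shows up in the second set while xmlrpc.php is supposed to be blocked means the block is not in effect for that request path.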

How to disable XML-RPC in WordPress

You can either use a specific plugin or manually insert the code in the .htaccess file stored in the public_html folder on your hosting server. If you prefer using a plugin, then install the one called Manage XML-RPC. With this add-on, you can disable XML-RPC completely or allow it for specific IP addresses, including yours.


If you don’t want to overload your admin panel with another plugin, just insert the following code in the .htaccess file:

# Block XML-RPC and protect your site from brute force attacks
<Files xmlrpc.php>
order deny,allow
# Blocking all requests
deny from all
# Allowing requests from a specific IP
allow from YOUR_IP_ADDRESS
</Files>

Replace YOUR_IP_ADDRESS with your IP. You can find your IP address on the admin page of your hosting server. Make sure you don’t have a dynamic IP address that can change over time. If you don’t need XML-RPC at all, just remove the “allow from” line.

In case of emergency

Few of us start looking for security measures until we face a threat. If this is your case too, don’t panic. If your WordPress website has been hacked, you have two simple ways out. The first one is to fully recover your website from scratch using your previously generated backup. If you don’t have backup data, then you can approach a dedicated cybersecurity team like Sucuri that will help you regain access to your website. They will also share tips on how to clean your hacked WordPress site on your own.