10 Ways to Keep Your WordPress Site from Getting Hacked

Posted on November 11, 2017 at 2:52 am

Tags: , ,

1 Comment

Keep your WordPress site from getting hacked with the following tips and instructions. With thousands of websites getting hacked every day, the chances of your WordPress website being the next victim are very high. 

If your website gets hacked, you will lose all the time and money you have spent building your website. Not only that, if your site gets hacked, Google will remove it from their index. They blacklist over 30,000 hacked websites every week.

While WordPress itself is very secure, there are a few ways you can improve the security of your website. In this article, we will share a few easy and simple ways you can protect your WordPress website from hackers.

Let Us Handle Fixing Your Hacked WordPress Site

Why Do WordPress Sites Get Hacked?

WordPress itself is a very secure platform and receives regular security updates from its developers. When a WordPress site gets hacked, most of the time, it is the fault of the user running the site. The Security team behind WordPress fixes security issues as soon as they find them. Many times they fix these issues in less than 24 hours.

One of the most common reason why WordPress sites get hacked is because they are running an out-of-date version of WordPress. When your site is running an out-of-date version of WordPress, it becomes vulnerable to hackers.

WordPress Security team releases new security updates for the software as soon as they find new bugs. And all the WordPress sites running a version of the software below the latest become vulnerable to hackers.

The hackers can easily find sites that are vulnerable. They only have to look for websites that are running WordPress version that is out-of-date and vulnerable. Once they find a site that is vulnerable, they will go through all the documented vulnerabilities of the out-of-date version of WordPress and use those vulnerabilities to hack the website.

If you don’t keep your WordPress core up-to-date, your site will become vulnerable to hackers sooner or later.

Running an outdated version of WordPress on your site is not the only reason why your site can get hacked. There are a lot of other reasons as well.

The themes and plugins you use can also make your website vulnerable to hackers. Running an out-of-date version of a theme or plugin can also make your WordPress site vulnerable.

It is really important that you choose your theme and plugin providers carefully. Keep your WordPress site from getting hacked by purchasing themes and plugins from trusted developers who release new updates for their themes and plugins on a regular basis.

Let Us Handle Fixing Your Hacked WordPress Site

10 Ways to Keep Your  WordPress Site from Getting Hacked

Now that you know why WordPress sites get hacked, let’s get started:

Keep The WordPress Core Up-to-date

This is one of the most basic and the most important tips you will read in this guide.

If you don’t keep WordPress up-to-date, none of the other tips in this guide will matter. You need to update WordPress as soon as a new update is released by the WordPress team. Not doing so will sooner or later make your site vulnerable to hackers.

While you can enable auto-updating in WordPress, we do not recommend doing that. Because doing so can a lot of times result in your themes and plugins not working properly. If a plugin or theme doesn’t support the latest version of WordPress, updating your site to the latest version will break your site.

Updating WordPress regularly can be a hassle. You can instead use a WordPress management service like ours and leave it to the service to update and maintain your site.

Regularly Backup Your WordPress Site

If your site gets hacked, you will lose the countless hours of work you have put into building your website. Regular backups will give you the ability to restore your site as soon as it gets hacked.

If you are running your site on a managed WordPress hosting service, your hosting company will take care of backing up your site. But if you are not on a managed WordPress hosting service, do not rely on the regular backups offered by most web hosts. These regular backups only work in certain situations and in most cases will break your website.

The best way to backup your WordPress site is by either doing it manually or using a plugin. You can use a plugin such as Updraftplus or BackupBuddy to automate the task of creating regular backups of your WordPress site. These backups will be available to restore with just one click.

Don’t Use admin Username

This is a mistake I see almost all beginners make. They use the admin username. You are not the only person who knows the default WordPress username. Hackers know it too. And when you use the default username, admin, hackers only have to guess your password which makes the task of hacking into your website easier.

Instead of using the default username that comes with WordPress, use a username that is relatively difficult to guess. Try including numbers in your username. The more difficult you make your username to guess, the better.

Rename The wp-admin Directory

The wp-admin directory is where your WordPress site’s dashboard exists. The default URL looks something like this:


This URL is the default and hackers know that too. You need to make your login URL difficult to guess for hackers. Once a hacker gains access to your WordPress dashboard, she can delete all your data or change the look of your website or even inject invisible malicious code into your themes and plugins.

Renaming your WordPress site’s admin directory will make it much harder for hackers to guess where they can log in or locate the admin dashboard. The wp-admin directory is not the only URL that you should change. The wp-login.php file is another file that you will have to rename.

keep your wordpress site from getting hacked with rename wp-admin directory

To rename the URL, use the free Protect Your Admin plugin. Once you install it, you will be able to customize the URL and change wp-admin with your own custom string. It will also allow you to rename the wp-login.php file. Try using a combination of random words to make it difficult to guess for hackers.

Password Protect The wp-admin Directory

The wp-admin directory contains some of the most important files of your WordPress website. This directory is where your admin dashboard is located. If a hacker gains access to your dashboard, she can do anything she wants to your website.

Using Apache’s (your server) built-in directory password protection, you can easily add an additional layer of security to this directory.

To do this, you can use the free AskApache Password Protect plugin. Once you install it, the plugin will generate a .htpasswd file which will password protect your admin directory. To login after that, you will have to enter an additional username and password:

AskApache password protection

Use a Unique Name For The Table Prefix

Every table in WordPress database follows a prefix you set when installing WordPress.

To manipulate the data in your database, a hacker needs to know the exact names of the tables. And if you are using the default prefix, it will be really easy for them to guess the names of your database tables.

Keep your WordPress site from Getting hacked  by using a unique default table prefix, one that isn’t an acronym for your blog, and contains both letters and numbers.

Keep your WordPress site from getting hacked with WP DB Manager

The next time you install WordPress, remember to change the default table prefix. If you have already installed WordPress on your site, you can use a free plugin like WP DB Manager to rename the default table prefix. It’s completely free and very easy to use.

Disable File Editing In WordPress Dashboard

The file editing feature offered by WordPress allows you to edit your theme and plugin files directly from the dashboard. While this functionality can be helpful at times, it can be really dangerous if a hacker gets access to your WordPress dashboard.

File editing in WordPress

A hacker can use this helpful feature to inject malicious code into your themes and plugins. Disabling File Editing in WordPress is a preventive measure that will only allow you to edit your WordPress files via FTP. This will add an additional layer of security to your site.

To disable file editing, you will have to place the following code at the end of your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Prevent Brute Force Login Attempts

If the hacker doesn’t know your username and password, they will try to guess both of these to log into your WordPress dashboard. While guessing these manually is impossible, it is really easy when using a password guessing (brute force) tool. These tools try hundreds of random username and password combinations every second until they find the one that actually works.

By default, WordPress allows unlimited login attempts. This makes it vulnerable to brute force attacks. Keep your WordPress site from getting hacked by preventing these brute force login attempts.

brute force attacks login lockdown

To prevent this, you can use the free Login Lockdown plugin. It blocks a visitor once they have made a specific number of failed login attempts. This will at the very least slow down the brute force attack rendering them fruitless.

Use a Complex, Long Password to Keep Your WordPress Site from Getting Hacked

This is one of the most basic and the most important tips in this article. It’s common sense to use a complex password. But not many of us do it.

Weak passwords are one of the top reasons why accounts (WordPress, Facebook or Twitter) get hacked. Weak passwords are easy to guess. Even if you think your password is impossible to guess for a human being, it’s probably not so much for a computer. Hackers can use brute force tools to try hundreds of random username and password combinations per second to find the one that works.

Use a password that is long and contains special characters. If you can’t come up with a good password yourself, give this free password generator tool a try.

The best way to do this is to use a password generator tool to generate a complex, long password that is nearly impossible to guess. These random passwords will almost always be really difficult to remember and guess as they will contain multiple special characters. You can use an app such as LastPass to save the password in your account and be able to use it across devices without even knowing it.

Related Post: WebShell Backdoor Attacks

Hide Your wp-config.php File

Wp-config is one of the most important files of your WordPress site. It contains important information such as database name, database username and password. Hackers can use this file to do anything they want to your website. They can change the contents or delete everything on your website.

While wp-config.php file is very secure, it is always better to have some preventive measures in place.  To keep your WordPress site from getting hacked, the best and the easiest way to secure your wp-config file is to move it out of the public directory.

The public directory of your website contains all the files that are accessible by users. These files include but are not limited to your login page, your posts and pages, and your images.

In most cases, the public directory that contains your website will be named “public_html.” This folder contains all the files and folders that are supposed to be accessible by the general public.

When you move the wp-config file one folder above the public directory, it becomes virtually impossible for a hacker to get access to the file.

The process is really simple. Here’s a simple, detailed tutorial on how to do it.

Use Two-Factor Authentication

You have probably seen and are using two-factor authentication every day. It’s basically a way to add an additional security layer

Here’s how two-factor authentication works: You enter your username and password, and then get a randomly generated code sent to your phone. You will only be able to login once you enter this code.

Instead of just entering a username and password, you have to enter a dynamically generated code or scan a randomly generated barcode (depending on which app you use.)

Two-Factor Authentication acts as an additional layer of security. It is possible for a hacker to guess a username and password with brute force. But it is virtually impossible for her to guess a randomly generated dynamic code.

Keep your WordPress site from getting Hacked Using Two-Factor Authentication 2FA

You can use the free (unofficial) Google Authenticator plugin for WordPress to enable two-factor authentication.

Invest In a Trusted Web Hosting Service to Keep Your WordPress Site from Getting Hacked

Most cheap website hosting services aren’t as secure as they might appear from the outside. Most web hosting services like to boast they are the best when it comes to security. But the truth is that most of these web hosting services aren’t as secure as they would like to say. Numerous web hosting companies get hacked every week. When this happens, all the sites on the hacked web hosting services are accessible by the hackers.

If a hacker hijacks your web hosting service’s server, he can access data for all the websites on the server and manipulate it as she pleases. He can also delete all the files and data from the server.

So, it is really important that you invest in a trusted web hosting service.

Related: Visit our sister site, HostMyWP for premium hosting services and free, fast migration, starting at $40/month.

Disable PHP Error Reporting

PHP Error Reporting functionality is nothing less than “god send” for developers. It allows them to easily detect bugs in their applications. But the problem with PHP Error Reporting is that it reveals too much information about how an error happened. This information can be very useful to a hacker. The hacker can use this information to devise the best ways to gain access to your servers. Keep your WordPress site from getting hacked by making these changes-

A production server environment should not have PHP Error Reporting enabled.

There are a lot of web hosting services who disable this by default. But most services don’t do this by default. You will have to enable it manually.

The easiest and the fastest way to is to create a php.ini file (or edit one if it already exists) in the root public directory of your website.

Place the following one line of code into the file:

error_reporting = off

This one line of code will disable PHP Error Reporting on your server.

Don't use email as login to keep your WordPress site from getting hacked

By default, WordPress allows you to login with both your email and your username. Usernames are relatively easy to guess than email addresses. An email has more characters than a username making it much more difficult to guess.

Keep your WordPress site from getting hacked. You can use the free WP Email Login plugin to enable this on your website. Once you activate the plugin, you and all the other users on your WordPress site will only be able to login with email.

Hide Your WordPress Version

If your website is running an older version of WordPress and a hacker figures out the version, it will become much more easier for him to hack your website. All he will have to do is find all the documented vulnerabilities there were in the old version your site is using.

Even if you keep your WordPress site up-to-date, it is recommended that you hide your WordPress version to keep your WordPress site from getting hacked. 

Related Posts: WordPress Hacked Redirect, How to Detect and Clean it

To hide your website’s WordPress version, you can use the following code from WPMU DEV:

/* Hide WP version strings from scripts and styles

* @return {string} $src

* @filter script_loader_src

* @filter style_loader_src


function fjarrett_remove_wp_version_strings( $src ) {

    global $wp_version;

    parse_str(parse_url($src, PHP_URL_QUERY), $query);

    if ( !empty($query['ver']) && $query['ver'] === $wp_version ) {

         $src = remove_query_arg('ver', $src);


    return $src;


add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );

add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );


/* Hide WP version strings from generator meta tag */

function wpmudev_remove_version() {

return '';


add_filter('the_generator', 'wpmudev_remove_version');

Place the above code at the end of your theme’s functions.php file.


All the tips we shared in this article are fairly easy to implement and most of them will not take more than a few minutes to implement. Keep your WordPress site from getting hacked, stop waiting before you improve its security, and implement these tips today to make your website secure from hackers.

Has your website ever got hacked before?

Do you have any of your own tips and tricks to share?

Let us know in the comments below.

Comments (1)

  1. Sreehari Sree Reply

    March 6, 2018 at 4:11 pm

    Thanks for the detailed list…
    As a beginner to WordPress, I really enjoyed the post and implementing them one by one.
    Again, Thanks for this post

Leave a Reply

Your email address will not be published. Required fields are marked *