How to Protect a WordPress Site from Hackers

A WordPress security guide for small businesses & entrepreneurs. Learn how to protect your WordPress website from hackers with these proactive steps.

WordPress security tips

There is a saying “If you build it, they will come.” And in the online world, this means hackers. But what do you do to stop them? Security is important and taking a proactive approach is the best way to protect your site. Just like with your house or business, you want to keep your assets secure. Most WordPress websites are infected due to lack of updating files, breaking one of the logins, or a brute force attack. The hardest part is the realization that a malware infection can happen to any site. I have seen a brute force attack on a test site that was not even indexed by Google and had no visitors. While nothing is ever 100% full proof, there are ways to avoid the worst. Here are simple steps a small business owner can take to keep their online business secure that require no developer or coding on your part.

The Importance of Passwords

A great password is the first line of defense to keep unwanted people out of your websites. When a bot comes to try to get into a WordPress dashboard, the first thing they try to use when logging in is “admin” and “password” as that combination is the most widely used login. Changing it around to be “Pa$$w0rd” does not make it more secure either due to the fact it still reads “password”. Names or anything that will still read as a legible word are the easiest hacked passwords. Typically any password should be at least 12 characters that are illegible, containing upper and lowercase letters, numbers, and special characters. The more characters in the password, the harder it is to break. If you want to test how secure your passwords are, check the How Secure Is My Password checker. This will show you how long it would take a computer bot to break your password. The checker told me that it would take a desktop PC about 377 billion years to crack my password. That is when you know you have a great password!

Security Plugins Do Help

There are many types of security plugins that do a range of functions. You can use more than one security plugin on your site as long as you do not have them set to do the same things. Here is a list of some great WordPress security plugins that are available. But for this article, here is how I set up all of my sites for maximum security.

Jetpack – I use the multi-fictional plugin Jetpack on all of my sites. They have a few features built in for security measures that I turn on.

  • Monitor – Jetpack will notify you when your site goes down and when it comes back up again. Always be in the know when your customers can not access your website.
  • Protect – Protect used to be a stand alone plugin called BruteProtect. It was one of the highest used plugins to block out brute force attacks. Automattic acquired it last year and now has it built into Jetpack.
  • Manage – Jetpack's Manage lets you update your plugins, themes, and core of all of your self hosted websites from one dashboard and gives you the opportunity to have automatic updates.

iThemes Security (formerly Better WP Security) – While iThemes Security is NOT a security firewall, it does give great benefits to securing a website without having to change the code yourself. They do have a free and a Pro version. Here are the features that should be turned on with this plugin while using Jetpack.

  • Always allow iThemes Security to write to wp-config.php and .htaccess. This is how the plugin tells the website how to harden the security.
  • Enable Blacklist Repeat Offender
  • Enable 404 Detection
  • Take advantage of the Away Mode when you know no one should be logging into your dashboard. Leave off if you work on your website at all hours of the day.
  • Enable the ban users and's blacklist feature. This will keep known malicious IP's away from your website.
  • Enable file change detection and split the file checking into chucks. iThemes will notify you if any of the files have changed and do not match what is in the repository's original files.
  • Enable the hide backed feature. This will change your login from to a custom page of your choice. Do not put it as a current or future page or post. Great examples are enter, main, or secure.
  • iThemes Security now offers Sucuri SiteCheck scans for all plugin users.
  • Enable strong passwords for all users including subscribers.
  • Check all boxes in the System Tweaks.
  • In the WordPress Tweaks area, do not completely disable XML-RPC when using Jetpack as this could cause Jetpack to no longer work properly.
  • The Pro version gives you the option of using a two-factor authentication to login among other features.

WordFence – While I do love WordFence's scanner, I typically only have it downloaded to a site when I am double checking to make sure all malware has been deleted. If you feel like your site has been infected, WordFence can detect any WordPress file that has been changed from it's original. WordFence does offer a caching tool as well. If you do choose to use WordFence, you can enable all options but do not run it with iThemes Security, Jetpack's Protect, or the Sucuri Security as they can cause conflict with each other.

Sucuri Security – Sucuri has both a Firewall and an AntiVirus that can help block the bad guys out of your website. Sucuri has the most widely used WordPress firewall in the industry. You can run the Sucuri CloudProxy Firewall with iThemes Security but get the list of the CloudProxy IP's from Sucuri to put in your IP WhiteList in the iThemes Security settings.

Two-factor Authentication

Any login that you can have a two party authentication on, it is always advisable to use. There are different ways this can be set up. There can be a CAPTCHA, a Google Authorization code, or a simple math question to prove that you are a human. If you choose to use any of these, make sure that each person accessing the dashboard has their own login. Shared logins can cause issues especially if using the Google Authorization code that is sent to a cell phone.

  • iThemes Security Pro – has multiple two-factor options including CAPTCHA. Google Authorization, and simple math.
  • Clef – Using your cell phone, Clef offers a no-password approach to logging into your WordPress dashboard.
  • Google Authenticator – Uses two-factor authentication by the Google Authenticator app for Android/iPhone/Blackberry.

Always Update

The biggest reason malicious code gets into a website is due to a found vulnerability in code for a plugin, theme, or website. This is easily remedied by having your website on an update cycle. Some owners will have a set day of the week to update their website, while others will update every time they login. There are plugins that can help keep your sites updated.

  • Jetpack – Handle all of your Jetpack connected sites in one dashboard
  • iThemes Sync – Sync up to 10 sites for free so there is one dashboard to update, run BackupBuddy, and unlock iThemes Security lockouts.

Have a Backup System

There is very little that is more important with a website then having a backup system in place. As long as there is a full backup of the website including the database, you will never lose your website. There are numerous ways to backup a website, some are automated, some are manual. Always send your backups somewhere other than your server.

  • Updraft Plus – They have a free and premium version to backup your website.
  • BackupBuddy – A premium backup plugin that integrates with iThemes Security and Sync.

Miscellaneous Security Tips

While these do not fit into a bigger category, they are just as important to remember

  • Always use SFTP when using a file manager.
  • Keep directories at 755 and files at 644. Never have them at 777 or 666 as that leaves them executable by everyone.
  • Makes sure your database username and password are complex.
  • Do not send passwords in an email. Attach them as a zipped text document.
  • Use a password manager to keep track of your logins. LastPass and 1Password are great tools that can be used on any browser and on your mobile devices.
  • Keep an antivirus on your machine to stop an automatic download from a malicious website.

Following these steps will help you and your online business to stay safe. Remember being proactive is the best approach to WordPress security!

About the author

  • Michele Butcher
  • Michele is a seasoned guru in WordPress Security. She is founder of 13Core and She is also a speaker and contributor for WPSecurityLock. Furthermore, Michele is also the lead organizer of the Southern Illinois WordPress Meetup and teaches WordPress classes for John A Logan College.
Please help us stay funded. Purchase a product through our site and we may receive a commission for the referral! Learn more.