8 Steps To Protect Your WordPress Website From Hackers

protect wordpress from hackers

  • Has your WordPress website ever been hacked?
  • If so, did you have it backed up?
  • Is your current WordPress website secure from hackers?

Last year while on vacation at the beach my clients’ WordPress sites got hacked. The hackers substituted the home page with an offensive graphic. Nobody wants to receive phone calls or emails from angry clients while on vacation. Fortunately my web hosting provider kept backups of all the sites so I was able to restore them to their original state within a few hours.

The WordPress platform is currently used by 48% of the top blogs in the world. This means it’s becoming an increasingly popular target for hackers. No longer should you ever use WordPress as a content management system without first making it secure.

Here are 8 steps to protect your WordPress Website from hackers

1. Always upgrade to the latest version of WordPress

Staying with an old version of WordPress is like keeping your door unlocked when you leave for vacation. It invites hackers to take advantage of your site’s vulnerabilities.

WordPress constantly releases new security updates. Usually a notification is automatically displayed at the top of your administration panel. As soon as these updates come out make sure you update your WordPress blog to the latest version. It only takes a few seconds (one click)

2. Remove outdated themes

With each new version of WordPress comes a new theme. Even though you may upgrade WordPress to the new version your old themes remain vulnerable to hackers. This is how hackers disabled my own sites. I hadn’t removed old themes that still existed in the themes folder after upgrading.

3. Keep your plugins updated

Plugins make it easy to customize your blog however you need to constantly keep them updated to prevent hackers exploiting outdated code. Before purchasing a new plugin ask the software creator if they always release new versions of their plugin when WordPress is updated. Often they will charge a fee to do this.

Free plugins usually notify you inside the WordPress administration panel when a new version becomes available.

4. Use strong passwords

Avoid using the default username “admin” when you first install WordPress. For the login password use a mixture of upper and lower case letters, numbers and symbols. The more complex they are the harder it will be for hackers to crack them.

To change the default administrator username log in to the admin area, go to Users and create a new user with Administrator role. Once the account is created, log out from your admin area, log in with the new account you created and delete the old one.

5. Backup your database

When a hacker takes down your site you’ll lose all the content stored in your database. This could be especially frustrating if you’ve invested years adding new content to your blog. Ask your web host if they make backups of your site on a regular basis. If not look for a web hosting provider that does.

You can also create your own backup of the database and all your WordPress files in cpanel. Simply login in to cpanel and click the backup/restore link.

Under Backup/Restore you’ll see this:


This feature allows you to download a zipped copy of your entire site or parts of it onto your computer.

The following are backed up and included in a zip file for your convenience:

Home Directory
MySQL Databases
Email forwarders configuration
Email filters configuration

Click Backup to save a copy of your database and WordPress files on your computer.

Backup Buddy Plugin: This is one of the best backup plugins for WordPress. It enables you to schedule WordPress backups (widgets, themes, files, plugins, database), quickly restore your site or easily transfer it to a different domain.

6. Install security plugins

Here’s a list of the best security plugins to install:

  • Better Security plugin
    This plugin hides the locations where vulnerabilities are located thereby keeping an attacker from learning too much about your site and preventing them from accessing sensitive areas like login, admin, etc.
  • WP Security Scan Plugin
    This plugin regularly scans your blog settings for any security loopholes. It can also help you change your database prefix from wp_ to a custom prefix.
  • Wordfence Security Plugin
    This is a paid plugin that scans websites for malware, trojans, viruses, and malicious links. It also provides protection from scrapers, aggressive bots, imitation Googlebots, and more.

7. Deny access to bots using htaccess file (case study)

If you know of a specific threat affecting WordPress users you can prevent this attack on your own site by adding a few lines of code to your .htaccess file then upload the edited file to your server.

Case Study

Here’s the reply I received from my web host regarding a large scale attack on the admin logins for thousands of WordPress sites.

“We could see that bingbot attack to the WordPress accounts has caused the serious issue in the server. The attackers are using the User Agent ‘Bingbot’. There large scale attack on the admin logins for thousands of WordPress sites. We have made certain firewall rules to restrict attack to the WordPress sites. We have found that attack with wp-login.php is too heavy. You can restrict the attack to wp-login.php from your end by adding the following rule to .htaccess file. This will prevent others from accessing wp-login.php. Only you are be eligible for accessing it.”

SetEnvIfNoCase User-Agent “.*bingbot” badbingbot

order allow,deny
allow from all
Deny from env=badbingbot

order allow,deny
allow from all
Deny from env=badbingbot


8. Spam prevention

Many bloggers forget to secure their blogs from comment spam. It doesn’t take long before spammers exploit this vulnerability and you have 1000s of spam comments. This may cause you to lose readers , ruin your site’s reputation or get your blog hacked by a malicious hacker.

Here’s how to prevent comment spam

  • Install Akismet plugin. This plugin checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.
  • Adjust comment security settings. Login to your dashboard and go to Settings – Discussion and enable these settings:
    “Comment author must fill out name and e-mail”
    “An administrator must always approve the comment “
  • Use the WordFence plugin to scan your comments for suspicious URLs.
  • Don’t approve non-relevant comments. Beware of backlink seekers leaving comments unrelated to your post content. If you don’t examine them closely you’ll let them through and add irrelevant comments to your posts.

    Here’s an example of a spam comment I recently received:

    “Hurrah, that’s what I was looking for, what a information! existing here at this blog, thanks admin of this web page.”

How to Mass Delete Comments From WordPress Using phpMyAdmin

Warning: Inaction will leave your site vulnerable to hackers so protect your WordPress website by taking action NOW on the steps mentioned above. You can thank me later.

If you’re currently using other methods or plugins to secure your site or blog please share them in the comment box below.

How to Stop WordPress Blog Comment Spam
Comment Spam – Ways to Remove Blog Spam Comments
How To Remove Malware (Antivirus Suite) From Your Computer
How to Install and Configure Master Form v4
How to Stop Form Mail Spam
How to Stop Email Spam with SpamAssassin
WordPress Security Tips
WordPress Security Checklist (Interactive Version)