
21 Ways to secure your wordpress website from hackers


Looking for some important ways to secure your WordPress website from hackers? I know what you are searching for: a complete guide on how to secure your WordPress website from hackers and how to protect it. If that is your problem, fasten your seat belt, because in this article I will teach you 21 ways to secure your WordPress website from hackers.


You know very well why bloggers choose WordPress as their blog platform over Joomla and Drupal. Thanks to its many professional themes and plugins, WordPress comes first when choosing a platform, and that is its big advantage over Drupal and Joomla. Many pro bloggers say WordPress blogs are good for SEO. WordPress is developed with security in mind, so it is considered quite safe and secure for running any website. However, just like the real world, the internet can be an uncertain place.


Why do we need to secure a WordPress website/blog?

  • You owe it to the customers and clients who trust you with sensitive personal information to keep it safe.
  • If your site gets hacked, you lose money as well as time.
  • If your site gets hacked, your search engine rankings fall, which in short is a nearly one-way trip to hell.

Do you know?

According to a survey of hacked WordPress websites:

41% were hacked via their hosting provider. This means that the hackers exploited a vulnerability, or took advantage of an insecure hosting provider configuration, to hack into the WordPress blogs and websites hosted by the vulnerable hosting provider.

29% were hacked via a vulnerability in the WordPress theme they were using. This means a hacker identified a vulnerability in a theme installed on the WordPress installation and, by exploiting it, managed to gain access to the WordPress website.

22% were hacked via a vulnerability in a plugin installed on WordPress. As above, this means that a hacker exploited a vulnerability in an installed plugin.

8% were hacked because an account on that WordPress installation was using a weak password.

21 Ways to secure your WordPress website from hackers:

1) Using WordPress Security Plugins (Free):

It's not possible to make any site 100% hack-proof. You can use plugins like Wordfence, Anti-Malware, BulletProof Security and a firewall to prevent hacking, but you still need to keep tabs on the site and back up every day to make sure everything is working fine. Below is a list of WordPress plugins that will help secure your WordPress website:

Secure your wordpress website using free wordpress plugins

Wordfence is a great plugin that will block any IP address that tries to flood or spam your website. It limits the number of login attempts and monitors all live traffic. It gives real-time security updates for you to act upon. I use it for some clients. It is updated and maintained regularly, so you can count on it staying on top of all your security issues.

Better WP Security is another great plugin that will allow you to sleep a little better at night. It’s really a full package, but you should read the FAQ section first before activating it, as it makes some significant changes to your database that you should be aware of.

BackWPUp is a free plugin that backs up both your WordPress files and database. I can recommend this plugin because I use it on many websites and I’ve never had any issues with it. There are, of course, a lot of other free and paid backup plugins out there and you are welcome to try them all until you find the one which suits you, but please put one to use.

2) Configure .htaccess file in WordPress:

.htaccess stands for Hypertext Access. It is a configuration file in a WordPress installation that controls the directory in which it is placed and that directory's sub-directories. Here I am talking about configuring .htaccess for Apache web servers on Linux.

Editing the .htaccess file is a serious matter and you should not play with it unless you have at least basic PHP coding knowledge. If you don't feel comfortable editing .htaccess, you can download and install a WordPress plugin from the WordPress.org repository called WP htaccess Control. It provides an easy interface not only for editing the file but also for configuring WordPress permalinks, categories, archives, pagination and custom taxonomies.

You can easily be overwhelmed by the number of options this plugin offers, so go straight to the "htaccess Suggestions" tab once you reach the plugin's configuration page. Check all the options there and your .htaccess will be configured for security.
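As an added example (this is not the plugin's code and not code from the original article), here is a small POSIX shell helper that appends a marker-delimited hardening block to a site's .htaccess only when that block is missing, so it can be re-run safely, the same way WordPress itself manages its own "# BEGIN WordPress" block. The .htaccess lives in the site root next to wp-config.php; the directives assume Apache 2.4 (the Require syntax) and a host that allows these overrides in .htaccess. The marker names and function names are my own, and the demo at the bottom works on a throwaway copy, never on a real site.

```shell
#!/bin/sh
# Added example, not code from the article or the WP htaccess Control plugin.
# Appends a marker-delimited hardening block to a WordPress .htaccess file,
# but only once, so it is safe to run repeatedly (the BEGIN/END marker names
# are hypothetical, chosen for this example).

HARDEN_BEGIN='# BEGIN example-hardening'
HARDEN_END='# END example-hardening'

# Print the directives to add. Assumes Apache 2.4 ("Require" syntax) and a
# server config that allows .htaccess overrides for these directives.
hardening_block() {
    cat <<EOF
$HARDEN_BEGIN
# Never serve wp-config.php (database credentials and secret keys) to a browser
<Files "wp-config.php">
    Require all denied
</Files>
# Do not list directory contents where no index file exists
Options -Indexes
$HARDEN_END
EOF
}

# Succeeds (exit 0) when the file already carries the block.
has_hardening() {
    [ -f "$1" ] && grep -qF -- "$HARDEN_BEGIN" "$1"
}

# Append the block unless it is already present; never duplicates it.
harden_htaccess() {
    if has_hardening "$1"; then
        return 0
    fi
    hardening_block >> "$1"
}

# Number of BEGIN markers in the file (stays 1 however often you run it).
count_markers() {
    grep -F -- "$HARDEN_BEGIN" "$1" | awk 'END { print NR }'
}

# Stand-alone demo on a constructed throwaway .htaccess that already holds the
# block WordPress writes for permalinks; it never touches a real site.
demo_dir=$(mktemp -d)
printf '# BEGIN WordPress\n# END WordPress\n' > "$demo_dir/.htaccess"
harden_htaccess "$demo_dir/.htaccess"
harden_htaccess "$demo_dir/.htaccess"
echo "markers after two runs: $(count_markers "$demo_dir/.htaccess")"
rm -rf "$demo_dir"
```

Run it as `harden_htaccess /path/to/site/.htaccess` after taking a backup of the file; if your host still runs Apache 2.2, replace `Require all denied` with the older `Order deny,allow` / `Deny from all` pair.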

3) Using Free CDNs (Content Delivery Networks):

There has been a lot of talk about whether free CDNs (content delivery networks) actually do a good job or only exist to lure you into one of their paid services. Well, I have tested the two most popular free CDNs and I can honestly recommend both, even without the paid add-ons.

Secure your wordpress website through CDN

CloudFlare is a free content delivery network that filters all your traffic and minimizes the risk of your WordPress website becoming a target.

PageSpeed Service by Google does something similar, and we can all presume that Google takes online security seriously.

4) Make sure you have an updated malware tool for quick identification of malware:

Oftentimes website owners do not realize that their site has been hacked until weeks or months later. By the time they find out, they have no clean backup left. You can read more about the difference between anti-virus and anti-malware tools in my last article.

5) Use smart advertisement-management WordPress Plugins to secure AdSense and other Ads on your website:

While advertisements can be a great source of revenue from your website, they can also be exploited in various ways, such as hacking attacks that swap out your 'real' AdSense ads for irrelevant pharmaceutical ads, or click-bombing attacks that flood AdSense with clicks to get your AdSense account shut down.

Selectively using plugins like 'Who Sees Ads' or 'Better WP Security' to control where your ads display and your ad-related settings can help prevent such embarrassing incidents. However, you shouldn't install plugins willy-nilly either. Some plugins, such as AdSense Integrator, have a history of enabling the very types of attacks they are supposed to protect against, which sends your potential ad revenue straight into criminal hands.

6) Change admin username in WordPress:

By default you get admin as the username in WordPress. If you still use admin as the username on your WordPress blog, it's time to change it right now. Hackers brute-force their way into websites and blogs by trying the default username "admin", so don't give them the chance. Create a new account in WordPress, give it administrator rights and then delete the admin account. Always use an uncommon username, such as blackquat or blackput, so that it is hard for hackers to guess.

7) Create new admin account in WordPress :

From the WordPress dashboard, go to Users and click Add New. Fill in the details and make sure you have selected the "Administrator" role. Save, switch back to the Users page and delete your old "admin" account.

8) Limit login attempts in WordPress:

Apart from the "Limit Login Attempts" WordPress plugin, I have to point out another important plugin named "Chap Secure Login", which is known as the best encrypted-login plugin. This plugin uses the SHA-256 algorithm to protect your username and password.

Another alternative for limiting logins is Login Lockdown, which is very useful for blocking IP addresses that are recorded making repeated login attempts. With so many WordPress security plugins, there are many ways to secure against login attempts and login errors.

9) Use updated WordPress versions:

You know very well how important an update is. WordPress keeps providing updates to increase its security, fix bugs and issues, and improve performance. A new update comes only when something needs to be fixed or a new feature is added, and when a new version is released you get notified in the WordPress panel. Using an old version of WordPress gives hackers an advantage in targeting your blog.

A new version lists all the bugs fixed in the old version, and hackers know how to use the bugs present in old versions to hack your website. This is also a security tip, so don't give them the chance. Never ignore the update bubbles in your WordPress dashboard, and always run updated versions of your plugins and WordPress.

10) Check WordPress theme for malicious codes:

As I told you earlier, WordPress is built on PHP code, and if you don't have basic PHP knowledge, how could you manage to find malicious code in your WordPress themes? Many bloggers use cloned WordPress themes that look like a premium theme; you think you got a premium version for free (let me remind you, my friend, that "nothing is free in this world"), download it and start using it. One day you find yourself sitting in front of your computer with your head in your hands, searching for "How to recover a hacked WordPress website?" or "My WordPress site has been hacked, what to do?". It takes only a few minutes to check your theme for malicious code using the Theme Authenticity Checker (TAC) WordPress plugin.

11) Enable 2nd Verification in WordPress:

Gmail and many other email services have recently introduced second-step verification. Now why not in WordPress? You can now enable second-step verification in WordPress using your mobile phone. WordPress does not provide this itself, but as always there is a plugin for it. I recommend the Authy WordPress plugin, which is the most popular plugin for enabling second-factor authentication. You also have Google Authenticator, Google's official authenticator app.

12) Remove powered by WordPress:

Hackers have many methods of hacking a WordPress site, and it is our duty to take care of every point to protect the site from them. So you should hide or remove "Powered by WordPress" from your blog. Different themes have their own layout, but mostly it is located in footer.php. Go to Appearance >> Editor, find footer.php in the list on the left and check whether "Powered by WordPress" is located there. If it is, remove that piece of code. Take care, guys, and do it carefully; don't try to remove the code if you don't know how.

So, I think these are the best security tips to secure your website from hackers. I have not discussed some basic tips, like using a strong password with letters, numbers and symbols, not sharing your password with others, and not adding people you don't trust as admins of your blog. With these you should now be able to manage all of your WordPress site's security.

13) Have a regular backup of your WordPress Blog:

Creating a backup of your WordPress blog lets you restore everything if you are hit by a hacker. Backing up your WordPress site is always recommended; never neglect it. You only realize the importance of a WordPress blog backup when your site gets affected.

14) Install the All In One WP Security & Firewall WordPress plugin:

WordPress itself is a very secure platform. However, it helps to add some extra security and a firewall to your site with a security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website security to a whole new level. It is designed and written by experts and is easy to use and understand.

It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.

15) Don’t forget to keep your computer up-to-date:

Sometimes hackers gain access to your site due to security vulnerabilities on your computer. The best way to secure from this is to keep your computer up-to-date. When software patches are released, install them. When a new operating system is released, do your best to upgrade as soon as possible.

Likewise, make sure you run anti-virus software regularly. You can run free antivirus software like Avast, Panda Free Antivirus, Comodo or AVG to see whether there are any viruses or malware on your computer and to eliminate them.

16) Set a secure password to secure your WordPress website:

Don't just use a word that is common for everybody. Use your own imagination: include numbers and special characters and switch between uppercase and lowercase letters. Random strings of letters and numbers are best to secure your WordPress website. If you don't feel like coming up with something manually, you can use a password generator such as Norton Password Generator or Strong Password Generator.

One of the best suggestions for a password is to string together the first letters of each word of a sentence. Sentences are easy to remember, especially if they relate to something obvious, like your birthday.

Here's an example: I was born on the 07th of July 1993.

From this sentence the password becomes Iwbot07oj1993.

Add a couple of special characters such as (&^ to either end, and you have a solid, easy-to-remember password that's tough to guess. You can read more about password hacking tricks.

17) To secure your WordPress website, use secret keys:

Secret keys are used in the wp-config.php file, which stores details like the name and password of the MySQL database. You can restrict access to these files by using secret keys. These are encrypted keys that protect the information in the MySQL database. The keys are long, complicated and random, and you don't have to remember them.

Some examples of secret keys are:

t`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|’)

‘MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^’)

‘I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #’)
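The three strings above are the style of value WordPress expects. As an added example (not WordPress's own code and not from the article), the POSIX shell script below generates all eight keys that wp-config.php expects (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four matching salts) from /dev/urandom and prints them as ready-to-paste define() lines; it also checks whether a wp-config.php still carries the placeholder value that ships in wp-config-sample.php. One caveat worth knowing: WordPress uses these values to salt the hashes in its login cookies, so changing them logs every user out, which is exactly what you want after a suspected compromise. WordPress also offers an online generator at https://api.wordpress.org/secret-key/1.1/salt/. The function names are my own.

```shell
#!/bin/sh
# Added example, not WordPress's own code. Generates the eight secret keys and
# salts that wp-config.php expects and reports a wp-config.php that still has
# the sample placeholder. Function names are my own.

WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# Value WordPress ships in wp-config-sample.php until you replace it.
WP_PLACEHOLDER='put your unique phrase here'

# Print one random key of the given length (default 64) from /dev/urandom,
# using an alphabet without the quote and backslash so the value can sit inside
# a single-quoted PHP string unescaped.
random_key() {
    len="${1:-64}"
    LC_ALL=C tr -dc 'A-Za-z0-9_!@#%^*+=' < /dev/urandom | head -c "$len"
}

# Print all eight define() lines, one per key, ready to paste into wp-config.php.
wp_secret_keys() {
    for name in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(random_key 64)"
    done
}

# Succeeds (exit 0) when the given wp-config.php still contains the placeholder,
# i.e. the keys were never set.
has_placeholder_keys() {
    grep -qF -- "$WP_PLACEHOLDER" "$1"
}

# Stand-alone demo: print fresh keys, then check a constructed sample config.
wp_secret_keys
demo_cfg=$(mktemp)
printf "define('AUTH_KEY', '%s');\n" "$WP_PLACEHOLDER" > "$demo_cfg"
if has_placeholder_keys "$demo_cfg"; then
    echo "sample config still uses the placeholder keys"
fi
rm -f "$demo_cfg"
```

Paste the eight printed lines over the existing define() block in wp-config.php; because every logged-in session is invalidated, do it at a quiet time or straight after cleaning up a hacked site.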

18) Do not use the default "admin" as your username:

If you've already installed WordPress using "admin" as your username, or something else very simple, you can change it by entering an SQL query in phpMyAdmin.

19) Make sure WordPress, your theme and all your plugins are kept up to date:

If a hacker knows your WordPress version, he can easily look up its functions and attack them accordingly, so hide it. When you install Wordfence, it will inform you when WordPress or a plugin needs updating.

Take care when adding third-party scripts and code such as widgets, plugins, free templates and themes. You don't know the people writing this code, so why hand the future of your site to them on a whim? Mistakes happen, and you don't want to risk using an older plugin with holes any hacker can sneak through. A simple Google search on the code will educate you on its positives and negatives so you know which ones to download and which to stay away from.

20) Change file permissions in the WordPress file manager (httpsdocs):

To secure your WordPress website, avoid configuring directories with 777 permissions. According to WordPress.org you should opt for 755 or 750 instead. While you're at it, set files to 640 or 644 and wp-config.php to 600. You can change file permissions through the settings of your hosting panel.
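As an added example (not from the article or from WordPress), here is a small POSIX shell helper that audits a WordPress directory tree against the modes above (755 on directories, 644 on files, 600 on wp-config.php) and can bring it into line. It reports deviations before it changes anything, so on a shared host you can run the audit alone first. It assumes the files are owned by the account PHP runs as, so a 600 wp-config.php stays readable by WordPress; where the web server runs as a different user in your group, use the 640 the article also allows. The function names are my own and the demo tree at the bottom is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not WordPress's own code. Audits and optionally fixes file
# permissions in a WordPress tree: 755 directories, 644 files, 600 wp-config.php.
# Function names are my own.

# Print every path whose mode deviates from the target. find -perm with a plain
# mode (no - or / prefix) matches that exact mode only.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print
    find "$root" -type f -name wp-config.php ! -perm 600 -print
}

# Number of deviating paths; 0 means the tree matches the policy.
count_wp_perm_issues() {
    audit_wp_perms "$1" | awk 'END { print NR }'
}

# Apply the policy: directories, then regular files, then the stricter mode
# on wp-config.php.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Stand-alone demo on a constructed throwaway tree with the classic mistakes:
# a world-writable uploads directory, a world-writable file, a readable config.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"
printf '<?php\n' > "$demo/index.php"
chmod 666 "$demo/index.php"
printf '<?php\n' > "$demo/wp-config.php"
chmod 644 "$demo/wp-config.php"
echo "issues before: $(count_wp_perm_issues "$demo")"
audit_wp_perms "$demo"
fix_wp_perms "$demo"
echo "issues after:  $(count_wp_perm_issues "$demo")"
rm -rf "$demo"
```

On a real site run `audit_wp_perms /path/to/wordpress` first and read the list; the one directory that legitimately needs to be writable by the web server is wp-content/uploads, and that should be solved with ownership or group membership, not with 777.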

21) Don't download premium WordPress themes and plugins for free:

Though I prefer to download free stuff from the internet to stay within budget, if you are running a business it's just a bad idea to download premium WordPress plugins from unofficial sites. Buy premium plugins, which are often on sale, or try trial versions, from official sites only.

Basically, illegal versions of premium plugins usually contain malicious code: plugins are often corrupted with malware by the time they hit these illegal download sites. That means what was once a great premium plugin with excellent code is now a hacker's direct line into your site's backend. And guess what? You lose all your money, your time and, most importantly, your website, all because you wanted to save a quick buck.

Skip the illegal downloads and torrents, people. Just don’t do it if you want to secure your wordpress website.

Conclusion:

Securing a WordPress site is much more than installing a WordPress security plugin, as mentioned above. The above 21 ways will help you secure your WordPress website from hackers. Some you might have known before, but it is my hope that some were new to you.

What are some things you do to secure your WordPress blog? Did I miss any detail here that you think is vital? Feel free to comment below; I am always here to help you.

Aditi Rawat