How do I secure my WordPress site against hackers?

Applies to: WordPress.org (self-hosted)
Last updated: May 2025


Problem

WordPress powers a large share of the web, so every site is scanned around the clock by automated tools looking for outdated plugins, weak administrator passwords and writable files. If your site isn’t properly secured, those scans turn into malware injected into your files or database, administrator accounts taken over by brute-force login attempts, or theme and plugin files silently modified to serve spam or backdoors.


Solution

Securing your WordPress site requires a multi-layered approach that includes strong credentials, regular updates, backups, and security tools. Below is a checklist of best practices to protect your site from common threats.


1. Keep Everything Updated

  • Regularly update:
    • WordPress core
    • Themes
    • Plugins
  • Outdated software is the single biggest risk: most WordPress compromises exploit a publicly known vulnerability in a plugin or theme for which a fix was already available
  • Turn on automatic updates where you can (Dashboard > Updates for core, the auto-updates toggle in the Plugins list for plugins) and remove anything you cannot keep patched

2. Use Strong User Credentials

  • Use unique, strong passwords (or long passphrases) for every account, and keep them in a password manager
  • Avoid using “admin” as a username, but treat this as noise reduction only: WordPress usernames can be enumerated (for example via ?author=1 or the REST API users endpoint), so the password and 2FA are the real controls
  • Give each account the lowest role it needs; review the user list and remove or downgrade Administrator accounts that are no longer used
  • Enforce strong password policies with a plugin like Password Policy Manager

3. Limit Login Attempts

Slow brute-force attacks by locking out an IP address or username after a handful of failed logins. Make sure the protection also covers xmlrpc.php: its system.multicall method lets one HTTP request carry many login attempts, so attackers use it to sidestep limits that only count requests to wp-login.php. If nothing on the site needs XML-RPC (the mobile app and Jetpack do), disable it.

Use a plugin like:

  • Limit Login Attempts Reloaded
  • Loginizer
  • Wordfence

4. Enable Two-Factor Authentication (2FA)

Require a second factor at login, at minimum for every Administrator account, so a guessed or phished password is not enough on its own:

  • WP 2FA
  • Google Authenticator (the WordPress plugin of that name; it issues standard TOTP codes, so any authenticator app works)
  • Wordfence 2FA feature

5. Use a Security Plugin

Install one plugin (not several: overlapping scanners and firewalls conflict with each other and slow the site) to monitor and harden your site:

  • Wordfence (firewall, malware scanner, login protection)
  • Sucuri Security (activity auditing, file integrity checks)
  • iThemes Security, now renamed Solid Security (login lockdown, 2FA, site hardening)

6. Change the Default Login URL (Optional)

Bots commonly target /wp-login.php. Change it using:

  • WPS Hide Login
  • iThemes Security (Solid Security)

Example: Change yoursite.com/wp-login.php to yoursite.com/login123 (pick a path that is not itself guessable; avoid “login”, “admin” and the like).

This is obscurity, not a control. It cuts the noise from bots that hard-code the default path, but anyone who finds the new URL faces the same login form, and xmlrpc.php and the REST API still accept credentials at their usual locations. Keep login limits and 2FA in place regardless.


7. Set File Permissions Correctly

In your hosting file manager, via SFTP, or over SSH:

  • Folders: 755
  • Files: 644
  • wp-config.php: 600 (or 640 with the web server’s group if PHP runs as a different user than the file owner); it holds the database password and the authentication salts
  • Never set any file or folder to 777: world-writable means any other account or process on the host can overwrite your files, and a writable uploads directory is where injected PHP usually ends up
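The permissions above, applied from the shell and then verified. This is an added example, not code from the article or from any plugin it names; it assumes you can reach the files over SSH and that the WordPress root path you pass in (such as /var/www/html) is yours to change.

```shell
#!/bin/sh
# Added example, not code from the article: reset a WordPress tree to the
# permissions above and check that nothing is left world-writable.
# Assumes you own the files and can reach them over SSH; the path passed in is
# the WordPress root (e.g. /var/www/html), a placeholder here.

# Apply 755 to every directory and 644 to every file, then tighten
# wp-config.php, which holds the database password and the auth salts.
# 600 assumes PHP runs as the file owner (typical on shared hosts). If the web
# server runs as a different user, use 640 and give the file that user's group,
# or WordPress cannot read its own configuration.
harden_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# List every path that anyone on the host can write to (777 and friends).
# -perm -002 means "the others-write bit is set", whatever the other bits are.
# Run it after the fix and again from cron: a directory that drifts back to
# 777 after a plugin install is worth investigating.
list_world_writable() {
    find "$1" -perm -002
}

# Same check as a single number, handy in a script or a monitoring probe.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Usage: sh fix-wp-perms.sh /var/www/html
if [ -n "$1" ] && [ -d "$1" ]; then
    harden_wp_perms "$1"
    echo "world-writable paths left: $(count_world_writable "$1")"
fi
```

Run the check before the fix as well as after: the number it prints before is a quick measure of how exposed the install was, and a non-zero number afterwards usually means a plugin or a cron job is re-creating world-writable directories.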

8. Disable File Editing in the Dashboard

Add this line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This removes the Appearance > Theme File Editor and Plugins > Plugin File Editor screens. An attacker who obtains an Administrator login (by brute force, phishing or a stolen cookie) would otherwise use them to drop a PHP backdoor into a theme or plugin file in seconds. The setting does not stop plugin or theme uploads, which need the same role; DISALLOW_FILE_MODS blocks those as well, at the cost of having to install updates from the command line or your deployment process.


9. Use HTTPS (SSL)

Install a TLS certificate and force every connection, not just the login page, over HTTPS:

  • Most hosts offer free certificates via Let’s Encrypt, renewed automatically
  • Set both the WordPress Address and Site Address in Settings > General to https://, or use a plugin like Really Simple SSL to do that and fix mixed-content links site-wide
  • Without HTTPS, passwords and login cookies travel in plaintext and can be captured on any network between the visitor and your server
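Sections 8 and 9 both come down to constants in wp-config.php. The script below is an added example, not code from the article or from WordPress, that pins such constants from the shell without duplicating them if it is run again. It assumes the standard wp-config.php layout (a “That's all, stop editing!” marker above the require of wp-settings.php). DISALLOW_FILE_EDIT is the constant from section 8; FORCE_SSL_ADMIN is a standard WordPress constant, not named on this page, that forces the login and admin screens onto HTTPS, which is what section 9 asks for. The path /var/www/html is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the article or from WordPress: pin hardening
# constants in wp-config.php from the shell, idempotently. Running it twice
# leaves one define() per constant, and a new line lands above the
# "That's all, stop editing!" marker so it is evaluated before wp-settings.php.

# wp_config_set_constant FILE NAME VALUE
#   Replaces an existing define('NAME', ...) line or inserts a new one.
wp_config_set_constant() {
    file=$1 name=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v name="$name" -v line="define( '$name', $value );" -v q="'" '
        # An existing define() for this constant: print the new line, drop the old one.
        $0 ~ "^[[:space:]]*define\\( *[" q "\"]" name "[" q "\"]" { print line; seen = 1; next }
        # Reached the marker without seeing a define: insert just above it.
        /That.s all, stop editing/ && !seen { print line; seen = 1 }
        { print }
        # Neither a define nor a marker (non-standard file): append at the end.
        END { if (!seen) print line }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# wp_config_get_constant FILE NAME
#   Prints the value of a define()d constant, or nothing if it is absent.
wp_config_get_constant() {
    awk -v name="$2" -v q="'" '
        $0 ~ "^[[:space:]]*define\\( *[" q "\"]" name "[" q "\"]" {
            sub(/^[^,]*,[[:space:]]*/, "")   # drop everything up to the comma
            sub(/[[:space:]]*\).*$/, "")      # drop the closing paren onward
            print
        }
    ' "$1"
}

# Section 8 (no dashboard file editor) plus section 9 (admin and login over TLS).
harden_wp_config() {
    wp_config_set_constant "$1" DISALLOW_FILE_EDIT true
    wp_config_set_constant "$1" FORCE_SSL_ADMIN true
}

# Usage: sh harden-wp-config.sh /var/www/html/wp-config.php
if [ -n "$1" ] && [ -f "$1" ]; then
    harden_wp_config "$1"
    echo "DISALLOW_FILE_EDIT is now: $(wp_config_get_constant "$1" DISALLOW_FILE_EDIT)"
fi
```

The placement matters: WordPress reads wp-config.php top to bottom and loads wp-settings.php at the marker, so a define() added after the marker is read too late and silently does nothing. The same helper works for any other boolean or string constant you want to pin, such as WP_DEBUG false on a production site.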

10. Regularly Back Up Your Site

Use a reliable plugin (like UpdraftPlus) or your host’s backup service to back up:

  • Your database
  • Your site files (at least wp-content; core can be re-downloaded)

Store backups offsite (e.g., Dropbox, Google Drive, or object storage) and not only on the web server, where an attacker who gets in can delete or encrypt them along with the site. Keep several generations, so a backup taken after a compromise does not overwrite your last clean copy, and test a restore at least once: a backup that has never been restored is an assumption, not a backup.


11. Monitor Site Activity

Use plugins that:

  • Log user activity (logins, failed logins, role changes, plugin and theme installs, content edits)
  • Alert you to suspicious file changes or login attempts

Examples:

  • Activity Log
  • WP Activity Log (formerly WP Security Audit Log)

Send alerts off the server (email or a chat webhook) and keep an eye on the web server’s own access log as well: a log that lives only inside a compromised site can be edited by whoever compromised it.
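The login-limit plugins in section 3 and the monitoring plugins here react to the same thing: repeated failed logins from one client. The script below is an added example, not code from the article or from any of those plugins, that finds that pattern in the web server’s access log, which is worth checking independently of whatever a plugin reports. It assumes the common “combined” log format written by Apache and nginx, and the log lines in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from any plugin named in it.
# Spot brute-force login traffic in a web server access log ("combined" format,
# as written by Apache and nginx). Limit-login plugins throttle exactly these
# requests; running this over the raw log shows what they are reacting to, and
# it covers xmlrpc.php, which a renamed login URL does not protect.
# The log lines below are constructed for the example.

SAMPLE_LOG='203.0.113.7 - - [12/May/2025:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2025:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2025:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/May/2025:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
192.0.2.55 - - [12/May/2025:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
192.0.2.55 - - [12/May/2025:10:03:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.20 - - [12/May/2025:10:02:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Count, per client IP, the requests that look like credential guessing:
#   - POST /wp-login.php answered with 200: WordPress re-renders the form on a
#     failed login and answers a successful one with a 302 redirect, so a 200
#     here means a failure.
#   - any POST to /xmlrpc.php: system.multicall lets one request carry many
#     login attempts, so even a low count deserves a look.
# Fields in the combined format: $1 client IP, $6 method, $7 path, $9 status.
# Reads the log on stdin, prints "<ip> <count>" sorted by count, highest first.
login_failure_counts() {
    awk '
        $6 ~ /POST/ && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
        $6 ~ /POST/ && $7 ~ /^\/xmlrpc\.php/                 { n[$1]++ }
        END { for (ip in n) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# Print only the IPs whose count exceeds the threshold (default 10). These are
# the candidates for a block at the WAF or the host firewall.
flag_bruteforce() {
    login_failure_counts | awk -v t="${1:-10}" '$2 > t'
}

# Run the check over the constructed sample so the file works stand-alone.
# On a real server: flag_bruteforce 20 < /var/log/apache2/access.log
flag_bruteforce_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce "${1:-2}"
}

flag_bruteforce_sample
```

Note what the sample does and does not flag: the visitor at 198.51.100.20 loaded the form and logged in once (a 302), so they never appear, while the xmlrpc.php client shows up after only three requests. Pick the threshold from your own baseline; a site with a handful of editors rarely sees more than a few failed logins an hour from one address.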

12. Use a Web Application Firewall (WAF)

A WAF filters malicious requests (SQL injection, known plugin exploits, login floods) before they reach WordPress:

  • Built-in with Wordfence or Sucuri. These run inside PHP on your own server, so the request has already reached the host by the time it is inspected; they still stop most automated attacks, but they cannot absorb a traffic flood
  • Or use a cloud-based WAF like Cloudflare (the free plan includes basic protection), which filters traffic before it reaches your server. If you do, allow web traffic to your origin only from the provider’s published IP ranges; otherwise an attacker who discovers the server’s real IP address simply bypasses the WAF

Bonus Tips

  • Delete unused themes and plugins; deactivated code is still on disk and still exploitable if it has a known vulnerability
  • Renaming the WordPress database prefix (wp_) is sometimes recommended for obscurity, but it offers little real protection: an attacker with SQL injection can read the actual table names from information_schema. Do it on a fresh install if you like, but do not count it as a control
  • Restrict access to wp-login.php and the wp-admin area to known IP addresses (advanced), via .htaccess on Apache or a location block on nginx. Keep wp-admin/admin-ajax.php reachable, since front-end features of many themes and plugins call it for anonymous visitors
