Secure Your WordPress Website

How To Secure Your WordPress Website From Hackers: The Complete List

WordPress being an open-source platform, it’s quite vulnerable. Although there is not much technical knowledge required developing and running a website through WordPress platform but you’ve to be aware of certain technical topics, if you wish to completely harden your WordPress driven website. Here I’m writing a tutorial guide on how to secure your WordPress website from hackers and I’ll try to provide the complete list of working methods and tools you can rely upon to deliver much-needed security.

If WordPress wasn’t available with an open-source attribute then it could have never been so popular (debatable? Discuss in comments) and since it comes at no cost so you can’t expect any tough support and security from the developers, although basic protection is provided from their side which includes blinking a notification to upgrade website to latest available version of WordPress with every newly released version.

Also read:


Secure Your WordPress Website from Hackers

To avail the basic protection, upgrading and keeping website always with latest available stable version is good enough but still there are lots of vulnerabilities which you should take care of. Here are the fixes one by one and they require a level of technical knowledge to be worked upon.

#1 User ID and Password

WordPress provides a standard protection to every website developer on its platform by keeping the Dashboard area secured with a User ID and password combination. These credentials are required to get login into Dashboard area where all controlling options are available for the developer.

So this is the first thing you’ve to take care of. Make sure that the password combination you’re using is unique and good enough to be extremely hard for anyone to guess. Try a combination of Upper letter, Lower letter, numbers and special symbols to create the best password for your beloved website.

Also, delete the admin user ID which is created automatically when WordPress script is installed. Deleting this profile is very easy. Simply move onto User section through Dashboard and create a new user ID with admin privileges. Once a new one is created then you can easily delete the admin ID with few simple clicks from the same section.

Deleting default user and keeping hard password which isn’t that easy to be guessed further increases the level of security being offered to your website through this basic protection offered by the platform.

#2 Limit Login Attempts

WordPress by default offers unlimited number of trying User ID and password to crack into Dashboard area. Now you’ve to somehow remove that unlimited attribute and make it limited. Simply install a plugin named Limit Login Attempts and it will do the work pretty well.

Once it’s installed and activated, you can set number of attempts provided to hit and try credentials to login into the control center of your website.

There are many software and algorithms generated (commonly known as Brute Force Attacks) to work automatically and guess the password for any website created on WordPress. You’re simply blocking all such methods by limiting the login attempts.

#3 Staying Updated with Latest Versions

As already mentioned during initial statements above, staying updated with latest available versions of WordPress script can minimize the chances of getting hurt. But the core script isn’t the only thing to be updated. You need to keep plugins and themes updated as well.

Also, use plugins which are used and recommended by users around the community and also check their reviews before buying. When it comes to theme selection then I’d always recommend using premium ones not only because they are secured but also offers a lot of better features and user experience.

#4 Updating File Permissions

Login into hosting account and move into File Manager section, before changing anything as illustrated beneath take a complete backup of all files and folders.

Folders there like wp-admin and wp-includes should be writable only by your user account. Except wp-content folder and .htaccess file, make sure every other folder and file are writable by only your account on the hosting server.

You can do that by changing file permissions of folders to code 755 and of files to code 644.

This is an easy way to protect files and folders running the WordPress website for you from being exposed and rewritable by the world. This particular step here requires you to be aware of handling server well otherwise ask support system of the host to do it for you.

#5 Securing wp-config.php

Inside file manager, a wp-config.php file can be found. Now if the WordPress script is installed in the root folder of your server then you need to move this particular file outside that root folder. Make sure you just move only a single folder out and keep the file over there.

Also update the file permissions for this particular file to 440 or 400 which means that only you can read and edit this file.

Securing this particular file by these two ways can bring minimum changes to security level but still it’s going to make a difference at the time of urgency.

#6 Choose a Known and Popular Host

When it comes to getting a premium service, we should not be thinking too much at the time of paying for it. The same case is applied here. I recommend every one of you to choose host wisely where you wish to store files and folders of your WordPress website.

Make sure you check on their reviews and ask users who are already with them or had been their customers. This is how you’ll come to know actual review before buying their services. Hosts like HostGator, BlueHost, InMotion, etc are popular players in this industry and they have a well-known reputation for providing secured interface since years.

#7 Scan for Malwares

WordFence plugin when installed, is going to scan through every files and folder behind the existence of your WordPress website to look for the presence of any kind of malware. Cleaning a website and keeping it safe before an attacking attempt is always better than messing around with the cleanup after getting hurt.

Wrap up

Please note down that even following all these methods to secure your WordPress website from hackers doesn’t guarantee that it’s completely protected. Hackers are always attempting to display their capabilities by cracking websites which are hardened completely.

But that doesn’t mean that you should be serving your website’s future to them with a glass of wine. So, keep the website protected and hope for the best. Also keeping backup is always a better call. Stay updated with vulnerabilities and security measures going around the world for WordPress. See you all in comments.

*last updated 02/27/2019

Editorial Staff

Editorial Staff at 85ideas is a team of WordPress experts led by Brian Harris. Here to share amazing tuts, guides and collections.

  • Robert Issell
    Posted at 19:28h, 22 February Reply

    Will wordfence plugin slow down wp rainmeter tech site?

    • Brian H
      Posted at 10:10h, 23 February Reply

      Hi Robert,

      I have not test how it affects the speed of your website but I didn’t notice any major slowdown when I tested it on my test site. If you want to know how it will affect your sites performance then check out by Godaddy. P3 profiler will let you know how it affects your sites speed.

  • Iori Yagami
    Posted at 11:12h, 27 August Reply

    As well delete ID ?? Automatically generated ID in the installation of wordpress ?, where is this ID? because so know we created the User and the password you created when installing wordpress .. is there any other kind of Chavel beyond the login protected by a User name and password? this ID is somewhere in the directory that I can are deleting? I never knew that part ID .. sorry my english

Post A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.