Protecting your WordPress website from hackers

Products mentioned
Under lock and key

WordPress is one of the most popular content management systems (CMS) in the world. Over 33% of websites currently run on WordPress. That means many hackers focus their efforts on sites running on this platform. The good news is that WordPress features robust security and your site should be safe, so long as you take the necessary precautions.

Here are some tips on protecting your site against WordPress hacks.

  1. Use strong passwords & management

Many WordPress websites are hacked because hackers find a way to discover the website credentials, which is called brute force attacks. The risks of suffering from brute force attacks significantly decrease when you use strong passwords.

Creating complex and difficult passwords is a great way to prevent this from occurring.

Multiple services and applications require a username and password, for example, wp-admin logins, databases, FTP/sFTP, etc. It can be daunting to remember dozens of passwords without either writing them down or using the same password across the board (neither of which is recommended).

Fortunately, you can use a password manager to store and encrypt passwords safely. Though there are several, one password manager we recommend is LastPass.

LastPass – Password Generator

LastPass is an app/extension that both creates and remembers your passwords, so you don’t have to. It will even alert you if some of your passwords are too weak.

  1. Use the Principle of Least Privilege

Don’t delegate access to users/developers you don’t 100% trust. If you absolutely must give access, be sure to restrict it. Grant the lowest set of privileges allowable for each user’s tasks.  And once their task is complete, we highly recommend that you remove their access immediately. These are the actions behind the principle of least privilege.

  1. Keep WordPress plugins secure & updated

WordPress at its core is secure, with developers who constantly update the CMS, as well as a broad community who help further secure it by publishing plugins to assist in these efforts. Installing too many plugins without being certain they are secure can lead to WordPress vulnerabilities or your WordPress site being hacked.

The community built around WordPress  is entirely open source, meaning anyone and everyone has access to the code/content of plugins and themes. If you are interested in plugin security, we have hosted a webinar on how to know for sure if a WordPress plugin is secure.

Think of each plugin you install as an extra door into your WordPress site. If you have the best security methods only deployed on the front and back door but forget about securing the ‘side entrances’, you are essentially inviting hackers to exploit these areas too.

Though installing certain plugins can help alleviate the load of some tasks and even add cool and snazzy functionality to your WordPress site, ultimately these plugins can be used against you. Here’s a recent exploit we found within a WordPress Live Chat Plugin.

  1. Use a WordPress hardening method

You can use hardening methods to protect WordPress from hacking, such as:

  • Adding additional allow/deny rules via your .htaccess file,
  • Restricting login URLs to specific IP range(s),
  • Protecting your wp-config file,
  • Preventing image hotlinking, as well as preventing directory browsing,
  • Not logging in on public WiFi or not using VPN on public WiFi,
  • Deleting unused WordPress plugins and files,
  • Keeping your server clean.

Most website firewalls apply these methods for you by default.

  1. Prevent a WordPress hack with a website firewall

In 2018, among all hacked websites we worked with, WordPress accounted for over 90% of all CMSs hacked.

A common issue we stumble upon often, is that users sometimes cannot update their WordPress version due to incompatibilities with plugins or themes. This can leave a WordPress site vulnerable to hacks.

A great option to protect your WordPress website from hacks is enabling a Web Application Firewall (WAF).

A WAF is essentially a pass through for traffic that visits your site, filtering out bad requests (hack attempts, exploits, DoS, etc.) and allowing the good ones to go through.

How a Website Application Firewall (WAF) Works

A WordPress firewall:

  • Prevents a future hack by detecting and stopping known hacking methods and behaviours to keep your WordPress site protected against infection in the first place.
  • Adds a virtual security update. Hackers quickly exploit vulnerabilities in WordPress plugins and themes. A good website firewall will patch holes in your WordPress website software even without security updates.
  • Blocks brute force attacks. A WordPress firewall should stop any unwanted visitors from accessing your wp-admin or wp-login page and using brute force automation to guess your password.
  • Mitigates Distributed Denial of Service (DDoS) attacks which attempt to overload a server or an application resource. By detecting and blocking DDoS attacks, a WAF makes sure the WordPress site is available even if attacked with a high volume of fake visits.
  • Optimises WordPress performance. Most website firewalls will offer to cache for faster global page speed in order to keep your visitors happy and to lower bounce rates while improving website engagement, conversions, and search engine rankings.

The WordPress firewall Sucuri offer is a cloud-based WAF that both stops and prevents website hacks and attacks. Simultaneously, it speeds up your site by using our Content Delivery Network (CDN). No installation is needed—with a simple switch of your DNS A Record, it is enabled.


Implementing these five ways listed above will not perfectly secure and make an impenetrable system from hacks—nothing can. Consider them useful tips on risk reduction/elimination.

Remembering these basic concepts when creating or working on your WordPress website can help you prevent WordPress hacks from occurring. If you are looking for peace of mind and professional help, sign up for our website security  platform and let us take care of your website security for you.


Image by: