How to Secure WordPress from Hackers


If you want to secure WordPress from hackers, here are some things you can do. If you’re technically challenged, you may not want to read this article. But you SHOULD before you lose your website. Knowledge is power, right?

Using WordPress to design your site is great because it gives us small business owners the flexibility to update it easily without hiring a coder or web developer. But it is vulnerable to attacks. So, what can you do to secure WordPress from hackers? Here are six ways to do it. Note that there are a lot of other ways you can secure your site as well.

Keep Several Backups

Your hosting company usually keeps some backups for you. But what happens if the stars align perfectly and you happen to lose your site (guilty) and don’t have a backup? You can lose everything. And yes, as hard as it is for me to admit, I lost my site once when those beautiful stars aligned perfectly and never recovered 100 pages – but that is another story and it won’t ever happen again. So don’t just rely on your hosting company for your website backups.

Don’t just rely on your hosting company for your website backups, especially if they are just backing up once a week.

You can run your own backups with Duplicator. It has great reviews, but it is somewhat technical. VaultPress for business costs between $99/year and $299 and you’ve got 30 days of backups. With many of the options, you must go into your backup and download it to your computer. There are other plugins you can use to back up as well.

Have your hosting company run a backup for you and keep it on your computer and on your own backup system. If you host your site on SiteGround (they’ve been great so far), purchase or upgrade to their Grow Big package and you’ll have 30 days of archived backups. GoDaddy also has 30 days of backups for WordPress installations, although I don’t use them for hosting WordPress.

Oh, and before you make any changes to your WordPress website’s backend, make sure you do what? Back up!

Don’t Use Admin for Your Username

Oh my gosh, I’ve seen this so many times: many web developers or do-it-yourselfers use admin. Make your username difficult and NEVER, ever use admin. Use a random password generator like Norton, Comparitech, or LastPass. Use a combination of numbers, symbols and capitalization and make it longer. Same goes for your password. Make them difficult.

Make your WordPress username difficult and NEVER use admin as your username.

Check All Plugins Before Installing

You may have read in 2015 about the WordPress plugin vulnerabilities that opened up websites to being hacked. Be cautious when installing plugins for your WordPress website – check them out. Use the WordPress plugin search to find out information and ratings.


Is it compatible with your version of WordPress? What do the comments say about the particular plugin? How many positive ratings does the plugin have? And how many reviews does it have?

Checking them out doesn’t guarantee that they won’t eventually be open to vulnerability, but it does help. In 2015 even one of my favorite and highly regarded plugins, Yoast SEO, had some problems. But they immediately addressed them and created a patch. I’ve even purchased plugins where the developer does not update them, and eventually I’ve had to delete them.

Oh and note that plugins may slow your site down.

When considering plugins for your WordPress site, check out ratings and compatibility with your version of WordPress before installing.

Update Your WordPress Version

WordPress releases new versions and you should be updating yours. You’ll be notified when you are logged into your admin panel or by your hosting company. Make sure you back up your site before you update. I’ve also run into problems with some sites that I’ve taken over from other web developers. I quit updating one of my customers’ websites because we had to change so much of the coding after each WordPress version update, as the site wasn’t coded properly to begin with. So, I’m in the process of creating a new WordPress site for them. What a shame because they paid a fortune for it.

Update Your Plugins

From your admin, you’ll see a notification number if your plugins need updating. First back up, and then I suggest that you update one plugin at a time and check everything out after each update. If you don’t check things out as you go, then you’ll have to test each plugin individually should something break. Once I updated a plugin and I lost part of my toolbar, so it does happen.

Also, if you update some plugins, you may have things “break” in your site. Which means that you may have to restore one of your backups should the plugin not be compatible or remove it. And again yes, it happens. Notice I have a few that need updating noted by the “5” right next to “Plugins”.

Change Database Prefix

Your database stores your posts, pages and media files and is vulnerable to being hacked. You should change the default database prefix when installing your website or before you publish. Here’s a step-by-step tutorial and video from WPBeginner on how to change your database prefix. It’s technical, so contact Kick A or have your web developer do this.
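A quick check for three of the tips above (the admin username, pending plugin updates and the default database prefix), as an added example that is not part of the original article. It assumes the user and plugin lists were exported as JSON with WP-CLI (`wp user list --format=json` and `wp plugin list --format=json`) and that you have a copy of `wp-config.php`; the sample data below is constructed.

```python
import json
import re

# Constructed sample inputs (not from a real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
"""
SAMPLE_USERS = ('[{"ID": 1, "user_login": "admin", "roles": "administrator"},'
                ' {"ID": 2, "user_login": "jo-k7x", "roles": "editor"}]')
SAMPLE_PLUGINS = ('[{"name": "example-seo", "status": "active",'
                  ' "update": "available", "version": "1.0"},'
                  ' {"name": "example-forms", "status": "inactive",'
                  ' "update": "none", "version": "2.3"}]')


def table_prefix(wp_config_text):
    """Return the $table_prefix value from wp-config.php text, or None.

    Anchoring at the start of a line skips commented-out assignments.
    """
    pattern = r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;"""
    match = re.search(pattern, wp_config_text, re.MULTILINE)
    return match.group(1) if match else None


def audit(wp_config_text, users_json, plugins_json):
    """Return a list of findings for the three checks."""
    findings = []
    prefix = table_prefix(wp_config_text)
    if prefix is None:
        findings.append("table prefix not found in wp-config.php")
    elif prefix == "wp_":  # wp_ is the WordPress default
        findings.append("database still uses the default 'wp_' table prefix")
    for user in json.loads(users_json):
        if user["user_login"].lower() == "admin":
            findings.append(f"user ID {user['ID']} has the username 'admin'")
    for plugin in json.loads(plugins_json):
        if plugin["update"] == "available":
            findings.append(
                f"plugin '{plugin['name']}' ({plugin['status']}) has an update available")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG, SAMPLE_USERS, SAMPLE_PLUGINS):
        print("FINDING:", finding)
```

An empty list means none of the three issues was found; it says nothing about the other tips, such as backups.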

And Finally

There are additional things you can do, including securing the .htaccess file, adding a login lockdown, or adding SiteLock, Sucuri or Wordfence. And yes, Kick A can help you secure your site.

How have you secured your site? What have you found that works? Have you had any problems with WordPress security? How have you secured your WordPress from hackers? Comment below please!

Jo Guerra

  • Yesssss … thank you! Thank you for writing about this. One of the easiest ways for hackers to get into your site is through out of date plugins and out of date WordPress installations. It’s super easy to keep things up-to-date. It’s much easier than trying to fix a hacked site!

    January 16, 2017 at 4:02 pm
  • Excellent tips, Jo! I recently changed my WP password to use 12 random characters due to the more characters, the less likely your site will be hacked. Takes too long to get in and hackers move on to the easier sites.

    January 16, 2017 at 4:26 pm
  • Wow. Like I’ve told Terry I feel like I’m learning a new language. Some I’ve done, but I haven’t backed up my site. I just got a new one, but now’s the time. If I update plugins can I assume they’re safe, or I have to go research again? Whew. My brain is tired today. Thanks for sharing this in the blog challenge!

    January 16, 2017 at 4:38 pm
  • Yes! Such an important topic. As someone who got her site hacked and all users using a smart phone (including my dad) were forwarded to a porn app, I can 100% affirm how important this is.

    Based on that experience, I have one more tip.

    I was using all the techniques that you have listed above for my current site. However, on my hosting server, I had an old WordPress site that was for a program I was no longer offering. I had let the site go unmaintained for quite a while. Hackers got into my current site by using a back door through a very old website I wasn’t maintaining! I didn’t even know that was possible. Fortunately, I had a resource that was able to help me figure it out pretty quickly.

    January 17, 2017 at 6:14 am
  • Kathleen Tucker

    Awesome article! I’m new in the WordPress world and it is good to know that my website can be easily backed up using a plugin. My web host offers free weekly backup which is awesome, but it is really good to have my own backup. I will definitely try the Duplicator plugin on my site.

    Thank you Jo!

    January 22, 2017 at 5:44 am
  • Linda

    Hello Jo, really nice tips. I’d just like to share one tip that I learned while researching. I found out that keeping XML-RPC enabled all the time is a serious security risk. Many hackers exploit XML-RPC. Hope you will find this information useful.

    January 23, 2017 at 10:13 am
