Protect WordPress Site from Hackers in 7 Ways

Protect WordPress Site from Hackers. As the #1 blogging platform on the planet, WordPress is a favorite target for hackers.
Protect WordPress Site from Hackers

As the #1 blogging platform on the planet, WordPress is a favorite target for hackers. While WordPress is reasonably secure when you install it, there are some easy steps you need to take to make it hacker-proof.

In this blog post you will learn how you can protect your WordPress site from hacking attempts. Some steps are easy, but a few require some advanced technical knowledge to implement.

1. Don’t Use the Default User Name

The default username given during WordPress installation is ‘admin’. You shouldn’t use the default username as hackers are aware of this and can easily manipulate your site.

If you’re already using the default username, create another WordPress user id with a username which is difficult to guess and an equally strong password. Give this new id ‘Administrator’ status. Credit the published posts to the new user id and delete the ‘admin’ user details.

Moreover, to ensure that you’re not booted out of the WordPress admin access, create another user id with administrative access and save the details somewhere. Now you have two ids to access the site.

Lastly, keep changing the passwords often.

2. Use the Login Lockdown Plugin

Hackers use brute force to break into WordPress sites. To prevent this, use the Login Lockdown plugin which bans a user from logging into the WordPress sites after a certain number of failed attempts.

Suppose you configure the plugin for three attempts and if I try to login with wrong password and username thrice, I will be banned from accessing your site. The IP address will get blocked and I will be unable to view the site’s login page.

This is a must-have plugin to protect WordPress site.

Of course, it may also happen that a genuine user gets locked out because the user lost the username or password. In such cases, you can remove the IP ban from within the dashboard and send the genuine user new login details.

3. Update Your Plugins & Theme

This is a basic security measure which many WordPress users sideline. Bug or security flaw fixes are the main reason why developers update their themes and plugins.

If you don’t update them on your WordPress site, you’re exposing the site to hackers. Forget hackers, updating plugins and themes to recent versions ensure smooth working of the site. Otherwise, it can lead to plugin and themes incompatibility issues either with each other or with core WordPress.

4. Scan Your Website Weekly

WP Security Scan is a recommended plugin to protect WordPress site and detect malicious codes. Whenever you run the plugin, it scans the whole site to detect any injected malicious scripts and codes. If any is detected, the scan result will show a list of problems and state “You do not have a stable version of WordPress”. Get rid of the errors immediately.

5. Deactivate Directory Browsing

It is easier for hackers to manipulate your site if they know the WordPress site directory structure. You need to deactivate directory browsing by modifying the .htaccess file. Add this code in the root directory:

# protect wp-config.php<files wp-config.php>Order deny,allowDeny from all</files>

Add the code and save. No one will be able to access the wp-config.php file.

6. Don’t disclose Your Plugins

You should not display the list of plugins used on the site to anyone. The first step is to check whether the list of plugins is on display or not. To do this, use either of the paths:


Replace with the real URL. You are safe if either of the above paths don’t display anything. If they do, there are two solutions:

Solution 1: Use cPanel to De-Index the File

  • Login to cPanel
  • Click on Advanced
  • Choose Index Manager
  • Choose the domain and folder you wish to de-index
  • Select No Indexing
  • Save

Check out both the paths again. It should solve the issue.

Or, try the second solution.

Solution 2: New .htaccess File

Login to cPanel and choose the relevant domain. Navigate to /wp-content/themes and create a new .htaccess file. Paste the following code.

# BEGIN WordPressRewriteEngine OnRewriteBase /RewriteCond %{REQUEST_FILENAME} !-fRewriteCond %{REQUEST_FILENAME} !-dRewriteRule . /index.php [L]# Prevents directory listingIndexIgnore *# END WordPress

Save the file and refresh. Check the wp-content paths. Your plugins visibility access is restricted.

7. Hide Your WordPress Version Details

Never reveal the WordPress version details. Go to header.php and modify the following code:

<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” />


<meta name=”generator” content=”Powered by WordPress”/>

and save.

The WordPress version details will be hidden.

Make Backups & Save Them!

Never ever forget to backup your WordPress site. It might happen that despite initiating preventive measures, the site gets hacked and all your data vanishes. In such a circumstance, having database and file backups are important to restore the hacked WordPress site.

You can either use the WP Backup Buddy plugin or backup manually with the cPanel. Some hosting providers automatically email blog backups according to a preset time interval.

No matter if you are just starting out with WordPress, you should protect WordPress site from malicious intents at all times.

Share this post

Other Posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Scroll to Top