13 Ways to Protect your WordPress from Hackers and Attackers

It’s still a misconception that when you pay for a web domain and a hosting service, you’re set up in your own little private corner of the internet— as if you were buying physical property. But just like you are at risk of break-ins in your home or work, as the owner of a website you are also at risk of security breaches.

Did you know that 73% of all Americans have fallen victim to some type of cybercrime, and 47% have had their personal information exposed by hackers (Stopthehacker.com)? That’s a lot of Americans who have been victims of online security breaches.

Everyone is at risk— big corporations, small businesses, individuals, even governments. That became evident in the recent US election when Russians broke into both the DNC and the RNC. The FBI now considers cybercrime as one of its top priorities.

No one is immune to cybercrime. So as a website owner, you are responsible for keeping your site safe from hackers. This can seem like a very daunting task considering how skilled hackers are becoming. But there are still steps you can take to securing your site, particularly as a WordPress site owner.

The following are some critical methods of securing your WordPress site from hackers:


1. Use email as login

An email address is far more secure than a username. Hackers have an easier time predicting usernames, whereas email IDs are more unique. In any case, every WordPress user account is always created with an email address that can be used to validate the login.

Use email as login - WordPress Security

2. Set up website lockdown

Have you ever tried to log into an account where you couldn’t remember the correct user ID or password and then been locked out after too many failed attempts? It may be annoying when you’re on the receiving end of a lockdown, but this is an important measure for protection. Establishing a website lockdown for your site is a handy feature because it prevents brute force attempts. Not only is the intruder locked out, but you receive notification of the unauthorized activity.

There’s a plugin that can assist you with setting up lockdown measures for your site called iThemes Security. It allows you to set a limit on failed login attempts and then bans the intruder’s IP address.

Change your URL - WordPress Security

3. Change your URL

Hackers have an easier time brute forcing their way into your system when they know the direct URL of your login page. The hacker will try to log in using their Guess Work Database (GWDb), which is full of millions of combinations of usernames and passwords.

Replacing the login URL prevents an unauthorized user from gaining access to the login page altogether. All you have to do is change “wp-login.php” to something more unique such as “login_now_admin.” This will remove the threat of almost all direct brute force attacks.

Make use of 2-factor authentication - WordPress Security

4. Make use of 2-factor authentication

This is becoming a popular method for protecting logins, and you may already have some familiarity with it for accounts like Google or your online banking site.

As the website owner, you decide which two login details a user must provide to log into their account— email address and phone number, password and security question, etc.

Keep WordPress up to date - WordPress Security

5. Keep WordPress up to date

As WordPress is an open source code, there are always improvements being made to remove bugs and fix security issues. It’s important that you stay on top of the latest version of WordPress by always updating when prompted. An un-updated site is a vulnerable site.

Delete the plugins and themes you don’t use - WordPress Security


8. Delete the plugins and themes you don’t use

Logically speaking, if you’re not using a plugin or theme, you’re not going to update it. That means you’re leaving yourself vulnerable. So instead of taking that risk, delete the plugin altogether. Note that “deactivating” is not the same as “deleting.”

Backup your site regularly - WordPress Security

8. Backup your site regularly

If something ever happens to your live site and you lose data, you’ll be kicking yourself for not backing it up. Do yourself a favor and keep an off-site backup that you update on a regular basis. There are several plugins to help you with this.

Remove your WordPress version number - WordPress Security

9. Remove your WordPress version number

If hackers know the version of WordPress you’re using, it gives them a significant advantage on attacking your site. There’s an option to hide the version number, and the same plugins that can be used to backup your site can also help you do this.

Encrypt data using SSL - WordPress Security

10. Encrypt data using SSL

SSL stands for Secure Socket Layer. An SSL certificate will safeguard the transfer of data between the server and user browsers, which complicates a hacker’s ability to interfere.

Not only are SSL certificates easy to purchase for your WordPress site from your hosting service, but Google’s algorithm ranks SSL certified sites higher in the SERPs. It’s a win-win.

Change the admin username - WordPress Security

11. Change the admin username

You make it very easy for hackers when you leave your username as “admin.” It’s at the top of the list on GWDbs. Change it to something more unique.

The iThemes Security plugin mentioned above comes in handy for this particular issue because it will immediately ban any IP address that attempts to log in with the “admin” username.

Adjust your passwords - WordPress Security

12. Adjust your passwords

It may be easier on you (and your memory) to leave a password as something simple and easy, so you don’t have to look it up every time you want to log in, but if it’s easier for you it’s also easier for hackers.

Change your passwords regularly, using both uppercase and lowercase letters, numbers, and special characters. If you want some help coming up with unique passwords, this password generator is a nifty solution.

Download a security scanner plugin - WordPress Security

13. Download a security scanner plugin

It will put your mind at ease to know just how secure your site is by being able to monitor everything that happens on your website. WordPress offers a free security plugin called Sucuri Scanner which will track failed login attempts, malware scanning, and other file monitoring.


It’s not difficult to put proper security measures in place to protect your WordPress site from cybercrime. Make sure you put all of these tips into effect so that you can minimize your risk of attack. If you need any assistance in securing your WordPress site, Bright Vessel is here to help.

We also offer WordPress Hosting Management and WooCommerce Hosting Management and take care of all the above so you do not have to worry. Give us a call today at 561-935-6418.