How to Secure WordPress Site from Hacking Attempts



The most popular content management system, WordPress, has 64% of the CMS market share, more than all other systems like Drupal, Joomla, etc. combined. Over 75,000,000 websites use WordPress; put another way, almost 40.3% of the internet is powered by it. WordPress is known for its unprecedented impact on web standards, usability, and the internet as a whole. It has spread like wildfire and continues to grow, which raises the question of how to secure a WordPress site.

However, its widespread reach and growth have also left WordPress websites vulnerable to security breaches. Statistics show that WordPress accounted for 90 percent of all CMS sites hacked in 2018! This article explains how you, as a WordPress user, can protect your website from hacking attempts.

Main reasons for successful hacking attempts

Before we dive into tips on how to secure our WordPress site, let’s take a look at statistics that reveal the vulnerabilities that hackers are targeting.

  • 41% are attributed to security vulnerabilities in the hosting platform
  • 29% came from vulnerable WordPress themes
  • 22% exploited security problems in WordPress plugins
  • 8% were caused by poor credentials

Security checklist to secure a WordPress site

Our technical experts recommend some of the best practices that have been shown to protect a site from the above threats.

  • Strengthen your computer security

    Having a virus and malware scanner on your computer, and running scans frequently, is non-negotiable. Install a reliable firewall – possibly the one that came with your operating system.

  • Change the WordPress table prefix

    In a standard installation, all tables in the WordPress database start with the prefix wp_. This vulnerability can be addressed by changing the prefix to anything else, such as 8uh7dsgakm_.

  • Reliable and highly rated themes and plugins

    When choosing plugins and themes, go for the ones that have a high rating and appear reliable. Also, be aware of when they were last updated. If there hasn’t been an update for a long time, chances are it is more vulnerable due to unpatched security holes.

  • Protect important files from being accessed

    .htaccess is an important server configuration file that contains the code that enables the use of neat permalinks in WordPress. It can also set redirects and increase WordPress security.

    For added security, the first thing to do is to access the file, which is located in the root directory of your server and is hidden by default. So to edit it, make sure your FTP client is set to show hidden files (in FileZilla, go to Server > Force showing hidden files). Then take the following measures.

    Use the following code to prevent access to critical files like wp-config.php, php.ini, error logs, and .htaccess itself.

    <FilesMatch "^(wp-config\.php|php\.ini|error_log|\.htaccess)$">
    Order deny,allow
    Deny from all
    </FilesMatch>

  • Keep WordPress and its components up to date

    Keep WordPress versions and plugins up to date. Updated versions of WordPress not only bring new features, but also fix security vulnerabilities that were found in previous versions.

  • Use strong credentials

    A very common method of protecting your WordPress account is to use strong and secure credentials instead of the standard username. Make your password as secure as possible.

  • Change the login failure warnings

    If someone tries to log into your website with incorrect credentials, WordPress will tell them whether the problem is with the username or the password. This gives away half of the information and makes it easier to hack into an account.

  • Activate two-factor authentication

    Two-factor authentication is an additional step for users to sign in to your site. One example may be the need to enter a validation code that is sent to the cell phone. While this could add to the effort, it helps block automatic attacks.

  • Change the WordPress login url

    Another way to keep the WordPress login page secure is to hide it. You can usually reach the login page via or Move it to a different url address instead of wp-admin.

  • Disable XML-RPC

    This acronym is the name of a feature that can be used to remotely connect to WordPress. For example, blogging clients use it, and it’s also used for trackbacks and pingbacks. Unfortunately, it is sometimes also the target of hackers, which is why you should protect it with a plugin. Disable XML-RPC pingback.

  • Keep your site up to date automatically

    Automatic updates should be enabled to keep the site up to date.

  • Add security key

    WordPress Security Keys (SALTs) encrypt information stored in browser cookies. In this way, they protect passwords and other confidential information. These keys are phrases that are used to randomize this information and are stored in wp-config.php.

  • Deactivate the theme and plugin editor

    WordPress includes an internal editor for theme and plugin files that you can use to make changes to your site. While it can be useful in some situations, it also comes with a risk: someone who gets access to the back end of your website can use the editor to remove your website without accessing your server.

  • Turn off PHP error reporting

    If plugins or themes cause errors on your site, WordPress will display a message on your front end. This message may contain the path to the file that is causing the problem. Hackers can use this information to better understand the layout of your server and attack your site.

  • Restrict administrator access to a specific IP address

    Changes in .htaccess allow you to restrict access to your WordPress login page to limited IP addresses. That way, only you can access it.

  • Block certain IP addresses

    A similar technique is available to block IP addresses trying to break into your website. If you notice such incidents (e.g. in your server logs), you can lock them down for your site by configuring the .htaccess file.

  • Pay attention to file permissions

    The following file permissions should be applied on the WordPress site:

    • 755 or 750 for directories
    • 644 or 640 for files
    • 600 for wp-config.php
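
The permission values listed above can be checked across a whole installation with a short script. This is an added example, not part of the original article; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the modes listed above.
# Function names and the sample tree are constructed for illustration.

# audit_perms ROOT: print one "KIND PATH" line per path whose mode deviates.
audit_perms() {
    root=${1%/}
    # Directories must be exactly 755 or 750.
    find "$root" -type d ! -perm 755 ! -perm 750 | sed 's/^/dir /'
    # Regular files (wp-config.php is checked separately) must be 644 or 640.
    find "$root" -type f ! -path "$root/wp-config.php" \
        ! -perm 644 ! -perm 640 | sed 's/^/file /'
    # wp-config.php holds the database credentials: owner-only, 600.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 600 | sed 's/^/wp-config /'
    fi
}

# fix_perms ROOT: reset only deviating paths, so a chosen 750/640 is kept.
fix_perms() {
    root=${1%/}
    find "$root" -type d ! -perm 755 ! -perm 750 -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/wp-config.php" \
        ! -perm 644 ! -perm 640 -exec chmod 644 {} +
    [ ! -f "$root/wp-config.php" ] || chmod 600 "$root/wp-config.php"
}

# sample_tree: build a constructed tree with three deliberate deviations.
sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads"
    : > "$t/wp-config.php"; : > "$t/index.php"; : > "$t/wp-content/uploads/a.jpg"
    chmod 755 "$t" "$t/wp-content"; chmod 644 "$t/index.php"
    chmod 777 "$t/wp-content/uploads"        # world-writable directory
    chmod 666 "$t/wp-content/uploads/a.jpg"  # world-writable file
    chmod 644 "$t/wp-config.php"             # readable by other accounts
    echo "$t"
}

# With a path argument, audit that tree; otherwise audit the sample tree.
if [ $# -gt 0 ]; then audit_perms "$1"
else demo=$(sample_tree); audit_perms "$demo"; rm -rf "$demo"; fi
```

Run it with the WordPress root as the only argument; no output means every path already matches the listed modes.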


If you want to keep your website safe from hackers, the tips mentioned in this article are a step in the right direction. In addition to the important security measures mentioned above, it is also very important to keep your website up to date and to keep abreast of the latest vulnerabilities related to WordPress in order to protect yourself from attacks in the best possible way.
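
The wp-config.php items in the checklist (table prefix, security keys, theme and plugin editor, error display) can be checked with a short script. This is an added example, not part of the original article; it assumes the standard WordPress constants DISALLOW_FILE_EDIT, WP_DEBUG and WP_DEBUG_DISPLAY and the placeholder text from wp-config-sample.php, and the function names and sample file are constructed.

```shell
#!/bin/sh
# Added example: flag wp-config.php settings that the checklist warns about.
# Function names and the sample file are constructed for illustration.

# def NAME VALUE: ERE for "define('NAME', VALUE" with flexible quotes/spacing.
def() {
    printf '%s' "define\\([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*$2"
}

# check_wpconfig FILE: print one finding per line; no output means no findings.
check_wpconfig() {
    f=$1
    # Table prefix still at the installation default.
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$f"
    then echo "table_prefix: default wp_"; fi
    # Security keys and salts: missing, or still the sample-file placeholder.
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "$(def "$k" "")" "$f" | head -n 1)
        case $line in
            "") echo "$k: not defined" ;;
            *"put your unique phrase here"*) echo "$k: placeholder value" ;;
        esac
    done
    # The built-in theme and plugin editor must be switched off.
    grep -Eiq "$(def DISALLOW_FILE_EDIT true)" "$f" ||
        echo "DISALLOW_FILE_EDIT: not set to true"
    # Debug mode shows errors (and file paths) unless display is disabled.
    if grep -Eiq "$(def WP_DEBUG true)" "$f" &&
       ! grep -Eiq "$(def WP_DEBUG_DISPLAY false)" "$f"
    then echo "WP_DEBUG: errors displayed to visitors"; fi
    return 0
}

# sample_wpconfig: write a constructed wp-config.php and print its path.
sample_wpconfig() {
    s=$(mktemp)
    cat > "$s" <<'EOF'
<?php
$table_prefix = 'wp_';
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'constructed-value-not-a-real-key' );
define( 'WP_DEBUG', true );
EOF
    echo "$s"
}

if [ $# -gt 0 ]; then check_wpconfig "$1"
else demo=$(sample_wpconfig); check_wpconfig "$demo"; rm -f "$demo"; fi
```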
