WordPress is a popular content management system (CMS) that constantly receives security updates. However, it’s still vulnerable to hacking attacks. Whether you have an ecommerce site or a blog, it’s important to learn how to secure a WordPress website from hackers.
The good news is that you don’t need to hire a security expert for that task. By taking a few precautions and using the right tools, you can stop hackers from gaining access to your website and stealing your data. 🛡️
Common WordPress hacking attacks
WordPress powers 43.1% of sites on the web, making it a popular target among hackers .
🐱👤 Some of the most common attacks include:
- Cross-Site Scripting (XXS). This is when hackers are able to insert malicious code into the site because the website in question does not properly validate or sanitize user input. XXS attacks typically target sites that accept user-generated content through forums, comment sections, and forms.
- Brute-force attacks. Hackers may try breaking into your site by generating multiple username and password combinations until they guess the right login credentials. Most of them use specialized software or scripts to automate brute-force attacks.
- Structured Query Language (SQL) injection attacks. Malicious actors can exploit vulnerabilities in a website (or the plugins it uses) to insert harmful SQL commands. They do this to gain access to the website’s database and steal sensitive information, such as credit card details.
Some WordPress sites are more vulnerable than others. For example, if you have a lot of plugins on your website, it provides more potential entry points for hackers.
Additionally, if you have an online store, your website might be a more attractive target than a personal blog. This is because many hackers are after sensitive data like credit card numbers and login credentials. 💳
How to secure a WordPress website from hackers (5 strategies)
A hacking attack can have devastating effects on your business. Therefore, it’s important that you learn how to secure a WordPress website from hackers.
Fortunately, it’s not that difficult to protect your site. Let’s look at some effective precautions.
- Enable two-factor authentication
- Change the WordPress login URL
- Limit login attempts
- Make sure core, plugins, and themes are always up to date
- Choose a secure web host
1. Enable two-factor authentication 🧑💻📱
Two-factor authentication (2FA) is a security procedure that’s used on many websites with user accounts. Once you’ve entered your username and password, a site may ask you to enter the code that was sent to your mobile phone or email address:
This adds an additional layer of security, making it even more difficult for hackers to carry out a successful brute-force attack. This is because guessing the username and password wouldn’t be enough to access a site.
As a website owner, you can add 2FA to the WordPress login page. If you use a plugin like WP 2FA, you can even enforce it on other users on your website, such as editors and authors:
Users can choose to have a one-time code sent to their personal email address or generate the code with their app of choice (such as Google Authenticator or Authy).
Plus, the plugin integrates with WooCommerce and other ecommerce and membership tools, so you can also set up 2FA for your customers and members.
2. Change the WordPress login URL 🖱️
Another way to prevent brute-force attacks is to change the WordPress login URL of your site. By default, the user can access the WordPress dashboard by adding /login/, /admin/, or /wp-login.php to the site’s URL. However, this makes it easy for hackers to find your login page.
You can change the WordPress login URL with a plugin like WPS Hide Login:
This tool enables you to create a custom login URL, using random letters and characters to make it difficult to guess. Just remember to bookmark the login page or make a note of the new URL!
3. Limit login attempts 🚧
As mentioned earlier, hackers will try a multitude of password and username combinations to break into your site. You can stop brute-force attacks by limiting the number of login attempts a user can make.
For example, you might only allow two failed login attempts. After that, users will be locked out of the admin area (don’t worry – genuine users will be able to reset their passwords).
Limit Login Attempts Reloaded enables you to limit login attempts on the default WordPress login screen, as well as WooCommerce and any custom login page on your site:
The plugin will block an IP address and username from making further login attempts after a specified number of retries has been reached. To be on the safe side, you may want to limit the number of login attempts to three per user.
4. Make sure core, plugins, and themes are always up to date ⚙️
Hackers may gain entry to your site through a vulnerability in a plugin or theme. For this reason, developers regularly release security patches for their plugins and themes.
This means it’s super important that you update your plugins and themes as soon as a new version becomes available. The same goes for the WordPress software, which is another essential part of how to secure a WordPress website from hackers.
You can check your site for updates by navigating to Dashboard > Updates. Here, you’ll see any software that needs updating:
You’ll want to check this page regularly to keep your site safe. Alternatively, you can set up automatic updates. To do this, simply navigate to the Plugins page and click on the Enable auto-updates option next to the plugin:
You can do the same thing for themes.
Note that minor WordPress updates are typically done automatically by default on most installs. Minor updates are focused on security and maintenance updates and denoted by two dots – e.g., WordPress 5.6.1 or 5.5.3.
However, major updates may need to be initiated manually. This isn’t a problem because you can wait to apply major core updates. This is because major updates are exclusively focused on adding new features rather than making security fixes. Major updates only have one dot – e.g., WordPress 5.6 or WordPress 5.5.
5. Choose a secure web host 🔒️💻️
If you’re looking for more ways how to secure a WordPress website from hackers, you can migrate to a more reliable hosting provider. A good web host should have several security measures in place to protect their clients.
For example, they should monitor their servers for suspicious activity and regularly update their software and hardware. If you opt for a managed WordPress hosting plan, your host will likely perform daily backups and scan your site for malware.
If you’re on a shared hosting plan, your site is sharing server resources with many other websites. This means that a security breach on another website could also impact your site if your host isn’t properly isolating different accounts.
Therefore, you might want to consider switching to a more secure service, like dedicated hosting or virtual private server (VPS). This way, your site is hosted in an isolated environment and is less likely to be affected by security issues on third-party websites.
Secure your WordPress website today 🛡️
WordPress is a popular platform for building websites, but it’s also a common target for hackers. Malicious users could exploit vulnerabilities in plugins and themes to gain entry into your site and steal sensitive information.
They could also gain access to this data by carrying out brute-force attacks.
👉 To recap, here’s how to secure a WordPress website from hackers:
For some more general tips, you can check out 🎁 our full collection of WordPress security tips.
Do you have any questions about how to secure a WordPress website from hackers? Let us know in the comments section below!