8 Simple Steps to Protect Your WordPress Site from Hackers


This post is all about the best way to protect your WordPress site from hackers. Let’s get started.

If you’ve just set up your WordPress site and you’re looking for ways to make it more secure, pull up a seat. If you’ve been using WordPress for a while and need a way to up your security, please also grab a seat.


Having a site to share news and ideas you’re passionate about is fun and exhilarating until it gets hacked. So, it’s important to pay attention to the best practices for WordPress security. I know that WordPress installation can be super easy and can be said to be secure at times, but it’s also easy to get carried away and install things that make you more vulnerable to hackers.

So, let’s quickly move on to why you need to take your WordPress security to a higher level.

Why WordPress Security Is Important

An insecure WordPress site can be dreadful and can cause serious damage to both your website and your reputation. Imagine seeing ‘Hacked by Anonymous’ plastered all over your website when you visit it. Also picture yourself trying to log in to your website for several hours, unable to gain access because you’ve been locked out. Harsh, right? I know.


The cost of rebuilding or restoring your site to a moderately safe level after a hack is usually extremely high and daunting.

But no worries, it’s not that hard to set up a moderate or pretty good level of security for your WordPress site. All you need are some of the most basic security practices.

How to Know if your WordPress Account has been Hacked?

In this section, we highlight some key things to look out for if you suspect your WordPress account has been hacked.

1. Website has been defaced

The most obvious sign that your once cool website has been hacked is seeing a large ‘HACKED’ typed boldly over your site. That’s the scariest feeling ever. But that rarely happens to individuals who are not the targets of political fury or top organizations like schools, banks, etc. But don’t fret, the measures listed below will not only provide tips on how to protect your WordPress site but also on how to bounce back from hacks.

2. You can’t log in to your WordPress site anymore

The second most common sign that your WordPress site was hacked is when you don’t have access to it even though the site is still active. No matter how many times you try to log in with your username, or with the users who were once signed in to the site, nothing works. You also notice that when you try to do a password reset, the email used to reset the password has been changed to one you have no idea about. That’s shocking.


3. Unknown user accounts on your WordPress site

This is definitely a red flag. If you see even just one unknown user account on your site, get help! What this means is that those users have all the permissions you have, from writing posts to deleting posts and pages, to adding users, to kicking you out of your own site. Literally everything.

4. WordPress site starts slowing down

If your WordPress site normally loads really fast and all of a sudden you notice that it’s crawling, there is a possibility that it has been hacked. All websites on the internet can become victims of random denial-of-service attacks. These attacks use several hacked computers and servers from all over the world with fake IPs. Sometimes they are just sending too many requests to your server; other times they are actively trying to break into your website. Any such activity will make your website slow, unresponsive, and unavailable. You will need to check your server logs to see which IPs are making too many requests and block them. It is also possible that your WordPress site is just slow and not hacked.


5. WordPress site keeps redirecting to unknown sites and Ads

This is the last common sign on our list for telling whether your WordPress site has been hacked. What happens here is that whenever people visit your site, it redirects to an unknown and weird site or to an ad page. That totally sucks! There are, however, times when your site may redirect to an unknown site even though it hasn’t been hacked. When this happens, reach out to your hosting company so they can help you sort it out.
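Sign 4 above says to check your server logs for IPs making too many requests. The following is an added example, not code from the original post, that flags clients by peak requests per minute and by POSTs to the login form; the "combined" log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the start of an Apache/Nginx "combined" access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
)

def make_line(ip, hhmm, method, path):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Mar/2018:{hhmm}:07 +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "sample-agent"')

# Constructed sample log using documentation-only IP ranges.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", "10:00", "POST", "/wp-login.php")] * 6
    + [make_line("198.51.100.23", "10:01", "GET", "/")] * 8
    + [make_line("192.0.2.10", "10:00", "GET", "/about/")] * 3
    + [make_line("192.0.2.10", "10:05", "GET", "/blog/")] * 3
    + [make_line("192.0.2.10", "10:06", "POST", "/wp-login.php")]
    + ["truncated or malformed line"]
)

def triage(log_text, max_per_minute=5, max_login_posts=3):
    """Return {ip: [reasons]} for clients above either (assumed) threshold."""
    per_minute = Counter()   # (ip, minute) -> request count
    login_posts = Counter()  # ip -> POSTs to the WordPress login form
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m["ip"]
        per_minute[(ip, m["ts"][:17])] += 1  # "12/Mar/2018:10:00" is 17 chars
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == "/wp-login.php":
            login_posts[ip] += 1
    peak = Counter()
    for (ip, _minute), count in per_minute.items():
        peak[ip] = max(peak[ip], count)
    flagged = {}
    for ip, count in peak.items():
        reasons = []
        if count > max_per_minute:
            reasons.append(f"{count} requests in one minute")
        if login_posts[ip] > max_login_posts:
            reasons.append(f"{login_posts[ip]} login POSTs")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(reasons))
```

The third sample client makes seven requests in total but never more than three in one minute, so it is not flagged; counting per minute keeps ordinary visitors out of the block list.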

8 Easy Steps to Protect Your WordPress Site from Being Hacked

Getting to know your WordPress site has been hacked can be really scary. In this section, we cover ways to protect your WordPress site from being hacked.

The following tips are some of the best practices we recommend you use in protecting your WordPress site.

1. Never use Admin or admin as your WordPress login username

One of the default user IDs that comes with WordPress is Admin. This makes it easier for hackers to start guessing right away, even without using automated scanning tools. We recommend that users log in with an email ID instead of a username. It is a more secure approach, as usernames are easy to predict while email IDs are not.

2. Enable two-factor authentication (2FA)

If your password is compromised, the attacker would still need the verification code from your phone.

3. Limit login attempts.

Brute-force attacks generally target login forms. Limiting login attempts will address this vulnerability. You can use security plugins like the iThemes Security plugin to specify a certain number of failed login attempts, after which the plugin bans the attacker’s IP address.


4. Update WordPress and Plugins every time a new release is available

This is pure logic. WP core developers and collaborators are already doing a great job for all of us, working day and night to patch any security hole that might emerge. It would be such a pity to waste their effort. It would also be expensive to pay the price for it (and there are always additional fees when a website is breached). Furthermore, it would be a catastrophe to have your IP address blacklisted because your website became a phishing lair and sent spam to zillions of people.

5. Install Security Plugins

The plugin feature of WordPress websites allows for an expanding amount of customization. There are plugins for almost any feature someone might think of. But one plugin type you really should have is one for security. Using a security plugin is a smart step to prevent threats from becoming a breach. Security plugins can aid security by scanning for malware, password attacks and malicious code, and they may include a firewall to block unwanted guests. There are many options available, but I’d recommend Wordfence and Sucuri.


6. Back up your website regularly

No matter how well secured your website is, a backup is a must for any valuable business information. We can never know what disaster the world may bring, or how a simple backup could save your whole business. Use an automatic backup solution like BackupBuddy, VaultPress, BlogVault, UpdraftPlus, etc. to ensure scheduled backups, so you are always prepared for any bad situation.

7. Scan for malware and anything suspicious

An automatic scan of your entire site for malware should be done regularly, not just when something goes wrong. You shouldn’t be forced to scan your site for malware each time you are suspicious of its presence.

A couple of applications you could use for this include the WordPress Security Scan from HackerTarget or WPScan. Both are available online.

If you are comfortable with the Linux terminal, you can perform your scans there.

8. Enable SSL (Secure Sockets Layer)

An SSL certificate is something every website owner should have in 2018. Enabling SSL simply means moving your site from HTTP to HTTPS, sometimes with a padlock shown on it. SSL (Secure Sockets Layer) secures your browser’s communication with servers by encryption, so no third party can understand it, even if they are intercepting the conversation. Basically, it’s like inventing a secret language that will never again be used after this conversation is over.
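Step 7 above mentions running your own scans from the terminal. The following is an added example, not code from the original post or from any of the scanners it names, of a small script that walks a WordPress directory and reports PHP files inside the uploads folder and PHP files that evaluate decoded data; the patterns are heuristics chosen for this example, and the sample tree is constructed.

```python
import os
import re

# Heuristic patterns: assumptions chosen for this example, not a full signature set.
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
}
PHP_EXTENSIONS = (".php", ".phtml")

def scan(wp_root):
    """Return sorted (relative_path, finding) pairs for PHP files under wp_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            # The uploads folder should hold media only, so any PHP there is suspect.
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php-in-uploads"))
            with open(path, "rb") as fh:
                data = fh.read()
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(data):
                    findings.append((rel, label))
    return sorted(findings)

def build_sample(root):
    """Create a small constructed WordPress-like tree with one planted file."""
    files = {
        "wp-includes/version.php": b"<?php $wp_version = 'sample';",
        "wp-content/themes/demo/functions.php": b"<?php add_action('init', 'demo_init');",
        "wp-content/uploads/2018/03/photo.jpg": b"\xff\xd8\xff\xe0 not a real image",
        # Inert placeholder: the encoded string decodes to "..."
        "wp-content/uploads/2018/03/image.php": b'<?php eval(base64_decode("Li4u"));',
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in scan(tmp):
            print(f"{finding:22} {rel}")
```

A hit is a reason to inspect the file, not proof of compromise, and a clean result does not prove the site is clean.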

What Can You Do If You Suspect Your WordPress Site Was Hacked?


If you suspect that the WordPress site you run has been hacked, here are a few things to do before giving up.

1. Stay calm and don’t panic

Panicking only makes things worse, as you’re bound to make irrational decisions. At this point, as a website owner, you’re likely experiencing an undue amount of stress. It’s often the most vulnerable you have found yourself since being online, and it’s contrary to what everyone told you: “Hey, WordPress is Easy!!” The good news is that all is not lost! Yes, you might lose some money. Yes, you might take a hit against your brand. But yes, you will recover from this.

2. Note down everything you noticed

Write down in detail everything that occurred, from the time to the signs.


3. Contact your hosting provider

Report the issue to your hosting provider so they can work with you to restore your site. Sometimes the hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm whether a hack is an actual hack or, for example, a loss of service.

4. Use the last backup of your website

It’s assumed here that you have made a backup at some point. Maybe not recently, but a backup from at least a month before the hack happened is quite manageable. Backups are a critical piece of your continuation of operations and should be something you actively plan for moving forward. You should also ask your host what their policy is as it pertains to backups. If you do have a backup, you should be able to perform a restore and skip right into the forensics work.

Found this post helpful? What are you waiting for? Hit the like or share button. Also, leave a comment if you have suggestions that we might have missed.

