How to Protect WordPress from Hackers

How to Protect WordPress from Hackers

Unfortunately, there's nothing you can to do stop the most determined hackers. But you should try to make sure that you're not an easy target. Unless somebody is specifically targeting you, most hackers will look for easy targets. If you make their job more complicated, there is a good chance that they will give up and move on to the next website.

Default Settings

When installing WordPress, make sure that you don't use the default username and password. Hackers will always look for websites which have the default settings as these websites are the easiest to hack. Create a unique username and password which contains numbers, letters, and special characters.

Also, change the default database tables prefix. The default is "_wp" and is easily exploited by hackers. Knowing the table prefix makes SQL Injection attacks much easier. Choose another prefix, but not the domain name.


Update WordPress and plugins as soon as possible. Updates often contain security fixes which repair known flaws. Hackers can use these flaws to gain access to your website. Don't use nulled versions of themes and plugins as these often can't be updated and sometimes contain malware.

Secure Hosting

Use an SSL certificate to enhance the security of your website. SSL certificates will encrypt data transferred to and from your website and will prevent hackers from intercepting this data. Such certificate has been installed on MoozThemes website, as well as on our Gadget blog here for example.

Delete Unused Plugins

Unused or unsupported plugins can pose a security risk. If you're not using a plugin or the developer stops supporting it, you should remove it. Hackers can find a hole in old plugins and gain access to your website. Plus, keeping unnecessary plugins that are not actually used, will only slow down your website.

Use Security Plugins

There are many plugins dedicated to enhancing the security of your WordPress website. Popular plugins include BulletProof Security, WordFence, Securi, and iThemes. These plugins have many options which will also add another layer of protection to your website.

Use Trusted Plugins

Don't assume that every plugin listed on the WordPress directory is safe. Read reviews and comments from other users and research each plugin before you install and activate them.


Ensure that passwords are not easy to guess and are changed regularly. Moreover, don't use a password that you use for something else. For example, if your Facebook account is compromised and you use the same login information for your website, there's a good possibility that your website will also be compromised. Use a free tool such as LastPass to generate unique passwords and keep track of logins.

Two-Step Authentication

You can also add another layer of security to your login page by utilizing two-step authentication. This will add a requirement to the login page where you must type an authentication code that is sent to an email address or a phone number. This will secure your website from brute force attacks.

Login Page URL

Hackers will use automated tools to scan websites and look for default URLs. Change "wp-admin" and "wp-login" URLs to something else. Many of the popular security plugins offer this functionality. It is possible to change the login page URL without a plugin, but this method is only for advanced users.


A backup is the last resort in your defense against hackers. If your website has been compromised, then you can at least restore it from a backup and get it back online.

Hackers use automated tools to search for easy targets and there are many things you can do to increase the security on your website and reduce the chances of being hacked. As WordPress has become the most popular content management system in the world, it has also become a big target for hackers.

WordPress has become such a huge target for hackers, that there are free tools available that are designed to circumvent WordPress security and gain access to your website. They are easy to use and even a novice hacker can easily gain access to an unsecured WordPress website.

Disclosure: This post contains external affiliate links, which means I receive commission if you make a purchase using this link. The opinions on this page are my own and I don't receive additional bonus for positive reviews.

Albert Author

The author is Albert, a tech guy from EcigsUK. His passion is not only to manage a JV project of his but every now and then writes something about WordPress with an aim to help others make their websites less vulnerable from potential exploiters. If he ever gets some spare time, you’ll find him on his tiny fishing boat.


I Agree
We use cookies to enhance and personalise your experience with us by collecting information about the pages you visit and actions taken on the site. More details