14 Security Hacks To Lock Down Your WordPress Website

We only partner with brands that we know and trust, and if you use our links to buy a product we may make a commission at no extra cost to you. Thank you for supporting HHT!

So, you're curious about this whole security business and you're worried about your WordPress website getting hacked?

Well, you're in the right place.

Hackers love WordPress.

The main reason is pretty simple: WordPress runs a huge share of the web, and its plugin and theme ecosystem means there is always a supply of publicly documented vulnerabilities in outdated components that attackers can scan for and exploit at scale.

But, worse than that, attackers count on WordPress users not paying attention to security and leaving certain settings or configurations overlooked.

But, you won't be one of those people. Not on my watch.

Let's look at 14 ways to secure your WordPress website and keep it safe from hackers.

1. Upgrade Insecure Hosting

Another reason (besides fast page-load speeds) to invest in proper, high-quality hosting: security features.

With low-end shared hosting, accounts are often poorly isolated from one another, so a compromised neighbouring site or a loose file permission can expose your files.

On top of that, cheap hosting providers won't give you any additional security benefits that more comprehensive packages do.


An example of a hosting provider's security dashboard that offers extensive protection features

Things like web application firewalls (WAFs), hotlinking protection, automatic SSL/TLS certificate issuance and renewal, and more are typically bundled with good hosts.

If you choose to invest time and energy in one thing (before looking at any other security solutions), it should be hosting.

In the long run, this will provide you with the most peace of mind for your site's security, and is the one thing that simply can't be replaced with cheaper options.

Pro Tip
Check out my in-depth hosting guide, or visit my top pick.

2. Change Your Weak Passwords

This isn't just important for WordPress security, but also for general online security: passwords really matter.

Things like password1234 just don't cut it anymore, so it's best to create unique, long, and complex passwords for each of your accounts, especially your WordPress admin.

If juggling lots of complex passwords sounds overwhelming, I totally understand.

In that case, I'd highly recommend looking into a password manager.

These nifty tools can help you generate and store passwords, as well as your credit card info (in a secured digital wallet).

When you need to fill out forms, checkout pages, or login details, your password manager will find the right info and auto-complete the fields.

3. Regularly Update Plugins And Themes

Outdated plugins are one of the most common ways WordPress sites get compromised: once a vulnerability in a plugin is published, attackers scan for sites still running the old version. A plugin whose developer has stopped updating it is worse still, because there is no patch to apply at all; replace it rather than keep it.

It's always a good idea to perform routine maintenance on your plugins and make sure they're all up to date.

I like to do this by enabling automatic updates whenever I can.

All you need to do is navigate into your plugins page by going to Plugins > Installed Plugins.

There, for each plugin entry, you'll see the option to Enable auto-updates, as seen below:


Note: you can enable auto-updates for multiple plugins through bulk actions

I recommend enabling automatic updates for each of your plugins except for ones that handle a lot of functionality on your site, such as Elementor (seen in the above picture).

For page builders and other heavy-lifter plugins, those updates should be performed manually as they can lead to your site breaking.

Themes should also be updated regularly, and just like plugins, they support automatic updates.

Navigate to your themes page by going to Appearance > Themes, and then select your site's active theme. Mine looks like this:

  • Save

Click the button that says Enable auto-updates and you'll be good to go!
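As an added example (not code from the original post or from any plugin), here is a small must-use plugin that encodes the rule above in code: auto-update everything except a list of heavy-lifter plugins you update by hand after testing on staging. The plugin file paths in the list are assumptions; take the real ones from the Plugins page of your own site. Save it as wp-content/mu-plugins/auto-update-policy.php:

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Added example, not code from the original post or from any plugin: a must-use
 * plugin that turns on automatic updates for every plugin and theme except a
 * short list of "heavy-lifter" plugins you prefer to update by hand.
 * The plugin paths in hht_manual_update_plugins() are assumptions; replace them
 * with the ones from your own Plugins page.
 */

// Plugins that must stay on manual updates, identified by their plugin file
// path ("folder/main-file.php"), which is what WordPress puts in $item->plugin.
function hht_manual_update_plugins(): array {
    return [
        'elementor/elementor.php',
        'elementor-pro/elementor-pro.php',
    ];
}

// Decide whether one plugin may auto-update. $update is WordPress's own decision
// (it reflects the per-plugin toggle on the Plugins page); $item describes the
// pending update. Returning true or false from this filter overrides the toggle.
function hht_auto_update_plugin_policy($update, $item): bool {
    if (isset($item->plugin) && in_array($item->plugin, hht_manual_update_plugins(), true)) {
        return false;
    }
    return true;
}

// Themes: auto-update all of them.
function hht_auto_update_theme_policy($update, $item): bool {
    return true;
}

if (function_exists('add_filter')) {
    add_filter('auto_update_plugin', 'hht_auto_update_plugin_policy', 10, 2);
    add_filter('auto_update_theme', 'hht_auto_update_theme_policy', 10, 2);
} else {
    // Run from the command line (php auto-update-policy.php) to check the policy
    // against two constructed update items.
    $routine = (object) ['plugin' => 'akismet/akismet.php'];
    $heavy   = (object) ['plugin' => 'elementor/elementor.php'];
    printf("%s: %s\n", $routine->plugin, hht_auto_update_plugin_policy(null, $routine) ? 'auto' : 'manual');
    printf("%s: %s\n", $heavy->plugin, hht_auto_update_plugin_policy(null, $heavy) ? 'auto' : 'manual');
}
```

Because these filters run after WordPress has read the per-plugin toggle, they override whatever is ticked in the dashboard, so the policy lives in one file you can keep under version control instead of in a dozen checkboxes. Core updates are controlled separately by the WP_AUTO_UPDATE_CORE constant in wp-config.php.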

4. Enable Hotlinking Protection

Hotlinking is when another website embeds your images or other media by linking directly to the files on your server, so your server delivers them every time that page loads – hence the term hotlinking.

Not only can this be copyright infringement (if you create your own artwork or images), but it also piggybacks on your site's bandwidth, causing slowdowns and general performance decreases.

Let's fix this with some code.

If you know your way around WordPress config, this should be a relatively quick-n-easy fix. Otherwise, I'd recommend scrolling down to Option Two for a less technical version!

For the techie folks out there, open the .htaccess file in your site's root folder and add the following code:

RewriteEngine On
# Let requests with no Referer through (direct visits, RSS readers and browsers
# with a strict referrer policy send none), then refuse image requests referred
# from any domain other than your own.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
RewriteRule \.(jpe?g|jpe|gif|png|mng|webp)$ - [F,NC]

Quick note: be sure to replace example.com with your actual domain name (keep the backslash before the dot, it is part of the pattern).

I'd recommend installing this change on a staging site first, just as a testing precaution. In general, I find this good practice when messing around with config files.

If everything works fine on your site after testing, the above code should prevent images or media from your website from loading on other domains. Keep in mind that it relies on the Referer header, which a determined scraper can simply omit or forge, so treat it as a bandwidth-abuse control rather than a security boundary.

Option Two – Using A CDN

If you're not super keen on coding, you could sign up for a CDN provider that includes hotlinking prevention as an option.

My go-to CDN and site-security recommendation is Cloudflare.

Here's what it looks like to set up Hotlink protection with Cloudflare:


One setting, and you're good to go!

If you're interested in learning more about the benefits of Cloudflare, and how to set it up for WordPress, check out my quick-start guide:

You'll learn how to set up everything from page caching to firewalls, all using Cloudflare's free plan.

5. Don't Use Admin As A Username

This one's pretty self-explanatory, but needs to be said all the same.

Use a unique username instead of the default admin. Be aware, though, that WordPress still reveals login names through author archive URLs and the REST API's users endpoint, so this is only a small speed bump for automated brute-force tools; the strong passwords and 2FA covered in this article are what actually stop them.

To change this in your WordPress Dashboard, you'll need to create a new administrator, and attribute all the posts and pages from your old profile to the new one.

Navigate to Users > Add New, and fill in the info for your new Profile:


Next, log in as the new administrator, go to Users > All Users, and delete the old account (the one with the username admin). WordPress will ask what to do with its content – choose "Attribute all content to" and select the new user:

Attribute all content to new user

Image from WP Beginner

Once you transfer ownership of all your old posts, your new admin will be ready to go!

6. Install An SSL Certificate

An SSL certificate is an absolute must, not just for bloggers, but for everyone on WordPress.

Without it, your users will usually see a Not Secure warning in their browser, or a missing lock icon (for Safari users), and anything they type, including your own login password, crosses the network in plain text.

Plus, if you ever plan to sell products on your website, payment providers such as Stripe (and store plugins like WooCommerce that integrate them) require HTTPS before they will process live payments.

It's essential, but also easy to set up, thanks to plugins like Really Simple SSL.

The certificate itself normally comes from your host (most issue free Let's Encrypt certificates from the control panel, and Really Simple SSL can also request one for you); the plugin's job is to redirect every request to HTTPS and rewrite leftover http:// URLs in your content so pages don't show mixed-content warnings.

To get it all set up, first, install Really Simple SSL:

Once it's installed, all you need to do is follow the installation wizard, which will guide you through all the steps.

Simple! As advertised.

7. Keep WordPress And PHP Up To Date

Just like we saw with plugins and themes, it's important to update your WordPress and PHP versions as well.

For updating your WordPress version, first navigate to Dashboard > Updates:


Here you can see all your necessary updates at a glance.

PHP version updates are a bit more tricky, since the PHP version is usually controlled by your hosting provider. Each PHP release only receives security fixes for a limited time, so a site stuck on an end-of-life version is running an interpreter with unpatched bugs. Before switching, test the new version on a staging copy, because old plugins and themes can break on newer PHP.

If you use a host that offers cPanel, you need to select the app called MultiPHP Manager from your dashboard, and then it should look like this:

MultiPHP Manager Select Domain

Image from Host Gator

From there you can select which sites you want to upgrade, and to which PHP version they should be upgraded.

For managed hosting solutions without cPanel, it's best to just get in touch with hosting support, as they can do any necessary PHP upgrades for you.

8. Secure Your WP-Admin Folder

Your wp-admin folder is the WordPress dashboard itself, and it is one of the first places an attacker probes. Putting an extra HTTP password prompt in front of it means that a stolen or guessed WordPress password alone is no longer enough to reach the admin area.

Luckily, this can be fixed in several ways.

If you have access to cPanel from your hosting provider, all you need to do is navigate to the Security section and click on Directory Privacy:

Password Protect Directory in cPanel

Image from Interserver Tips

From there, you'll be able to set a password for any folder on your site.

Option 2 – Without cPanel

A quick heads up – this solution is fairly technical, so if that makes you nervous, I'd recommend just skipping this step altogether.

Don't worry! It won't make a huge difference as long as you've implemented the other security recommendations in this article.

If you don't have access to cPanel, you can set up the same protection by hand: the cPanel tool does nothing more than write an .htaccess file and a password file for you.

An .htpasswd file holds username and password-hash pairs. The .htaccess file placed in the folder you want to protect tells Apache to require one of those logins before serving anything from it, as we'll see below.

First, you need the password file. Don't use an online generator for this, since it would see your real password; generate the file locally with Apache's htpasswd tool (htpasswd -B -c passwd yourusername). Put the resulting file aside for now (we'll use it in just a minute).

Next, we need to decide where that password file will live.

A good path would be /home/user/.htpasswds/public_html/wp-admin/passwd, or something similar. The exact layout doesn't matter to Apache; what matters is that the file sits outside public_html, so it can never be downloaded through the web server.

Once this is all set, create an .htaccess file in your /wp-admin/ folder with the following code (Apache 2.4 syntax):

AuthType Basic
AuthName "Must Be An Admin To Access"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
Require user insertyourusername

# admin-ajax.php is called by many themes and plugins on behalf of logged-out
# visitors; leave it reachable without the extra password or those features break.
<Files admin-ajax.php>
    Require all granted
</Files>

Dont forget: under AuthUserFile you'd need to insert the file structure you choose in the previous step, instead of yourdirectory as it appears in the code.

This also applies to the username – replace insertyourusername with the username you want.

The last step is to make sure the username and password hash you generated earlier are in that file.

Each line of the password file looks like:

yourusername:$2y$12$...

The part after the colon is a hash of the password (bcrypt here; htpasswd's default MD5 format starts with $apr1$), never the password itself, so the file is useless to anyone who cannot crack it.

That goes into the passwd file at the path you gave as AuthUserFile in the .htaccess file above.

Now, your wp-admin directory will be password protected, and whenever anyone tries to access it, they will have to enter the credentials you specified in the code above. Two caveats: HTTP Basic authentication sends the password with every request, so only use it once the site is on HTTPS (step 6), and test any front-end features that post to admin-ajax.php after enabling it.
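If you'd rather not install Apache's htpasswd tool, here is an added example (not code from the original post) that produces the same kind of line locally in PHP, so the password never leaves your machine. It assumes Apache 2.4 with APR 1.5 or newer, which accept bcrypt hashes; the username and password on the command line are placeholders.

```php
<?php
/**
 * Added example, not code from the original post: build the line for the
 * wp-admin password file on your own machine instead of pasting the password
 * into a web-based generator. Apache 2.4 (APR 1.5 or newer) verifies the bcrypt
 * "$2y$" hashes produced here; on an older server use Apache's htpasswd tool
 * with its MD5 format instead. Usage:
 *   php make-htpasswd.php insertyourusername 'a long passphrase' >> passwd
 */

// One "user:hash" line in the format Apache's AuthUserFile expects.
function hht_htpasswd_line(string $user, string $password): string {
    if ($user === '' || strpos($user, ':') !== false) {
        throw new InvalidArgumentException('username must be non-empty and must not contain ":"');
    }
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('use at least 12 characters; this prompt faces the whole internet');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    return $user . ':' . $hash;
}

// Check a password against an existing line, e.g. before rotating it.
function hht_htpasswd_verify(string $line, string $user, string $password): bool {
    $parts = explode(':', trim($line), 2);
    if (count($parts) !== 2) {
        return false;
    }
    return hash_equals($parts[0], $user) && password_verify($password, $parts[1]);
}

if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $user = $argv[1] ?? 'insertyourusername';
    // No password on the command line? Generate a random one and show it once.
    $pass = $argv[2] ?? bin2hex(random_bytes(12));
    $line = hht_htpasswd_line($user, $pass);
    if (!isset($argv[2])) {
        fwrite(STDERR, "generated password: $pass\n");
    }
    echo $line, PHP_EOL;
}
```

The generated password goes into your password manager (step 2); the printed line is the only thing that belongs in the passwd file.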

9. Delete Any Deactivated Plugins

Deactivated plugins are a security risk because their files stay on the server and remain reachable over the web, so a vulnerability that can be triggered by requesting a plugin file directly is still exploitable even though WordPress never loads the plugin.

On top of that, deactivated plugins tend to be forgotten and left unpatched, so known vulnerabilities that a routine update would have fixed linger on.

The tl;dr is this: if you're not using a plugin at this exact moment, it's best to just delete it until you actually need it.

It's not worth the security risk!

10. Disable File Editing

The built-in file editor lets Administrators change theme and plugin PHP files from the dashboard. That is not a vulnerability in itself, but it means anyone who gets hold of an admin session (a phished password, a stolen cookie) can write arbitrary PHP to your server from a browser, turning an account compromise into full code execution.


Editing theme files in the WordPress backend

Under Appearance > Theme File Editor (called Theme Editor in older versions; there is a matching Plugins > Plugin File Editor), if you're logged in as an Admin you can make changes to any of your theme's or plugins' files.

This is a big no-no, since you should ideally only edit your files over SFTP from a machine you control.

You can easily disable this by adding the following snippet of code to your wp-config.php file, above the line that says "That's all, stop editing!":

// Removes file editing permissions
define('DISALLOW_FILE_EDIT', true);

Alternatively, if you don't want (or know how) to access your wp-config.php file, you can add a site-wide Code Snippet to your website using the Code Snippets plugin.

In general, this is a great way to add code to your website if you're less techie-inclined.

The folks over at WP Beginner have a great tutorial on how to use the code snippets plugin – you can check it out here.

11. Set Up 2FA For Your Login Page

Login pages are a great place to enforce a bit of extra security for your website.

Apart from changing the URL for your login page, setting up 2-factor authentication (2FA) can dramatically decrease your risk from brute force login attacks.

For 2FA, the best way to set this up is with a plugin.

Navigate to Plugins > Add New, and type in “2FA” :


Once you install 2FAS Light, you'll need to download the 2FAS Auth app on your phone.

This is what will generate the login codes every time you try to access your WordPress dashboard.

Next, follow the install wizard:

Configuring the two-factor authentication in the 2FAS Light plugin

Once it's all set up, you'll see a green shield at the bottom of your WordPress login page, like so:


Now, your 2FA is enabled and every time you try to access your login page it will prompt you to enter a unique 6-digit code (this is what you'll grab from your 2FAS app):

2FA WordPress Plugin FAQ (2FAS) - Logging In

The great thing is, you can ask 2FAS to remember browsers and devices if you tend to login from the same computer or phone over and over.
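To show what that 6-digit code actually is, here is an added example (not from the original post, and not the 2FAS plugin's code): a minimal TOTP check written as a WordPress must-use plugin, using the same RFC 6238 algorithm the authenticator app runs. The user-meta key hht_totp_secret, the form field hht_totp, and the absence of enrolment and recovery-code screens are simplifications for the example; keep using a maintained plugin on a real site. Run from the command line, it checks itself against the RFC's published test vector.

```php
<?php
/**
 * Plugin Name: Minimal TOTP check (added example)
 *
 * Added example, not code from the original post and not the 2FAS plugin's
 * code: an RFC 6238 time-based one-time password check as a WordPress
 * must-use plugin, to show what the 6-digit code on the login page is and how
 * the server verifies it. The user-meta key 'hht_totp_secret' (a base32
 * secret as shown by authenticator apps) and the login field 'hht_totp' are
 * assumptions for this example. It has no enrolment screen, no recovery codes
 * and stores the secret unencrypted, so treat it as a teaching aid, not a
 * replacement for a maintained 2FA plugin.
 */

// Decode an RFC 4648 base32 string (the secret format authenticator apps use).
function hht_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        return '';
    }
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" to a 31-bit integer, reduced to the wanted digits.
function hht_hotp(string $key, int $counter, int $digits = 6): string {
    $hmac   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): HOTP with counter = floor(unix time / 30 s). Accept one step
// of clock drift either side and compare in constant time.
function hht_totp_verify(string $secret_b32, string $code, int $now, int $window = 1): bool {
    $key = hht_base32_decode($secret_b32);
    if ($key === '' || !preg_match('/^\d{6}$/', $code)) {
        return false;
    }
    $step = intdiv($now, 30);
    $ok   = false;
    for ($i = -$window; $i <= $window; $i++) {
        // No early return: keep timing independent of which step matched.
        $ok = hash_equals(hht_hotp($key, $step + $i), $code) || $ok;
    }
    return $ok;
}

if (function_exists('add_filter')) {
    // Add the code field to the login form.
    add_action('login_form', function () {
        echo '<p><label>Authenticator code<br>'
           . '<input type="text" name="hht_totp" autocomplete="one-time-code" inputmode="numeric" size="6"></label></p>';
    });
    // Runs after the username is resolved but before the password is checked;
    // returning a WP_Error rejects the login.
    add_filter('wp_authenticate_user', function ($user, $password) {
        if (is_wp_error($user)) {
            return $user;
        }
        $secret = (string) get_user_meta($user->ID, 'hht_totp_secret', true);
        if ($secret === '') {
            return $user;   // this user has not enrolled
        }
        $code = isset($_POST['hht_totp']) ? (string) $_POST['hht_totp'] : '';
        if (!hht_totp_verify($secret, $code, time())) {
            return new WP_Error('hht_totp_invalid', 'Invalid authenticator code.');
        }
        return $user;
    }, 10, 2);
} else {
    // CLI self-check with the RFC 6238 test vector: the secret "12345678901234567890"
    // (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at Unix time 59 must give 287082.
    $ok = hht_totp_verify('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59, 0);
    echo $ok ? "TOTP self-check passed\n" : "TOTP self-check FAILED\n";
}
```

Two things worth noticing in the design: the comparison uses hash_equals and never returns early, so an attacker cannot learn anything from response timing, and the check sits on wp_authenticate_user, which both the username and the e-mail login paths go through. Application passwords used by the REST API skip that filter, which is one reason a real 2FA plugin has more moving parts than this.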

12. Change Your Default Login URL

Another login page security measure, this one mostly about cutting noise: bots hammer wp-login.php on every WordPress site they find, and a renamed login page makes those automated attempts fail outright. It is obscurity rather than protection, so pair it with the password, 2FA, and firewall steps.

By default, WordPress websites use wp-login.php as the main login page.

To keep large-scale login attacks away from your real login page (and just to make it generally more difficult for attackers), it's a good idea to change your login page's URL.

Here's how you do it.

First, install Change WP Admin Login:


Once this is done, navigate to Settings > Permalinks in your Dashboard, and you should see a new setting that allows you to redirect the login page to a new URL:


Don't forget to store your new login URL in a safe place so you don't forget!

If you go to wp-login.php after updating your settings, it'll give you a 404 error because that page won’t exist anymore.

If you change the path and then forget it, you can still get back in: the plugin keeps the new slug in the wp_options table, and renaming the plugin's folder over SFTP deactivates it and restores wp-login.php. Still, I'd recommend storing the URL in your password manager so you never have to.
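Renaming the login page does nothing about XML-RPC, which accepts the same username and password at /xmlrpc.php, and nothing against an attacker who has found the new URL. The following added example (not code from the original post or from the plugin above) is a must-use plugin that throttles failed logins per IP address and disables XML-RPC. The thresholds, the transient key prefix and the use of REMOTE_ADDR are assumptions; the last one must change if you sit behind Cloudflare, as the comment explains.

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 *
 * Added example, not code from the original post: a must-use plugin that does
 * the two things a renamed login URL cannot. It locks out a client IP after
 * repeated failed logins, and it switches off XML-RPC, whose authenticated
 * methods accept the same username and password at /xmlrpc.php no matter
 * where wp-login.php lives. The limits and the transient prefix 'hht_fails_'
 * are assumptions. Behind Cloudflare or any other proxy, REMOTE_ADDR is the
 * proxy, not the visitor: read the client IP from the header your proxy sets
 * (Cloudflare: CF-Connecting-IP) and only trust that header when the request
 * comes from the proxy's own addresses, otherwise an attacker can forge it
 * and dodge the lockout.
 */

const HHT_MAX_FAILS    = 5;     // failed attempts allowed ...
const HHT_LOCK_SECONDS = 900;   // ... within this many seconds; then locked until it expires

// Decision logic kept free of WordPress calls so it can be exercised on its own.
function hht_is_locked(int $fails, int $max = HHT_MAX_FAILS): bool {
    return $fails >= $max;
}

function hht_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

if (function_exists('add_filter')) {
    // 1. Refuse the login before WordPress checks the password. This filter runs
    //    once the username has been resolved to a user, for both username and
    //    e-mail logins; unknown usernames fail earlier and are still counted below.
    add_filter('wp_authenticate_user', function ($user, $password) {
        $fails = (int) get_transient('hht_fails_' . hht_client_ip());
        if (hht_is_locked($fails)) {
            return new WP_Error('hht_locked', 'Too many failed logins from your address. Try again later.');
        }
        return $user;
    }, 5, 2);

    // 2. Count every failure. Each failure restarts the expiry, and when the
    //    transient expires by itself the lockout ends.
    add_action('wp_login_failed', function ($username) {
        $key   = 'hht_fails_' . hht_client_ip();
        $fails = (int) get_transient($key) + 1;
        set_transient($key, $fails, HHT_LOCK_SECONDS);
    });

    // 3. A successful login clears the counter for that address.
    add_action('wp_login', function ($user_login, $user) {
        delete_transient('hht_fails_' . hht_client_ip());
    }, 10, 2);

    // 4. Disable XML-RPC's authenticated methods unless something you use
    //    (Jetpack, the mobile app) needs them.
    add_filter('xmlrpc_enabled', '__return_false');
} else {
    // Command-line walk-through of the lockout rule with constructed attempt counts.
    foreach ([1, 4, 5, 6] as $n) {
        printf("after %d failed logins: %s\n", $n, hht_is_locked($n) ? 'locked out' : 'still allowed');
    }
}
```

Per-IP throttling is a blunt tool: it slows a single attacker down but not a botnet spreading attempts across thousands of addresses, which is exactly the case where 2FA and a WAF earn their keep.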

13. Implement Firewalls (WAFs)

A web application firewall, or WAF for short, inspects each HTTP request before it reaches WordPress and blocks the ones that match known attack patterns: SQL injection and cross-site scripting payloads, exploit attempts against known plugin bugs, and abusive bots.

It's an essential service to have, especially if your website gets a decent amount of pageviews.

For most people, I'd recommend using Cloudflare's firewall services.

Cloudflare is a great option because its free plan already includes the firewall, it's easy to set up, and it is widely trusted. One caveat: Cloudflare only sees traffic that goes through it, so restrict your origin server to accept web traffic only from Cloudflare's published IP ranges; otherwise an attacker who finds your server's real address can bypass the WAF entirely.

If you're unsure of what Cloudflare is, or want to learn how to set it up for your website, I wrote a quick start guide to help you out – check it out here!

Otherwise, some hosts (like the one that runs this blog) offer WAF services built in.

14. Protect Against SQL Injection

WordPress stores its posts, users, settings and everything else in a MySQL (or MariaDB) database, and it talks to that database in SQL.

SQL injection is the practice of sneaking database query syntax into input fields (think search boxes, contact forms, newsletter sign-ups, URL parameters) so that the site's own query does something it shouldn't: reading other users' data, changing it, or deleting it.

It's not just a WordPress problem – SQL injection is a huge nuisance pretty much everywhere in the tech world.

For WordPress users, the real defences are the ones that don't depend on guessing what an attack looks like: WordPress core uses prepared queries, plugin and theme code should do the same through $wpdb->prepare(), and keeping plugins updated (step 3) closes the holes where some developer didn't. A firewall (step 13) adds a second layer in front of all of that.

If you want a little extra filtering in front of WordPress, the following .htaccess rules refuse requests whose query string contains patterns that only appear in attack traffic. Keep such rules narrow: blocking broad words like select, tag= or a trailing = will break normal WordPress URLs such as ?tag=news or ?s=, and no pattern list stops an attacker who encodes the payload differently or sends it in a POST body, which these rules never see.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Refuse request methods WordPress never uses (HEAD and DELETE are legitimate:
# the REST API uses DELETE).
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^ - [F,L]

# Reject query strings that only show up in attacks: directory traversal,
# inline <script> tags, PHP superglobal tampering, base64_encode() payloads
# and the classic UNION SELECT probe. QUERY_STRING is not URL-decoded here,
# so the encoded forms are matched explicitly.
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2F|\.\.%5C) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST|_SERVER)(=|\[|%5B) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode[^(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union(\s|%20|\+|/\*.*\*/)+(all(\s|%20|\+)+)?select [NC]
RewriteRule ^ - [F,L]
</IfModule>

These rules turn away the crudest automated probes before PHP even runs; they are not a substitute for parameterized queries in your code or for updating a vulnerable plugin. Test them on staging first, and if a legitimate URL starts returning 403, tighten the offending pattern rather than opening up the whole query string.
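What actually prevents SQL injection is how the query is built. As an added example (not code from the original post), here is the vulnerable way many plugins look up a record next to the prepared-statement version WordPress provides. The items table and its slug column are assumptions, and the small wpdb stand-in at the bottom exists only so the file runs from the command line without a database.

```php
<?php
/**
 * Added example, not code from the original post: the one change that actually
 * stops SQL injection in WordPress code, shown on a lookup of the kind many
 * plugins and themes write themselves. The table name "{$wpdb->prefix}items"
 * and its "slug" column are assumptions. A small stand-in for $wpdb is defined
 * when the file is run outside WordPress so the two queries can be compared
 * from the command line; inside WordPress the real global $wpdb is used and
 * the stand-in is skipped.
 */

// VULNERABLE: the user-supplied slug is interpolated straight into the SQL
// string, so a value containing a quote rewrites the WHERE clause.
function hht_item_query_vulnerable($wpdb, string $slug): string {
    return "SELECT * FROM {$wpdb->prefix}items WHERE slug = '$slug'";
}

// FIXED: $wpdb->prepare() binds the value. %s is escaped and quoted, %d is
// cast to an integer, so input can only ever be data, never SQL syntax.
function hht_item_query_prepared($wpdb, string $slug): string {
    return $wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE slug = %s", $slug);
}

// In a plugin you would run it as $wpdb->get_results(hht_item_query_prepared($wpdb, $slug)).

if (!class_exists('wpdb')) {
    // Stand-in covering only what the two functions above use. The real wpdb
    // escapes through the database driver; addslashes() is used here only so
    // the example runs without MySQL and is not a substitute for the real thing.
    class wpdb {
        public $prefix = 'wp_';
        public function prepare(string $query, ...$args): string {
            $query = str_replace(["'%s'", '"%s"'], '%s', $query);
            $bound = array_map(function ($a) {
                return is_int($a) ? $a : "'" . addslashes((string) $a) . "'";
            }, $args);
            return vsprintf($query, $bound);
        }
    }
}

if (!function_exists('add_filter')) {
    $wpdb = new wpdb();
    $slug = "x' OR '1'='1";   // constructed attacker input
    echo "vulnerable: ", hht_item_query_vulnerable($wpdb, $slug), PHP_EOL;
    echo "prepared:   ", hht_item_query_prepared($wpdb, $slug), PHP_EOL;
}
```

Run from the command line with that constructed input, the vulnerable function produces a WHERE clause of slug = 'x' OR '1'='1', which is true for every row in the table, while the prepared version escapes the quotes so the entire string is compared as one literal value and matches nothing. The same discipline applies to any value that reaches a query: IDs go through %d, strings through %s, and LIKE patterns through $wpdb->esc_like() before %s.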

The Bottom Line

Hackers love WordPress because of how popular it is, and also because most users forget (or don't want) to implement security measures.

If this sounds like you, just know: you're not alone!

To get started, it's best to ensure you have solid hosting, and have covered a few basics like changing your username from admin, redirecting your login page to a unique URL, and things of that nature.

Once those basics are set into motion, then you can dive a bit deeper into WordPress security and implement things like 2-factor authentication, SQL injection protection, web application firewalls, and more.

How is your WordPress security set-up going so far? If you have any questions or have run into problems, let me know in the comments! I respond within 24 hours 🙂
