6 Essential Steps To Keep WordPress From Getting Hacked

4 minute read

These 6 steps will prevent 99% of hacking attempts on your WordPress website, and most of them only require a click or two, and aren’t very technical.

Of course, we all want to keep our website secure and not get hacked. It’s not fun when a hacker takes control of your website… But we also have a life and might not understand all the technical jargon. So let’s skip the fluff and get your website secure.

1. Don’t Use Easy-to-Guess Usernames and Passwords

The easiest way for a hacker to take control of your website is to guess your username and password. This may account for 8% of hacked WordPress websites. So do you have a good username and password?

Is your username “admin”? 😭. That’s super easy for hackers to guess. Change your username.

You can’t just rename your “admin” user’s name because WordPress doesn’t allow you to change the user’s login. You need to create a second admin, then delete the old “admin” user. This video shows how.

And what password do you use? Does it look like “password”, “12345”, or one of the other top 1000 most-commonly-used passwords? Yes? 😡. Hackers make programs that automatically try all those when hacking into your website. That’s called a “brute force” attack. Change your password.

If you have an obvious password, here’s how to change it.

2. Make Regular Website Backups

Do you have a backup of your website? (The database and files?)

Before doing the next changes, you need to make a database backup. It’s possible things might break. If so, you need a backup to restore to.

Also, if you get hacked, you’ll probably need to restore to a backup from before you got hacked. If you have no backups, you’ll need to recreate your website from scratch. Have fun. 😈

If your hosting company doesn’t provide automatic backups, you can try the UpDraft Plus plugin (or search for others). It’s pretty easy to set up and the basic version is free.

3. Keep WordPress, Plugins and Themes Up-to-Date

Periodically, security problems are discovered in all software. That’s the main reason there are frequent updates to Windows, Mac OSX, and WordPress. If you don’t keep WordPress, its plugins, and themes up-to-date, you may be using an older version with publicly-known security issues. Not doing this may account for over 50% of hacks to WordPress.

But realize it’s possible that when you update, things will break. That’s why you made a backup earlier!

Simple video showing how to update plugins. Updating themes is basically the same.

WordPress should actually get security updates automatically. Every few weeks you should get an update saying “You have successfully updated to…”. If not, ask your host or developer if you’re getting automatic updates.

4. Install a Security Plugin

Here are a few ways security plugins can help keep your WordPress website secure:

  • limit login attempts. This prevents a hacker from trying a “brute force” login attack mentioned earlier
  • prevent suspicious requests using a firewall. Most hackers set up programs to automatically try to hack your websites. Well, security plugins can likewise detect when they’re doing that and prevent them.
  • scan for suspicious changes to files. If your website gets hacked, usually the hacker’s program will change WordPress to suit their needs. Security plugins can detect when this has happened and alert you.

Wordfence and Sucuri are the two most popular security plugins. I prefer Wordfence mostly because I met the owner once at a WordCamp and he bought dinner for a bunch of us 😋… And I use it and found it pretty slick.

5. Use HTTPS instead of HTTP

Does your website URL start with http:// or https://?

Eg, http://mysite.com or https://mysite.com?

That little “s” stands for “secure”. Meaning that when someone visits your website, the data sent between the user’s browser and your server (eg a password when logging in, or personal information stored on the server) is transmitted securely so no one else can see it.  If you’re just using http:// it can be intercepted and read by others. (If you’d like an explanation so simple a child can understand it, I wrote and illustrated a children’s story explaining how that all works!)

In order to have your website work on https://, you need to get an “SSL certificate”. Most hosting companies can install it for you for around $40 a year, but some will give it to you one for free.

For example, here’s a short video showing how to enable HTTPS on your website (ie, get and install an SSL certificate).

6. Upgrade PHP

WordPress isn’t the only software you need to keep up-to-date. You should also update PHP.

Currently, WordPress can work with PHP version 5.2 or higher. But older versions of PHP have security issues, and the only way to fix them is to upgrade PHP to at least version 7.0. Version 7.2 would be better, if possible.

Many hosts allow you to simply flip a switch to upgrade PHP. So it’s easy. The only trick is that some of your plugins or themes might not be compatible with newer versions of PHP…

If you upgrade and find something is broken, your host should make it equally easy to revert to the old version of PHP you were using, which will resolve the errors.

For example, here is how to update PHP on Bluehost.

That’s It

If you’ve done these 6 steps, your WordPress website is really pretty secure. This is all the things I’ve done on my sites.

If you want to spend more time securing your site, read these (ordered from least technical to more technical):


6 thoughts on “6 Essential Steps To Keep WordPress From Getting Hacked

  1. FYI episode 26 of Think Like a Hacker mentions out-of-date WordPress, plugins, and themes, and easy-to-guess passwords, as being the biggest security problems. Ryan also mentions that if you have a security plugin active, they will usually make it very difficult to automatically detect vulnerabilities.
    I find it interesting that PHP version never comes up in reasons for why WordPress sites get hacked. People wanting to justify the necessity to upgrade PHP always cite security as the reason, but they seem to always base it theory, not experience. I think upgrading PHP helps efficiency, and is nice for developer happiness (especially when integrating with other newer software), but I have yet to be convinced that it **actually** helps with security.

Leave a Reply