Every website owner should prioritize security. It is truth universally acknowledged that an unprotected WordPress website will sooner or later be hacked. And hacker attack survivors sure know how agonizing it can be to restore an entire site and salvage the damage done to business.
That’s why it’s very important to make extensive efforts to protect your website, especially if it’s a WP site: Hacker attack reports always mention WordPress websites among favorite targets for hackers.
Why hackers target WordPress websites
The most obvious reason is the extreme popularity of WordPress. Hackers can use the same vulnerability to hack thousands of websites.
WordPress is an open source project, and every update log is available. Hackers can exploit the vulnerabilities of past versions that were fixed in the newest release.
Same goes for thousands of plugins and themes, some of which have millions of active installs and, often enough, significant security issues.
Yet another reason is that WordPress is a quick-setup and an easy-to-use CMS platform which makes it the preferable choice for non-tech-savvy users.
They often forget to secure their WordPress websites and start thinking about security only after the sites have been hacked.
How and why WordPress sites get hacked
Hackers don’t always target a particular site; many hack whichever websites happen to be around. Hackers don’t always care about the prominence of your site: being a newly launched blog won’t save your site.
Most of the attacks are made automatically. Hackers use bots to crawl and find known vulnerabilities, and the bots let them attack many sites at once.
Here are the main reasons why hackers hack:
1. Steal your data, credit card information, mailing list, etc.
2. Use your website resources to send out spam emails or perform DDoS attacks on other websites;
3. Redirect visitors from your website to other sites to get money from ads.
4. Install malware (adware, backdoors, keyloggers, ransomware, viruses, etc.) on your server and infect your visitors’ computers with them.
Given the recent bitcoin boom, hackers can also try to infect your website with cryptocurrency mining malware. This type of malware will likely become more popular in the future. Check out the most discussed mining malware case here.
How to protect your WordPress website
Security is a continuous process. No matter how much you reduce the risk of being hacked, it will always exist. Here are some tips, both basic and more advanced, on securing your WordPress website.
Follow as many tips as you can to minimize the chances of being hacked.
1. Don’t use “admin” as a username and choose a strong password.
When a script is trying to login to your admin panel by guessing your username/password, the first option for the username is “admin” because it’s the most popular one on WordPress.
By using “admin” as username, you reduce permutations needed to find your administrator credentials by half.
Hackers can skip to trying out different passwords as they already know your username. They’ll be thankful if you leave “admin” as your username, but you don’t want to do them a favor, do you?
If you use “admin” as administrator username, you should create a new user with complete administrator permissions and delete the “admin” user.
Also, please don’t use the website domain name or your name as administrator username, because hackers can just visit your blog and look up the authors.
After finding the username, a hacker’s script will attempt to guess your password. It will start with the most common and simple ones like “123456” or “password.” So, if you use such a password, a script will find it very fast.
That’s why it’s important to pick complicated and strong passwords.
You can use an online password generator to generate a secure one and store it in a safe place like
Change your password regularly. Same goes for your FTP/SFTP and MySQL database accounts.
2. Use two-factor authentication for login
Even if you have a unique username and a secure password, a strong brute force attack can still crack it. A brute force attack is when a hacker uses a script to guess your password by trying different (sometimes millions or more) combinations of username and password.
Using two-factor authentication on the login page is an excellent way of protecting your site from brute force attacks.
Two-factor authentication adds an extra layer of login security by requesting additional single-use security code, such as mobile-generated code, physical token, etc.
WordPress doesn’t have inbuilt settings for adding two-factor authentication, but you can add it to your login page by installing one of these plugins: Google Authenticator, Rublon Two-Factor Authentication, Two Factor Authentication.
3. Hide your login page
In case you don’t want to install a plugin, you can do it manually by following these instructions.
4. Limit login attempts
WordPress doesn’t limit login attempts by default which makes the login page an easy target for brute force attacks, as a hacker can try out any number of combinations to find out your username and password.
You can limit login attempts by using plugins like this one. It will block the IP address after several failed attempts.
This is a simple, yet very effective way to block hackers’ IPs.
5. Keep WordPress core, plugins, and themes up-to-date
The most common way to hack a website is by exploiting vulnerabilities in plugins, themes, and WordPress core.
Hackers find a vulnerability in a plugin or theme, scan the net to locate sites that use the compromised plugin/theme, and hack the website by exploiting that vulnerability. By using an old version of a plugin that has known security issues, you open your site to hackers.
That’s why it’s vital to regularly update plugins, themes, and WordPress core.
Also, make sure that you do not use abandoned plugins.
If a plugin hasn’t been updated for 2 years, it probably has security issues, so you better find an alternative and replace it.
Manual updates are easy but take a lot of time. You can configure automatic updates for themes and plugins by inserting the following lines of code into wp-config.php.
add_filter( ‘auto_update_plugin’, ‘__return_true’ ); add_filter( ‘auto_update_theme’, ‘__return_true’ );
Keep in mind that automatic updates always risk to crash the website so you better backup the website first.
In case you don’t want to mess with code, 10Web lets you set up automatic updates and backups for your website with more ease.
6. Delete unused themes and plugins
Every installed plugin/theme increases your risks of being hacked. Unused themes and plugins carry a higher risk because users rarely update them.
That’s why you should make sure to delete all themes and plugins not in use from your website.
Besides, getting rid of unused stuff you also increase the speed of your website and reduce storage use.
7. Never download premium plugins/themes for free
Unless it’s the official trial or some other official offer from the plugin owner, it’s not a good idea to pirate a WP product.
Sometimes inexperienced WordPress users try to save money and illegally download premium plugins/themes for free from third-party sites.
These plugins/themes are usually corrupted by malware.
Is the saved money worth the risk? Of course not! If you want to use premium plugins, always download them from official websites. Oh, and make sure the author looks trustworthy before downloading.
8. Change your WordPress database table default prefix
Those who have installed WordPress more than once know that wp_ is the default table prefix. If you use default prefix, your site database is more vulnerable to SQL injections because hackers know tables’ names.
Set a random prefix (like “6fgjsd”) when installing WordPress. If you still have wp_ as table prefix, you can change it through a security plugin.
9. Backup your website regularly
Backups are a critical part of your website security. No matter how secure your site is, the risk of losing data always exists, so better backed up than sorry.
If your website has been hacked, the restoring process will be challenging; in these cases, backups are priceless.
When setting up a backup frequency, you need to take into account the characteristics of your site. Say, if you are updating your website on a daily basis, you will need to perform daily or more frequent backups.
Read our detailed guide on determining your perfect backup schedule to, well, find out how to determine your perfect backup schedule.
There are a lot of free and premium backup plugins.
10Web offers an exceptional backup service which not only lets you set up a custom backup schedule but also restore your site from available checkpoints with a single click.
Managing an entire WP website on your own can be tough. It requires a lot of time and effort. 10Web has a package of solutions to relieve your burden. One of the solutions is our security service. Here’s how it works:
Scanning for vulnerabilities
Remember point 5? We already told you how dangerous old versions of software can be. Well, new ones can have vulnerabilities, too. 10Web scans your WordPress core, as well as your plugins and themes for known vulnerabilities and suggests updates.
File change scanning
Our software tracks and scans all the changes in your website files. It compares the changes files to their old/original versions and if there’s anything suspicious, it will let you know.
Original file restore
Is there something wrong with the changes we’ve tracked? You can restore your files at any moment in a couple of clicks.
How often do you want to scan your website and your files? Once a month? Twice a month? Every day or every hour?
Save your time for website improvement; with the coming update, 10Web security service will perform Scheduled scans with the frequency you prefer.
The service also offers Unlimited scans so feel free to perform them as often as you think you need. No one should put a limit to your WordPress site security!
Hopefully, this article was helpful in arming you with a few tips and tricks aimed at securing your site. It’s important to take some time to strengthen your website security so you don’t end up spending more time and other resources trying to figure out what you can restore and what is gone for good.