WordPress Security Tips And Tricks To Protect Website From Hacker

wordpress security tips and tricks
wordpress security tips and tricks

Theft is not the only thing in the mind of a hacker, Sheer destruction is a major motivator. Hackers may want to destroy all your records, put a sick message on your customers’ screens.
You can never undo the damage done by a hacker, But you can take steps to prevent it.

Improve WordPress Security
Improve WordPress Security

Today I will share some WordPress Security Tips And Tricks that I implemented it on my personal blog to protect my website from a hacker.

The first thing, I always like to tell website owners is that security is about risk reduction, not risk elimination. There is Nothing like a 100% solution to staying secure.

The second thing is to organize secure coding training sessions to bring awareness in the developers and the coders about how to write a secure code and protect the websites or pages from hacking attempts or at least avoid being hacked an losing all the data.

Almost all the tools, Plugins you employ within your environment aim to reduce your overall risk posture, whether it’s continuous scanning the website or a more proactive approach.

WordPress Security Tips And Tricks

Here is a list of the WordPress security tips and tricks, that I tend to offer everyone to managing his/her website security. For better Understanding, we can divide the WordPress security into the basic setting.

But, For better Understanding, here I divide the WordPress Security Tips And Tricks list into the basic setting.

  1. One Time Setting and
  2. Regular CheckUp

One Time Setting means we have to close all the open door in the website. Once it’s close, you do not need to check it again and again. In Regular Checkup Setting, we daily scan our website to ensure that our website is virus free and up-to-date.

So, In this way, we skip the Onetime Setting next time and save our time.

One Time setting

The most basic protection will discourage many hackers enough to make them go looking for easier pickings elsewhere.


Thieves are like to steal from people who leave their doors unlocked. Implement this Onetime setting help you to close the open door and also provide a layer of protection to your site.

So here is a list of OneTime WordPress security tips and trick  Setting.

  • Use Strong Passwords
  • Rename Your Default “Admin” Account
  • Limit Login Attempts
  • Don’t allow uploads
  • Use Captcha
  • Remove Unused Plugin And Theme
  • Don’t Allow Bots To Check Your Plugin List
  • Add User Account With Care
  • Install Security Applications

1. Use Stronger Passwords

Did you know 73% of the popular sites that use WordPress were considered “vulnerable” in 2013?

There is so many Programs are made to hack the password of the website. One of them is Brute Force, It is automated software to crack the password.

Brutal force attack plugin
Brutal force attack

This Program, use the combination of different number, words and string of symbols to match your password. It tries to unlock your website again and again until your website password is not broken.

The best passwords are always random strings of upper and lower case letters with numbers and symbols. If you need help, go to a secure password generator site to generate a strong password for your site.

Strong Password generator
Strong Password

Note: – Another thing to keep in mind is that your password should be changed before every six months. Because if your website hit by brute force attack, can crack any password within 6 months. If you do not apply any protection layer on your site.

If you are using multiple computers to login your site, then you can use Two Step Authentication. It is a good way to stay secure. If another person tries to login your site then you will receive a message to verify. After your approval, another person can login your site.

2. Rename Your Default “Admin” Account

A maximum number of people leave their administrator account labeled as Admin, they do not change their Username because they don’t know. If hackers can guess your username that means half of his job is done.

User Name on WordPress login page
User Name

To make their life a little more complicated, you should prefer any other username over “admin” and pick one with capital letters. I will explain how you can Change WordPress Admin Username in my next article.

Note: –  Never make your website author name as your username. This is the big mistake when we select the username.

3. Limit Login Attempts

Set a Limit on Login, so that either bot or Human can not access your website by trying different-different password. This prevents the hacker from using guessing software(brutal force) to figure out what your password is.

Limit the login in wordpress
Limit the login

For example, we all use ATM. But if we enter the wrong password more than 3 times then our ATM block for next 24hr. Similarly, if a user enters the wrong password  (set a limit according to your choice) it will be blocked to access your website for 24hr (you can block it for 2, 3, 4 days).

You can do this job with Login Lockdown Plugin. Limit the login attempts is my favorite WordPress security tips and tricks because it prevents my website from Automated hacking tools.

4. Don’t allow uploads

Allowing users to upload files ( like a screenshot, pdf, media ) to your website directly is a big website security risk.

Upload file option

The risk is that, Any file uploaded however innocent it may look could contain a script that when executed on your server completely opens up your website door for the hacker and hacker can easily attack your site.

This security breach trick is a specially used by the hacker. When they target the e-commerce website. During, when customer contact to support center by using a contact form.

Check your contact form or another page where your place upload file option on your site.

Note: – If you don’t have a good security Team working for you, do not allow guests to upload things to your site directly. But if you still want to do than make an account into dropbox and provide a path to upload a file there.

5. Use Captcha On Comment

Use captcha to sure your website from a fake comment by the automated bots. SI CAPTCHA Anti-Spam plugin can do this job very easily. It adds Captcha on your comment, contact page and also where every you want to add.

captcha on comment

Adding a simple captcha to your WordPress login page is another great way to minimize the chance of a bot/script gaining access to your site via a brute force attack.

Note: –  If you don’t want to place captcha on the comment the Akismet plugin to put a comment into spam box for moderation.

6. Remove Unused Plugin And Theme

Sometime Unsued or too Many plugins become the reason of hacked. Hacker is not always hacked your site, sometimes they hack the plugin and check if your website has that plugin, that means your website is on the top of his list.

wordpresss plugin and theme infography

Always use important and less number of plugins to reduce the risk of hacking.

Delete all the unnecessary and deactivated plugin from your site. Don’t forget about the theme. Delete the theme that you are not using on your site.

Delete unnecessary plugin and theme from your site not only reduce the risk, it also increases the speed of your site and reduces the size of your database. Here is a list of most use plugin for a website that every blogger should have.

8. Don’t Allow Bots To Check Your Plugin List

By default, google and all other bots can read your website data and index it. Your whole website is open for a hacker to check which plugin, theme and another security layer you are using on your blog.

Block Bots to access website
Block Bots

As I already explain above, a hacker can hack your site through a weak plugin. So it is the best practice to hide your more confidential information from bots.

Just add these line to your Robots file directory.

User-agent: *
Allow: /wp-content/uploads/
Disallow: /wp-content/plugins/
Disallow: /wp-admin/
Disallow: /cgi-bin/
Disallow: /trackback/

By Default WordPress have the following lines in robots file.

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

Note: –  Before editing your Robots file please read Robots.txt file because sometimes people’s accidently block the google bots to assess the site.

9. Add User Account With Care

If you are working in team/Group, hire someone to write a content for you. Be sure they are suing strong password to login.

You can’t contact with all team member to check which password they are using, is it strong or not? especially, if you allowed people for guest posting.

Strong Password plugin wallapaper
Strong Password

You can use a plugin like Force Strong Passwords for your users if you want to make sure that whatever passwords they use are secure. This is just a precautionary measure.

10. Install Security Applications

You can handover your website security to trusted company that will make life a bit more difficult for hackers. There are so many companies that are providing free plugins such as Acunetix WP Security, Better WP Security, and Bulletproof Security. This plugin provides an additional level of protection to your site.

But I recommended iThemeSecurity for web security.

Note: –  Into- Add your IP address to the Whitelist of iThemesecurity to keep yourself out of the block list.

Security plugin
Security plugin
  • Click on Security and the click on Global Setting.
  • Now click on configure and add your and your team IP address into the white list and save the setting.
Add IP address in plugin
Add IP address

Like an Antivirus for computer, Sucuri Sitecheck, CodeGuard, and Theme Authenticity Checker also are an Antivirus for the website. A security scanner will check for malicious code in your plugins, core files, and plugins to ensure nothing has been tampered with.

A security scanner will check for malicious code in your plugins, core files, and plugins to ensure nothing has been tampered with.

Not aways hack done through the web, sometimes it down tough your PC. So keep your PC neat and clean and use firewall protection for PC.

So this is the list of one time WordPress security tips and tricks, to close all open door and add a layer of protection to your site.

Regular Checkup

Onetime Setting is only for one time to close the open door and add a layer of protection to your site. But Placing a layer on your site reduce the risk but not eliminate it. You need to Regular checkup your site to stay secure. It is not difficult to perform a Regular checkup, it hardly takes 5min.

Regular Check up of wordpress
Regular Checkup

1. Keep Platforms and Scripts up-to-date

One of the best WordPress security tips and tricks, you can do to protect your website is to make sure any platforms or scripts you’ve installed are up-to-date.


Because many of these tools(like WordPress) are created as open-source software programs, their code is easily available, both to good-intentioned developers and malicious hackers.

Hackers can pour over this code, looking for security loopholes that allow them to take control of your website by exploiting any platform or script weaknesses.

2. Back-up Frequently.

Just in case the worst happens anyway, keep everything backed-up. Backup on-site, backup off-site, one time a day. Backing up once a day means that you lose that day’s data when your hard drive fails.

backup plugin wallapaper

Updraftplus is a free plugin and best backup plugin. You can also go with Pro and save your backup to multiple locations. Most interesting feature of this is that you can restore your website with just one click.

3. Stay Updated with Hacking Threat.

You need to stay up to date with hacking threats. If you have at least a basic knowledge of what is possible then you can protect your website against it.

Follow updates at a tech site such as The Hacker News. To get the latest threat

4. Keep Track On Activity

If you have many users on your site, it might be a good idea to keep track of what they’re doing on your dashboard. When you have a lot of people involved in your site, a simple misstep can cause something to break. That’s why logging dashboard activity is so useful

When you have a lot of people involved in your site, a simple misstep can cause something to break. That’s why logging dashboard activity is so useful.

Active log, WP Security Audit Log and simple History is free plugin maintains a log of everything that happens on your site’s backend, so you can easily view both what users and hackers are doing. This plugin keeps track of everything from when a new user is created to file management to published post changes.

This plugin keeps track of everything from when a new user is created to file management to published post changes.

5. Stay on top to Security Releases

Subscribe to the WordPress Development blog for a security update. When WordPress patches a security hole or releases a new version, they announce it on that blog.

If you see a security patch released, you need to update or apply the patch on your site. If you do not update your blog that means, you inviting hacker to hack your site.

5. Be Alert and Be Aware of your Vulnerability

Strange things suddenly appear on your site like automatically redirect to another website, Ads appear on your site, or your site simply stops working completely means something gone wrong with your site.

Keep an eye out for things like a slowing of your website’s speed. If your website is not behaving correctly, find out why as soon as you can!

It’s hard to tell what types of web pages are going to be targeted by hackers. It’s all up to what the hacker wants to do. Stay Update with WordPress Security Guide Line.

Simply use this WordPress security tips and tricks to protect your website, and make it difficult for hackers.

Recommended Post


Security does not mean installing so many plugins and walking away. Security means daily checkup your site and stays up to date with the latest threat. What are some things you do to secure your WordPress sites? it just a part of security to keep hacker away from your site.

Did I miss a detail here about” WordPress security tips and tricks” that you think is vital? Feel free to sound off in the comments below.

If you have any suggestion or problem about WordPress security tips and tricks please feel free to comment below.