Hacking is one of those things that people think will never happen to them. Unfortunately, sites get hacked every day, and even those who think their site is protected can be vulnerable to the threat.

Fortunately, there are a number of steps you can take to protect against WordPress site hacking. From the use of a random password generator to the installation of a backup plugin, there’s much you can do to fight the good fight.

In this post, we’ll begin by explaining what site hacking is and describe some of the most common tactics utilized by hackers. We’ll then guide you through four easy steps you can take to knock out any vulnerabilities and protect your WordPress site from those with malicious intent. Let’s get cracking!

How WordPress Sites Get Hacked

As the most popular content management system available, it’s no wonder that so many hackers come knocking at the backdoors of WordPress sites. However, the WordPress development team does a wonderful job of keeping the core secure; the reality is that most successful hacks result from a failure on the user’s end. With that in mind, in order to understand how to protect against hackers, it’s first important to understand what a hacked site looks like and which tactics are commonly used.

So, what does it mean to have your site hacked? ‘Hacked’ is really a catch-all term, but in brief, a ‘hacked’ site is one that has been breached in some way. This breach can lead to the loss of sensitive user data, as seen in Yahoo’s latest hacking scandal. Alternatively, an attack may aim simply to disrupt service, as in a distributed denial-of-service (DDoS) attack. This was seen in 2016 when major websites, including Netflix, Spotify, PayPal, Pinterest, and CNN, were temporarily flooded with fake traffic.

Guardian hacking article headline: just one of many headlines regarding hacking ‘scandals’ in recent years.

As you can see, no site is safe from hacking, which is largely because hackers employ a variety of tactics. Brute-force attacks – where hackers test every possible combination until access is granted – are one common method. Others include the exploitation of source code vulnerabilities and cross-site request forgery.

Even WordPress sites have fallen victim to recent hacking attempts. This is largely because many users fail to keep their sites updated as recommended (as we mentioned above, user error is often the cause of successful WordPress site hacks).

With the above in mind, what can users do to reasonably protect against WordPress site hacking?

How to Protect Your WordPress Website from Hackers

While website hacks aren’t 100% preventable, there is much you can do to secure your WordPress site against malicious intent. To get started, take a look at the four simple steps below.

Step #1: Back Up Your Site

While no one likes to imagine the worst, it’s always best to be prepared. So, to protect your site’s files, a backup plugin like WPBackItUp can keep the damage from a successful hack to a minimum and make restoration easy should the worst happen.

WPBackItUp Plugin for WordPress

WPBackItUp has both free and premium versions. For many users, the expansive functionality offered by the free version is more than enough. Features include one-click backups, downloadable .zip backup files, and customization options that enable you to choose which aspects of your site you’d like to back up (though we do recommend you back up everything as a general rule).

WPBackItUp one-click backup: back up your WordPress site using WPBackItUp’s one-click backup feature.

For users looking for a bit more, however, the premium version of WPBackItUp has all you need – with access to one-click restores, background-running backups, and scheduled backups.

To get started, follow our simple guide for backing up your site with WPBackItUp.

Step #2: Update Your Site

You can take every precaution there is to protect against hackers, but if your site isn’t updated then you’re only temporarily plugging the holes.

When we talk about updates we’re referring to WordPress ‘core’, in addition to any themes and plugins you have installed (whether they’re active or not). Updating WordPress manually is easy enough, but you can also work with plugin solutions to automate the process.

Easy Updates Manager WordPress Plugin

Easy Updates Manager is one such plugin. It enables you to fully customize which updates you would like to automate (including core updates, major releases, plugins, and themes). Best of all, it’s completely free!

Alternatively, if you use Calypso to manage your self-hosted WordPress site, it enables you to update WordPress with relative ease. (It also has a bunch of other handy features and is well worth exploring further.)

If you do choose to update your site manually, be sure to keep on top of things – as a rule of thumb, we recommend that you take the time to update all aspects of your site no less than once per week.

Step #3: Strengthen Login Credentials

Default login credentials are a goldmine for hackers. Basic usernames such as “admin” and passwords such as “password” make it easy for hackers to break into your back end and take over your site. Even those with less predictable but still ‘crackable’ passwords are at risk. With this potential security flaw in mind, consider the following when picking a username and password for your WordPress website.

It’s best to create a unique username from the get-go, especially since WordPress doesn’t (by default) allow you to change your username once an account is created. If you’re already up and running with WordPress and have an obvious username (which could be defined as anything predictable – from “admin” to “yourname”), there are still a few techniques you can use to make the necessary change.

Next, you want to focus on your password. Creating a secure password doesn’t need to be difficult. In fact, there are various tools available that make this very task simple. WordPress, for example, provides its very own random password generator on the back end:

WordPress account management options: you’ll find this option by navigating to Users > Your Profile.

If you’d rather not use the WordPress option, a viable alternative is Norton’s generator.

Keep in mind that the above tips apply to all administrator accounts, not just your own: if any one administrator account gets hacked, the whole WordPress site is in jeopardy. To minimize risk, consider setting user requirements for usernames and passwords. And of course, always be wary of who you give administrator access to.

Step #4: Protect WordPress Admin Access

While changing your site’s login credentials from ‘crackable’ combinations to something more formidable takes you a huge step closer to having a truly secure site, it’s possible to go the extra mile. In terms of further protecting WordPress admin access, you have a couple more particularly effective options.

1. Require Two-Factor Authentication

Two-factor authentication is a great way to further protect your WordPress site from intrusion. Essentially, this form of authentication requires an extra step, separate from providing your login and password, to verify your identity.

Google Authenticator

There are a few free plugin options available when it comes to enabling two-factor authentication on your WordPress website, but our pick of the bunch is Google Authenticator. It offers a variety of options for authentication, including email, phone call, QR code, and even smartphone push notification.

Using a plugin such as this can boost security dramatically, and better yet, make the login process easier than it might otherwise be. (For example, users can log in by simply entering their username and scanning a QR code, rather than having to remember their password.)

If for any reason you’re not keen on Google Authenticator, we’d recommend the Two Factor Authentication plugin as a viable alternative.

2. Limit Login Attempts

This method tracks the IP address of any machine attempting to log in to your site. If the user fails to enter the correct credentials too many times, the admin screen becomes unavailable to that IP for a pre-set amount of time.

Login LockDown WordPress Plugin

To add this feature to your WordPress website, consider the Login LockDown plugin, which enables you to fully customize ‘lockdown’ options. These include how many times a user can fail before they’re locked out, as well as how long to keep an IP blocked. Activation and setup are simple, so you’ll be up and running in no time at all.
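The lockout logic described above, as an added Python example that is neither the Login LockDown plugin’s code nor WordPress code: a per-IP counter of consecutive failures with a pre-set lockout period. The `clock` parameter and the documentation-range IP addresses are constructed for testing.

```python
import time
from collections import defaultdict


class LoginLockout:
    """Per-IP failed-login tracker with a temporary lockout.

    Every attempt is keyed by the client IP; once an IP fails `max_failures`
    times in a row, logins from it are refused for `lockout_seconds`. `clock`
    is injectable so the expiry can be exercised without sleeping.
    """

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 3600, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)  # ip -> consecutive failures
        self.locked_until = {}            # ip -> time the lock expires

    def is_locked(self, ip: str) -> bool:
        expires = self.locked_until.get(ip)
        if expires is None:
            return False
        if self.clock() >= expires:
            # lock has lapsed: forget it and start the count over
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, credentials_ok: bool) -> str:
        """Record one login attempt and return "ok", "denied" or "locked".

        A locked IP is refused even with the right password, so a guessing
        campaign cannot succeed on the attempt right after the lock trips.
        """
        if self.is_locked(ip):
            return "locked"
        if credentials_ok:
            self.failures.pop(ip, None)   # a success resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = self.clock() + self.lockout_seconds
            return "locked"
        return "denied"

    def seconds_remaining(self, ip: str) -> int:
        """Seconds the IP stays blocked (0 if not locked); handy for the message shown to the user."""
        if not self.is_locked(ip):
            return 0
        return int(self.locked_until[ip] - self.clock())
```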


Site hacks are an everyday occurrence across the web. While no one is ever truly safe from hacking attempts, there are still steps you can take to minimize the odds of a successful hack and protect your WordPress site.

To get started, take note of the advice above and implement these four steps immediately:

  1. Back up your site.
  2. Update your site.
  3. Strengthen login credentials.
  4. Protect WordPress admin access.

Do you have any questions about how to best protect your WordPress site from being hacked? Let us know in the comments section below!

Image credits: Pixabay.