Here you can find 16 easy ways to protect your WordPress website from hackers. You can easily protect and secure WordPress by applying little techniques. As we all know hacking attempts and unwanted penetrations are on the peak but a little effort can make your website safe and secure from potentials attempts.

In my last article, I discussed the 8 easy ways of domain protection from hackers and in continuation today, we are discussing 16 super easy ways to protect your WordPress website from potential hackers.

In real time, hacking is the most common technique to stolen websites. The online world is full of some examples so we need to be cautious as vulnerabilities are high! So every website needs to follow proper security procedures to keep away from hackers list. WordPress open source platform is widely used by developers so it’s a right time to share information to protect WordPress website to enhance security.

In my practice, many people don’t pay much attention to website security and when something happens they become worried and look around to get a solution. I recommend my clients to implement security solutions right after developing their site. It will keep them safe and secure to work online.

Protect WordPress Website by Following below Steps

Here are the extremely simple, more rapid and super easy ways that you can follow to protect your WordPress website in long run.

1) Protect your Website with SSL

Now it’s been recommended by Google to use https not only with the sensitive website but also with all website that lives in an online world. Google also boost the ranking of SSL implemented websites. So it’s important to have it now!

What exactly the SSL is?

SSL – Secure Sockets Layer is basically a way of encrypting the traffic that comes to and from your site to keep your visitors’ personal data secure. The use of SSL security is vital for any website that handles sensitive visitor information, such as credit card data.

After installing SSL, your website address shows like this:

Actually, ‘s’ added to the hyper text transport protocol (HTTP).

HTTPS prevents intruders from being able to passively listen to communications between your websites and your users.

How to Add SSL in my WordPress Website?

It’s simple! You can easily install SSL just by asking with your hosting service. They will charge you to add the certificate and it will hardly take an hour to reflect it on your WordPress website.

2) Keep Your Domain Name Registrar Separate from Hosting Company

It’s a good practice if you deal with several domain and websites. I recommend all my clients to keep their website separate from hosting company and the reason is security. As you know the security threat is on the peak so we need to follow some security procedure to keep safe from potential hazards. Many hosting companies offer a free domain with hosting services and people move towards them due to free service but you know it’s a security hazard like if your website host gets hacked then your domain will remain safe if it’s not linked to the same account.

Think, you have a website and domain in the same place and your website got hacked so you have lost each and everything but if your domain is registered with another registrar then you can point the domain to other server and easily place backup there. So, it’s a good practice to keep your domain registrar separate from hosting service.

3) Use Trustworthy Hosting Service 

Yes, your hosting service has the big influence on your WordPress website. A good hosting service not makes a website secure and protected but also play a vital role to improve website performance.

So choose your WordPress website host wisely!

Here are few best web hosting services that you can take if you are going to start your website:

Above web hosting companies has a good record to deal with customers. You can also review their feedbacks just by googling their name. I always recommend my clients to do personal research to get satisfied.

Need Ready WordPress Website

4) Protect wp-config.php file

The wp-config.php file carries sensitive information about your WordPress website. Securing the wp-config basically, enhances the security of your website and makes it difficult for hackers to catch secure information about your site especially the information of your database. You can easily protect wp-config.php file just by moving it to a higher level of your root directory.

Follow below link to get an idea to do this. The link also contains a video that you can watch to get a quick idea.

How to secure your website wp-config file

5) Don’t allow File Editing

File editing can be risky for your website so it’s better to disable file editing option. You can easily do this by adding the following code in your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

6) Take care of Directory Permissions

File permissions are important to discuss to protect your WordPress website. It basically specifies who and what can read, write, modify, and access. It’s important to understand the proper WordPress permission mechanism because WordPress may need access to write to files in your wp-content directory to enable certain functions.

Simply setting the directory permissions to “755” and files to “644” protects the entire system including directories, subdirectories, and individual files. You can do this through File Manager inside your hosting Cpanel.

Here are 5 recommended WordPress files to change permission settings from unsecured to secured:


644 -rw-r–r– /home/user/wp-config.php (unsecured)

600 -rw——- /home/user/wp-config.php (secured)


644 -rw-r–r– /home/user/cgi-bin/.htaccess (unsecured)

604 -rw—-r– /home/user/cgi-bin/.htaccess (secured)


644 -rw-r–r– /home/user/cgi-bin/php.ini (unsecured)

600 -rw——- /home/user/cgi-bin/php.ini (secured)


755 -rwxr-xr-x /home/user/cgi-bin/php.cgi (unsecured)

711 -rwx–x–x /home/user/cgi-bin/php.cgi (secured)


755 -rwxr-xr-x /home/user/cgi-bin/php5.cgi  (unsecured)

100 —x—— /home/user/cgi-bin/php5.cgi (secured)

7) Manage User Role Carefully

If you are using more than one administrator in your website then security risk is high. To deal with this situation you need to make sure the password is unique. It’s better to get connect with w email address with associated id. You can also avail super user facility if you are working on the muli-site network.

Here in this article, you can review user roles in more detail to improve WordPress website security at user level: Use WordPress User Roles for Improved WordPress Security

Here you can find: 5 useful WordPress plugins to manage user roles

8) Set Strong Database Password

A strong password for the main database user is a must – the one WordPress uses to access the database. From wp-config file, you can review the database password in case you forget and you can change it.

You can easily reset it from PHPMyAdmin by accessing through cPanel.

Always use the strong password with a combination of letters, numbers and special characters.

Here you can watch to reset database password using Phpmyadmin

9) Take Regular Backups

It’s also important to take regular backup of your entire website to keep your current data with you. You can take backup in multiple ways like;

10) Mask the Admin Username

It’s a simple trick that you can use to avoid hacking attempts. Mostly the WordPress backend access using the default URL like or wp-login. You can just change this to any other convention like wp-adminlogin or something else. It’s all up to you!

You can easily do this by following below steps. I also recommend you to take the backup first:

  • Download WPS Hide Login plugin
  • Installed & activated the plugin
  • Go to Settings > General to configure the options.
  • Scroll down & at the bottom, you will see the option to configure the “WPS Hide Login” plugin.
  • Change the login name here.
  • Done!

You can also the most popular plugin iThemes Security, however, it’s not highly recommended as this plugin offers much more than just customizing the URL of your WordPress registration & login page.

11) Protect wp-admin

You can create more sophisticated protection to your wp-admin panel by installing WordPress firewall plugins. Sucuri is one of the best plugins among the list so you can use it. Mostly recommended for website security and monitoring services. Another way is to enhance security using a strong password of WordPress Admin directory. To do this, just follow the below steps:

  • Login to WordPress hosting Cpanel dashboard
  • Find ‘Password Protect Directories’ or ‘Directory Privacy’ icon. and click on it
  • Select your wp-admin folder, normally located inside /public_html/ directory.
  • Mark check on Password protect this directory option and name it.
  • Click Save to set permissions.
  • Now create ‘User’ and save the button

By doing this, when somebody trying to connect with your website from back-channel or admin channel it will require adding userid and password to login.

12) Add ReCaptcha

Stopping spam registrations is a big issue, especially for WordPress membership sites. One way to avoid them is by using ReCAPTCHA which effectively blocks spam bots on login, registration, forms and comment system.

Here is the video to add ReCaptcha in WordPress login and registration.

Watch Video

13) Use 2-factor Authentication

Two-factor authentication is a simple and at the same time most effective process that requires two modes of authentication before you’re logged into a site. Introducing the 2-factor authentication (2FA) at the login page is another good security measure to protect your website from potential hazard. In this scenario, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, etc.

I prefer using a secret code while deploying 2FA on any of my websites. Here are some effective plugins that you can use:

14) Limit Login Attempts

To avoid possible brute force attacks, it’s recommended to limit login attempts. And you can easily do this through login lock down plugin. By activating this plugin, you can limit the login attempts to keep your system secure from potential attacks. The plugin basically records the IP address and timestamp of every failed login attempt. Let’s follow the steps to enable the plugin:

  • Download the login lockdown plugin
  • Install and activate
  • Configure the plugin settings like below picture

limit wordpress login attempts

15) Keep Your WordPress and Plugins Updated

Yes, it’s recommended to be updated with latest changes to provide any single moment to hacking attempts. Most of the hackers use this technique and track old and non-updated websites. To get updated you need to focus on following things:

  • WordPress should be updated to latest version
  • WordPress theme needs to be updated. Keep an eye if you are using third party WordPress theme.
  • All plugins should be updated with the latest version
  • Delete plugins that are not under used.

To get rid with potential hacking attempts, now app companies providing more security prone plugins and other tools but it mainly focused on paid version.

16) Automatic Logout when being Idle on WordPress Website

This is good if you are working in a group environment to logout inactive users to avoid possible hacking attempts.  For this, you can simply use idle user log out plugin. This plugin detects idle user and executes the action that is being specified in Admin End. You can install and activate the plugin. In the setting area, you can mention the logout duration.

So above the few techniques or simple and most recommended ways to protect WordPress website from spammers and potential attacks by hackers.


Below articles might be helpful to you: