9 Ways to Keep your WordPress Site Secure from Hackers

Oct 16, 2017 | HOW WE MAKE IT

Web security is arguably the least fun aspect of managing your own online business. Like all safety measures, web security is easy to overlook until something disastrous happens to your site, such as a customer data breach or other hack.

But fear not: we’ve rounded up some best practices that all bosses should implement to protect their website, their customers’ data and their company’s reputation.


Use complicated username and password combinations


It’s such a pain to use complicated username and password combinations, but you must! Avoid using “admin” as the main username for accessing your WordPress dashboard. Follow the password guidelines in this article for more detailed instructions.

Having a hard time getting creative? Websites like Strong Password Generator can help you come up with long, complicated combinations for your passwords. Just make sure to keep your passwords somewhere accessible and secure (we like using LastPass).

Keep WordPress and plugins updated at all times


WordPress is constantly updating its platform to improve performance, usability and security. It’s crucial that you always keep WordPress updated to keep your site secure and stable. Follow the instructions in this article to automate updates for major WordPress releases.

Before adding a theme or plugin, know what to look for. 

WordPress is an open-source technology, which allows for incredible innovation and options from developers all over the world! With that, it’s important that you look for reputable, trusted products when installing themes or plugins. A few things to check for before you install:


  • Number of installs vs. number of reviews – this gives you an idea not only of how many people have installed the plugin, but of how many approve of its performance.
  • Last updated date – an engaged and reliable plugin developer will likely update their plugin once a week. If it’s been months or years since the last update, don’t install it.
  • Support center – look through the plugin developer’s Support/Help section (and be sure there is one) to see how robust and responsive their customer service is.

Most plugins and themes are updated by their developers about once a week. To update, follow the instructions in your WordPress dashboard when you log in. You can also follow these instructions to allow certain plugins to update automatically.

Minimize the number of plugins installed on your website. 


It’s debatable whether adding too many plugins harms your website, but we recommend keeping plugins to a minimum. Too many plugins, or insecure ones, can lead to slow page loads, crashes or hacks.

We know it can be tempting to add new plugins to your website for added functionality, but choose wisely before installing. Be sure to remove any unused plugins from your site, and before adding new plugins, be sure that one of your existing plugins doesn’t already offer the functionality you’re looking for. We recommend this article which provides a ton of detail regarding plugin best practices.

Change your WordPress login URL (don’t use /wp-admin). 


One of the first things you do when setting up your self-hosted WordPress site is to define the URL that you’ll use to log in to your WordPress dashboard. By default the login page looks like www.example.com/wp-admin. We know this, and so do hackers. There are a number of ways to change the “wp-admin” URL string; the plugin WPS Hide Login is a lightweight plugin that offers this option.

Implement an SSL certificate. 

A few definitions: HTTP (HyperText Transfer Protocol) and HTTPS (HyperText Transfer Protocol Secure) are both protocols, or languages, for passing information between web servers and clients. HTTPS is a secure, encrypted connection, whereas HTTP is insecure. To migrate your site from HTTP to HTTPS, you’ll need an SSL (Secure Sockets Layer) certificate.

Implementing an SSL certificate on your website is not only good for security, it’s good for your search rankings. A few things to consider:

Implementing an SSL certificate can be laborious, so it’s best to do it right from the launch of your website, if possible. Click here for more detailed instructions on how to enable HTTPS on your website.
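Once the certificate is installed, the redirect that moves visitors from HTTP to HTTPS can live in the site’s .htaccess file. This is an added example, not code from the original post; it assumes Apache with mod_rewrite and mod_headers enabled and that TLS terminates on the web server itself (if your host terminates TLS on a proxy in front of the server, %{HTTPS} is never “on” and this rule would loop). WordPress’s own “WordPress Address” and “Site Address” settings must also be changed to https://.

```apache
# Added example (not from the original post): force HTTPS from the site's
# root .htaccess. Place it above the "# BEGIN WordPress" block so it runs first.
RewriteEngine On

# Any request that did not arrive over TLS is permanently redirected to the
# same host and path over HTTPS.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Once the redirect is confirmed working, tell browsers to go straight to
# HTTPS for the next year. Sent only on HTTPS responses, as the standard requires.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

Test the redirect first by requesting the http:// address of a page and confirming a single 301 to the https:// address; only then add the Strict-Transport-Security header, since browsers remember it for the full max-age.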

Update the .htaccess file to block all IPs except your site’s administrators’.


This gets slightly technical, but a great way to block your WordPress dashboard from unwanted hackers-to-be is to update your .htaccess file to block individual IPs or groups of IPs, or, better yet, to grant access only to specific IPs, which is what we recommend: no plugin needed! This editing is done through the File Manager in your web host’s control panel. Here’s a step-by-step guide:

1) Log in to your website’s cPanel

Typically accessible via www.example.com/cpanel

2) Click on File Manager

3) Be sure to display Hidden Files (this might be accessed under “Settings”)

Find the Settings dialogue box to display hidden files.

4) Click on the .htaccess file and click Edit

5) Add the following code at the top

<Files wp-login.php>
Order deny,allow
Deny from all

# allow Jane’s IP address (203.0.113.5 is a placeholder: replace it with the administrator’s real public IP)
Allow from 203.0.113.5
</Files>
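The same restriction in Apache 2.4’s Require syntax, as an added example that is not from the original post: it covers the login page and the whole wp-admin directory, and keeps admin-ajax.php reachable because themes and plugins request it on behalf of ordinary visitors. The IP addresses are placeholders from the documentation ranges; note that the Order/Deny/Allow form above only works on Apache 2.4 when mod_access_compat is loaded.

```apache
# Added example (not from the original post). Apache 2.4 "Require" syntax.
# 203.0.113.5 and 198.51.100.0/24 are placeholder addresses; replace them
# with the administrators' real public IPs (a /24 covers an office range).

# --- site root .htaccess: only administrators may load the login page ---
<Files "wp-login.php">
    Require ip 203.0.113.5 198.51.100.0/24
</Files>

# --- wp-admin/.htaccess (a separate file inside the wp-admin directory) ---
# Restrict the whole dashboard the same way ...
Require ip 203.0.113.5 198.51.100.0/24

# ... but admin-ajax.php is called by themes and plugins for anonymous
# visitors (search, forms, shop carts), so it must stay reachable or those
# front-end features break for everyone outside the allowed addresses.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After saving, check from a connection outside the allowed addresses (a phone on mobile data works) that /wp-login.php and /wp-admin/ return 403 while the public pages still load.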



Add CAPTCHA for Contact Forms and WordPress Login Forms

Have you ever had to tap that “I’m not a robot” box when completing a contact form on a website? This is a great way to block malicious bots and other attackers from abusing your forms. Use the Google Captcha WordPress plugin or the Better WordPress reCAPTCHA plugin on your site.

Add a double-login


Another way to protect your WordPress dashboard is to implement a double login, also known as two-factor authentication. Yes, it’s another username/password for you to remember, but it is one more layer of security against bots designed to hack into your site. Wordfence is a WordPress security plugin that lets you set up a secondary WordPress login page, and it also automatically blocks IPs with too many failed login attempts. Other recommended security plugins include iThemes Security and Login LockDown.

This post is part of our series 11 Essential Steps to Launching Your Online Business. We invite you to join the Digital Dame Collective by signing up for our emails to be the first to know when our new posts go live.

Jaclyn Hawtin

Senior Data Architect

Over a decade of experience in product management, devops, startups, and agile methodologies. Track record of simplifying complex technical processes for cross-functional teams. Proficient in user centered design, UX, IX, UI, IA, user research and data analytics for responsive web, mobile and tablet applications. Incredibly adaptable, fluent with both people and machines.