DEV Community

Lokesh Chandke

5 Tips to Protect a WordPress Site from Hackers

WordPress is undisputedly the most popular CMS and the backbone of several successful online businesses, including eCommerce and online learning portals. This popularity, however, makes it the preferred target of hackers. An estimated 90,000 attacks are carried out every minute on WordPress websites.

A hacked website damages more than just your website – it undoes all your website development, impacts your SEO rankings, risks your customers’ data, drives traffic away, lowers your brand value, and affects your bottom line. A big part of running a successful online business is knowing how to protect a WordPress site from hackers.

In this article, we share five of the most effective tips to protect your WordPress site from hackers and malware. Let’s get started.

How to protect a WordPress site from hackers?
While there are no methods guaranteed to protect a WordPress site, each of the WordPress tips this article talks about comes trusted and recommended by security and WordPress experts. The best part is that all of them can be performed by novice users, without necessarily relying on external WordPress support.

Let us look at each of these 5 tips in detail:

  1. Ensure WordPress login protection. WordPress protection from hackers is not complete without securing your WordPress login page. Hackers typically target WordPress login accounts — especially those of WordPress administrators — using brute force attacks. How do brute force attacks work? They deploy automated bots to try and infiltrate WordPress accounts by guessing their login credentials. Once they gain access, hackers can take control of the backend files and infect them with malicious code or scripts.


You can protect your login page by executing a few easy measures like:

Strong login credentials

Two-factor authentication

Limiting login attempts

Let us check out each of these measures in detail.

Use strong login credentials
While this may seem like the most obvious step recommended to protect WordPress sites from hackers, you’d be surprised by how many website owners still miss it. Strong login credentials comprise both a username and a password that are hard to guess.

Here are some practical tips to configure strong login credentials for each user:

Use unique usernames for every user including admin users. Avoid generic usernames like “user01” or “admin1” that are easy to guess for automated bots.

Strengthen user passwords by making them a minimum of 12 characters long and including a combination of at least one upper-case letter, lower-case letters, numbers, and special characters.

Use password management tools like LastPass or Dashlane, which can automatically generate strong passwords and store them securely in their database.

Change user passwords regularly every three or six months.

Use Two-factor Authentication (2FA).
Two-factor authentication, or 2FA, is an industry-recognized method of authenticating users trying to log into their WordPress accounts. It makes unauthorized entry much harder to achieve, because a stolen or guessed password alone is no longer enough. It does this by implementing the following 2-step process for signing in users:

Users need to enter their correct username and password on the login page

Then, they need to enter a unique and one-time validation code sent to their mobile phone.

Once users have entered the correct validation code, only then are they allowed entry into their account. For WordPress sites, 2FA can be easily implemented by installing and activating 2FA plugins like Google Authenticator or Duo.

Limit login attempts.
Brute force attacks depend on making many attempts to infiltrate WordPress accounts, trying different combinations of usernames and passwords. The best guard against this would be to limit the login attempts to a maximum of 3 to 4. After the specified number of failed attempts, users are temporarily locked out of the account.

How do you implement this login protection measure? You can install a plugin like Login LockDown. Alternatively, you can install a CAPTCHA plugin like reCAPTCHA, which displays the popular CAPTCHA protection page after the failed attempts. This is also effective in identifying if an automated bot or a genuine user is attempting to sign in to the account.
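The lockout behaviour described above, written as a small WordPress plugin. This is an added example, not code from the article or from the Login LockDown plugin; the attempt limit and lockout window are assumed values, and it relies on the standard WordPress hooks `wp_login_failed`, `authenticate` and `wp_login` plus the transients API.

```php
<?php
/*
 * Plugin Name: Simple Login Attempt Limiter (illustrative example)
 * Description: Temporarily locks an account after repeated failed logins.
 */

// Assumed policy values (not from the article): 4 failures, then a 15-minute lockout.
const SLAL_MAX_ATTEMPTS = 4;
const SLAL_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// One transient key per account name, normalised so "Admin" and "admin" share a counter.
function slal_key( $username ) {
    return 'slal_fail_' . md5( strtolower( trim( (string) $username ) ) );
}

// Record each failed login for the attempted username; the counter expires with the lockout window.
// Note: attempts refused by the lockout below also fire this hook, so they extend the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slal_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLAL_LOCKOUT_SECS );
} );

// Before WordPress checks the password, refuse the attempt if the account is already locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( slal_key( $username ) ) >= SLAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so legitimate users are not penalised later.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( slal_key( $user_login ) );
}, 10, 1 );
```

Keying the counter on the account name alone means repeated failures against a known username can lock out its real owner, which is why mature plugins combine this with per-IP limits and a CAPTCHA step.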