Written by Finn Ruijter, 26 March 2024

Securing WordPress: 12 tips to stop hackers

More than 40% of all websites on the Internet run on WordPress. So for that reason, it is a popular target for hackers. For some companies, not much customer data lives in the WordPress website. For e-commerce and recruitment websites, it is different.

How do you make WordPress secure? That does involve a bit more than just using a complex password or updating an outdated version. We tell you more about the different attacks that are most common and how you can easily protect against them.

Good WordPress security is important

Strong security is important to protect your website and your customers’ data from unauthorized access and data breaches. The last thing you want is for your customer data to be on the street. Applying proper security to your WordPress website will save you as a business a lot of hassle.

As a WordPress agency, we work daily on 250+ of our clients’ websites. When taking over websites, we often come across things that pose a risk. Unfortunately, we regularly see that WordPress security is not in order. But most hacks can be prevented!

How can my WordPress website be hacked?

Hackers use various methods such as brute force attacks, SQL injections and cross-site scripting to exploit weaknesses in your website. These weaknesses can arise from your website not being built properly from the beginning, from plug-ins and themes not being updated, or from poor hosting. By understanding at a basic level how these attacks work, you can better protect yourself. Securing WordPress is often a neglected issue among website owners.

But how do I secure my WordPress website? Well, like this:

1. Choose a good hosting party

Insecure hosting, without even realizing it, can cause many problems. It is important that good hosting protects your website. Some hosting parties have not properly separated websites on the same server. If one website is hacked, all the others can be compromised as well.

As an example, take a WordPress hosting company like Kinsta. Their infrastructure uses all WordPress standards. All websites have their own locked container. As a result, your data is private and not shared with other websites.

Another option is to choose a real WordPress agency that configures, secures and manages the hosting for you. So ask about this too when choosing your new party. We have created a checklist on how to choose a party that suits you best.

[Image: Kinsta hosting infrastructure]

2. Strong passwords, separate accounts and two-factor authentication

This is one of the most common mistakes made in securing your WordPress website, and it applies to other types of software as well. Note a few points when creating an administrator account:

  • Create separate accounts for all users.

  • Provide unique usernames (no “admin,” “administrator” or “wordpress”).

  • Use strong passwords. To avoid forgetting them, you can store them in a password vault such as 1Password.

  • Do not grant unnecessary rights to users. If someone only posts pages and blogs, consider giving them a lower role.

There is also a good additional layer of security that can be added. You know the drill: 2FA, or two-factor authentication. In addition to your password, the system asks for a second code or proof that only you have. This can be a code sent to your phone or a code generated by an app such as Google Authenticator. It ensures that even if someone has your password, they still can’t just get into your account. That’s how you make it harder for hackers.

There are quite a few free plug-ins available that can handle this for you. Wordfence Security has a comprehensive free plug-in that helps you set this up, and Google Authenticator can be connected to it.

[Image: Wordfence Security 2FA settings]

3. Always use the latest version of the CMS, plug-ins and themes

Securing WordPress doesn’t always have to be difficult. You can update your CMS automatically or manually. Both options are available within WordPress. Using the latest version of WordPress, including the latest updates to plugins and themes, is hugely important. It makes your website more secure, as well as faster. WordPress is updated frequently to add new features, fix problems and improve security. When your website is up-to-date, everything works better and you have access to the latest features.

Old versions may have vulnerabilities that hackers can exploit. Known vulnerabilities are disclosed publicly so that everyone can learn about them. On the WPScan website, you can see an overview of all known vulnerabilities in plug-ins and themes. They have more than 49,000 vulnerabilities online. However, this source of information also makes it easy for hackers to find weaknesses. By updating everything, you make it harder for them to get in. This keeps your website secure, fast and up-to-date with the latest Internet developments.

[Image: WPScan vulnerability overview]

4. Back up your website

A backup is simply a copy of everything that makes up your website. WordPress itself does not create backups. If something goes wrong, such as your website being hacked or you accidentally deleting something important, you can use that copy to restore your website immediately. That way you won’t lose anything.

It may sound complicated, but many hosting parties have this built in by default. It is smart to make new backups regularly, say every week or every month. We do this daily, and for some clients even hourly. Especially for e-commerce and community websites, it is very reassuring to have this in place. Then you can be sure you always have a recent copy in case something happens. This way, your website is always protected and you can continue to make updates without worry!

A good WordPress plug-in to install on your website is UpdraftPlus. This plug-in creates the backup from within WordPress itself and can upload it to different locations. Updates for this plug-in appear regularly, adding multiple features. We also use it to upload a backup to Google Cloud.

[Image: UpdraftPlus backup settings]

5. Don’t call the login page “wp-admin”

Almost all WordPress websites have ‘wp-admin’ as the login page to get into the CMS. This is not a bad thing, provided the proper security is in place. If you have not taken additional measures, it is better to change the URL. With a WordPress plug-in such as Wordfence Security, you can quickly arrange this.

Changing the name of the login page makes it harder for hackers to find and attack your website. It’s like giving your home a secret entrance that only you know about. By choosing a unique name for your login page, you provide extra protection on top of, not instead of, the measures in the previous tips.


6. Limit the number of login attempts

In a brute force attack, hackers attempt to gain access to websites, including WordPress sites, through repeated password attempts. Someone tries lots of different passwords to guess what your password is. They do this automatically with programs that enter many possible passwords in rapid succession.

Limiting the number of times someone can try to log into your WordPress website prevents this. You set how many times someone is allowed to try to log in. If someone enters the wrong password too often, they are temporarily blocked from logging in.

You can set this restriction using plug-ins. There are several plug-ins available that can do this for you, and they are usually easy to set up. If you are a client of 2manydots, this is included by default in your WordPress environment.
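To show what such a plug-in does under the hood, here is an added example of a minimal login-attempt limiter (not code from the original post or from any plug-in named in it). The hook names and constants are real WordPress ones; the function names, limits and transient key are assumptions. It can be dropped into wp-content/mu-plugins/ to try on a staging site.

```php
<?php
// Added example: limit failed logins per client address using transients.
// Hooks (wp_login_failed, authenticate, wp_login) are real WordPress hooks;
// the ex_ names and the limits below are assumptions for this illustration.

define( 'EX_LOGIN_MAX_ATTEMPTS', 5 );                      // failures allowed
define( 'EX_LOGIN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // block duration

// Key the counter on the client IP. Behind Cloudflare or another proxy (tip 7)
// use the proxy's real-client header instead of REMOTE_ADDR; otherwise every
// visitor shares the proxy's address and one attacker locks everyone out.
function ex_login_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_login_fail_' . md5( $ip );
}

// Count every failed login. Re-setting the transient also restarts its expiry,
// so the lockout window slides while attempts keep coming.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ex_login_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EX_LOGIN_LOCKOUT_SECONDS );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after the
// core username/password check (priority 20), so the WP_Error we return is
// what wp-login.php shows, regardless of whether the password was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( ex_login_client_key() );
    if ( $count >= EX_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ex_too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     EX_LOGIN_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( ex_login_client_key() );
} );
```

A blocked attempt still fires wp_login_failed, so continued guessing keeps extending the lockout rather than letting it expire.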

7. Use additional security like Cloudflare

Using additional security for your website, such as Cloudflare or Fastly, is a good idea. Cloudflare is a service that helps make your website faster and protects it from outside attacks such as hackers. It puts an extra layer between the visitor and your web server, which shields your server’s IP address. When someone wants to visit your website, the request goes through Cloudflare first, which checks whether it is safe. If it’s a legitimate visitor, such as a potential customer, they quickly get onto your website. But if it’s someone who wants to harm your website, Cloudflare stops them. Cloudflare also serves parts of your website from its own servers to make it faster. On all 2manydots websites, this is automatically activated and the IP address is shielded.

In the free package, they protect you from DDoS attacks, among other things. These are attacks where a website is flooded with a lot of traffic at once, causing the website to become very slow or even stop working altogether. Cloudflare can recognize these types of attacks and stop them before they reach your website. Cloudflare also has its own WordPress plug-in to improve security.

In addition to protecting against DDoS attacks, Cloudflare also helps make your website faster. They have computers all over the world that can keep a copy of your website. When someone wants to visit your website, they are shown the page from the nearest computer. This means your website will load faster for visitors no matter where they are.

[Image: Cloudflare DDoS protection by OSI layer]

8. Provide an SSL certificate

Part of good security in your WordPress website is, of course, an SSL certificate. These days, chances are slim that you don’t already have one, since all modern browsers flag sites without it. It ensures that the data is secure between the visitor and your web server. It’s like a lock on your website that keeps information encrypted and safe. Many hosting providers give you an SSL certificate for free; you can also buy an extended one, but this is not required.

To make your website secure, you must first activate the SSL certificate with your hosting company. Then set your WordPress site to always use “https”. This means changing the site URL to the secure https version in your website settings. Sometimes you also need to ensure that all visitors are automatically redirected to the secure version of your site, although your hosting often does this itself.

Hasn’t this been done yet? Then you can do it in your WordPress site with the “Really Simple SSL” plug-in. Install, activate and done!

[Image: WordPress plug-in to activate HTTPS]

9. Security plugins

To make your WordPress site even more secure, you can also use security plug-ins. These plug-ins help you protect your website from malware and other online dangers. They look for weaknesses on your site and fix them, such as shielding your “wp-admin” environment. They can also alert you if something is wrong, so you can act quickly to avoid problems.

There are many different security plug-ins, and some are free. One well-known plug-in is Wordfence Security. This plug-in scans your website for malware and blocks outside attacks. It’s smart to do a little research and choose a plug-in that fits what you need. Of course, this also depends heavily on your budget. With a larger budget, paid versions can even guarantee the security of your website or help if it has been hacked.


10. Hide the WordPress version number

Your WordPress site has a certain version number. From this, anyone can tell whether your website, plug-ins and themes have not been updated for a long time. Hackers use this information to find vulnerabilities in specific versions of WordPress and to target their attacks. By not making the version number visible, you make it harder for them to target your website.

You can hide the WordPress version number in several ways. A simple way is to add a small piece of code to your theme’s functions.php file. Note that if you update your theme, this file is overwritten, unless you put the code in a child theme or a must-use plug-in. This ensures that the version number is no longer visible in the source code of your pages. The WPBeginner website has more information and comprehensive details. It can also be done with a WordPress plug-in such as Wordfence Security.
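As an added example (not the snippet from WPBeginner or from the original post), the following removes the version from the places WordPress prints it in page source. The hooks are real WordPress hooks; the ex_ function name is an assumption.

```php
<?php
// Added example: strip the WordPress version from the HTML <head>, from feeds
// and from core asset URLs. Put it in functions.php, a child theme, or an
// mu-plugin so a theme update does not remove it. ex_ names are assumptions.

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head> and
//    the generator line in RSS/Atom feeds both come from the_generator.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. WordPress appends ?ver=<core version> to core script and style URLs.
//    Only strip it when it equals the core version, so plug-ins that version
//    their own assets for cache busting keep working.
function ex_strip_core_version_query( $src ) {
    if ( false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    $parts = wp_parse_url( $src );
    parse_str( isset( $parts['query'] ) ? $parts['query'] : '', $query );
    if ( isset( $query['ver'] ) && $query['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'ex_strip_core_version_query', 20 );
add_filter( 'script_loader_src', 'ex_strip_core_version_query', 20 );

// Caveat: readme.html in the web root also states the version and is served
// as a plain file, so PHP hooks cannot hide it; remove it or block it in the
// web server configuration.
```

After activating, check the page source for "generator" and for "ver=" on wp-includes URLs to confirm nothing is left.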

11. Disable WordPress’s public API

Disabling WordPress’s public API, known as the REST API, can be a good additional measure. The REST API allows external services to talk to your WordPress site, which can be very convenient, but it can also pose a risk if it is not properly secured.

If you don’t use the REST API, or want to restrict access to certain parts of it, you can do so by making some changes to your website’s .htaccess file or by using specific plug-ins that provide this functionality. For example, you can add rules to your .htaccess file to restrict access to the REST API to logged-in users only, or you can even block all external access.

Be careful what you do. Some plug-ins rely on the REST API, and if you turn it off they can stop working. So always test this properly on a staging environment first, or have a specialist look at it.
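One way to restrict the REST API to logged-in users from PHP rather than .htaccess, as an added example that is not the post’s own code: the rest_authentication_errors filter is a real WordPress hook; the ex_ function name and the allow-list of public route prefixes are assumptions to adapt after testing on staging.

```php
<?php
// Added example: require a logged-in user for REST API requests, except for an
// explicit allow-list of routes that must stay public. Place it in
// wp-content/mu-plugins/. ex_ names and the allow-list are assumptions.

function ex_restrict_rest_api( $result ) {
    // Another filter already returned an error or an explicit true: keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Logged-in users (cookie session, or an Application Password, which is
    // resolved before this filter runs) keep full access, so the block editor
    // and authenticated integrations continue to work.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Routes that must stay reachable anonymously. Extend this for plug-ins
    // that rely on the REST API (see the warning above) after testing.
    $public_prefixes = array(
        '/oembed/1.0/',            // embeds of this site's posts elsewhere
        // '/example-plugin/v1/',  // placeholder: a plug-in's public endpoint
    );
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route'] : '';
    foreach ( $public_prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }
    // Anonymous request to anything else: respond 401 instead of data.
    return new WP_Error(
        'rest_not_logged_in',
        'REST API requests require authentication.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'ex_restrict_rest_api' );
```

Verify on staging by requesting /wp-json/wp/v2/users while logged out (expect 401) and then editing a post in the block editor while logged in (expect it to save normally).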

12. Old PHP versions

PHP is a programming language used to build and run websites. WordPress, the system you use to create your website, is written entirely in PHP. That means that every time someone visits your website, the server uses PHP to build and display the pages. Think of it as the engine behind your website. That’s why PHP is so important to WordPress: without PHP, your site won’t work. Using old PHP versions is risky for your WordPress site because you miss important security updates, leaving your site vulnerable to attacks. Moreover, old versions can make your site slower, which is not pleasant for your visitors.

The simple way, of course, is to update the PHP version to the latest version right away. Usually this can be done in the portal at your hosting provider. It is very important that you first check whether your themes and plug-ins are compatible with the new PHP version to avoid problems. Do this on a staging environment. You would not be the first to make the mistake of updating production directly: a small error can take the entire website offline.

Securing WordPress includes much more…

These are just 12 of many tips for securing your site, but implementing these steps already makes a world of difference. The steps above may seem overwhelming, but as a WordPress-only agency, we’re ready if you have questions, or if you want us to take a look at how secure your site is.

Every week we keep everyone updated on the latest developments in online marketing, and security plays a big role in this. Sign up for 2md Pulse: contributions from marketing professionals, other agencies, partners and sometimes some input from ourselves. Every Wednesday in your mailbox!