WordPress is a flexible, easy-to-manage platform for developing websites. Its utility combined with its free price point has made it popular with developers of all skill levels.
However, that popularity has also made WordPress an attractive target for malicious bots and hackers. One security firm, Wordfence, says that it blocks around 20 million brute force attacks per day.
Combined with other methods of attack, there are a lot of avenues by which a hacker can get into your website.
Luckily, there are a few key things you or your developer can do to help prevent your site from being compromised. Remember, no one measure by itself will protect your website. However, by following these five steps and staying vigilant, you’re less likely to see your site pop up on a user’s malware list.
1. Keep WordPress (And Everything In It) Up To Date
This is number one with a bullet, and for a good reason. According to Sucuri, more than half of compromised WordPress sites in 2016 were out-of-date. Using an older version of WordPress means that attackers have had more time to hone exploits for flaws that exist in your code.
They’re also betting on the fact that if you’re not updating your core WordPress files, then you’re likely not using other methods of keeping your site secure.
What To Do
Whether it’s you or your developer, make sure WordPress is updated as soon as possible after a new version is released.
In most cases, you can do so with a single click from the dashboard. Likewise, you’ll need to maintain updates for all themes and plugins that are on your website, even if they’re disabled.
2. Only Use Trusted Themes and Plugins
WordPress has a rich ecosystem of premium themes and plugins to discover, and most of them work exactly as you’d think. However, there are also plenty of bad actors who disguise themselves as real developers, and they may add malware into third-party themes and plugins.
This is one of the easiest ways for someone to compromise your WordPress site.
What To Do
A quick rule of thumb to keep you safe: was this theme or plugin developed by someone else and sold at a price, while this site is offering it to you for free? If so, then it’s likely a scam, and installing it will open you up to vulnerabilities.
In the long run, that will require a lot more money to fix than whatever the price of the theme or plugin is.
Make sure you are getting your theme or plugin directly from WordPress or from a top theme marketplace like ThemeForest to avoid those headaches.
3. Limit The Number of Logins
As mentioned in the Wordfence article above, brute force attacks are among the most popular ways of gaining access to your site. WordPress websites are exposed to hundreds of millions of brute force attacks per month.
In a brute force operation, the attacking bot uses as many combinations of characters as it can in an attempt to guess your password, and often it will be able to gain access even before you’re aware that the attack is underway.
What To Do
The first line of defense against this type of attack is to have as strong a password as possible.
But why give the attacker unlimited opportunities to try and guess it?
There are several trustworthy plugins that let you put a limit on the number of login attempts, with too many failures locking the offender out for a set period of time. It is also good to change your default username from “admin” to something else, in order to add another layer of security.
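The lockout behaviour described above, shown as an added example (it is not code from the original post or from any particular plugin): it replays constructed access-log lines and reports which login attempts a limiter would have rejected. The thresholds, the log format and the rule that a 200 response to a POST on wp-login.php means a failed login (302 means success, as on a default install) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in common log format; not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:09:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [12/Mar/2024:09:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [12/Mar/2024:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2024:10:03:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3})')
# Assumed policy: 3 failures within 5 minutes lock the address out for 15 minutes.
MAX_FAILURES, WINDOW, LOCKOUT = 3, timedelta(minutes=5), timedelta(minutes=15)

def simulate_lockouts(log_text):
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    locked_until = {}              # ip -> time at which the lockout expires
    blocked = defaultdict(int)     # ip -> attempts rejected while locked out
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # not a login POST
        ip, status = m.group(1), m.group(3)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and ts < locked_until[ip]:
            blocked[ip] += 1       # the limiter would refuse this attempt
            continue
        if status != "200":        # assumed: 302 redirect = successful login
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()       # failures older than the window age out
        if len(recent) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT
            recent.clear()
    return dict(blocked), locked_until
```

On the sample, the address that fails three times in three seconds is locked out and its next two attempts are rejected, while the user who mistypes a password a few times over thirteen minutes and then logs in is never locked out.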
4. Don’t Skimp On The Hosting
You can add as many layers of protection to your WordPress installation as you want, but if your host isn’t secure, then you’re helpless to defend against somebody who wants access to the inner workings of your website.
According to Sucuri, shared servers are a common entry point for attackers to get into your system, so it pays to go with a hosting provider that has secure dedicated hosting services like and, that has a history of preventing attacks.
We have recently reviewed WPWebHost, a dedicated WordPress hosting provider, which offers some great and very affordable hosting plans for all types of bloggers and WordPress professionals.
phoenixnap also offers dedicated servers and security.
What To Do
WordPress themselves recommend a few in an article over on WordPress.org. Regardless of who you choose to manage your hosting, it’s worth it to avoid hosting solutions that are “free” or that have a history of security issues.
Sometimes, no matter how well-researched you are or how many layers of security you apply, someone will find a way to compromise your WordPress website.
In those cases, unless you want to undergo an expensive security review, your best course of action is to simply have a backup handy that you can use to restore your site to the last time it was in working order.
What To Do
Some hosts have services that will take care of this for you if you ask, but if yours does not, there are plenty of methods by which you can restore your website to its former self.
Even the most hardened security professionals will tell you to always make sure you have backups available. No one will be able to keep a site perfectly secure, 100% of the time.
Steps Towards A Secure Site
Even if you are new to WordPress, these five steps should keep your site safe and your sanity intact.
A security expert has other tools for protecting your website, but by following these steps, you are less likely to need one in the near future.
The post Protect WordPress Site From Hackers: 5 Simple Tips appeared first on JustLearnWP.