How To Prevent Your Site From Getting Hacked?

Web skimmers

In the current COVID-19 situation, your business is now more dependent on your website than ever before.  The crisis, on the other hand,  also has hackers trying to make the most of the chaos and anxiety. This has led to an unprecedented spike in cyber crimes and website security breaches in the last few months. Phishing attacks,  diversion of website traffic to spurious websites, or even crashed websites – these are just some of the ways hackers are wreaking havoc online.

While there is no such thing as 100% safety from hackers, the best solution is to be informed and better prepared. In this article, we share ten effective safety measures that you can implement for your WordPress site. Let’s get started.

10 Ways to Secure Your WordPress Site

1. Take Regular Website Backups

In these critical times, website downtime can severely affect your brand image and credibility,, not to mention the revenue losses. That apart, there are dangers of data loss from hackers looking to steal your customer and financial data.

A website backup is your safety net in this scenario. What you need is regular and periodic backups of your complete website including website files and database records. This way, even if your site is breached on any day, you can quickly restore your website with the available backup files.

How do you perform a website backup? If you have the technical know-how and time, you can opt for manual backups. However, an easier alternative is to use backup tools like BlogVault or Backupbuddy. Easy to use, these plugins can create multiple backups of your website and store them at safe and independent locations. However, the backup process can sometimes slow down your site. The BlogVault backup plugin takes care of this by running these backup operations on its own dedicated server so your site is not affected. It also provides a 1-click restore that can speed up your restore process and minimize downtime.

2. Keep Your Website Up-to-Date

According to 2019 statistics, 70% of the top WordPress sites are vulnerable to successful hacks. This is primarily because these websites are still running old or outdated WordPress versions. WordPress versions, sometimes, have security bugs and vulnerabilities that hackers exploit.

website upto date

WordPress developers periodically release updates with fixes or patches to plug these issues. However, if WordPress site owners do not download new versions and update their site, these vulnerabilities obviously continue to exist in their installations.

As a rule, keep these three WordPress components – Core WordPress, Plugins, Themes – updated to their latest version because outdated versions could leave your website vulnerable to hacks like SQL Injection attacks, WP-VCD PHP Malware, website redirecting to spam, etc.

 3. Enforce Strong Login Credentials

Weak user credentials are among the leading reasons why hackers target WordPress login pages. They deploy brute force attacks on login pages to gain access to the account by guessing the login credentials.  Once they gain unauthorized access, they can infect your backend files or steal data.

To make things easier for hackers, WordPress users, including admin users, use weak usernames like “admin” or “admin123” or passwords like “password” or “123456.”

As a simple rule of thumb, use unique usernames for each user, including admin users. Also, enforce the use of strong passwords that are at least 8-10 characters long and use a combination of alphabets, numbers, upper- and lower-case characters, and special characters.

 4. Use Two Factor Authentication

Also referred to as 2FA, Two Factor Authentication has been an effective mechanism against login page breaches. 2FA offers double-layered protection to WordPress accounts, where users first need to enter their username and password, followed by a unique code that is only sent to the user’s smartphone. Implementing this measure makes it hard for hackers to gain access to your WordPress account.

mini orange
(Image Source: miniOrange)

To implement this measure for your website, you can use 2FA plugins like MiniOrange or Google Authenticator that are easy to install and configure.

5. Use SSL Certification

Take a quick look at your website URL in any browser. Does it show the “locked” icon or start with “https”? If yes, then your website is SSL certified. What is SSL certification? Short for Secure Socket Layer, this encrypts and secures data being transferred between the browser and your website server.

https ssl security

Why do you need to secure this data? Because hackers often try to intercept the data while it is being transferred. This can include sensitive data like credit card numbers or any personal details entered in an online form.

SSL certification secures this data through the latest encryption techniques, so hackers cannot utilize the data even if they manage to steal it. You can obtain an SSL certificate from your web host provider, or install a third-party tool like Let’s Encrypt.

6. Install a WordPress security tool

WordPress websites are hackers’ favorites thanks to the platform’s undisputed popularity. The ever-evolving nature of these attacks needs security solutions designed especially for WordPress. Fortunately, you will find a number of both free and paid tools in the market. However, we recommend that you invest in security plugins such as MalCare and Sucuri that integrate malware scanning and removal with updated WordPress security measures.

These plugins are easy to install, just like other WordPress plugins, and periodically scan your site without any manual intervention. You are instantly alerted of any issues so you can perform an emergency clean-up and restore your website without losing time.

7. Set up a Website Firewall

As a website owner, increased traffic is great news, but only if it is authentic. You can keep hackers away from your site by setting up a website firewall. A firewall monitors every request made to your site and blocks suspicious requests while allowing requests from good and safe IP addresses to go through to your site. In short, a firewall is your website’s first line of defense against malware attacks like DDOS attacks, SQL Injection & HTML injection attack.

We’ll cover how you can set it up in the next section.

8. Implement country blocking.

Hackers operate from different countries around the globe. Some of the leading countries for hackers include the United States, Russia, China, and Brazil. Country blocking is a preventive measure where you can block all IP requests originating from a selected country. This means that in addition to hackers, other users based in this country or geographical area cannot access your website.

Security plugins like MalCare have an inbuilt firewall that blocks suspicious traffic from reaching your site. In addition, they also let you implement WordPress country blocking or geo-blocking in a few clicks from their dashboard.

9. Limit the Number of Admin Users

Hackers often try to gain illegal access to accounts of WordPress site administrators or users with “admin” privileges. This is because these accounts have the highest privileges and can be used to inflict maximum damage on the site.

WordPress allows you to configure 6 different user roles – Super Administrator, Administrator, Editor, Author, Contributor, and Subscriber. Apart from the administrator roles, the other roles have fewer privileges.  As a safety measure, limit the number of admin users for your website or only offer this privilege to your most trusted users.

10. Harden Your Website

Website hardening is a set of safety measures recommended by WordPress. It comprises 12 methods such as disabling the file editor, blocking PHP execution in untrusted folders, and changing the security keys.

However, implementing them manually requires considerable WordPress know-how and an investment of both time and effort.  Most security plugins allow you to easily enable these hardening measures through a few clicks on their dashboard.


Today, the internet is quite simply the only way to market your business during these critical times. Besides the pressures of running a business, securing your website can be another major cause of worry. We hope that you are able to integrate these measures into your website maintenance strategy to manage your website and improve business.

Here’s a quick summary of these tips for you.

    1. Take regular website backups.
    2. Keep your website up to date.
    3. Enforce strong login credentials
    4. Use Two Factor Authentication.
    5. Get an SSL certificate for your site.
    6. Install a WordPress security tool.
    7. Set up a website firewall.
    8. Implement country blocking.
    9. Limit the number of admin users.
    10. Harden your website.

Fortunately, WordPress security plugins like Sucuri and MalCare integrate most of these measures into their packages. This way, you can avoid installing too many tools for each of these safety measures.  Let us know what you make of these 10 security tips. Are there any other tips that we have missed? Let us know your thoughts in the comments below.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.