WordPress Security and Maintenance: How Not to Get Hacked

  • How Tos

We have already done several posts on WordPress security and maintenance, still, we think it’s too little from our side. Because WordPress security is a topic of utmost importance for every website owner and will continue to be the most discussed one in the coming years. WordPress is a natively secure platform, but individual sites can have vulnerabilities, and attackers are relentless. Incorporating multiple on-site security measures helps to prevent your website from getting hacked, saving you the time and trouble it takes to clean up and rebuild.

So, this entire post is dedicated to WordPress security, we will share all our best tips and guides to help protect your site against WordPress hacking in 2023. 

Why is WordPress Security important?

Security of the website is a very important aspect for both WordPress site owners and users. For many marketing sites or any business site, vulnerabilities are like a nightmare. If users’ information is stolen or their passwords are seized by any hacker because of the vulnerabilities within the website, it will damage the image of the site owners. In an even worse scenario, you may have to hire an expert to get your website back, in case you lose control of access to your website.

That being said, there are many measures that can be taken personally to keep your website safe from hackers. Even if WordPress software is managed by hundreds of developers every day, some still try to damage websites, negatively affecting the user and website owner. 

Also, there may be many smaller business owners who think their site is in no danger as they do not consider their business big enough to be at threat from hackers. Given that there is money to be made from selling personal information, hackers typically don’t care how big or small your business is. As you never know when or how your business is going to be attacked, it is essential you protect your site by using the necessary measures.

Hints to identify that your site has been hacked

  • A Google alert appears on the website which notifies that the site has been hacked.
  • In most cases, your website is redirected to another URL, in many instances to a pornographic website.
  • The site is no more accessible by Google.
  • Strange looking JavaScript appears in the source code of the site.
  • Spam advertisements and pop-ups on the website due to malicious codes.
  • Newly created admin, database and FTP users which were not created by you.
  • Your website has been defaced.

Also read: How to Check if your WordPress Site is Attacked?

Preventive measures that can help you not to get hacked

1. Keep WordPress Updated

As you know, WordPress is a free software that is updated regularly. It is a content management system that is installed automatically with consecutive minor updates. However, for the main versions, we must manually start the update. The best way to keep your WordPress site safe is to make sure it’s always up-to-date. This means updating the core WordPress software, along with any themes and plugins you have installed. Making this a regular maintenance task is one of the most crucial parts of running your site.

When a new update comes, hackers can directly go to check the Security and Maintenance Release notes. Unfortunately, each WordPress update brings along with the uncovering of several WordPress security vulnerabilities in older versions. With every new WordPress update, we get new features and upgrades, along with a page listing the security flaws in the previous version and their fixes. So, if you fail to update the WordPress on time, those flaws will be used by hackers to take over your sites on older versions. 

2. Secure your Admin login with strong passwords

Hackers often try to get access to your WordPress site through the admin login panel because website owners don’t always choose strong passwords. Hackers use automated tools to “brute force your website”, which let them try limitless combinations in order to guess your password.

The more complicated your password, the more difficult it will be for them to crack it, so it’s always great to use a password that is a combination of letters, numbers and symbols with a minimum of 12 to 20 characters. Another step in securing your admin login is to use a unique administrator username. The default WordPress username is usually admin. Hackers know this and so can focus their efforts on cracking the password only. Changing the username requires them to guess this as well. So, it’s best to set your custom username when you install WordPress. It is also better to add the Two-factor authentication technique where users are required to log in by using a two-step authentication method.

Also read: What is Website Security Audit and how to do it?

3. Clean your Site and System

Though WordPress keeps your site safe from many vulnerabilities, hackers could still find ways into it. You may not even notice anything wrong with your site at first, even after someone has broken in and stolen information or posted their own content. A WordPress security scanner such as Sucuri, Malcare Security can help you spot hidden problems, and take action to address them right away. Before starting any cleanup process, take a backup of your site because despite being hacked up it might contain much valuable information for you. 

The hackers in their attempt to hack some site mostly infect your computers with malware, Trojans, viruses, spyware, etc. Workstation protection is even more essential when you are conducting transactions and have a website because all it takes is a keylogger to knock out the most hardened of websites. Regularly update the OS, software, and browsers on your computer.  If your computer starts acting strangely, popping up ads and other stuff, check it out before accessing your website. Use a secure and trusted commercial antivirus software such as F-secure for cleaning the system.

4. Select a secure WordPress hosting

Your WordPress hosting service plays a vital role in the security of your WordPress website. A good shared hosting provider like Bluehost or Kinsta take the extra measures to protect their servers against common threats. They will continuously monitor your site for any suspicious activity. They keep the software and hardware of their servers up to date to prevent hackers from exploiting any known security vulnerability in an earlier version. 

However, using a managed hosting plan is even more secure because unlike shared hosting you don’t have to share the server resources with any other websites. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more enhanced security settings to safeguard your website.

Also read: 15 Best Managed WordPress Hosting Providers

5. Install a Backup and Security Plugin

A security and backup plugin can be effective to ensure the security of your WordPress CMS. Backups are your first defence against any WordPress attack. It allows you to quickly restore your WordPress site in case something bad was to happen. There are several free and paid WordPress backup plugins that you can use. Always remember to save full-site backups to a remote location and not on your hosting account.

After backups, the next thing you have to do is to install and activate a security plugin that audits and monitors your site and keeps track of everything that happens on your website. This includes file integrity monitoring, failed login attempts, malware scanning, etc. Security plugin is one of the good ways to harden WordPress security by adding features that are not available in the basic version of WordPress: protection administration (back office) of WordPress, blocking of suspicious IP addresses, customization of the .htaccess file, protection against attacks XSS or Malware, etc.

6. Add a Web Application Firewall (WAF) to your site

A Web Application Firewall (WAF) looks after your website’s traffic and filters out potential attacks, while still allowing regular traffic through. This additional layer of protection works well in combination with your security scans, to detect any threats not dealt with by the latest WordPress updates. DNS Level Website Firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server. Whereas Application Level Firewall such as Sucuri examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS level firewall in reducing the server load.

7. Move your site to SSL/HTTPS

Secure Sockets Layer (SSL) is a protocol which encrypts the data transfer between your website and a users browser. This encryption makes it harder for someone to look into and steal information from your site. Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.

Now, it is easier than ever to start using SSL for all your WordPress websites. Many hosting companies are now offering a free SSL certificate for your WordPress website.

Also read: How to get Free SSL Certificate for your Website

8. Disable Directory Indexing and Browsing

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

It can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is suggested that you turn off directory indexing and browsing.

For disabling directory browsing and indexing, you need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. After that, you need to add the following line at the end of the .htaccess file: Options -Indexes

Don’t forget to save and upload .htaccess file back to your site. 

9. Disable File editing and PHP File Extension

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. But, this feature can be a security risk which is why we recommend disabling it. You can easily do this by adding the following code in your wp-config.php file:

// Disallow file edit

define( ‘DISALLOW_FILE_EDIT’, true );

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/. Paste the following code in a text editor like NotePad and save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client. 

<Files *.php>

deny from all


You can also do both of these with a click by using the Hardening feature in the free Sucuri plugin. 

Also read: Guide to Cleanup your Malware Affected WordPress Sites

10. Automatically Log out Idle Users in WordPress

Logged in users can sometimes drift away from the website, and this poses a security risk. Someone can hijack their session, change passwords, or make alterations to their account.  This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You will have to install and activate the Inactive Logout plugin. Upon activation, visit Settings > Inactive Logout page to configure plugin settings. Simply set the time duration and add a logout message. Remember to click on the save changes button to store your settings.


To summarise, keeping your website secure is not at all an intimidating task. WordPress security comes first and foremost with prevention and common sense. You have to set up various shields because attacks can come from any corner. Also, there are plenty of tools to help you make sure your site stays up and running. We hope this article helped you learn the top WordPress security best practices. If you have some worthwhile security advice please add it in the comments. We will go ahead and add it to the post. 

The WP Week Newsletter

A weekly newsletter covering updates from the WordPress ecosystem that are relevant and helpful for WordPress agencies, developers, and enthusiasts

Leave your comment

Your email address will not be published. Required fields are marked *