How to Protect WordPress Website from Hackers (Easy Ways)

Protect WordPress Website from Hackers.Pin

WordPress is the most powerful and the easiest Self-hosted Content Management System around the world. As it is a powerful Open source tool, the attackers are waiting to find the vulnerability and the bugs to destroy it. Even though it is very protective, the hackers are destroying the Websites created using WordPress. So, today in this article we are looking to see “How to secure Login Page and the WordPress directory”.


  • Keep Updating WordPress as each update will sort out the issues and make your WordPress more Secured.
  • Backup your Website at least once a week.
  • Don't forget to update your Plugin and themes on WordPress. Updating will help your WordPress more secure.
  • Always use a VPS host rather than using Shared hosting. As VPS host will come with lots of secured rather than comparing with Shared host.
  • Add Users carefully. As the number of users grows, then your WordPress becomes vulnerable for attacks.

Note: Don't buy or purchase any third-party Plugins and Softwares for your WordPress.

Secure your Login Page and WordPress directory

1. Don't Expose your WordPress Version 

Remove your WordPress Version from the public. If it is visible then that will be a loophole for the Hackers to enter into your Website easily.

To do that you don't have to change anything on the directory, just delete the readme.html file from the WordPress installation directory.

2. Change your WordPress Table Prefix

The hackers will try so many guessed attempts in the Login page for entering into the WordPress Dashboard. So the first thing you have to do is change the DB prefix. The Change Table Prefix plugin helps to change the WordPress table Prefix.

3. Stop others to “write” on your WordPress directory

Change the file permission on the server.

Log in to your Wordpress Linux shell and run the command to get the list of others having permission to write on the directory.

find. -type d -perm -o=w

Execute the commands below to stop the permission to write on the WordPress directory.

find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;
  1. The first command will allow only the owner to write or modify it in the directory.
  2. The second command will allow only the owner to read and write in the files.

4. Don't allow others to browse your directories

Open the .htaccess file from the WordPress directory and add the following command,

options -Indexes

This command will prevent others from seeing the list of files in the directory.

5. Monitor Unwanted login activity and allow logins from your country only

Use “Limit Login Attempts Reloaded” plugin to monitor unwanted login activities. Then use Download
Login IP & Country Restriction” plugin to restrict login based on a particular country (your country).

6. Disable Xmlrpc.php to avoid fake login attempt

With Xmlrpc you can remotely interact with your site. But hackers use this gateway to enter your site. So disable this feature.

To do that add the following code in the .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Important: Here is an IP address you want to allow. Change the with your IP address (If you don't you will get an error from the server). But if you want to block all IP addresses. Then remove the line “allow from” from the code.

If you want to edit the .htaccess file inside your WordPress dashboard, use the Htaccess File Editor WordPress plugin.

7. Strengthen your WordPress using Strong Passwords

Always remember to use Strong Passwords for your WordPress login and as well as admin wp-directory. Weak passwords are easy to guess. So use signs, symbols, capital letters and numbers in your Password.

Sample Password

Instead of using the regular and the weak password, try to think of using this kind of one.

  1. Password  – Pa$$WorD!!123

8. Secure your wp-config.php file by hiding it

Securing wp-confiq.php is another way to protect your WordPress. This file contains very sensitive information about WordPress installation like the security keys and the database connection details. To secure this file,

  1. Open your hosting site and tap on the File manager.
  2. Then search for .htaccess file and choose Edit.
  3. Now at the end of the .htaccess code, type the following and tap on Save changes.
<files wp-config.php> 
order allow, deny 
deny from all 

9. Don't allow “Spam” comments into your WordPress

Comments are one of the loopholes for the attackers to do some kind of rogue activities on your WordPress and as well as the attackers can send some malware for the users and the readers when we accept the spam comments. To stop that,

  1. On your WordPress tap on Settings -> Discussion.
  2. Then on “Before, any comments appear” menu, check whether “Comment must be manually” option is being TIcked. If not Tick it.  
  3. If this is enabled, the admin has to approve the comment before it appears in the blog. 

10 . Disable PHP execution

Another way to improve WP security is by disabling PHP execution.

Firstly, create a blank .htaccess file on your PC and type the following command.

<Files *.PHP>
deny from all

Save this file and then upload it to your /wp-content/uploads and /wp-includes/ directories.

If you want to hide some other files in your directories, you can use the above commands and modify them accordingly.

Secure your Login Page with Plugins

1. WordFence Security (Best Security Plugin)

Hackers enter your WordPress admin panel by adding malicious code to your theme and plugin. WordFence plugin has the option to scan your entire site, including themes and plugins, and show you if it find any suspicious code in your theme file.

It is a very powerful plugin which scans your WordPress to protect from malicious and malware attacks. This will block the IP address of the user trying to log in several times. It detects the issues happening in the core files and will notify you.

2. Sucuri Security

Sucuri Security monitors the changes that happen in the core files on your WordPress. It helps to track and notify the Login activity on WordPress. Let us see the set of security features available on this plugin.

  • WAF (Web Application Firewall) Protection Protects your Website from Malware, hacks and performs DDOs (Distributed Denial of Service) attack mitigation.
  • Monitoring – It scans and monitors the website for malware, hacks, and blacklist status. It has a few alerts like Website Malware Scanner, SSL Certificate Monitoring, Website Server Side-scanner, SEO Spam Scanner, Blacklist Status, DNS Monitoring, and Website Uptime Monitoring. These will notify you if there is any change in your WordPress.
  • Incident Response – Remove, Repair and Restore your Website before it is fully damaged.
  • Boost Performance – This makes your site faster with CDN.

3. Google reCAPTCHA

This helps to stop Spam comments from entering into WordPress. It uses reCAPTCHA technology and protects from robotic activities on your WordPress comments.

4. Google Authenticator

This Plugin provides Google Authentication while logging in to your WordPress.

  • Monitors the login regularly.
  • Prevents from force login attempt and blocks the user's IP address.
  • It provides a variety of login methods:  Google, Authy, LastPass Authentication, QR Code, Push Notification, Soft Token, and Security Questions.

5. WP-DB manager

This plugin helps to Improve, Repair, Backup, Restore or Delete WordPress Database.

These are the security ways to secure your WordPress from the attackers or hackers. These are a few plugins that scan and protect WordPress from the malicious threat. If you have any doubts or suggestions leave that in the comment box below.

About The Author

Scroll to Top
Share to...