How to secure your WordPress website from hackers

3 September 2020

WordPress is a popular Content Management System used for creating websites. According to various surveys, over 25% of current websites have been created using WordPress. One of the reasons for its popularity is that this CMS is free to install and use.

Furthermore, WordPress websites are highly customisable, easy to use and mobile-friendly. One of the downsides is that its massive popularity makes it an easy target for hackers. Here are a few tips on how to secure your WordPress website from hackers.

Keep WordPress updated and upgrade to WordPress 5

The developers of WordPress are aware of the threat posed by hackers. For this reason, updates are regularly released to fix bugs and improve the security of this platform.

Some releases are automatically installed, while others require you to manually initiate an update. In order to prevent any attack, it is advisable to keep your WordPress updated to the latest version.

Updates protect you against newly identified vulnerabilities and you should do them as often as possible. The latest version of WordPress was launched last month. Read our thoughts on the new WordPress 5.5

Use strong passwords, usernames and login URLs

Most attempted attacks often involve the use of stolen login credentials. Fortunately, this is easily preventable. You may protect your website by using strong passwords, only giving user access where necessary, and limiting login attempts to your FTP accounts, custom email addresses, and databases.


Make sure the password is not easy to crack, by using different character combinations not related to your website.

Things you can implement right now:

  • Use a plugin to force your users to choose a strong password.
  • Turn on 2 factor authentication
  • Choose the best security plugins you can afford.


Make sure to change your username. According to MotiveSense most commonly targeted usernames are:

  • administrator
  • Administrator
  • User1
  • admin

Login URL

Change or hide your login URL to make it hard for potential hackers to find.

Ben Payne’s tip: “Change your login URL. Don’t use the default admin password and default login page URL – it’s easy to change!”

At Mash, we’ve tried and approved WPS Hide plugin for WordPress which easily allows you to change the login URL of your website for added security.

Update WordPress plugins and themes

WordPress comes with hundreds of themes and plugins that help create efficient and impressive websites.

However, while the core of your WordPress website might be updated, these themes and plugins might create a leeway for hackers to breach your site. For this reason, it is important to update your themes and plugins as well.

Install a web application firewall

You can easily protect your website by installing a web application firewall. It works by filtering online connections, allowing only genuine traffic to connect to your website.

You may also install a system firewall to protect your server from online threats. For example at Mash we use a lot of security plugins such as the Wordfence plugin to help keep our sites secure.

Install a WordPress backup solution

Backing up your website data to a safe, remote location is the simplest way of securing your site. It allows you to restore your website in case anything goes wrong.

The good news is that the web has so many free and premium backup solutions that site owners can use to store their data.

Remember that backups are only useful if they can actually be used to restore your site if something goes wrong. So whichever backup solution you have chosen for your website, make sure you test them!

You can also invest in a paid solution for peace of mind. Most hosting providers will likely offer daily or weekly website backups as part of their basic services.

Last but not least: get an SSL certificate for your website

If you haven’t already got an SSL certificate, get one. We wrote a piece about why SSL is required.

Seemingly, no one is safe from the threat of hackers, considering the fact that no system is foolproof. However, by implementing the above-mentioned measures, you can easily secure your WordPress website from malicious attacks by a significant percentage.

See all articles >>

Check out our other blogs