Guide to Securing WordPress Against Hackers

If your WordPress website is hacked, the damage to your business's reputation and revenue can be serious. Attackers can steal your data and passwords, install malware, and use your site to distribute malware to your own visitors.

Worse still, you may find yourself paying a ransom just to regain access to your own website. If your website matters to your business, its security deserves the same attention as the business itself.

Just as a business is responsible for protecting its own physical store, an online business owner is solely responsible for protecting the business website.

WordPress is one of the most popular and user-friendly content management systems, and you can build almost anything with it. If you are new to blogging it is an ideal choice. That popularity has a downside, though: WordPress sites are a common target.

WordPress security matters to every website owner. Every week, Google blacklists around 20,000 websites for malware and 50,000 for phishing. If you are concerned about your website, look at the best practices for WordPress security below.

If you are starting a blog and want to protect it from hackers and cyber criminals, read on. This post covers the tips that keep WordPress safe from attackers and malware.

WordPress Backup

How often you should back up depends on how often your website changes, but once a week is a reasonable minimum. You can do this with a WordPress plugin or manually. There are many free and paid backup plugins; they create automated backups, send them to local storage or Dropbox, and restore them quickly.

Install a backup plugin before you need it: once a website has been hacked, a clean backup is the fastest route to recovery, and there is no way to create one after the fact. Keep copies somewhere the web server cannot write to (an attacker who controls the server can delete on-site backups), and test a restore occasionally so you know the backups actually work.

Update WordPress Version

WordPress is open source content management software that is updated and maintained regularly. By default WordPress installs minor releases (maintenance and security fixes) automatically. Major releases have to be applied from Dashboard > Updates unless you turn on automatic major updates (WordPress 5.6 and later offer a toggle for this; you can also set define('WP_AUTO_UPDATE_CORE', true) in wp-config.php).

WordPress also has thousands of plugins and themes you can install on your website. These are maintained by third-party developers who ship their own updates, and a vulnerability in an abandoned plugin affects your site just as much as one in WordPress core.

All of these updates matter for the stability and security of your website. Make sure WordPress core, your plugins, and your themes are all kept up to date; since WordPress 5.5 you can enable automatic updates per plugin and per theme from the Plugins and Themes screens.

Use Two-Factor Authentication

Enabling two-factor authentication (2FA) on the login page is another good step towards keeping attackers out. Users must present two different components to log in. The owner of the WordPress website decides what those components are: typically the regular password followed by a one-time code from an authenticator app or a hardware token. A "secret question" is just another thing the user knows, so it adds little on top of the password; a code generated on a separate device is what makes a stolen password useless on its own.

Plugins such as Google Authenticator add this to the WordPress login with a few clicks: the user scans a QR code once, and from then on enters the six-digit code the app shows alongside their password.

Install MalCare Security and Firewall

The MalCare Security and Firewall plugin does a lot of this work for you. It is simple to use and automates most of what you need: it scans your WordPress site for vulnerabilities and known malware and tells you what it finds. If the status in the admin panel shows green you are good to go; when it does not, there is something to fix. Install it to find issues and malicious code on your blog. Keep in mind that a scanner only detects problems; it does not replace the updates, backups and access controls covered in the rest of this post.

Blocking Search Engine Spiders from Indexing the Admin Section

Search engine spiders crawl your entire blog and index everything they find unless they are told not to. You usually do not want the admin area indexed, since it exposes URLs you would rather not advertise in search results. The simplest way to keep well-behaved crawlers out of the admin directory is a robots.txt file in your root directory with a Disallow rule for it. Remember that robots.txt is a request, not a control: it is publicly readable, malicious bots ignore it, and it does nothing to stop a direct request. The .htaccess rules later in this post are what actually restrict access.


(robots.txt sample shown as an image in the original)
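As an added example, not the post's own file, here is the robots.txt that does this. Recent WordPress versions already serve an equivalent virtual robots.txt when no physical file exists in the site root; a file you create there replaces it, so keep the admin-ajax.php line, which front-end features need.

```text
# robots.txt in the site root (added example; comments are allowed in robots.txt)
# Keeps well-behaved crawlers out of the admin area. It is advice, not access control.
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
```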

Protect your .htaccess

After using .htaccess to protect your blog, you cannot leave the .htaccess file itself readable by visitors: it reveals your rules and, if you use password protection, the path to the credential file. The standard fix is a rule in your domain's root .htaccess that denies web access to any file whose name begins with .ht (which covers .htaccess and .htpasswd).
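As an added example, not the post's own code, the rule that does this, written so that it works on both Apache 2.2 (Order/Deny) and Apache 2.4 (Require). Stock Apache configurations ship an equivalent rule in the main httpd.conf already; the .htaccess copy is there for hosts that do not.

```apache
# Root .htaccess: deny web access to .htaccess, .htpasswd and anything else starting with ".ht"
# (added example, not from the post)
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>
```

Check it with a plain request for https://example.com/.htaccess (a placeholder host); the server should answer 403, not the file contents.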

No Directory Browsing

Letting visitors browse your directories is not a good idea. A directory listing is one of the easiest ways to learn your site's structure, and that makes it easier for attackers to look for weak spots (the names and versions of your installed plugins, for instance).

To stop this, add the following to the .htaccess file in the root directory of your WordPress blog:

# disable directory browsing
# Use -Indexes on its own: "Options All -Indexes" would also switch on every other
# option for the directory, including ExecCGI and Includes, which you do not want.
Options -Indexes

Secure wp-config.php

The wp-config.php file is important because it holds your blog's configuration and its most sensitive data: the database name, user and password, and the authentication keys and salts. It can be protected with the .htaccess file in the root directory by adding a few lines.

Here is the code for the same given below:


# protect wp-config.php
<Files wp-config.php>
# Apache 2.2 syntax (works on 2.4 only while mod_access_compat is loaded)
Order deny,allow
Deny from all
# Apache 2.4 native equivalent: Require all denied
</Files>



The above code denies web access to the wp-config.php file. Note that PHP normally never sends this file to a browser anyway; the rule protects you on the day PHP handling is misconfigured and the server would otherwise serve it as plain text. As an extra layer, WordPress also looks for wp-config.php one directory above the web root, so the file can be moved out of the document root entirely.

Limiting the Access to wp-content Directory

The wp-content directory holds everything you have added: plugins, themes and uploads. It is a very important folder and you should secure it. You do not want visitors fetching files from it directly; they only need the static assets that pages reference, such as JavaScript, images (jpg, png, gif), XML and CSS.

Put the following in a .htaccess file inside the wp-content folder (create the file if it does not exist). Test the site afterwards: a few plugins and themes serve PHP files from wp-content directly and will need their own exception.


# Default-deny direct requests into wp-content. WordPress itself still loads
# plugins and themes via include(), which this does not affect.
Order deny,allow
Deny from all
# Re-allow the static assets browsers must fetch. The dot is escaped (an unescaped
# "." matches any character); add other types your theme serves, e.g. svg|woff2.
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</FilesMatch>



Protect WordPress Admin Files

wp-admin should only be reachable by you and your fellow bloggers. You can use a .htaccess file to restrict the directory to specific IP addresses.

If you have a static IP address and always blog from the same computer, this is a good option. If you run a multi-user blog you can do the same and allow each contributor's IP, but it only works while all those addresses stay fixed: a changed home IP locks that editor out until you update the file.

Copy the following into the .htaccess file in the wp-admin folder:

# deny access to wp-admin except from your own static IP
# (Apache does not accept a comment after a directive on the same line,
# so keep comments on their own lines)
Order deny,allow
Deny from all
Allow from xx.xx.xx.xx
# Apache 2.4 native equivalent: Require ip xx.xx.xx.xx

The above code prevents anyone except "xx.xx.xx.xx", your static IP address, from fetching any file in wp-admin. Two caveats: wp-login.php lives in the site root, not in wp-admin, so the login form itself is still reachable and should get the same protection in the root .htaccess; and wp-admin/admin-ajax.php is requested by logged-out visitors for many front-end plugin features, so add an exception for that file if something on the public site stops working.

Another way to restrict the directory is HTTP Basic authentication: a password prompt configured in .htaccess, with the credentials stored in a .htpasswd file kept outside the web root. Use it only over HTTPS, because Basic authentication sends the password with every request.
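An added example of that approach, not from the post: a wp-admin/.htaccess that prompts for a password and exempts admin-ajax.php so front-end features for logged-out visitors keep working. The credential file path and user name are assumptions; create the file with Apache's htpasswd tool (the -B flag selects bcrypt on Apache 2.4) and keep it outside the web root so the rule from the "Protect your .htaccess" section is a second line of defence rather than the only one.

```apache
# wp-admin/.htaccess: HTTP Basic authentication in front of the admin area
# (added example, not from the post). Assumed credential file, created with:
#   htpasswd -B -c /etc/apache2/wp-admin.htpasswd alice
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# admin-ajax.php is fetched by logged-out visitors (front-end plugin features),
# so exempt it from the password prompt; WordPress still applies its own checks.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4: the more specific <Files> section replaces the directory-level Require
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

After enabling it, a request for any file under wp-admin should return 401 until the browser supplies a valid user, while admin-ajax.php keeps answering as before.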


Securing a WordPress website is much more than installing a few plugins and walking away; the smaller measures above are what complete a full strategy. Some of them you may have known already, others may be new. Beyond these tips, review your web host as well, since many compromises come down to poor hosting management. Implement the strategies above to keep your WordPress website secure.
