How to Protect Your WordPress Website From Hackers

The growing popularity of WordPress has also created more interest among hackers. Statistics show that out of the 80 million websites powered by WordPress, a large portion of them (70%+) are vulnerable to attacks.
If you think that your website is not part of the 70%, you are wrong. If you also think that nobody cares about your small business website or blog, you are again wrong. Attacks can happen because your site is vulnerable to attacks and not because a hacker decided to ‘break-into’ your business.
When your website is hacked, a lot of bad things can happen besides damaging your website’s reputation. You can lose customers, traffic, money, confidential information and not to mention the time, stress and effort that it will take to clean your website and get it back to a normal state.
Those that experienced this at least once, know exactly what I mean. It’s those times that you wished you have taken preventive measures instead of trying later to recover from the damage, especially when your income and business depends on your website.
To tell you truth, I didn’t bother about security, I was thinking like most people that this would never happened to my websites. But it did. And it was a terrible experience.
A few of my clients had faced similar issues and they lost money and business but at least we all now learned our lesson. When it comes to security issues, “Prevention is the best cure”.
If you have a WordPress website but did not take any measures to improve security, it’s now the right time to take action. Don’t delay it any longer but set this as your first priority above SEO or anything else you might be doing.
9 ways to protect your WordPress Website
#1 – Use strong passwords – One of the things you definitely need to check right now is your wordpress passwords and especially the password you use for the administrator.
Don’t use simple, letter only passwords, but create strong passwords that include letters, numbers and symbols.
Here are a few examples of simple and strong passwords:
SimpleStrongSimplePassword$1mpLePas$$w0rd!WordPress123W0rD!!Pr3$$123JaniebrownJAN1E$Br0wN
You can change the password of any users by selecting USERS / ALL USERS from the left menu. From the list of users, select EDIT and scroll down to the password field.
#2 – Change the default admin user names – The first thing hackers will try and do is find out the administrator username so usernames like admin, administrator and host are too obvious and you need to change them to something more difficult to identify.
Also, review your user roles and make sure that there is only one administrator to the site. Other users (guest authors, writers) can be set as ‘Contributor’. Delete any other users that are not valid or set their role to ‘None’.
#3 – Protect your wp-login, wp-config, .htaccess and wp-admin folder – This is perhaps the most important step of all measures you can take to secure your wordpress website.
By protecting and restricting access to your wp-config, .htaccess, wp-login and wp-admin folder, you already made a huge step towards the right direction.
It does not require any technical knowledge, you only need access to FTP and to follow the steps below:
Step 1: Login to your website with FTP and locate the .htaccess file on the root folder (usually public_html or www). If you have installed WordPress on a directory then you will find the .htaccess file there.
Step 3: Use any text editor (notepad, brackets etc) to open the file
Step 4: Add the following lines at the top of the file:

Important: You should add your Public IP in the orange shaded area above otherwise you will not be able to login to your own website!
Step 6: Upload the file back to your server and replace the existing one.
The role of the above lines is to restrict access to ALL ips trying to either access your .htaccess file, wp-config.php or your login page. In case your Public IP changes frequently you need to edit this file and type the correct IP in the orange shaded area above. If you type a wrong IP there, you will not be able to login to your WordPress dashboard. You can add more than one IPs (one per line, preceding by the words ‘ allow from’).
I know that for some this is too much BUT it’s the best and most efficient way to keep everyone (besides allowed IPs) from getting access to your website. This does not affect the functionality of your website or SEO but it re-enforces security.
The next step is to protect unauthorized access to your wp-admin folder. You can do this by following the steps below:
Step 1: Login to your website with FTP and locate the .htaccess file inside the wp-admin folder. If there is no .htaccess file then create one (using any text editor), add the lines shown below and update it to your wp-admin folder.
Step 3: Use any text editor (notepad, brackets etc) to open the file
Step 4: Add the following lines at the top of the file:

Important: You should add your Public IP in the orange shaded area above otherwise you will not be able to login to your own website!
Step 6: Upload the file back to your server and replace the existing one.
The same rules apply as explained above i.e. To be able to login to your website you need to add your public IP in the orange shaded area.
#4 – Protect xmlrpc.php (optional but recommended) – Besides protecting the above files, a common way to hack into WordPress websites is through xmlrpc. Xmlrpc.php is a file used for communicating remotely with WordPress.
Hackers can make use of xmlrpc (which is enabled by default from WordPress 3.8) to execute DDoS (Distributed Denial of Service Attacks), that can cause server problems and bring a website down.
You need to keep XMLRPC enabled if you are using services like JetPack, the official mobile wordpress app, pingbacks & trackbacks.
To make sure that no programs can access and execute the file, add this to your .htaccess (like you did in point 4 above)

#5 – Update WordPress and Plugins to the latest versions – Most of the times hackers can gain unauthorised access to your website through plugins. Free and paid plugins have vulnerabilities and it’s always a best practice to upgrade them to their latest versions.
Software companies (especially for paid plugins) have started to look into security matters more seriously and they try to close any security holes in order to protect their customers and of course their reputation.
Besides upgrading, review the list of installed plugins and if you find that some have not been updated for several months then consider deactivating them, replacing them with other plugins that are updated more frequently or deleting them.
#6 – Check your ‘comments’ and forms settings – When you have comments open on your posts check your ‘Discussion’ settings and make sure that all comments are manually approved. This may add more administration work from your part but it’s the best way to ensure that no spam comments are entered.
Also check that you have akismet activated and that you use a Captcha on all your contact forms.
#7- Check your server settings – Besides your WordPress installation another way that hackers can break into your system is through your web server.
What you can easily do is to use a strong password for the administrator account and FTP, and also enable email notifications to get notified every time someone is logged-in to the server. You may need to check with your hosting provider on how to do this since it is different for each type of hosting server.
#8 Move to a reliable VPS host - Any serious blogger or business should be using a VPS for their website. If you are still on shared hosting then it’s time to reconsider and move to your own VPS. The cost is not that much per month but the benefits, especially when it comes to security, are priceless.
There are many hosting companies offering VPS for wordpress, take some time and find a VPS host that is reliablewith good and fast support. When you get into security troubles, you will need the support of your hosting company and they need to respond to your requests fast but also in an effective way.
#9 – Take Full Backups of your Website – While this may not be a security measure as such, the first thing that you will need after an attack is a clean backup of your website to use it to recover to the previous good state.
Make sure that you take a backup of both your WordPress files and Database (at least once per week)
That you keep the backup files in a safe location (other than your website’s server)
That you know how to use the backup to restore your website. This is a critical step and you need to allocate some time to make a test and document the procedure so that you know exactly what you need to have to do when in need and under a lot of stress.
I use the BackupWordpress Plugin which comes free and has the options to schedule backups for both the files and database.
The bottom line: When it comes to security, prevention is always better than cure
You need to take measures to protect your WordPress website from hackers. You don’t necessarily have to pay for a monthly service if you currently cannot afford it but for sure you need to review and configure correctly the other setting suggested above