Harden WordPress

Jun 24, 2021

How to harden your WordPress Site in 7 Steps, so Hackers Stay

Why is hardening your WordPress site important?

We all want to keep hackers away from our WordPress sites, and in this post you will learn how to harden WordPress in 7 steps. It is a practical guide that will help you make your website much harder to break into. You will also find out which measures matter most for preventing hacks and how to put them in place.

Hackers and malware are a significant threat to any website. WordPress sites are especially at risk: WordPress powers over 42% of all websites, so a working exploit for a popular plugin or an unpatched core version can be reused against millions of sites, and attackers scan for them automatically.

In this blog post, I will discuss the top seven actions you can take to keep hackers away, but first, what are the main threats you are hardening WordPress against?

Threats to WordPress sites

  1. The first threat is data theft. An attacker who gets in can read everything in the WordPress database: user accounts and their password hashes, personal data from forms and orders and, if you store them there, payment details. (Never store card numbers in WordPress at all; leave that to a payment processor.)
  2. The second threat is that hackers take control of your website and lock you out, for example by changing the administrator password or adding an administrator account of their own. This is what most people mean by a “hack.”
  3. The third threat is that they use your site for their own purposes: hosting phishing pages, sending spam, redirecting visitors to malware, or serving malicious links that they then spread in emails and on social media sites like Facebook. Your domain’s reputation takes the damage, and your host may suspend the account.
  4. The fourth threat is a “DDoS attack.” A hacker uses many computers, usually a botnet of compromised machines, to flood the server with requests so that it becomes unavailable to legitimate users. Hardening WordPress itself does little against a large DDoS; that needs a CDN or filtering in front of the server.
  5. The fifth threat is a “brute-force attack.” Hackers try to guess your password by submitting many combinations of letters, numbers and symbols or, more often, lists of passwords leaked from other sites, against the login form (wp-login.php) and the XML-RPC interface (xmlrpc.php), which accepts username and password pairs as well.

7 steps to harden a WordPress site

The following steps will help you secure WordPress against the threats mentioned above.

Always stay up-to-date

The first step is to always keep your WordPress core, plugins and themes up to date. That ensures the latest security patches are applied and closes the known vulnerabilities that hackers scan for; most WordPress compromises go through an outdated plugin or theme rather than through core. Delete plugins and themes you do not use instead of merely deactivating them (deactivated code is still on disk and can still be requested), enable automatic updates where you can, and take a backup before a major update so you can roll back.


Do not use a default username

Another step is to not use a standard username such as admin or administrator, or a name similar to your website’s domain name. Also, do not use your first name or last name as your username. Keep in mind that WordPress usernames are not secret: author archives and the REST API can reveal them, so a non-default name only slows an attacker down. The strong password and the login lockout described below are what actually stop password guessing.

Strong passwords

To reinforce the security of your login account, set a strong password; that way hackers will have a hard time guessing it. Use upper- and lower-case letters, numbers and symbols, and above all make it long: at least 12, better 15 or more characters. Length adds more to the cracking effort than any particular mix of symbols, and a random string from a password manager beats anything you can memorise. Change the password immediately if you suspect it has leaked (for example if you reused it on another site that got breached); rotating it every few months does no harm, but it matters far less than length and uniqueness. Where your host or a plugin offers two-factor authentication for the dashboard, turn it on.
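The username and password rules from the two steps above, as an added example (my own shell code, not something from the post or from WordPress): a check that rejects the login names a brute-forcer tries first, a check for the password policy, and a generator that draws from /dev/urandom and redraws until the policy is met. The list of stock names and the 72-character alphabet are my choices.

```shell
#!/bin/sh
# Added example (not from the post): pick a login name a brute-forcer will not
# guess first, and generate a password that meets the policy in the text
# (15+ characters, upper, lower, digit, symbol) from the kernel's random source.

# bad_username NAME DOMAIN
# Succeeds (exit 0) when NAME is a stock WordPress/admin name or is derived
# from the site's domain label ("example" for example.com); these are the
# names attackers try before anything else. The list is an assumption.
bad_username() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  label=$(printf '%s' "${2:-}" | tr 'A-Z' 'a-z')
  label=${label%%.*}
  case "$name" in
    admin|administrator|root|test|user|wordpress|wp|webmaster) return 0 ;;
  esac
  if [ -n "$label" ]; then
    case "$name" in *"$label"*) return 0 ;; esac
  fi
  return 1
}

# password_ok PASSWORD
# Enforces the policy from the text: at least 15 characters and all four
# character classes. Length is the part that actually adds entropy.
password_ok() {
  p=$1
  [ "${#p}" -ge 15 ] || return 1
  printf '%s' "$p" | grep -q '[a-z]' || return 1
  printf '%s' "$p" | grep -q '[A-Z]' || return 1
  printf '%s' "$p" | grep -q '[0-9]' || return 1
  printf '%s' "$p" | grep -q '[^A-Za-z0-9]' || return 1
}

# gen_password [LENGTH]
# Draws LENGTH (default 20) characters from a 72-symbol alphabet via
# /dev/urandom (about 6.2 bits each, roughly 123 bits for 20) and redraws
# until password_ok accepts the result, so a draw that happens to lack a
# symbol is never handed out. Refuses lengths below the policy minimum.
gen_password() {
  len=${1:-20}
  if [ "$len" -lt 15 ]; then
    echo "refusing to generate a password shorter than 15 characters" >&2
    return 1
  fi
  pw=""
  until password_ok "$pw"; do
    pw=$(head -c 8192 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_+=-' | head -c "$len")
  done
  printf '%s\n' "$pw"
}

# Usage, for a site at example.com:
#   bad_username "$NEWNAME" example.com && echo "pick another name"
#   gen_password 20
```

To apply the result, create the new administrator with WP-CLI or the dashboard, log in as that user, reassign the old account's posts to it and delete the old account; never leave a second administrator behind.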

Use the HTTPS protocol for your site

Nowadays it goes almost without saying: serve your WordPress site over HTTPS. HTTPS is HTTP carried inside a TLS connection (still commonly called “SSL” after the older protocol); the certificate proves to the browser that it is really talking to your domain, and the connection encrypts everything in transit. Most hosts offer a free Let’s Encrypt certificate. It is issued for your domain name and valid for only 90 days, but the hosting company has an automatic renewal process in place; check that it actually works before the first expiry. After switching, set the WordPress Address and Site Address settings to https://, redirect every http:// request to https://, and fix mixed-content warnings, because a page that loads a script over plain HTTP is still exposed.

A site that still uses plain HTTP exposes its visitors and its administrators to anyone on the network path, such as an open Wi-Fi hotspot or a compromised router: the login password, the session cookie and any personal data submitted through forms travel in clear text and can be read or altered on the way. HTTPS does not fix vulnerabilities in the site itself, but without it even a perfectly patched site hands over your admin session. If you are a business, that could put you in severe financial jeopardy!

Harden wp-config.php and .htaccess

You can harden your WordPress install at the file level. wp-config.php, which holds the database credentials and the secret keys, does not have to live in the webroot (the directory your site is served from): WordPress automatically looks for it one directory above its own, as long as that parent directory is not itself another WordPress install, so you can simply move the file there; no symlink is needed. That way a misconfigured PHP handler or a path-traversal bug in a plugin cannot serve the file’s contents, and you should also restrict its permissions so that only the account PHP runs under can read it. .htaccess, on the other hand, must stay in the webroot: Apache reads it per directory and ignores it anywhere else. Harden it in place instead: deny direct requests to wp-config.php and xmlrpc.php, block PHP execution inside wp-content/uploads, and keep your own rules outside the “# BEGIN WordPress” block, which WordPress rewrites whenever you save the permalink settings. If your host runs nginx, .htaccess is ignored altogether and the same rules belong in the server configuration.


Use a security & Firewall plugin

Use a security and firewall plugin such as Wordfence or All in One WP Security (both free) or WP Cerber (free and paid). These plugins protect your site against brute-force attacks with an IP lockout: after a few failed logins from one address (3 attempts, for example) that address is banned for a period you specify, or permanently. Also worth doing: changing the login URL of the WordPress dashboard (this hides wp-login.php from automated scanners but is not a substitute for the lockout) and adding a captcha to the login form. Apply the same limits to xmlrpc.php, which accepts username and password pairs too and is often left out of login protection, or disable it if nothing needs it. Keep in mind that a plugin firewall runs inside PHP after the request has already reached your server, so it cannot absorb a DDoS; for that you need a CDN or a host-level WAF in front of the site.
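The lockout decision these plugins make, reproduced from the web server’s access log as an added example (my own shell code, not from the post or from any of the plugins named). It assumes the Apache/nginx “combined” log format; the sample log lines are constructed for the example and use documentation IP ranges.

```shell
#!/bin/sh
# Added example (not from the post): the lockout logic a security plugin
# applies, reproduced from the web server's access log so you can see who is
# hammering the login and feed the result to fail2ban, a firewall rule or the
# plugin's blocklist. Assumes Apache/nginx "combined" log format.

# wp_login_bruteforce_ips LOGFILE [THRESHOLD]
# A successful WordPress login answers a POST to wp-login.php with a 302
# redirect to the dashboard; a failed one re-renders the form with 200. So
# counting "POST wp-login.php -> 200" per client IP counts failed attempts.
# Prints "IP COUNT" for every IP at or above THRESHOLD (default 3).
wp_login_bruteforce_ips() {
  logfile=$1
  threshold=${2:-3}
  awk -v limit="$threshold" '
    # combined format: $1 client ip, $6 "\"METHOD", $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' "$logfile" | sort
}

# Constructed sample traffic (not real log data): 203.0.113.5 fails four
# times from a script, 198.51.100.7 logs in once (302), 192.0.2.9 fails twice.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [24/Jun/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.25"
203.0.113.5 - - [24/Jun/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.25"
198.51.100.7 - - [24/Jun/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jun/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.25"
192.0.2.9 - - [24/Jun/2021:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2800 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Jun/2021:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jun/2021:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.25"
192.0.2.9 - - [24/Jun/2021:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
EOF
}

# Usage on a live server:
#   wp_login_bruteforce_ips /var/log/apache2/access.log 5
# Try it on the sample:
#   f=$(mktemp); write_sample_log "$f"; wp_login_bruteforce_ips "$f" 3
```

The status-code trick does not carry over to xmlrpc.php, which answers 200 whether the credentials were right or not; there, count POSTs per IP outright, since legitimate clients make very few. Note also that a distributed attack spreads attempts over many addresses, which is why the lockout must be backed by a long password and not relied on alone.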


Backup WordPress regularly

Back up your website daily, and keep copies off the server: a backup that lives next to the site is lost in the same breach or disk failure. A complete backup is the database plus wp-content (uploads, themes, plugins) plus wp-config.php. I recommend the plugin Duplicator Pro. It is not only a backup plugin; it also lets you restore your WordPress website on another host without first installing WordPress core. Whatever tool you use, test a restore now and then; an untested backup is a hope, not a backup.
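A minimal scripted alternative for a cron job, as an added example (my own shell code, unrelated to Duplicator Pro or the post). It assumes the database dump is produced beforehand with WP-CLI’s db export or mysqldump and passed in, that wp-config.php sits either in the webroot or one level above it, and that GNU or BSD tar and find are available; the archive name pattern and the 14-day retention are my choices.

```shell
#!/bin/sh
# Added example (not from the post): a minimal backup of a WordPress site for
# cron. The database dump is produced beforehand ("wp db export FILE" or
# mysqldump) and passed in; the function packages it with wp-content and
# wp-config.php (looked up in the webroot or its parent, where the
# file-hardening step may have moved it), verifies the archive can be read
# back, and prunes old archives. Copy the result off the server afterwards.

# backup_wp WEBROOT DEST DBDUMP [KEEP_DAYS]
# Prints the path of the new archive on success.
backup_wp() {
  webroot=$1
  dest=$2
  dbdump=$3
  keep_days=${4:-14}

  if [ -f "$webroot/wp-config.php" ]; then
    cfgdir=$webroot
  elif [ -f "$webroot/../wp-config.php" ]; then
    cfgdir="$webroot/.."
  else
    echo "wp-config.php not found for $webroot" >&2
    return 1
  fi
  if [ ! -f "$dbdump" ]; then
    echo "database dump $dbdump missing" >&2
    return 1
  fi

  mkdir -p "$dest"
  archive="$dest/wp-$(date +%Y%m%d-%H%M%S).tar.gz"
  # Multiple -C switches let tar pick members from different directories
  # without copying them into a staging area first.
  tar -czf "$archive" \
    -C "$webroot" wp-content \
    -C "$cfgdir" wp-config.php \
    -C "$(dirname "$dbdump")" "$(basename "$dbdump")"

  # Read the whole archive back: a truncated or corrupt gzip fails here,
  # not on the day you need the restore.
  if ! tar -tzf "$archive" > /dev/null; then
    rm -f "$archive"
    echo "archive verification failed" >&2
    return 1
  fi
  chmod 600 "$archive"   # the dump holds credentials and user data

  # Retention: drop archives older than KEEP_DAYS.
  find "$dest" -maxdepth 1 -name 'wp-*.tar.gz' -mtime +"$keep_days" -exec rm -f {} +
  printf '%s\n' "$archive"
}

# Usage (cron, daily):
#   wp --path=/home/account/public_html db export /tmp/db.sql \
#     && backup_wp /home/account/public_html /home/account/backups /tmp/db.sql 14
```

Run it before every core or plugin update as well, and copy the printed archive to storage the web server account cannot delete, so that an attacker who gets into the site cannot also wipe the backups.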

Frequently asked questions about WordPress hardening

How do hackers gain access to your website?

Hackers most commonly get in through brute-force attacks on the login (guessing usernames and passwords, trying generic passwords, replaying credentials leaked from other sites), through social engineering and phishing emails that trick you into handing over your login, and through known vulnerabilities in outdated plugins, themes and core.

Protect against these with a long password of upper- and lower-case letters, numbers and symbols that is not easy to guess or crack, a login lockout after a few failed attempts, and by keeping everything updated.

What is the activity of a web application firewall?

A WAF is a first line of defense for a web application. It inspects incoming HTTP/S requests, filters out those that match known attack patterns (SQL injection, cross-site scripting, requests for known-vulnerable plugin files), and, with the right rules, can also block unexpected outbound traffic from an application that has already been compromised. It works from a set of policies that define what counts as safe or malicious behaviour, so it can stop many attacks on a vulnerability before you have had time to patch it. It is a mitigation, not a fix: keep patching.

Which version of PHP are you currently on?

Use the Site Health tool, which you find under Tools in the left navigation pane; its Info tab lists the PHP version. Make sure it is a version that still receives security updates from the PHP project, and upgrade through your hosting panel if it is not.

What about all these security plugins? I think they will affect the site speed?

Install only one security & firewall plugin on your WordPress website; two will compete for the same login and request hooks and can lock each other out. Run a Google PageSpeed Insights test before and after installing. A good security plugin should have minimal impact on page speed unless it is outdated or badly configured. Look at the release date to get an idea of how current the plugin is.

Please be aware that some plugins might be incompatible, or work less well, with your security plugin.

Conclusion: How to harden a WordPress website

You should now understand how to keep your WordPress site hardened and secure after reading this article. You may also be wondering what the next steps are. A good first step is to install one security plugin, such as All in One WP Security & Firewall (free) or WP Cerber (free and paid), on your site, and then work through the remaining steps: updates, a non-default username, a strong password, HTTPS, the file-level hardening and regular backups.

These tools help protect against the threats mentioned above that could compromise your WordPress website, such as malware, spam, brute-force attacks and data theft, but they are not a substitute for the other steps.

Additionally, if you do not wish to do it yourself, I offer a gig on Fiverr that will enable you to secure WordPress using a powerful free WAF plugin.

Can you please share some of your other cyber-security tips for WordPress sites? Let me know by leaving a comment below!

