How to Protect & Secure Website From Hackers (Step by Step Guide)

Jan 1, 2020


Are you worried about hackers attacking your website? You’re right to be. There are around 90,000 hack attacks on WordPress sites every minute! Hackers prey on websites to run malicious activities, which could include stealing customer data and money, selling illegal products on your site, or sending spam emails (phishing attacks). So you should be thinking about how to protect your website from hackers.

Repairing a hacked website is very difficult. It’s time-consuming and expensive. On top of that, hackers usually create hidden entry points. This allows them to keep coming back and re-hacking your site. Detecting hidden entry points is hard.

Moreover, things can snowball further and your website can be blacklisted by Google or suspended by your hosting provider.

But luckily, there are various simple web security measures you can take to protect your site from hackers and bots.

Today, we’re going to take you through WordPress security measures to secure your website like Fort Knox. Once you implement these measures, hackers will have a really tough time trying to break into your site. And more importantly, your mind can be at peace knowing your site is secured.


If you want to secure your website from hackers without any hassle, install MalCare security plugin on your WordPress website. It will put up a firewall to actively defend your website against attacks. Its security scanner will comb through your site regularly and alert you if it finds anything suspicious. Plus, if your website is hacked, you can clean it up instantly and get back to business.

Protecting your website is easy! We’ve categorized the measures you can implement on your website into three levels. Some are basic security measures that every single website should have, while others are more advanced protocols if you want to make your website extra strong.

Good to know: Hackers generally look for easy pickings. This means if you have even the most basic website protection, chances are they’ll bounce to a site that’s easier to hack.

It’s worth noting that while we strongly recommend taking these measures, you should also run a complete WordPress security audit to learn what sort of security measures your website requires.


Level 1 – Basic WordPress Security Tips

For those who are just starting out on WordPress or are still getting the hang of their own website, here are a few basic measures you need to implement on your website:

1. Install a Security Plugin

The first thing we recommend doing when you set up a WordPress website is installing a security plugin right away.

This is because your website resides in a world that is plagued with hackers who are constantly on the prowl. A new website without any security measures could be more prone to attacks.

Plus, as you set up and run your site, you’ll need to install themes and plugins for design and functionality. While most plugins are safe to use, some may develop vulnerabilities that open up your site to common hacking attacks.

To protect your site, we recommend installing a security plugin like MalCare. It will proactively block any malicious IP address or bad bots.

Once you install it, you can access it from your wp-dashboard or log in through the official MalCare website.


use malcare scan from wp-admin dashboard


Apart from being able to scan the site whenever you want, it will automatically scan your entire website every day on its own. It alerts you if it finds any suspicious activity or malware on your site. In the rare case that a hacker manages to get through, you can clean up your site using the same plugin.

2. Install an SSL Certificate

SSL stands for Secure Sockets Layer. In simple terms, an SSL certificate keeps the data transferred between your website and its users safe. For example, when a customer shares credit card information and personal contact data, SSL encrypts the data in transit so hackers cannot read it even if they intercept it.

When you install an SSL certificate, your site will move from HTTP to HTTPS. You’ll see a padlock appear in the address bar.


padlock at beginning of the URL


You can get an SSL certificate for your website from your web host or any SSL provider online. This ensures that the data exchanged between your users and your site is encrypted and cannot be read by anyone who intercepts it.

3. Update Your Website

Your WordPress installation and its themes and plugins get regular updates. You might see updates available in your dashboard like so:


WordPress update notification


Many of us site owners tend to put off updates for as long as possible. Updates bring new features and enhanced functionality, but they also carry security fixes.

Running your website on outdated software can make it vulnerable. One of the major causes of hacked WordPress sites is outdated software.

Remember to always update your WordPress website regularly. This will also help you protect your website from hackers.

4. Use a Secure Username & Password

Many people tend to leave their login credentials as ‘admin’ and ‘password123’ because they’re easier to remember. But simple usernames and passwords are easy to guess. This allows hackers to gain access to your site. Hackers may also attempt SQL injection through these login queries.

There is a misconception among WordPress site owners that a hacker coming across your site and trying to guess your password is rare. In reality, hackers target any WordPress site using a method called a brute force attack. They use bots to comb through the web looking for sites to attack. Then, with a single command, they can make hundreds of guesses in a second.

It’s recommended to always use unique usernames to easily ward off such hacking attempts. Also, use strong passwords such as a passphrase in combination with numerals and symbols.


insert strong wordpress password


Your username and password are the lock and key to the gate of your website. Recommended Read: How to Choose a Strong Password that’s Easy to Remember.

5. Invest in a Reliable Backup Solution

As we mentioned, fixing a hacked website is difficult and could take a long time. A backup copy of your website would enable you to restore it back to normalcy. You can then take time to fix the hack and seal any website vulnerabilities that allowed a hacker to get in.

There are many backup solutions available in the market. Your host may offer a backup but we don’t recommend relying solely on host backups.

This is because many times, these backup copies don’t work or you may have to figure out a long restore process to get your site back.

To get a backup copy that always works and is easy to restore, you need a WordPress plugin like BlogVault.

It’s easy to set up and you can rest assured your automated backups will come to your rescue when you need it.

Once you have the basics down, we can move on to the next level of measures you need to put in place so that your website is more secure.


Level 2 – Intermediate WordPress Security Tips

These measures might require a bit more understanding of WordPress websites. Once you get the hang of it, we recommend implementing the following steps:

1. Restrict File Uploads

If your website has an option for users to upload files such as a profile picture or images in the comments section, you need to take precautions.

This feature is usually enabled by using a plugin. These uploaded files usually get stored in your website’s database. If there is a flaw or a bug in that plugin, hackers can upload any file they want and find their way into your database.

To avoid this, you need to reset where these uploaded files are stored and put them in a folder that doesn’t affect your site’s database and other important files.

You also need to restrict the type of file your users can upload. Hackers may try to upload PHP files that are capable of executing commands on your website. So, for example, if it’s a display picture, you can restrict file type to PNG and JPEG.

A person uploading a file of any other type, which could be harmful, would receive an error message like so:


error uploading files in wordpress


Your web hosting company can help set this up for you or you can contact a WordPress developer.
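As an added example (not code from the original post or from MalCare), here is how the PNG/JPEG-only restriction described above can be enforced by WordPress itself, as a must-use plugin file dropped into wp-content/mu-plugins/. The function names and the error message are this example's own; upload_mimes, wp_handle_upload_prefilter, wp_check_filetype_and_ext and wp_get_image_mime are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Restrict Image Uploads (added example)
 * Save as wp-content/mu-plugins/restrict-image-uploads.php so it loads on every request.
 * Assumed: a standard WordPress install; the restrict_image_uploads_* names are this example's own.
 */

// 1. Shrink the MIME allowlist to PNG and JPEG. WordPress refuses any other
//    extension before the file ever reaches the uploads folder.
function restrict_image_uploads_mimes( $mimes ) {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
    );
}
add_filter( 'upload_mimes', 'restrict_image_uploads_mimes' );

// 2. Second check at upload time: the type derived from the extension AND the
//    type sniffed from the file's bytes must both be an allowed image type and
//    agree with each other. A PHP script renamed to "shell.png" has an allowed
//    extension but its bytes are not an image, so wp_get_image_mime() returns
//    false and the upload is rejected with a clear message.
function restrict_image_uploads_prefilter( $file ) {
    if ( ! empty( $file['error'] ) ) {
        return $file; // PHP already reported an upload error; leave it as is.
    }
    $allowed   = array( 'image/jpeg', 'image/png' );
    $by_ext    = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    $real_mime = wp_get_image_mime( $file['tmp_name'] ); // false when the bytes are not an image

    if ( empty( $by_ext['type'] )
        || ! in_array( $by_ext['type'], $allowed, true )
        || $real_mime !== $by_ext['type'] ) {
        // Setting a non-numeric 'error' string makes wp_handle_upload() abort
        // and show this text to the user instead of storing the file.
        $file['error'] = 'Only PNG and JPEG images may be uploaded.';
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'restrict_image_uploads_prefilter' );
```

Two caveats when using this: the MIME allowlist is bypassed entirely if ALLOW_UNFILTERED_UPLOADS is defined in wp-config.php, so make sure that constant is not set; and plugins that write uploaded files with their own code rather than through wp_handle_upload() are not covered by these hooks, which is the case the section above warns about.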

2. Implement 2 Factor Authentication

2-Factor Authentication has gained popularity over the years. This method enables the website to verify the user in real-time by using a password that is generated at the time of login.

You might’ve noticed this on many sites like Gmail, Hotmail, and Facebook to name a few. You are required to enter your username and password, and then provide an additional verification through an OTP (one-time password). This would be sent to your mobile number or alternate email.


two factor authentication


You can set this up for your website using a plugin like Two-Factor or Google Authenticator.

3. Limit Login Attempts

In a brute force attack, hackers try thousands of username and password combinations to try and gain access to your dashboard. By limiting the number of failed login attempts, you can block such attacks.


unsuccessful login attempts notification


If you used MalCare to secure your website, you have access to this feature too: limited login attempts are enabled on your website automatically. This makes MalCare a very useful plugin for protecting your website from hackers and their attacks.
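The lockout logic described above, as an added example that is neither MalCare's implementation nor code from the original post: a must-use plugin that counts failed logins per client address in a WordPress transient and refuses further attempts for 15 minutes after five failures. The thresholds, the lla_ prefix and the function names are this example's own; wp_login_failed, authenticate, wp_login and the transient functions are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Save as wp-content/mu-plugins/limit-login-attempts.php.
 * Assumed: a standard WordPress install; the lla_* names and the 5 / 900 thresholds
 * are this example's own choices.
 */

const LLA_MAX_ATTEMPTS = 5;    // failures allowed before lockout
const LLA_LOCKOUT_SECS = 900;  // lockout window: 15 minutes

// Transient key derived from the client address. REMOTE_ADDR is used directly;
// behind a proxy or CDN, have the web server set REMOTE_ADDR to the real client
// address rather than trusting an X-Forwarded-For header from the request.
function lla_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_' . md5( $ip );
}

// Count a failed login. The counter expires by itself after the lockout window,
// and every further failure extends that window.
function lla_record_failure( $username ) {
    $key      = lla_transient_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LLA_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'lla_record_failure' );

// Refuse the login while the address is locked out. Priority 30 runs after the
// core username/password check (priority 20), so the WP_Error returned here is
// the final result even when the password was correct.
function lla_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( lla_transient_key() ) >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again in 15 minutes.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
function lla_clear_on_login( $user_login ) {
    delete_transient( lla_transient_key() );
}
add_action( 'wp_login', 'lla_clear_on_login' );
```

Because the counter is keyed by source address, a brute-force bot spread across many addresses is slowed only per address; this is why the section above pairs login limiting with strong, unique passwords rather than relying on either alone. Transients live in the options table unless an object cache is configured, so on a busy site expect a small number of extra database writes per failed login.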

4. Set up Google Analytics and Search Console

Google offers two important tools all website owners should have. Analytics gives you insight into your website’s traffic and conversions. You can see where your traffic originates from.

In Search Console, you can see which pages rank on Google’s search results, and which keywords you are ranking for.

These tools can help you spot hacks quickly. For example, in an SEO spam hack, you would suddenly see your website ranking for keywords like ‘buy cheap brand online’:


keywords in google search console


There is also a tab for you to check if there are any security threats on your site.


security issues option in google search console


To get access to these tools, you need to add your website as a property using these steps.

Now that you’ve implemented these website security measures, you can be sure most hackers will be kept at bay.

Next, we’ll look at more advanced measures you can take to make your website extra strong. These are more technical in nature and are difficult to implement if you aren’t tech-savvy. Luckily, there are plugins available that make it much easier for anyone to carry out.

If you wish to implement it on your own using manual methods, we advise proceeding with caution. The slightest misstep could render your website broken. We strongly recommend taking a backup of your website so that you can restore your site in case anything goes wrong.


Level 3 – Advanced WordPress Security Tips

These measures will make your site much more secure. Note, you need to carry out the following steps immediately if you’ve been attacked.

1. Block PHP Execution in Untrusted Folders

PHP is a type of computer language used in WordPress that enables the execution of commands.

PHP code is used only in certain files, like the wp-config file, and doesn’t need to be present anywhere else. So the presence of PHP files in other files and folders is often a sign of a hack. By placing a PHP file in a folder, hackers are able to control not only that folder but all other WordPress folders, thereby gaining complete control over your website.

You can change these file permissions and block PHP execution in other folders. Here too, you can implement this measure using the same BlogVault backup plugin. The feature is brought to you by its sister concern MalCare – WordPress Security Plugin.

On the MalCare dashboard, you can visit the shield icon which takes you to security. Here, you’ll see the option to ‘apply website hardening’.


malcare site hardening


On the next page, you’ll see three levels of hardening you can implement.


malcare essential site hardening options


2. Disable the File Editor

WordPress has an option to edit a theme or plugin directly from the dashboard. If you log in to your wp-admin and visit ‘Appearance’, you’ll see an option called ‘Editor’. The same applies to plugins.

It allows you to directly edit the code of a theme or plugin from your wp-admin dashboard.


plugins in wp-admin dashboard


This feature might be useful to developers, as the theme and plugin files are directly accessible from the dashboard, but the option is rarely ever used by WordPress admins. And if a hacker gains access to your WordPress dashboard, they can edit these files and wreak havoc on your website. This gives them a door to your website’s files on the backend.

It’s recommended to disable this option. You can do so using MalCare’s website hardening option. Follow the steps detailed in the point above.

3. Change Security Keys

You might have noticed that you needn’t enter your credentials every time you want to log into your WordPress dashboard. Your credentials are pre-filled for you. This is possible because WordPress uses security keys. These keys help store login information in your browser. It is stored in an encrypted manner so that even if anyone manages to steal them, it’ll be hard for them to read the actual login credentials.

But if by chance, a hacker finds these security keys, they can use it to decipher your login details. Your security keys are stored in the wp-config file.

Just like you should change your password regularly, it’s also recommended you change these keys on a bi-annual basis. If you’ve been hacked, you should change them immediately.

You can change these keys using the same MalCare plugin under ‘Apply Website Hardening’.


malcare site hardening options


You can also do this manually. However, we don’t recommend the manual method, as it’s risky to make changes directly to your WordPress files. If you wish to proceed, you need to edit your wp-config file. To find this file, go to your hosting account > cPanel > File Manager.


file manager in cpanel


Here, you need to access your root directory which is usually called public_html.


wordpress folders in file manager


In this folder, you will find your wp-config file. You can right-click and choose ‘Edit’. Here, you’ll see your security keys like so:


wp-config file


You need to replace ‘put your unique phrase here’ with your own keys. You can generate a set of keys using this link.

Next, all you need to do is copy and paste the code into the wp-config file (replacing the old keys). Save the file and exit your hosting account. We recommend visiting your website to make sure everything is working fine.

4. Disallow Plugin Installations

If you run a website that has many users managing it, or if you manage websites for clients, you may not want someone mindlessly installing a plugin. Installing a plugin from an untrusted source could open up vulnerabilities on your website.

Further, installing a plugin without checking its compatibility could break your website. You can disable plugin installations as well using a WordPress security plugin like MalCare.


malcare block plugin/theme installation


If you want to block plugin and theme installations manually, you need to add a line of code to your wp-config file.

Access your wp-config file using the same method as detailed above. Once you’ve opened the file, you need to add the following line:


Save and exit cPanel and the changes will be implemented. To remove this block, you can simply go back to the wp-config file and delete this line of code.
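Here is a wp-config.php fragment that covers the three hardening steps above (disable the file editor, change the security keys, disallow plugin installations) in one place, as an added example rather than text from the original post. The constant names are WordPress core; the key values are placeholders to be replaced with freshly generated ones.

```php
<?php
// wp-config.php hardening fragment (added example; not from the original post).
// Place these lines above "/* That's all, stop editing! Happy publishing. */".
// The key values are PLACEHOLDERS: replace every one with fresh output from the
// WordPress.org generator at https://api.wordpress.org/secret-key/1.1/salt/

// "Disable the File Editor": removes the theme and plugin code editor from wp-admin,
// so a stolen admin login cannot be turned into arbitrary PHP on the server.
define( 'DISALLOW_FILE_EDIT', true );

// "Disallow Plugin Installations": also blocks installing, updating and deleting
// plugins and themes from wp-admin (implies DISALLOW_FILE_EDIT). Caveat: it
// disables WordPress's automatic background updates too, so plan how updates
// will be applied (for example, remove this line temporarily) to stay current.
define( 'DISALLOW_FILE_MODS', true );

// "Change Security Keys": rotating these invalidates every existing login cookie,
// so all users, including you, are signed out and must log in again. That is
// exactly what you want after a suspected compromise.
define( 'AUTH_KEY',         'PLACEHOLDER-replace-with-generated-value' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-replace-with-generated-value' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-replace-with-generated-value' );
define( 'NONCE_KEY',        'PLACEHOLDER-replace-with-generated-value' );
define( 'AUTH_SALT',        'PLACEHOLDER-replace-with-generated-value' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-replace-with-generated-value' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-replace-with-generated-value' );
define( 'NONCE_SALT',       'PLACEHOLDER-replace-with-generated-value' );
```

After saving, load the site and log in once to confirm wp-admin still works; a typo in wp-config.php (a missing quote or semicolon) takes the whole site down, which is why the section above recommends a backup before editing it by hand.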

5. Auto Logout Inactive Users

Many times, users of your website may leave their accounts open and their systems unattended. If someone gets unauthorized access to their accounts, they can use it to create new admin logins for themselves and carry out other such harmful acts.

Auto-logging out your users who have signed in but not been active for a while would help mitigate the risk of unauthorized access.

There are ways to implement this manually but we don’t recommend it. Apart from being complex, we find it to not be a secure way to do it. It could create more vulnerabilities on your website if not implemented correctly.

We recommend using a WordPress plugin for this. You can use BulletProof Security or Inactive Logout to enable auto-logout on your website. The above tips to protect your site will help fortify it and keep it safe from the hands of hackers. For more, you can follow our WordPress security guide.


Conclusion: Stay Protected From Hackers

If we could equate creating a website to having a child, then going live in the digital world is like sending your child out into the real world. It’s full of dangers and risks which your website is exposed to!

Taking security and website hardening measures on your site is an absolute must to keep hackers out. But security is not something you can set and forget. These measures need to be reviewed or re-implemented from time to time.

But this means you have additional tasks to add to your already-long list of things to do. To avoid the hassle and still stay protected at all times, we strongly recommend installing a simple yet powerful tool like MalCare on your website.

Your website will be constantly monitored and defended against malicious traffic. You can have peace of mind that only the good traffic gets through.


Try our MalCare Security Plugin Now!
