How to Secure WordPress Blog From Being Hacked?

How to Secure WordPress Blog From Being Hacked

Back in 2003, when WordPress was developed by Matt Mullenweg.

It was meant to be an easy to use platform for bloggers to share their thoughts over the internet.

But, the easy to use interface and extreme scalability of the program got the attention of a lot of webmasters around the world.

And, Just in a few years of its launch,

WordPress became the most popular CMS in the world.

Now ways the WordPress we use is,

Actually far more advanced than what it was before.

In fact, though they kept the name of the program the same as before,

WordPress is now so advanced that you can build almost any kind of website you can think of using WordPress.

But Still, you need to secure a WordPress blog from Hackers.

Because Nothing is secure 100% in this tech world.

As WordPress is so popular CMS for building a new website for both newbies as well as tech nerds,

Hackers all around the world spend a lot of their time to find new loopholes within WordPress websites,

And constantly tries to hack them.

In fact, nowadays this is one of the major concerns among new businesses,

And, some of them try to avoid using WordPress for this hack phobia.

But today in this post I’m going to share 10 tips with you which can make your site super secure and almost impossible to hack.

I’ve been using these tips on my own site and my client sites for 4 years now,

And, in these 4 years none of these sites gets ever get hacked for once.

Get a fast & secure web hosting

When it comes to hosting people always look for the unlimited plan accounts with unlimited space, unlimited bandwidth, and unlimited domains.

Because they think that it will be cheaper that way.

But what they never understand is that what a trap they are falling into.

In short, there is nothing unlimited in this universe.

Not even sunlight!

It is also going to run out one day one way or another.

Big brand companies use the “UNLIMITED” tag to lure newbie users to get them online,

And after that provide such a pathetic service,

That they will almost feel forced to upgrade to a more costly VPS server.

If you are looking for a blazing fast full SSD based hosting solution,

I will suggest you try out these top Web Hosting services.

Because always remember this as a thumb rule of the web,

No matter how much you make your website secure from the code level,

A major part of the security responsibility lies on the servers where your sites are hosted.

Never use the default “admin” username

Nowadays installing WordPress in any server has become so easy that most people just overlook these minor things at the installation process.

No matter whether you use the default WordPress installer or any one-click installer that comes with your server control panel,

Make sure you change the primary admin username to anything else from the default “admin”.

This is very important.

The reason it is most important is that,

Most hackers use Brute Force Attack tools to randomly guess your username and password for a successful login.

Now if your admin username is actually “admin”,

Then you already have made the life of the hacker extremely easy,

As now they only have to crack your password.

Always use a super-strong password

I know this is a very basic thing and everyone on the internet already knows this,

But trust me,

Not everyone uses this when it is needed most.

Make sure your WordPress admin password contains a combination of…

  • Uppercase,
  • Lowercase,
  • Alphanumeric (e.g. @, #, ?),
  • Number and
  • Is at least 9 characters long.

In this way, you can give the hacker a real pain to actually decrypt your password.

Always keep your WordPress core, themes & plugins updated

Trust me this is one of the most common things I find on almost every client website I work on.

Some just keep WordPress updated.

But not the themes and plugin as the fear that it may break their well operational site.

And, some just update the WP core and plugins.

But not the themes in the same fear.

Though it is true that updating WordPress core, theme or plugins may break your site sometimes.

But it only occurs for 0.001% of the website who uses badly coded themes and plugins.

The reason things get broke after the update is that,

Sometimes the developer of the theme you are using or some plugin in your site has stopped supporting and updating its code.

So, when WordPress deprecate any function,

Those themes/plugins still try to access it and end up having lots of PHP error.

This is why I always suggest to use a backup system like UpdraftPlus Premium or BackupBuddy and create a backup of your entire site before updating.

This way if things get messed up you can restore back to your previous working version of your site.

And then, you can either hire a developer to look for what things are causing the breakdown,

Or can investigate it by yourself in your localhost if you are comfortable with coding.

No matter what the case is,

Always keep your site updated with the latest version of WordPress, installed themes and plugins.

Developer releases patch every other day to fix the vulnerabilities in their software as soon as they get spotted or notified.

Delete the themes & plugins that you don’t use

I’ve seen many WordPress sites full of installed themes and plugin which they don’t even use on their site.

They just keep these things disabled and thought they are not gonna hard anyway as they are disabled.

This is completely the wrong idea.

It is much easier for any hacker to target old themes/plugins or things that are installed.

But disabled to get pass the security of your website by targeting the vulnerabilities in those themes and plugins.

As these things are already disabled in your site,

So you are not gonna notice any subtle change in the code of those themes/plugins.

And, hackers use this as their advantage.

Also, many times when you install a plugin in your site and then disabled it over time,

The actual developer of that plugin stops updating that plugin.

And, hackers use vulnerabilities within those old theme/plugins to hack your site.

So, always keep the things that you actually use in your site,

If there is a list of plugin and themes which are installed in your WordPress installation.

But you don’t use it,

Just DELETE them.

Whether it is a theme or plugin that comes with the default installation of WordPress or something you have separately installed earlier.

This same rule applies to them all.

Only keep the things you need and get rid of the rest.

Use Jetpack Protect filter

That’s right.

I know many people think that Jetpack plugin is a very resource hogging plugin.

But let me tell you that all of you are wrong about this plugin.

Jetpack is actually an amazing plugin that has been made for WordPress.

The problem is that,

People use it in the wrong way and end up with a slow website.

And, they point the finger to this plugin.

After installing the Jetpack plugin,

Most people just enable all the filters available within the plugin, which is not a good thing to do.

Instead what you should do is,

Go to Jetpack Settings in your WordPress dashboard.

And, enable specifically those filters you truly need for your site and disable the rest.

But don’t forget to enable the “Protect” filter of Jetpack.

As it will help your site from getting attacked by Brute Force attackers.

And, also safeguard your site from a fake login attempt.

This is a really useful filter which will not only protect your site from hackers.

But also safeguard your site from server slowdown due to multiple random requests by hackers.

Use Advanced noCaptech reCaptcha plugin

The Google noCaptcha reCaptcha is the predecessor of the original Google reCaptcha (v1),

Which used to show up annoying illegible captchas to do a simple task.

But noCaptcha reCapcha doesn’t show any annoying captcha.

Instead, it just asks you to click a checkbox.

And, if Google thinks that your IP is suspicious,

Then it asks you to select some specific picture from a list of the picture.

This is really great and makes solving captcha a painless process.

In WordPress,

There is an awesome plugin named Advanced noCaptcha reCaptcha,

Which will allow you to enable noCaptcha reCaptcha in your WordPress login page, signup page and even in the comment form,

Which is great,

As now hacker bots cannot just keep trying to guess the proper login credential of your site.

Because they can’t get pass the captcha.

Also as noCaptcha reCaptcha is a Google project.

So you can always expect that their fraud detection algorithm is also getting improved on par with the latest hacking trends.

I will suggest you enable this plugin for your comment form to which will not just reduce the number of your spam comment,

But also save your site from hacker bots who try to do SQL injection via comment forms.

Only install trusted themes and plugins

Never install themes or plugins from some marketing video or spoofy marketing websites.

Because in most cases though provide completely built a free website,

There is a high chance that those themes and plugin have malicious code which can compromise your website security.

If you are installing free themes or plugins,

Only install them through your WordPress plugin installer or download them from the WordPress plugin repository.

Purchase or download themes and plugins only from a trusted website like ThemeForest, Codecanyon, etc.

Disable directory listing

On most web servers directory listing has been enabled by default for much good reason,

But after your website development has been completed,

Just open the .htaccess file present in the root directory or under the public_html directory of your server,

And add this following code at the top of your existing .htaccess code.

Options -Indexes 

This will disable the directory listing feature of your server,

And, anyone who tries to access a server directory that doesn’t have an index.html or index.php file will return a 403 Forbidden error.

The above code will work for Apache as well as Lightspeed servers.

But if you have an Nginx server, contact your server admin to enable this on your website.

This is very important because,

If you do not disable this feature on your website,

Hackers can easily follow along with your directory structure,

And, find out what exact files you have in your server and how they are arranged.

This gives them an advantage of knowing your site perfectly.

So, you must enable it.

Set the proper permission for files and folders

If you have cPanel access log in to your file manager,

Make sure all the files of your site has permission set to 644,

And, all the directories have permission set to 755,

Unless some plugin especially asks you to set some special permission to some special folders.

Like some cache plugin asks users to set the permission to /wp-contents/cache/ folder to 777.

These are an exceptional case,

But for the rest of the file follow the above permission structure.

What about plugins like Sucuri Scanner or Wordfence?

I know many people use plugins like Sucuri, Wordfence in their website.

Because they think that these plugins will save their site from getting hacked,

But I personally don’t use these on my website or my client’s site,

And will not recommend anyone to use these plugins on their WordPress site either.

The reason behind it is that,

These plugins will not save your site from getting hacked,

Besides, these will just show you some malicious activities and might help you to recover some core WordPress files after your site is already been hacked.

There is no point in installing these plugins on any WordPress site whatsoever.

Also as these plugin constant scan your site,

These plugins are actually very resourced consuming.

And, in my opinion,

They actually waste your server resources instead of properly utilizing it.

Besides using these plugins,

If you just follow the above 10 Thumb Rules that I’ve shared,

I can assure you that you don’t have to worry about getting your WordPress site hacked,

And moreover, none of my above tips is a resource hogger.

What if I use Hide WordPress plugins?

Yes, there are a few plugins available (bother free and paid) which claims that it will hide your WordPress site.

But trust me!

It only hides it from newbie or noob users.

If any hacker or anyone with good knowledge in WordPress and its structure,

Can still identify your site as a WordPress site.

So, there is no actual benefit of using plugins like these.

Besides these plugins has quite a few downsides,

Like in future,

If you decide not to use these plugin anymore,

The change URL structure might back your site,

And, it can be really hard to get your site back to its own track.

Also, I’ve seen these plugin causing a lot of issues while migrating the site to other hosts or locations.

So, I will suggest everyone not to use these plugins ever in your life.

Why didn’t you said anything about blocking default WordPress meta tags?

I know many sites out there deliberately ask their users to disable the default WordPress meta tags,

Which shows your site using WordPress along with the version number.

And, also claims that this will help their site from getting hacked.

But as I said above that,

You cannot hide your site’s CMS from hackers or knowledgeable programmers,

So, this is nothing!

But a waste of code.

Besides I think as it will not help you from your site getting hacked,

Why blocking the good words about WordPress?

Developers around the world spend countless hours from their valuable time to keep the WordPress project running,

And, fix the issues that still offer it free of cost.

So, shouldn’t we have a minimum responsibility to spread the good words about the CMS?

You are not providing any backlinks, just a few meta tags, what’s the harm in this?

I do not use this on my own site and will not suggest anyone do so either.


If you are really worried about getting your WordPress site hacked (which you should be),

You better follow the 10 tips that I’ve described above besides installing a bunch of plugins and slow down your site for no good reason.

As I said, in the beginning,

I’ve been using these tips on my own site along with my client’s site from 4 years now and none of them get hacked ever.

Not for a single time.

But no matter what you don’t forget the importance of point 1,

Because always remember that,

Fast and secure hosting is the base of your site’s speed and security.

And, please never ever use hosting services like GoDaddy, JustHost, Hostdime, etc.

These companies are just a bunch of crap who sells crappy hosting at an extremely cheap price.

But you will end up having a slow and insecure hosting experience.

The list that I’ve provided above all of them are great hosting providers with a fast and secure server like my own server and hosting plans.


  • Has your site ever gets hacked before? What you did to restore your site back?
  • Do you already follow all of my above instructions?
  • Is there any other method you use to protect your site?

Let me know your thoughts in the comment section below where we can carry on this conversation.

Written by Vishal Rana

Founder and Editor-in-Chief of 'PresentBlogging'. Grey Hat Hacker, Cyber Security Consultant, Information Security Researcher, Programmer, Developer, Social Engineer, Penetration Tester, Professional Blogger and SEO expert.


Leave a Reply

Your email address will not be published. Required fields are marked *





Enable DNS Prefetching in WordPress For Faster Loading

How to Enable DNS Prefetching in WordPress For Faster Loading?

Why You Should Avoid Disqus Comment System

Why You Should Avoid Disqus Comment System?