9 Ways To Keep Your WordPress Site Secure From Hackers (How-to Guides)

Post Series: Online Business Launch

Web security is arguably the least fun aspect of managing your own online business. Like all safety measures, web security is easy to overlook until something disastrous happens to your site, such as a customer data breach or other hack.

But fear not: we’ve rounded up some best practices that all bosses should implement to protect their website, their customer data and their company’s reputation.


1. Use complicated username and password combinations

It’s such a pain to use complicated username and password combinations, but you must! Avoid using “admin” as the main username that you use to access your WordPress dashboard. Follow the password guidelines in this article for even more instructions.

Having a hard time getting creative? Websites like Strong Password Generator can help you come up with long, complicated combinations for your passwords. Just make sure to keep your passwords somewhere accessible and secure (we like using LastPass).

2. Keep WordPress and plugins updated at all times

WordPress is constantly updating its platform to improve performance, use and security. It’s crucial that you always keep your WordPress updated to keep your site secure and stable. Follow the instructions in this article to automate updates for major WordPress releases.

3. Before adding a theme or plugin, know what to look for

WordPress is an open-source technology, which allows for incredible innovation and options from developers all over the world! With that, it’s important that you look for reputable, trusted products when installing themes or plugins. A few things to check for before you install:

  • Number of installs vs. number of reviews – this will give you an idea of how many people have not only installed the plugin, but how many approve of its performance.
  • Last updated date – an engaged and reliable plugin developer will likely update its plugin once a week. If it’s been months or years since the last update, don’t install.
  • Support center – look through the plugin developer’s Support/Help section (be sure that there is a Support/Help section) to see how robust and responsive their customer service is.
Installation screen for Caldera Forms WordPress Plugin

Most plugins and themes will be updated by their developers once a week. To update, follow the instructions in your WordPress dashboard when you log in. You can also follow these instructions to allow certain plugins to automatically update.

4. Minimize the number of plugins installed on your site

It’s arguable whether or not adding too many plugins can harm your website, but we recommend keeping plugins to a minimum. Adding too many plugins or insecure plugins can lead to slow website speed, crashes or hacks.

We know it can be tempting to add new plugins to your website for added functionality, but choose wisely before installing. Be sure to remove any unused plugins from your site, and before adding new plugins, be sure that one of your existing plugins doesn’t already offer the functionality you’re looking for. We recommend this article which provides a ton of detail regarding plugin best practices.

5. Change your WordPress login URL (don’t use /wp-admin)

One of the first things that you do when setting up your self-hosted WordPress site is to define the URL that you’ll use to log in to your WordPress dashboard. By default the login page will look like We know this, and so do hackers. There are a number of ways to change the “wp-admin” URL string. The plugin WPS Hide Login is a lite plugin that offers this option.

6. Implement an SSL certificate

A few definitions: HTTP (HyperText Transfer Protocol) and HTTPS (HyperText Transfer Protocol Secure) are both protocols, or languages, for passing information between web servers and clients. HTTPS is a secure connection, whereas HTTP is not secure. To migrate your site from HTTP to HTTPS, you’ll need an SSL (Secure Sockets Layer) certificate.

Implementing an SSL certificate on your website is not only good for security, it’s good for your search rankings. A few things to consider:

Implementing an SSL certificate can be laborious, so it’s best to do so right from the launch of your website, if possible. Click here for more detailed instructions on how to enable HTTPS on your website.

7. Update the .htaccess file to block IPs from all except your site’s administrators

This gets slightly technical, but a great way to protect your WordPress dashboard from would-be hackers is to update your .htaccess file to block individual IPs or groups of IPs or, better yet, to grant access only to specific IPs, which is what we recommend. No plugin needed! You edit the file through the File Manager provided by your web host. Here’s a step-by-step guide:

1) Log in to your website’s cPanel

Typically accessible via

2) Click on File Manager

Steps for blocking IPs via .htaccess file

3) Be sure to display Hidden Files (this might be accessed under “Settings”)

Find the Settings dialogue box to display hidden files.

4) Click on the .htaccess file and click Edit

5) Add the following code at the top

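<Files wp-login.php>
# deny everyone by default, then allow only the addresses listed below
order deny,allow
Deny from all

# whitelist Jane's IP address (99.999.99.99 is a placeholder; use the real address)
allow from 99.999.99.99
</Files>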



.htaccess file example
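
A mistake in this block can lock every administrator out or leave the login page open, so it is worth checking the text before saving it. The following is an added example, not part of the original guide: the function name `check_login_block` and the sample address are assumptions, and it accepts only full IP addresses or CIDR ranges in `allow from` lines.

```python
import ipaddress
import re

# Constructed sample: the block from step 5 with a documentation-range
# address (203.0.113.10 is a stand-in, not a real administrator IP).
SAMPLE_OK = """\
<Files wp-login.php>
order deny,allow
Deny from all
allow from 203.0.113.10
</Files>
"""

OPEN_RE = re.compile(r'<Files\s+"?wp-login\.php"?>', re.I)
ALLOW_RE = re.compile(r"allow\s+from\s+(.+)", re.I)

def check_login_block(htaccess_text):
    """Return a list of problems found in the <Files wp-login.php> block."""
    lines = [ln.strip() for ln in htaccess_text.splitlines()]
    start = next((i for i, ln in enumerate(lines) if OPEN_RE.fullmatch(ln)), None)
    if start is None:
        return ["no <Files wp-login.php> block found"]
    problems = []
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].lower() == "</files>"), None)
    if end is None:
        problems.append("block is never closed with </Files>")
        end = len(lines)
    # Ignore blank lines and comments inside the block.
    body = [ln for ln in lines[start + 1:end] if ln and not ln.startswith("#")]
    if not any(ln.lower() == "deny from all" for ln in body):
        problems.append("missing 'Deny from all': the login page stays public")
    allowed = []
    for ln in body:
        m = ALLOW_RE.fullmatch(ln)
        if m:
            allowed.extend(m.group(1).split())
    if not allowed:
        problems.append("no 'allow from' entry: everyone is locked out")
    for entry in allowed:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"'{entry}' is not a valid IP address or CIDR range")
    return problems

if __name__ == "__main__":
    print(check_login_block(SAMPLE_OK) or "block looks consistent")
```

Run it against a copy of the file contents before saving; an empty list means the block is closed, denies by default and lists only well-formed addresses.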


8. Add CAPTCHA for Contact Forms and WordPress Login Forms

Have you ever had to tap that “I’m not a robot” box when completing a Contact Form on a website? This is a great way to block bots and other malicious hackers from accessing your forms. Use the Google Captcha WordPress plugin or Better WordPress Recaptcha plugin on your site.

9. Add a double-login

Another way to protect your WordPress dashboard is to implement a double login, also known as two-factor authentication. Yes, it’s another username/password for you to remember, but it’s one more layer of security against bots designed to hack into your site. Wordfence is a WordPress security plugin that allows you to set up a secondary WordPress login page, and also automatically blocks IPs with too many failed attempts to log in to your website. Other recommended security plugins include iThemes and Login Lockdown.
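
The idea behind blocking IPs with too many failed logins can be seen by counting failures in a web server access log. The following is an added example, not code from the original guide or from any of the plugins named above: the log lines are constructed, the function name `ips_to_block` and its thresholds are assumptions, and it assumes a POST to `/wp-login.php` answered with status 200 is a failed login while 302 is a successful one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format, documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.7 - - [12/Mar/2024:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.10 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.10 - - [12/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2024:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.44 - - [12/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.44 - - [12/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.44 - - [12/Mar/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def ips_to_block(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return sorted IPs with more than max_failures failed logins in any window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "200":  # assumed marker of a failed login
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            failures[m.group(1)].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        lo = 0  # left edge of the sliding time window
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_failures:
                flagged.add(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))
```

The administrator who mistypes a password once and the address with failures spread over hours are left alone; only the burst of failures inside the window is flagged.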

This post is part of our series 11 Essential Steps to Launching Your Online Business. We invite you to join the Digital Dame Collective by signing up for our emails to be the first to know when our new posts go live.
