6 Essential Steps to Keep Your WordPress Website from Getting Hacked


Happy Internet Security Month!

These 6 steps will prevent 99% of hacking attempts on your WordPress website, and most of them only require a click or two and aren’t very technical.

Of course, we all want to keep our website secure and not get hacked. It’s not fun when a hacker takes control of your website… But we also have a life and might not understand all the technical jargon. So let’s skip the fluff and get your website secure.


1. Don’t Use Easy-to-Guess Usernames and Passwords

The easiest way for a hacker to take control of your website is to guess your username and password. This may account for 8% of hacked WordPress websites. So do you have a good username and password?

Is your username “admin”? That’s super easy for hackers to guess. Here’s a video showing how to change that.


And what password do you use? Does it look like “password”, “12345”, or one of the other top 1000 most-commonly-used passwords? Yes? Hackers make programs that automatically try all of those when hacking into your website. That’s called a “brute force” attack. Here’s a video showing how to change your password.


2. Make Regular Website Backups

Do you have a backup of your website? (The database and files?)

Before doing the next changes, you need to make a database backup. It is possible things might break. If so, you need a backup to restore to.

Also, if you get hacked, you’ll probably need to restore to a backup from before you got hacked. If you have no backups, you’ll need to recreate your website from scratch. Have fun.

So here’s a video showing how to install and set up a popular WordPress backup plugin, UpdraftPlus.


3. Keep WordPress, Plugins and Themes Up-to-Date

Periodically, security problems are discovered in all software. That’s the main reason there are frequent updates to Windows, Mac OSX, and WordPress. If you don’t keep WordPress, its plugins, and themes up-to-date, you may be using an older version with publicly-known security issues. Not doing this may account for over 50% of hacks to WordPress.

But realize it’s possible that when you update, things will break. That’s why you made a backup earlier!

Here’s a video showing how to update WordPress plugins.


WordPress should actually get security updates automatically. Every few weeks you should get an update saying “You have successfully updated to…”. If not, ask your host or developer if you’re getting automatic updates.

4. Install a Security Plugin

Here are a few ways security plugins can help keep your WordPress website secure:

  • limit login attempts. This prevents a hacker from trying a “brute force” login attack mentioned earlier
  • prevent suspicious requests using a firewall. Most hackers set up programs to automatically try to hack your websites. Well, security plugins can likewise detect when they’re doing that and prevent them.
  • scan for suspicious changes to files. If your website gets hacked, usually the hacker’s program will change WordPress to suit their needs. Security plugins can detect when this has happened and alert you.
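As an added illustration of the third bullet (this is not code from the post or from any security plugin), here is a small file-integrity check in Python: record a baseline of hashes for the PHP and JS files under a WordPress install, then report which files were added, removed or modified since. The directory layout and file contents in `demo()` are constructed sample data, not a real site.

```python
import hashlib
import tempfile
from pathlib import Path

# File types worth watching in a WordPress tree (a choice made for this example).
WATCHED = (".php", ".js", ".htaccess")

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every watched file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix in WATCHED or p.name in WATCHED):
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline was recorded."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed sample: a tiny fake WordPress tree, baselined, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "wp-includes" / "functions.php").write_text("<?php function wp_foo() {}\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = build_baseline(root)  # in practice, store this copy off the server
        # Simulate the kind of change a scan should flag: a core file edited,
        # and a PHP file appearing in a folder that should only hold images.
        (root / "wp-includes" / "functions.php").write_text("<?php function wp_foo() {} // edited\n")
        (root / "wp-content" / "uploads" / "x.php").write_text("<?php echo 'unexpected';\n")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it was taken from a known-good copy and kept where a compromised site cannot rewrite it.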

Wordfence and Sucuri are the two most popular security plugins. I prefer Wordfence mostly because I met the owner once at a WordCamp and he bought dinner for a bunch of us… And I use it and found it pretty slick.

Here’s a video showing how to set up Wordfence.

5. Use HTTPS instead of HTTP

Does your website URL start with http:// or https://?

Eg, http://mysite.com or https://mysite.com?

That little “s” stands for “secure”, meaning that when someone visits your website, the data sent between the user’s browser and your server (eg a password when logging in, or personal information stored on the server) is transmitted securely so no one else can see it. If you’re just using http:// it can be intercepted and read by others. (If you’d like an explanation so simple a child can understand it, I wrote and illustrated a children’s story explaining how that all works!)

In order to have your website work on https://, you need to get an “SSL certificate”. Most hosting companies can install it for you for around $40 a year, but some will give you one for free.

Here’s a video showing how to set up a free SSL certificate on Bluehost, but our recommended hosts can do this too.

6. Upgrade PHP

WordPress isn’t the only software you need to keep up-to-date. You should also update PHP.

Currently, WordPress can work with PHP version 5.2 or higher. But older versions of PHP have security issues, and the only way to fix them is to upgrade PHP to at least version 7.0. Version 7.2 would be better, if possible.

Many hosts allow you to simply flip a switch to upgrade PHP. So it’s easy. The only trick is that some of your plugins or themes might not be compatible with newer versions of PHP…

If you upgrade and find something is broken, your host should make it equally easy to revert to the old version of PHP you were using, which will resolve the errors.

Here’s a video showing how to change PHP versions on BlueHost.

That’s It

If you’ve done these 6 steps, your WordPress website is really pretty secure. These are all the things I’ve done on my sites.

If you want to spend more time securing your site, read these (ordered from least technical to more technical):

This post is originally from my personal blog.
