6 Essential Steps to Keep Your WordPress Website from Getting Hacked


Happy Internet Security Month!

These 6 steps will prevent 99% of hacking attempts on your WordPress website, and most of them only require a click or two and aren’t very technical.

Of course, we all want to keep our website secure and not get hacked. It’s not fun when a hacker takes control of your website, but we also have lives and might not understand all the technical jargon. So let’s skip the fluff and get your website secure.


1. Don’t Use Easy-to-Guess Usernames and Passwords

The easiest way for a hacker to take control of your website is to guess your username and password. This may account for 8% of hacked WordPress websites. So do you have a good username and password?

Is your username “admin”? That’s super easy for hackers to guess. Here’s a video showing how to change that.


And what password do you use? Does it look like “password”, “12345”, or one of the other top 1000 most-commonly-used passwords? Yes? Hackers make programs that automatically try all those when hacking into your website. That’s called a “brute force” attack. Here’s a video showing how to change your password.


2. Make Regular Website Backups

Do you have a backup of your website? (The database and files?)

Before doing the next changes, you need to make a database backup. It is possible things might break. If so, you need a backup to restore to.

Also, if you get hacked, you’ll probably need to restore to a backup from before you got hacked. If you have no backups, you’ll need to recreate your website from scratch. Have fun.

So here’s a video showing how to install and set up a popular WordPress backup plugin, UpdraftPlus.


3. Keep WordPress, Plugins and Themes Up-to-Date

Periodically, security problems are discovered in all software. That’s the main reason there are frequent updates to Windows, Mac OS X, and WordPress. If you don’t keep WordPress, its plugins, and themes up-to-date, you may be running an older version with publicly-known security issues. Not doing this may account for over 50% of hacks to WordPress.

But realize it’s possible that when you update, things will break. That’s why you made a backup earlier!

Here’s a video showing how to update WordPress plugins.


WordPress should actually get security updates automatically. Every few weeks you should get an update saying “You have successfully updated to…”. If not, ask your host or developer if you’re getting automatic updates.

4. Install a Security Plugin

Here are a few ways security plugins can help keep your WordPress website secure:

  • limit login attempts. This stops the “brute force” login attack mentioned earlier, because a hacker only gets a handful of guesses before being locked out.
  • block suspicious requests using a firewall. Most hackers set up programs to automatically try to hack websites, and security plugins can likewise detect those programs and block them.
  • scan for suspicious changes to files. If your website gets hacked, the hacker’s program usually changes WordPress files to suit their needs. Security plugins can detect when this has happened and alert you.
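As an added example (not code from this article, and not Wordfence’s or Sucuri’s code), here is a small must-use plugin that does the first job on that list, limiting login attempts, using the hooks WordPress provides for it; it also covers the brute-force attack from step 1. The 5-attempts-per-15-minutes threshold, the `lla_` prefix and the file name are my assumptions.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Description: Locks out an IP+username pair after repeated failed logins.
 * Save as wp-content/mu-plugins/limit-login-attempts.php to load it.
 */

// Assumed policy: 5 failures for the same IP+username within 15 minutes
// locks that pair out until the window expires. Tune to taste.
define( 'LLA_MAX_ATTEMPTS', 5 );
define( 'LLA_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

/** Build a transient key from the client IP and the attempted username. */
function lla_key( string $username ): string {
    // REMOTE_ADDR is only the real client when no proxy/CDN sits in front
    // of PHP; behind a proxy, use the proxy's forwarded-IP header instead.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lla_' . md5( $ip . '|' . strtolower( $username ) );
}

/** Count a failed login and write it to the PHP error log for monitoring. */
function lla_record_failure( string $username, $error = null ): void {
    // Don't count our own lockout rejections, only real wrong passwords.
    if ( is_wp_error( $error ) && 'too_many_attempts' === $error->get_error_code() ) {
        return;
    }
    $key      = lla_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LLA_WINDOW_SECONDS );
    error_log( sprintf( 'wp-login failed: user=%s ip=%s attempts=%d',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts ) );
}
add_action( 'wp_login_failed', 'lla_record_failure', 10, 2 );

/** Refuse to authenticate once the threshold has been reached. */
function lla_check_lockout( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // form not submitted yet, nothing to check
    }
    if ( (int) get_transient( lla_key( $username ) ) >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins. Please try again in 15 minutes.' );
    }
    return $user;
}
// Priority 30 runs after WordPress's own password check (priority 20).
add_filter( 'authenticate', 'lla_check_lockout', 30, 3 );

/** Clear the counter after a successful login. */
function lla_clear_on_success( string $user_login ): void {
    delete_transient( lla_key( $user_login ) );
}
add_action( 'wp_login', 'lla_clear_on_success' );
```

The `error_log` line is there so the failures show up wherever your host sends PHP errors, which is the easiest place to notice a brute-force attempt.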

Wordfence and Sucuri are the two most popular security plugins. I prefer Wordfence mostly because I met the owner once at a WordCamp and he bought dinner for a bunch of us… And I use it and found it pretty slick.

Here’s a video showing how to set up Wordfence.

5. Use HTTPS instead of HTTP

Does your website URL start with http:// or https://?

E.g., http://mysite.com or https://mysite.com?

That little “s” stands for “secure”. It means that when someone visits your website, the data sent between the user’s browser and your server (e.g. a password when logging in, or personal information stored on the server) is encrypted in transit so no one else can read it. If you’re just using http://, it can be intercepted and read by others. (If you’d like an explanation so simple a child can understand it, I wrote and illustrated a children’s story explaining how that all works!)

In order to have your website work on https://, you need to get an “SSL certificate”. Most hosting companies can install it for you for around $40 a year, but some will give you one for free.

Here’s a video showing how to set up a free SSL certificate on Bluehost, but our recommended hosts can do this too.
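Once the host has installed the certificate, WordPress still has to be told to use it. As an added example (not from this article or any host’s documentation), this wp-config.php excerpt covers that, and the automatic core updates from step 3. The constants are real WordPress settings; `example.com` is a placeholder for your own domain.

```php
// wp-config.php excerpt (added example). Place these lines ABOVE the
// "That's all, stop editing!" comment near the bottom of the file.

// Step 3: let WordPress install core updates itself. Minor/security
// releases are on by default; true also allows major releases.
define( 'WP_AUTO_UPDATE_CORE', true );

// Step 5: serve the whole site over https:// and make the login and
// admin pages refuse plain http://, so passwords never travel in the clear.
define( 'WP_HOME',    'https://example.com' );   // placeholder domain
define( 'WP_SITEURL', 'https://example.com' );   // placeholder domain
define( 'FORCE_SSL_ADMIN', true );

// Some hosts terminate TLS on a load balancer and hand PHP a plain-HTTP
// connection. WordPress then cannot see that the visitor used https and
// FORCE_SSL_ADMIN redirects forever. The balancer normally sets
// X-Forwarded-Proto; only trust it when a proxy really sits in front of you.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After saving, load https://yourdomain/wp-login.php and check that the browser shows the padlock and that http://yourdomain/wp-admin/ redirects to https://.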

6. Upgrade PHP

WordPress isn’t the only software you need to keep up-to-date. You should also update PHP.

Currently, WordPress can work with PHP version 5.2 or higher. But older versions of PHP have security issues, and the only way to fix them is to upgrade PHP to at least version 7.0. Version 7.2 would be better, if possible.

Many hosts allow you to simply flip a switch to upgrade PHP. So it’s easy. The only trick is that some of your plugins or themes might not be compatible with newer versions of PHP…

If you upgrade and find something is broken, your host should make it equally easy to revert to the old version of PHP you were using, which will resolve the errors.

Here’s a video showing how to change PHP versions on Bluehost.

That’s It

If you’ve done these 6 steps, your WordPress website is really pretty secure. These are all the things I’ve done on my sites.

If you want to spend more time securing your site, read these (ordered from least technical to more technical):

This post originally appeared on my personal blog.
