BEGINNER

The first things you should do to secure your website are actually the easiest and most effective ways to keep WordPress from getting hacked. The following items should always be done for every site, regardless of whether you’ve been hacked before. No coding, developer, or special knowledge beyond using the basic WordPress admin is needed.

Keep your plugins and WordPress updated

The #1 simplest and most effective way to avoid getting hacked is to keep all of your plugins and WordPress itself updated as soon as possible. If your website is built properly, and the plugin developer hasn’t changed the plugin drastically, keeping your site updated shouldn’t affect the front end, but will prevent almost all hacks. Most hacks on WordPress are due to security flaws found in old versions of plugins or the core, and from website owners not updating to the more secure versions. It takes a few seconds to update plugins. Since version 3.7, WordPress also provides automatic updating for minor and security releases.

Secure passwords

Making sure ALL users on your website have secure passwords is also a quick and easy way to make sure your site is guarded against hacks. Secure passwords include letters, numbers, and symbols like “f5|Gkh[ZvCEQ4DjB01@s!n>3TXlb” or long pass phrases that are hard to guess like “i like to skip in the parking lot on the way to grocery shop!”. Using a password manager like 1Password will help you securely remember these harder passwords.

Remove ‘admin’

You should never, ever, have a user with the username “admin”. That’s easily the most attacked account, since it’s the most widely used username. Use your email or some other unique username instead. Delete the username ‘admin’ as soon as possible.

SSL certificate

SSL certificates are now free, and essential to creating a more secure website. An SSL certificate makes your website more secure by encrypting the data passed between your server and the user’s browser. Modern browsers like Firefox and Chrome will now show a user a warning if they visit a website that doesn’t have an SSL certificate, making it likely that the user will refuse to visit your website. If your host doesn’t already offer free SSL certificates, you can get them from Let’s Encrypt.

Good hosting with automatic backups

A good host, such as WPEngine, should provide several of the things you need out of the box: automatic backups, SSL certificates, and extra security features. They also manage only WordPress sites, so customer service and tech support are usually fantastic, and they don’t pack their shared servers with so many sites that your own site runs slow.

Thoroughly vet & limit the plugins you use

Before you install that fancy plugin, be sure it’s safe to use. Only install plugins from legitimate sources like WordPress’s plugin directory or a paid service like the Envato Market. Read the reviews and make sure the plugin is compatible with your version of WordPress and that it hasn’t had any security flaws. Limit the number of plugins you use as well – the fewer plugins you have, the less chance there is of one of them having a security flaw that lets your site be hacked. More plugins also mean a slower-loading website, which introduces other problems.

INTERMEDIATE

The next steps are slightly more difficult to set up, and something I usually only recommend if your site deals with sensitive data, or has already been hacked before.

Security plugins

There are multiple security plugins you can install, depending on what you’re looking for. They range from the super simple and free, like a limit-login-attempts plugin, which allows only a certain number of login attempts before it locks a user out, preventing brute-force attacks, to more extensive freemium plugins like WordFence, which offers multiple services in addition to limiting login attempts. WordFence can check your site for security flaws, stop malware attacks, add two-factor authentication to your logins, and more. It’s worth the time setting up if you’re truly concerned about getting hacked.

Third party services

There are also paid third-party services that can help keep your site secure. Some of our clients use Sucuri, which monitors and defends your website against hackers. Depending on the package you choose, it can monitor, defend, and even remove hacked code.

Limit third party tracking & JS code

Another way to help avoid getting hacked is to limit the amount of third-party JavaScript and tracking code you use on your site, especially code that injects things into your site like advertisements. Hackers can target these scripts and inject their own malware through them.

ADVANCED

These last steps require a good deal of coding knowledge, as well as proficiency in databases and file management. I usually don’t recommend going to these lengths unless your website deals with a lot of sensitive data and/or has been hacked multiple times despite taking the above steps.

Hide your directories

Disabling directory browsing is a great step to take to deter hackers: they’ll be unable to see what files and folders you have on your server, which hides information they would need (like which plugins you have installed) to get into your site.

You can disable directory browsing by editing your .htaccess file. On a new line add:

Options -Indexes

Now users should get a 404 error if they try to browse a directory on your site, such as www.mysite.com/wp-content/uploads
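To confirm the change actually took effect on your own site, here is an added check (not part of the original post) that classifies the response for a directory URL: a listing is only exposed when the server answers 200 with an Apache autoindex page. It assumes Apache, whose built-in response once indexes are disabled is 403 Forbidden (some hosts remap that to 404), and the two sample responses are constructed, not captured from a real site.

```python
import re
import urllib.error
import urllib.request

# Apache's autoindex module emits this title when directory browsing is on.
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def listing_exposed(status, body):
    """True only for a 200 response whose body is an Apache directory listing.
    A 403 (Apache's default once Indexes is off) or a 404 (hosts that remap
    the error) both mean the listing is hidden."""
    return status == 200 and bool(AUTOINDEX_TITLE.search(body))


def check_path(base_url, path="/wp-content/uploads/"):
    """Fetch one directory URL of your own site and report whether it lists files."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "dir-listing-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return listing_exposed(resp.getcode(), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 403 / 404 are raised, not returned
        return listing_exposed(err.code, "")


# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_OPEN = (200, "<html><head><title>Index of /wp-content/uploads</title></head>"
                    "<body><h1>Index of /wp-content/uploads</h1><ul><li>2024/</li></ul>"
                    "</body></html>")
SAMPLE_CLOSED = (403, "<html><head><title>403 Forbidden</title></head>"
                      "<body>Forbidden</body></html>")
SAMPLE_PAGE = (200, "<html><head><title>My Blog</title></head><body>Hello</body></html>")
```

Run `check_path("https://www.mysite.com")` against your own site after editing .htaccess; a `True` result means the listing is still visible.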

Change the wp_ database prefix

Anything that is common to all WordPress websites will be an easy target for hackers, since most people don’t think to change these things. That’s why we recommended above never having an account named “admin”. The same goes for your database table prefix. By leaving it as the default wp_, a hacker knows all the names of your database tables, because they are the same across every WordPress site. Simply changing the prefix means that they can’t easily target your database.

Changing the default database prefix when installing a new website is easy, because WordPress gives you that option when you go through the setup. But did you know you can still change the prefix, even on your old site? Here’s a great tutorial on how to go into your database and change the prefixes to something unique.
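The part of a prefix change that trips people up is that WordPress stores the prefix inside two tables as well as in the table names. The following is an added example (not the linked tutorial’s code) that renames the core tables and fixes those rows; it runs against an in-memory SQLite stand-in with a constructed minimal schema, so on a real MySQL database you would swap the connection and the `?` placeholders for your driver’s style. After running it you must also set `$table_prefix` in wp-config.php to the new value.

```python
import sqlite3

# Core tables of a single-site WordPress install, named without the prefix.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users"]

def change_table_prefix(conn, old, new, tables=CORE_TABLES):
    """Rename every table from prefix `old` to `new`, then fix the rows that
    embed the prefix in their data. Skipping that second part is the classic
    mistake: the site comes back up, but every user has lost their role."""
    cur = conn.cursor()
    for t in tables:
        cur.execute(f"ALTER TABLE {old}{t} RENAME TO {new}{t}")
    # Role definitions are stored in the options table as '<prefix>user_roles'.
    cur.execute(f"UPDATE {new}options SET option_name = ? WHERE option_name = ?",
                (f"{new}user_roles", f"{old}user_roles"))
    # Per-user keys such as '<prefix>capabilities' and '<prefix>user_level'.
    cur.execute(f"SELECT umeta_id, meta_key FROM {new}usermeta")
    for umeta_id, key in cur.fetchall():
        if key.startswith(old):
            cur.execute(f"UPDATE {new}usermeta SET meta_key = ? WHERE umeta_id = ?",
                        (new + key[len(old):], umeta_id))
    conn.commit()

def user_capabilities(conn, prefix, user_id):
    """Serialized capabilities for a user under `prefix`; None means the row
    WordPress would look for does not exist (the symptom of a half-done change)."""
    row = conn.execute(
        f"SELECT meta_value FROM {prefix}usermeta WHERE user_id = ? AND meta_key = ?",
        (user_id, f"{prefix}capabilities")).fetchone()
    return row[0] if row else None

def demo(new_prefix="x9q_"):
    """Build a constructed, minimal 'wp_' schema in memory and migrate it."""
    conn = sqlite3.connect(":memory:")
    for t in CORE_TABLES:
        if t == "options":
            conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
            conn.execute("INSERT INTO wp_options VALUES ('wp_user_roles', '(roles)')")
        elif t == "usermeta":
            conn.execute("CREATE TABLE wp_usermeta (umeta_id INTEGER, user_id INTEGER, "
                         "meta_key TEXT, meta_value TEXT)")
            conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
                (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
                (2, 1, "wp_user_level", "10"), (3, 1, "nickname", "owner")])
        else:
            conn.execute(f"CREATE TABLE wp_{t} (id INTEGER)")
    change_table_prefix(conn, "wp_", new_prefix)
    return conn
```

Take a full database backup before doing this on a live site, since a typo in the prefix leaves every user locked out until the rows are repaired.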

CONCLUSION

It’s impossible to make any site “unhackable”, but with a little bit of work, you can deter hackers and make it a lot harder for them to get into your website. Just by doing the basic beginner steps, you’ve already stopped the majority of hackers – and I highly recommend that every site follow those simple steps in order to avoid the most common hacks. If your website has been hacked before, or has a lot of sensitive data, it would be prudent to go a bit farther and install some security software as well. But all the security software in the world won’t help you if you don’t keep up with the basics of updating your plugins and keeping secure passwords!

More Resources