Welcome to Silicon Overdrive!

How to Secure Your WordPress Site


How do you secure your WordPress site? This can be done through various methods including installing security plugins, using a strong username and password, activating multi-factor authentication, and so much more. And since there’s so much info floating around, here’s an easy guide on how to secure your WordPress site against hackers.

WordPress is one of the most widely used website platforms in the world, making up over 30% of websites today. Because of its popularity, and its ecosystem of free plugins and themes, WordPress makes an ideal target for hackers.

Currently, over 455 million websites use WordPress. This means that 35% of all the websites in the world make use of the CMS platform. Unfortunately, this also means WordPress is popular among hackers as well. Once hackers gain access to a site, they can steal information, make changes to the site, redirect visitors to another URL, the list goes on! Recently security experts have seen a rise in ransomware as a popular tactic among hackers.

  • Around 85% of attacks target Windows operating systems.
  • It’s estimated that by 2021, an attack will take place every 11 seconds.
  • In the last year, 51% of businesses have been affected by ransomware.65% of ransomware infections occur via phishing.

Phishing is a cybercrime where an individual is contacted via text message, email, or phone by a person who poses as a legitimate organisation asking for personal information such as passwords or credit card details.

Signs of a Hacked WordPress Site

If you’re not familiar with hacked websites, here are a few clues to let you know what’s up:

  • You can’t log into your site. We know sometimes people tend to forget their username or password, but if you’re 100% sure yours is correct, something is going on. Some of the first things a hacker does is remove admin accounts.
  • Your site is showing different content. Some hackers might replace your homepage with something new, or add a redirect to a new site with inappropriate content.
  • Your website might be slow. When hackers take over your site, they usually start executing malicious activities like sending spam emails. With both your processes and the malicious activities, your server must handle a ton of activity making it slower than usual.
  • There might be an unknown user among your usual list. Be sure to keep an eye on users that have access to your site.
  • Warning ads letting you know your computer may be infected (Scareware).
  • There are links to spammy websites. Some hackers will gain access to your WordPress site and add bad links in the footer or other areas of your site.

How to Secure Your WordPress Site [10 Tips]

Use a Strong Username and Password

To access the backend of your WordPress site, all someone needs is a username and password. To ensure your security, avoid using easy-to-guess passwords for your admins like your birthday, middle name, etc.

If your site has a blog that displays the author’s name, best practice would be to not have these users be admins. Instead, make them contributors, so that if their login details are compromised, the perpetrators cannot edit the base code, and will have no access to the plugins.

The most common way a hacker might try to guess your password is by going to the login page on your WordPress site and repeatedly trying to guess your password by entering your username and password and clicking the login button. This is called ‘brute-force hacking’.


To ensure the safety of your site, ensure that all passwords are strong. WordPress has a password generator that can create a strong password for you. Instead of trying to remember your password, store it in a password locker.

If you don’t want to use the password generated by your WordPress site, you can use free online password generator tools like passwordgenerator.net.

Strong password tips:

  • Create a long password with 8 to 16 characters.
  • Use numbers, uppercase letters, lowercase letters, and symbols.
  • Avoid using personal info as a password like your name or birthday.
  • Use a different password for each website.

Multi-factor Authentication

Most WordPress sites do not use MFA. We strongly recommend that in addition to securing your site, you should install Wordfence and activate the MFA option within the security plugin.

In general a good firewall includes the following features:
  • Malware scanning – The product should include detection for malware installed by a hacker on your website including the ability to see changes and fix them.
  • Brute-force login protection
  • Protection against hacker reconnaissance techniques. For example, protection against the WordPress author=N scan that hackers use to find out your usernames.
  • A full-featured WAF or Web Application Firewall with a regularly updated rule-set.
  • Rate based throttling and blocking to prevent aggressive crawlers while ensuring Google’s crawlers have unlimited access to your site
  • Two-factor authentication – the ability to sign-in using your cellphone or another physical device to verify your identity.
  • Password auditing. The product you choose should help you verify you and your site members are using strong passwords.
  • Country blocking – if you are being targeted by a specific country you should be able to block access to various parts of your site or the whole site.
  • Advanced blocking techniques including blocking IP ranges and blocking user-agents.

Install Security Plugins

Installing and configuring security plugins can help provide an extra layer of security for your WordPress site. These plugins usually help block users trying to gain access to your site, scan your site for vulnerabilities and potential malware, etc.

WordFence is one of the best security plugins available for WordPress and includes a free and premium version.

“Wordfence includes an endpoint firewall and malware scanner that was built from the ground up to protect WordPress.”
You can also use Wordfence to receive email alerts when a theme, plugin or WordPress core needs an upgrade.

Install WordFence. You can also install the plugin by searching for it within the WordPress plugin directory.

Ensure you Have a Valid SSL Certificate for HTTPS

HTTPS needs to be enabled on your web server. If you are using a WordPress hosting provider, your host will include detailed instructions on how to enable HTTPS on your website. They may require that you buy an SSL ‘certificate’ or they may sell you one themselves or provide them for free.

What is an SSL Certificate?

SSL is a protocol that establishes an encrypted link between a web server and a web browser. Aka, it authenticates, encrypts and decrypts data sent over the Internet.

How to get an SSL certificate for your site:

  • Your hosting provider usually provides you with a free SSL certificate.
  • If the hosting provider doesn’t provide you with one, simply go to one of these free online tools:
  • sslforfree.com
  • Zerossl.com

Change Your WordPress Login Page URL

Once you create your WordPress site, the default login address is yoursite.co.za/wp-admin. Consider updating the URL to prevent brute force attacks or hackers trying to figure out your username and password.

Keep Your WordPress Version, Theme & Plugins Up to Date

Keeping your WordPress installation up-to-date is the most important thing you can do to keep your WordPress site secure. Developers always make changes with updates which can also include updates for security.

Only Install Trusted Plugins

Unfortunately, some malicious people take a perfectly safe and secure plugin or theme and turn it into something malicious. This is called a nulled script.

A nulled script is one where a hacker has taken a plugin and has modified the source code to do something malicious. Nulled scripts are usually distributed from a third party website rather than the original distributor of the plugin or theme.

The way to avoid nulled scripts is to only download add-ons for your site from reputable sources. The following is a list of sites you can visit for plugins and themes:


You should remove unused/deactivated themes and plugins as hackers can use them to access your site.

Only use SSH and SFTP, Avoid Plain FTP

When transferring files and administering your website, most admins use FTP or sFTP (also called secure-FTP). Plain old FTP is a very old protocol that dates back to the beginning of the Internet. It does not use any kind of encryption for your login credentials. It also does not encrypt files and so all files are sent over the Network as plain-text.

Moving your wp-config.php File above your Web Root

You can move your wp-config.php to a directory one level higher than the root of your WordPress installation. If your WordPress installation is your webroot directory, then this moves your wp-config.php file out of your publicly accessible web directories.

Protect Yourself from SQL Injection Attacks

The other major way that hackers can access your website database is by performing a SQL injection attack. This attack involves sending SQL commands to your database via a vulnerable application that is not properly cleaning and escaping the SQL commands it sends to the database.
That is why it is critically important to keep your plugins, themes and WordPress core up-to-date.

Prevent RPC or API calls

WordPress has inbuilt features that allow you to interact with your website remotely; the traditional solution was to use a file named xmlrpc.php.

This file enables a remote device like your smartphone to send data to your WordPress website. If you want to publish using the WordPress Smartphone application, the xmlrpc.php file enables you to do that.

An attacker will try to access your site using xmlrpc.php by using various username and password combinations. They can effectively use a single command to test hundreds of different passwords; allowing them to bypass security tools that typically detect and block brute force attacks.

Fortunately, you can block the xmlrpc.php on WordPress website using a plugin. Plugins are usually faster, simpler, and there is less risk of breaking your site. It also means you won’t need to hire a developer to do it for you.

Need Help Developing Your WordPress Site?

We have an expert team of WordPress developers ready to help you get started with the popular CMS platform. Give us a call on 021 448 5759 or send us an email.


Phishing – A common cyber-attack where users (often hundreds) are contacted via email, text, or phone call by a hacker which often poses as a legitimate business to retain sensitive information from the user such as their credit card details, passwords, etc.

Scareware – Hackers make use of scare tactics to trick victims of the attack to pay the ransom. For example, a fake message appearing on your computer screen saying your computer has a virus and online payment is necessary.

Wordfence – A WordPress security plugin which helps protect your site from hacks and malware.

If you liked this, you'll love these...

We use cookies to track visitors, measure ads, ad campaign effectiveness and analyze site traffic. We may also share information about your use of our site with 3rd parties. For more info, see, our Cookies Policy, our Privacy Notice. By clicking “Accept All” you agree to the storing of all cookies on your device. In case you don’t choose one of these options and use our website, we will treat it as if you have accepted all cookies.

We use cookies to track visitors, measure ads, ad campaign effectiveness and analyze site traffic. We may also share information about your use of our site with 3rd parties. For more info, see, our Cookies Policy, our Privacy Notice. By clicking “Accept All” you agree to the storing of all cookies on your device. In case you don’t choose one of these options and use our website, we will treat it as if you have accepted all cookies.