How to Harden Your WordPress Site to Keep Hackers Out

How to Harden Your WordPress Site to Keep Hackers Out

Do you want to make your website so secure that hackers will find it impossible to break in?

While no website security system is 100% hack-proof, you can take plenty of measures to prevent a hack and the devastating consequences that follow.

You can close vulnerable points and secure commonly targeted areas so hackers find it incredibly hard to attack your site.

We’ll show you the easiest way to harden your WordPress site. We’ll also give you best practices to follow to avoid making your website vulnerable.

Since this is a detailed guide, we’ve created a table of contents that you can use to easily navigate this post. You’ll find measures according to their level of difficulty and the level of security you want for your site.

The Easiest Way to Harden Your WordPress Site

WordPress hardening measures involve one-time steps as well as measures that need to be periodically checked.

Some hardening steps also need a fair amount of technical skills in WordPress. If you’re not tech-savvy, then we strongly recommend using a WordPress hardening plugin.

These plugins let you apply security hardening measures at the click of a button. This means you’ll never have to touch any code or modify any files on your own.

Our favorite security plugin is Sucuri. It has a robust firewall and a powerful scanner to monitor your site and block hackers.

Sucuri also comes with built-in hardening measures that you can apply right inside your WordPress dashboard. We’ll show you how to do that below.

Step 1: Installing Sucuri

Sucuri offers a WordPress security plugin for free to all WordPress users.

Sucuri in WordPress org

You’ll get access to:

  • Built-in security hardening
  • Security activity log
  • Blocklist monitoring
  • File integrity monitoring
  • Remote malware scanning
  • Security notifications
  • Post-hack security actions

If you want to install the complete security system that includes the Sucuri Firewall, then you’ll want to sign up for a premium plan that starts at $199.99 per year.

Once you install and activate the plugin, you can access and operate your security settings directly from your WordPress dashboard.

Step 2: Generate API Key

From your WordPress dashboard, navigate to the Sucuri » Dashboard tab. On this page, you’ll see a ‘Generate API Key’ button.

Sucuri generate api key

This will open a popup where your WordPress site and admin email are prefilled. You can change it if you like.

After that, check the boxes to agree to the terms of service and privacy policy. Then select the ‘Submit’ button to generate the API key.

Generate api key in Sucuri

You’ll see a popup that says your site is successfully registered. Now you can head over to the Sucuri dashboard.

API successful in Sucuri

With that, your site has a security scanner active on your site. It will show you if your site is clean or not, and if you’re on any blocklists.

Step 3: Enable Hardening Measures

Inside the Sucuri dashboard, you’ll find a whole list of hardening measures you can add to your site with just the click of a button.

Navigate to Sucuri » Settings » Hardening tab.

sucuri hardening tab

You’ll see all the available options here:

  • Website Firewall Protection: A firewall is the first line of defense to block hackers and bad bots. If you signed up for the pro version, you can link to your firewall account to view statistics in WordPress.
  • Verify WordPress Version: Checks when your WordPress installation, themes, and plugins are not up to date. You’ll see a prompt to update to the newest version to avoid software vulnerabilities.
  • Verify PHP version: Makes sure your server is running the latest version of PHP.
  • Remove WordPress Version: Allows you to remove the version of your CMS from being publicly displayed so hackers won’t be able to see if your WordPress version is outdated.
  • Block PHP Files in Upload Directory: Your uploads directory stores files that don’t need to use PHP to run. This will disable the execution of PHP files inside your uploads directory. Keep in mind that certain plugins do use PHP, so test this measure before you add it.
  • Block PHP Files in WP-CONTENT Directory: Places a .htaccess file inside the wp-content to block any external access.
  • Block PHP Files in WP-INCLUDES Directory: Places a .htaccess file inside the wp-includes to block any external access.
  • Information Leakage: Looks for any readme.html file on your site which contains your site’s WordPress version and deletes it.
  • Default Admin Account: Checks if the primary account uses ‘admin’ as the username. By changing this name, you can stop hackers from finding out which account has the highest privileges.
  • Plugin and Theme Editor: If a hacker has broken into your site, this is a very common target to access your website’s code. Enabling this option will disable the plugin and theme editor. That way other users cannot access and modify sensitive files through your WordPress admin.
  • Activate Automatic Secret Keys Updater: Refreshing your security keys will log out all users and delete existing cookies. This will reduce the chances of hackers misusing browser sessions.

To enable an option, select the ‘Apply Hardening’ button next to it. And if you want to undo it or remove the hardening feature, click on the same button that now says ‘Revert Hardening’.

apply and revert hardening

Below this list, you’ll also see an option to allow blocked PHP files.

allow blocked php files in sucuri wordpress hardening

Sometimes, plugins and themes need access to certain files and folders that you have blocked. This will allow you to selectively add file paths that are allowed so you can maintain security and provide access only to trusted sources.

That’s it. It’s that easy to harden your WordPress site with Sucuri.

Now aside from what Sucuri has to offer, there are certain measures you should take on your own to make sure your website is secure.

Best Practices to Harden Your WordPress Site

The most important step you need to take in protecting your site is to install a security plugin. These plugins will scan and monitor your website regularly so you’ll be alerted if they find anything suspicious. Here are the top plugins we recommend:

Added to this, you can follow the practices below to make sure your site is always secure.

1. Choose to a Secure Web Host

Your website lives on a server that’s run by your web host. If your host has not secured its servers well enough, hackers can find their way into your site.

Beginner website owners tend to choose cheap shared hosting plans to get started and rarely look at the security measures adopted by the host.

We recommend using a secured hosting platform from the get-go because hackers attack sites big and small. They find malicious ways to use any site they hack into.

Our go-to web host that’s also recommended by WordPress is Bluehost.

bluehost web hosting plans

You can get started for as low as $2.75 per month using our Bluehost coupon. Plus, you’ll get a free domain and SSL certificate for a year.

Another great secure option is Siteground.

These hosts have robust infrastructures and are always monitoring the network for threats. They also offer protection against DDoS attacks so you can be sure hackers are blocked from attacking your server.

2. Install an SSL Certificate

Your website is constantly sending data back and forth between browsers and servers. Hackers try to intercept this data while it’s in transit and steal it.

The best way to prevent this vulnerability is by using an SSL certificate. SSL (Secure Sockets Layer) will enable an encrypted connection. This means all data sent cannot be read or modified by anyone while it’s being sent between two systems.

When you use SSL, you’ll see that your website has a padlock in the address bar along with HTTPS and not HTTP:


You can get an SSL certificate with your web host. For instance, Bluehost offers a free SSL certificate with all its web hosting plans. If not, you can use a plugin like Really Simple SSL to install it on your site.

3. Secure Your Login Page

One of the easiest points of entry for hackers is your website login page. The username and password is often not enough to stop them. Hackers use a method called brute force attacks to guess your credentials and simply log in.

So this is one of the most important areas to secure. Here’s what you can do:

  • Enforce Secure Credentials at All Times: Make sure you use a unique username that isn’t ‘admin’ or your own name because hackers can guess them easily. As for passwords, we recommend using passphrases with letters, numbers, and symbols making it difficult to crack.strong password

    When you’re setting your password, WordPress will tell you if it’s weak, medium, or strong so you’ll know if you need to improve your password strength.

  • Expire Passwords Regularly: You should change your password regularly but we know how often we forget to do so.An easy way around this is to install the Expire User Passwords plugin.

    expire password example

    It will automatically force every user on your site to change passwords periodically before they can log back in.

  • Limit Login Attempts: In a brute force attack, hackers send bots to your site to try thousands of login combinations till they get the right one. If you limit login attempts, they’ll have to stop after 3 attempts.Lost password in WordPress

    You can enable this with security plugins like Sucuri and MalCare or you can use the Limit Login Attempts plugin on your site.

  • Use 2-Factor Authentication: This adds a 2-step verification process to your login where you need to provide a one-time passcode that is sent to you in real-time through an SMS, email, or authenticator app.


    This means a user will have to verify themselves in real-time making it extremely hard for hackers to gain access.

  • Add HTTP Authentication: HTTP authentication hides your login page and displays a blank page with a login box.You’ll need to enter your HTTP credentials to access the login page.

    http authentication

    This measure is more extreme and you’ll need to access your hosting cPanel to add it to your site. If you’ve never used cPanel before, don’t worry. We’ll show you how to do it in a few simple steps.

    Login to your web hosting account, access cPanel and find ‘Directory Privacy’.

    Directory privacy

    Inside, from the list of folders, locate the wp-admin folder and edit it.

    edit wpadmin privacy

    On the next page, first, enable the option ‘Password protect this directory’. Now cPanel will ask you to add a username and password.

    add password to directory

    Make sure you save your settings before exiting this page. Now your WordPress admin directory is password protected.

    When you open your wp-admin page, you’ll see a login prompt to enter the username and password you just created.

  • Restrict Access to Login Page: You can allow only trusted users access to your wp-admin URL. All other users will automatically be blocked from seeing this page, let alone trying to login. If you’re using Sucuri, under the Access Control tab of your dashboard, you can add whitelisted IP addresses.whitelist in sucuri

    By checking this box, Sucuri will automatically allow only your trusted users to access the login page.

4. Use Secure Forms

Unsecured forms are an easy target for hackers. They simply enter malicious code in your form fields.

When the form is submitted, the code is sent to your website database for processing. This will allow hackers to infect your site or gain entry to your database, and from there, they can create havoc.

You can make sure this doesn’t happen by using web forms that are secure. WPForms is the #1 WordPress form builder that has built-in security so you won’t have to do anything.

anti spam protection in WPForms

Every form you create comes with anti-spam protection already enabled.

And if you want to add extra layers of protection, WPForms lets you enable CAPTCHA on your forms.

Advanced noCaptcha and Invisible Captcha

This means a user will have to solve a little puzzle or tick a box to prove they’re human.

5. Set User Role Permissions

If you have multiple users working on your WordPress site, you can limit the permissions they have according to their role.

This doesn’t mean you don’t trust your team, it simply means that if hackers access their account, they’ll be limited in what they can do.

WordPress lets you create roles for:

  • Super Admin
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

The most powerful roles with all-access passes are super admin and admin. We recommend having as few admins as possible.

6. Auto-logout Inactive Users

Another trick hackers use is to hijack browsing sessions and steal cookies. This lets them access your site through an active user account without you knowing it.

The best way around this is to periodically log out inactive users.

Many security plugins have an idle session logout feature or you can use the Inactive Logout plugin.

7. Update Your Website Regularly

Plugins, themes, and even your WordPress installation get updates regularly. You’ll see them inside your WordPress dashboard when they’re available:

updates in wordpress

Updates usually carry bug fixes, new features, and improvements to the software. And sometimes, they carry security patches.

This means a vulnerability was found in the software that hackers can use to attack your site. When developers spot these lapses, they fix them and release a new version that will remove the vulnerability.

All you have to do is update it on your end. You can see if an update carries a security patch by viewing the details of the update.

view version details of update

If you see it’s a security update, run it immediately to avoid any risk.

If you’re worried that updates may break your site, you can test the update on a staging site and then run it on your live site.

With that, you’ve tackled all the hardening measures that you can add to your site.

Despite the strongest security measures, there are chances that things can go wrong including human errors. The best way to be prepared is by keeping a backup copy of your site.

You can set up automated backups using a backup plugin like UpdraftPlus. For more choices, check out our list of the top WordPress backup plugins.

That’s all we have for you today. For more on WordPress security, see our resources on:

These posts will give you more opportunities to seal vulnerabilities and protect your site the best you can.

The post How to Harden Your WordPress Site to Keep Hackers Out first appeared on IsItWP – Free WordPress Theme Detector.

What’s My SEO Score?

Enter the URL of any landing page or blog article and see how optimized it is for one keyword or phrase.

Wordpress Expert

Leave a Reply