How to Protect & Secure Website From Hackers


Are you concerned about your website being targeted by hackers? If so, you are right to be. There are nearly 90,000 hack attacks per minute on WordPress sites! Hackers run malicious operations on websites that may involve stealing customer information and money, advertising unauthorised goods on the site, or sending spam emails (read: phishing attacks). So you should be looking for ways to keep hackers out of your website.

It is really hard to fix a compromised website. It is time-intensive and costly. On top of that, hackers typically create hidden entry points. These let them keep coming back to the site and re-hacking it. Identifying these hidden entry points is difficult.

In addition, the problem can snowball: Google can block the website, or your hosting provider can suspend it.

But fortunately, to secure your site from hackers and bots, there are various basic web protection steps you can take.

Today, we’re going to take you through WordPress security measures that protect your website like Fort Knox. Hackers will have a very difficult time trying to break into your website after you implement these steps. Perhaps most importantly, your mind will be at ease knowing your website is safe.

WordPress plugin

Install the MalCare protection plugin on your WordPress website if you want to protect your website from hackers without any hassle. It sets up a firewall to proactively protect your website against threats. The security scanner periodically scans the site and warns you if it detects anything unusual. Plus, if your website gets compromised, you can clean it up quickly and get back to work.

Protecting your website is quick! We have grouped the steps you can implement on your website into three levels. Some are simple security measures that every website should have, and others are more sophisticated measures for when you want to make your website extra strong.

Good to know: Usually, hackers look for easy pickings. This means that if your site has even the most rudimentary security, odds are that they will move on to a site that is easier to hack.

It is worth noting that while we highly recommend taking these steps, you should run a full WordPress security audit to discover what kind of security measures your website needs.

Level 1 – Simple Security Tips for WordPress

Here are a few simple steps to implement on your website if you are just starting out on WordPress or are still getting the hang of your own website:

Install a Security Plugin

When you set up a WordPress website, the first thing we suggest doing is to add a security plugin right away.

This is because the website exists in a world overrun by hackers who are constantly on the prowl. A new website without any security controls could be more vulnerable to threats.

Plus, you’ll need to add themes and plugins for design and features when you set up and run your site. Although most plugins are safe to use, others can contain bugs that open your website up to common hacking attacks.

We suggest downloading a security plugin like MalCare to secure your website. It proactively blocks malicious IP addresses and bad bots.

You can access it from your wp-dashboard after you install it, or by logging in via the official MalCare website.

Aside from letting you scan the site anytime you like, it automatically scans the entire website every day on its own. If it detects unusual activity or malware on your site, it warns you. In the unlikely event that a hacker does break through, you can use the same plugin to clean up your website.

Install an SSL Certificate

SSL stands for Secure Sockets Layer. Simply put, an SSL certificate keeps the data transmitted between your website and its users secure. For example, when a customer submits credit card information and personal contact details, SSL encrypts them, so hackers cannot read such sensitive information even if they get their hands on it.

Your site will switch from HTTP to HTTPS when you add an SSL certificate. You’ll see a padlock appear in the address bar.


You can get your website’s SSL certificate from your web host or another online SSL provider. It means that both your customers’ data and your own are protected from being compromised.

Updating Your Website

Updates are released frequently for your WordPress installation and its themes and plugins. You will see the available updates on your dashboard.


All of us website owners tend to put off updates for as long as possible. Updates bring new features and upgraded capabilities, but they also include stability fixes and security patches.

Running your website on outdated software makes it insecure. Outdated software is one of the main causes of compromised WordPress sites.

Always remember to update your WordPress website regularly. It will also help you keep hackers out of your website.

Use a Secure Username & Password

Because they are easier to remember, many people leave their login credentials as ‘admin’ and ‘password123’. But basic usernames and passwords are easy to guess, which helps hackers gain access to your site. Hackers may also try to inject queries through SQL injection.

Still, there is a myth among WordPress site owners that a hacker is unlikely to come across their site and attempt to guess the password. In fact, hackers target every WordPress site using a technique called a brute-force attack. Bots crawl the web in search of sites to attack. Then, with a single instruction, they make hundreds of guesses in just a second.

To fend off such hacking attempts, always use unique usernames. Also, use strong passwords that combine numerals and symbols, such as a passphrase.


Your username and password are the lock and key to your website’s gate.

Invest in a Reliable Backup Solution

As we mentioned, fixing a hacked website is hard and can take a long time. A backup copy of your website lets you restore it to normal. Then you can take the time to fix the hack and close any holes in the website that allowed the hacker to get in.

There are several backup options available on the market. Your host may provide backups, although we do not suggest depending exclusively on host backups.

This is because host backups often do not work, or you may have to go through a lengthy restore process to get the site back online.

To get a backup copy that always works and is simple to restore, you need a WordPress plugin like BlogVault.

It’s easy to set up and you can be assured that anytime you need it, the automatic backups will come to the rescue.

Once you have the basics down, we can move on to the next level of steps you need to put in place to make your website more secure.

Level 2 – Intermediate WordPress Security Tips

These steps require a little more knowledge of WordPress websites. We suggest adopting the following steps once you get the hang of it:

Restrict File Uploads

You need to take care if your website lets users upload files, such as a profile picture or photos in the comments section.

This function is typically enabled by a plugin, and the uploaded files typically get stored on your website. If there is a defect or a flaw in the plugin, hackers can upload whatever file they like to find a way into your database.

To prevent this, you need to change where these uploaded files are stored and place them in a folder that does not affect your site’s cache and other important files.

You will also need to limit the file types that your users can upload. Hackers can try to upload PHP files to your website that are capable of executing commands. So, if it’s a display image, for instance, you can limit the file type to PNG and JPEG.

A person who tries to upload a file of any other type, which may be unsafe, will receive an error message.


You can have your web hosting provider set this up for you, or you can contact a WordPress developer.
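
One way to enforce the PNG/JPEG restriction described above in code, as an added example (not from the original article or from any plugin it mentions): a small must-use plugin built on the WordPress upload_mimes and wp_handle_upload_prefilter hooks. The file name and the error text are assumptions.

```php
<?php
/**
 * Plugin Name: Image-only uploads (added example)
 * Save as wp-content/mu-plugins/image-only-uploads.php (file name is an assumption).
 */

// 1. Allow-list by extension: replace the default list of permitted upload
//    types so that only JPEG and PNG remain. A .php upload is rejected.
add_filter( 'upload_mimes', function ( $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
} );

// 2. Check the content, not just the name: a script renamed to photo.png
//    passes an extension check but is not a real image.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( ! empty( $file['error'] ) ) {
        return $file; // PHP already reported an upload problem.
    }

    // wp_get_image_mime() inspects the file's bytes and returns the real
    // MIME type, or false when the file is not an image at all.
    $real = wp_get_image_mime( $file['tmp_name'] );

    if ( ! in_array( $real, array( 'image/jpeg', 'image/png' ), true ) ) {
        // A non-empty 'error' makes WordPress abort the upload and show this text.
        $file['error'] = 'Sorry, only PNG and JPEG images can be uploaded.';
    }
    return $file;
} );
```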

Implement 2 Factor Authentication

Over the years, 2-Factor Authentication has gained prominence. This method allows the website, using a password created at the time of registration, to verify the user in real-time.

You may have seen this on several sites, such as Gmail, Hotmail, and Facebook, to name a handful. You must enter your username and password and then provide further verification with an OTP (one-time password). This is sent to an additional email address or telephone number.


Using a plugin like Two-Factor or Google Authenticator, you can set this up for your website.

Limit Login Attempts

Hackers try thousands of login and password variations in a brute-force attack to try to obtain access to the dashboard. You can block such attacks by limiting the number of failed login attempts.

You also get this feature if you have used MalCare to protect your website. Your website will have limited login attempts enabled automatically. In that scenario, MalCare becomes a very helpful plugin for protecting the website from hackers and their attacks.
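
To show what limiting failed login attempts involves, here is an added example (not MalCare's code and not part of the original article): a small plugin that counts failures per IP address in a WordPress transient and rejects logins once a threshold is reached. The threshold, lockout time and the ll_ names are assumptions.

```php
<?php
/**
 * Plugin Name: Simple login limiter (added example)
 */

define( 'LL_MAX_FAILURES', 5 );        // assumed threshold
define( 'LL_LOCK_SECONDS', 15 * 60 );  // assumed lockout time: 15 minutes

// One counter per client IP. REMOTE_ADDR is the directly connected peer, so
// behind a reverse proxy or CDN it is the proxy's address, not the visitor's.
function ll_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'll_fail_' . md5( $ip );
}

// Count every failed login. Re-saving the transient restarts its timer, so
// the lockout lasts for as long as the guessing continues.
add_action( 'wp_login_failed', function () {
    $fails = (int) get_transient( ll_key() );
    set_transient( ll_key(), $fails + 1, LL_LOCK_SECONDS );
} );

// Priority 30 runs after WordPress has checked the password (priority 20),
// so a locked-out IP is rejected even when the guess was correct.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( ll_key() ) >= LL_MAX_FAILURES ) {
        return new WP_Error(
            'll_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( ll_key() );
} );
```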

Set up Google Analytics and Search Console

Google has two major services that all website owners can use. Analytics gives you insight into visits and conversions on your website. You can see where your traffic comes from.

In the Search Console, you can see which of your pages rank in Google search results and the keywords you rank for.

These tools will help you spot hacks easily. For example, in an SEO spam hack you would suddenly see your website ranking for keywords like ‘buy cheap brand online’.


There is also a tab for you to check if there are any security threats on your site.

To get access to these tools, you need to add your website as a property.

Now that you have implemented these website security measures, you can be confident that most hackers will be kept at bay.

Next, we’ll look at more sophisticated steps that you can take to make your website extra strong. They are more advanced in nature and, if you are not tech-savvy, they are difficult to implement. Fortunately, plugins are available that make them much easier to implement.

We suggest proceeding with caution if you intend to carry these out on your own using manual processes. The slightest misstep can break your website. We highly recommend taking a backup of your website so that you can restore your site in case something goes wrong.

Level 3 – Advanced WordPress Security Tips

These steps will make your website much safer. Remember, if you’ve been targeted, you need to urgently perform the following steps.

Block PHP Execution in Untrusted Directories

PHP is a type of programming language used by WordPress that allows commands to be executed.

PHP code is only needed in certain files, such as the wp-config file, and is not needed elsewhere. The presence of PHP files in other files and folders is therefore always a sign of a hack. By getting a PHP file into a folder, hackers can control not only that folder but also other files in WordPress, and by doing so gain full control of the website.

You can modify the file permissions and block PHP execution in these other locations. You can use the same BlogVault backup plugin to enforce this measure. The functionality is provided by its sister product, the MalCare WordPress security plugin.

Click the shield icon on the MalCare dashboard, which takes you to the security section. Here, you’ll see the ‘apply website hardening’ option.


On the next page, you’ll see three levels of hardening you can implement.
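
Since PHP files in folders that should not contain them are treated above as a sign of a hack, the following added example (not part of the original article or of MalCare) is a command-line check that lists PHP-executable files under a directory such as the WordPress uploads folder. The script name and the example path are assumptions.

```php
<?php
// Added example: list PHP-executable files under a directory that should
// hold only media. Usage (script name and path are assumptions):
//   php find-php-files.php /var/www/html/wp-content/uploads

function find_php_files( $dir ) {
    $hits = array();
    $it   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        // Match .php and related extensions, including names such as
        // "image.php.jpg" that some server configurations still execute.
        if ( $file->isFile()
            && preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $file->getFilename() ) ) {
            $hits[] = array(
                'path'     => $file->getPathname(),
                'modified' => date( 'Y-m-d H:i:s', $file->getMTime() ),
                'size'     => $file->getSize(),
            );
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    $hits = find_php_files( $argv[1] );
    foreach ( $hits as $h ) {
        printf( "%s  %8d bytes  %s\n", $h['modified'], $h['size'], $h['path'] );
    }
    // A non-zero exit code lets cron or a monitoring job raise an alert.
    exit( $hits ? 1 : 0 );
}
```

Treat each hit as something to review rather than delete automatically; the modification time helps place it relative to known changes on the site.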


Disable the File Editor

The WordPress Editor option allows you to edit a theme or plugin straight from the dashboard. You can see an option called ‘Editor’ when you log into your wp-admin and visit ‘Appearance’. The same goes for plugins.

It enables you to edit the code of a theme or plugin directly from your wp-admin dashboard.


This functionality can be useful to developers, since the theme and plugin files are directly accessible from the dashboard, but WordPress administrators hardly ever use the option. If a hacker breaks into your WordPress dashboard, however, they can edit these files and wreak havoc on your website. It gives them a backdoor to the files on the website.

Disabling this option is recommended. You can do so with the website hardening option from MalCare. Follow the steps detailed in the section above.

Change Security Keys

You may have noticed that you do not need to enter your credentials each time you log into your WordPress dashboard. Your credentials are pre-filled for you. This is possible because WordPress uses encryption keys. These keys allow your browser to store login credentials. They are kept in an encrypted form, so even if someone tries to steal them, it would be impossible to read the real login credentials.

But if a hacker happens to discover these security keys, they can use them to decrypt your login data. The security keys are stored in the wp-config file.

Much like your password should be updated periodically, it is also advised that you update these keys on a bi-annual basis. You should change them right away if you’ve been compromised.

You can use the same MalCare plugin to change these keys under ‘Apply Website Hardening’.


You can also do this manually. However, we don’t recommend the manual method as it’s risky making changes directly to your WordPress files. If you wish to proceed, you need to edit your wp-config file. You can find this file by going to your hosting account > cPanel > File Manager.


Here, you need to access your root directory which is usually called public_html.


In this folder, you will find your wp-config file. You can right-click and choose ‘Edit’. Here, you’ll see your security keys.


You need to replace ‘put your unique phrase here’ with your own keys. Using this link, you can generate a set of keys.

Next, all you need to do is copy and paste the code into the wp-config file (replacing the old keys). Save the file and log out of your hosting account. To make sure that everything works well, we recommend visiting your website.
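
If you would rather generate the keys on your own machine, the following added example (not part of the original article) prints a fresh set of define() lines for the eight standard WordPress key and salt constants. The script name is an assumption.

```php
<?php
// Added example: print new WordPress security keys and salts.
// Run from the command line: php new-keys.php (script name is an assumption).

function random_key( $length = 64 ) {
    // Printable characters only, leaving out the single quote and backslash
    // so the value can sit inside a single-quoted PHP string unescaped.
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_[]{}<>~`+=,.;:/?|';
    $max = strlen( $chars ) - 1;
    $key = '';
    for ( $i = 0; $i < $length; $i++ ) {
        // random_int() draws from the operating system's secure random
        // source; rand() and mt_rand() are predictable and unsuitable here.
        $key .= $chars[ random_int( 0, $max ) ];
    }
    return $key;
}

// The eight constants WordPress reads from the wp-config file.
$names = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

foreach ( $names as $name ) {
    printf( "define( '%s', '%s' );\n", $name, random_key() );
}
```

Paste the output over the existing eight lines in the wp-config file. Changing the keys invalidates existing login cookies, so every logged-in user has to sign in again.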

Disallow Plugin Installations

If you run a website that has many users managing it, or if you manage websites for customers, you may not want someone to install a plugin carelessly. Installing a plugin from an untrusted source could open up vulnerabilities on your website.

In addition, your website could be broken by installing a plugin without checking its compatibility. Using a WordPress security plugin like MalCare, you can disable plugin installations as well.


You need to add a line of code to your wp-config file if you want to manually block plugin and theme installations.

Using the same method as detailed above, access your wp-config file. You need to add the following line once you have opened the file:

define('DISALLOW_FILE_MODS', true);

Save and exit cPanel and the modifications will be applied. You can simply go back to the wp-config file and delete this line of code in order to remove this block.

Auto Logout Inactive Users

Users of your website may often leave their accounts logged in and their systems unattended. If someone gets unauthorised access to such an account, they can use it to create new admin logins for themselves and perform other harmful acts.

Automatically logging out users who have signed in but have not been active for a while helps mitigate the risk of unauthorised access.

There are ways to enforce this manually, but we do not recommend them. Apart from being complex, we do not find it a secure way to do it. If not correctly implemented, it could create more vulnerabilities on your website.

For this, we recommend using a WordPress plugin. To enable auto-logout on your website, you can use BulletProof Security or Inactive Logout.

The above tips for protecting your site will help strengthen it and keep it safe from hackers’ hands. For more, you can follow our security guide for WordPress.

Conclusion: Stay Protected From Hackers

If we compare creating a website to having a child, then putting it online is like sending your child out to live in the real world. The digital world is full of risks and dangers to which your website is exposed!

To keep hackers out, taking security and website hardening steps on your site is an absolute must. Security, however, is not something you can set up and forget. From time to time, these measures need to be reviewed or re-implemented.

But this implies that you have extra tasks to add to your already-long list of things to do. We strongly recommend installing a simple yet powerful tool like MalCare on your website to avoid the hassle and still remain protected at all times.

Your website will be monitored and defended against malicious traffic at all times. You can have peace of mind that only the good traffic gets through.