
Simple Steps to Protect WordPress Websites from Hackers

Purpose of the Article: A website’s security is the first concern, so we should take care of every aspect of it. For that reason, I wrote this blog about security patches and some crucial plugins.

Intended Audience: WordPress developers

Tools and Technology: WordPress

Keywords: Secure WordPress Website, secure WordPress website from hackers

Passwords:

  • WordPress has a password strength indicator to help users gauge how strong their passwords are.
  • Do not use real words, names, or birthdates. Make your passwords totally random.
  • Never use the same password across multiple logins/sites.
  • A password should be at least 12 characters long and contain letters (uppercase and lowercase), numbers, and symbols. Since version 4.3, WordPress can generate a password for you.

WordPress Username:

  • Use a username other than the default ‘admin’.
  • The default username gives hackers half of the information they need to log in to your website.

Disable PHP Error Reporting

  • WordPress works with a lot of PHP code, and users can add more PHP code via plugins and themes.
  • If the PHP code is incompatible with your web server, something can go wrong.
  • If error reporting is enabled, the resulting PHP error message is displayed on the page.
  • Hackers can use this error message to learn the file paths on the server.
  • When error reporting is disabled, unauthorized eyes cannot view this potentially sensitive information.

Turn Error Reporting OFF

  • Add this line to your wp-config.php file: error_reporting(0);

Disable File Editor:

  • WordPress contains a file editor that allows you to edit files, plugins, and theme code directly from the dashboard.
  • When a hacker gains access to your site, this is usually the first place they go. From there, they can run any code they like on your server.
  • To disable the editor, place the following line in your wp-config.php file:
  • define('DISALLOW_FILE_EDIT', true);

Adding New Users:

  • Please make sure the ‘Anyone can register’ option is off (unless you need this feature of WordPress). It is turned off by default, so until you change it, you should be fine.

New User Roles:

  • Whenever you add a user to your WordPress site, you assign that user a role.
  • A WordPress Role assigns a ‘clearance’ level of security.
  • The available roles are Super Admin, Administrator, Editor, Author, Contributor, and Subscriber.
  • Super Admin – Can administer multiple WordPress sites (a multisite network). This role isn’t available in normal WordPress installations.
  • Administrator – Can manage every aspect of the site.
  • Author – Can publish and manage their content.
  • Contributor – Can write posts but cannot publish them.
  • Subscriber – Can only manage their profile.

PLUGINS:

  • When using plugins, take the following precautions:
  • Install plugins only from trustworthy sources, such as the official WordPress plugin repository.
  • Never use plugins that link back to another site from your own.
  • Only purchase plugins from trusted vendors.
  • Use as few plugins as possible.
  • Avoid poorly maintained plugins.
  • When you deactivate a plugin, delete it altogether.

Comment SPAM:

Careful with comments:

A ZERO-DAY EXPLOIT allowed hackers to break into WordPress sites through WordPress comments.

  • It is always a good idea not to follow links in the comments section of your site because it is out of your control where they point.
  • Make sure all comments are manually approved.
  • Approve only genuine, quality comments. This will add value to the conversation.
  • You can remove links from comments if they are not useful or if you don’t approve comments with links in the body.
  • Through cross-site scripting (XSS) attacks in comments, an attacker can add new administrative users, change passwords, etc.
  • The comment settings are in the dashboard under Settings -> Discussion.

LIMIT LOGIN ATTEMPTS:

  • A hacker might use a brute-force attack to gain access to your site.
  • A brute force attack uses software to try thousands of combinations of usernames and passwords until one works. If you limit the number of login attempts to a reasonable number, like three, then after that many failed logins the user is locked out for a predetermined length of time before they can try again.
  • Thus, it prevents brute force attacks and “hobby hackers” from trying to access your site through trial-and-error.
  • Plugins can limit login attempts, and the ALL IN ONE SECURITY plugin can monitor login attempts.
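As an added example that is not from the article or from any of the plugins it names, this minimal must-use plugin shows what a login limiter does under the hood: it counts failed logins per client address and username, and refuses further attempts for a fixed period once the limit is reached. The hook names are WordPress’s own; the file location, the limit of three attempts, the 15-minute lockout and the key prefix are assumptions.

```php
<?php
/*
 * Plugin Name: Login Attempt Limiter (added example)
 * Assumes: saved as wp-content/mu-plugins/login-limiter.php and that
 * REMOTE_ADDR is the real client address (no reverse proxy in front).
 */

const LL_MAX_ATTEMPTS    = 3;       // failed logins allowed before lockout
const LL_LOCKOUT_SECONDS = 15 * 60; // lockout length once the limit is hit

// Transient key derived from the client IP and the username being tried.
function ll_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'll_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Count every failed login. WordPress fires this hook with the username.
// Attempts blocked by the filter below also end up here, which extends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = ll_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    // Each failure restarts the window, so the counter cannot be reset mid-attack.
    set_transient( $key, $attempts, LL_LOCKOUT_SECONDS );
    // Write to the PHP error log so lockouts show up in the server logs.
    error_log( sprintf( 'Failed login for "%s" (%d/%d)', $username, $attempts, LL_MAX_ATTEMPTS ) );
} );

// Once the limit is reached, reject the login regardless of the password.
// Priority 30 runs after WordPress's own password check (priority 20), so
// the error returned here is the final result of the filter chain.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === (string) $username ) {
        return $user;
    }
    if ( (int) get_transient( ll_key( $username ) ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', LL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that IP/username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( ll_key( $user_login ) );
} );
```

Because the counter is keyed on the client address, a site behind a CDN or load balancer would need the real client IP taken from the proxy header it trusts instead of REMOTE_ADDR.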

PROTECT THE LOGIN PAGE:

Login page security:

  • The login page is the gateway to your WordPress Dashboard, so protecting it will reduce the possibility of your site getting hacked.
  • You can protect the login page in several ways, such as allowing access only from your IP address, moving the login page, and renaming it.

DATABASE TABLE PREFIX:

WORDPRESS DATABASE TABLE PREFIX:

  • WordPress uses a MySQL database to store web page content, user data, etc. It is a vitally important part of your site, and you want to ensure that unauthorized users do not access it.
  • The default prefix for WordPress is wp_.
  • If you don’t change the prefix, a hacker knows the names of all your database tables, which gives them an advantage.
  • To change it, edit the $table_prefix line in your wp-config.php file, for example:
  • $table_prefix = 'edb_';

WORDPRESS SECURITY KEYS:

  • In WordPress version 2.6, security keys were introduced to improve the encryption of cookie information stored on a visitor’s computer.
  • The security features of WordPress have grown as the platform has evolved.
  • The keys are stored in the wp-config.php file. If you install WordPress automatically, the security keys are generated for you. If you install WordPress manually, you can use an online key generator.

XML-RPC:

  • XML-RPC is fundamentally a way for developers to communicate with WordPress via an API (application programming interface). A tool like Windows Live Writer is a typical client.
  • Windows Live Writer uses XML-RPC for publishing, editing, and deleting posts, and for adding new categories and tags.
  • XML-RPC has been enabled by default since WordPress 3.5, and disabling it will prevent such applications from using the API.
  • Jetpack is a popular WordPress plugin that uses XML-RPC. If you disable XML-RPC, Jetpack cannot function. Many WordPress problems arise when users disable XML-RPC.
  • XML-RPC has been used in DDoS attacks, but Akismet usually spots them.
  • XML-RPC has also been used in brute force attacks; a security plugin can protect against them.
  • Disabling XML-RPC probably won’t reduce the risk of your website getting hacked because of this. However, if you want to disable it, you can use a plugin such as Disable XML-RPC Pingback or Disable XML-RPC.

WEB HOST:

  • Make sure your host is running the latest versions of PHP and MySQL. Hosts that fall behind on these upgrades are not great about their security; updates often include security fixes, so hosts should keep up with them.
  • Check with your host about the security measures they take against site hacking. Do they take backups? How about server maintenance? A well-maintained server is more resistant to attacks. Find out whether they offer anything else to keep your site secure.

wp-config.php

Protecting wp-config.php:

  • wp-config.php contains sensitive information about your WordPress database, security keys, etc. One way to protect it is to move it one directory above your WordPress install directory.
  • Some people believe this is beneficial; others disagree.
  • Alternatively, you can place this block in your website’s .htaccess file:

<files wp-config.php>
Order allow,deny
Deny from all
</files>

This denies access to the file for everyone.

File Permissions:

  • Files and folders on your webserver have ‘permissions’. These determine who can access them.
  • You should set all directories to 755 (or 750).
  • Files should be 644 (or 640).
  • wp-config.php should be 644 (or 600).

INSTALLING THE PLUGIN

Install and activate it.

BACKUP IMPORTANT FILES:

Click on backup your database

Schedule automatic backup

Sensitive Data Exposure:

Description: Hash the password with SHA-256 in the browser before the login form is submitted.

Implementation: Hashed the password with SHA-256 and changed the WordPress default password hashing method to SHA-256.

  1. Install the sh256pass plugin and add the following code to functions.php:

/* Password hashing: load the scripts that hash the password on the login page */
add_action( 'login_enqueue_scripts', 'wpse8170_login_enqueue_scripts' );
function wpse8170_login_enqueue_scripts() {
    //wp_enqueue_script( 'jquery-script', get_template_directory_uri() . '/assets/js/jquery.min.js' );
    wp_enqueue_script( 'encrypt-script', get_template_directory_uri() . '/js/encrypt.min.js' );
    wp_enqueue_script( 'aes-script', get_template_directory_uri() . '/js/aes.min.js' );
    wp_enqueue_script( 'sha-script', get_template_directory_uri() . '/js/sha256.min.js' );
}

  2. Add these files to the theme’s js folder.
  3. Activate the plugin.
  4. We tried to log in, but it didn’t accept our old credentials.
  5. Generate the SHA-256 hash of the password with an online SHA-256 tool and copy it.
  6. In the database, update the password in the users table with that hash.
  7. Reference link: https://cdnjs.com/libraries/crypto-js

ClickJacking :

Description: Set the X-Frame-Options header to SAMEORIGIN.

Implementation: Used the “HTTP Headers” plugin to set X-Frame-Options to SAMEORIGIN.

  1. Install the HTTP Headers plugin.
  2. Go to its Security category.
  3. Turn on the options below:

X-Frame-Options -> SAMEORIGIN
X-XSS-Protection -> 1; mode=block
X-Content-Type-Options -> nosniff
Referrer-Policy -> strict-origin-when-cross-origin
Cookie security -> ✔ Secure ✔ HttpOnly
Feature-Policy -> autoplay *; fullscreen *; vertical-scroll *

  4. Save settings.
  5. Reference link: https://wordpress.org/plugins/http-headers/
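As an added example that is not part of the article or of the HTTP Headers plugin, the same response headers can be sent from a small must-use plugin when you prefer not to add another plugin. The hook names are WordPress’s own; the file location is an assumption, and the cookie flags from the list above are not handled here because WordPress sets them on its own cookies.

```php
<?php
/*
 * Plugin Name: Security Headers (added example)
 * Assumes: saved as wp-content/mu-plugins/security-headers.php. Sends the
 * same headers the HTTP Headers plugin is configured with in the steps above.
 */

function example_security_headers() {
    return array(
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-XSS-Protection'       => '1; mode=block',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        'Feature-Policy'         => 'autoplay *; fullscreen *; vertical-scroll *',
    );
}

function example_send_security_headers() {
    // Headers cannot be added once output has started (e.g. a notice printed early).
    if ( headers_sent() ) {
        return;
    }
    foreach ( example_security_headers() as $name => $value ) {
        // The second argument replaces any earlier header with the same name.
        header( $name . ': ' . $value, true );
    }
}

// 'send_headers' fires for front-end requests, 'admin_init' for wp-admin pages,
// and 'login_init' for wp-login.php, so the login form is covered against framing.
add_action( 'send_headers', 'example_send_security_headers' );
add_action( 'admin_init', 'example_send_security_headers' );
add_action( 'login_init', 'example_send_security_headers' );
```

You can confirm the result with `curl -I` against the site’s login URL and check that each header appears exactly once.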

Security Misconfiguration: (server)

Description: Removed the PHP Version Display

Disabled the dynamic password, which showed the internal password field.

Implementation: Removed the PHP Version by disabling expose_php in php.ini

  1. Create a file called php.ini in the root folder containing this one line: expose_php = off

Using Known vulnerable Components : (server)

Description: Upgraded to PHP 7.4

Implementation: Used the cPanel option to upgrade the PHP version.

  1. Whenever we create a dev environment, we need to install the updated PHP version to prevent attacks.
  2. Reference link: https://in.godaddy.com/help/view-or-change-the-php-version-for-my-linux-hosting-16090

Brute Force Attack :(server)

Description: Integrated reCAPTCHA with Admin Login

Implementation: Used the “Advanced noCaptcha & invisible Captcha” plugin to add reCAPTCHA to the admin login.

  1. Install the Advanced noCaptcha & invisible Captcha plugin.
  2. Get the site key and secret key from Google (the link is provided at the top).
  3. Select version V2, check the login form, and save changes.
  4. If we want to add a captcha to the contact form, install ReCaptcha v2 for Contact Form 7.
  5. It then creates a submenu under the contact form called ReCaptcha version. In that, select reCAPTCHA version 2 and Google as the source.
  6. Select Integration under the Contact Us tab, then add the secret key and site key.
  7. Activate this captcha on the site.
  8. Reference link: https://wordpress.org/plugins/advanced-nocaptcha-recaptcha/

JavaScript Injection : (server)

Description: It is all taken from ER Forms

  1. Add this code to the .htaccess file:

# BEGIN Protect Against Script Injections
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# END Protect Against Script Injections

  1. Reference links: https://contactform7.com/2015/03/28/custom-validation/

http://hookr.io/filters/wpcf7_validate_checkbox/

https://developer.wordpress.org/reference/functions/sanitize_textarea_field/
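Following the Contact Form 7 references above, here is an added example (not from the article or from the form project it mentions) of the server-side half of the defence: a validation filter that rejects a textarea field whose content changes after sanitize_textarea_field() strips tags. The filter names and the invalidate() call are Contact Form 7’s own; the error message is an assumption.

```php
<?php
// Added example (not from the article): server-side validation for a
// Contact Form 7 textarea. Assumes Contact Form 7 is active; the message
// text is illustrative.

// Returns true when the submitted text contains markup or encoded bytes that
// sanitize_textarea_field() would strip, i.e. it was not plain text.
function example_contains_markup( $raw ) {
    $raw   = (string) $raw;
    $clean = sanitize_textarea_field( $raw );
    // sanitize_textarea_field() keeps newlines but trims the ends, strips tags,
    // escapes a bare '<' and removes percent-encoded bytes, so compare against
    // the trimmed input. A literal "a < b" therefore also trips this check.
    return $clean !== trim( $raw );
}

// Mark the field invalid so the form is not sent and the user sees an error.
function example_cf7_validate_textarea( $result, $tag ) {
    $name = $tag->name;
    $raw  = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
    if ( example_contains_markup( $raw ) ) {
        $result->invalidate( $tag, 'HTML tags and scripts are not allowed in this field.' );
    }
    return $result;
}

// Hook both the optional (textarea) and required (textarea*) form tags.
add_filter( 'wpcf7_validate_textarea', 'example_cf7_validate_textarea', 20, 2 );
add_filter( 'wpcf7_validate_textarea*', 'example_cf7_validate_textarea', 20, 2 );
```

The .htaccess rules above only inspect the query string, so a POSTed form body is exactly the case this filter covers.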

Malicious File Upload : 

Description: Allowed specific file uploads only – jpg, jpeg, jpe, gif, png

Implementation: Used the ‘upload_mimes’ hook to limit the file upload types.

  1. Add this code to functions.php:

// Restrict file uploads to a few image types (and PDF)
add_filter( 'upload_mimes', 'restrict_mime' );
function restrict_mime( $mimes ) {
    $mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'gif'          => 'image/gif',
        'png'          => 'image/png',
        'pdf'          => 'application/pdf',
    );
    return $mimes;
}

  1. Reference link: https://developer.wordpress.org/reference/hooks/upload_mimes/
  • GDPR cookie consent: Using this plugin, we can add cookie acceptance to the project.

Thank you for reading this article, hope it was informative.
