How to Harden WordPress From Attackers!

If you or your company have WordPress sites, there are two things to consider. First is to avoid having your own site hijacked, and second is to avoid becoming part of a larger problem.

Hackers are not gaining entry to up-to-date WordPress sites through software exploits, but by attacking easily defensible weaknesses! Fortunately, there are simple recommendations that can lower the likelihood of catastrophe to almost zero!

  1. Avoid Obvious Passwords: Please take a few minutes to check out the security requirements recommended by WordPress. Computers are getting faster all the time, and just because a password feels strong does not mean that it is. Hackers go after users who do not take the time to switch from default (weak) login information, because they are easy targets.
    A secure password is at least 12 characters (a number that will only increase as computing power grows) and makes use of upper and lowercase letters, numbers, and special characters (^%$#@*?!). Consider using a lengthy passphrase, or better yet, download a password manager so you can keep long and secure passwords for all of your digital logins.
    Important: a 25+ character passphrase with only lower case letters and spaces is far more secure than a 12 character password that uses many different character types, because the time needed to brute-force it grows exponentially with each added character. Additionally, the 25+ character passphrase will likely be far easier to remember!
    Example: "j!bBeR!$h?!@" (12 characters) or "pigeons swiftly exceed housecat landspeed" (41 characters)? The 41 character passphrase is safer, and easier to remember! Switch to passphrases today!

  2. Ditch the Admin Username: WordPress attackers are constantly collecting new WordPress IP addresses to target, and in fact they are attempting to crack default admin accounts right now. If you are still using admin, create a new user with administrator privileges and give it a strong password as defined above. Afterwards, log in as the new user and delete the old admin account – assigning all content owned by that account to the new user.

  3. Use Two Factor Authentication: If you have a WordPress.com account, take advantage of two-factor authentication (2FA), which ensures that an authorized human is logging in, not a bot. With 2FA, an individual in possession of your username and password will not be able to gain entry without your authenticator.

  4. Update WordPress and Plugins: Many hackers exploit outdated versions of WordPress and WP plugins. Keep your installations up to date, and you have good odds of avoiding trouble. However, outdated software is a less immediate threat than exceedingly weak login credentials.
    This excellent article, last updated by Robert Abela of wpwhitesecurity.com in August 2019, sheds light on the importance of updating your software! Its analysis arrived at a shocking result: "[...] at least 30,823 out of 42,106 identified WordPress websites have exploitable vulnerabilities. This means that 73.2% of the most popular WordPress installations are vulnerable."
    WordPress founder Matt Mullenweg advises that if you do these first four steps, you will be ahead of 99% of sites out there and will probably never have an issue.

  5. Consider WordPress Security Plugins: WordPress does a decent job of handling most threats against its platform, but it is never a bad idea to take some extra steps to make sure you are extra secure in a way that does not interfere with usability. Check out these WP security plugin suggestions, posted by Pavitra Shankdhar of infosecinstitute.com in February 2018, to decide if you have needs that can be met by any of these services.
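To put numbers behind step 1's point that brute-force work grows with every added character, here is an added example (written for this article, not code from WordPress or the original author) that estimates the keyspace of the two example secrets above. The character-class sizes, the 20,000-word vocabulary and the guess rate of 10^11 per second are assumptions, not measured figures.

```python
import math
import string

# Constructed inputs: the two example secrets quoted in step 1 above.
PASSWORD = "j!bBeR!$h?!@"                                  # 12 characters, mixed classes
PASSPHRASE = "pigeons swiftly exceed housecat landspeed"   # 41 characters, lowercase + spaces

# Character classes an attacker has to search; the sizes are assumptions
# (ASCII letters, digits, the 32 ASCII punctuation marks, and the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
    "space": {" "},
}

def alphabet_size(secret: str) -> int:
    """Alphabet size inferred from the classes the secret actually uses."""
    used = set(secret)
    return sum(len(chars) for chars in CLASSES.values() if used & chars)

def brute_force_bits(secret: str) -> float:
    """Keyspace in bits under exhaustive search: length * log2(alphabet).
    Each added character multiplies the work by the alphabet size."""
    return len(secret) * math.log2(alphabet_size(secret))

def wordlist_bits(phrase: str, vocabulary: int = 20000) -> float:
    """Conservative estimate for a passphrase of dictionary words: an attacker
    guessing whole words only searches vocabulary**words combinations.
    The 20,000-word vocabulary is an assumed figure."""
    return len(phrase.split()) * math.log2(vocabulary)

def crack_years(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected years to search half the keyspace at an assumed guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for secret in (PASSWORD, PASSPHRASE):
        bits = brute_force_bits(secret)
        print(f"{secret!r}: {len(secret)} chars, alphabet {alphabet_size(secret)}, "
              f"{bits:.1f} bits, ~{crack_years(bits):.3g} years to brute-force")
    # Against a wordlist attack the passphrase's strength comes from its word count.
    print(f"passphrase under a wordlist model: {wordlist_bits(PASSPHRASE):.1f} bits")
```

The word-based estimate is the one to watch: against a wordlist attack the passphrase's strength comes from how many words it has, so add words rather than relying on character count alone.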
