"Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge." — Bruce Schneier


You can find many articles listing tips on how to protect your WordPress website from hacking. For ease of reading and use, we wrote this article to serve as your guide to operating WordPress safely. It provides a list of tips on how to secure your website and your WordPress account against hacking and troublesome brute-force attacks.

Table of contents

  • Don’t call your account “admin”
  • Don’t use popular and easy passwords
  • Use captcha
  • Strong authentication
  • User role
  • .htaccess
  • Use WordPress security keys for authentication
  • Limit login attempts
  • XML-RPC access
  • Hosting & WordPress security
  • Be in tune with the times
  • Choose the plugins correctly
  • Contact BestWebSoft
  • Get Access to 30+ Premium Plugins

Don’t Call Your Account “admin”

Remember this. This advice is fundamental and the easiest to follow in terms of WordPress security. It applies not only to WordPress but also to other similar platforms. Let it be the first and most basic step in operating WordPress. Most hacking of accounts through wp-admin / wp-login occurs because of brute-force attacks. Simply put, crackers (hackers) take a familiar username (admin) and try many password combinations to gain access to your account. The easiest way to protect yourself from such a hack is to change the account name from admin to another, less common and more complex one.

Crackers use brute force not only to guess the password for a known username; they can also discover your username using various scripts and programs. Keep this in mind, because security is not a way to get rid of hacking; it is a way to reduce or prevent the chance of your account being hacked.

As of today, such automated attacks are suppressed by using a more complicated username. Of course, there is no guarantee that you will be fully protected from this type of hacking, but you at least make it harder for hackers when they try to break into your account. Please note that when we say admin or administrator, we mean the name of your account, NOT your user role on the website.

If you have already created an account with the admin username, it is better to create a new user account with Administrator rights. After creating the account with a new login and user role, you can delete the old “admin” account. If you have already created or edited a post or a page under this username, don’t worry, your posts will not disappear. WordPress displays a message asking what you want to do with the old account’s content. There you can remove the old content or transfer its ownership to another user. This new owner can be you, or rather your new account.

Don’t Use Popular And Easy Passwords

There are three easy criteria that will help you create a strong password. Your password must be:

  1. Complex
  2. Long
  3. Unique

Use the LastPass service, which will help you create a strong password. You choose the length and LastPass generates the password. Save the proposed link and do not worry about your password safety. How complex your password is will depend on how anxious you are about the safety of your data. We recommend a password length of 20 characters, and do not forget to use rarer characters such as *, #, %, :, and so on.

Using passwords such as “qwe123qwe”, “qwerty”, “123456” or “password” is the same as writing your security code on a business card. Even passwords such as dragon and princess are in the 2015 list of the 25 most used passwords. You’re not as creative as you think…

Use Captcha

Captcha is a completely automated Turing test that makes it possible to verify that a user is actually a person, not a program. In other words, a Captcha is a problem that a person can solve easily but that is impossible (or extremely difficult) for a computer to solve. Captcha is used to prevent mass automatic sign-ups and spam messages from bots. That is, Captcha’s goal is to protect your website against spam, flooding, and account takeover.

Often a Captcha looks like a random number, word, or inscription that the user must read and type in, although there are other algorithms.

There is a Captcha plugin which protects your WordPress website forms from spam entries by means of math logic.

Strong Authentication

Even if you have an original login and a complex password generated by LastPass, brute-force attacks can still bother you. In such cases, two-factor authentication may help you.

Two-factor authentication may not be the most convenient thing, but the protection makes up for the hassle. The essence of this authentication type is already in its name: two factors of security. This method of data security is not new. We use the same authentication with Gmail and other popular services. So it’s a good idea to use this verification method on WordPress.

User Role


The WordPress.org website already has an article about user roles and capabilities. We strongly encourage you to read and understand it. By default, WordPress has 6 types of roles:

  • Super Admin – somebody with access to the site network administration features and all other features.
  • Administrator – somebody who has access to all the administration features within a single site.
  • Editor – somebody who can publish and manage posts, including the posts of other users.
  • Author – somebody who can publish and manage their own posts.
  • Contributor – somebody who can write and manage their own posts but cannot publish them.
  • Subscriber – somebody who can only manage their profile.

There is no need to give everyone Administrator rights for a short task. You can remove the administrator rights once the specific task is done. The Administrator role gives the right to assign other users to roles and to grant the corresponding rights and capabilities. If you find it difficult to understand and manage user roles on your website, you can use the User Role plugin. This plugin has a user-friendly interface and helps you manage other users’ profiles and capabilities on your website. Be careful when assigning a particular role, because this determines the security of your data.

Something About .htaccess

.htaccess is an additional configuration file for the Apache web server and other similar servers. It lets you specify a large number of additional settings and permissions for the web server on a per-user basis (as well as for different folders of individual users). Such settings can include controlled access to directories, redirection of file types, and so on, without giving users access to the main configuration file, i.e. without affecting the entire service. For the safety of your website, you need to block access to files. It is very easy, but you can also use the Htaccess plugin, which will help you block access to your files and directories in seconds and thereby improve the security of your website.

For better WordPress security, you may need to add this to your .htaccess file to better protect wp-config.php:
<Files wp-config.php>
order allow,deny
deny from all
</Files>

This will deny access to the .htaccess file itself:
<Files .htaccess>
order allow,deny
deny from all
</Files>

To learn more, read the article Some .htaccess Tricks for WordPress.

Use WordPress Security Keys For Authentication

Authentication keys and salts were developed to protect cookies and passwords on their way from the browser to the web server where they are stored. Authentication keys are sets of random characters and digits that protect your cookies.

This set of keys will help you amend the wp-config.php file. The keys change each time you refresh the page, so you will always get a fresh set.

If hackers still manage to break in, the easiest way for them to change your files is through Appearance > Editor in WordPress. To keep your data safe, you need to disable file modification through the editor. Open wp-config.php and add the following code:

define('DISALLOW_FILE_EDIT', true);

The point is that you can still modify files using any FTP application you like, but you will not be able to do it from within WordPress.
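The two wp-config.php settings described above can be checked automatically. The following Python script is an added example, not code from the original article or from WordPress: it reports key and salt constants that are missing, still set to the sample placeholder, too short or duplicated, and flags a missing DISALLOW_FILE_EDIT. The function names, the 60-character threshold and the sample input are assumptions made for illustration.

```python
import re

# The eight key/salt constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
MIN_LENGTH = 60  # assumption: generated values are 64 characters long

# Matches an active line such as define('NAME', 'value'); or define('NAME', true);
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)\s*;""",
    re.MULTILINE)

def parse_defines(text):
    """Return {constant: value}; commented-out define() lines are ignored."""
    return {name: single or double or bare
            for name, single, double, bare in DEFINE_RE.findall(text)}

def audit_wp_config(text):
    """Return a list of findings; an empty list means every check passed."""
    defines, findings, seen = parse_defines(text), [], {}
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: placeholder value")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{name}: shorter than {MIN_LENGTH} characters")
        elif value in seen:
            findings.append(f"{name}: same value as {seen[value]}")
        else:
            seen[value] = name
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not set to true")
    return findings

# Constructed sample: one placeholder, one short value, file editing left on.
SAMPLE = """
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'hunter2');
// define('DISALLOW_FILE_EDIT', true);
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE):
        print(finding)
```
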

Limit Login Attempts

A great way to protect your account from hacking is to install a plugin that limits the number of login attempts from specific IP addresses. The Limit Attempts plugin will help protect your account from IP addresses that have tried to brute-force your WordPress account.

Watch Out! XML-RPC Access!

XML-RPC is an application programming interface (API). It is used by a number of plugins and themes, so we want to warn less experienced users about using this protocol. Disabling this API in code can cost you money. That is why we advise you not to disable it for everything; be selective and carefully define the access rights for what you allow.

Hosting & WordPress Security

There are no simple rules for choosing a WordPress hosting company. But the hosting company plays a significant role when it comes to optimizing your WordPress security.

WordPress security is one of the main unique selling propositions of certain WordPress hosting products such as GoDaddy. They offer backups, redundant firewalls, malware scanning, Distributed Denial of Service protection, and automatic WordPress updating for a reasonable price.

Be In Tune With The Times

It is difficult to keep track of all the updates every day, especially for owners of websites and Internet resources, and we understand how difficult it sometimes is. We have hundreds of plugins, programs, and other things, and it’s hard to always stay up to date and find time to apply all updates. According to research, more than half of the installations in use are behind the times.

When it comes to security, updating also plays a significant role. More than half of successful hacking attempts occur due to outdated, insecure plugin versions. So updates should be applied not only to the WordPress core but also to plugins and programs. The reasons can be numerous; everything depends on the conditions and circumstances under which data backup is not achieved. A great way to solve this problem is to install the Updater plugin.

Choose The Plugins Correctly


It is important to choose plugins correctly. There is a screenshot example above of what you need to pay attention to. Plugins and themes, especially free ones, can be unreliable. When adding a new plugin, always pay attention to the product rating and to the company that developed it.

The WordPress.org platform shows the product rating, but a plugin with only one or two 5-star ratings is not the best choice, so also pay attention to the number of 5-star ratings. Also, note the date of the last update, because some quite good plugins lack multiple 5-star ratings simply because they haven’t had time to gain enough views and downloads.

If a plugin has not been updated for a long time, WordPress will let you know. This does not mean that the plugin is bad; maybe the developers simply have no need to update it because it works well. To sum up: when choosing a plugin, pay attention to the number of active installs (the more the better), the rating, and the plugin version’s compatibility with your WordPress version.


Now, having reached the end of this article, you understand how important it really is to deal with your website security and all of the data you have. You need to improve the WordPress security on a daily basis. This process should be the same as a regular cup of coffee in the morning. We hope that this article was useful to you and will be glad to cooperate with you in the future, in order to make your life easier and carefree.

At BestWebSoft, we make it our mission to understand our clients’ demands and help them make their wishes come true. Our 7+ years on the world market and 600+ successfully realized projects give us the right to guarantee the best quality, reliability, and stability to our clients. Our experts will care about your WordPress website security and performance. Contact Us to Get a Free Quote Now
