How to protect your WordPress website against hacking and brute force attacks

August 27, 2018

Last time I explained why most of the popular WordPress security tips are a myth and won't really protect your website. In this post, I'll provide some simple WordPress security tips that will genuinely make your website more secure.

Don't have an 'admin' user

'admin' is the default username on most WordPress websites. Most bots trying to hack into your site know this and bombard your login page with different password combinations for the 'admin' username. It's a numbers game and if they try enough passwords, they'll eventually manage to hack the 'admin' account.

Of course, the easy way to prevent this is simply by not having an account called 'admin'! If you're still using this username, create a new administrator-level account and remove the old one.

In one easy step, you've stopped most hacking attempts in their tracks!

Have fewer administrator-level accounts

In WordPress, administrator-level users have the most power. If an administrator account gets hacked, this means that more damage can be done. Malicious code can be added, plugins can be installed, and so on.

If you have several administrators on your website, think about whether they all need to be this level. Downgrade them if not.

See the WordPress Codex for details of their different user levels and choose the lowest suitable role for each user. If needed, you can create custom user roles with WordPress plugins such as User Role Editor.

Use secure passwords

Bots use the numbers game to hack into your website. Secure passwords give you the best chance of winning the numbers game. They should contain many digits and a combination of numbers, letters, lower and upper case, and other characters.

This is because with a secure password, hackers have to enter staggeringly more username and password combinations before they'll be statistically likely to find the right one.

Fortunately, WordPress now insists on secure passwords so you can't just use your pet's name or the latest Game of Thrones Reference. Use a tool such as Norton's Password Generator to create a bulletproof 16-digit password.

Use different secure passwords throughout your site:

  • For each WordPress admin user
  • For each FTP account used to manage your website's files
  • For your website's WordPress database (don't forget to update the wp-config file with the new password, otherwise your website will break!)
  • For your website hosting account

Restrict access to the WordPress login page

By default, WordPress websites use a page ending in /wp-login to access the login page for the WordPress admin.

Removing the 'admin' account and using secure passwords, as described above, will thwart most hacking attempts. However, bots can still access your login page and hit the Submit button. Even if they don't get in, this can put a huge drain on your web host and use excess server resources. This can impact performance and slow down your WordPress website. In extreme cases, it can even crash your server and cause downtime, which no one wants.

Plugins that lock you out after X number of failed login attempts don't help as you can still access the login page and hit Submit when you're locked out.

There are 2 main ways to stop bots from accessing your WordPress login page at all.

Change the login page url

By changing your login page url and redirecting anyone who tries to access wp-login to another url, bots can't even reach your login page. You can get a WordPress developer to do this for you, or use the Stealth Login Page WordPress plugin. (Just a note on this plugin - it will break your 'lost password' link for users who lose their passwords. I've raised this issue with the WordPress plugin developer and he doesn't seem to know how to fix it. Unless you want to get another WordPress expert to do it, don't use this plugin if your users are also using your login page, e.g. for a membership website. It's a handy plugin if only you will be using your login page.)

Password-protect your login page with a 2-step WordPress login

Alternatively, get a WordPress developer to add some code to the .htacess file requiring people to enter a username and password in order to access your login page. This means that each user will have to enter two sets of login details which isn't very user-friendly, so as with the Stealth Login Page, I suggest only doing this for websites websites where your users don't use the login page.

Install a WordPress firewall

This isn't really within the remit of WordPress as your web hosting account should have firewalls etc. However, there is some evidence that WordPress firewall plugins such as WordPress Simple Firewall can give additional protection.

Secure WordPress web hosting

A lot of people think that installing plugins is all you need to do to make your WordPress website secure. I hope I've shown that although this does have some value, it's only one of many factors.

Another important factor is the security of your web hosting. Your web host stores the actual files and database of your WordPress site. However secure your website itself, if the hosting environment has major security loopholes then the door will be open to hackers.

Choose your web host carefully. Do your research. What security measures do they have in place? How well they protect your website, both in terms of the physical location of the files and access from online?

How to keep your WordPress website secure

As a WordPress web designer, I've lost count of the number of WordPress websites I've seen that have been allowed to get out of date. We design a great website that meets the latest security best practices, and the client wastes this by letting everything get out of date.

It's really important to update WordPress, your plugins and the theme (if applicable) as soon as an update becomes available. Updates often contain security fixes after a new loophole is discovered. As soon as that happens, hackers update their software to target the new loophole, knowing that many websites will remain unprotected. Keep everything up to date and don't let your WordPress website be one of them.

Review your WordPress security regularly

This post recommends techniques and plugins that are currently the best way to protect your WordPress website. Don't forget that WordPress security is moving rapidly.

It's important to review your security measures regularly and see whether anything better has become available. For example, we used to recommend the WordPress Firewall 2 security plugin but this is no longer updated so we have switched to WordPress Simple Firewall.

Securing your WordPress website

WordPress security is difficult to get right and there's a lot of bad advice out there. By following these simple tips, you can create a pretty secure website that will thwart the vast majority of hacking attempts. You won't burden your website with unnecessary plugins and you can even do most of it yourself!


  1. Ulterios
    December 16, 2014 Reply

    First off I would like to thank you for this very nice article on protecting a WordPress site, it was very useful. Second, I downloaded the Stealth Login Page plugin and it doesn't change the URL for the admin login page, it just adds another pin or password so you have two forms or verification. It does redirect anyone who tries to access it without permission (Hack) to another URL of your choice. Just thought I would give you the heads up on this.

    It was a really nice article, I will keep checking out some of your other useful posts.
    Thanks and have a Great Day.

    • Katie Keith
      December 18, 2014 Reply

      Thanks for your comment, I'm glad the article was useful for you and hope you enjoy my other posts. Thanks for the clarification on how Stealth Login works, I wasn't aware of that.

Please share your thoughts...

Your email address will not be published.