How to Prevent Hackers from Accessing a WordPress Site


WordPress is a popular hacking target. The theme, core WordPress files, plugins, and even the login page are all being targeted by hackers.

These are the actions to take to make it less likely that you’ll be hacked and to make it easier to recover if you are.

Attacks on WordPress by Hackers

Hackers are constantly probing all websites on the internet, whether it’s a phpBB forum or a WordPress site. A hacker might scan thousands of pages or attempt to log in hundreds of times each day.

And that is just one hacker. Many hackers are attacking websites at the same time.

It’s usually not a person who is attempting to hack you. Hackers use automated software to cruise the internet in search of specific flaws in websites.

Bots are automated software programs that crawl the internet. To distinguish them from scraper bots (software that is trying to copy content), I call them hacker bots.

Using a Firewall to Protect Your WordPress Site

A firewall is a piece of software that detects and blocks intruders. The finest WordPress firewall, in my opinion, is a plugin called Wordfence.

Wordfence examines a website visitor’s behaviour to see if it matches that of an abusive bot. Wordfence will immediately ban the bot if it violates specific restrictions, such as requesting too many web pages in a short period of time.

Wordfence is also set up to allow genuine search engines like Google and Bing to access the site.

There are advanced tools that allow a publisher to see which bots are attacking a site and where they are coming from, such as whether a bot originates from Amazon Web Services or Bluehost. Wordfence allows the publisher to block the bot by its IP address, by the full IP address range, or even by the bot’s fake browser user agent.

About User Agents (UA)

A user agent is a piece of identifying information supplied by a browser to tell a website what browser (Chrome, Firefox, or Vivaldi) and operating system it is using (Windows 10, Mac OS X).

A user agent string for a Mac OS X computer running Safari 11 looks like this:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15

Bots employ a variety of user agents to deceive websites and gain access. Some bots, for example, claim to be a browser on Windows XP.

Because the number of real users on Windows XP is close to zero, I can use Wordfence to construct a rule that blocks any user agent that reports Windows XP as its operating system, and with just one rule, I can ban thousands of nasty bots regardless of their origin or IP address.

Because bad bots will occasionally respond by switching to a different user agent, a publisher can block a wide range of dangerous hacker bots by combining these rules.

And that’s with Wordfence’s free version.

The premium version allows you to block entire nations. So, if you don’t have any legitimate site visitors from a particular country, you can restrict all traffic from that country.
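The user-agent rule for Windows XP and the "too many pages in a short period" rule described above can be modelled offline against an access log. This is an added example, not Wordfence's code or rule syntax; the log lines, IP addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
                     r'"[^"]*" "(?P<ua>[^"]*)"')
# Windows XP identifies itself as "Windows NT 5.1" in browser user agents.
XP_UA = re.compile(r"Windows NT 5\.1|Windows XP", re.IGNORECASE)

def evaluate(lines, max_req=5, window=timedelta(seconds=10)):
    """Return {ip: rule} for every IP that a UA rule or a rate rule would block."""
    recent = defaultdict(deque)  # ip -> request times still inside the window
    blocked = {}                 # ip -> first rule that fired
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in blocked:
            continue
        if XP_UA.search(m["ua"]):            # rule 1: claimed operating system
            blocked[m["ip"]] = "user-agent"
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:            # drop requests older than the window
            q.popleft()
        if len(q) > max_req:                 # rule 2: too many pages too quickly
            blocked[m["ip"]] = "rate"
    return blocked

def line(ip, sec, ua):
    """Build one constructed access-log line (combined log format)."""
    return (f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] '
            f'"GET /?p={sec} HTTP/1.1" 200 512 "-" "{ua}"')

XP = "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/11.1.2 Safari/605.1.15")

# Constructed traffic: one XP-claiming bot, one bot that already switched to a
# current UA but requests a page every second, and one ordinary visitor.
SAMPLE = ([line("203.0.113.7", 1, XP)]
          + [line("198.51.100.9", s, CHROME) for s in range(1, 9)]
          + [line("192.0.2.44", 5, SAFARI), line("192.0.2.44", 40, SAFARI)])

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

The second bot never claims Windows XP, so the user-agent rule alone misses it and only the rate rule catches it, which is why the rules are combined.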

Exploit Protection for WordPress

Furthermore, the commercial version of Wordfence will defend you against numerous compromised themes and plugins before they are repaired.

When Wordfence researchers become aware of an attack, they will update the premium version of the firewall to protect subscribers against that exploit, sometimes weeks before the compromised theme or plugin vendor fixes it.

Hardening the security of your website

Sucuri Security is a free plugin that adds an extra layer of security to your site. Sucuri (owned by GoDaddy) helps harden WordPress security by blocking certain types of attacks that bad bots attempt. It also has a malware scanner that examines all files to see whether they’ve been tampered with.

Sucuri will notify you whenever someone logs into your site, assisting publishers in determining whether or not a hacker is logging in. Sucuri may also notify a publisher if a file has been modified, which is something hackers do.

The following are the features of Sucuri’s free version:

  • Security activity auditing.
  • File integrity monitoring.
  • Remote malware scanning.
  • Blacklist monitoring.
  • Effective security hardening.
  • Post-hack security actions.
  • Security notifications.

Your site’s logins should be limited

Bots that repeatedly type in user names and passwords on the WordPress login page can be blocked by Wordfence.

Limit Login Attempts Reloaded is a plugin that allows publishers to automatically prohibit all hackers who enter a certain number of failed name and password combinations.

You can, for example, set it to prohibit hackers after three failed password guesses.

The login blocker has the following features:

  • Limits the number of login retries (per IP). This can be customised to your liking.
  • On the login screen, informs the user of the remaining retries or lockout time.
  • Optional logging and email notification are both available.
  • IPs and usernames can be whitelisted or blacklisted.
  • Compatibility with Sucuri’s Website Firewall
  • XMLRPC gateway security.
  • Protection for the Woocommerce login page.
  • Extra MU settings for multi-site compatibility.
  • GDPR compliance option. When this feature is enabled, all logged IPs are obfuscated (md5-hashed).
  • Support for custom IP sources (Cloudflare, Sucuri, etc.)

Limit Login Attempts Reloaded is a plugin that allows you to quickly shut down hack bots that are attempting to guess a password.
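The lockout behaviour in the feature list above (a retry limit per IP, a message with remaining retries or lockout time, and a whitelist) can be modelled in a few lines. This is an added example, not the plugin's code; the class name, parameters, messages and default durations are hypothetical.

```python
import time

class LoginLimiter:
    """Per-IP lockout after a fixed number of failed logins (illustrative model)."""

    def __init__(self, max_retries=3, lockout_seconds=1200, whitelist=(),
                 clock=time.time):
        self.max_retries = max_retries
        self.lockout_seconds = lockout_seconds
        self.whitelist = set(whitelist)
        self.clock = clock          # injectable so lockouts can be tested
        self.failures = {}          # ip -> failed attempts since last success
        self.locked_until = {}      # ip -> unix time when the lockout ends

    def seconds_locked(self, ip):
        """Remaining lockout time for ip, 0 if it may attempt a login."""
        return max(0, self.locked_until.get(ip, 0) - self.clock())

    def record(self, ip, success):
        """Record one login attempt; return the message for the login screen."""
        if ip in self.whitelist:
            return "ok" if success else "failed (whitelisted, not counted)"
        remaining = self.seconds_locked(ip)
        if remaining > 0:
            # While locked out, even a correct password is rejected, so a
            # guessing bot learns nothing from attempts made in this period.
            return f"locked out for {int(remaining)}s"
        if success:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        left = self.max_retries - self.failures[ip]
        if left <= 0:
            self.failures.pop(ip)
            self.locked_until[ip] = self.clock() + self.lockout_seconds
            return f"locked out for {self.lockout_seconds}s"
        return f"{left} attempt(s) remaining"

if __name__ == "__main__":
    limiter = LoginLimiter(max_retries=3, lockout_seconds=60)
    for _ in range(4):
        print(limiter.record("203.0.113.7", success=False))
```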

Your WordPress Site Should Be Backed Up

It’s critical to have your website backed up on a daily basis. A backup can be used to recover the site in the event of a catastrophic occurrence.

There are other backup solutions available, but the UpdraftPlus WordPress Backup Plugin is one that I have found to be most beneficial. UpdraftPlus is a well-respected option with over two million customers.

It can be set up to deliver daily backups via email or to a cloud storage service like Dropbox.

I inadvertently deleted all of the theme layout files from a website, rendering the site utterly unusable. However, using an UpdraftPlus backup, I was able to restore the site to its previous state. It was simple to do, and I was grateful.

All Themes and Plugins Must Be Updated

It’s critical to keep all themes and plugins up to date. WordPress has a feature that allows all plugins to be updated automatically, which is useful for publishers or businesses who don’t check in and conduct updates on a regular basis.

By enabling the auto-update feature, a publisher can ensure that their software is always up to date. One of the most common ways to get hacked is by using an out-of-date plugin.

Abandoned Plugins Should Be Avoided

A final word on plugins that have been abandoned. Some plugins can continue to function even after their developer has abandoned them. It’s possible that these outdated plugins contain a security flaw. However, because they have been abandoned, they will never be repaired.

Another issue is that hackers occasionally purchase outdated plugins and infect them with malware and viruses.

Examine all of your WordPress plugins to ensure that they have not been abandoned and that they are being updated on a regular basis.

Hackers can cause havoc on your WordPress site if you don’t take precautions

For many websites, merely taking these modest measures to safeguard the site is sufficient to prevent it from being hacked. The free versions of these plugins provide a lot of security, and the premium ones provide even more security.

Many security-related plugins exist, and some of them have been found to include vulnerabilities. Wordfence and Sucuri are, in my opinion, the best security plugins for WordPress.