Preventing WordPress hacks

Why preventing WordPress hacks is easier than recovering from them

An ounce of prevention is worth a pound of cure. This could not be truer when it comes to website hacks. WordPress sites are compromised not by sophisticated hackers but by bots written to exploit known vulnerabilities. These vulnerabilities include weak passwords, outdated plugins and themes, and poor-quality web hosting.

When a site is hacked, the following things can be affected:

  • Files can be uploaded to the server containing malicious code or PHP backdoors
  • Files already on the server, such as your theme files, can be modified
  • Code can be injected into your WordPress database
  • Users with administrative privileges can be added to your WordPress database
  • Numerous posts and pages can be published containing spam code
  • Your site can be redirected to malware sites

In other words, having your site hacked can be a BIG mess to fix. It can truly take hours to recover, and your SEO can take a big hit if Google decides to blacklist your site. See: Sites Hosting Malware Get 30 Day Ban from Google.

Luckily, preventing hacks is quite easy, though it does require diligence.

10 Tips for Preventing WordPress Hacks

1 – Use strong passwords

You should get a password tracking tool like 1Password to track all your passwords. You can no longer use the same password on every internet account and get away with it. You can’t use your dog’s name or favorite soft drink or band name. You need unmemorable, long, difficult passwords.

In the past couple weeks, I’ve had two clients call me because their Gmail, Instagram, or AppleID was hacked due to using a weak password. It is very easy to use a password hacking program to discover what your password is. In both cases, my clients used passwords that could be guessed by a password detection tool in under 1 second!

Test the strength of your existing passwords here, and then give some serious thought to using 1Password and creating passwords that are long, complex, and obscure, and to changing them frequently. With 1Password, you only have to remember one complex password.

2 – Keep WordPress themes, plugins, and core up to date

It’s not enough to log in once a month or less to do updates. As soon as a vulnerability is published, exploits will occur within days on massive numbers of sites. My forgotten site that I didn’t update was exploited within a couple weeks of the Gravity Forms vulnerability being announced. You must update immediately when there is an update. Read my post on how to update your WordPress themes and plugins safely to avoid breaking your site.

For plugins that don’t have front-facing functionality, you can use the Shield WordPress Security plugin to perform auto updates for you. If you manage more than one site, check out my post on site management plugins.

3 – Keep your server clean

Delete unused versions of WordPress on the server. It’s easy to forget these exist. Unused WordPress files, plugins, and themes can be exploited even if they are not active and not even associated with your current install. Delete, delete, delete. Run a tight ship.
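One way to find forgotten copies is to look for every `wp-includes/version.php` under the web root and read the `$wp_version` line WordPress core keeps there. This Python sketch is an added example, not code from the original post; the directory names and version numbers in `make_demo_tree` are a constructed sample layout, and you would pass your own web root and live site folders instead.

```python
import os
import re
import tempfile

# WordPress core records its version in wp-includes/version.php as $wp_version = '...';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def find_wordpress_installs(web_root):
    """List (directory, version) for every WordPress copy found under web_root."""
    installs = []
    for dirpath, dirnames, _files in os.walk(web_root):
        version_file = os.path.join(dirpath, "wp-includes", "version.php")
        if not os.path.isfile(version_file):
            continue
        with open(version_file, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
        installs.append((os.path.realpath(dirpath), match.group(1) if match else "unknown"))
        # Skip core folders, but keep walking: old copies often sit inside the live site.
        dirnames[:] = [d for d in dirnames if d not in ("wp-includes", "wp-admin")]
    return sorted(installs)

def unused_installs(web_root, live_dirs):
    """Installs under web_root that are not one of the sites you actually run."""
    live = {os.path.realpath(d) for d in live_dirs}
    return [(d, v) for d, v in find_wordpress_installs(web_root) if d not in live]

def make_demo_tree(root):
    """Constructed sample layout: one live site plus two forgotten copies."""
    layout = {"public_html": "6.4.3", "public_html/old": "4.9.1", "backup-2019": "5.2.4"}
    for rel, version in layout.items():
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % version)
    return os.path.join(root, "public_html")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        live = make_demo_tree(root)
        for path, version in unused_installs(root, [live]):
            print("not in use:", version, path)
```

Anything it reports is a candidate for deletion once you have confirmed nothing on the live site still depends on it.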

4 – Check your plugins and themes for continued support

Don’t use plugins and themes that are no longer maintained. If your plugin or theme hasn’t been updated in a year or more, replace it. This can be a huge problem with themes. Many developers are fly-by-night and don’t stick around more than a couple years to support their theme.

When you shop for a theme or plugin, look for one with current support requests that have been answered in a timely manner, good star ratings, and recent and frequent updates. Not all top-selling themes are the best themes; however, they are more likely to have ongoing support and updates. Read the comments for quality of response and tone. Look for helpfulness, enthusiasm, thoroughness, quick response, good articulation, and positive attitude.

WordPress premium themes often come bundled with third-party plugins. The theme developer may or may not provide timely updates for these bundled plugins. For example, the Revolution Slider, a popular animated slider, comes bundled with hundreds of themes on ThemeForest. The Revolution Slider had a major security vulnerability in 2014. However, theme developers who bundled it with their themes did not necessarily update the plugin when they updated their themes. As a result, many themes on ThemeForest distributed a highly insecure plugin for months after the vulnerability was discovered. This vulnerability led to tens of thousands of websites being hacked and directing traffic to malicious sites.

The upshot of all this is that if you purchase a premium theme that comes bundled with premium plugins, like Visual Composer, Layer Slider, Revolution Slider, or others, purchase these plugins SEPARATELY, so you can be notified of updates to those plugins specifically and not rely on a theme developer to keep you safe.

5 – Protect your computer and home network

Run virus scans all the time, especially if you run Windows. Be careful of the sites you visit. You can inadvertently give your WordPress login away through a keystroke-tracking Trojan, which will steal your passwords as you type them on your keyboard. Protecting your computer is often about not visiting websites that are distributing malware. But even known sites, such as a friend’s cooking blog, could be hacked. So you need some protection wherever you go on the web.

For Mac OS:

  • Scanning software isn’t usually needed, but I like Avira because it recognizes malware patterns along with malware and trojan signatures.
  • Turn on the Firewall in your System Settings (Security & Privacy). In the Firewall Options, check the box to Enable Stealth Mode. This will allow your computer to not be visible on networks.

For PC:

For your network:

6 – Run a WordPress security plugin

MalCare - one-click malware removal

I highly recommend the MalCare plugin by the makers of BlogVault. They have both a free and paid version. What I like the most about their plugin is that there are no configuration options which can be super confusing with other security plugins. Also, all the malware scanning takes place on their cloud servers, so there is no impact to the performance of your site. It also runs brute-force protection and a robust firewall.

The paid version is just $99/year, which is a bargain compared to other similar services. You can use this link for 10% off your first year:

Please try it out and let me know how it works for you in the comments below.

I also like Shield WordPress Security by iControlWP. I have used Wordfence in the past, and it continuously created errors in the error log files on multiple sites. Other popular plugins out there can easily break your site or have you focused on “security” measures that do nothing for security while missing out on important things like login protection.

7 – Don’t log in on public WiFi networks

If you log in to your WordPress site on a public network, you are essentially giving your login credentials away to anyone else on the network who might be running packet sniffing software. If you don’t have an SSL certificate installed on your site (which encrypts your username and password on the network), then use a Virtual Private Network (VPN) service to encrypt your traffic on the network. Use this even if you do have an SSL certificate on your site, as it’s good to stay in a virtual private network on any public network.

8 – Install an SSL certificate on your site

This encrypts the data that you and your site’s visitors transfer via the site, such as when submitting contact forms or using login pages. Otherwise, data is transferred like a postcard in the mail, meaning anyone who’s looking can read it. Having SSL installed on your site allows you to log in securely (via https) while traveling. Many hosts offer this for free, and you can use the Really Simple SSL plugin to force your content to use https.

9 – Consider better web hosting

Hosting companies like WP Engine, SiteGround, Kinsta, and Flywheel have your back when it comes to security. They routinely do security scans and will clean your hacked site for free, though I have known people to be hacked on these services, and it can take days to get unhacked (or not at all). I’d still recommend running the MalCare plugin, because hosts are not malware experts. I have been hosting most of my sites lately with SiteDistrict, because their performance is quite excellent in terms of site speed (right up there with Kinsta), and their support is hands-on and proactive.

10 – Backup your site

While backups are not always all that helpful in recovering from a WordPress hack, they are essential for disaster recovery, especially when it comes to damage to your database, which is where all your site content is stored. See my post on Backing Up WordPress.

Ongoing monitoring of your site

  • It’s important to sign up for Google Search Console to be alerted about any issues on your website.
  • Monitor error logs on the site via the cPanel File Manager or FTP (SFTP).
  • View Raw Access Logs on the server to track any users accessing files on the site, particularly POST requests. If this is not turned on, you can turn on archiving of access logs in your cPanel.
  • You can use the Shield WordPress Security plugin’s Audit Trail feature to track any changes to files or access to the site.
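To make the raw access log review concrete, here is an added Python example (not from the original post) that pulls the POST requests out of an Apache "combined" format log and flags two patterns worth a closer look. The sample lines are constructed, and the two rules (any POST to a `.php` file under `wp-content/uploads`, and three or more POSTs from one address to `wp-login.php` or `xmlrpc.php`) are assumptions chosen for illustration, not thresholds from the post.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:05:40 +0000] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 12 "-" "curl/8.0"
192.0.2.15 - - [12/Mar/2024:10:07:11 +0000] "GET /about/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Mar/2024:10:08:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
198.51.100.99 - - [12/Mar/2024:10:09:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumed rule: the uploads folder holds media, so a POST to a PHP file there is suspect.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.I)
# Assumed rule: repeated POSTs to the login endpoints suggest password guessing.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

def review_posts(log_text, login_threshold=3):
    """Return (POST counts per (ip, path), list of (rule, ip, path) findings)."""
    posts = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        posts[(m["ip"], path)] += 1
        if UPLOADS_PHP.match(path):
            findings.append(("php-in-uploads", m["ip"], path))
    for (ip, path), count in posts.items():
        if path in LOGIN_PATHS and count >= login_threshold:
            findings.append(("repeated-login-post", ip, path))
    return posts, findings

if __name__ == "__main__":
    counts, flagged = review_posts(SAMPLE_LOG)
    for rule, ip, path in flagged:
        print(rule, ip, path, "x%d" % counts[(ip, path)])
```

To run it on a real site, read the downloaded access log into a string and pass it to `review_posts` in place of `SAMPLE_LOG`.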


WordPress security is not hard. Cleaning up hacks is. Please take a little time to review your site, make a list of things you need to do, and check them off one at a time. Start by getting everything updated and get a backup solution set up. Update your plugins and sign up for Google Search Console. Reset your passwords. I’ll be writing another post soon on how to audit your site to look for hacked files, so stay tuned!

Angela Bowman

Front-end WordPress developer since 2007 building highly custom websites for nonprofits and small businesses. Experienced in nonprofit administration, grant writing, and technical writing. Love high altitude hiking and backyard chickens.


14 comments on “Preventing WordPress hacks”

  1. Hi Angela
    My WordPress site is hosted on an Ubuntu VPS.
    A hacker can still manage to inject malicious redirect code in my WordPress core files, although I have all files at 644 permissions and folders at 755 permissions.
    Do you have any idea how to stop that?

  2. Thanks Angela.
    These are great tips to keep WordPress safe.
    Well, I’m using Loginizer to limit unwanted logins to my WP back-end.
    And it really helped me to keep those hackers at bay!
    Keep sharing!

  3. On the tips #9, how can I inspect if the WordPress site has been hacked from the hosting provider security?

    If you’re in the situation, will you stay or move to the other hosting provider?

  4. Hey author, great list of preventing WordPress hacks. SSL certificate is very essential nowadays, also the security plugins are available in WordPress, that’s nice, and strong passwords are always a key factor for WordPress security. Thanks for sharing these tips.

  5. 2 of my websites got hacked a couple of months ago, it was a database injection due to some plugin vulnerability (they were both using it).
    It took me 2 days to recover from it. After recovery, I changed the login URL and I never got attacked again 🙂

    • Hi Daniel, wow! That’s awesome. Brute force is a common hack pathway. I do highly recommend the MalCare plugin. It can do deep scanning of the site and database. Even though your site is clean, it might be worth running just in case anything was missed. They also provide support with the paid plan. You can get 10% off with this link:

  6. I love your articles! Very well structured, informative and easy to read and digest. Thank you for your time and effort! I really appreciate it!
