This post may contain affiliate links. See our affiliate disclosure for more.

14 Easy ways to protect your website from hackers

In This Article

In 2014, more than 100,000 WordPress sites were targeted in a DDOS attack. This means that these computers were purposefully infected with a Trojan virus, and then used to target an unsuspecting third party.

Your information security has never been more important, and when you want to keep your website – and just as importantly, your clients’ websites – safe, be aware of where vulnerabilities exist and what you can do.

(Is devoting more time to WordPress the right next step for you? Read more here.)

Update regularly

As any expert in IT security technology will tell you, your site is only as safe as the updates it has gotten. Everything on your site should be updated and kept updated by a reliable system.

Updates happen to offer more functionality to you, but what you might not know is that updates are also a tool to stay ahead of hackers. The longer your websites sit without an update, the more vulnerable you (and your clients) are.

That means that not only does your security software need to be updated, but your site software needs to be updated as well.

The good news: you can set WordPress to update automatically.

Limit login attempts

When it comes to protecting a WordPress site, one of the best things you can do is limit the number of times someone can try to log in before the site gets locked down.

This prevents people from using guessing software to figure out what your password is.

If the site locks down after three attempts, you can simply go in, reassert your authority, change the password, and move on. This is a great way to thwart people who are looking to get into your site.

Back it up

Sometimes, no matter what you do, your website might run into issues.

If malicious enough, there is a chance that your website might be in serious trouble…like losing data or getting shut down by your web host. (This is a total nightmare.)

Backing up your website regularly will save yourself a ton of work rebuilding the site, especially when your client is frantic to have their site up and running for the big product launch in 2 days.

WordPress has several free plugins that will automatically archive your website every night (or weekly, or monthly). Not only that, they can save to your web server or a variety of cloud storage and you can limit the number of backups allowed in the storage space so you don’t have to periodically delete old ones.

Don’t allow uploads

It can be fun to encourage your visitors to share data and to upload their work, but this is incredibly risky. Uploads can open you up to a world of trouble if you’re not prepared for the worst.

If you don’t have a good security team working for you, do not allow guests to upload things to your site. It really is as simple as that.

(Visitors can still share links to their work in the comments, which is far safer.)

Use discreet error messages

Have you ever mistyped your password and gotten an error message like, “incorrect password.”

Seemingly harmless, right? This message is helpful, but you never want to be helpful to people who mean you harm!

Keep the error message discreet.

For example, if you use the error message “incorrect username/password combination,” a potential hacker isn’t informed they may have guessed half right. This is a small detail, but it’s a good, simple way to make sure that you stay safe.

Set permissions

Some of the worst hacker attacks don’t come from strangers.

The truth is that someone who has just a little bit of knowledge and a lot of ill will can still do a ton of damage to your site. If you don’t trust someone completely, do not give them access to your site.

If they need to have an account, limit their permissions. Do all of their uploading for them and limit their access to strictly what they need. (Not sure what plugin to use? Click here.)

Limit IP access

An IP is essentially an Internet address. Though an IP is easy to fake, it allows you to know where someone like a commenter is coming from, geographically speaking. On top of that, it can also tell you where an attempt to access your website is coming from!

If you are worried that you are being targeted by a specific IP, block that IP from your site.

Alternately, you can ban every IP that is not yours from accessing the administrative powers of your website…that is, of course, unless you have multiple remote administrators!

This is a fairly easy, fairly common procedure, and you can ask your IT person to do it, or you can look up the instructions on how to do it yourself.

Use stronger passwords

Everyone needs stronger passwords. Simply everyone.

When websites get hacked, especially on sites like WordPress, it is because their passwords are simply too easy for the right program to crack. For example, there is a program to get to your password if it is any word or term found on Wikipedia. (Yikes!)

The best passwords are always random strings of upper and lower case letters with numbers and symbols thrown in. If you need help, go to a secure password generator and make sure your password is written down somewhere.

Another thing to keep in mind: your password should change every six months or so.

Rename your “Admin” account

A shockingly high number of people leave their administrator account labeled as Admin. This means that if the hacker can guess this account name, they are halfway to making sure that they can access your site and lock you out of it!

Instead, make another administrator account, and delete the Admin account. It’s simple, fast, and effective!

Consider penetration testing

This is exceedingly useful the more “important” – read well-visited or well-known – your client’s website or company is. (Let’s face it, designers really aren’t famous, except within our industry.)

A penetration test is conducted by a security professional you trust to “attack” your system and find the weak spots.

Penetration testing is often the first major step to building the kind of security protocols a website needs in order to stay ahead of hackers.

Layer your security

There is no such thing as one security device to rule them all! (Sadly.)

The more diverse systems you have in play, the harder it gets for hackers to access your site.

At the beginning should be good firewalls, followed by great anti-virus software, followed by good login forms, followed by secure passwords, and so on. The more protections you have in place, the safer your website is.

Be alert

In most cases, attacks from hackers are fairly obvious.

Strange things suddenly appear on your site, or your site simply stops working completely.

Keep an eye out for things like a slowing of your website’s speed and the inability to access certain things, even if it resolves after a certain point.

If your website is not behaving correctly, find out why as soon as you can!

Be aware of your vulnerability

It’s hard to tell what types of webpages are going to be targeted by hackers. It’s all up to what the hacker wants to do. Because of that, it is impossible to have a webpage that is completely ignored by sinister forces.

Simply keep up your protections, and don’t make it easier for them.

Hire a professional

As you or your client’s website grows, having a professional security team becomes more and more important, especially if you’re accepting and saving personal or financial information.

An IT security specialist can make sure your site safe via regular updates and information…and less headache for you. They can solve small problems before they turn into major ones and are dedicated to keep your site from being abused.

Information security is important!

You don’t need to be an IT professional to block off some of the hackers’ favorite targets. Do what you can, stay alert, and get help before you think you need it.

  • Have you ever been hacked?
  • Do you have favorite security plugins?
  • Got more security questions?

Share your thoughts in the comments.

Keep the conversation going...

Over 10,000 of us are having daily conversations over in our free Facebook group and we'd love to see you there. Join us!

Profile Image: Sarah Smith

Written by Sarah Smith

Contributor at

This post comes from Sarah Smith from Sense of Security, who likes to consider herself a blogger, traveller and techie. Sarah is interested in all parts of the digital nomad lifestyle, which has taken her into ethical hacking, internet marketing, coding and more.

Sarah's Articles

At Millo, we strive to publish only the best, most trustworthy and reliable content for freelancers. You can learn more by reviewing our editorial policy.

  1. Hey there! I’ve been following your bⅼog for a while now and finally got the couraɡe to go аhead and give you a
    shout out from Huffman Tx! Just wanted to say kеep up the fantɑstic job!

  2. Great post! One question, how do you change your login error message?

    1. Sarah Smith says:

      Hi. The text you need to change is in pluggable.php, in the wp_authenticate() function. You can follow the suggestion here

  3. Thanks for the post. Is there any way to avoid plugin incompatibility issues? I’m always cringing whenever I hit “update ” on WP. Too many times it’s a game of trying to make sure all versions play well with each other.

    1. Sarah Smith says:

      There is a useful plugin for incompatibility issues, “Better Plugin Compatibility Control” The plugin adds version compatibility info to the plugins page to inform the admin at a glance if a plugin is compatible with the current WP version.

      You can try that!