The popularity of WordPress makes it a big shiny target for hackers. Whether you’re managing a humble micro-niche site or a massive authority site empire, it’s wise to keep your guard up and not take any chances. In fact, hackers love to thrive where there is the least resistance! The common goal is to hack as many websites with as little effort as possible. So no, you can’t be too sure that they’ll skip your six-page website.

Let this guide get you started with 9 ways to secure your authority site, complete with simple and advanced tips you can follow depending on your skill level.

Simple security measures

Don’t fret, you don’t need mad coding skills to beat hackers in real time like in the movies. Check out these simple security measures, which you can even try out as you go through this article.

1. Keep your WordPress site and plugins up to date

WordPress has never been complacent despite being the ultimate big boss among content management systems (CMS): new features, constant bug fixes, never-ending optimization. However, every new release also exposes security gaps in older versions. Developers usually resolve these issues quickly, but it’s best to update your authority site as soon as you can.

The same goes for WordPress plugins. Stay skeptical and only install themes and tools from reliable sources. That enticing upgrade might be malicious code in disguise, with bogus developers building a backdoor for easy malware infection.


Before clicking that Install Now button, do a full background check on the provider on Google or in the WordPress theme and plugin directory. Subscriptions to premium developers cost more, but the peace of mind you get is priceless.

2. Create complex passwords and enable login authentication

You could be the most forgetful person in the world, but I still won’t tolerate the classic “123456” or “asdfghjkl” passwords. They are inadvisable even for social networking accounts, so why would you entrust your money-making authority sites to such predictable keys?

Draft long cryptic passwords, complete with upper and lower case letters, numbers, and special characters. You can play around with your favorite quote (e.g. “blur the line between work and play” becomes “13lurTheL!n3b/nW0rk&Pl@y”), but I prefer random gibberish phrases like “dU$2154z1x7wWwf” (no, this is not my password).

If you’re wondering how I remember my passwords – I actually don’t! But there are services like LastPass which can help you store and manage them easily.

Weave your security blanket bigger and enable two-factor authentication too. Even in the rare event that someone guesses your password, they’d still have to enter a code that expires after a short time. Unless you’re dealing with a hacker who can also tap your mobile device within seconds, this feature is a simple yet superb way to protect your website from unauthorized logins.

3. Customize your WordPress user settings

There are two things on WordPress that you should never set in default: your username, and your user rights.

Did you know that the first thing hackers do is try a standard username? Brute force attackers love WordPress accounts that still use “admin” or “wp_admin.” Unless you want to do them a favor, create a new user with admin rights: go to Users > Add New, log in with the new account, then delete the old admin (attribute its posts to the new account when WordPress asks).

Add a layer of protection by managing your user rights. Your team doesn’t need access to everything on your site. You could use the admin user you created for administrative tasks. Meanwhile, an extra user with only editor rights would be enough to handle content publishing.

Even if you’re running a one-man company, having multiple user accounts is still smart. When you’re working away from home on unsecured Wi-Fi networks, never log into your admin user. That way, thieves can’t cause any major damage even if they’ve accessed your editor account.

4. Install WordPress Security Plugins

While WordPress itself offers only the bare minimum of protection for your account, handy plugins can get the job done. Here are a few options worth installing:


This simple but powerful plugin can ward off brute force attackers from your authority site. With the firewall setting activated, it blocks access from fraudulent IP addresses and locks out visitors after wrong login attempts. With every subsequent failed attempt the ban is extended, up to 24 hours. The plugin also tracks the attacker’s IP address and, if you set it up correctly, informs you about the attempt by email.

This plugin hasn’t been updated for several years, but it works just fine for my sites. Alternatives you could explore are Login Ninja and Jetpack.

AntiVirus Plugin

Want a dependable plugin that checks your site for infections? Try out AntiVirus. It scans your theme for malware either manually or automatically every day, and it also queries the Google Safe Browsing database to see whether your authority site has been classified as unsafe. Whenever it finds something suspicious, the plugin sends you an e-mail notification. As an alternative, you can also give the Google Search Console a try.

5. Prevent spam

Comment sections are great for engaging your readers, but they also make your authority site vulnerable to spam. As you gain popularity, you become a tempting target for spammers who will try to flood you with negative or random comments. To protect your website from this kind of attack, install the free plugin Antispam Bee. I’ve been using it on all my pages. It’s easy to set up but powerful enough to protect me 99.9% of the time.

Using captchas for the comment section seems tempting, but steer clear of this tactic. Apart from spammers, it may also turn off your readers: a few seconds of hassle can be enough to lose a potential reader engagement.

You must also be wary of so-called “referrer spam,” where the spammer makes repeated requests to your website using a fake referrer URL. These requests do no harm to your niche site, but they can make your Google Analytics stats go bonkers. From experience, the best remedy is to adjust the filters in Google Analytics.

6. Create regular backups

No matter how many plugins you install or how complex your password is, it can all be in vain if you don’t make regular backups. In the event that all your security measures fail, your backup will save you a lot of tears, and getting your authority site back up will be a breeze.

The ideal backup frequency depends on how often you publish new articles. If you only post once a month on a finished niche site, there’s no need to back it up every day, but I would still recommend backing everything up once a week.

I personally back up all of my websites every week with the BackWPup plugin, which I’ve used for years. The free version lets you save your backup directly to Dropbox or to your hard disk; the Pro version adds cloud storage and more features. Similar plugins on the market are UpdraftPlus, BlogVault, and BackUpWordPress.

Advanced security measures

The basic security tactics we’ve discussed are often enough, but it doesn’t hurt to go further if you have advanced technical skills. Don’t try these by trial and error! If you have no idea what you’re doing, you might end up with a big chaotic mush where your perfectly running website used to be.

7. Protect your website with the .htaccess file

If your hosting provider supports .htaccess files, you have plenty of ways to protect your authority site:

  • Create an additional login area in front of WordPress
  • Change your default WordPress login URL
  • Prohibit outsiders from accessing important folders and files
  • Prohibit image hotlinking
  • Protect the XML-RPC interface from DDoS attacks
  • Suppress PHP error messages so they don’t reveal information to an attacker
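As an added example that is not part of the original post, here is a shell function that appends .htaccess rules covering several of the items above (protected files, XML-RPC, an extra login gate, PHP error display, hotlinking). It assumes Apache 2.4 with mod_rewrite and an AllowOverride setting that permits these directives (Apache 2.2 uses Order/Deny directives instead), and PHP running as mod_php; the domain and htpasswd path are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the post): append .htaccess hardening rules to a
# WordPress document root. Assumes Apache 2.4 with mod_rewrite; "php_flag"
# only works when PHP runs as mod_php (under PHP-FPM set display_errors
# in php.ini instead). Arguments: docroot, site domain, htpasswd path.
add_htaccess_rules() {
    docroot="$1"
    domain="$2"          # e.g. example.com (placeholder)
    htpasswd="$3"        # keep this file outside the document root
    # Escape dots so the domain is matched literally in the regex below.
    domain_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    cat >> "$docroot/.htaccess" <<EOF

# --- hardening rules appended by add_htaccess_rules ---
# Nobody needs to fetch these files over HTTP.
<Files wp-config.php>
    Require all denied
</Files>
<Files .htaccess>
    Require all denied
</Files>
# XML-RPC is a common brute-force and DDoS entry point; deny it unless a
# mobile app or Jetpack really needs it.
<Files xmlrpc.php>
    Require all denied
</Files>
# Extra login gate: HTTP basic auth in front of the WordPress login form.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $htpasswd
    Require valid-user
</Files>
# No directory listings of uploads, plugins or themes.
Options -Indexes
# Keep PHP error messages (paths, versions) away from visitors.
php_flag display_errors Off
# Hotlink protection: serve images only to our own pages or an empty referer.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?$domain_re/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]
EOF
}
```

Create the htpasswd file with the `htpasswd` tool before enabling the wp-login.php block, otherwise you lock yourself out of the dashboard.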

8. Set write and read rights correctly

The golden rule is to grant write permissions to as few files as possible – just enough to keep your authority site functional:

  • /wp-content/uploads/ for media uploads
  • /wp-content/cache/ for enabling your caching plugin

If a new plugin or theme requires too many rights to work, take that as a red flag and find an alternative instead.
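An added example, not code from the original post: a shell script that applies the scheme above (only the two directories listed stay writable by the web server) and an audit function that reports anything a plugin or theme has left writable beyond that. It assumes the files belong to your deploy user and that the web server process runs in that user’s group; adjust the ownership or use 777-free alternatives if your host differs.

```shell
#!/bin/sh
# Added example (not from the post): apply the least-privilege scheme from
# the section above and audit it. Directories 755, files 644, wp-config.php
# 600; only wp-content/uploads and wp-content/cache are group-writable
# (775 dirs, 664 files) so the web server can write there. Assumes the
# files belong to your deploy user and the web server runs in that group.
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # Database credentials: owner read/write only.
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    for d in wp-content/uploads wp-content/cache; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 775 {} +
        find "$root/$d" -type f -exec chmod 664 {} +
    done
    return 0
}

# Audit: print every path outside the two writable areas that is writable
# by group or others. Empty output means the tree matches the policy;
# anything printed is a plugin or theme asking for more than it should get.
find_overly_writable() {
    root="$1"
    find "$root" \( -path "$root/wp-content/uploads" \
                 -o -path "$root/wp-content/cache" \) -prune \
        -o \( -perm -020 -o -perm -002 \) -print
}
```

Run `find_overly_writable /path/to/wordpress` after every plugin or theme install; a non-empty list is the red flag the section talks about.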

9. Change database prefix

After installation, your database tables carry the default prefix “wp_”. To guard your authority site against brute force attacks, change it pronto through the phpMyAdmin interface or with the plugin Change Database Prefix. If you choose the latter, you’ll have to temporarily give wp-config.php write permissions; remove them again after making the change and uninstall the plugin.

How do you protect your niche site from hackers and spammers? Share your favorite plugins and techniques in the comments below!