Stop WordPress Hackers in Their Tracks

Hackers constantly prowl cyberspace in search of vulnerable prey. Some WordPress websites unwittingly roll out the red carpet and put up a neon sign, and the results can be devastating. One website owner posted this urgent plea on the forums page:

I am in desperate need of help. My WordPress account was hacked this morning. I spent hundreds of hours putting together my website and now this. The hack changed my username and somehow disabled all access to my page and post editor, plugins, and all the other sidebars in my Dashboard.

Don’t let his misery become your fate. Consider four quick and painless ways to shore up your defenses against future attacks.


Weak logon credentials leave your WordPress administrative account wide open to brute force attacks. In this scenario, a hacker systematically bombards your login page with password guesses in hopes of hitting the jackpot. But you can greatly reduce the possibility of a brute force hack with a few minor tweaks:


Many WordPress installation scripts create a default administrative account with the user name admin. The neon sign I mentioned earlier? This one is a hot pink arrow. Make your admin user name a little less obvious by creating a new admin account and deleting the default one:

  • Log on as the current administrator.
  • Create a new account with admin privileges and a user name containing a mix of letters and numbers, like Jdoe22 or Jill1089.
  • Log out and then log on as the new administrator.
  • Delete the old admin account, making sure to select the “attribute all content to” radio button to reassign your posts to the new admin account.

Another potential area of weakness is your public author name. Malicious bots will grab this information from your posts and attempt to log in with it during a brute force attack. This is because hackers know that WordPress defaults your public author name to the ID that you use to log in when the admin account is created. Instead of handing your login name to someone on a silver platter, simply change the “Nickname” and “Display name publicly as” fields on your user profile to something other than your user name.


While you can reduce the risk of brute force break-ins with a plugin that locks out an IP address after so many failed login attempts, that won’t help you much if your password is easily guessed. The remedy is to beef up your wimpy WordPress password by making it strong. A strong password has several important features:

  • It’s over 8 characters long (ideally 12 or more)
  • It does not contain names or dictionary words
  • It contains a combination of uppercase, lowercase, numbers, and symbols

How do you remember a password like that? Experts recommend picking a meaningful phrase to use as a guide. For example, with a little creativity we can turn the phrase “I love to play tennis” into the strong password ILuv2plTnn1s! Or “Jack’s birth date is 5 June 2001” becomes Jksbd8i5/601.

Kevan Lee offers additional tips in his excellent article How to Create a Secure Password You Can Remember. And if you’re looking for an even thicker layer of security at the login level, you can also investigate two-factor authentication – requiring an additional source of identification such as a PIN – to see if it’s a good fit for you.
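
The brute force pattern and the failed-login lockout described above can be recognized in a web server access log. The following Python is an added example, not part of the original article or of any plugin's code; the log lines are constructed, and it assumes WordPress answers a failed login POST with status 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def _line(ip, hhmmss, status):
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4100 "-" "-"')

# Constructed sample lines in combined log format, not from a real site.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", 200) for s in range(0, 60, 10)]
    + [_line("198.51.100.20", "10:02:00", 200),   # one typo ...
       _line("198.51.100.20", "10:02:30", 302)]   # ... then a good login
    + [_line("192.0.2.44", f"10:{m:02d}:00", 200) for m in range(5, 55, 10)]
)

def failed_logins(log_text):
    # Assumption: a failed login redisplays the form (200) and a
    # successful one redirects (302).
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format
        path = m["path"].split("?", 1)[0]
        if (m["method"] == "POST" and path.endswith("/wp-login.php")
                and m["status"] == "200"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def lockout_candidates(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: time the threshold was reached}; expects lines in time order."""
    recent = defaultdict(deque)   # per-IP failure times inside the window
    flagged = {}
    for ip, when in failed_logins(log_text):
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()       # drop failures older than the window
        if len(times) >= max_failures and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in lockout_candidates(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when:%H:%M:%S}")
```

Lowering `max_failures` or widening `window` catches slower guessing at the cost of locking out more legitimate users who mistype a password.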


Each plugin on your WordPress site is a software application containing code that can potentially be exploited by hackers. The plugins least likely to be hacked are those created by experienced software developers who use best coding practices. There are a few ways to identify the cream of the crop:

  • As a general rule, choose plugins that are widely used and highly rated by a sizable number of users (a five star rating doesn’t mean much if it was only rated by one or two users)
  • Avoid plugins that are flagged on the WPScan Vulnerability Database
  • Avoid plugins that haven’t been updated by the author in over a year or aren’t compatible with your WordPress version

The next step is to make sure those carefully selected plugins stay up to date. Hackers regularly exploit the security vulnerabilities of outdated software, but you can shut them down just by keeping up with your WordPress software updates – including plugins, themes, and WordPress itself.


Chances are you could use some outside help fortifying the rest of your website against hackers. There are several excellent security plugins available for free, which means there is no excuse for not installing some basic protection. Three top choices in the WordPress community are Wordfence Security, BulletProof Security, and iThemes Security.

iThemes Security is my recommendation for its depth of protection and ease of use. It safeguards your WordPress site in dozens of ways including scheduled malware scanning, WordPress tweaks, and automatic database backups. The dashboard lists each security vulnerability on your site and organizes them into priorities of high, medium, and low, with a refreshingly simple “Fix It” button next to each. Clicking on that button takes you to a clearly explained security setting that can be turned on at your discretion.

A properly configured security plugin makes life a lot more difficult for would-be hackers. And that makes it a lot less likely that they will pick your site, when there are so many easier targets to choose from.


Although the steps in this article will help you significantly reduce the odds of getting hacked, no security solution is 100% foolproof. Consequently, you should back up your website data on a regular basis.

iThemes Security features the ability to back up your WordPress tables on a scheduled basis. They also offer a paid service called BackupBuddy that will back up your entire website for a modest yearly fee. Alternatively, UpdraftPlus is a popular free solution with the option of paying for additional features.

No one plans on their server crashing or their site being hacked, but it can and does happen. By making sure you have a backup in place you will be prepared for this worst-case scenario.


Security probably wasn’t a high priority for that poor soul whose account was decimated by a hacker. But I’m willing to bet it is now. Don’t wait until someone ransacks your hard work to protect your data. By implementing these relatively painless steps, you can prevent needless hours of misery and gain some well-earned peace of mind: your site has yanked back that red carpet and torn down the neon sign for good.

Sarah holds a B.S. in Information Science and worked in the corporate world as a software engineer for 12 years before striking out as a freelance WordPress web developer in 2013. When she is not furiously coding away, she can be found outdoors exploring Florida's natural beauty with a camera in hand.