WordPress – Popular with hackers

WordPress is the most common software used to create a website, powering roughly 40% of all websites in existence. It stands to reason that it is also targeted by hackers, as their time and effort can go a long way when there are lots of potential targets.

Most security problems don’t stem from WordPress itself (the core) but from themes or plugins written to work with it. Fortunately, there are a number of simple things you can do to help protect your website, and here are the first 6 of our 18 tips.

1. Backup, backup, backup

No matter what precautions you take, there is always a chance someone will be able to break in to your website; that’s why we’ve put backups at number one in our list. Without good backups, if someone does hack your site you may struggle to recover from it.

If your web host does backups every hour, that’s great, but you should never rely just on a single backup copy or method.  We’d always recommend you take your own backups manually as well – or regularly download the backups your provider makes for you.

2. Change your username

Don’t rely on defaults such as admin, or your actual name, for your username. Ideally pick something a bit random and, like your passwords, don’t use it elsewhere and store it in a password manager.

Once you’ve picked your username you’ll want to make sure WordPress isn’t setting it as your real name and display name by going to the Users menu in the WordPress admin area and clicking through to your user.


If your WordPress was set up some time ago and you need to change your username, you’ll need to use a plugin such as Easy Username Updater, as WordPress doesn’t allow you to change a username from the admin area. As always, make sure you’ve got a backup first!

3. Set good passwords

Our number one recommendation when it comes to passwords is to use a password manager to both generate and store your passwords. If you don’t want to use a password manager then we’d recommend using a password phrase: pick 4 random words from a dictionary, form them in to something you’ll remember, and don’t use it anywhere else.

 Password strength, courtesy of XKCD.com


4. Block multiple login attempts

With so many large-scale data breaches these days, hackers have a vast collection of usernames, email addresses and passwords at their disposal to try out on other websites; this is called credential stuffing. They’ll try lots of different username and password combinations, often from multiple computers in their “botnet”.

WordPress doesn’t offer any protection against this as standard, so you’re going to either need protection in place with your hosting provider or to install a plugin such as Wordfence or All In One WP Security and Firewall to take care of it for you.  The free versions of both offer quite extensive functionality for protecting your WordPress site(s) and can take care of some of the other issues we’ll be mentioning as well.

5. Remove unused plugins and themes

Over time it can be easy to accumulate themes and plugins in WordPress, but the more plugins and themes you have installed, the more chances there are for your site to be compromised: you have a larger “attack surface”.

  1. Deactivate any plugins you’re not using
  2. Uninstall plugins not activated
  3. Uninstall unused themes
    1. If you’re using a child theme, don’t delete the parent!

Not only will this help make your site more secure, it may even speed it up as well.

6. Stop malware in your uploads directory

Often hackers will find ways to upload their own code to your website, through security issues with themes or plugins. The most common type of code uploaded is known as a backdoor, and just as you’d guess, it gives the hackers a backdoor in to your website and hosting. They’ll be able to run whatever code they want on your hosting, peek at your configuration files and look at your databases etc.

We can take steps to help prevent this, by stopping them from running their code inside the uploads directory. You’ll usually see it recommended to just block PHP files, but as most hosting supports different programming languages we’d recommend blocking a few more as well. There are two approaches to this:

  1. Block everything and only allow through what you need
  2. Allow everything through except what you blocked

i. Block everything

This is our personal preferred method, but it can cause some unexpected problems unless you test carefully.  We’d recommend testing it first on a development copy of your website, and that you also document it so when you need to use a new file type in the future you allow it through.

In your wp-content/uploads directory create a file called .htaccess if it doesn’t exist already. Inside the file you’ll need to add:



What this code does is:

  1. Match all files inside the directory
  2. Deny access to all those files
  3. Match all files that end with any of:
    1. .jpeg
    2. .jpg
    3. .gif
    4. .png
    5. .svg
    6. .webp
  4. Allow access to those matching files
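
A configuration that follows the four steps above, added here as an example rather than the original page’s snippet. It assumes Apache 2.4 (Require syntax) and a host whose AllowOverride setting permits authorization directives in .htaccess.

```apache
# wp-content/uploads/.htaccess  (added example; assumes Apache 2.4)

# Steps 1-2: match every file in this directory and deny access to it.
<FilesMatch ".*">
    Require all denied
</FilesMatch>

# Steps 3-4: re-allow only files whose names END in an image extension.
# This later section overrides the deny above for matching files.
# The trailing $ anchors the match to the end of the filename, so
# "photo.jpg" is allowed but "photo.jpg.php" stays denied.
<FilesMatch "\.(jpeg|jpg|gif|png|svg|webp)$">
    Require all granted
</FilesMatch>

# To also allow PDF files, add pdf to the list in the second FilesMatch:
#   <FilesMatch "\.(jpeg|jpg|gif|png|svg|webp|pdf)$">

# The match is case-sensitive: "photo.JPG" would be denied. Prefix the
# pattern with (?i) if uploads with upper-case extensions must be served.
```

After deploying on a development copy, request an existing image and a harmless test .php file under wp-content/uploads and confirm the image loads while the .php file returns 403 Forbidden.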

This means that any .php files will have access denied to them, as will any .pdf files etc. If you wanted to allow PDF files you can change the 2nd FilesMatch to:



One of the most important aspects is the $ in the FilesMatch. This means that we’re matching at the end of the filename: not at the start or in the middle, but only at the end.

ii. Block what you don’t want

This is safer to implement as it only blocks things you know you don’t want, but we’d still recommend testing on a development copy of your site.

In your wp-content/uploads directory create a file called .htaccess if it doesn’t exist already. Inside the file you’ll need to add:



This will block access to any files that end with .php (PHP), .pl (Perl), .sh (Shell Script) or .py (Python) and if they can’t be accessed, they can’t be run.
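
A deny-list configuration matching the description above, added here as an example rather than the original page’s snippet, again assuming Apache 2.4 with .htaccess overrides enabled.

```apache
# wp-content/uploads/.htaccess  (added example; assumes Apache 2.4)

# Deny any file whose name ends in .php, .pl, .sh or .py.
# Everything else in the directory is still served as normal.
<FilesMatch "\.(php|pl|sh|py)$">
    Require all denied
</FilesMatch>

# A deny list only covers what is listed. Which extensions the server
# will actually execute depends on its handler configuration, so check
# that with your host and extend the list if others are mapped to an
# interpreter.
```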

Part 2

That’s it for part one, please keep an eye on our socials for Part 2 and 3 and remember, backup your website.