
How to Protect Your Website From Hackers (16 Expert Tips) 

Written By: Joella Dunn
Joella is a writer with years of experience in WordPress. At Duplicator, she specializes in site maintenance — from basic backups to large-scale migrations. Her ultimate goal is to make sure your WordPress website is safe and ready for growth.
Reviewed By: John Turner
John Turner is the President of Duplicator. He has over 20 years of business and development experience, and his plugins have been downloaded over 25 million times.

Want to learn how to protect your website from hackers?

If your website is vulnerable, hackers and cyberattacks may compromise your data and harm your reputation. Fortunately, there are many ways to prevent potential security breaches.

In this tutorial, we’ll show you how to protect your website from hackers!

How Do Most Websites Get Hacked?

Before you start protecting your website, you’ll need to understand the enemy’s tactics. Websites are often hacked due to outdated software, weak passwords, unpatched vulnerabilities, and poor security practices. 

Any website can be vulnerable to a cyber attack. WordPress is the most popular Content Management System (CMS), making it a popular target for malicious activity.

For more explanation, read our post answering the question: Is WordPress Secure?

Here are the most common ways hackers gain access to a website:

  • Weak passwords
  • Incorrect file permissions
  • Insecure web hosting
  • Outdated versions of WordPress, plugins, or themes

If you don’t fix these security vulnerabilities, you could be the victim of brute force attacks, SQL injections, social engineering, cross-site scripting (XSS), ransomware, and other hacking attempts. As a result, you could get security issues like malware, malicious code, and data breaches that leak sensitive information. 

Can a Website Be Hack Proof?

There’s no way to guarantee that your website will never be hacked. However, you can address many vulnerabilities and significantly reduce the risk of a successful cyberattack.

Using good security practices, you can minimize the possibility of a breach and enhance your website’s overall security. You’ll make your website an incredibly challenging target for hackers. 

How to Protect Your Website From Hackers (16 Expert Tips)

As a website owner, you’ll want to protect your website from hackers. However, you might not know how to do this. To prevent your sensitive data from being leaked, we’ve gathered some helpful security tips!

1. Back Up Your WordPress Website

One of the best ways to protect your website from hackers is to regularly back it up. This involves saving a functional copy of your WordPress files and database. 

If you back up your website frequently, you’ll be able to restore your data after a cyber attack. You won’t have to worry about removing malware since your site will revert to how it was before the hack.

To get started, we’d recommend installing a WordPress backup plugin. A tool like Duplicator allows you to easily create backups of your entire site and restore them whenever you need to.

Duplicator plugin

All you’ll need to do is create a new package. Give it a unique name and make sure all your files and database tables are included:

Duplicator custom package components

Then, you can download the package (or backup). Save this in a safe location so you always have your backup files on hand.

If you don’t want to worry about manual backups, you can set up automatic backups. By creating a new schedule, you’ll make sure your website is backed up every hour, day, week, or month:

Duplicator automatic backup schedule

2. Have a Disaster Recovery Plan

Just in case you ever get hacked, you’ll want to have a disaster recovery plan in place. Before an incident happens, you can set a recent backup as the disaster recovery point.

In your Duplicator backup log, click on the blue disaster recovery icon:

Duplicator disaster recovery

Then, set disaster recovery:

Set Disaster Recovery

Once you do this, you can recover a backup two different ways. One option is to copy and save the disaster recovery link. Pasting this in a browser window will immediately launch the recovery wizard.

Disaster recovery link

You can also download the recovery launcher. Save this HTML file, and open it whenever you need to recover your site.

Disaster recovery

Disaster recovery can be a good option to resolve hacks, especially if you’re locked out of your WordPress dashboard. Simply paste the recovery link or use the recovery launcher to immediately regain access.

If you can still log into WordPress, you can restore your original site with one click. Go to the Packages page, find a clean backup, and hit Restore:

Duplicator restore button

By restoring a backup, you’ll automatically remove any malicious activity that happened after you created the backup. However, continue to read this guide to boost your security and avoid future hacking attempts.

Your site just got hacked, but you forgot to set disaster recovery! You don’t have a backup, so what do you do? Here’s how to restore your site without a backup.

3. Don’t Forget Updates

Updating your website’s software – including themes, plugins, and the WordPress core – is an important part of website security. Hackers often exploit known vulnerabilities in outdated software. 

By keeping everything up-to-date, you get rid of potential entry points for cyberattacks. Software updates often come with security patches, which will add extra protection to your website.

You can manage your software updates on the Updates page of your WordPress dashboard. You’ll see any new versions of WordPress core, plugins, and themes:

Update WordPress software

Are you worried that an update will make your site crash? Go ahead and do it, because you can easily downgrade your WordPress version after a bad update.

4. Delete Inactive or Unused Software

Along with keeping your software up to date, it’s important to delete any plugins and themes you’re not actively using. 

Vulnerabilities in outdated plugins can be exploited to compromise your website’s security. This could potentially lead to data breaches, unauthorized access, and even malware distribution.

By removing unused plugins, you minimize potential security risks and create a better defense against cybersecurity threats.

5. Use Strong Passwords

Your first line of defense against hackers is a strong password. You might be tempted to choose a simple and short password because it’s memorable, but this can leave your site vulnerable.

Fortunately, WordPress makes it easy to use a strong admin password. As you’re changing your password, WordPress will automatically generate one with a unique combination of letters, numbers, and special characters:

New WordPress password

We’d recommend using a password manager to store your passwords safely. To make sure no one else knows your admin credentials, you should also give your team members their own user roles and permissions. 

Keep in mind that you’ll also need strong passwords for your hosting control panel, FTP account, and email address. This way, hackers won’t be able to enter and exploit any of your accounts. 

6. Change Your Admin Username

WordPress used to automatically assign “admin” as your default username. Thankfully, it now allows you to choose a custom username.

If your site has existed for a while, you might still be logging in with “admin” as your username. This can make it easier for hackers to exploit your website, since “admin” will be one of their first guesses.

You may also have an “admin” username if you used the one-click install feature from your web host. In this case, you’ll want to change your WordPress username to secure your website. 

7. Select a Secure WordPress Hosting Provider

Your web hosting provider can make or break your website. With the wrong choice, you may not have enough security precautions to protect your website from hackers.

Here are some essential security features that should be provided by your WordPress hosting plan:

  • Continuous network monitoring for suspicious activity
  • Tools to prevent DDoS attacks
  • Up-to-date web server software, PHP version, and hardware
  • Disaster recovery plan

If you just started a small blog, you might have picked a shared hosting plan because of its affordability. However, you’ll share resources with many other websites. This means that if another site on your server is hacked, your data might be at risk.

To boost your security, we’d recommend moving to a new web host. Options like Bluehost, SiteGround, and Hostinger all have high-quality security features in place to prevent hacks and other cyber attacks.

You might also want to consider a managed hosting provider like WP Engine. This often provides a more secure platform with firewalls, SSL certificates, automatic backups, and automatic updates. 

Ready to make the move to a more secure hosting provider? Read our tutorial on how to move a WordPress website to a new host!

8. Install a Security Plugin

Along with a good web host, you’ll need to install a WordPress security plugin. These website security tools can detect and thwart malicious activities, provide firewall protection, and even perform malware scans.

One of the best security plugins available today is Sucuri Security. There is a free version that offers malware scanning, blocklist monitoring, security hardening, and actions for after your site gets hacked.

Sucuri Security plugin

After installing Sucuri, all you’ll need to do is open the settings and find the Hardening option. Here, you can go through the list of security features and hit Apply Hardening next to each one:

Sucuri security hardening

This will protect your website against common hacking techniques. However, keep in mind that you’ll have to upgrade to the premium version to access the Web Application Firewall (WAF).  

9. Have a Web Application Firewall

A Web Application Firewall (WAF) is a powerful security tool designed to shield websites from a wide range of cyber threats and attacks. A firewall filters incoming and outgoing traffic, blocking malicious requests, unauthorized access attempts, and suspicious activities. 

As we mentioned earlier, Sucuri is a comprehensive security plugin that comes with a firewall. This security feature is so useful that it helped WPBeginner block 450,000 hacks in just 3 months.

Boost your WordPress security with Sucuri’s firewall today!

10. Use SSL Encryption

SSL (Secure Sockets Layer) is an encryption protocol that secures the transfer of data between your website and a web browser. It ensures that data exchanged between these two points remains confidential and protected from unauthorized parties like hackers.

For a WordPress website, SSL encryption is not just a luxury; it’s a necessity.

This security precaution makes it nearly impossible for hackers to intercept sensitive information like passwords, credit card details, and personal data. It’s important for websites that handle user registrations, login credentials, or e-commerce transactions.

Once you enable SSL encryption, your website will use HTTPS instead of HTTP. You’ll also see a padlock next to your web address, telling visitors that your site is secure.

SSL certificate prices used to range from 80 to hundreds of dollars a year. However, a non-profit called Let’s Encrypt started providing free options. This led to web hosting companies including SSL certificates in their plans.

If you need to start using SSL, check to see if your host offers one for free. If not, you can buy one from Domain.com.

11. Scan For Malware

Once you have a security plugin installed, it will regularly scan your website for malware and send you a notification if it finds any. However, you might notice a drop in organic traffic or SEO ranking and want to check for malware yourself.

Your security plugin will usually allow you to start a new malware scan. Alternatively, you can use an online malware scanner.

Using a tool like Sucuri’s malware scanner, you can enter your website’s URL. Then, it will inform you if it detected malware or if you’ve been blacklisted by search engines.

Sucuri malware scanner

This allows you to check your WordPress security for free at any time. If Sucuri notices any malware, you can start cleaning up your site or restore an error-free backup. 

12. Limit Login Attempts

Another thing you can do to protect your website from hackers is to limit login attempts. This security measure will prevent brute force attacks, a form of hacking where a bot will guess passwords until your site is breached.

By default, WordPress allows unlimited login attempts. However, you can easily set a limit with the Limit Login Attempts Reloaded plugin. This free tool will block any IP addresses that try to log into your website too many times:

Limit Login Attempts Reloaded plugin

For more details about this process, check out this helpful guide on how to limit login attempts in WordPress.
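As an added example (not from the original post or from the plugin), here is how the brute-force pattern that such a plugin reacts to shows up in an ordinary web-server access log. The log lines are constructed and the five-failure threshold is an assumption.

```python
"""Detect WordPress login brute forcing in a combined-format access log.

Added example, not part of the original post. A failed POST to wp-login.php
is answered with HTTP 200 (the form is re-rendered) and a successful one with
a 302 redirect, so many 200-status POSTs from one IP are the signature that
Limit Login Attempts Reloaded reacts to. Sample log lines are constructed.
"""
import re
from collections import Counter

# client IP, timestamp, request line and status code of a combined-format entry
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one IP fails five times, another fails once then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:12:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:12:05:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:12:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:12:06:00 +0000] "GET /index.php HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return ip/method/path/status for one entry, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def failed_logins(lines):
    """Count failed login POSTs (wp-login.php answered with 200) per client IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == 200:
            counts[rec["ip"]] += 1
    return counts

def flag_brute_force(lines, threshold=5):
    """IPs with at least `threshold` failed logins in the analysed log slice."""
    return sorted(ip for ip, n in failed_logins(lines).items() if n >= threshold)
```

Running flag_brute_force(SAMPLE_LOG.splitlines()) on the constructed sample returns only the IP that failed five times; the IP that failed once and then received a 302 is not flagged.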

13. Add Two-Factor Authentication

Two-factor authentication (2FA) adds an extra layer of security to WordPress logins. Users must provide a second piece of information, such as a code sent to their phone, in addition to their password.

The easiest way to set up 2FA is to install a plugin like WP 2FA. You can use this to enable two-factor authentication for every user who tries to get into your WordPress site:

WP 2FA plugin

To see step-by-step instructions, check out this tutorial on how to add two-factor authentication to your WordPress site!

14. Hide Your Login Page

Most WordPress websites use a login URL that ends with wp-admin or wp-login. Since WordPress is the most popular CMS, hackers will know how to view your login page and start trying to break into your site.

To add an extra layer of security, you could hide your WordPress login page. This involves using a custom login URL instead of the default options.

With the WPS Hide Login plugin, you’ll be able to easily update your login URL. It makes your wp-login.php page inaccessible and redirects to your custom login URL instead.

WPS Hide Login plugin

Need help hiding your login page? Here’s how to add a custom login URL in WordPress.

15. Disable File Editing

In your WordPress dashboard, you’ll see built-in code editors to edit your theme and plugin files. If a hacker accesses your admin area, they could use these editors to harm your website.

To prevent this from happening, consider turning off this feature. All you’ll need to do is add this code to your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

If you installed Sucuri, you can also turn off file editing in the security hardening settings. This will prevent any unauthorized users from editing your site files!

16. Disable PHP File Execution

One way hackers could exploit your website is by uploading a PHP file to a directory and then executing it. Since WordPress makes some directories writable, this feature could be abused by malicious users.

Fortunately, you can disable PHP file execution for any directories that don't need it. This prevents any PHP files from being run in those specific directories.

To do this, open a text editor and add this code (Apache 2.4 syntax; on an older Apache 2.2 server, use "deny from all" in place of "Require all denied"):

# Block web access to any PHP file in this directory
<Files *.php>
    Require all denied
</Files>

Save this file as .htaccess and upload it to your uploads folder.

For a full step-by-step guide on this process, you may like this post on how to disable PHP execution in certain WordPress directories.

Keep in mind that Sucuri can help you disable the WordPress file editors in one click. This can be a good alternative for beginners. 
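The .htaccess rule stops the server from running PHP in the uploads folder; as an added example (not from the original post or from Sucuri), this Python check finds PHP that has already been planted there, flagging PHP extensions, double extensions, and PHP open tags inside files of any name. The directory tree and file contents in demo() are constructed.

```python
"""Report PHP code sitting in the WordPress uploads directory.

Added example, not part of the original post. The .htaccess rule stops the
web server from executing PHP in the uploads folder; this check looks for PHP
that has already landed there, which on a media-only directory is a strong sign
of writable-directory abuse. It flags both file names (including double
extensions such as photo.php.jpg) and PHP open tags inside any file. The
directory tree built in demo() is constructed for the demonstration.
"""
import os
import re
import tempfile

PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=")

def suspicious_name(filename):
    """True if any extension component of the name (after the first dot) is PHP."""
    parts = filename.lower().split(".")
    return any(p in PHP_EXTENSIONS for p in parts[1:])

def contains_php_tag(path, max_bytes=1 << 20):
    """True if the first max_bytes of the file contain a PHP open tag."""
    with open(path, "rb") as f:
        return PHP_TAG_RE.search(f.read(max_bytes)) is not None

def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if suspicious_name(name):
                findings.append((rel, "php-extension"))
            elif contains_php_tag(full):
                findings.append((rel, "php-tag-in-content"))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree (one clean image, two planted files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2024", "05")
        os.makedirs(month)
        with open(os.path.join(month, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        with open(os.path.join(month, "avatar.php.jpg"), "wb") as f:  # double extension
            f.write(b"GIF89a <?php echo 'planted'; ?>")
        with open(os.path.join(month, "readme.txt"), "wb") as f:  # PHP tag in a non-PHP name
            f.write(b"<?php echo 'planted'; ?>")
        return scan_uploads(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:20} {path}")
```

Point scan_uploads() at your real wp-content/uploads directory to get the same (path, reason) list; the clean image in demo() produces no finding.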

FAQs About Protecting Your Website from Hackers

How can I make my website safer?

You can make your website safer by creating regular backups, performing updates, using strong passwords, and installing security plugins. This will significantly enhance your website’s safety.

Can a hacked website be recovered?

Yes, a hacked website can be recovered. Be sure to install a backup plugin like Duplicator Pro and create routine backups of your site. After you set the most recent error-free backup as the recovery point, paste the recovery point URL in a browser window. You can then use the Duplicator recovery wizard to roll back your site. 

Tip: If you didn’t set a recovery point before you got hacked, don’t worry! Find the most recent backup files that you downloaded to your computer or saved to the cloud. Then, use an FTP client or file manager to re-upload these files to your site.

How do I know if my website has been hacked?

Your website might have been hacked if you’re seeing unusual or unauthorized changes, such as new pages, unfamiliar code, unexpected redirects, or unwanted ads. You may also get alerts from your hosting provider, security plugin, or Google. 

How do I check my website security?

You can check your website security by conducting a scan with a WordPress security plugin. Alternatively, a third-party malware scanner can help you identify any cybersecurity threats. 

Conclusion

By now, you’ll have a full understanding of how to protect your website from hackers!


Are you ready to protect your website against future hacking attempts? Download Duplicator Pro to save regular backups and easily roll back your site whenever you need to!


Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. We only recommend products that we believe will add value to our readers.