How to Secure WordPress Website from Hackers: Just 8 Steps
Hi, My name’s Likhon Hussain. I work at HostGet Cloud Computing as a Senior Operations Executive, dealing with cloud engineering and SaaS stuff. Last Tuesday, I got a call at 2 AM from a client whose WordPress site got completely trashed by hackers. Everything was gone. Their whole online store, customer data, years of content – wiped out.
The worst part? It could’ve been avoided with like 20 minutes of setup work. So yeah, I’m writing this because I’m tired of seeing good people lose everything. WordPress security isn’t complicated, but most people just… don’t do it. Then they call me crying at 2 AM.
Why Hackers Keep Attacking WordPress Sites
WordPress runs about 43% of the internet. That’s a LOT of websites. For hackers, that’s basically an all-you-can-eat buffet.
Every WordPress site has the same login page – /wp-login.php. You don’t need to be some genius hacker to find it. My 12-year-old nephew could find it. And once they find it, they start trying passwords. Lots of passwords. Like, thousands per minute.
I’ve watched these attacks happen in real-time on our servers at HostGet. It’s actually crazy how fast they work. One bot tried 50,000 different passwords in under an hour on a client’s site last month.
What Actually Happens When Your Site Gets Hacked
Let me tell you about Sarah. She ran a small jewelry business, real nice person. Used “Sarah2023” as her WordPress password because she thought nobody would guess it.
They guessed it in 4 minutes.
Here’s what the hackers did:
- Installed malware that kept coming back even after we cleaned it
- Stole her entire customer email list (sold it, probably)
- Put up spam pages selling fake designer bags
- Got her site blacklisted by Google
- Her hosting company suspended the whole site
Took us three weeks to fully clean everything up. She lost about $15,000 in sales during that time.
The thing is, Google doesn’t mess around. When they flag your site as hacked, they put a big red warning that says “THIS SITE MAY HARM YOUR COMPUTER.” Nobody’s clicking through that. Your traffic drops to basically zero overnight.
Step 1: Fix Your Passwords (Seriously, Right Now)
I’m just gonna say it – most people’s passwords suck. “Password123” is not a password. Neither is your kid’s name plus your birth year.
You need something that looks like this: mK9$vL2#nP8@qR5
“But Likhon, I can’t remember that!”
You’re not supposed to. That’s what password managers are for.
I use Bitwarden. It costs me $10 a year. That’s less than a pizza. It generates crazy random passwords for everything and remembers them for me. My WordPress password is 25 characters of complete nonsense, and I have no idea what it is. Bitwarden does.
Here’s the other thing – use different passwords for EVERYTHING. I know it’s annoying. Do it anyway.
Last year, someone hacked a random cooking forum. Sounds harmless, right? Well, turns out 300 people used the same password for that forum and their WordPress sites. All 300 sites got hacked within a week.
Step 2: Stop the Bots From Trying Forever
WordPress has this really dumb default setting. It lets anyone try logging in as many times as they want. Forever. No limit.
That’s insane.
I set up limits on every single site I touch. After 5 wrong tries, you’re locked out for 15 minutes. Real users might forget their password once or twice. Nobody needs 500 attempts.
The bots that try to hack your site? They NEED those unlimited attempts. Cut them off, and most of them just leave.
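The lockout policy from this step (5 wrong tries, then a 15-minute timeout) written out as working logic. This is an added reference example, not code from the article or from Solid Security or Wordfence; a real site gets this from one of those plugins rather than from hand-written code. The client IP is the key here, and the timestamps, the bot's IP (203.0.113.7) and the 15-minute counting window are assumptions made for the demo.

```python
"""Login-attempt throttle: after MAX_ATTEMPTS failures from one source,
refuse further logins for LOCKOUT_SECONDS. Added example, not the article's
or any plugin's code."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ATTEMPTS = 5            # failures allowed before the lockout kicks in
LOCKOUT_SECONDS = 15 * 60   # how long a locked-out source has to wait
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count (assumed)


@dataclass
class _Record:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                            # 0.0 means not locked


class LoginThrottle:
    """Tracks failed logins per key (the client IP here) and enforces the lockout."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 lockout: int = LOCKOUT_SECONDS, window: int = WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.window = window
        self._records: Dict[str, _Record] = {}

    def _rec(self, key: str) -> _Record:
        return self._records.setdefault(key, _Record())

    def is_locked(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._rec(key).locked_until > now

    def seconds_remaining(self, key: str, now: Optional[float] = None) -> int:
        now = time.time() if now is None else now
        return max(0, int(self._rec(key).locked_until - now))

    def record_failure(self, key: str, now: Optional[float] = None) -> bool:
        """Call after a wrong password. Returns True if the key is now locked."""
        now = time.time() if now is None else now
        rec = self._rec(key)
        # Forget failures outside the window, so a user who fumbled twice
        # this morning is not still one step from lockout tonight.
        rec.failures = [t for t in rec.failures if now - t < self.window]
        rec.failures.append(now)
        if len(rec.failures) >= self.max_attempts:
            rec.locked_until = now + self.lockout
            rec.failures = []
            return True
        return False

    def record_success(self, key: str) -> None:
        """A correct login clears the failure count for that key."""
        self._records.pop(key, None)

    def attempt_login(self, key: str, password_ok: bool,
                      now: Optional[float] = None) -> str:
        """Gate a login handler would call. Returns 'locked', 'ok' or 'denied'.
        A locked source is refused before the password is even checked, so the
        bot learns nothing while it waits."""
        now = time.time() if now is None else now
        if self.is_locked(key, now):
            return "locked"
        if password_ok:
            self.record_success(key)
            return "ok"
        self.record_failure(key, now)
        return "denied"


def simulate_bot(throttle: LoginThrottle, ip: str = "203.0.113.7",
                 guesses: int = 50, start: float = 1_000_000.0) -> int:
    """Constructed scenario: a bot fires 50 wrong passwords one second apart.
    Returns how many guesses were actually checked against the password."""
    evaluated = 0
    for i in range(guesses):
        if throttle.attempt_login(ip, password_ok=False, now=start + i) == "denied":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    t = LoginThrottle()
    print("guesses the bot got to test:", simulate_bot(t))   # 5 of 50
    print("seconds until it may try again:", t.seconds_remaining("203.0.113.7", now=1_000_005.0))
```

Of the bot's 50 guesses only the first 5 are ever compared with the real password; the other 45 are turned away at the door. The success path clears the counter, so a legitimate user who mistypes twice and then gets it right starts from zero next time.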
Step 3: Two-Factor Authentication (The Thing That Actually Works)
You know how your bank texts you a code? That’s 2FA. And it works incredibly well. I started forcing all our clients to use 2FA about two years ago. Guess how many of those sites got hacked since then? Zero.
Even if someone somehow steals your password (maybe you wrote it on a sticky note like my dad does), they still can’t get in without that code from your phone.
Setting it up takes maybe 5 minutes. Most security plugins have it built in. Solid Security does it. So does Wordfence. Pick one and turn it on.
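What that six-digit code from the phone actually is, and why a stolen password on its own does not get anyone in: the app and the site share a secret and both compute the same code from the current time (TOTP, RFC 6238, built on HOTP, RFC 4226). This is an added example using only the Python standard library; it is not the article's code and not how Solid Security or Wordfence implement their 2FA internally. The one-step clock-drift tolerance and the 160-bit secret size are assumptions.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226): how an authenticator code is produced
and checked. Added example, not code from the article or any plugin."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30   # the code changes every 30 seconds
DIGITS = 6          # length of the code shown on the phone
DRIFT_STEPS = 1     # also accept the previous/next code to tolerate clock skew (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at: Optional[float] = None) -> bool:
    """Accept the code for the current step and its DRIFT_STEPS neighbours.
    Constant-time comparison, so a wrong guess cannot be refined via timing."""
    at = time.time() if at is None else at
    step = int(at) // STEP_SECONDS
    submitted = submitted.strip().replace(" ", "")
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1))


def new_secret() -> Tuple[bytes, str]:
    """Fresh 160-bit shared secret. The base32 form is what goes into the QR
    code the authenticator app scans at enrolment."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode().rstrip("=")


def login(password_ok: bool, secret: bytes, code: str,
          at: Optional[float] = None) -> bool:
    """The second factor is required even when the password is right, so the
    sticky-note password on its own is not enough."""
    return password_ok and verify_totp(secret, code, at)


if __name__ == "__main__":
    # The RFC 6238 test secret; at t=59 the published 8-digit code is 94287082,
    # so the 6-digit version shown on a phone would be 287082.
    rfc_secret = b"12345678901234567890"
    print("code at t=59:", totp(rfc_secret, at=59))
    print("right password, wrong code:", login(True, rfc_secret, "000000", at=59))
    print("right password, right code:", login(True, rfc_secret, "287082", at=59))
```

A code is only good for its 30-second step (plus one step either side for clock drift), so even a code the attacker manages to see is worthless a minute later; the shared secret never leaves the server and the phone.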
Step 4: Add Those Annoying CAPTCHA Things
Yeah, clicking on fire hydrants is annoying. Know what’s more annoying? Having your website deleted by a bot.
CAPTCHAs stop automated attacks cold. The bots can’t solve them, so they just bounce off your login page like tennis balls.
I add CAPTCHA to:
- Login page
- Registration forms
- Contact forms
- Anywhere someone can submit something
Modern CAPTCHAs are actually pretty smart. Sometimes they don’t even need you to click anything – they just watch how you move your mouse and know you’re human.
Step 5: Keep Everything Updated (I Know You’re Not Doing This)
WordPress sends you update notifications. Those little red numbers. And you ignore them because updates are scary and might break something. I get it. But outdated plugins are literally the #1 way hackers break into sites.
Every week, some plugin has a security hole discovered. The developer fixes it immediately. But if you don’t update, that hole stays open.
Set a reminder on your phone. Every Sunday morning, spend 15 minutes updating your stuff. If you’re really worried about breaking things, get a staging site to test updates first. But seriously, do the updates.
Step 6: Watch What’s Happening on Your Site
I check my security logs every morning with coffee. Takes me 60 seconds. I just want to see if anyone’s trying anything sketchy.
Most security plugins show you this stuff on a dashboard. Failed login attempts, suspicious IP addresses, weird file changes – it’s all there.
You don’t need to be paranoid about it. But you should at least KNOW if someone’s knocking on your door.
Last month, I noticed someone from Russia tried logging into a client’s site 847 times in one day. Banned that IP address, problem solved. But I only knew about it because I was checking the logs.
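The morning log check as a script, for anyone whose security plugin does not summarise this or who wants to see it straight from the web server. This is an added example, not the article's code and not the output of any plugin: it reads the standard Apache/Nginx "combined" access-log format, counts POSTs to /wp-login.php per source IP per day, and flags anything over a threshold. The threshold of 20, the RFC 5737 documentation addresses and the log lines themselves are constructed for the demo; the 847-attempt bot mirrors the count in the story above. One real detail it relies on: a failed WordPress login re-renders the form with HTTP 200, while a successful one redirects with HTTP 302.

```python
"""Flag brute-force login activity in a web server access log.
Added example; log lines below are constructed, not real traffic."""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

LOGIN_PATH = "/wp-login.php"
THRESHOLD = 20   # login POSTs from one IP in one day worth a look (assumed)

# Apache/Nginx combined format:
# ip - user [day/Mon/year:HH:MM:SS zone] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def login_posts(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (day, ip, status) for every POST to the login page."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == LOGIN_PATH:
            yield rec["day"], rec["ip"], int(rec["status"])


def suspicious_ips(lines: Iterable[str], threshold: int = THRESHOLD) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Sources with at least `threshold` login POSTs in a day, with how many of
    those got a 302 (a successful login). A 302 after a burst of 200s from the
    same address is the line that needs action, not just a ban."""
    attempts: Counter = Counter()
    successes: Counter = Counter()
    for day, ip, status in login_posts(lines):
        attempts[(day, ip)] += 1
        if status == 302:
            successes[(day, ip)] += 1
    return {k: {"attempts": n, "successes": successes[k]}
            for k, n in attempts.items() if n >= threshold}


def report(lines: Iterable[str], threshold: int = THRESHOLD) -> List[str]:
    """One human-readable line per flagged source."""
    out = []
    for (day, ip), info in sorted(suspicious_ips(lines, threshold).items()):
        verdict = "GOT IN" if info["successes"] else "all failed"
        out.append(f"{day} {ip}: {info['attempts']} login POSTs, {verdict}")
    return out


def _line(ip: str, day: str, hms: str, method: str, path: str, status: int) -> str:
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{day}:{hms} +0000] "{method} {path} HTTP/1.1" {status} 1234 '
            f'"-" "Mozilla/5.0"')


DAY = "03/Mar/2025"
SAMPLE_LOG: List[str] = (
    # an editor logging in normally: one GET of the form, one POST that redirects
    [_line("192.0.2.10", DAY, "08:15:02", "GET", LOGIN_PATH, 200),
     _line("192.0.2.10", DAY, "08:15:20", "POST", LOGIN_PATH, 302),
     _line("192.0.2.44", DAY, "09:01:11", "GET", "/index.php", 200)]
    # a bot hammering the form 847 times overnight, every one a failure
    + [_line("198.51.100.23", DAY, f"02:{i // 60:02d}:{i % 60:02d}", "POST", LOGIN_PATH, 200)
       for i in range(847)]
    # a second bot: 24 failures, then a 302, i.e. it guessed right
    + [_line("198.51.100.77", DAY, f"04:10:{i:02d}", "POST", LOGIN_PATH, 200) for i in range(24)]
    + [_line("198.51.100.77", DAY, "04:10:24", "POST", LOGIN_PATH, 302)]
)

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

On the constructed sample the editor's single login stays below the threshold, the first bot shows up as 847 failed POSTs (ban the address), and the second bot shows 25 POSTs with one success, which is the case where banning is not enough: that account's password needs changing and the site needs a malware scan.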
Step 7: Use Actual Security Plugins (Not the Sketchy Free Ones)
There are a million WordPress security plugins. Most of them are garbage.
Here’s what I actually use and trust:
Solid Security – This is my main one. Does pretty much everything you need. Free version works fine, but I usually spring for the paid version.
Wordfence – Another solid option. Good firewall, scans for malware, does 2FA.
Cloudflare – Not exactly a plugin, but their free plan blocks a ton of garbage before it even hits your server.
Don’t install like 10 different security plugins. Pick one or two good ones. More plugins means more things that can break.
Step 8: Backups (For When Everything Else Fails)
Even with perfect security, things can still go wrong. Server crashes, plugin conflicts, your own mistakes – stuff happens. I run automatic daily backups on everything. Every single site. No exceptions.
UpdraftPlus is good. BackupBuddy works. Your hosting company probably offers backups too (we do at HostGet, but don’t rely ONLY on that).
Store your backups somewhere else. Not just on your server. If your server gets compromised or crashes, you need those backups to be safe somewhere else.
The Stuff You Shouldn’t Waste Time On
Some people try to “hide” their WordPress login page by changing the URL. Waste of time. Real attackers can still find it. You’re just making your own life harder.
Don’t use “admin” as your username. That’s like using “password” as your password. Just don’t.
Don’t think your site’s too small for hackers to care about. They don’t care how small you are. Bots attack EVERYTHING. Your mom’s recipe blog is just as much a target as Amazon.
My Quick Checklist (Do This Today)
If you do nothing else, do these five things RIGHT NOW:
- Change your password to something actually strong
- Install Solid Security or Wordfence
- Turn on two-factor authentication
- Limit login attempts to 5 tries
- Set up automatic backups
That’s it. Takes less than an hour total. And you’ll sleep better.
Real Talk About WordPress Security
I’ve been doing this for years now. Between my work in cloud engineering, AI/ML stuff, and managing operations at HostGet, I’ve seen every kind of hack you can imagine. The thing that gets me is how preventable most of them are. Like 90% of the hacks I deal with could’ve been stopped by a strong password and 2FA.
People just don’t think it’ll happen to them. Until it does. Then they’re calling me at 2 AM panicking because their business is offline. Don’t be that person. Your WordPress site matters. Whether it’s your business, your portfolio, your blog, whatever – it’s worth 30 minutes to secure it properly.
I’ve seen small businesses completely destroyed by hacks. Lost customer trust, lost revenue, lost everything they built. All because they thought “it won’t happen to me.”
It can happen to you. The internet is a mess out there. But the good news is that basic security actually works really well. You just have to actually DO it.
What to Do If You’re Already Hacked
If you’re reading this because you’re already hacked – sorry. That sucks. First thing: don’t panic. I mean, panic a little. But then get to work.
- Change ALL your passwords. WordPress, hosting, email, everything.
- Contact your hosting company. They might have backups.
- Scan your site with Wordfence or Solid Security.
- If it’s really bad, hire someone. Seriously. Don’t try to DIY a major infection.
- Once it’s clean, implement everything in this article so it doesn’t happen again.
Most hosting companies (including us at HostGet) will help you clean up hacks. It’s not fun, but it’s fixable.
Final Thoughts
Look, I could write another 5,000 words about WordPress security. There’s always more you can do – web application firewalls, intrusion detection systems, file integrity monitoring, all kinds of advanced stuff. But honestly?
For most people, the basics I’ve covered here are enough. Strong passwords. Two-factor authentication. Login limits. Updates. Backups. That’s like 95% of what you need.
The other 5% is just being aware. Check your logs occasionally. Keep an eye on things. If something feels weird, investigate. And please, PLEASE do this stuff before you get hacked. Not after. I’m tired of getting those 2 AM phone calls.
