5 steps to protect WordPress website against hackers

Why protecting WordPress is so important? Well, first, it runs 34% of the whole internet. Yup, you read that right. New York Observer, New York Post, TED, Thought Catalog, Williams, USA Today, CNN, Fortune.com, TIME.com, National Post, Spotify, TechCrunch, CBS Local, NBC, and more, all use WordPress.

This is awesome because it proves how WordPress is an amazing piece of free software, but it also makes it a target for hackers. In no time you can end up with a non functional website that spam-bombs your users with Viagra pills emails or (more sneaky) a zombie WordPress website that will continue to work normally to your eyes but will actually (via malicious code) push ads or SEO links for another website or mine cryptocurrency making your website super slow.

In 2016, Google warned more than 50 million website users that some websites they’re visiting contained malware or were stealing information.

Protect WordPress to avoid the red screen of hell!

Google is blacklisting around 20,000 websites for malware and around 50,000 for phishing each week and you don’t want to be on that list. You basically could be loosing thousands of dollars because you didn’t pay attention to protect WordPress.

What can you do to protect WordPress when you’re not a developer?

Here are points we will review for a better, stronger and more secure WordPress website when you are not a developer:

  1. Your WordPress hosting
  2. Your domain name
  3. Your WordPress version
  4. Your WordPress template
  5. Your WordPress plugins

This article is gonna focus on basics steps you can take to protect WordPress website. Of course there are more complex actions you can take, but I want to keep it simple so you are not overloaded with technicality.

1. Secure your WordPress hosting

Your WordPress hosting is gonna be the most important part because without it there is no website. There are TONS of hosting platforms out there and most of people go trough a service like Godaddy, buy their domain name there and add it to a hosting package. And most of the time it’s ok. Now you need to know that there are 3 types of servers:

  • Shared hosting
  • VPS hosting
  • Dedicated hosting

And they all come with advantage and disadvantage in the way you can secure and protect WordPress in it.

Shared hosting

The cheapest one is the shared server and it’s the one most people take when they add a $5.99/m hosting package to their domain name. Shared hosting means that you share a server with other users. In other words you can have 500 other websites on the server you are set in.

What it means for you is that you will get basic resources from it. Limited space, limited bandwidth, limited CPU and memory etc.. And no way you can touch anything related to the server software, version of PHP (the code that runs WordPress), MySQL and others.

It also means that if one website is affected by a nasty virus it can spread to the whole server and put it down, your website with it. Of course it’s unlikely as those servers are monitored by the company that sells them and they are usually quick to act on any problem like that, but you get my point here. Protecting WordPress in a shared hosting can be tricky.

VPS hosting

VPS servers are more expensive than the shared ones because they are kinda between shared and dedicated. You still share the server with others but you get more access to the actual software that runs your part of the server. In short you still can get your website down if one of the hosted websites get a nasty virus (unlikely), but you get more control in terms of settings and it helps for security purpose like keeping the latest version of PHP, for example. It’s a good solution to protect WordPress.

Dedicated hosting

Finally the dedicated server is the cherry on top of the hosting solutions as you have full access/control and no one else is there with you. But, there is a but, you need to know what you are doing, meaning that you have a server guy working with you or you pay a hosting company to manage the details for you. This solution is, to me, the best when you want to protect WordPress as you have a much better control of everything.

Conclusions on hosting

Of course I highly recommend you to be on a dedicated server and you may think that it’s not for you because you don’t have a “server guy” and/or you don’t want to pay what most hosting companies ask for a dedicated server. Well it’s your lucky day as I introduce CloudWays to you!

When Godaddy, for example, asks for $89/m for a dedicated server, with CloudWays you can start as low as $12/m, YAY. You can even try it for a month for free and they will migrate your website over there for free if you want.

Now you can think that I’m trying to sell you something here? Well, damn right I try! But not for the reasons you may think of, I truly think that CloudWays is the best hosting solution out there, period. All my websites are running with them including my membership one (the biggest) Learn Watercolors, and the one you are on at the moment. All my Divi Design Service Maintenance clients are on CloudWays as well.

If you do your research in terms of the best servers out there for your WordPress website, you will eventually end up with a list like this one:

  • Digital Ocean
  • Google Cloud Platform
  • Amazon Server
  • Linode
  • Stack Path
  • Vultr

Well guess what, those companies are all CloudWays partners. When you set-up a CloudWays account you can choose between those companies for your hosting. Then use CloudWays super simple dashboard to install your WordPress with one click, link your domain name and so much more that I’m gonna write a post just to highlight that. By the way, if after your own research you decide on using CloudWays but you don’t want to deal with technicalities, feel free to use my WordPress security and maintenance service.

Anyway, CloudWays will protect WordPress with features like:

Dedicated Firewalls
All Cloudways hosted servers are protected by OS-level firewalls that filter out malicious traffic and keep out the intruders.

1-Click Free SSL Installation
Our built-in Let’s Encrypt SSL improves website security with a trusted certificate that fulfills all your HTTPS requirements for free.

IP Whitelisting
Allows you to create a whitelist of IPs, making it easy to collaborate with networks or regions with unrestricted access to SSH and SFTP.

Regular Security Patching
We perform regular OS patches and firmware upgrades on your server. This ensures a secure managed cloud server and avoids vulnerabilities.

Two-Factor Authentication
TFA is an easy and effective extra layer of safety for your Cloudways account, keeping your server safe from any intruder.

So again, to me it’s the best solution regarding the price out there, but don’t take my word for it, do some research or sign up for a free month and figure it out for yourself :).

2. Your domain name

Domain name registrar (the company that sells domain names) is also an important choice when it comes to protecting WordPress website. I always recommend my customers to use Google Domain or CloudFlare because those are the simplest in terms of interface. Also they are top companies in security and reliability area by far.

Of course most of the big names in domain hosting like GoDaddy or Namecheap also have good interface and security so you will be good with either of those. Now, a plus to use CloudFlare will be having your DNS protected right up with no further configuration needed. I’ll talk about CloudFlare a bit later.

SSL certificate for your domain name

What you are mostly looking at, in terms of domain name security, is using a SSL certificate that will transform your website url from http://yourwebsite to https://yourwebsite. The “S” in “https” stands for security.

Google has made it a SEO imperative and your ranking will suffer if you are not using it. Now, most hosting companies and domain name companies offer SSL certificate to buy. The only problem is that it requires you to do some “coding” within your server to actually activate it, and it is not the point of this article to get into dev technical things. Good for you if you are using CloudWays: installing a SSL certificate on your domain name is free and it’s doable with one click, no code.

Using CloudFlare for speed and security

Finally what you want to add as security layer to your domain name is a DNS service. DNS is what tells your browser that a particular domain name is linked to a particular IP address (your server). So when you enter a domain name address in your browser, your internet request goes to the closest DNS server in your region and asks where this domain should go and then brings you there.

Usually domain providers uses their own DNS servers and they are pre-installed when you buy your domain. The only problem with those is that they are slow and if they get down, your domain access gets down with it.

With the use of CloudFlare, though, you will get to use the CloudFlare DNS:

They have the biggest network in the world and they are SUPER fast so your website will appear in the browser faster which is also good for SEO.

The second thing about CloudFlare is that if your server is down for whatever reason, CloudFlare will still show a cached version of it so your visitor can still see your content.

Finally using CloudFlare in terms of security will protect WordPress as it also works as a firewall against DDos attacks, for example. Oh, and it’s free!

3. Your WordPress version

After server and domain, an important part of course is the actual WordPress software. As we’ve discussed that already, 34% of the internet runs on WordPress. It’s a lot of websites, but the problem is that only 22% runs on the latest version:

WordPress versions statistic

It means that all the security breaches that have been fixed with 5.2 in this example are still open for business in your WordPress website, and your chances to get hacked are big.

On that note, hacking a WordPress website is probably not what you think it is. Maybe you picture a hacker finding your website and trying to access the backing using green terminal command line on a black screen… Well, sorry to disappoint you but hackers are smarter than that. They use automated script that mostly runs on already hacked computer (zombie computer) all around the world and scouts the internet for WordPress websites with outdated versions. When found, those scripts automatically use the unpacked security breach and install malicious code then move to another one and again, and again in a matter of seconds.

So you need to have a constantly updated version of your WordPress website to prevent security breach.

Best way to protect WordPress would be to update on a staging version of your live website to check that it doesn’t break anything after updating, then make it live only if it doesn’t break anything.

You can do that if you are using CloudWays and/or I can do it for you if you’re using my maintenance package.

4. Your WordPress template

Well, if you are reading this post you know that I recommend using Divi :). I know there are LOTS of different WordPress builders out there, Elementor, Beaver etc… I’ve tested them as well and they are good, no problems there, I’m not NOT recommending to use them, I just feel Divi is as good if not better (I do think it’s better ^^) in many ways and super user-friendly.

It’s also very well coded and constantly updated, which is our main concern here. 29% were hacked via a security issue in the WordPress Theme they were using. If you use a template, let’s say from Envato market place, which is maintained by just one person you are open for hackers eventually finding a breach in the theme code and exploiting it without the creator knowing it. With a template like Divi you get a big team working on it full time.

WP Beginner wrote a good WordPress builder comparison article you can read and conclude:

As we compared different drag and drop WordPress page builders, one thing became very clear. Beaver Builder and Divi are clearly the top choice.


The team that developed Divi (Elegantthemes) is super responsive and updates/adds new features all the time, making this WordPress template better and better. I’ve been using it to develop my clients’ websites since the first version and I would not use any other WordPress builder.

5. Your WordPress plugins

Here is the most important part of the whole list, so pay attention :). Most of WordPress websites are hacked via a security issue in the WordPress Plugins they were using.

WordPress Vulnerabilities Overview – Source

The solution here is, first, to use as less plugins as possible. If you can achieve what a plugin would do with a line of code, then do it.

Second, you need to maintain your plugins up do date and check every week, at the least. Of course, it doesn’t 100% guarantee that your WordPress will not be hacked, but, it will certainly protect you much better. And if you have a good back-up system in place you can always get back to “before the hack” and re-deploy a clean version of your website.


Ok, let’s wrap this up. By now I’m sure you understand the importance of protecting WordPress. It’s an amazing software, really, it’s free and it comes with an insane amount of templates and plugins, and now you know that’s where you need to be careful. I know it’s annoying to maintain a website, to check on plugins, WordPress core version, server PHP version etc… But that’s what you need to be doing to be safe. Now, if you don’t want to be bothered with all that stuff I can maintain and protect your WordPress website for you.

About the author

Hey I’m Lesly,  a French web designer , full time traveler and WordPress enthousiat since version 0.1. I write about design, security and speed mostly. On the side I’m also the co-founder of Learn Watercolors.

Like this article? Let’s discuss it then

Notify of
Inline Feedbacks
View all comments