Since its release 14 years ago, WordPress has become the preferred CMS (Content Management System) across the web; it has been statistically shown to power more than 60 million websites. Not only is it free but it supports multiple user accounts and so many other features, from third-party plugins and themes to tagging and clean permalinks.

Of course, like all CMS platforms it is susceptible to hacking; although statistics show that cyber threats are in fact more common among WordPress websites; it has been shown to suffer from 60 percent more in the way of Cross-Site Scripting (XSS) based vulnerabilities than other CMS platforms.

Given how much time we at Trent & Hanover put into building good websites (as part of our work as a London SEO company and Web Design Company), we are well aware of how frustrating it can be when a hacker seizes control of a website you’ve put so much time and effort into building to a good standard. Exactly what can you do to best protect your WordPress based site from this kind of hacking? Here are some tips.

1. Make sure you use a strong password

Passwords must be extremely strong; this is key. One way hackers crack more basic passwords is through combinations of special characters with letters and numbers; as soon as they have overcome this hurdle they can easily edit your files and content as much as they please.

Make having a really unique password your focus, however, and the chances of this happening will be reduced massively.

According to the developers of WordPress, the best two methods to ensure this level of protection are:

A. Use a Password Manager such as RoboForm or LastPass. They automatically create an extremely strong and unique password for your website and encrypt it in a database.

B. Use a Passphrase; this method consists of creating a four random word phrase, the key point of which is that it is based around words which have no association with one another; and, you can increase the level of security further by using a combination of lower and upper-case letters along with your special characters and number.

2. Make sure not to use the ‘Admin’ Username

Because new WordPress installations create a new admin account by default with the ‘admin’ username, this is an easy trap; hackers don’t find it hard to crack your name if you stick to this and then they need only overcome your password.

You need to avoid using this username at all costs; instead, wrack your brains to create a really unique one.

It’s not hard to do: while it can be accomplished through a third party plugin or an edit of your website’s database, the simplest way is to just create a new user – ensuring of course that the old ‘admin’ user is deleted.

Doing this requires only that you log in to your site as admin, then follow the basic steps to create a unique name; also ensure you use a different email address than the one you’ve used for your ‘admin’ username. Once this is created, just go back and delete the old admin user account.

3. Make sure you disallow File Editing via the WordPress Dashboard

One easy way to edit your theme’s files is through the WordPress Dashboard; the trouble with this is that hackers can then edit the files of your theme if they are able to gain admin access. You can stop this by adding the following code to your site’s wp.config.php file:

define(‘DISALLOW_FILE_EDIT’, true);

While this won’t stop any hackers from altering your content, they won’t be able to edit your files themselves.

You need only use a FTP (file-transfer-protocol) program such as WinSCP or CuteFTP if you need to edit the files of your theme.

4. Make sure you limit any login attempts

Hackers will have to make many attempts if they wish to find the correct combination, unless they are already aware of your password and/or username for your site. Their method of getting around this, however – brute force attacks using different passwords and usernames – can work quite easily.

One easy solution to this is to use a plugin such as the “Limit Login Attempts plugin” by Johan Eenfeldt, which allows you to limit how many times someone can attempt to login to your website – you can set it to lock them out after five failed attempts, for example.

Using innovative methods such as this to protect yourself is part and parcel of web design and SEO, and as a Web Design Agency and London SEO company, Trent & Hanover are very aware of how important such security is to any developing company; contact us if you need any further tips along these lines.

5. Choosing a secure web host and why it matters

Using the wrong web host is a big factor in increasing the risk of your site being successfully hacked; especially with regards to shared web hosts, because they can place up to thousands of sites on the very same server.

With a statistic of around 41% of WordPress sites shown to have been hacked due to hosting vulnerabilities, you ideally need to choose a VPS (Virtual Private Server) or a dedicated host; just ensure that if you do go down the route of shared hosting, it features virtual isolation.

6. Keep on updating!

Make it a priority to ensure your site is running the latest version of WordPress and anything related to it (I.E. plugins or themes). Any web design agency such as we at Trent & Hanover needs to make sure it is on the ball with keeping everything updated; which is why we’re in a good position to give you these tips.

The same also applies to what we do as a London Based SEO company, because a site which is not updated regularly will not receive the correct search engine optimisation.

While WordPress 3.7 automatically downloads new updates for any minor releases, you’ll have to log in and update it manually through the dashboard for major ones. Get into the habit of logging in at least once at week to check if your site needs updating.

7. Keep user permissions restricted

Finally, you want to ensure multiple users are given the least amount of privilege necessary to fulfil their respective tasks; you don’t want to give most people the ‘admin’ role, for example, because then these individuals will be able to do everything you can. Give them the ‘author’ role, on the other hand, and they can merely edit and write their own posts before publishing them; the ‘contributor’ role is even more limited as they can write and edit but not publish.


Given how multifaceted and powerful a tool WordPress is, you can fall into the trap of thinking it’s near perfect; but in actual fact it has its flaws like everything else, security based ones being the most potentially dangerous. But with the help of us and the tips we’ve given you here, you can safely protect your site from hackers.