Website Hack Protection – Complete Guide

Feb 22, 2020


Do you know that your website can be hacked any day? Are you aware of the security measures you need to take for your website? Do you need website hack protection?

On the internet today, there are over 1.74 billion websites and counting. WordPress powers 35% of all websites, making it the most popular website building platform.

But its popularity makes it a hunting ground for hackers, who are constantly on the lookout for vulnerable WordPress websites they can exploit. Once they gain access to your website, hackers can use your site’s resources to launch attacks on other websites, send spam emails, and store pirated software, among other things.

You might think you are safe because your website is small and draws insignificant traffic. But you’d be surprised to learn that hackers prefer targeting small websites, because such websites tend to be lax about security and are therefore easy to hack.

No matter the size of your website, you can take steps to prevent hacks and their consequences.

In this guide, we’ll show you the exact measures you need to take to secure your website against hacking attempts.


There are quite a few measures you can take but you can get complete protection for your website by installing our MalCare Security Plugin. It’s designed to address any security issues your WordPress site is likely to face. Simply activate the plugin to get daily malware scans, a strong firewall, and all-round protection for your WordPress site.

In this article, we are going to acquaint you with a number of website protection measures. We have grouped them into two levels according to their importance.

    • Level 1 contains the most important measures and is mandatory for the well-being of your website.
    • Level 2 contains advanced measures meant to further harden the security of your website.


Level 1 – Basic Website Hack Protection Measures

In level 1, there are 5 really important WordPress security measures:

    • Use a WordPress Security Plugin
    • Use an SSL Certificate
    • Keep Your Website Updated
    • Use Unique Username & Strong Password
    • Use a WordPress Backup Plugin

1. Use a WordPress Security Plugin

One of the first steps we strongly suggest you take is to install a WordPress security plugin. A security plugin offers 3 core functions: scanning, cleaning, and protecting your website from hackers.

Most of these functions are automated, so you don’t have to be involved in monitoring your website. It’s only when your website is hacked that you need to get involved and initiate the malware removal process.

Most website security tools include a web application firewall that filters out bad traffic and allows only good traffic to reach your website. This too is automated.

That’s all well and good but choosing a security plugin is no walk in the park. There are many security plugins in the market and every one of them has a different take on security.

Take for instance, some WordPress scanners scan websites hoping to detect known malware, while our security scanner (MalCare’s WordPress Malware Scanner) goes beyond that. It finds new and complex malware hidden in the files and folders of your website.


Choosing the right kind of security plugin is a huge task – one that we thought we’d do for our readers. Here’s a list of the best WordPress security plugins.


2. Use a WordPress Backup Plugin

When a website is built, installing a backup plugin is generally not something the owners of small to medium-sized websites consider.

No one thinks of website backups unless they are facing a disaster.

Maybe a user accidentally deleted a few pages or your website crashed and you lost orders that were placed on your site by clients or customers. It’s moments like these when you regret not having backups.

Take complete website backups on a regular basis.

There are many backup plugins to choose from. But not all plugins offer good services. You’d be surprised to learn that some backup plugins lack the ability to reliably restore backups.

It is difficult to invest time and money to test all the backup plugins available in the market. But don’t worry. We tested some of the best plugins in the market and came up with the Best WordPress Backup Plugins.

3. Use an SSL Certificate

A WordPress website collects sensitive information such as contact details and credit card details from visitors. While this data travels from the visitor’s browser to your server, it can be intercepted and read by hackers, who can steal it and use it to launch scam campaigns.

An SSL (Secure Sockets Layer) certificate gives you a safe way of receiving this sensitive data: the connection is encrypted, so even if hackers intercept the data they can’t read it. (The protocol in use today is TLS, but the certificates are still commonly called SSL certificates.)

When you install an SSL certificate, your website migrates from HTTP to HTTPS.

(Screenshots: the address bar of a website without SSL, showing http://, and of a website with SSL, showing https://.)

The “S” in https stands for “Secure.”

Besides securing your website, SSL certificates are important for SEO. Websites with an SSL certificate may rank better in search engine results.

If all this makes you wonder how to install an SSL certificate on your WordPress website, we have just the guide you need – How to Move WordPress Site From HTTP to HTTPS?

4. Keep Your Website Updated

Did you know that 80% of hacked websites are hacked because they were not updated?

Security vulnerabilities are discovered in themes and plugins over time. Developers release updates when they’ve found a vulnerability that needs to be patched immediately.

When you update the plugin or theme, the vulnerability is patched.

But when website owners don’t update their plugins, themes or even the WordPress core, the vulnerability remains, and hackers exploit it to hack the website.


Updating a WordPress website is fairly easy, and most likely you have updated your plugins, themes and the WordPress core from time to time. Just make sure you apply updates whenever a new one appears. You can set some time aside every week to update your website.

That said, updates can sometimes break your website, which is one more reason to have a recent backup before you update.

People rarely realize the importance of updates. They build a website and then forget about it. When they return, they notice something is off on their site and only later realize that it’s been hacked.

5. Use Unique Username & Strong Password

The login page of a WordPress website is a common target for hackers because it is the gateway to your admin dashboard. Moreover, many websites use weak login credentials that are easy to guess.

Hackers build bots that can try hundreds of username and password combinations within a minute. The bots keep trying different combinations on your login page until they find one that works. This type of attack is called a brute force attack.

You can implement all the security tips found on the internet but if your login details are easy to guess, hackers will break into your website within minutes.

Therefore, we strongly advise you to use unique usernames. This means not using usernames like ‘admin’ or names that can be found on your website, such as the authors of blog posts or the founders mentioned in the ‘About Us’ section.

You need to ensure that every user of your website changes their usernames. We have a guide that you’ll find helpful – How to Change WordPress Usernames?

As for passwords, we’d offer the same advice: they should be strong and unique so that hackers can’t guess them. So your password can’t be ‘passw0rd’ or ‘password1234’, etc. Here’s a guide on How to Generate a Strong Password?


That brings us to the end of level 1. These security measures should be enough to deter hackers. If they can’t hack your website, they’ll quickly move to an easier target.

However, hackers are getting better at hacking secure websites. They are advancing their skills and technology and inventing new ways of breaking into sites that have security measures in place. We strongly recommend taking the advanced measures (level 2) to ensure that your website is completely safe.


Level 2 – Advanced Website Hack Protection Measures

In level 2, these are the important WordPress security measures you need to take:

    1. Website Hardening Measures
    2. Geo-Blocking
    3. Implement 2-Factor Authentication
    4. Limit Failed Login Attempts

1. Website Hardening Measures

WordPress recommends that you harden your website against hack attempts. Most of the steps that WordPress recommends for site owners are difficult for a non-technical person to implement. You’d have to know your way around WordPress files and folders to make any changes safely.

This is why we suggest you use a security plugin to implement those changes. Our plugin, MalCare, comes with a Site Hardening feature. It enables you to implement the steps WordPress recommends with the click of a button. No technical knowledge needed.

The site hardening measures that you can take with MalCare are –

i. Block PHP Execution in Untrusted Folders

After gaining access to your site, hackers want to carry out malicious activities. To do that, they upload their own malicious files and folders. These uploaded files contain scripts that run malicious code on your site, such as redirecting your visitors to an adult site. Blocking PHP execution in folders that should only hold static files (the uploads folder, for example) prevents such scripts from running.

ii. Disable Files Editor

Anyone who has admin access to your dashboard can open the file editor and add or delete scripts to modify your website. Disabling the file editor is a good idea.

iii. Block Plugins & Themes Installation

One of the first things a hacker does after gaining access to your site is to install a backdoor. A backdoor is a hidden entry point that gives them access to the website whenever they want. The backdoor can be installed in the form of a nulled plugin or theme. If you disable plugin and theme installation, you reduce the chances of exploitation.

iv. Change Security Keys

If your website is hacked, changing the security keys (the WordPress keys and salts in wp-config.php) automatically signs out all users who are logged into your website, including hackers.

v. Reset All Passwords

This resets every user’s password, so any hacker operating through a compromised user account is locked out immediately.
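As an added example (not MalCare’s code and not part of the original article), here is a must-use plugin that applies measures i, ii, iii and v by hand. The file name, the option and marker names, and the helper function names are this example’s own choices; it assumes Apache 2.4 with `.htaccess` files honoured for the uploads folder.

```php
<?php
/**
 * Plugin Name: Example Site Hardening (added example, not MalCare's code)
 * Description: Applies hardening measures i, ii, iii and v from the guide.
 * Save as wp-content/mu-plugins/example-hardening.php; files in that folder
 * load on every request without needing activation.
 */

// ii. Disable the theme/plugin file editor.
// iii. Block plugin/theme installs, updates and deletions from the dashboard.
// Conventionally these constants live in wp-config.php; defining them here
// also works because mu-plugins load before the admin menus check them.
// Note: DISALLOW_FILE_MODS also disables automatic updates, so with it set
// you must apply updates through WP-CLI or by deploying files yourself.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}
if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
	define( 'DISALLOW_FILE_MODS', true ); // implies DISALLOW_FILE_EDIT as well
}

// i. Block PHP execution in the uploads folder (Apache 2.4 syntax). The rules
// are written once, between marker comments, using WordPress's own
// insert_with_markers(), so re-running never duplicates them. Nginx ignores
// .htaccess; there the equivalent "deny all" location rule goes in the server block.
add_action( 'admin_init', function () {
	if ( get_option( 'example_hardening_uploads_rules' ) ) {
		return; // already written
	}
	if ( ! function_exists( 'insert_with_markers' ) ) {
		require_once ABSPATH . 'wp-admin/includes/misc.php';
	}
	$uploads  = wp_get_upload_dir();
	$htaccess = trailingslashit( $uploads['basedir'] ) . '.htaccess';
	$rules    = array(
		'<FilesMatch "\.(php|phtml|phar|php[0-9])$">',
		'    Require all denied',
		'</FilesMatch>',
	);
	if ( insert_with_markers( $htaccess, 'example-hardening', $rules ) ) {
		update_option( 'example_hardening_uploads_rules', 1 );
	}
} );

// v. Emergency reset: give every user a new random password and destroy every
// session, so anyone currently logged in (an intruder included) is signed out
// and has to use "Lost your password?" to get back in. This signs you out too,
// so run it deliberately, for example from WP-CLI:
//   wp eval 'example_hardening_reset_all_users();'
function example_hardening_reset_all_users() {
	foreach ( get_users( array( 'fields' => array( 'ID' ) ) ) as $user ) {
		wp_set_password( wp_generate_password( 32, true, true ), $user->ID );
	}
	WP_Session_Tokens::destroy_all_for_all_users();
}
```

Measure iv (changing the security keys) is not in the block because it edits wp-config.php itself; WP-CLI’s `wp config shuffle-salts` does that in one command, and like the reset function above it invalidates every existing login cookie.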

2. Block Countries

Geo-blocking lets you ban, in one step, all IP addresses that originate from the same country.

If you have a firewall like MalCare, you may notice that the plugin blocks a lot of requests. You may even observe that many of the blocked requests originate from the same country.

In that case, you can block the entire country to reduce the risk of a hack. Keep in mind that this cuts down on the noise from one region rather than stopping a determined attacker, who can route traffic through another country.
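A minimal way to do this without a firewall plugin, added here as an example that is not MalCare’s code: a must-use plugin that refuses the login page to visitors from listed countries. It assumes the site sits behind Cloudflare, which adds the visitor’s country code in the `CF-IPCountry` header; the country list is a constructed placeholder.

```php
<?php
/**
 * Plugin Name: Example Country Block for the Login Page (added example)
 * Assumes Cloudflare in front of the site. The CF-IPCountry header is only
 * trustworthy when the origin server accepts traffic from Cloudflare alone;
 * if anyone can reach the server directly, they can set the header themselves.
 */

/** Constructed placeholder list: AA and ZZ are user-assigned ISO 3166-1 codes, not real countries. */
function example_geo_blocked_countries() {
	return array( 'AA', 'ZZ' );
}

/** Return true when the request's country code is on the block list. */
function example_geo_is_blocked( array $server ) {
	if ( empty( $server['HTTP_CF_IPCOUNTRY'] ) ) {
		return false; // no country information: let the firewall/login limits handle it
	}
	$country = strtoupper( substr( $server['HTTP_CF_IPCOUNTRY'], 0, 2 ) );
	return in_array( $country, example_geo_blocked_countries(), true );
}

// login_init fires at the top of wp-login.php, before any form is processed.
add_action( 'login_init', function () {
	if ( example_geo_is_blocked( $_SERVER ) ) {
		error_log( 'example-geo: blocked login page request from ' . $_SERVER['HTTP_CF_IPCOUNTRY'] );
		wp_die( 'Login is not available from your region.', 'Forbidden', array( 'response' => 403 ) );
	}
} );
```

This only covers the login page, which is the target the article singles out; a firewall applies the same decision to every request, including xmlrpc.php, which is why a plugin-level firewall is the more complete option.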


3. Implement 2-Factor Authentication

Earlier we spoke of how the login page is a common target for hack attacks. Wouldn’t it be great if you could prevent hackers from accessing the page altogether?

Wish granted! You can do that by implementing 2-factor authentication.

You must have noticed that when you log in to your Facebook or Gmail account, they ask you for a unique code that they have sent to your smartphone. Only when you enter the code can you access your account. So basically, you had to log in twice: once with your login credentials and then with a unique code generated in real time. This is 2-factor authentication.

Your account is linked with your smartphone. Without it, no one can log into your account even if they have your credentials.

Given that many WordPress users tend to have easy-to-guess usernames and passwords, it’s best to have a second layer of protection on your WordPress website. You can implement 2-factor authentication on your WordPress login page. Even if a hacker can guess your username and password, they will need the code on your smartphone to access your dashboard.

You can follow this guide to implement two-factor authentication.
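To show what the second factor actually checks, here is an added example, not the guide linked above and not any plugin’s code, of a must-use plugin that adds a time-based one-time code (TOTP, RFC 6238, the scheme authenticator apps use) to the WordPress login form. The meta keys `example_totp_secret` and `example_totp_last_step` and all function names are this example’s own; it assumes each enrolled user’s base32 secret has already been stored in user meta.

```php
<?php
/**
 * Plugin Name: Example TOTP Second Factor (added example, not the article's guide)
 * Adds a one-time-code field to wp-login.php and verifies it against the
 * base32 TOTP secret stored in user meta "example_totp_secret". Users without
 * a secret log in with password only, so enrol the admin accounts first.
 */

/** Decode an RFC 4648 base32 string (the format authenticator apps display). */
function example_base32_decode( $b32 ) {
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$b32      = strtoupper( rtrim( (string) $b32, '=' ) );
	if ( '' === $b32 ) {
		return false;
	}
	$bits = '';
	foreach ( str_split( $b32 ) as $char ) {
		$value = strpos( $alphabet, $char );
		if ( false === $value ) {
			return false; // not base32
		}
		$bits .= str_pad( decbin( $value ), 5, '0', STR_PAD_LEFT );
	}
	$bytes = '';
	foreach ( str_split( $bits, 8 ) as $byte ) {
		if ( 8 === strlen( $byte ) ) {
			$bytes .= chr( bindec( $byte ) );
		}
	}
	return $bytes;
}

/** RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, dynamically truncated. */
function example_totp_code( $secret, $counter, $digits = 6 ) {
	$hash   = hash_hmac( 'sha1', pack( 'N*', 0, $counter ), $secret, true ); // 8-byte big-endian counter
	$offset = ord( $hash[19] ) & 0x0f;
	$binary = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
		| ( ord( $hash[ $offset + 1 ] ) << 16 )
		| ( ord( $hash[ $offset + 2 ] ) << 8 )
		| ord( $hash[ $offset + 3 ] );
	return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/** Accept the current step and one step either side (clock drift); return the matching step or false. */
function example_totp_verify( $secret, $code, $now = null ) {
	$counter = (int) floor( ( null === $now ? time() : $now ) / 30 );
	for ( $i = -1; $i <= 1; $i++ ) {
		if ( hash_equals( example_totp_code( $secret, $counter + $i ), (string) $code ) ) {
			return $counter + $i;
		}
	}
	return false;
}

// Add the code field to the login form.
add_action( 'login_form', function () {
	echo '<p><label for="example_totp">Authentication code<br>'
		. '<input type="text" name="example_totp" id="example_totp" class="input" '
		. 'inputmode="numeric" autocomplete="one-time-code" size="20"></label></p>';
} );

// Priority 30 runs after WordPress's own password check (priority 20), so the
// code is only demanded of a user whose username and password were correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( ! $user instanceof WP_User ) {
		return $user; // an earlier filter already rejected the login
	}
	$secret = example_base32_decode( get_user_meta( $user->ID, 'example_totp_secret', true ) );
	if ( ! $secret ) {
		return $user; // user not enrolled
	}
	$code = isset( $_POST['example_totp'] ) ? preg_replace( '/\D/', '', wp_unslash( $_POST['example_totp'] ) ) : '';
	$step = example_totp_verify( $secret, $code );
	// Refuse a step that was already used, so a captured code cannot be replayed within its window.
	if ( false === $step || $step <= (int) get_user_meta( $user->ID, 'example_totp_last_step', true ) ) {
		return new WP_Error( 'example_totp', 'Invalid or already used authentication code.' );
	}
	update_user_meta( $user->ID, 'example_totp_last_step', $step );
	return $user;
}, 30, 3 );
```

Two caveats worth knowing before using this pattern: the `authenticate` filter also runs for XML-RPC logins and for REST requests using application passwords, which have no way to supply the code, so those paths need to be disabled or exempted deliberately; and because the secret is stored in user meta, anyone who already has database access can read it, so the second factor protects the login page, not a site that is already compromised.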

4. Limit Failed Login Attempts

There’s one more security measure for your login page.

We have discussed earlier, how hackers use a brute force attack to try and guess the user credentials of your website.

In this type of attack, hackers deploy bots to generate hundreds of usernames and passwords within a minute. They keep trying until they find the correct credentials. So if you limit the number of failed login attempts, then the bots will move to their next target.

If you’ve installed MalCare, it will automatically limit login attempts on WordPress. Users will have three chances to enter the correct credentials. After this, they will be locked out of their account and will need to pass a CAPTCHA test to regain access to the login page to try again.

Note: CAPTCHAs are a test of whether the user is a bot or a human. They identify malicious bots and users and block their login attempts.

By limiting login attempts, your site is protected against brute force attacks.
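The following must-use plugin is an added example of the login-limiting idea, not MalCare’s code: it counts failed logins per client IP address and refuses further attempts once the limit is reached. The limit of three matches the article; the 15-minute lockout, the transient-based storage and the function names are this example’s own choices, and it has no CAPTCHA stage, so the lockout simply expires.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (added example, not MalCare's code)
 * After 3 failed logins from one IP address, login is refused for 15 minutes.
 */

define( 'EXAMPLE_LL_MAX_FAILURES', 3 );
define( 'EXAMPLE_LL_LOCKOUT', 15 * MINUTE_IN_SECONDS );

/** Client address. Behind a proxy or CDN, replace this with the forwarded header you trust. */
function example_ll_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name holding the failure count for this address. */
function example_ll_key() {
	return 'example_ll_' . md5( example_ll_client_ip() );
}

/** Current failure count for this address (0 when none or expired). */
function example_ll_failures() {
	return (int) get_transient( example_ll_key() );
}

function example_ll_is_locked() {
	return example_ll_failures() >= EXAMPLE_LL_MAX_FAILURES;
}

// Count every failure. wp_login_failed fires whenever WordPress rejects a login
// (empty username/password submissions excluded). Each failure resets the
// expiry, so an address that keeps trying stays locked out longer.
add_action( 'wp_login_failed', function ( $username ) {
	$failures = example_ll_failures() + 1;
	set_transient( example_ll_key(), $failures, EXAMPLE_LL_LOCKOUT );
	if ( $failures >= EXAMPLE_LL_MAX_FAILURES ) {
		error_log( sprintf( 'example-ll: %s locked out after %d failed logins (last username: %s)',
			example_ll_client_ip(), $failures, $username ) );
	}
} );

// wp_authenticate_user fires after the username is resolved but before the
// password is compared, so a locked-out address never gets a password checked,
// and a correct guess during the lockout is still refused.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
	if ( is_wp_error( $user ) ) {
		return $user;
	}
	if ( example_ll_is_locked() ) {
		return new WP_Error( 'example_ll_locked', 'Too many failed login attempts. Please try again in 15 minutes.' );
	}
	return $user;
}, 99, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
	delete_transient( example_ll_key() );
} );
```

Keying on the address keeps the logic small, but it also means an attack spread across many addresses is slowed only a little per address; that is the gap a firewall with its own rate limits and CAPTCHA step is meant to close.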

That brings us to the end of level 2.


Final Thoughts

We know, this was a really long read and a tad overwhelming too. But before letting you off the hook, we’ll summarize the points below –

    • Use a WordPress Security Plugin
    • Use an SSL Certificate
    • Keep Your Website Updated
    • Use Unique Username & Strong Password
    • Use a WordPress Backup Plugin
    • Website Hardening Measures
    • Geo-Blocking
    • Implement 2-Factor Authentication
    • Limit Failed Login Attempts

We sincerely hope that you found this guide helpful. If you’re interested in learning more about how to secure and protect your WordPress sites from common hack attacks like SQL injection, cookie stealing, the Japanese keyword hack, DDoS attacks, cross-site scripting attacks, etc., check out our WordPress blog.
