How to Protect Your WordPress Website


How vulnerable is your website to attacks? Some may think that their website is too insignificant for hackers to care about, which is partly true in that hackers are less likely to spend all of their time and resources trying to force their way into a new and undiscovered website. However, if they do find an easy opportunity, they will definitely take it. You should also consider that a lot of hacking is automated with scripts, and these programs scan the web for any websites that they can hack.


Website security is an aspect that is commonly overlooked until an attack happens. Avoid becoming another victim and take these few steps to reinforce your website’s resistance to hacking attempts.


Choose a Reputable Web Host

Making the right choice when it comes to web hosting adds an extra layer of security to your website. If security is your primary concern, you may want to choose Thai VPS or dedicated server hosting, which would pose less of a risk since you are sharing with fewer websites on VPS hosting and have the whole server to yourself on dedicated hosting.


Using Thai shared hosting means that other sites are on the same server. It is often thought of as less secure, since other sites on the server could be attacked and potentially crash your website as well. However, with good security and other server-side tweaks, even shared hosting can offer quite a stable and secure environment.


Additionally, a good hosting provider can be a source of timely support if your website ever gets compromised or if you ever run into issues on your website. They will be happy to assist you with any security-related concerns. This is one aspect that is good about managed and shared hosting services.


Backup Your Site Regularly

Although backups do not do much in the way of prevention, they are definitely useful to have should your site ever fall prey to a hacking attempt. If that happens, your website’s files and data may be lost or corrupted, resulting in a great inconvenience and possibly even a financial loss. Sometimes, the data can be unrecoverable if you do not have a copy of it stored somewhere. Having a recent backup to restore saves you a large amount of time and ensures that your website can get back up and running right away.


Depending on your website, you may be able to set up daily or weekly backups of your website. With systems like WordPress, these regular backups are automatic and can be easily sent to another (off-server) storage device in compressed format, which can be invaluable if your website ever goes down. Off-server backups are best where possible, as you then keep full control even if the server goes down and/or data is lost. It also means that you are in control of the backups and their frequency.


Install Only Trusted Plugins and Themes

Users may often check for possible security loopholes in their plugins, but sometimes, the security breach comes from the plugin itself. Apart from gaining access to someone’s login information, another way to hack a website is by inserting malicious code into it – and doing so in plugins or themes is the perfect way to go about it.


To be extra sure, always carefully inspect the source code of any package you plan to install. If you are unable to do so, at least make sure that the plugin or theme comes from a trusted source, such as the official WordPress library. You can also look up the plugin on a search engine and read user reviews of it. If the plugin seems shady or contains suspicious code, you could contact the developer about it or ask on a WordPress plugin forum before installing it.
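As a first pass before reading a package's source by hand, the added example below (not code from the original article) scans the PHP files of an unpacked plugin or theme for a few constructs that deserve a closer look. The pattern list, the function names and the sample package are assumptions made for illustration; a hit is a lead for manual review, not proof of malice.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (an assumed, non-exhaustive list) that justify a manual
# look before installing a plugin or theme.
PATTERNS = {
    "eval of decoded/decompressed data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request input passed to code execution": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "long base64-looking string literal": re.compile(
        r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

def scan_package(root):
    """Return (relative_path, line_number, reason) hits for PHP files under root."""
    root = Path(root)
    hits = []
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for reason, pattern in PATTERNS.items():
                if pattern.search(line):
                    hits.append((php.relative_to(root).as_posix(), lineno, reason))
    return hits

def demo():
    """Scan a constructed sample package: one clean file, one with an obfuscated eval."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "sample-plugin"  # hypothetical plugin name
        (pkg / "inc").mkdir(parents=True)
        (pkg / "sample-plugin.php").write_text(
            "<?php\n// Plugin Name: Sample\nadd_action('init', 'sample_init');\n")
        # Constructed, harmless payload: the string decodes to "echo 1;"
        (pkg / "inc" / "helper.php").write_text(
            "<?php\n$ok = true;\neval(base64_decode('ZWNobyAxOw=='));\n")
        return scan_package(pkg)

if __name__ == "__main__":
    for path, lineno, reason in demo():
        print(f"{path}:{lineno}: {reason}")
```

Run `scan_package()` on the directory you unpacked the download into, before it is copied into the WordPress plugin or theme folder.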


Protect Your Login Page (Advanced)

This is one of the most powerful measures to protect your website from hacking attempts, but it is also somewhat advanced and may not work for everyone.


To do this, you have to locate the .htaccess file for WordPress, which should be in the directory you installed WordPress to. Open this file and add the following code to the top:


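# Short plain-text body for 401 and 403 responses
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Apache 2.2-style access rules (on Apache 2.4 these directives are provided by mod_access_compat)
# Only the listed IP address may reach the login page
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from <Your IP address>
</Files>

# The configuration file cannot be requested by anyone
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>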

The code ensures that nobody except you is able to access the login page of your WordPress site, and that the configuration file (wp-config.php) cannot be requested by anyone. Remember to replace <Your IP address> with your own IP address in the above code, or you will be locked out of your login page. If you wish to allow multiple IP addresses to access the login page, simply copy the “allow from” line and replace the IP address.


This method is possibly the most secure, but it does have some drawbacks:

  • You must be on a personal Internet connection, not shared (work, school, free WiFi) or VPN (unless the VPN server is exclusively used by you)
  • Your IP address must be static, not dynamic, or you would constantly have to change the allowed IP address in the .htaccess file
  • Your Internet connection must not be accessible by potential hackers


However, if you fit these criteria, restricting access to your admin login page works amazingly and ensures that only someone on your Internet connection will even have the possibility of attempting to log in. Restricting access in this way does not prevent anyone from viewing your site as it is, only from accessing the login page to the WordPress dashboard.
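To confirm that the restriction described above is really in effect, the added example below (not part of the original article) audits Apache access-log lines and reports any request for wp-login.php or wp-config.php that should have been refused but was not answered with 403. It assumes the Apache "combined" log format; the function names, the allowed address and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Apache "combined" access-log line: client, request line and status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Files covered by the .htaccess rules: login is allowlisted, config is denied to all.
PROTECTED = {"wp-login.php": "allowlist", "wp-config.php": "deny-all"}

def is_allowed(client, networks):
    try:
        addr = ip_address(client)
    except ValueError:  # hostname logged instead of an IP: treat as not allowed
        return False
    return any(addr in net for net in networks)

def audit(log_lines, allowed_ips):
    """Return (leaks, blocked): requests that should have been refused but did not
    get a 403, and a per-client count of correctly refused requests."""
    networks = [ip_network(ip) for ip in allowed_ips]
    leaks, blocked = [], Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        policy = PROTECTED.get(urlsplit(target).path.rsplit("/", 1)[-1])
        if policy is None:
            continue  # not one of the protected files
        if policy == "allowlist" and is_allowed(client, networks):
            continue  # the administrator's own login traffic
        if status == "403":
            blocked[client] += 1
        else:
            leaks.append((client, method, target, int(status)))
    return leaks, dict(blocked)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:14:55 +0000] "GET /wp-login.php HTTP/1.1" 200 2412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 403 6 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/Mar/2024:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 403 6 "-" "curl/8.4.0"',
    '198.51.100.77 - - [12/Mar/2024:10:16:40 +0000] "GET /wp-config.php HTTP/1.1" 403 6 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [12/Mar/2024:10:17:11 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1804 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:18:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE_LOG, ["203.0.113.10"])
    print("not blocked:", leaks)
    print("blocked per client:", blocked)
```

Any entry in the first result means the rules are not being applied to that request, for example because .htaccess overrides are disabled on the server.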


An easier alternative is to use a plugin to protect your login and files (if your CMS allows for it). The plugin can act as a firewall and block most hacking attempts for you. Some even help you to change the login URL and other aspects to ensure that your website is at the very least a difficult target for hackers.


We hope this guide helps to keep your website secure. If you are new to our website, please also consider checking out our webhosting options.