
How to Keep Hackers Out of Your Website

Last Updated: 18 November, 2023

Don’t think you are too small to be hacked. When I started building my own websites 15 years ago, I began with a simple blog. I thought I was too small to worry about hackers. So, I didn’t consider how to keep hackers out of my website.

A few years later, I was hacked, and I lost years of work.

Whether you’re a small business owner, a local sporting club or a hobbyist, you must think about ways to guard against website hackers. It is the first part of keeping your site secure and it is a critical part of web design.

And this quick guide will show you 6 potent ways to keep hackers out of your website.

1. Install a WAF

The first thing that will help you thwart website hackers is a WAF.

A WAF or Web Application Firewall is a barrier between visitors and your website. This barrier uses rules to filter out suspicious activity (potential website hackers) before those visitors reach your site.

The best free WAF is a WordPress plugin called Wordfence. The downside is that the rules are updated with a 30-day delay. That means you are not protected from new threats if they are less than 30 days old.

Another great alternative WAF is Sucuri ($9 US per month). Unlike Wordfence, it doesn’t slow down your site at all and rules are updated daily.

2. Use Strong & Unique Passwords with a Password Manager

The second key to website security involves using strong and unique passwords.

Two things influence how strong a password is:

  • Length
  • Randomness

Google recommends that you use a password that is at least 12 characters long. And these characters should be random (i.e., not words or nicknames). Ideally, they should include:

  • Uppercase and lowercase letters
  • Numbers and special characters

Finally, you should never use the same password for more than one account.

Because of this, you will need to use a password manager to keep track of all your passwords. A good free one is Google Password Manager.

For more information see 3 Keys to a Genuinely Secure Password.

3. Keep All Your Code Updated

This may sound a little daunting, but you need to keep your plugins, themes and WordPress core files updated. It is part and parcel of running a self-hosted WordPress site.

Security experts (both the good guys and hackers) are always looking for code vulnerabilities in the above.

  • If the good guys find one first, it is patched in an update
  • If the hackers find it first, it is usually patched in an update soon after

But these patches do not protect you if you don’t keep things updated – so they are critical to website security.

4. Disable XML-RPC

XML-RPC is a way of connecting to your website. It is outdated and unnecessary unless you use:

  • Jetpack (which I don’t recommend for other reasons)
  • The WordPress phone app to publish content

It is also a common portal hackers use to penetrate your website. So, I recommend disabling it.

If you are using the free Wordfence plugin as your WAF, you can disable XML-RPC through the plugin. Go to Wordfence > Login Security > Settings. Then scroll down and check the box next to Disable XML-RPC authentication. Don’t forget to hit save.

Sucuri doesn’t include this option. But you can use a single-purpose plugin just for this task. For example, Disable XML-RPC.
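If you would rather not add another plugin, the following added example (not code from the original post, Wordfence or Sucuri) does the same job as a must-use plugin dropped into wp-content/mu-plugins/. WordPress's xmlrpc_enabled filter only blocks methods that need a login, so the example also removes the pingback methods, which can be called without one.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (example mu-plugin)
 * Description: Turns off XML-RPC logins and the unauthenticated pingback methods.
 */

// Any XML-RPC call that requires a login now gets "XML-RPC services are disabled".
add_filter('xmlrpc_enabled', '__return_false');

// Pingback methods do not require a login, so the filter above does not cover them.
// Dropping them from the method table closes that gap.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: no X-Pingback response header and no RSD link in <head>.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

Check the result by sending a POST request to /xmlrpc.php for the `system.listMethods` method: the pingback methods should no longer appear in the list, and a `wp.getUsersBlogs` call with valid credentials should be refused.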

5. Limit Login Attempts

This strategy to prevent website hackers involves limiting the number of failed login attempts before the account is locked for a period.

Brute force attacks use bots to guess and check passwords at an unbelievable rate.

Limiting login attempts prevents this.

If you use Wordfence as your WAF, you can limit login attempts through the plugin’s settings. Go to Wordfence > All Options then scroll down to Brute Force Protection. Turn brute force protection on and limit the attempts to between 4 and 7.

Sucuri doesn’t come with this option. But you can use a free plugin such as WPS Limit Login.
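As an added example that is not part of the original post or of any plugin named above, here is a minimal must-use plugin that enforces the same kind of lockout with WordPress's own login hooks. The limit of 5 attempts and the 15-minute lockout are assumed values chosen from the range suggested above.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (example mu-plugin)
 * Description: Locks a username + IP pair out after too many failed logins.
 */

define('LLA_MAX_ATTEMPTS', 5);                          // assumed; page suggests 4-7
define('LLA_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);  // assumed cooling-off period

// One counter per username + client IP. If your site sits behind a reverse-proxy WAF
// such as Sucuri, REMOTE_ADDR is the proxy's address; use the real client IP instead.
function lla_key(string $username): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lla_' . md5(strtolower($username) . '|' . $ip);
}

// WordPress fires this after every failed login; bump the counter and reset its expiry,
// so repeated guessing during a lockout keeps extending the lockout.
add_action('wp_login_failed', function (string $username): void {
    $key = lla_key($username);
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, LLA_LOCKOUT_SECONDS);
});

// Refuse the login while the counter is at the limit. Priority 30 runs after the
// built-in checks, so a correct password does not slip through during a lockout.
add_filter('authenticate', function ($user, string $username) {
    if ($username === '') {
        return $user;
    }
    if ((int) get_transient(lla_key($username)) >= LLA_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 2);

// A successful login clears the counter for that username + IP.
add_action('wp_login', function (string $user_login): void {
    delete_transient(lla_key($user_login));
});
```

Test it on a staging site by entering a wrong password five times and then the correct one: the sixth attempt should be refused with the "Too many failed login attempts" message until the transient expires.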

6. Set Up 2FA

I saved the best till last. 2FA or two-factor authentication involves a code being sent to your phone after you enter your username and password.

It is one of the best ways to prevent hackers from accessing your website.

First, download an authenticator app on your phone. Common and trustworthy apps include:

  • Google Authenticator
  • Microsoft Authenticator
  • Authenticator (Apple)

Then, if you use Wordfence, go to Wordfence > Login Security > 2FA. Scan the QR code using your authenticator app and follow the prompts.

If you do not use Wordfence, install the plugin WP 2FA and follow the prompts.

How to Keep Hackers Out of Your Website In a Nutshell

I have outlined 6 key ways to prevent website hackers:

  1. Installing a WAF
  2. Using a Strong & Unique Password
  3. Keeping Your Code Updated
  4. Disabling XML-RPC
  5. Limiting Login Attempts
  6. Setting Up 2FA

Is that all there is to website security? No, it is not. You can do a lot more. But no matter what you do, you can never guarantee that you won’t be hacked.

But these are the first 6 things I would do to prevent website hackers.

If you want to prevent spam, I suggest using CleanTalk.


Shaun Killian (me) is a small business owner, who is passionate about helping other small businesses succeed. He has been working with website design since 2008. He is also an expert in digital marketing, including SEO, content marketing and email marketing. In a former life, Shaun was a school teacher and principal before a heart transplant and bilateral leg amputation led him in other directions.