The following 10 steps will help you secure and protect your WordPress website against hackers.

1. Use a strong password

Minimum password recommendations:

- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers, punctuation or other non-alphanumeric characters

Example weak password: secret1

Improved strong password: Z#hupsZ2M4!Z

Take a look at how to create a secure WordPress admin password for easy steps.

2. Change default WordPress admin username

When installing WordPress by default the administrator user has the username of admin.

The botnet attack is currently only targeting this default username, so even having an administrator username of admin123 could significantly reduce the likelihood of your site being succesfully logged into by a malicious user.

Check out how to change the WordPress default admin username for security.

3. Lock down WordPress admin access with .htaccess

Utilizing a WordPress brute force plugin for this type of attack is not very efficient, and in some cases can actually lead to your site becoming unavailable due to the large amount of processing power used to attempt to challenge each and every malicious login attempt.

Setup a secondary level password to prevent unauthorized WordPress wp-admin and wp-login.php attempts.

Or you can rely on the information we have on limiting WordPress admin access with .htaccess.

4. Temporaily disable CPU intensive login limit plugins

Blocking this attack with .htaccess rules is the preferred method, as login limiting plugins can not only lead to issue with triggering our own internal security rules, but they also will not be effective in this type of large scale attack.

5. Scan website for hacks, check Google Safe Browsing

If your WordPress site had been successfully compromised, a clear indication will usually be found either by a surface security scan of the website, or it will also get reported to Google's Safe Browsing.

Scan your website with an online malware scanner like

Check Google's safe browsing for your domain, at

6. Setup CloudFlare DNS level protection

Due to the large scale of this botnet attack, CloudFlare has offered DNS level filtering for this attack on all of their free accounts.

While probably not an ideal solution if you have many WordPress sites due to having to update the name servers for each domain, and then waiting typically 24-36 hours for DNS propagation. Single site owners might benefit greatly from this type of protection which should block the botnet requests from even making it to the server in the first place.

7. Backup WordPress

At this point it's probably a good idea to backup WordPress just in case. That way, as the attacks continue, you're ensured that you always have a good point to restore back to in the event something goes bad.

Backing up your data

Restoring your data

8. Update everything WordPress

To protect yourself from any known exploits to WordPress you should update everything related to WordPress:

Necessary updates to make:

9. Clean up hacks

If your website has been the victim of a hack, you can follow my guide on how to reinstall WordPress after a hack for steps on cleaning it up and getting back in business.

10. Other general WordPress recommendations

Hopefully your WordPress website should be locked down and secure now, which should help prevent our own internal security rules from blocking your own access to your WordPress admin.

If you're blocked out of your own account and were directed to this article via a warning message be sure that you followed step #3 Lock down WordPress admin access with .htaccess in order to regain access.

Continued Education in Course WordPress
You are viewing Section 3: 10 recommended steps to lock down and secure WordPress
Section 2: WordPress Login Temporarily Disabled - FIX
Section 4: 346: Fixing 3.7 redirect error in Wordpress
Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve this article:
Email Address

new! - Enter your name and email address above and we will post your feedback in the comments on this page!

Support Center Login

Social Media Login

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question

Post a Comment

Email Address:
Phone Number:

Please note: Your name and comment will be displayed, but we will not show your email address.

0 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?


Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail:
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!