Why do WordPress websites get hacked? (part 2)

If you have not done so yet, please start by reading part 1 of this post so that you understand the motivations and techniques behind the attacks on your website. Now we are ready to discuss the various levels of protection you can surround your site with. All of these techniques address different aspects of security and complement each other. Most modern types of attacks use a variety of different techniques and exploit vulnerabilities in each of the layers described below.

Hosting Server

The server your website is hosted on protects site files, the database, and your domain and executes the web server processes on your behalf. Most reputable hosting companies will apply all the patches to the server and restrict access to your file system and databases. Attacks on the hosting server are therefore rare. If you are following the configuration recommendations from your hosting provider you will be in good hands. Make sure your PHP version on the website is up-to-date and that you are using a strong password to log in to your account.

Firewall

A firewall is a piece of software that blocks requests coming to your website based on a list of different criteria. It might look at the IP the request originated from (after comparing the IP to a list of known bad actors), or it might look at the content of the request and reject everything that looks suspicious or out of place. Firewalls can be installed at the server level, on the domain, and on the website itself. They are a critical part of protecting the integrity of your website.

Hardening your site

Hardening your website makes it more difficult for anyone to log into the site via the login screen. Hardening techniques include 2FA and changing the login URL to a custom slug. They protect your website from brute force login attacks (or at least make these attacks more difficult to execute). Hardening the site is the most visible layer of protection but not always the most effective, since the majority of attacks are not brute force logins.
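One hardening measure of this kind, added here as an illustration and not code from the original post or from Watermelon: a small WordPress must-use plugin that counts failed logins per IP with WordPress transients and refuses further attempts after a threshold. The plugin name, the `lal_` prefix, the limits, and the assumption that the site is not behind a reverse proxy are all this example's own choices.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Description: Temporarily refuses logins from an IP after repeated failures.
 */

const LAL_MAX_FAILURES   = 5;    // failed attempts allowed inside the window
const LAL_WINDOW_SECONDS = 900;  // counting/lockout window: 15 minutes

// Client address. Assumes no reverse proxy; behind one, use the header your
// host sets for the real client address instead of REMOTE_ADDR.
function lal_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per IP; md5 keeps the key short and free of odd characters.
function lal_transient_key(string $ip): string {
    return 'lal_failures_' . md5($ip);
}

// Count each failed login. The transient expires on its own after the window,
// so no cron job or cleanup is needed.
add_action('wp_login_failed', function ($username) {
    $key      = lal_transient_key(lal_client_ip());
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, LAL_WINDOW_SECONDS);
});

// Refuse authentication while the IP is over the limit. Priority 30 runs after
// WordPress's own username/password checks (priority 20), so a correct password
// cannot overwrite this error. The refusal itself also fires wp_login_failed,
// which extends the lockout as long as the attempts keep coming.
add_filter('authenticate', function ($user, $username, $password) {
    $failures = (int) get_transient(lal_transient_key(lal_client_ip()));
    if ($failures >= LAL_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lal_transient_key(lal_client_ip()));
}, 10, 2);
```

Drop the file into `wp-content/mu-plugins/` to activate it; the lockout is per IP, so users sharing an address share the counter.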

Wise Choice of software

Avoiding questionable themes and plugins on your site is really the best way of protecting your WordPress site. As we mentioned in the previous article, 80% of all attacks on websites are targeting vulnerabilities in free plugins. If you are selecting a free plugin for your site, make sure that it is still actively being updated and that it is coming from a reputable source. All this information is available on the WordPress website.

Updates

If a plugin has a security update, it is imperative that you install the update as soon as it becomes available. This rule applies to WordPress Core, themes, and plugins alike. If you notice that a plugin has not been updated for a year, it is time to remove it and find a substitute. Wordfence also keeps a list of plugin updates that you can reference.

Security Scans

Regular security scans of your site are not going to protect you from an attack, but they will notify you when malware is detected on your site and help you remove it. Again, acting quickly on the scan results will prevent the malware from spreading to other websites and causing further damage to yours.

Not sure how to get started? Watermelon offers a Security and Performance plan that helps to keep your site updated.

Image by Pete Linforth from Pixabay
