WordPress Theme Security: How to Keep Your Website Safe

Nobody likes the thought of a website hacker lurking around their website. They’re out there though, whether we like it or not. Think your website is too small to be a target? Think again.

Hackers are increasingly targeting smaller, more vulnerable businesses. In fact, a whopping 43 percent of cyber attacks target small businesses. Before you start panicking, know that a little WordPress theme security can go a long way. Here’s how you can keep your WordPress website safe.

Hacker Tactics

The first step in tackling WordPress theme security is to understand the approaches used by hackers. Unfortunate as it is, hackers are smart. Instead of utilizing their tech know-how to invent the next wonder of the web, they’ve decided to head a darker route.

Some common tactics used by hackers to wreak havoc on websites:


By distinguishing themselves as a trustworthy website or email, hackers “phish” for your personal information. This can include names, emails, credit card information, and whatever else can help them gain access to your accounts.

DDOS Attack

This kind of attack is carried out with the help of many bots. Hackers will instruct the bots to flood your website with requests ultimately causing the server to crash.

Bait and Switch

Advertisement spots and banners are purchased from websites. The hacker will send safe links to the advertisement approver, only to switch it out with malicious malware following approval. This malware can be coded for specific IP addresses, so that each time the website owner clicks the advertisement they are redirected to the original, safe link.

Cookie Theft

Hackers use malicious software to steal your browser’s cookies. These cookies, meant to make life more convenient and load websites faster, can turn out to be quite the inconvenience when in the wrong hands. Cookies store important information like your browsing history, usernames, and passwords.

SQL Injection

Vulnerabilities in a website’s SQL database are exploited when a hacker inserts malicious SQL statements. This can put them in control of your website’s database server.

It’s clear that hackers have little to no mercy for the businesses they inflict harm on. Rather than hope you won’t become a victim, you can choose to take a more proactive approach to WordPress theme security.

Two-Factor Authentication

Regardless of how many special characters and secretive words you use, passwords can be leaked by a server breach since they are being stored wherever you log in.

WordPress Theme Security - Two-factor authentication

Because of this, more and more WordPress developers are turning to two-factor authentication plugins. This security measure requires authentication by providing two of three things:

  1. Biometric Information – retinas, DNA, finger print, voice
  2. Personal Possession – code sent to cell phone or security keychain
  3. Password – group of secret letters, numbers, and special characters

SSL Certificate

SSL, short for Secure Sockets Layer, is a safety measure that benefits both webmasters and website visitors. By establishing a secure connection between the user’s browser and website’s server, it prevents hackers from intercepting information.

Just having that ‘https://’ increases your business’s credibility and assures users that their sensitive information will be safe on your website.

Getting an SSL Certificate is completely free thanks to Let’s Encrypt. An open source certificate authority, Let’s Encrypt offers SSL certificates for webmasters to enable HTTPS on their websites.

Stronger Passwords

No human can expect to honestly remember hundreds of unique usernames and password combinations. This is where a password management service can prove a godsend. Adding one of these as an extension to your browser allows you to set complicated, unique passwords without having to keep track of them. Credentials are autofilled each time you visit a saved website.

WordPress Theme Security - Strong Passwords

Good guidelines to follow when selecting a password:

  • Use unique passwords for each account.
  • The more characters – the better. Use eight at a minimum.
  • Avoid entering login information on public computers and unsecured WiFi connections.
  • A wide variety of characters is best (lowercase, uppercase, numbers, symbols).

Log Out Idle Users

If users logged into your website step away from their computer, there’s no telling who may have access to your website. Install an inactive user logout plugin that will limit the amount of time idle users remain logged into your website.

Secure Login Page

A brute force attack, one of the most common methods used by hackers, is when different passwords and usernames are repeatedly attempted until the hacker gains access to your website. This technique is only possible if the hacker is at the right login page.

When left at default, it’s not hard to guess a WordPress website’s login URL. Go a step further than wp-admin.php and wp-login.php to strengthen WordPress theme security; create a custom login page.

This can be done simply with a WordPress Plugin. Install the plugin of your choice and in less than a minute your login URL can be changed to whatever your heart desires.

Limit Login Attempts

WordPress allows users to enter as many passwords and usernames as they’d like by default. This can be convenient for occasional mistypes, but there is really no good reason for someone to submit different credentials hundreds of times.

With another handy plugin, you can limit the number of login attempts a user is allowed and ward off brute force attacks.

Disable Directory Indexing

Access to your website’s directory can be a dream come true for hackers. They use directory browsing to identify weak files that can be exploited.

Take the following steps (or ask a developer to do so) to disable directory indexing and browsing:

  • Connect to your website using an FTP client.
  • Locate the .htaccess file in your website’s root directory.
  • Save the file to your computer and open it with a text editor.
  • Insert ‘Options -Indexes’ at the end of your file’s code.
  • Save the .htaccess file and upload it to your server.

If you are having trouble finding your website’s .htaccess file, check that you have enabled FTP client to display hidden files.

That’s it! When done correctly, users now attempting to view your directory will be redirected to an error page.

Login Page Security Questions

Setting up security questions for your website’s login screen adds another layer to your WordPress theme security. Install a security questions plugin and choose a question that’s actually difficult to guess. ‘What’s your favorite color?’ may be easy to remember, but it’s also not a great choice to ward off hackers.

While no website can be truly unhackable, you can tie up all those loose ends that would otherwise make your website a target. Start with a reliable WordPress template, then use the tips listed above to enhance WordPress theme security and safeguard your website from the bad guys.