How to protect your wordpress website...

Using these free plugins you can fully protect your wordpress website from hackers & injection attacks

How to protect your wordpress website

On 24th December 2017 I received a text that read something like "hey Will sorry I know Its Christmas Eve but I think our websites been hacked, can you take a look" Not what you want on Christmas Eve when your already 5 bottles of Corona down having fun with your family.

Anyway with about a quarter of the worlds websites running on WordPress sites are often compromised. It's actually pretty easy (and FREE) to keep your WordPress sites protected. Here's what we do with all the sites we look after...

Change your WordPress login URL

Most WordPress sites can be accessed via the normal WordPress URL or /wp-admin. It's a good idea to change this URL to something totally random like

To do this you can get the free plugin WPS Hide Login. To do this (as with any plugin) go to plugins -> add new -> use the search box -> type: wps hide login. Once installed feel free to active and go to settings -> wps hide login. At the bottom of the page you can set your random URL (feel free to make it as crazy as you like).

WPS hide wordpress login setup

Install Google login reCAPTCHA (it's really easy)

Once you've installed this you're wordpress login will look like this, you'll recognise the "I'm not a robot" that's normally below most contact forms:

wordpress login google recaptcha setup

Head over to plugins and add new again search for Login no Captcha reCAPTCHA install and active. To setup the plugin go to settings -> login nocaptcha. From here you'll see you need a site key and a secret key.

At this point you'll need just a normal Google account, if you've already got a Gmail account or Google webmaster tools account your good to go. In the settings page there's a link Google to create the keys you can also use this link:

Once your logged into Google register your site simply by popping in your domain and select reCAPTCHA v2 click the blue register button. On the next page you will see your site key and secret key then simply copy and paste those back into the plugin settings page:

google wordpress recaptcha setup

These two simple to setup plugins with hide the default WordPress login page and then protect that page from rouge login attempts. For extra security you can also use the plugin Captcha by SimplyWordPress which allows you to also add a simple math problem at the login screen.

Install WordFence Security for WordPress

There are many free and paid security plugin solutions but our preferred plugin is WordFence. In the free version you get website scanning and basic firewall protection. Install WordFence just the same way you would do any other plugin and follow the instructions for setup (there's just a couple steps).

For all the websites we look after we do choose to use the paid version at about $180 for a 3 year license and I would recommend buying the paid version if your website has previously been hacked. The biggest advantage of the paid version is the full firewall and SQL injection protection.

If your website has never been compromised the free version will do just fine we recommend running a manual site scan every couple of weeks.

wordfence security plugin for wordpress

Keep WordPress and Plugins up to date!

It can always be a little bit of a worry running WordPress and plugin updates on your own if you don't have much WordPress or web experience.

If you are looking after your website on your own you really don't have any choice but to do these update and just hope that nothing breaks your site.

It is essential that updates get done for your plugins on a weekly basis and WordPress updates get done as soon as you notice there's an update available.

Now a couple things you can do to make this all less stressful. Talk to you website hosts and learn how to FTP access your website so you can take a very simple backup. (You should do this before you do WordPress Updates). How to take simple full WordPress backup

If you have had someone help you with your site in the past (maybe the person or company that first built the site) try to come to some sort of reasonable agreement whereby you are happy to do the updates yourself but if the updates do break the site they are willing to fix any problems at a pre-agreed reasonable rate.

Protect your WordPress contact forms with Google reCAPTCHA

It's almost as simple as what we did in step 2. Chances are if you have a WordPress website or blog you'll be using contact form 7 and on all your contact form you'll want to use Google captcha to prevent spam and misuse of your contact forms.

The first and simplest way to protect all forms is to install and setup Google invisible reCAPTCHA. This option will leave a funky reCAPTCHA logo on your website or blog you might not want but it will protect all your forms without needing to modify any settings in contact form 7.

The plugin that you'll want to install is called Invisible reCAPTCHA By Mihai Chelaru. You can manage the plugin from settings and just as you did in step 2 use the same link to generate site and secret keys. FYI generate new ones don't use the same as you did for step 2.

Now I actually prefer to have the Google reCAPTCHA box on every contact form so to do this I use the plugin Really Simple CAPTCHA By Takayuki Miyoshi. Once this plugin is installed and activated manage it from settings -> CF7 simple reCAPTCHA and again generate new keys.

Once you have your keys hit save settings and you'll see on the same page the shortcode you'll need to add to contact form 7 should look like this [cf7sr-simple-recaptcha]

contact form 7 recaptcha setup

Make a copy of that and go to contact -> contact forms -> select any of the contact forms you like; you might have just 1 or hundreds you need to edit. The first page you'll see you will want to add the shortcode just about submit or send just like this:

contact form 7 captcha setup

Make sure you test your contact forms after any edits you make and if they don't work simply delete out the shortcode you just added and test without captcha to check if your form worked in the first place.

I have never had a form not work using this method but if yours for some reason don't please speak to your website guru and seek an hours help.

If you have ever had your WordPress site hacked in anyway and have some nice easy solutions of your own how you protect WordPress leave us a comment or if you are currently looking for help to fix up your website that's been compromised don't be shy to get in touch. Open Internet Promise...

We believe in a totally free and open internet where you can find what you're looking for, find great advice and helpful articles without being tracked or monitored in any way by the websites you visit.

That's why when you visit Blog or IT Support we guarantee that you are not tracked in anyway, we won't even serve pointless ads or clickbait at the end of our articles.

So if you like the sound of an open internet that doesn't track you or serve up junk advertising share this and let's make the internet a better place!