WordPress Security Guide for Sri Lankan Websites 2026 — Protect Your Site

The most common way Sri Lankan WordPress sites get hacked is through weak or default passwords. Never use "admin" as your username — it is the first thing bots try.

How to change your WordPress admin username:

1. Go to WordPress Dashboard → Users → Add New
2. Create a new user with a different name and set role to Administrator
3. Log out, log back in as the new user
4. Go to Users, delete the old "admin" account → assign its content to the new user

Strong password formula:

Over 90% of WordPress hacks in Sri Lanka and worldwide exploit known vulnerabilities in outdated plugins and themes. When a security flaw is discovered, it is publicly announced — and bots immediately start scanning for websites still running the old version.

A security plugin acts as a firewall, malware scanner, and login protector all in one. Install one of the following on your Sri Lanka WordPress site:

By default, WordPress allows unlimited login attempts. Brute force bots will try thousands of password combinations per minute. You need to stop them after a few failed tries.

Enable login lockout (via Wordfence):

1. Go to Wordfence → Firewall → Brute Force Protection
2. Set: Lock out after 5 failed login attempts
3. Set: Lockout period = 30 minutes
4. Enable: Immediately block IPs that try to log in as "admin"

Enable Two-Factor Authentication (2FA):

1. Install WP 2FA plugin (free from wordpress.org)
2. Go to WP 2FA → Setup Wizard
3. Choose Google Authenticator or email OTP
4. Scan the QR code with your phone → enter the 6-digit code to confirm
5. Now every login requires your password plus the one-time code

SSL encrypts all data between your visitor's browser and your server. Without it, login passwords, form submissions, and payment details are sent in plain text — readable by anyone on the same network. Google also marks non-HTTPS sites as "Not Secure."

Install your free SSL from cPanel (included with Sri Lanka Web Hosting):

1. Log in to cPanel → find Security → SSL/TLS
2. Click Manage SSL Sites
3. Select your domain and click Autofill by Domain
4. Click Install Certificate

Force WordPress to use HTTPS — add this to your .htaccess file:

Backups are your last line of defence. If your Sri Lankan website gets hacked, a clean daily backup means you can restore it within minutes instead of days. No backup = no recovery.

WordPress has a built-in file editor in the dashboard that lets you edit PHP files directly. If a hacker gets admin access, they can use this to inject malicious code instantly. Disable it permanently.

Add these lines to your wp-config.php:

Also protect your wp-config.php file itself — add to .htaccess:

By default every WordPress site uses /wp-admin and /wp-login.php as the login URL. Every hacking bot in the world knows this and targets it directly. Change it to something only you know.

How to change your login URL:

1. Install WPS Hide Login plugin (free — 1M+ installs)
2. Go to Settings → WPS Hide Login
3. Enter your custom login path — e.g., my-secure-login-2026
4. Save — your login page is now at yourdomain.com/my-secure-login-2026
5. Bookmark this URL immediately — you cannot access /wp-admin anymore

Incorrect file permissions are a common security hole on Sri Lankan hosting accounts. Files set to "777" (read/write/execute for everyone) allow anyone to modify them. Use the recommended permissions below.

Fix permissions via cPanel File Manager:

1. Open cPanel → File Manager → navigate to public_html
2. Right-click any file/folder → Change Permissions
3. Set the numeric value to the recommended number above
4. For folders, check Recurse into subdirectories

All the WordPress-level security in the world won't help if your server gets taken offline by a DDoS attack. This is a hosting-level protection that must be provided by your Sri Lanka web hosting provider.