10 Steps To Secure Your WordPress Site

Step 1 : Update WordPress

WordPress is updated at regular intervals to resolve security issues as they occur, so you should always keep it on the latest version: older versions of WordPress no longer receive security updates.

Outdated plugins and themes are also the most vulnerable to hacking, so please make sure your plugins and themes are always updated. If you are not using a specific plugin, delete it from the system.

NOTE: Please back up your site before you proceed with the WordPress update. This ensures that you still have a working backup of your site which can be easily restored later if the update fails. To learn how to generate a backup to download and store locally, click here.

Step 2 : Change Your Login/Password

The default WordPress username is “admin”, which is known to everyone (including hackers), so you must change it to something different, for instance “David86”. Add this as a new user with administrator privileges, and don’t forget to delete the default admin account afterwards.

Typically hackers will try to brute-force your password, so you should be fine if the password is strong enough.

We suggest you always use strong passwords (http://strongpasswordgenerator.com) that combine UPPER- and lowercase letters, numbers, and symbols, for instance “Fl@weRs#1$”.

Please don’t use any of the following when choosing a password:

  • Any permutation of your own real name, username, company name, or name of your website.
  • A dictionary word.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

Step 3 : Change file permissions

Allowing write access to your files is quite dangerous, especially in a shared hosting environment. Please make sure the following permissions are set on your files:

Folders should have 755 whereas files should have 644 permissions.

If you have shell access to your account, you can change file permissions recursively with the following command:

*Please note: if you are unsure about Linux commands, we recommend you open a ticket so we can complete this for you.

For Directories (the semicolon that ends the -exec clause must be escaped from the shell):
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Step 4 : Securing wp-config.php

Please make sure that only you (and the web server) can read this file; in practice that means a 400 or 440 permission.
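The following script is an added example, not part of the original article or the hosting provider's tooling: it applies the permission scheme from Steps 3 and 4 and then audits the tree for anything that still deviates, so the check can be repeated after every update. The WordPress root path is a hypothetical argument, and GNU find/chmod are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): apply the permission scheme
# from Steps 3 and 4 and then audit a tree for anything that still deviates.
# "$1" is a hypothetical path to the WordPress root; assumes GNU find/chmod.

# Apply the article's scheme: directories 755, regular files 644, and
# wp-config.php 440 (owner and web-server group may read it, nobody else).
wp_apply_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Audit: print every path whose mode does not match the scheme.
# Returns 0 when the tree is clean and 1 when something was reported,
# so it can run from cron or a deploy script as a regression check.
wp_audit_perms() {
    root="$1"
    bad=$( {
        # directories that are not exactly 755
        find "$root" -type d ! -perm 755
        # regular files (wp-config.php aside) that are not exactly 644
        find "$root" -type f ! -name wp-config.php ! -perm 644
        # wp-config.php must be 400 or 440 as Step 4 requires
        find "$root" -type f -name wp-config.php ! -perm 400 ! -perm 440
    } | sort -u )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run `wp_audit_perms /path/to/wordpress` on its own first; it only reports, so you can see what `wp_apply_perms` would change before changing anything.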

Step 5 : Prevent .htaccess Hacks

To prevent .htaccess hacks, you can put the following in that file (at the very top) to deny access to anyone browsing for wp-config.php.

<files wp-config.php>
 order allow,deny
 deny from all
</files>

Step 6 : Disallow search engine

Most search engine spiders crawl your site (including all its subfolders) unless they are told not to index it. For instance, there is no point in indexing the wp-admin folder of your site, and doing so can lead to security issues.

So let’s block search engine spiders from indexing the WordPress admin area. Just add the following lines to the robots.txt file in your public_html folder (the User-agent line is required; Disallow rules without one are ignored):

 User-agent: *
 Disallow: /cgi-bin
 Disallow: /wp-admin
 Disallow: /wp-includes
 Disallow: /wp-content/plugins
 Disallow: /wp-content/themes

Reference link : http://support.google.com/webmasters/bin/answer.py?hl=en&answer=156449

Step 7 : Install WP Security Scan Plugin and User Locker

WP Security Scan (http://wordpress.org/plugins/wp-security-scan) checks your WordPress website/blog for security vulnerabilities and suggests corrective actions covering passwords, file permissions, database security, version hiding and WordPress admin security; it also removes the WP Generator META tag from core code.

The User Locker (http://wordpress.org/plugins/user-locker) plugin locks a user account after a given number of incorrect login attempts, which makes brute-force and dictionary attacks nearly impossible.

Step 8 : Change Table Prefix

Sometimes your WordPress site might be targeted by SQL injection attacks, and many such attacks assume the default table prefix of a WordPress site, “wp_”. Changing this to a different prefix such as “fish_” can therefore block at least some SQL injection attacks.

  • You can set the database table prefix at the time of the one-click installation using Softaculous.
  • You can also use the WP Security Scan plugin (http://wordpress.org/plugins/wp-security-scan) to do this: it has a “Database” tab with an option to rename the table prefix completely.

Step 9 : Change your WordPress Keys

If your WordPress site gets hacked it’s very important to change the keys as well as the wp-admin password immediately, because a hacker can still log in to your WP admin even after your admin password changes. In most cases when a site gets hacked the attacker keeps access to your WordPress admin area via existing cookies (signed with your old keys/salts). You can change the keys at any time to invalidate all existing cookies; this will force all users to log in again.

You can use the WordPress key generator (https://api.wordpress.org/secret-key/1.1/salt) to generate the keys below. Edit the wp-config.php file and find the following lines:

 define('AUTH_KEY', 'copy and paste the unique key here');
 define('SECURE_AUTH_KEY', 'copy and paste the unique key here');
 define('LOGGED_IN_KEY', 'copy and paste the unique key here');
 define('NONCE_KEY', 'copy and paste the unique key here');

Save it.
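As an added example that is not part of the original article, the script below rotates the four keys named in Step 9 directly in wp-config.php, so a compromised site can have its cookies invalidated from the shell without pasting values by hand. It generates the keys locally from /dev/urandom instead of calling the WordPress key generator, and the wp-config.php path is a hypothetical argument; GNU sed is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): rotate the four keys from
# Step 9 inside a wp-config.php file. Keys are generated locally from
# /dev/urandom rather than fetched from the WordPress salt API, and "$1"
# is a hypothetical path to the wp-config.php being edited. Assumes GNU sed.

# 64 printable characters from a set that contains no quote, backslash,
# '&', '|' or '/', so the value is safe both inside the single-quoted PHP
# string and inside the sed replacement below.
wp_new_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_=-' < /dev/urandom | head -c 64
}

# Replace the value of one define('NAME', '...') line in place.
wp_set_key() {
    cfg="$1"; name="$2"; value="$3"
    sed -i "s|define( *'$name', *'[^']*' *)|define('$name', '$value')|" "$cfg"
}

# Rotate all four keys the article names; this invalidates every existing
# login cookie, so all users (including an intruder) must log in again.
wp_rotate_keys() {
    cfg="$1"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        wp_set_key "$cfg" "$name" "$(wp_new_key)"
    done
}

# Print the current value of a key so the caller can verify the change.
wp_get_key() {
    sed -n "s/^ *define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}
```

Take a copy of wp-config.php before running `wp_rotate_keys` on it, as the edit is made in place.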

Step 10 : Remove vulnerabilities on your computer

  • Scan your local computer with good antivirus and anti-spyware programs and remove anything malicious they find.
  • There is no point in spending time securing your WordPress site if there is a keylogger on your computer.
  • Keep your software up to date, especially your web browser.

EXTRA: Only Allow Admin Login From 1 IP Address

If you’re completely sure you have a dedicated (static) IP address from your ISP, you may want to restrict access to your WordPress admin interface to that IP address only.

To do this simply edit the .htaccess file in the public_html folder and add the following code at the top.

<Files wp-login.php>
        order deny,allow
        Deny from all

# whitelist First IP Address
allow from xx.xxx.xx.xx

# whitelist Second IP Address
allow from xx.xxx.xx.xx
</Files>

Note: If a brute-force attack were to occur on your site, we recommend that you change the permissions on the wp-login.php file to hide it completely. This will stop the attack because the page being attacked becomes inaccessible. To do this simply set the permissions to 000.

Then, when you need to log in to your WordPress admin area again, just revert the permissions back to 644.

Note: We have started the process of upgrading all our Shared Servers to use CloudLinux for added protection against symlink and other WordPress hacks. This process will be completed by the summer. Details on what additional security CloudLinux brings can be found here.
