Wordpress Security

Below are the steps to be followed if you use wordpress to overcome hacking.

Install WordPress Security Scan Plugin
There is a good plugin which scans your WordPress installation and give the suggestion accordingly. This plugin will check for below things:

File Permissions
Database Security
WordPress Admin protection

In-order to secure your WordPress applications, we suggest you to follow the below provided general guidelines:


1.Keep WordPress up-to-date:

Something so simple can have a big impact on site security. Whenever you login to the dashboard and see that “Update available” banner, click it and update your site. If you’re worried about something breaking, make a backup before installing it. The important thing is that you do it, and with regularity.

Also extend this to automatically install major WordPress releases, by adding the following to your site’s wp-config.php file:define( 'WP_AUTO_UPDATE_CORE', true );

2.Keep plugins and themes up-to-date :

Just as you update the WordPress Core regularly, you should also update plugins and themes. Each plugin and theme installed on your site is like a backdoor into your site’s admin. Unless properly secured (vetted thoroughly, updated regularly, etc), plugins and themes are like an open door to your personal info.

3.Delete any plugins or themes you’re not using:

Along the same line of thinking as what’s listed above, getting rid of any plugins or themes you don’t need will reduce the likelihood of being hacked. If you’re not using them, you’re not going to want to update them, so it’s a much better idea to delete them.

4.Change file permissions:

Avoid configuring directories with 777 permissions. You should opt for 755 or 750, instead, according to WordPress.org. While you’re at it, set files to 640 or 644 and wp-config.php to 600.

5.Don’t use “admin” as a username:

A majority of today’s attacks target your wp-admin / wp-login access points using a combination of admin and some password in what is known as Brute Force attacks. Common sense would dictate that if you remove admin you’ll also kill the attack outright.

Yes, the argument exists that the attacker can still enumerate the user ID and Name and can in some instances pull the new username. There is no denying this. 

For the everyday, automated Brute Force attack, removing the default admin or administrator username will already help a lot. You’re at least making it a bit harder for the hacker to guess the username. For the sake of clarity, understand that when we say admin we are speaking specifically to the username only and not the role.

Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the admin user. Don’t worry about the post or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.

6.Change your password often (and make it good) :

Random strings of letters and numbers are best. If you don’t feel like coming up with something manually, you can use a password generator to accomplish the task.

7.Protect your WordPress Admin Area :

It is important to restrict the access to your WordPress admin area only to people that actually need access to it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get our home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.


<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx


In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.

8. Hide wp-config.php and .htaccess:

It’s actually really simple for better WordPress security, you’d need to add this to your .htacces file to protect wp-config.php


<Files wp-config.php>

order allow,deny

deny from all



That will prevent the file from being accessed. Similar code can be used for your .htacces file itself, by the way:


<Files .htaccess>

order allow,deny

deny from all



9. You could also limit the number of attempts to login from a certain IP address:

There are several WordPress plugins to help you to protect your login form from IP addresses that fire a multitude of login attempts your way.

Was this answer helpful?

 Print this Article

Powered by WHMCompleteSolution