Page 1 of 4 1234 LastLast
Results 1 to 25 of 77
  1. #1
    Join Date
    Nov 2010
    Tulsa, OK

    Lightbulb Securing Your WordPress Site [first posted 2012]

    We have been having some issues come up recently with clients not fully understanding or knowing exactly how to secure their WordPress site from being hacked. Here's a quick tutorial on how to do exactly that. Credits go to David from Hostwinds for writing this!

    Step 1

    Create a backup of your site.

    If you have cPanel you can do this with the backup manager.
    If not I would recommend "backup buddy", a WordPress plugin you can find with a google search.

    Step 2

    Update WordPress Version

    This is critical because WordPress issues updates that close security vulnerabilities; it's things like this that could keep your site healthy!

    Step 3

    Change Your Login/Password

    The default WP username is "admin" and hackers know this. So you should change it to something more personal EG "RocketRanger416" or "James86". Best thing to do is to add that new user and make it a admin the delete the original login of "admin"

    I would suggest really strong passwords (These should incluse UPPER and lowercase letters, numbers, and symbols) Like "Rocket!2@" or "jessieNOMAD12#4"

    Most hackers try to brute-force your passwords so if it is really strong you should be fine in that regard.

    Step 4

    Change your Wordpress Keys!

    Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.

    Use the WordPress Key Generator to generate mentioned keys. Now edit your wp-config.php file and fine the lines that look like:

    define(‘AUTH_KEY’, ‘put your unique phrase here’);
    define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
    define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
    define(‘NONCE_KEY’, ‘put your unique phrase here’);
    and replace them with the ones from the Key Generator.

    Save and you're good to go.

    Step 5

    Install WP Security Scan

    This plugin is great and makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code.

    If the plugin shows your text as green you should be good. However, if they are not green you will have to fix the problem to make them green.

    Step 6

    Change Table Prefix

    -- Warning! Make a backup of your database before continuing. --

    The default prefix for a WP bsite is "wp_" This makes it so sql injection hacks are easy for the hacker because it is easy to guess.

    A good prefix would be "march26_" or "magnol1a_" this is a highly recommended change and you can do this with the WP Security Scan Plug-in.

    WP Security Scan has a tab called "Database". Once you open that tab you have the option to rename your entire prefix to something secure.

    Step 7

    Prevent WordPress hacks by blocking search engine spiders from indexing the admin area. Spiders crawl all over your site structure unless they are told not to, and we don't want that.

    The easiest way to prevent spiders from indexing the admin area is to create a robots.txt file in your public_html folder with the following lines of code.

    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: */trackback/
    Disallow: */feed/
    Disallow: /*/feed/rss/$
    Disallow: /category/*
    Step 8

    Prevent .htaccess Hacks

    .htaccess (hypertext access) is the default name of directory-level configuration file that provides decentralized management of configuration while inside your web tree.

    .htaccess files are often used for security restrictions on a particular directory.

    So let's secure your .htaccess!

    First we want to protect the .htaccess file itself so add the following (Do this for all .htaccess files you have in root and or create)


    order allow,deny
    deny from all
    satisfy all
    Public_html .htaccess below

    Now lets secure your config.php by adding:

    # protect wp-config.php

    Order deny,allow
    Deny from all
    Now lets prevent the hacker from browsing your directory tree by adding

    # disable directory browsing
    Options All -Indexes
    Lets prevent some script injections now:

    # protect from sql injection
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
    Go to your /wp-content folder. Lets limit access to the wp-content directory by creating a .htaccess in the wp-content folder and adding:

    Order deny,allow
    Deny from all

    Allow from all
    Go to your /wp-admin/ folder. Now if you have a static IP I would recommend creating a .htaccess in your wp-admin folder with the following (replace x's with your STATIC IP)

    # deny access to wp admin
    order deny,allow
    allow from xx.xx.xx.xx
    deny from all
    Replace the X's with your IP.

    Step 9

    Last but not least!

    You can install Wordpress Firewall 2 - this actually prevents most hacking attempts. Use with care, however, because you can lock yourself out of your site!

    Hope this helps anyone having WordPress security issues, or people who DON'T want to have them.
    Hostwinds Unlimited Web Hosting
    Cpanel/WHM | Not Oversold | Low Server Loads | Reseller / Business Plans Available
    VPS Hosting | OpenVZ | SolusVM | Popular Distributions | Windows VPS's

  2. #2
    Join Date
    Mar 2012
    Great advice! Lot's of truly useful tips here. Is WP Security Scan a 3rd part scan external from the host? If not That is the only additional things I would recommend. Thanks for posting this for the community.
    Go Daddy® Hosting Ambassador

  3. #3
    Join Date
    Nov 2010
    Tulsa, OK
    Quote Originally Posted by Gabe_GoDaddy View Post
    Great advice! Lot's of truly useful tips here. Is WP Security Scan a 3rd part scan external from the host? If not That is the only additional things I would recommend. Thanks for posting this for the community.
    Thank you very much! Yes, WP Security scan is a third-party WordPress plugin located here. Always glad to help.
    Hostwinds Unlimited Web Hosting
    Cpanel/WHM | Not Oversold | Low Server Loads | Reseller / Business Plans Available
    VPS Hosting | OpenVZ | SolusVM | Popular Distributions | Windows VPS's

  4. #4
    Join Date
    Mar 2009
    Santa Monica, CA
    Has anyone tried password-protecting the wp-admin folder? I am wondering if that would create any problems.

  5. #5
    Join Date
    Sep 2011
    Nice post. Some good info there. Hopefully people jump in and share their own tips.

    I will never understand why some hosting companies think that updating to the absolute latest version of the wp core is the only thing that matters and is so important. Many wp version updates have absolutely nothing to do with security related patches or vulnerability fixes. Meanwhile most wp installs have huge gaping holes that you could drive a bus through regardless of having or not having the latest core updates.

    The plugins and themes are most often the weakest link beyond brute force or stolen pw's, not hacked wp core files. The path to the core is started by first exploiting the plugins/themes.

    The best thing you can do to secure your wp is to delete all the old themes and plugins that you are not using. Then update the ones that you are using. If there are no recent updates, or your plugin hasn't been supported for many moons, then de-activate and delete it. I'm always amazed at the ignorance shown by "admins" who have the latest version of wp, yet fail to deal with their themes and plugins.

    Speaking of plugins, I highly recommend getting a few security plugins such as 'limit login attempts', 'wordpress file monitor' and 'bulletproof security' or similar that create hardcore htaccess, brute force protection, and file monitoring. Obscurity is a weak and easily foiled "protection" against hackers. The 'limit login attempts' shuts down brute force attacks without the need for any obscurity measures. The bps plugin automagically generates bombproof htaccess files that foil most nasties. The file monitoring is just common sense. If a file is changed, deleted, or added, then the admin should be notified.

    Also Check and change your permissions. Beyond using the htaccess, you should be using the strictest possible permissions so important files cannot be viewed, changed, or executed.

    Delete old themes. This is an extremely common problem. People try out many themes, then choose one and activate it. Then they leave the others and ignore them. There are many popular exploits that take advantage of un-activated themes. Even the themes that come pre-packaged with wordpress are often easily hacked.

    Sure, update the core when there is a security related patch, but don't blindly ignore the real threats.

  6. #6
    Join Date
    Jun 2012
    Thank you for this advice actually wordpress is secured however there is many addons non secured

  7. #7
    Join Date
    Mar 2012

    You bring up a really great point about removing inactive themes and plugins. Many people forget that even in an inactive state they can still provide entrance for malicious activity.

    In addition, this removal of inactive themes should be performed server wide.
    Go Daddy® Hosting Ambassador

  8. #8
    thank you man it was so helpful

  9. #9
    Very informative post. I have implemented only some of the points. Very helpful to a beginner like me. Thanks for sharing.

  10. #10
    Thanks for sharing these tips. You might also wana try better wp security plugin.

  11. #11
    Join Date
    Oct 2007
    Jaipur, Rajasthan, India.
    Thanks for sharing the good tips
    We have been also getting many notices that Wordpress sites are getting hacked if you are using an older version, thus it is also necessary to make sure all plugins and Wordpress version is latest and up to date.
    B4UIndia Web Technologies - Web Hosting India Service Provider.
    Domain Name | Web Hosting | Reseller Hosting | VPS Hosting Specialist from India
    99.9% Network Uptime, 24/7 Technical Support
    Follow Us on Twitter @b4uindia More Info Visit:

  12. #12
    Great tutorial here. Covered all areas!

    Although each of the steps are equally important, steps 6,7,8 are my top 3.

  13. #13
    Join Date
    Nov 2011
    Nasik, MH,INDIA

    Thanks for sharing the useful knowledge. It's really helpful for us..

  14. #14
    Join Date
    Sep 2012
    Thanks for sharing. That's very useful information.

  15. #15
    This was great! I had some of the things done, but a lot of the htaccess stuff I had not done. Thanks.

  16. #16
    Join Date
    Jun 2009
    Sri Lanka
    Thanks for the tutorial and its really helpful
    LK Domain Registration | Business Hosting | Windows Hyper-V VPS | XEN VPS | Dedicated Servers

  17. #17
    Join Date
    Dec 2010
    United States
    First of all, since i am on and uses Self-hosted WP as well, i would say thanks for the tutorial. Yet one of the most important part can be "Using CDN" to fasten your site rendering + to optimize your site code for better alexa ranking.
    Wanna Wiki ? So here it is Wiki

  18. #18
    Thanks a lot for this nice article, really helpful.

  19. #19
    Join Date
    Nov 2009
    Toronto, Canada
    On a lower level, things like mod_security, php suhosin, and csf all help prevent attacks as well. In fact they will often help with unpatched exploits. These things however would be the responsibility of your web hosting provider.
    █ CanSpace Solutions - - Canada's leading domain registrar and web hosting provider
    Premium Canadian Web Hosting and .ca domains. Trusted by Canada's largest corporations
    Affordable Web Hosting | 24/7 Support | CIRA CERTIFIED | Proudly Canadian

  20. #20


    Hey guys

    That is great thanks for sharing wonderful tips..

  21. #21
    Join Date
    Nov 2009
    San Antonio, Texas
    Thanks HostWinds and David. You anticipated a thread I was going to post. I'd also like to see -- from a host's point of view -- a similar review on essential and minimal plugins for WP caching and backup.

  22. #22
    Thansk a lot for useful information. I will try to applied on my blogs. For now, I just change the password regularly without any other security technique.
    Web Hosting for ASP.NET | Reliable Webhosting
    Support Latest ASP.NET, MVC,PHP, MSSQL 2012

  23. #23
    Join Date
    Oct 2012
    Houston, Texas
    I found that installing a 404 plugin also led me to hints of a lot of malicious activity by visitors attempting to access plugins that didn't exist. I ban them on a case by case basis now.

  24. #24
    Join Date
    Nov 2012
    Thank you! I did everything what you wrote - Since 2012. Web Hosting, VPS and Dedicated Servers in more than 10 locations
    Locations: USA, Netherlands, France, Germany, UK, Canada, Czech, Singapore, Japan, Australia, Russia & Ukraine.
    24/7 Response Tech Support | 30 Day Money Back Guarantee | Linux and Windows

  25. #25
    Join Date
    Apr 2011
    This tutorial is really helpful for us.Thanks

Page 1 of 4 1234 LastLast

Similar Threads

  1. Fair Price For Securing A Wordpress Site?
    By chilli in forum Hosting Security and Technology
    Replies: 8
    Last Post: 07-26-2013, 05:48 PM
  2. Replies: 1
    Last Post: 01-19-2011, 08:35 PM
  3. WordPress Help Desk Plugin - Add a help desk to your WordPress site
    By Hey It's Me in forum Software & Scripts Offers
    Replies: 0
    Last Post: 11-17-2009, 12:31 PM
  4. WordPress Help Desk Plugin - Add a help desk to your WordPress site
    By Hey It's Me in forum Software & Scripts Offers
    Replies: 0
    Last Post: 08-20-2009, 09:15 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts