How to Protect WordPress from hacking


Do you know how to protect WordPress from hacking? Is your website or blog built with the WordPress CMS? Are you aware that you may be at risk if you do not protect your website?

Today WordPress has become one of the most used content management systems, both for web developers and for anyone who wants to easily build a blog, website or online store. Unfortunately, if you do not know how to protect WordPress from hacking you may become an easy target.

Below I am going to list some preventive measures that will show you how to protect your WordPress website from hackers and help you improve your WordPress website security.

It’s not guaranteed that you will keep the hackers away, but at least you will give them a hard time if they try to access and compromise your site.

Change the Default Password & Username

The simplest way to protect WordPress from hacking is to change the default credentials. Any WordPress site can be accessed by adding /wp-admin to the domain name. This takes anyone to the login area, where a username and password are required to access the site.

In order to secure your website the default username (admin) should be changed to something harder to guess. The next step is to choose a new, stronger password that includes letters, symbols, signs and spaces.

The default WordPress password is very strong, but it’s good to change it or add more symbols to it. The length of the password is very important and it should not be less than 16 – 18 characters.

If you have already installed WordPress with the default username & password you can always create a new user. Give it an appropriate name and password, assign the administrator role, and sign out of the account. Then sign in with the new username, go to “Users” and delete the old username (the one that was created by default).

Finally, go to “Users” - “Your Profile” and change the default Nickname to something different from your username. This is good practice, as the nickname is always shown on your posts and, if it equals your username, it is very easy for a hacker to learn your username by simply looking at the bottom of a post (to see who wrote it).

If you know how to protect your WordPress site from hacking you will have an advantage over those who try to take down your blog or hack your WordPress website. Changing the username and password of your WordPress website or blog should always be a priority, as most WordPress users leave their default login credentials in place.

Limit Login Attempts

Another best practice is to limit login attempts. This can be easily achieved by installing and activating a simple plugin, Login LockDown. This plugin is highly customizable and easy to set up. By limiting login attempts you protect against brute-force attacks, which are one of the methods hackers prefer.

There are also other plugins, such as Wordfence Security, that allow you to limit login attempts, scan the website for threats (malware, spyware), perform regular check-ups, block IPs, etc. The Premium version lets you block countries (the ones you get the most attacks from), enable two-factor authentication (cellphone sign-in), URL blocking, etc.

Back Up your Website

Backing up your site is good practice, as it lets you recover your files (posts, comments, pages, database, links) in the event they get erased or corrupted. Backing up is relatively easy to achieve.

Just install and activate a plugin such as BackupBuddy and you will get the most reliable plugin that is available out there. It is not free, but it is one of the most used plugins for backing up and for migrating your site from one host to another.

There are also free plugins that do the same thing, such as DropBox Backup & Restore, BackupWordPress, UpdraftPlus Backup & Restoration, etc.

Update your WordPress Software and Plugins Regularly

It is recommended that you keep your WordPress website updated to the latest version, as older versions may contain vulnerabilities. By doing so you are always a step ahead of the hackers and benefit from the latest security upgrades. All plugins should also be updated regularly in order to get the maximum protection for your site.

Keep wp-config.php file Secure

The most sensitive data about your website is stored in the wp-config.php file. You want this data protected from prying eyes, right? All you have to do is add the code below to your .htaccess file and web requests for your wp-config.php file will be refused, which protects you against hacking that involves that file.

# protect wp-config.php (Order/Deny are Apache 2.2 syntax; Apache 2.4 without mod_access_compat uses "Require all denied")
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

Protect against script injection hacks

Script injection is one of the methods hackers prefer: JavaScript injections, SQL injections and jQuery injections are used to gain access to your site. Sometimes these injections are possible because of vulnerable plugins or themes that are installed. In order to protect WordPress from hacking through script injections you will need to place this code in the .htaccess file in your root directory.

# protect from script injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
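To see what the three RewriteCond lines above actually match, here is an added example (not from the original post) that reproduces them as Python regular expressions and runs them over constructed query strings. Like mod_rewrite’s %{QUERY_STRING}, it looks only at the raw, still URL-encoded query string of the request, which is why the patterns list %3C and %3E next to < and >.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from the .htaccess block, as Python regexes.
# The first one carries [NC] in Apache, so it is case-insensitive; the other two are not.
RULES = [
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS",    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST",   re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

def matching_rule(query_string):
    """Name of the first RewriteCond that matches the raw query string, or None.
    The conditions are OR-ed in the .htaccess ([OR] flags), so one hit is enough."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None

def would_be_forbidden(url):
    """True if the RewriteRule with its [F] flag would answer 403 for this request URL."""
    return matching_rule(urlsplit(url).query) is not None

# Constructed sample requests with the verdict each one should get.
SAMPLE_URLS = {
    "https://example.com/?s=hello+world": None,
    "https://example.com/?s=javascript+tutorial": None,      # the word "script" alone is not enough
    "https://example.com/?s=%3Cscript%3E": "script-tag",     # URL-encoded <script>
    "https://example.com/?s=%3cSCRIPT%3e": "script-tag",     # [NC]: case does not matter here
    "https://example.com/?GLOBALS[x]=1": "GLOBALS",
    "https://example.com/?globals[x]=1": None,               # no [NC] on this condition
    "https://example.com/?_REQUEST=1": "_REQUEST",
}

def check_samples():
    """True when every sample URL is classified exactly as annotated above."""
    return all(matching_rule(urlsplit(u).query) == verdict for u, verdict in SAMPLE_URLS.items())
```

Because only the query string is inspected, this ruleset says nothing about request bodies or paths; treat it as one layer, not as a substitute for updating vulnerable plugins and themes.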

Disallow PHP file uploads

Hackers always look for vulnerabilities in your directories where they can drop spam scripts. File permissions are very important, as they let us perform tasks on our files, but you should be aware that hackers know this too and you should never use a 777 permission setting.

If you are using plugins that rewrite permissions in order to upload images or make image directories writable, you are vulnerable to hacking. Fortunately, to avoid this from happening, place the code below in your .htaccess file located in your root directory. Always back up your .htaccess file first.

# redirect PHP script requests to nothing: a request for x.php is rewritten to x.htm, which does not exist
# Put this in the .htaccess of the directory that must not execute PHP (for example wp-content/uploads);
# in the site root the same rule would also catch index.php and wp-login.php and take the site down
Options +FollowSymlinks
RewriteEngine on
RewriteRule ^(.*)\.php$ $1.htm [NC]

# no PHP access: refuse to serve any .php file in this directory at all
<Files *.php>
deny from all
</Files>
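An added example (not from the original post): a small Python audit of an uploads tree that reports exactly the two things this section warns about, world-writable entries (the 777 case) and PHP files sitting among uploaded media. It builds a constructed sample directory in a temp folder so it runs stand-alone; point audit_uploads() at your real wp-content/uploads instead. The extension list is an assumption to adjust to your server’s PHP handler configuration.

```python
import os
import stat
import tempfile

# Extensions a web server is commonly configured to hand to PHP (assumption: adjust to your handler config).
PHP_EXTENSIONS = (".php", ".phtml", ".phar")

def audit_uploads(root):
    """Walk `root` and return (world_writable, php_files): sorted lists of paths relative to root.
    world_writable holds every file or directory whose mode has the other-write bit set
    (777 and similar); php_files holds anything that looks like PHP source among the uploads."""
    world_writable, php_files = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode          # lstat: report the link itself, do not follow it
            if mode & stat.S_IWOTH:
                world_writable.append(rel)
            if not stat.S_ISDIR(mode) and name.lower().endswith(PHP_EXTENSIONS):
                php_files.append(rel)
    return sorted(world_writable), sorted(php_files)

def build_sample_tree():
    """Constructed sample uploads tree: one directory left at 777 and one stray PHP file."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    month = os.path.join(root, "2023", "10")
    os.makedirs(month)
    for name in ("photo.jpg", "stray.php"):
        with open(os.path.join(month, name), "w") as f:
            f.write("sample\n")
        os.chmod(os.path.join(month, name), 0o644)   # ordinary file permissions
    os.chmod(os.path.join(root, "2023"), 0o755)
    os.chmod(month, 0o777)                           # the bad permission the text warns about
    return root

if __name__ == "__main__":
    world_writable, php_files = audit_uploads(build_sample_tree())
    print("world-writable:", world_writable)   # ['2023/10']
    print("php files:", php_files)             # ['2023/10/stray.php']
```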

Stop Directory Browsing

Hackers often look for security vulnerabilities in your website or blog by browsing the website’s directory listings. To prevent this, add this piece of code to your .htaccess file located in the root directory.

# disable directory browsing
Options All -Indexes

Keep your Computer free of Viruses & Malware

You may think that this won’t affect your website/blog/online store, but if your computer is infected with viruses you become a very easy target for hackers. Viruses and malware (keyloggers, macro viruses, trojans, spyware) are often hidden in programs you download from the Internet, email attachments (never open an .exe file), etc.

Protect the .htaccess file

The .htaccess file can be vulnerable to hacking if not properly protected. The code below prevents external access to any file with .hta in its name (such as .htaccess itself). To accomplish that just place the code below in your .htaccess file and you are sorted. If you use the All In One SEO plugin you can edit your .htaccess file from your dashboard.

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Tip: I always recommend backing up your .htaccess file before doing any modifications or adding any code.

Block Search Engine Crawlers from Indexing the Admin Area

Another way to protect WordPress from hacking is to block access to the admin area. You may not be aware of it, but search engine spiders (crawlers, bots) index every bit of content on your website.

There is nothing wrong with that, but you may want to block indexing of the admin section, as it contains very sensitive information about your website. Even if you tell the search engines not to index a particular section of your website, you cannot be certain whether they are indexing it or not.

The best way to stop search engine crawlers is to add this code to the robots.txt file in your root directory.

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

Tip: If you are using the All In One SEO plugin (WordPress only) you can edit your robots.txt file from your dashboard.

Restrict Admin Area

If you have a site that does not require registration you can restrict access to the wp-admin area by simply adding the following code to your .htaccess file. Replace zz.zzz.zzz.zzz with your IP address.

<Files wp-login.php>
order deny,allow
Deny from all
# replace zz.zzz.zzz.zzz with your own public IP address; it must be a fixed address, or a change of address will lock you out of the login page
Allow from zz.zzz.zzz.zzz
</Files>

Finally, if you are looking for a web developer in Dublin who can show you how to protect WordPress from hacking and implement the correct security measures, please contact Luigy’s Web Studio at info(at) . We will make your website, blog or e-commerce store bug-free and keep it up to date with the latest security software available.