WordPress Security Tips :: Avoid Being Hacked

WordPress Security Tips :: Avoid Being Hacked

How to Strengthen the Security of Your WordPress Install

As tremendous a software as WordPress is, it is not immune to security breaches or hacking, much like all software and programs out there today.

There are, however, some measures which can be taken to prevent, or at least make it that much harder, for your blog to be hacked. Some measures can be implemented before installation of WordPress, others after WordPress has been installed.

Note: The first security measure is to always ensure your instance of WordPress is updated to the newest version of the software.

In this tutorial, we will go over the steps to help prevent security breaches.

Measures Which Can Be Taken Pre-Installation

Change Database Prefix

To do this, locate the “wp-config-sample.php” file in your WordPress package, and find the following line:

$table_prefix = ‘wp_’;

This is the WordPress database default prefix. Hackers know this and can use it to try and hack into your database. For this reason, it is best to change the value to something random.

Replace the line above with something like this:

$table_prefix = ’5ttpx_’;

But use a different prefix that only you know.

Once that line in changed, rename “wp-config-sample.php” to “wp-config.php”.

You can then go ahead with your WordPress installation.

Note: If you’re using an application such as Fantastico or Softaculous to install your WordPress blog, then you will be able to enter your random prefix during the installation process.

Measures Which Can Be Taken Post-Installation

To help an already existing instance of WordPress be more secure, do the following:

1. Change Username

By default, your WordPress administrator username is “admin”. Many users keep this unchanged, which makes their blog susceptible to attacks. If you haven’t already done so, change your username to something else.

To do this:

Log in to your blog’s dashboard, then hover your cursor over “Users” and click “Add New”, as shown by the red arrows below:

In the following page, fill in the necessary information. Pick a unique username. From the “Role” drop-down menu, select “Administrator”, and click “Add New User”

This will create a new user with a unique username.

Next, log out of your dashboard and log back in under the new user, then delete the old user; the one with “admin” as a username.

To delete the old user, do this:

Once you’ve logged back in to your dashboard under the new user, click “Users”, hover your cursor over the “admin” user, and click “Delete”.

2. Password-Protect Your “wp-admin” Folder

Protecting your “wp-admin” folder with a password will enhance your blog’s security. To do this;

Log in to your web host cPanel and click “Password Protect Directories” under “security”.

Then, click your blog’s folder.

In the next screen, create a user and a password, click “Add/modify authorized user”, and then click “Save”.

3. Restrict IP Access

An efficient way to keep other parties from accessing the admin section of your WordPress blog is by restricting IP access. You can set your blog to only allow access from your IP. This can be done by adding an “.htaccess” file, with a snippet of code, to your “wp-admin” folder.

To do this:

Open up Notepad, and type the following:

Deny from all

Allow from

The part should be replaced with your IP address.

Save the file. (Give it any name, you will be changing the name in the next step).

Next, you will need to rename the file to “.htaccess”, and upload it to your “wp-admin” folder.

4. Restrict Access to “wp-includes” and “wp-content”

You can deny access to files in the “wp-includes” and “wp-content” folders by creating and placing an “.htaccess” file in each of the two folders. The “.htaccess” file needs to contain the following piece of code:

Order Allow,Deny

Deny from all

<Files ~ “\.(css|jpe?g|png|gif|js)$”>

Allow from all


This will block anybody from accessing all files within the two folders except for images, stylesheets and javascripts, which need to be accesses by the browser in order to properly display web pages.

Implementing the above measures will greatly enhance the security of your blog.


Website by AboutWebsites.ca