The Blog

Securing Your WordPress Site in 8 Steps

Protect your investment from hackers with these WordPress security tips

You’ve probably heard stories of WordPress sites getting hacked and you don’t want to become another victim. That’s a good first step, but how do you go about securing your WordPress installation? While there are some obvious things like using strong passwords and not giving out your username over Facebook, there are some more reliable ways of making the hacker’s job a nightmare.

Change the Keys

When you install WordPress, you will find that many files are added to your server. One of them is wp-config.php. If you open this file, then you’ll find some secret keys that hackers can use against you. There are currently eight keys, but don’t worry, they’re easy to find.

Just look for the line that starts with “AUTH_Key.” Changing the default keys will ensure that a hacker can’t just sneak in through this way. You can manually create your own key, or you can use a key generator to make some for you.

Changing WordPress wpconfig keys

Modify Database Prefix

Almost everyone automatically installs WordPress. This is a great way to have a functioning website in seconds, but there are a few security problems. One of them is that the database prefix is set to the default “wp_.”

Keeping the default prefix makes it easy for a hacker to check your database’s tables, which can give him or her some lethal information. You can fix this by just changing the prefix to something else (like “md_” or “us_”).

Secure the Config File

Remember the wp-config and .htaccess files we talked about earlier? These files have a lot of important information about your website. It’s great to have them because they will manage many different aspects of WordPress, but it’s also where most hackers start.

Securing these files isn’t as hard as you might think. Go to your .htaccess file, which should be on your server. Then, just enter this coding:

order allow, deny
deny from all

You should enter this coding twice, one for each file. Replace [file_name] with the name of the file (both wp-config.php and .htaccess). That’s all there is to it.

Editing WordPress .htaccess file

Remove WordPress Version

WordPress will usually automatically show what version you are running in the meta information. This information is completely useless to anyone except hackers because search engines, users and everyone else doesn’t care about it.

Hackers care because having an earlier version of WordPress means that your installation doesn’t have the same security that newer installations would have. You are susceptible to all of the exploits and coding errors that the previous version had. A hacker will know exactly how to penetrate your website.

Open the function.php file. You’ll find it in your theme. Then, enter this coding:


Editing WordPress theme functions

Security Scan

Installing a scanning plugin can be a great way to reduce the threat of hackers. An example of this would be Security Scan. This type of plugin will scan through your various passwords, file permissions, admin settings and other things to see if anything is vulnerable. Some will even scan these settings to ensure that they are forcibly changed.

If something is vulnerable, then the plugin will give you a message with some suggestions. For example, it might suggest using a password with several numbers and capital letters. Just follow these suggestions to dramatically improve your security.

Limited Failed Logins

If you don’t give a hacker much to go on, then he or she will commonly initiate a brute force attack. This is when the hacker randomly guesses your login information thousands of times until he or she discovers it. There are only so many usernames and passwords, and this tactic will work if the hacker has enough time.

By default, the hacker can do this as many times as he or she wants to without WordPress doing anything about it. However, there are some plugins, like Limit Login Attempts, that limit the number of times that someone can login. If the person goes beyond this limit, then he or she will have to wait about 15-60 minutes before trying again.

Hackers want to move as quickly as possible. Considering that it might take thousands of attempts and these plugins usually limit the attempts to three to five, many hackers will leave you alone before they guess the right username and password combo.

Secure Hosting

Some hackers go the sophisticated route of bypassing WordPress and just attacking your host. If the hacker can get to your server sector, then he or she can easily control your website. This might sound hard, but sometimes it’s easier than going through the trouble of bypassing your security.

You can avoid this by just choosing a good host. The vast majority of hosts should be secure enough to block most hacker attacks, but you still want the best host so that you are as safe as possible. This will also help your WordPress site run faster and better, which is always a plus.

Another advantage is that a host with good customer support will help you if there is a hacker attack, whereas a bad one might not be qualified to assist you.

Avoid “Admin”

Another one of the problems that you’ll face when automatically installing WordPress is that your username is “admin.” If you have pre-3.0, then you couldn’t change this, but that problem has been rectified. If you installed WordPress before version 3.0, then go back and change your username. If you are just installing it now, then choose a different username.

The reason for this is because knowing your username will make things much easier for the hacker. Instead of having to guess the right username and password combination, the hacker just has to bombard your website with passwords until one works. Ensure that it’s something that’s hard to guess, and don’t post it on your website.


Keeping your WordPress installation secure is important because you don’t want your website to be tampered with or destroyed, especially if you are trying to make money or start a business. The good news is that securing your website is fairly easy once you know what to do. You can do all of these things within a few minutes, and most hackers won’t be able to penetrate these security parameters without a lot of difficulty.

Cam SecoreAuthor Bio

Cam Secore enjoys reading about branding, marketing psychology, and web design. He graduated with a business management degree from Keene State College. He currently blogs at Power Moves. He loves the New England Patriots and owns beach-front property on Venus. One of these statements is not true.