Follow TwitterFollow Us:
Follow Us:

How To Prevent Your WordPress Site From Getting Hacked

banner security11 How To Prevent Your WordPress Site From Getting Hacked

Recently, I’ve been hearing a lot about people having their WordPress websites hacked and compromised by malicious code. I’ve written about how to secure your WordPress Installation before, but in light of the recent string of hacked websites, I think a more thorough article is needed.

In order to protect your site from being hacked, we need to understand how a hacker would attempt to hack you in the first place. One of the most common (and luckily easiest to proof) ways is through the wp-login.php page – the WordPress login page.

Securing The WordPress Login Proccess

Make Your Password Secure…

Yaya, sounds like a no brainier but I feel like I need to beat this simple idea into some of your heads! If I find one more password that is a clients name plus their birth year I’m going to snap.

Passwords should be 8 characters long, be CaSeSeNsItIvE, and contain numbers and symbols. I really don’t care if you have a hard time remembering it, it’s much better than the headache of dealing with a hacked site icon smile How To Prevent Your WordPress Site From Getting Hacked

Delete The Admin Username

Every fresh install of WordPress includes a user called admin. Knowing this, hackers attempt to brute force login using the admin username. There are many ‘dictionaries’ of most commonly used passwords online, so what a hacker will do is try each common password with the admin username and hope they break in.

Enable and Use Nicknames

So you are a smart webmaster and deleted the admin user and now have a safe and secure password – hackers are screwed now! Not quite yet my fine friend, because most WordPress themes display the name of the author on posts. This is especially true if you are using WordPress as a blogging platform.

Luckily there is an easy way to fool the hackers on what your username is. If you edit your user profile, you can choose a nickname. Make your nickname different from your username and then select it in the “Display name publicly as” section. So now your username can be “NaNaNaCannotHackMe” but the site will display the author as “Dylan”.

Install the Limit Login Attempts Plugin

This plugin allows you to set a ‘failed login limit’ that is extremely useful in stopping bots and scripts from brute force loging in. Many customization features such as email notification are available as well. Download

Install Semisecure Login Reimagined

This simple but nifty plugin secures your login information by encrypting it from the client side using JavaScript. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.Download

Hiding Your WordPress Version

Older versions of WordPress have known vulnerabilities that hackers can use to compromise your site. Hiding what version of WordPress you are running stop most bots/scripts from even attempting to hack you.

Removing Unimportant Files From Your Server

There are many ways you can do this: FTP or maybe just through your hosts file manager. Either way all you have to do is delete these files:


The reason for this is that those two files are not important in any way to run your site, but contain the WordPress version that you have. This information could be used by hackers to help gain access to your site!

Install Secure WordPress

This plugin performs two basic but very important tasks for you. The first is creating an index.html in each sub folder, stopping anyone from browsing and being able to access files in the directories of your site.

The second is the ability to remove default WordPress headers such as the WordPress version.Download

Other Basic Things to Keep Your Install Safe and Secure

Keep Your Version of WordPress and All Plugins Updated

This is another one that seems obvious, but please don’t ignore it! Sometimes it’s not WordPress itself that allows a hacker in, but an outdated plugin instead. There are many common and popular plugins out there with known security vulnerabilities, so keep ahead of the hackers and update.

Change Your Table Prefix

Sometimes instead of using the WordPress files themselves, a hacker will use the database to gain entry by injecting malicious SQL code,  or compromising the database through other means.

Because of this, it is important the change the default WordPress table prefix of wp_ to something else. The free WP security plugin WebsiteDefender has a built in tool that will do this for you.

*note: Remember to backup your database before


Hopefully if you follow all of these points, then you won’t ever have to deal with getting hacked or malware on your site – Good Luck!


Leave a comment