Secure Your WordPress

Since a lot of WordPress sites got hacked in the last months, i wrote some tips, and collected some from other blogs on how to secure your WordPress from getting hacked.

keep your WordPress and the plugins up to date

you must keep your WordPress and the plug-ins up to date, because mostly it will prevent the bad guys from using known vulnerabilities to hack your site

Use a strong password

check this meter out

Use a different prefix

for your WordPress Database tables to mitigate zero-day SQL Injection attacks.

Disable directory browsing

Always backup your files before modifying or editing them!

attackers will know what u have on your site [plugins, etc] , so just write this to your .htaccess file

 Options All -Indexes 

Prevent Search Engines from indexing your sub-folders

Also write this code to your robots.txt file to prevent bots from indexing your sub-folders contents

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-*

Protect your wp-config.php file

wp-config.php file contains all your database login information, it should be protected well, this code will prevent anyone from looking at it, write it to your .htaccess file

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all

or u can just move it, the wordpress has the ability to check for wp-config.php in your root directory,
which will make it harder to find or access your wp-config.php file
So you can change the location of your wp-config.php file from




Limit login attempts

Sometimes the hacker might think they know your password, or they might develop a script to guess your password. In that case what you need to do is limit the login attempts. You can easily do so by using a plugin called Login Lockdown

which will lock a user out if they entered the wrong password more than the specified time. They will be locked out for a specified time. You can control the settings via your wp-admin panel.

Limit the access to the admin panel

if you have a static IP address this will be helpful, with this code you will be the only one who can access the admin area , write this to the .htaccess in your wp-admin folder,

Order Deny,Allow
Deny from all
Allow from

replace the with your IP address

Use secret-key

security keys, AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY, were added to insure better encryption of information stored in the user’s cookies. A secret key is a hashing salt which makes your site harder to hack and access harder to crack by adding random elements to the password, In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.To add security keys, open your wp-config.php
Visit this URL to get Security Keys: click here [random keys <-]
Find these lines in wp-config.php

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

And insert the keys you from the generator, ex:

define('AUTH_KEY', 'GJ--Vxy|sNmv8J4XS-o]={]O90_kK%ns,hsZ*hMpq+)y?aZc$,[s`I{Qh-?P22kd');
define('SECURE_AUTH_KEY', '&#+Rlm?xb?1]#w-v|W||H[!_ev@KMrP');

Protect your blog from malicious URL Requests

install the plugin to your WordPress installation and it will work like a charm.

BBQ: Block Bad Queries

Remove or Disable non used plugins

Youwould have tried lot of them for checking the functionality, but you would not have disabled or removed them. Remove all the non used plugins. Hackers can find a way exploit to them, even if you are not using them.


Always keep back up of your blog’s files and database, backup the blog contents to your system regularly. Taking manual backups are tedious tasks. try using WP DB Manager. or any other plugin that does the task

Happy Safe Blogging  😛

Leave a Reply

  1. Excellent article! some measures that I use, and some new practices for me to put in place! Have you evaluated the services from CloudFlare? I consider it a key part of securing WordPress sites that I put up.