How do I secure my WordPress website?

Some of our clients do not fully understand or know exactly how to secure their WordPress website(s). Here's a quick tutorial with step-by-step directions on how to do exactly just that...


Create a backup of your website:
Make sure to keep regular backups, and keep them on a CD-ROM, DVD, Portable Drive, ect.. (don't forget to make sure your backups work!). You can do this with the cPanel Backup Manager Feature in your control panel or via FTP. A FULL cPanel backup is highly recommended. A full cPanel backup file contains the entire contents of your hosting account, and can be used to easily and seamlessly move to another host that uses cPanel. You can even send your backup file to a remote server, such as a Remote Backup Service Provider.

NOTE: Never keep or store your backup files on the same hosting account/server that created it. If your hosting account or server goes down, so are your backups! - Always keep off-site backups..


UPDATE your WordPress to the latest stable Version: 

This is critical because WordPress updates usually close security vulnerabilities/exploits and implement other important fixes!.. Many users ignore upgrades fearing it will break their website or theme. And although sometimes this is true, the cost of NOT upgrading is far worse than upgrading and possibly having to fix your theme or plugin. You could be faced with account termination, or worse, be liable for damages and blacklisting fees. Do yourself a HUGE favor and upgrade your WP installation and all themes (and plugins as well).


Change your "Admin" user login account and password:

The default WP username is "admin" and hackers know this. So - you should change it to something more personal (e.g. - "LeetUser1337" or "John1234", ect..). The best thing to do is to add a new user with admin privileges and then delete the original "admin" user account.

We suggest you use really Strong Passwords (it should include UPPER and lowercase letters, numbers and symbols, and at least 16 characters long). Most attackers try to brute-force your passwords so having a strong password is imperative.


Change your WordPress Keys:

Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.

Use the WordPress Key Generator to generate mentioned keys. Then edit your "wp-config.php" file and find the lines:

define(‘AUTH_KEY’, ‘put your unique key here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique key here’);
define(‘LOGGED_IN_KEY’, ‘put your unique key here’);
define(‘NONCE_KEY’, ‘put your unique key here’)
and so on.
And replace them with the new ones you got from the Key Generator.


Install Some Security Plugins:

There are many to choose from, but not all of them are good. We highly recommend using Better WP Security Plugin. This plugin is the #1 Security Plugin for WordPress. It takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched.

Another highly recommended plugin is Wordfence Security Plugin. Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files.


Change your Database Table Prefix:

-- Warning : Make a backup of your database first! --

The default database table prefix for a WordPress is "wp_" This makes your WP site vulnerable to SQL injection attacks.

Changing the prefix to something custom like "leet1337_" or "mysite123_" is highly recommended. You can easily do this with the Better WP Security Plugin.


Prevent attacks by blocking search engine spiders from indexing the admin area and other sensitive areas:

Spiders crawl all over your site structure unless they are told not to. The easiest way to prevent spiders from indexing the admin area is to create a "robots.txt" file in your "public_html" folder with the following code:

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*


Secure your ".HTACCESS" files:

Hypertext Access or .HTACCESS is the default name of directory-level configuration file that provides decentralized management of configuration while inside your directory structure and are often used for security restrictions on a particular directory. Again, most of the fixes listed in this thread can be easily implemented with a click of a button using Better WP Security Plugin.

NOTE: To ensure the codes below are not overwritten by WordPress, place them outside the # BEGIN WordPress and # END WordPress tags in the root .htaccess file. WordPress can overwrite anything between these tags!

First, we want to protect the ".htaccess" file itself, so add the following code inside the file using your favorite editor (I recommend Notepad++):

# Protect .htaccess file
<files .htaccess>
Order allow,deny
Deny from all
NOTE: Remember to do add this to ALL ".htaccess" files you have or create!

Now, lets secure your "wp-config.php" file by adding the code below inside of your ROOT ".htaccess" file:

# Protect wp-config file
<files wp-config.php>
Order allow,deny
Deny from all

Now, lets prevent hackers from browsing your directory structure by adding the code below inside of your ROOT ".htaccess" file:

# Disable directory browsing
Options All -Indexes

Now, lets prevent some SQL script injections by adding the code below inside of your ROOT ".htaccess" file:

# Protect from SQL injection
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
RewriteRule ^(.*)$ - [F,L]

Now, lets block known bad hosts and agents with's blacklist by adding the code below inside of your ROOT ".htaccess" file:

# Begin Blacklist
RewriteEngine on
# Abuse Agent Blocking
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bolt\ 0 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot\@yahoo\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} CazoodleBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Default\ Browser\ 0 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} discobot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ecxi [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [NC,OR]
RewriteCond %{HTTP_USER_AGENT} heritrix [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [NC,OR]
RewriteCond %{HTTP_USER_AGENT} HTTP::Lite [NC,OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ia_archiver [NC,OR]
RewriteCond %{HTTP_USER_AGENT} IDBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} id-search [NC,OR]
RewriteCond %{HTTP_USER_AGENT} id-search\.org [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} IRLbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ISC\ Systems\ iRc\ Search\ 2\.1 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Java [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [NC,OR]
RewriteCond %{HTTP_USER_AGENT} LinksManager.com_bot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} linkwalker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} lwp-trivial [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Maxthon$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} MFC_Tear_Sample [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^microsoft\.url [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Microsoft\ URL\ Control [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Missigua\ Locator [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\.*Indy [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla\.*NEWT [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Nutch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [NC,OR]
RewriteCond %{HTTP_USER_AGENT} [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PeoplePal [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [NC,OR]
RewriteCond %{HTTP_USER_AGENT} PHPCrawl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} PleaseCrawl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Rippers\ 0 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SBIder [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SeaMonkey$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck\.internetseer\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Snoopy [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Steeler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Toata\ dragostea\ mea\ pentru\ diavola [NC,OR]
RewriteCond %{HTTP_USER_AGENT} URI::Fetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} urllib [NC,OR]
RewriteCond %{HTTP_USER_AGENT} User-Agent [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Web\ Sucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webalta [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} WebCollage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Wells\ Search\ II [NC,OR]
RewriteCond %{HTTP_USER_AGENT} WEP\ Search [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WWW-Mechanize [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} zermelo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus\.*Webster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ZyBorg [NC]
RewriteRule ^.* - [F,L]
# Abuse bot blocking rule end
# End Blacklist

Now, lets secure your "wp-includes" folder. Limit access to this directory by adding the code below inside the ROOT".htaccess" file:

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Now, lets secure your "wp-content" folder. Limit access to this directory by creating a NEW ".htaccess" file inside this folder and then adding the code below inside (do NOT place code inside your root .htaccess!):

Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all

This code allows users to see images, CSS, etc … but will protect the important PHP files.

Now, lets secure your "wp-admin" folder with IP Restriction. Limit access to this directory by creating a NEW ".htaccess" file inside this folder and then adding the code below inside (do NOT place code inside your root .htaccess!):

# IP access for wp-admin
order deny,allow
allow from 
deny from all

This code denies access to the admin folder for everyone, with the exception of the IP address you have specified. Simply replace the default IP with your own.

NOTE: If you have a dynamic IP, you will need to regularly alter this file to avoid locking yourself out!

Make sure to Password Protect your 'wp-admin" folder:
Adding server-side password protection (such as BasicAuth) to your "wp-admin" directory adds a second layer of protection around your blog's admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. This, along with IP Restriction, are probably the 2 most effective ways to prevent your WP site from being hacked.

STEP #10

NEVER stop implementing security measures:

There are many other tweaks you can do and implement in order to secure your websites furtehr, such as forcing SSL, or renaming your wp-admin folder to hide the backend, ect... However, the methods listed here should protect most WP sites enough. I strongly urge you to implement AS MANY security features as you possibly can.


ALWAYS Remember These Simple Rules To Keep Your Website(s) HACK-PROOF

 1. Remove any plugins/addons or themes that you're NOT actually using. "Disabled" does not qualify as removed, please physically delete the files from the server!


2. Keep ALL of your WordPress scripts up-to-date and secured at all times. This is critical as updates from developers often patch security exploits and other vulnerabilities. 


3. Keep ALL plugins/addons and/or themes that you DO actively use, up-to-date/patched and secured at all times.


4. ALWAYS keep your own off-site backups available (CD-ROM, Portable Drive, ect..). When (not if) the worst happens, you will be ready.


5. Regularly SCAN your personal computer(s) and/or any other computer(s) used to access your hosting account and website with, using a leading Anti-virus and Malware/Spyware Tool.


6. ALWAYS connect to your hosting account using a secure connection such as FTPES (highly recommended) or using SFTP (if available), NEVER connect using plain unsecured FTP.


7. Please keep an eye on your websites! - Log into your cPanel hostintg control panel and browse your website regularly to monitor for malicious activity.


IMPORTANT: You are expected to use a Secure Connection when you connect to our servers and transfer files to and from your hosting account, such as FTPES (FTP Explicit over SSL/TLS)... Standard FTP is NOT secure and transmits your username and password in un-encrypted plain-text which should be avoided at all times. If you have SSH enabled on your account you can connect using SFTP (Secure FTP via SSH). Standard FTP is only available for legacy application requirements.
If you have any questions about any of this, please let us know. Keep in mind that managing your WordPress installations and their versions is YOUR responsibility. We can often offer advice but we generally will not perform the labor of upgrading and/or securing your installations for you for free. You are welcome to review our Support Scope which outlines clearly what we will and will not support and what is or is not your responsibility.
Remember to perform regular scans on your own Personal Computer (and any other computers used to access your account) with a leading Anti-Virus & Spyware/Malware Tool. This is a very common entry point for attackers, as they can easily gain FTP/cPanel account passwords using Trojan viruses, keyloggers, and other Spyware/Malware bots infecting your PC. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer. Always keep your operating system and the software on it, especially your web browser, up-to-date and secured.
  • 5 Users Found This Useful
Was this answer helpful?