10 Ways to Secure Your WordPress Based Website

If your WordPress site has ever been hacked, or you'd like to prevent it from being hacked, here are a few tips on how to secure your WordPress based blog. Please contact me if you require assistance with any of the tips below.

1. Use Secure Passwords

I hope this is obvious to most of you, but passwords like "password" or your pet's name are not secure. You should be using a password that's at least 10 characters long, and it should contain uppercase and lowercase letters, numbers, and special symbols. The more characters there are in your password, the less chance you have of getting hacked.

One of the best ways to get a secure password is to use an online password generator.

2. Don't Use Admin As Your Username!

If you are using admin as your username, change it immediately! If your username is admin, hackers already know half of what they need to log in.

Create a new account for yourself in the Users panel of WordPress. Log in to that new account, then delete the admin account. When you delete the account, make sure to attribute the posts to your new account!

3. Keep Up To Date

If you're using an old version of WordPress, there are likely many security vulnerabilities that could result in your site getting hacked. The same is true for plugins, so keep those up to date!

4. Change Permissions

Generally, permissions for files and folders should be set as follows. Use an FTP client like FileZilla to make these changes.

  • Folders: 755
  • Files: 644
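If you have shell access to the server, the 755/644 baseline above can be checked across the whole install in one pass. This is an added example, not code from the original post; the function names are hypothetical, and it reports every deviation while only ever removing excess bits, so a file you deliberately made stricter is left alone.

```python
import os
import stat
import sys

DIR_MODE = 0o755   # tip 4 baseline for folders
FILE_MODE = 0o644  # tip 4 baseline for files


def audit_permissions(root):
    """Return sorted (path, actual, expected) tuples for every entry below
    root whose permission bits differ from the 755/644 baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append((path, actual, expected))
    return sorted(findings)


def world_writable(findings):
    """Findings any local account can modify (the o+w bit is set)."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def tighten(findings):
    """Clear bits beyond the baseline; never loosens a stricter mode."""
    changed = 0
    for path, actual, expected in findings:
        if actual & ~expected:
            os.chmod(path, actual & expected)
            changed += 1
    return changed


if __name__ == "__main__":
    # Usage: python audit_perms.py /path/to/wordpress   (report only)
    for path, actual, expected in audit_permissions(sys.argv[1]):
        flag = "  <-- world-writable" if actual & stat.S_IWOTH else ""
        print(f"{path}: {actual:03o}, expected {expected:03o}{flag}")
```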

5. Hide WordPress Version

Your WordPress version gives hackers ideas about how to best attack your site. Place this code in your theme’s functions.php file to hide the WordPress version.

<?php remove_action('wp_head', 'wp_generator'); ?>

6. Add Authentication Keys

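Take a peek at your wp-config.php file and see if it includes authentication keys. If it doesn't, visit the WordPress.org secret-key API (https://api.wordpress.org/secret-key/1.1/salt/) and grab your own random keys. Here's what an example file would look like (these values are published on this page, so generate fresh ones instead of copying them):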

define('AUTH_KEY',         'N4 <I0 ~l70/=<y>BTvm9m.zX^N+4L@OK~;=,JqXZb58V6exiR_R^QSm|z0-Ts+N');
define('SECURE_AUTH_KEY',  '=j+({-GRWxYbAU[-|tfU@_2[p>:Yl(VV3uq}ZdM) h)cG+/anf}c,}{@oVD8 kzl');
define('LOGGED_IN_KEY',    'wK:WK:)[0.d`5k;r&[~8.3DcuOee?:W9!b$]odZ^v/(IiMdb0O?<IB?mdHf3`VCC');
define('NONCE_KEY',        'mG-VUfq/A4:?3}a|B<*NdGyk^wE*_`zRJX[VVfvm&y/B;%9O[bX/A5j3rkW*d.jA');
define('AUTH_SALT',        '2>N6igpu*Idk+%=&6]Z4Vc)-;/BOdiec0=N?sgcWK4$|T8kJP1>]/Nn%r*QP9|n^');
define('SECURE_AUTH_SALT', 'F#9^SVxj6ZO_*J0%CGUFK}P !q-v<N(Is|h@<N,ze6sQ+%n@fk[-y-zBJQS!:hIs');
define('LOGGED_IN_SALT',   'evjn3aEM0UA8UF|du|I]WSG.i_B|@)^=.-5-qY)p}m9[kwVD|gjVOj[l_(?S9W%<');
define('NONCE_SALT',       ':YLC?hr7D<))Jt9S;U#+7c9Nsk148rImy;M8NWHCEYaqr0he]tE}JV9vrRtE/ppe');
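To confirm that a wp-config.php really carries all eight constants with usable values, a short offline check helps. This is an added example, not code from the original post or from WordPress; the function name, the 60-character minimum and the sample input are assumptions made for illustration.

```python
import re

REQUIRED = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
MIN_LENGTH = 60  # assumption of this example, not a WordPress rule

# define('NAME', 'value');  with either quote style
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""")


def check_keys(config_text):
    """Return {name: problem} for every required constant that is missing,
    still the placeholder, too short, or shares its value with another."""
    found = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # a commented-out define() has no effect
        m = DEFINE_RE.search(line)
        if m and m.group(2) in REQUIRED:
            found[m.group(2)] = m.group(4)
    values = list(found.values())
    problems = {}
    for name in REQUIRED:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < MIN_LENGTH:
            problems[name] = "too short"
        elif values.count(value) > 1:
            problems[name] = "duplicate"
    return problems


# Constructed sample input (not a real configuration).
SAMPLE = "\n".join([
    "<?php",
    "define('AUTH_KEY',        '%s');" % ("aB3$" * 16),
    "define('SECURE_AUTH_KEY', '%s');" % ("xY9!" * 16),
    "define('LOGGED_IN_KEY',   'put your unique phrase here');",
    "define('NONCE_KEY',       'short');",
    "// define('AUTH_SALT', '%s');" % ("qW7#" * 16),
])

if __name__ == "__main__":
    for name, problem in check_keys(SAMPLE).items():
        print(f"{name}: {problem}")
```

To run it against a real site, pass the contents of wp-config.php to check_keys() instead of SAMPLE; an empty result means all eight constants passed.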

7. Hide Login Errors

While it's useful to know why you can't log in to your blog if you entered your password wrong, it's also useful to hackers. Place this in your theme's functions.php file to hide the error message:

// create_function() was removed in PHP 8.0, so use a closure instead.
add_filter('login_errors', function () { return null; });

8. htaccess Security Rules

Place the following rules in your .htaccess file. These rules protect the .htaccess and wp-config.php files, disable directory browsing, and disable the server signature.

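# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat,
# replace each order/deny pair with: Require all denied

# Protect htaccess
<files .htaccess>
order allow,deny
deny from all
</files>

# Disable server signature
ServerSignature Off

# Protect config
<files wp-config.php>
order allow,deny
deny from all
</files>

# Disable directory browsing
Options -Indexes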

9. Install Security Plugins and Services

Some of my favorite security plugins are WP Security Scan, Wordfence, and Login Lockdown.

Website Defender is a service that scans your server for any changes that have occurred. It will send you an email if there is something suspicious going on so you can investigate further.

10. Change Database Table Prefix

This can be completed simply with the WP Security Scan plugin. Select the Database tab under the plugin, and back up your site first. Enter a new prefix and hit Start Renaming.


  1. says

    Hi Mitchell,

    I'm guilty of using admin as my username. :-( When creating a new username, do I want to create that one as an administrator?

    Thanks so much!

  2. says

    What a life saver you are! I just spent 20 minutes and changed several things! I hope that I'm unstoppable now that I have been hacked every day for the past week. I'll keep you updated! Thank you so much.

  3. says

    Hey Mitchell - great tips, especially for the most recent reports of "brute force" WordPress attacks. I've seen some sites recommending CloudFlare as extra precaution. Do you think this service is effective for safeguarding a site?

    • says

      Hey Ryan,

      I believe CloudFlare is good for a second layer of protection. I've had CloudFlare installed on this site and my frugal blog for about a year, and I've noticed it's blocking a lot of malicious requests ever since the brute force attacks started. Just over the last week, it's blocked about 10,000 threats on one site.

      Hope that helps!
