22 Steps to Protect WordPress: Anti-Hacker Security

We have made a compilation of recommendations to protect your WordPress as much as possible. Being the most used content manager in the world, it is quite common for you to receive attacks from hackers, brute force, and robots. If you have all the options marked by default, you could have a security problem that leaves you without a web page or that includes malicious code. See which of these actions you can take to be much more protected.

1. Do not use the wp_ prefix for the database

From the first moment of the WordPress installation you have to specify a series of information that you have to enter so that WordPress communicates with the database.

Most of this information is provided by your hosting providers, such as the name of the database, and the username, and password of the same. But there is a decision to make: decide the prefix of the tables that will be created for WordPress.

You can create any website with WordPress using its drag-and-drop options. take a look at this website which is created through WordPress https://www.littlelittlesteps.co/ 

By default, on this screen the prefix offered is wp_, so your tables will be like wp_options, wp_comments, wp_posts, etc.

And, of course, this is something that every hacker knows, and it is free information that we give to any possible attacker, who knows that if you don’t do a secure installation, the WordPress tables – which are standard – will have those full names if you don’t change the prefix.

So the first place you should start to secure WordPress is before you even install it, in this step: change the default table prefix ( wp_) to something of your choice, for example, wptabla_or X1jM_or whatever you want. The important thing is not how long or complicated it is but, at least, do not leave the default prefix.

2. Do not use the admin user to access WordPress

Another decision that we have to make during the installation of WordPress is the name of the first user to access the administration of our website, a user that by default will have full management permissions.

For years WordPress has offered a default username which, of course, you should not use. So when choosing the name of your first user to access WordPress, do not choose those common names for this task, such as admin, Admin, root, etc., since they are the first ones that a hacker wants to take possession of will check. your website. 

3. Use a strong password

I know that it is difficult to get you to listen to me with this very basic trick, but you must be aware that the easier a password is to remember (for you), it will also be easier than automatic brute force access systems. of the attackers get it.

WordPress, in its latest versions, incorporates a strong password generator and “suggests” you use them. This will always be the best option. You can, however, skip that recommendation and put a simple, insecure password, but you would be making the main and most important security mistake of all possible ones.

Currently, it is unnecessary to use easy passwords since all browsers offer the possibility of remembering them for you on your computer. So always use strong passwords, containing lowercase letters, uppercase letters, numbers, and special characters.

If you have many registered users, you can even force the change of passwords so that they are all secure, including that of the administrators. For example:

4. Always use the latest version of WordPress

If there is something dangerous, it is working on a network with obsolete or insufficiently updated software. Hackers usually attack mainly sites with old versions, not updated, as they are usually more vulnerable by not incorporating enough protection against known types of attack.

Fortunately, WordPress offers an automatic update system, both for the WordPress core itself and plugins and themes.

By default, you will not have to worry about WordPress maintenance and security updates, as it does without your intervention. It will simply notify you when it has been updated. But you will have to carry out, even with a simple click, the updates to the so-called “major” versions.

For example, you do not need your intervention to update from version 4.3.1 to 4.3.2, WordPress updates them for you. But yes from 4.3.x to 4.4, although the process is as fast and as simple as pressing a button.

[Tweet “Hackers mainly attack websites with outdated versions because they are more vulnerable”]

5. Update installed plugins

WordPress is safe, and, normally, it is so because there is a large community that takes care of its maintenance, development, and growth, but the same does not happen with plugins.

No matter how widely used a plugin is, many times behind it there is a single programmer who, for obvious reasons, does not have the resources or the time to always have his plugin up to date.

It is for this reason that the main route of entry for attacks on a WordPress installation is mostly through un-updated plugins.

WordPress offers us a warning system and automatic updates of installed plugins, so when you see that one needs to be updated, don’t think about it.

If you do not use plugins from the official directory, it is possible that WordPress does not automatically identify if there are updates available. In that case, you should be aware of the developer’s website.

6. Update the active theme

Equally important is to always use an up-to-date version of the active theme, as hackers know that they don’t change very often, which gives them time to learn from your code and invent ways to make your life more complicated and even get you into trouble.

If you use a theme from the official directory, again, WordPress will notify you of updates. And if you use a plugin that you have acquired on another site, you must be aware of the news of its creator to update it when there is news.to enhance your website performance you should move to NPS Software, which allows you to collect customer feedback from time to time, through which you can track your website perfomance.

7. Don’t use outdated plugins or themes

One of the most important sources of vulnerability is plugins and themes that are outdated or abandoned by their developers. Frequently check the developer page of your theme and plugins to see if they have recently updated their product and, if not, look for an alternative that offers you the same benefits.

If you use themes and plugins from the official WordPress directory you will find all the information available, such as the date of the last update and compatibility with the latest versions of WordPress.

In addition, the official WordPress directory automatically removes plugins and themes that have not been updated for more than two years, which is an additional guarantee.

If you use themes and plugins downloaded from other sites, you should check it on your website and manually install any updates.

8. Delete plugins and themes you don’t use

In line with the previous action, it is a danger to have inactive plugins and themes installed, for the simple reason that we will pay less attention to them by not being active. Not only do they take up space in your hosting, but they are also a gateway to possible vulnerabilities on your website.

The only active theme you should leave installed is the latest WordPress default theme available ( currently Twenty Fifteen ), which is an additional protection rule for your website, since if WordPress detects a problem in your active theme and cannot load it will try to automatically activate the default theme if it finds it installed.

9. Download plugins and themes from safe sites

The safest place to download plugins and themes is the official directory, in whose addresses you have updated, verified, and safe versions of the latest developments. These are the themes and plugins that you can install from the installer included in your WordPress, and that you can also visit at the following addresses:

In addition, there are marketplaces for themes and plugins such as Envato, Woothemes, or Elegant Themes, of great quality and care for their products.

Of course, never download plugins and themes from P2P networks like Torrent or eMule, they are usually all infected with viruses and malware.

10. Protect the WordPress configuration file

The WordPress configuration file, the wp-config.php file, contains very sensitive information about your server:

  • Database name
  • Database user
  • Database password
  • The prefix of the database tables.

For this reason, it is vital to protect it from outside eyes and, of course, from unwanted modifications.

To do this, you can perform the following actions:

  1. Move it to a higher folder, so that if it is located in the  …/public_html/mydomain.es/ path, move it to the  …/public_html/ folder.
  2. Write-protect it by changing the permissions to 444.

Add the following rules to the Apache .htaccess file to prevent unwanted access:
<Files wp-config.php>

order allow, deny

deny from all

  1. </Files>

11. Protect the folder of uploaded files

The uploads folder, located in the path  yoursite.es/wp-content/uploads  where the images and documents that you attach to your WordPress posts are uploaded,  is the most susceptible to attacks. So it is very important to protect it to prevent viruses or malicious scripts from being executed from it.

WordPress does not allow executable files to be uploaded to this folder by default, but there are techniques hackers use to bypass this rule. So we must apply for extra protection, expressly defining what file extensions can be uploaded to it.

To do this, we will add the following lines of code to the hidden Apache .htaccess configuration file, located in the folder where you installed WordPress:

<Files ~ “.*\..*”>

Order Allow, Deny

Deny from all

</Files>

<FilesMatch “\.(jpg|jpeg|jpe|gif|png|bmp|tif|tiff|doc|pdf|rtf|xls|numbers|odt|pages|key|zip|rar)$”>

Order Deny, Allow

Allow from all

</FilesMatch>

12. Make backups

If there is a fixed rule in security, it is that no matter what measures you apply, there will always be some new vulnerability for which we are not protected, we will always be one step behind malicious attacks. So, in the event of a disaster, the only thing that can save us from an eventual loss of all our content is to have backup copies.

Check that your web hosting provider has full automatic backups. And, in addition, install a backup plugin like BackWPup, which allows you to schedule different backup tasks, being able to save your copies on another server, sending them by email, or even automate their saving in Cloud services such as DropBox, Amazon S3 or Google Drive, among others. 

13. Limit access attempts

Most of the current attacks against WordPress sites are carried out through massive access attempts through the login screen, so it is essential to protect internal access to your WordPress.

To do this, we can apply different security measures:

  1. Disable user registration, thus preventing malicious users from taking advantage of possible vulnerabilities to obtain extra permissions on your installation and the possibility of making changes to it.
  2. Add a human verification system like reCaptcha, which prevents unwanted access from automated machines trying to gain access to your site.
  3. Install a plugin to prevent massive access attempts such as Limit login attempts, JetPack’s Protect module, or similar utilities from most security plugins, so that they block this type of attack.

14. Install a security plugin

Many of the protection measures that we can apply to our WordPress installation are included in plugins specialized in securing WordPress.

Most of them contain settings to prevent brute force attacks, code injections, and system file modifications, including warning systems so that you are informed of any possible attack in progress.

The most recommended are the following:

  • WordFence
  • iThemes Security
  • bulletproof

15. Use secure file and folder permissions

By default, WordPress applies read and write permissions to files and folders, which can sometimes be modified, either automatically by some plugins, or manually by uploading files yourself from cPanel utilities or even through FTP clients.

The default permissions that files and folders must have in WordPress are the following:

  • Files: 644
  • Folders: 755

If any file or folder has more permissions, it would be a possible source of vulnerabilities. You will need to change them to the default permissions from the cPanel file manager or your favorite FTP client.

16. Use a reverse proxy like Cloudflare

A measure that will not only improve the security but also the security of WordPress is to use a CDN service, or remote content delivery network like Cloudflare, with a very complete free plan and plugins that facilitate its integration with WordPress.

In addition to offering a very powerful caching system, it also incorporates protection measures such as the following:

  • Email obfuscation, avoiding the capture of email addresses displayed on your website
  • Blocking IPs of visitors with behaviors suspected of being attackers
  • Always online, to show a cached version of your website even when you are being attacked in progress

17. Create an account in Google Search Console

The old Google webmaster tools, now known as Google Search Console, in addition to fundamental tools for analytics and analysis of your website, offers extra protection for your WordPress.

In short, you must register your site in the Search Console so that Google informs you of:

  • WordPress updates
  • code injections
  • Notices of usability problems
  • speed problems

Plugins like Yoast SEO or All in one SEO pack allow the integration of WordPress with the Search Console simply.

18. Prevent splogger access

If for some reason you allow user registrations in your WordPress, you must protect yourself against those known as sploggers, users who massively register on websites to try to access their configuration, add spam comments, or even inject malware.

The ultimate solution for this type of user is, of course, not to enable user registration (WordPress default behavior). But if you have registration enabled for loyalty or marketing reasons, you must install the best plugin that exists to detect and eliminate this threat: WangGuard.

19. Protect the .htaccess file

We have seen several actions that we can perform from the Apache .htaccess file, but for the same reason, it is equally important to protect this same file.

The .htaccess file is an Apache server file that applies rules to any application installed on your hosting, in our case WordPress, being able to apply security and safety measures, among others.

To also protect the .htaccess file from unwanted access you can include the following lines in the same file:

<files .htaccess>

order allow, deny

deny from all

</files>

20. Protect yourself from spam

One of the usual tasks of any administrator of a content management system, such as WordPress, is to control spam in comments. First, it is a source of distractions and unwanted links in the comment forms. And second, some hackers use these forms to inject code that could compromise the security of your WordPress installation.

For this we can, and must, apply different strategies:

  • Add a human Captcha verification system using Simple CAPTCHA plugins or the previously mentioned WangGuard.
  • Activate a spam checking plugin like Akismet.
  • Protect forms from the injection of special characters.

And, of course, and without the need to install anything, apply spam control rules from the Settings -> Comments of your WordPress installation:

  • Manually approving all comments.
  • Adding rules to automatically mark unwanted comments as spam.

21. Avoid pingback vulnerability

There is a specific vulnerability, called the pingback vulnerability, which deserves a special mention because, although easily fixed, it would disable important WordPress functions such as remote management, the use of mobile applications, or even the pingback and trackback system.

It is related to the XML-RPC protocol, which is what allows WordPress to connect, for example, with the WordPress application for iOS or Android, as well as offline editors and some content syndication systems, so in principle disabling this protocol does not seem recommended.

The bad thing is that it is an open path for possible code injections by attackers.

However, if you are clear that you are never going to use this type of application, the solution is as simple as deleting the WordPress installation file called XML-rpc.php.

The only problem is that when you update WordPress it will be recreated, so a more accurate measure would be to add these lines to the already familiar .htaccess file :

# protect xmlrpc

<Files xmlrpc.php>

Order Deny, Allow

Deny from all

</Files>

22. Check the changes in the files of your WordPress installation

You must bear in mind that security must be a permanent and active concern. But, fortunately, WordPress helps us to automate many of these tasks, and almost always for free.

And a great way to keep an eye on our WordPress installation is by using plugins like iThemes Security or WordFence, as seen above. These plugins will monitor for us the integrity and possible changes of the files of our WordPress installation, trying to avoid modifications and, when it is not possible, notifying us of these changes so that we can revert them and thus remain safe.

Do you know more tricks to improve security?

I hope all these tricks and actions to protect WordPress will help you. They are not all that exist but they are the most important. However, surely you know some more tricks, so don’t be shy and tell me about them in the comments.

Also, if you have any questions, I’m looking forward to hearing and answering them.