11 Simple Steps that Protect Your WordPress Website from Hacking/Vulnerability


1. Files and Database Backup

The most important step is to take regular backups: if anything goes wrong, we can fall back on the backup. Backups can be taken manually or with a ready-made plugin such as BackupBuddy, which lets you export your entire database along with the images, files and whatever else is in your blog's content folder.

2. Update WordPress

The WordPress team releases version updates regularly, and these updates contain patches that fix security loopholes. We recommend that WordPress users update their installation regularly. You can check the WordPress forums for the latest updates and details about each version.

3. Change Password

The default WordPress password is “admin123” and all the hackers know about this. The best thing to do is to delete the default admin account, create a new custom login and set a password that is difficult to guess: a mix of uppercase, lowercase, numbers and special characters. If your password is really strong, you should be fine.

4. Install WP Security Scan

This plugin scans the entire website for vulnerabilities and informs you if it finds any malicious code.

5. Block Search Engine Bots from Indexing the Admin Section

Search engine bots crawl your entire website and index every page. The easiest way to ask crawlers not to index the admin directory is to create a robots.txt file in your root directory and place the following code in it. Keep in mind that robots.txt is only a request that well-behaved crawlers honour; it does not restrict access, so it complements the .htaccess rules in the later steps rather than replacing them.
# applies to all crawlers (this line must not be commented out, or no rule applies)
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /trackback/
Disallow: */feed/
Disallow: /category/*
# do not add "Disallow: /" here: it would hide the whole site, not just the admin area

6. Change Database Table Prefix

The default table prefix for WordPress is wp_. SQL injection attacks are easier with the default prefix because the table names are easy to guess, so changing your database table prefix is highly recommended. Keep in mind that this only obscures the table names; it does not fix an injection flaw in a plugin or theme, so treat it as a complement to keeping everything updated.

7. Protect your .htaccess

.htaccess (hypertext access) is the default name of Apache's directory-level configuration file, and you cannot leave the .htaccess file itself open to attack. The code below prevents external access to any file whose name starts with .hta. Simply place it in your domain's root .htaccess file.

# deny web access to .htaccess, .htpasswd and similar files
# (the FilesMatch block limits the rule to those names; without it, "deny from all" would block the whole site)
<FilesMatch "^\.hta">
order allow,deny
deny from all
satisfy all
</FilesMatch>
# on Apache 2.4 without mod_access_compat, use "Require all denied" instead of the order/deny lines

8. No Directory Browsing

Simply add the two lines below to the .htaccess file in the root directory of your WordPress website to prevent users from browsing through the directory structure.
# disable directory browsing
Options All -Indexes

9. Limit Access to the Wp-Content Directory

wp-content contains everything: it is a very important folder and you should secure it. You don't want users to browse it and reach data they should not see. Users should only be able to view certain file types: images (jpg, gif, png), JavaScript, CSS and XML. Place the code below in the .htaccess file inside the wp-content folder (not the root). Be aware that this also blocks direct requests to PHP files under wp-content, which a few plugins and themes rely on, so test your site after adding it.
# block everything in wp-content ...
Order deny,allow
Deny from all
# ... except the static file types listed above
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</FilesMatch>

10. Protect WordPress Admin Files

wp-admin should be accessed only by you and your fellow members (if any). You may use .htaccess to restrict access to this directory to specific IP addresses. Copy and paste the code below into the .htaccess file in the wp-admin folder (not the root folder).

# deny access to wp-admin except from the listed address
# (Apache comments must sit on their own line, so do not append "# ..." after a directive)
order deny,allow
# xx.xx.xx.xx is your static IP
allow from xx.xx.xx.xx
deny from all
The code above prevents browser access to any file in this directory except from “xx.xx.xx.xx”, which should be your static IP address. Two caveats: if your IP address changes you will lock yourself out of the dashboard, and wp-admin/admin-ajax.php is also called by front-end features and many plugins on behalf of ordinary visitors, so if something stops working add a <Files admin-ajax.php> section that allows access from all.

11. Prevent script injection

We recently found out from the WordPress forum that we can prevent basic script injection and unwanted modification with mod_rewrite. Just copy and paste the code below into the .htaccess in the root. Keep in mind that these are simple pattern matches on the query string: they stop only the crudest attempts and are no substitute for keeping WordPress, plugins and themes patched.

# protect from script injection (rules shared on the WordPress forum)
Options +FollowSymLinks
RewriteEngine On
# %{QUERY_STRING} is matched raw (still URL-encoded), hence "<" or "%3C"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# any match above answers 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]
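As an added example (not code from the original article), here is a small Python model of the three RewriteCond lines above, so you can check which query strings the rule set would reject before deploying it; the sample query strings are constructed for illustration.

```python
import re
from typing import Optional

# Added example, not code from the original article: a pure-Python model of
# the three RewriteCond lines in step 11, so you can see which query strings
# the rule set rejects (HTTP 403 via the [F] flag) before deploying it.
# mod_rewrite tests %{QUERY_STRING} against the raw, still URL-encoded
# string, which is why the patterns look for both "<" and "%3C".

# Condition 1 carries [NC] (case-insensitive); conditions 2 and 3 do not.
COND_SCRIPT_TAG = re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)
COND_GLOBALS = re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")
COND_REQUEST = re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")

def matched_condition(query_string: str) -> Optional[str]:
    """Return the name of the first RewriteCond that matches, or None.

    The [OR] flags chain conditions 1 and 2 with condition 3 as a
    disjunction, so a single match is enough to fire the RewriteRule.
    """
    for name, cond in (("script_tag", COND_SCRIPT_TAG),
                       ("globals", COND_GLOBALS),
                       ("request", COND_REQUEST)):
        if cond.search(query_string):
            return name
    return None

def is_blocked(query_string: str) -> bool:
    """True when the rule set would answer 403 for this query string."""
    return matched_condition(query_string) is not None

# Constructed sample query strings (not real traffic) with the expected verdict.
SAMPLES = {
    "p=42&page=2": False,
    "s=<b>hello</b>": False,                      # markup, but no "script"
    "q=%3Cscript%3Ealert(1)%3C/script%3E": True,  # URL-encoded tag is caught
    "q=<SCRIPT>x</SCRIPT>": True,                 # [NC] makes condition 1 case-insensitive
    "GLOBALS[foo]=bar": True,
    "_REQUEST=1": True,
    "globals[foo]=bar": False,                    # condition 2 has no [NC]
}

if __name__ == "__main__":
    for qs, expected in SAMPLES.items():
        verdict = is_blocked(qs)
        print(f"{'BLOCKED' if verdict else 'allowed':8} {qs!r} "
              f"(condition: {matched_condition(qs)})")
        assert verdict == expected
```

The last sample shows why the [NC] flag matters: only condition 1 is case-insensitive, so a filter like this should be read as a coarse first line, not as a complete control.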

If you feel that your WordPress website is facing any kind of vulnerability issue and requires immediate attention, please feel free to Contact Us
