Simple Steps To Protect Your WordPress Site From Hackers

Website security is a concern for every site owner, and even if you don’t want to admit it, every site can be hacked.  It doesn’t matter whether the site runs WordPress, Drupal, Joomla or something else; web security is an issue for all of them.  As a company that develops and maintains WordPress sites, we have a few simple steps that will help you keep your WordPress site safe.


WordPress Security Tips

  • Backups ~ Backups will save you hours upon hours of headaches.  With an adequate backup, you can restore your site to its previous working condition.  Be aware that there are two types of backup.  A full backup has your complete site files (themes, plugins, uploaded images and graphics) plus the MySQL database.  The smaller one is a database-only backup, which holds your posts, users and settings but none of the files.  Keep copies somewhere other than the web server itself, since a compromised server can mean a compromised backup, and test a restore before you need one.  There are several plugin options that will allow you to schedule regular backups, such as WP Manager, Backup Buddy, or WordPress Backup to Dropbox.
  • Updated version of WordPress ~ Crucial to WordPress security are its updates.  The WordPress security team regularly releases security updates that close the loopholes attackers are exploiting, and an unpatched site is the easiest target there is.  Apply core updates promptly, and update your plugins and themes just as quickly: an outdated plugin is one of the most common ways a site gets hacked.
  • Change your user and passwords ~ The default user for WordPress is admin, and it is the first name every automated attack tries.  There is only a small advantage in changing the user name, because WordPress exposes login names through author archive pages (a request for /?author=1 redirects to the first user’s archive), so treat the password as the real defence: use special characters “!@#$%^&*()”, a mixture of capital and lower case letters and numbers, make it long, and do not reuse it on any other site.
  • WordPress Keys in wp-config file ~ Change the WordPress security keys in the wp-config.php file.  These secrets are mixed into the login cookies and nonces, so a site left with the placeholder values (or with values copied from another site) lets anyone who knows them forge a logged-in cookie.  Use the WordPress Key Generator (https://api.wordpress.org/secret-key/1.1/salt/) and then look for the following lines within the file.  The same file defines four matching salts (AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT) a few lines further down; replace those too.  Changing the keys logs every user out, including anyone holding a stolen cookie, which is exactly what you want after a suspected compromise.
    • define('AUTH_KEY', 'put your unique phrase here');
    • define('SECURE_AUTH_KEY', 'put your unique phrase here');
    • define('LOGGED_IN_KEY', 'put your unique phrase here');
    • define('NONCE_KEY', 'put your unique phrase here');
  • Change table prefix ~ The default table prefix for WordPress is wp_ .  Changing your database table prefix is often recommended because automated SQL injection attacks assume the default table names; it is a modest obstacle rather than a fix, and a patched site with a strong password gains far more.  If you do change it, renaming the tables is not enough: the wp_user_roles row in the options table, the wp_capabilities and wp_user_level rows in the usermeta table, and the $table_prefix line in wp-config.php all have to change as well, or every user loses their role and the dashboard reports insufficient permissions.  Take a full backup first.  If you are not sure how to do this, I recommend finding someone who is experienced with MySQL to make the changes for you.
  • Disallow Search Engines from indexing admin section ~ Google and other search engine spiders crawl your website and index every piece of content unless they are told not to, and you do not want the admin section indexed.  The easiest way to keep well-behaved crawlers out of the admin directory is to create a robots.txt file in your root directory; you can use Google Search Console to verify the changes.  Be clear about what this does and does not do: robots.txt is a public, advisory file, so it hides nothing from an attacker (it actually lists the paths you consider sensitive) and it blocks nothing.  Real protection for the admin area comes from strong passwords, file permissions and web server rules.  Keep the rules narrow, too.  /wp-admin/admin-ajax.php is called by the front end of many themes and plugins and must stay reachable, and do not block /wp-includes/, /wp-content/plugins/ or /wp-content/themes/: those directories hold the CSS and JavaScript Google needs to render your pages, so blocking them hurts your indexing without improving security.  Just add the following:
    • User-agent: *
      Allow: /wp-admin/admin-ajax.php
      Disallow: /cgi-bin/
      Disallow: /wp-admin/
      Disallow: /wp-content/cache/
      Disallow: */trackback/
      Disallow: */feed/
      Disallow: /*/feed/rss/$
      Disallow: /category/*
  • Protect your htaccess file ~ A few additions to the .htaccess file in your site root will protect your website: deny web access to wp-config.php and to .htaccess itself, and stop PHP files from executing inside wp-content/uploads so that an uploaded file can never be run as code.  These rules only apply on Apache, they are specific to your website and hosting setup, and a single typo in this file takes the whole site down, so they should not be done by a novice.  Back the file up before you edit it.
  • Limit Logins ~ This plugin helps deter brute force attacks on your site by locking out an address after a number of failed login attempts.  Limit Logins takes about 5 minutes to configure, however the benefits are long lasting.  Even a low traffic site will see hundreds of attempts against wp-login.php, and against xmlrpc.php, which attackers use to try passwords without going through the login form; counting the POST requests to those two files in your web server’s access log will show you the scale of it.
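For the key-rotation step above, here is an added example (not the page’s own code, and not the WordPress generator, which is a web page you paste from) that does the rewrite locally: it draws fresh 64-character values from the operating system’s CSPRNG and swaps them into every define() of a secret constant in wp-config.php, leaving DB_NAME and the other defines alone. The constant names, the placeholder text and the define() syntax are WordPress’s own; the sample configuration embedded in the script is constructed for the example, and the script name rotate_keys.py is an assumption.

```python
import re
import secrets
import string
import sys

# The eight secret constants WordPress reads from wp-config.php. The page lists the
# first four; the matching *_SALT constants sit a few lines below them in the file.
WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"

# Characters that are safe inside a single-quoted PHP string: no quote and no
# backslash, so the generated value never needs escaping.
_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>,.?/:;|~"

# Matches define('NAME', 'value'); with any spacing, as WordPress writes it.
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);")


def random_key(length=64):
    """A 64-character secret from the OS CSPRNG (the length the WordPress generator uses)."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def placeholder_keys(config_text):
    """Names of secret constants still carrying the stock placeholder or an empty value."""
    return [name for name, value in _DEFINE_RE.findall(config_text)
            if name in WP_SECRET_KEYS and value in (PLACEHOLDER, "")]


def rotate_secret_keys(config_text, keygen=random_key):
    """Replace the value of every secret constant defined in wp-config.php.

    Returns (new_text, new_values, missing). `missing` lists constants that were not
    defined at all, so the caller can add them instead of silently running without.
    define() lines for other constants (DB_NAME, DB_PASSWORD, ...) are left untouched.
    """
    new_values = {}

    def replace(match):
        name = match.group(1)
        if name not in WP_SECRET_KEYS:
            return match.group(0)
        new_values[name] = keygen()
        return f"define('{name}', '{new_values[name]}');"

    new_text = _DEFINE_RE.sub(replace, config_text)
    missing = [name for name in WP_SECRET_KEYS if name not in new_values]
    return new_text, new_values, missing


# Constructed sample of the relevant wp-config.php lines (not any real site's file).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_PASSWORD', 'correct horse battery staple');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    # Usage: python rotate_keys.py /path/to/wp-config.php   (rewrites the file in place)
    # With no argument it runs on the constructed sample and prints the result.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WP_CONFIG
    new_text, values, missing = rotate_secret_keys(text)
    if len(sys.argv) == 2:
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(new_text)
    else:
        print(new_text)
    print("rotated:", ", ".join(values), "| not defined:", ", ".join(missing) or "none",
          file=sys.stderr)
```

Generating the values locally means they never cross the network, and the restricted alphabet guarantees the result is always a valid PHP single-quoted literal. The `missing` list is the check to watch: a wp-config.php that defines only the four keys and none of the salts still leaves half of the secrets at WordPress’s defaults.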
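For the table-prefix step, an added example (not the page’s own code) that performs the whole rename, not just the tables, on a constructed three-table miniature of a WordPress database held in SQLite so that it runs stand-alone: it renames every table carrying the old prefix, then renames the prefix-dependent rows in the options and usermeta tables, and finally points $table_prefix in wp-config.php at the new value. The prefix-dependent row names are WordPress’s own; the one assumption that differs from a real site is the SQLite rename syntax, which the comment maps to MySQL.

```python
import re
import sqlite3

# Rows whose key is built from the table prefix. WordPress looks these up using the
# current $table_prefix, so after a rename every user silently loses their role unless
# these rows are renamed too. Plugins may store their own prefixed keys; extend the
# lists if a plugin on the site does.
PREFIXED_OPTION_SUFFIXES = ("user_roles",)
PREFIXED_USERMETA_SUFFIXES = ("capabilities", "user_level", "user-settings", "user-settings-time")

_IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def change_table_prefix(conn, old, new):
    """Rename every table starting with `old` to start with `new` and fix the
    prefix-dependent rows. Returns the list of (old_name, new_name) pairs.

    Written against sqlite3 so it runs without a server. On MySQL the rename statement
    is `RENAME TABLE old TO new` and the table list comes from SHOW TABLES; the
    UPDATE statements are identical.
    """
    if not (_IDENT_RE.match(old) and _IDENT_RE.match(new)):
        raise ValueError("prefixes must be plain identifiers")
    cur = conn.cursor()
    tables = [row[0] for row in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND substr(name, 1, ?) = ?",
        (len(old), old))]
    renamed = []
    for name in tables:
        new_name = new + name[len(old):]
        # Identifiers were validated above and come from the catalogue, so quoting is safe.
        cur.execute(f'ALTER TABLE "{name}" RENAME TO "{new_name}"')
        renamed.append((name, new_name))
    new_tables = {pair[1] for pair in renamed}

    if f"{new}options" in new_tables:
        for suffix in PREFIXED_OPTION_SUFFIXES:
            cur.execute(f'UPDATE "{new}options" SET option_name = ? WHERE option_name = ?',
                        (new + suffix, old + suffix))
    if f"{new}usermeta" in new_tables:
        for suffix in PREFIXED_USERMETA_SUFFIXES:
            cur.execute(f'UPDATE "{new}usermeta" SET meta_key = ? WHERE meta_key = ?',
                        (new + suffix, old + suffix))
    conn.commit()
    return renamed


def set_config_prefix(config_text, new):
    """Point the $table_prefix assignment in wp-config.php at the new prefix."""
    if not _IDENT_RE.match(new):
        raise ValueError("prefix must be a plain identifier")
    text, count = re.subn(r"\$table_prefix\s*=\s*'[^']*';", f"$table_prefix = '{new}';", config_text)
    if count != 1:
        raise ValueError("expected exactly one $table_prefix assignment")
    return text


def build_sample_db():
    """Constructed three-table miniature of a WordPress database (not a real dump)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options  (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options (option_name, option_value) VALUES
            ('siteurl', 'https://example.com'),
            ('wp_user_roles', 'a:1:{s:13:"administrator";a:1:{s:12:"capabilities";a:1:{s:14:"manage_options";b:1;}}}');
        INSERT INTO wp_users (user_login) VALUES ('admin');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'nickname', 'admin'),
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (1, 'wp_user_level', '10');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for old_name, new_name in change_table_prefix(db, "wp_", "x7k_"):
        print(f"{old_name} -> {new_name}")
    print(set_config_prefix("$table_prefix = 'wp_';\n", "x7k_"), end="")
```

Do the database part and the wp-config.php part together, inside a maintenance window and after a full backup: between the two steps the site cannot find its tables at all.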

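For the robots.txt step, an added example (not the page’s code) that uses Python’s urllib.robotparser to show what a rule set actually does to a polite crawler. It compares the broad rule set many WordPress guides publish, which also blocks wp-includes, plugins and themes, with the narrow one WordPress itself serves when no robots.txt file exists, against a few constructed paths. The hostname example.com and the sample paths are placeholders; the wildcard rules from the list above are left out because Python’s parser does not understand wildcards.

```python
import urllib.robotparser

# The broad rule set many WordPress guides recommend (constructed for this example).
BROAD_RULES = """User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
"""

# The narrow version WordPress serves by default. The Allow line is placed first so it
# wins under both Google's longest-match rule and the first-match rule urllib uses.
NARROW_RULES = """User-agent: *
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-admin/
"""

# Constructed paths a crawler meets on a typical site: the dashboard, the AJAX endpoint
# front-end plugins call, a core script, a theme stylesheet and an ordinary post.
SAMPLE_PATHS = [
    "/wp-admin/",
    "/wp-admin/admin-ajax.php",
    "/wp-includes/js/jquery/jquery.min.js",
    "/wp-content/themes/twentytwentyfour/style.css",
    "/2024/03/hello-world/",
]


def blocked_paths(rules_text, paths, agent="Googlebot"):
    """Paths a crawler that honours robots.txt would skip.

    This says nothing about what an attacker can fetch: robots.txt is advisory, and a
    scanner reads it as a list of places worth looking at.
    """
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(rules_text.splitlines())
    return [p for p in paths if not parser.can_fetch(agent, "https://example.com" + p)]


def main():
    for label, rules in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        print(f"{label}: blocked {blocked_paths(rules, SAMPLE_PATHS)}")


if __name__ == "__main__":
    main()
```

Run it and the broad set blocks admin-ajax.php, the jQuery script and the theme stylesheet along with the dashboard; the narrow set blocks only the dashboard. Whichever you publish, test the live file with Search Console’s URL inspection, because the rules Google applies (longest match, wildcards) are not exactly the ones this parser applies.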

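For the Limit Logins step, an added example (not the plugin’s code and not from the page) that shows how to confirm the brute-force traffic in your own access log: it counts POST requests to wp-login.php and xmlrpc.php per client address, treating a 200 response to a wp-login.php POST as a failed login (WordPress re-renders the form) and a 302 as a success (the redirect to the dashboard). The log lines are constructed from documentation addresses; the line layout is the combined log format that Apache and nginx write by default, and the threshold of three is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# Combined access log line: client IP, timestamp, request line, status code.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines using documentation address ranges (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:08:31:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:08:31:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:00:00 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
"""


def login_attempts(lines):
    """Per-IP counts of login activity.

    A failed wp-login.php POST gets the form back with status 200; a successful one is
    answered with a 302 to the dashboard. xmlrpc.php POSTs are counted separately
    because attackers use that endpoint to try passwords without touching the form.
    Lines that do not parse, or are not POSTs, are ignored.
    """
    counts = defaultdict(lambda: {"failed": 0, "success": 0, "xmlrpc": 0})
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        name = path.rsplit("/", 1)[-1]
        ip = m.group("ip")
        if name == "wp-login.php":
            key = "success" if m.group("status").startswith("3") else "failed"
            counts[ip][key] += 1
        elif name == "xmlrpc.php":
            counts[ip]["xmlrpc"] += 1
    return dict(counts)


def suspicious_ips(lines, threshold=3):
    """Addresses with at least `threshold` failed logins or xmlrpc POSTs: the
    candidates a lockout plugin or a firewall rule would act on."""
    return sorted(ip for ip, c in login_attempts(lines).items()
                  if c["failed"] + c["xmlrpc"] >= threshold)


if __name__ == "__main__":
    # Usage: python login_attempts.py < /var/log/apache2/access.log
    # With nothing piped in, it runs over the constructed sample.
    import sys
    lines = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for ip, c in sorted(login_attempts(lines).items()):
        print(f"{ip:16} failed={c['failed']} success={c['success']} xmlrpc={c['xmlrpc']}")
    print("suspicious:", suspicious_ips(lines))
```

On the sample, 203.0.113.7 shows three failures and an xmlrpc.php attempt and is flagged, while 198.51.100.23 logged in once and is not. If the site sits behind a reverse proxy or CDN, the first field will be the proxy’s address; log and parse the X-Forwarded-For header instead, or every visitor looks like one attacker.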
I can’t guarantee that your site will be 100% protected, but I can say that the chances of being hacked drop dramatically when you follow these few simple steps.  If you are still having issues with your site or need help, feel free to contact us for assistance!  We’re here to help.