13 Ways To Keep Your WordPress Website Secure From Hackers

WordPress security is often overlooked, and when a hack happens this can prove fatal to your blog or business website. A lack of security can often be attributed to a lack of understanding of how (or even why) someone hacks websites, and this is why it is so important to ensure your investment remains safe.

It was only after my first website got the full hacking treatment that I began to understand the importance of ensuring your website was not only rock solid, but that I always had a recent backup to correct the issue if anything did go wrong.

It was lucky that the website in question was not important to me, or this could have been devastating.

In 2013 Enable Security conducted research (just one day after the release of WordPress 3.6.1) and found that over 70% of the worlds most popular websites were considered “vulnerable” to an attack!

The research concluded a number of reasons for the vulnerabilities, but by far the major issue was failing to keep WordPress up to date.

OK! enough of the scare stories, lets discuss how to keep your website hacker free!

WordPress Backups

1. Backup Your Website Regularly!

Firstly, and arguably the most important is to ensure that you have a regular backup of your website. By backup I mean full backup (database, and everything). This will ensure that if something goes wrong (even if it goes wrong by installing a plugin meant to help your security) you have a way of fixing this with the least amount of hassle.

Many of the better WordPress hosting providers offer free daily backups, and as long as these are stored offsite (away from their own servers) then I honestly think this is the ideal method in which to ensure your backups are managed effectively. Though I still often keep my own backup in case of error (though this is only done on a monthly basis).

If you are happy with your host, or don’t want to have to fork out the excess money on hosting you can use a number of alternative services, such as Vaultpress (recommended).

Update WordPress

2. Update Your WordPress Installation

As mentioned above this offers the biggest risk to your website, and as long as you have an adequate backup of your website you will always be able to restore it if a WordPress update breaks the website. Not updating your installation is not an option, if your website falls behind on these updates it will only be a matter of time before a hacker takes advantage of the previous updates security flaws.

Again, a few of the better WordPress hosts manage these updates for you to ensure that you are always running the most current version of WordPress, an other alternative (if you are not happy doing these yourself) is to hire a professional maintenance company (though they can be expensive).

Update WordPress Themes

3. Keep Plugins & Themes Up To Date

Each WordPress plugin and theme that you install is a potential threat, as those with vulnerabilities could provide backdoor access to your websites admin. This is especially relevant when using popular templates or plugins.

So regularly look at the plugins and themes you have installed and consider whether they are necessary. Also check whether they have been updated recently, or are still being maintained by the author. If not you are best to delete them from your install.

Download WordPress Themes

4. Don’t Illegally Download Themes & Plugins

When you download a theme or plugin from anywhere but the original developers website (unless it is from WordPress itself or Themeforest) there is a risk that malware or other such goodies has been injected into the code.

File Permissions

5. Change Your Hosting File Permissions

According to WordPress and various other blogs that have previously discussed the matter you should avoid configuring directories with 777 permissions. You should opt for 755 or 750, instead, according to WordPress.org. While you’re at it, set files to 640 or 644 and wp-config.php to 600.

Security Plugin

6. Install A Specialist Security Plugin

There are a growing number of premium & free security plugins that you can use to help secure your WordPress installation, these add features such as; limiting the number of failed login attempts, strong password enforcement, changing the default login URL, and two step authentication (This means a password is required plus an authorization code that is sent to your phone in order to login to your site. Often, the second login code is sent via SMS).

None of these will guarantee that your websites security will not be breached, but they will individually block certain types of attack!

WordPress Hosting

7. Use the Best Hosting You Can Afford!

It has been said that 41% of all hacks were due to security flaws with the host themselves, so it is important to know that your website is being looked after by the best.

I am most comfortable trusting hosting that specialize in WordPress, as when hacks occur they are always quick to find the security hole and plug it – their whole business depends on it!

A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server that’s designed for running WordPress, and a customer service team that knows WordPress inside and out.

Hide Usernames

8. Hide Authors Usernames

In a default WordPress installation a hacker can easily find the main administrators username by simply adding “?author=1″ to the main websites URL. Many great WordPress hosts hide this by default, but if you are on a shared hosting plan that does not specialize in WordPress it is unlikely.

You can choose to hide this by simply adding the following code to your functions.php file.

add_action(‘template_redirect’, ‘bwp_template_redirect’);
function bwp_template_redirect()
if (is_author())
wp_redirect( home_url() ); exit;

9. Restrict Access To Admin Area Using .htaccess

It is quite easy to restrict access to your administration area by simply only allowing logins from selected IP addresses. You can do this by simply creating a seperate .htaccess file and uploading it to the /wp-admin/ directory.

Note: Do not edit your Root .htaccess file, don’t paste these codes in there. It must be /wp-admin/.htaccess if you don’t see that file then create a blank file, name it .htaccess in your wp-admin folder.

You can add a single IP:

order deny,allow
allow from
deny from all
Or multiple IP’s:
order deny,allow
allow from
allow from 123.456.7.8
deny from all
(Be sure to change the IP address’ to those that you will be accessing your website from) If you wish to access your website from elsewhere you will need to login to your hosting and alter the .htaccess file.

10. Protect Your wp-config.php File

wp-config.php is the file in your root directory that stores information about your site as well as database details, you would definitely not want someone gaining access to this file..

You can protect this by again adding code to your .htaccess file – except this time you will want to add this code to the .htaccess file in your root directory (public_html/.htaccess/)

    <Files wp-config.php>
    order allow,deny
    deny from all

So your .htaccess file may look something like this:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress
<Files wp-config.php>
order allow,deny
deny from all

11. Limit Login Attempts

Most of the advanced WordPress hosting providers often provide this as default, though there are also a number of good plugins that can help your protect yourself from a brute force attack.

These plugins basically limit the number of attempts that any user has to login, and if they get their login credential wrong repeatedly (a sure sign of a brute force attack) the IP range will be blocked for a predetermined amount of time.

The best thing about these plugins is that they provide a record of the IP address trying to breach your security – and therefore given you time to block them indefinitely using .htaccess.

Two popular free plugins that you can use for this functionality if Login Lockdown & Login Security Solution.

If you want to ban IP’s indefinitely simple add the following code to your .htaccess file (changing the IP addresses to those that you wish to block), these people will then not be able to view your site.

<Limit GET POST>
order allow,deny
deny from
deny from
allow from all

12. Prevent Access To Your wp-content Folder

Your wp-content folder contains all your websites images, themes, and plugins and is a good folder to add extra security to. The following snippet will allow users to view the contained files, but will allow users to view CSS, images etc, but will block access to core PHP files.

This will require its own .htaccess file in the /wp-content/ directory – simply create a file called .htaccess and add the following code.

Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all

13. Protect Your .htaccess File

OK, so now that we have used our .htaccess files to protect the various areas most likely to come under attack – we now need to protect this file, so that it cannot be breached.

This snippet basically stops anyone viewing any file on your site that begins with “hta”, this will protect it and make it somewhat safer.

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

You can either insert your code before # BEGIN WordPress or after # END WordPress – this will ensure that future WP updates can still update the code within these parameters.

This should be used within the top level .htaccess file.

Make sure you make a copy of your current .htaccess file before implementing any changes.


This post is by no means exhaustive, but provides a few ideas on how to protect your website from coming under attack. Until a website is hacked it is very likely that you will not take security seriously, it is only after this happens that you decide to make security your number one priority (I should know).

I plan on doing further posts where I will discuss further methods of using .htaccess to protect your website, however if you are a novice user or are unsure how to secure your website I would strongly suggest either upgrading your hosting to a specialist WordPress host, or alternatively investing in one of the premium security plugins available.

I spend days sorting websites for clients that have been hacked, and believe me you don’t want to risk your reputation by infecting your visitors computers with malware – the backlash can be more than your business can handle.