Home / Ten Tips To Make WordPress Hack-Proof

Ten Tips To Make WordPress Hack-Proof

Please Share...Print this pageTweet about this on TwitterShare on Facebook0Share on Google+0Pin on Pinterest0Share on Tumblr0Share on StumbleUpon0Share on Reddit0Email this to someone

Having your blog hacked isn't fun, and the standard WordPress installation is not impermeable.  Here I explain the whys, the whats, and the whatnots.

Not only does a hacked blog result in downtime, while you work with your ISP to track the problem and ensure it doesn't happen again, it can also mean you spend time, for instance, getting your e-mail client resolving properly once morewp_security_scan img. All in all, valuable time wasted.

Prevention is better than cure. Here are 10 tips to make WordPress hack-proof.

What You Need

Before You Begin

  • backup your files, using your FTP client
  • backup your database, using wp-phpmyadmin. If you don't know how to do that, check out this video tutorial:

Ten Steps to a Secure WordPress Installation

1. Upgrade WordPress  To the latest version. If you're using 2.7 or later, this can be done from your admin dashboard, at the click of a button, automatically. Just look for the "upgrade" button. If you're using an earlier version, read this.

2. Update Plugins  Make sure all are upgraded to their latest versions. If they're not, you are notified on your plugins admin page. Old versions can present a security risk.

wordpress prefix changing image

3. Change "wp_" Database Table Prefix

I use wp-security-scan, from the same guys that developed the popular All In One SEO Pack *, Semper Fi Web Design. Once activated, on the left-hand menu, click on "Database" in the "Security" drop-down. The page that loads allows you to easily change the prefix. If that doesn't work, instead throwing an error, do this:

  • i. Deactivate all WordPress plugins, as a precaution.
  • ii. Backup the database, as explained in the video above.
  • iii. Open the downloaded *.sql file with a text editor (where * is the name of your database.)
  • iv. Find and replace all instances of your "wp_" prefix with your new prefix.
  • v. Within your WordPress database, drop all the tables. DO NOT DROP THE DATABASE itself, only the tables. Wp-phpmyadmin is a great plugin to use.
  • vi. Still within your WordPress database, import your newly-amended *.sql file, the one you edited by changing the prefix. Wp-phpmyadmin or similar again.
  • vii. Open and edit your wp-config.php file, in the root blog folder, changing $table_prefix = ‘wp_’; to $table_prefix = ’yourNewPrefix_’;.
  • viii. Reactivate your plugins.

* Truth is, I prefer HeadSpace to the All In One, but that's another story.

4. Delete "Admin" User  Just to make hackers work harder, bin this. Create a new user with administration rights, and give the user a nickname (for public display) that is not the same as the username. Then log out, log back in as the new user, and delete the original "admin" user.

5. Use a Stronger Password  Bit obvious, this one. Mix it up with letters, digits and special characters, upper and lower case. I use RoboForm to remember (and encrypt) my passwords, and that's free.

6. Hide Your WordPress Version  From your theme's folder, open "header.php", search for the line…

<meta name=”generator” 
content=”WordPress <?php bloginfo(’version’); ?>” />

…and delete it.  It has no useful purpose.

7. Ensure WordPress Database Errors Are Turned Off  In recent WordPress versions, they are turned off by default. So upgrade.

8. Remove WP ID META Tag  Delete this tag from the WordPress core. After you activate and run wp-security-scan, this is done automatically.

9. Create a .htaccess File in "wp-admin/"  Open a new text file and paste this…

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]# END WordPress

Save the file as .htaccess and upload it to your "wp-admin/" folder, i.e., to http://myblog.com/wp-admin/

10. Hide Your Plugins  If you're not sure whether they're hidden or not, navigate to http://myblog.com/wp-content/plugins. If you see a 404 error page, they're hidden. Otherwise, you'll see them listed. In that case, copy the following into a new .htaccess file, adding the file to your wp-content/ folder…

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]# Prevents directory listing
IndexIgnore *
# END WordPress

Some Web hosts don't allow you to administer .htaccess files. If that's the case, instead of using a .htaccess file to hide the list of plugins, create an index.html file. You can write something about restricted access in there, if you like. Either way, this file will prevent a plugin listing.

Now navigate to http://myblog.com/wp-content/plugins. They should be hidden.

After You're Done

Just to be thorough, and because a few things have changed…

  • Backup your files again, using your ftp client.
  • Backup your database again, using wp-phpmyadmin.

That's it. Your blog is more secure, and way less hackable. Go make content!

Comment below, or e-mail me with questions and tips.

Powered by

About the_guv

  • This is a good read and well worth the effort to employ. Also let me add that changing the “powered by WordPress” to something different is also a good tactic to use. Thanks for posting this.

  • Part of the problem is the widespread use of Fantastico for installing WordPress in the first place. I will be updating my Fantastico Fix report to include the additional plugins you have mentioned, as well as the tweaks for securing WordPress regardless of the installation method.

    Good stuff!

  • Besides removing the admin account, you should also have each account use a different account name and nickname. Then set their posts to display nickname. Can’t hack an account name that doesn’t exist.

  • tx folks,

    appreciate those comments and tips.

    ..pleased you like my article.


  • That makes so much sense. admin is too easy – make it hard to figure out what the admin username is! Brilliant! Thanks!

  • Joe

    Hey these tips worked! Thanks

  • Thanks for the tips! I will try them out.

  • Some brilliant information, these tips are great, something many should follow. Thanks

  • Wow, so simple and yet completely out-of-the-box. I will definitely follow this great advice. Many thanks.

  • Excellant information. Many of us don’t do these inportant tasks. I will be more aware in the future.

  • Very good I will keep that in mind. I thank you.

  • Great tips and advice for WP bloggers. As said above, some I would never think of so I’m off to do it right now! 🙂

  • “Blog Security” is one of the top security blogs out there keeping an eye on all things blog security and WordPress.

    They’ve just released two great articles WordPress fans need to check out.

    First is news of a video and blog post by Guvnr called “10 Tips to Make WordPress Hack Proof. The effort involved tips from BlogSecurity’s popular WordPress Security Whitepaper, inspiring them to update and improve it soon.


  • tx all ..

    appreciate your kind words.

    and am glad you found this Guvnr.com tutorial handy.

  • Great WP tips!

  • Excellent Article, will be doing this in the AM. thanks much for the good security topic.

  • @TwitterTrends and LarryC

    pleased you like .. best to you.

  • Thanks, Guv. Followed a few of your tips – hope I don’t get hacked again! Thanks for writing this up.

  • A lot of of folks talk about this matter but you said some true words.

  • @Mike, Zedd, Bob N & empathype
    … many thanks for your kind comments. sorry for delay, but a Mighty Merry Christmas!!

  • Dave Korpi

    Wowieee! That is a lot of stuff to do…
    I like the videos and have it marked to do for my upcoming blog… But now I am a bit paranoid and at the same time chicken to try all that stuff!

    ADDITIONALLY.. I am not sure what folks do to hack it and why would they hack it anyway? Can you go over what hacking can result in?

    Do they figure out weak passwords and then just edit it like I would? Or, do they hack it by somehow getting to the files another way? Like why change the names and hide the version number??

    Just seems you describe something that really needs to be done but a quick example of what can go wrong if we do not would help little ole me out for sure!

    Also, why would I use wordpress MU for a blog that only is one one subject?

  • Adam

    Very timely article as I got hacked twice early this week right after upgrading to 3.0. I added an .htaccess file to my admin directory that limits what IP addresses have access to it. The only problem is my ISP has dynamic IP so I have to constantly change the file.
    Can you explain how the code in the .htaccess file for the admin folder you listed above works? Since it doesn’t involve an IP address, it seems like a better option for me.


  • Really informative, i got hacked two time while using wordpress. thank god you saved my time…

    Thank you the_guv

  • Until recently, I rarely updated plugins or my WP install. I’m getting quite concerned with security now and update everything immediately. These are good tips. The changing of the db prefixes may be a bit longer until I do that. I’ll look further into it though.