Wordpress developer

WordPress Protecting ways

Administrative area of any web applications has long been a favorite target for hackers, and developers extremely concerned about its safety. This also applies to WordPress: when registering a new blog, system creates an administrator account with a unique randomly generated password in real time. It’s blocking universal access to system settings, controlling it using the login page.

This article focuses on the issues of the WordPress security enhancement – both admin panel and blog settings implying all the content of «wp-admin» folder, which is shown only after login. We have deliberately singled out the phrase “after login” – you must be aware that only one simple request separates “evil hackers” and the admin panel of all your blog or website! And the latter is protected as hard as powerful password you chose. To make it harder for hackers by several times, we offer a set of operations that you can perform manually. These solutions cannot guarantee 100% protection, but with their help you may significantly improve the security of your blog.

Change your username

It you still “admin”? When creating a site, it puts more often. This is the first thing that is checked by bots, seeking security holes. Log into the administrative part and create a new administrative account with some other name. Then exit control system, re-enter and delete the “admin” account.

Avoid free themes

Many sites offer you to download a ready-made theme for the design of your web resource. There are hidden unpleasant “surprises” in some of them. Use only trusted sites, like WordPress.org to download one or create your own using free frameworks.

Beware of plug-ins

Certainly, plugins give you different functionality from the basic’s, however, some of them are opening the door to hackers. Download them only from the official WordPress site and pay attention to all the warning appears. Also, do not forget to update the plug-ins. “Less is better”, when it comes to any add-ins and add-ons. As an administrator, you must make sure that you have installed and active, only those plug-ins that you really need. Each plug-in – this is a potential security risks and threats, as they are developed by foreign WordPress plugin developers.

Make regular database backups

Not all cyberattacks can hurt you, but even one successful may spoil your blog’s life. Make regular backups of your site! Many hosts enabling this feature by default, and in case of problems, you can restore a site from a copy of the monthly, weekly, yesterday’s “freshness.”

Backup – another important part of your safety. The consequences of hacking are different: your reputation may suffer, the domain can lose, data that was stored on site in a single copy may disappear (let alone all those hours spent on the design and publication of pages and materials are simply lose their meaning). Backup successfully solves half of the problem, and WordPress supports different scenarios both paid and free backups.

Plugin WP-DB-Backup – one of the most popular tools of its kind. Among other things, it allows you to configure automatic backup, which will then be sent to your email. If you use Dropbox cloud data store, then WordPress Backup to Dropbox – another great way to cover up the rear. The plugin connects to Dropbox on the OAuth authentication protocol that provides limited access to protected resources without using its sensitive data (login and password).

Scan your computer for viruses

It is necessary to monitor not only your website on WordPress, but also for your own computer. You must have frequently updated antivirus. Do you want you to infect your site, placing there some virus files?

SFTP is not FTP

All downloads on your site should be via SFTP, if your provider allows you to do it. If not, go to a more secure hosting provider. The connection will take place over a secure protocol and the “bad guys” will not be able to intercept it.

Hide the entrance in the admin panel

Log in to the admin panel can be masked by installing WordPress into a directory with some catchy name. It could be your mother’s maiden name and any “ILoveSeoVeryMuch”. The name does not matter, the main thing – to change the address of the entry point. An important thing: if you have changed the installation path of “WordPress”, you must go to the “Parameters – General” and indicate in the “Address WordPress (URL)» box a new path to the CMS-system, and in the “site address (URL)» – real address (http : //example.com/), by which the customers will see your site.

Hide the WordPress version

Version of your CMS-system – a very valuable information for intruders. By default, it is available to everyone, but it’s easy to fix. If you’re a web developer, the easiest way is making changes in functions.php file, but if the programming is not for you, you can install the popular plugin Better WP Security and hide the version of “WordPress” with its help.

Protect your wp-config.php file

Not all ISP servers allow you to transfer data at higher levels than the root directory. In other words, not everyone have enough rights to perform the previous step. Or for other reasons: for example, if you have multiple blogs, at a certain folder structure you do not succeed to put in the root of all the files because their names are the same for each of the blogs. In this case, we may prohibit access to wp-config.php file externally using the .htaccess file. Here is the code for this:

[code]# protect wpconfig.php

<files wp-config.php>Order deny,allowdeny from all


It is important to make sure that the .htaccess file is in the same directory as the wp-config.php file. Also, starting with version 2.6, WordPress allows you to move the wp-config.php file to a higher level. Due to the fact that the file contains much more valuable information than any other, and because there is always much more difficult to gain access to the server’s root folder, it makes sense to store it is not in the same directory as the other files. WordPress automatically turn to the highest folder in the wp-config.php file search. Any attempt by the user to adjust the way useless.

The configuration file WordPress wp-config.php contains some site settings and information to the database access. Also, there are other settings related to security (they are presented in the list below). If such values in this file isn’t present, or are only installed by default, you need to, respectively, add or modify them:

  • Security Keys: starting with version 2.7, there are four key security in WordPress, which must be properly installed. WordPress saves user from the trouble of making up these lines by himself, automatically generating these keys from a safety point of view. You just need to insert the key in the wp-config.php file line. These keys are required to ensure the safety of your blog.
  • Prefix of the re-installed WordPress blog table should not be the standard «wp_». What is the value of prefix more difficult, the less likely possibility of unauthorized access to tables of your MySQL database: Bad: $ table_prefix = ‘wp_’ ;. Much better: $ table_prefix = ‘wp4FZ52Y_’; Do not be afraid to forget this value – you’ll no need to enter it later.
  • If you have the SSL encryption available on server, it is recommended to enable it to protect the administrative area. This can be done by adding the following command in the wp-config.php file: define ( ‘FORCE_SSL_ADMIN’, true). You can also regulate other system settings in the configuration file.

Protect your .htaccess file

It looks a little strange that someone would change this file, but it is the heart of your defense, so better take care of it in advance. Lock every door, what you can.

Put to the code:

<files .htaccess>

order allow, deny

deny from all


Restrictions by IP address

If you have a static IP-address, you can restrict access to the administrative part of the site. This is a great way to protect yourself. In the .htaccess file, add the following lines:

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName “Access Control”

AuthType Basic

order deny, allow

deny from all

allow from ??.???.???.???

At the root of your blog delete files “readme.html” and “license.txt”. You don’t need them: some scammers use it in order to know the version of your WordPress engine and much more useful for hacking.

Also in the header.php file of your blog topics remove the line:

<Meta name = “generator” content = “WordPress 3.9.1” />

This line also shows the version of WordPress.

The prohibition of the HTTP header tracking

Add these lines to .htaccess:

RewriteEngine On


RewriteRule * -. [F]

Protection against SQL-injection

This is the most common WordPress websites attack form. Many hosting providers close these possible “holes” in the protection, but you do not interfere and defend themselves. Again, add these lines to .htaccess:

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC, OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0 – 9A-Z]{0, 2}) [OR]

RewriteCond %{QUERY_STRING}  _REQUEST(=|\[|\%[0 – 9A-Z] {0,2})

RewriteRule ^(.*)$ index.php [F.L]

Change the prefix in the tables in your database

This step is only for new installations. Removing the default prefix “wp”, you will greatly complicate a search for intruders. Open the wp-config.php file and locate the line concerning the prefix. Change it to something else: for example, ‘$ table-prefix = ‘movie _’;

How to change the prefix already working sites? You will need a PHPMyAdmin and Dreamweaver (to download a database dump, search, replace and upload the dump again).

Protect your folders from viewing

To make hackers unable to view the folder on your server by typing their full path, protect them using .htaccess (add to Options -Indexes) or place in the directory an empty file “index.html”.

Disable errors displaying on the login page.

WordPress login page is the door to the administration area of your blog, which becomes available after the faultless verification passage. Each user has an infinite number of login attempts, and each time WordPress will complaisantly indicate, where was an error. That is, if the entered login will be wrong – WordPress tell it. This is convenient for the user, but also for the hacker.

It is not difficult to guess how quickly accelerates the probability of a login/password combination, when the system indicates the exactly thing entered incorrectly. A simple line of code will help solve this problem, simply add it to your functions.php file: add_filter(‘login_errors’,create_function(‘$a’, “return null;”));

Rename the “wordpress” folder

Starting with version 2.6, it became possible to change the path to the wp-content folder. Unfortunately, it is still inapplicable to the wp-admin folder. Bloggers, thinking about the security have reconciled and hope that this will be possible in future versions. Until that happens, we propose to use the following alternative solution. After unpacking the archive with WordPress files, you will see the «WordPress» folder – rename it (ideally to something strange like “wordpress_folder_Qa135”) and then configure accordingly wp-config.php file located in the root directory.

What this change gives us?

Firstly, all the WordPress files are not mixed with other files in the root of the site, so we will increase the clarity of the root level.

Secondly, a lot of WordPress copies can be installed simultaneously in folders with different names except their cooperation, which makes it ideal for testing.

A third advantage is directly related to security: administrative area (and the blog as a whole) is no longer in the root folder, and for any hacking activities, first it will need to find. This is problematic for people, but for bots – a matter of time.

Remove the Administrator account

During the WordPress installation process, system creates an administrator account with the «admin» default nickname. On the one hand it is quite logical, on the other – a user with the nickname known, that is ID – 1, has administrative rights, is a quite predicted target for hackers with their password guessing programs. From this it follows our advice:

  • Create another user with administrative privileges and your nickname.
  • Complete the work session.
  • Login with your new account.
  • Remove the “admin” account.

If you don’t have a new blog and under admin account you already published posts or comments, from the options at the time of deletion, select “Assign all the entries and references to:” and select the name of a new user.

Note: Ideally, it is desirable that the new user login was differed from user name displayed in the posts, that no man know your username.

Choose a strong password.

Probability and frequency of potential attacks is directly dependent on the popularity of the blog. And up to this point, it is desirable to make sure that your site does not remain the weak links in the security chain. Most often it is the passwords. Why? Methods of password choice in the majority of users are often careless and spoiled. Many Investigations have shown that the majority of passwords – existing monosyllabic words typed in lowercase letters, which are not hard to find. The password guessing programs, there are even lists of the most commonly used passwords.

We recommend using at least seven characters that combine upper and lowercase and use service digits such as! “? $% ^ & ().

Limit the number of failed login attempts.

WordPress does not keep statistics of authorizations, both successful and not. It is very inconvenient for the administrator, because he does not have the opportunity to see whether there were unauthorized access attempts to take any action if they become more frequent.

We offer two solutions: plugins Login LockDown and Limit Login Attempts. After installation, they are not just log authorizations, but also limit the number of failed login attempts by blocking a certain time trying to IP.

Keep the current version.


WordPress developers are usually very quick to react if they find vulnerabilities in the engine. So stay tuned for update as possible. Fortunately, WordPress notifies the release of the new version. This also applies to plug-ins – keep their current version.



However, all these procedures can be replaced with one single load.

I don’t favor the use of plugins stack, but there are some that really help. For example, the plugin “All In One WP Security & Firewall”, which helps to make a lot of steps towards the WordPress website protection from hacking, spam, etc. This protection seems to me more as a prevention rather than special aid.

A small spoiler that can be done with the help of “All In One WP Security & Firewall”:

  • Replacing username admin
  • Protection from password guessing and login to your site
  • Manually enabling registered users
  • Protecting the database
  • Blocking IP address and user agents
  • Placing the Firewall
  • Protecting from “bruteforce” attacks
  • Decreasing the spam comments
  • Finding out about changes in system files
  • Protecting your content from copying
  • Enabling maintenance mode


We are Sydney based web design, development and digital marketing agency and have experienced WordPress developer, Magento developer and  WooCommerce developer  in our team. We can handle website development project of any size. We also offer affordable website design and small business websites packages to keeps your overall website costs down.