Wordpress & Web Development

6 Things You Can Do To Secure Your WordPress From Hackers

Christian Cawley 27-04-2012

6 Things You Can Do To Secure Your WordPress From Hackers muo 6wpsecure introRunning a WordPress-based website is often a pleasure, enabling you to focus on content and building relationships with readers and other websites.


However, not everyone on the web is as friendly as you. Somewhere out there is a list with your blog’s name on it, where it sits, waiting to be targeted by hackers. When they get around to your blog, they’ll try various tactics to gain access to it, perhaps with the aim of selling legal drugs or infecting your visitor’s computers with malware.

Fortunately, there are various ways in which you can protect your WordPress blog from hackers.

Regularly Update WordPress

One of the most powerful but oft-overlooked solutions for keeping WordPress safe from hackers is to make sure it is regularly updated.

Obviously there is a down-side to this – some of your best WordPress plugins The Best WordPress Plugins Read More might stop working if WordPress is updated – but at the same time it should be looked upon as an opportunity to refresh your plugins, find replacements that themselves are secure and reliable and basically tighten up your website or blog. Sticking to plugins that are found in the WordPress directory is also a good way to keep things under control.

Updating WordPress is possible from within the Dashboard, but always take a backup of your database before doing so.


Keep Regular Backups

An important procedure for all WordPress blog owners is to ensure that backups are made regularly and that they can easily be restored should the worse happen.

Solutions are plentiful, but Cloudsafe365 is one of the most powerful, combining cloud backup (Dropbox can be used) with various secure protection tools against techniques such as cross site scripting, SQL injection, and even monitors content theft.

Cloudsafe365, available from the WordPress plugins site , comes in three flavors. A free option covers the things listed above, while the paid options offer further features such as protection against code injection and brute force attacks.

Install an Encrypted Login Plugin

Protecting the actual act of logging on to your WordPress-based website is best effected by using an encrypted login plugin, as the website software doesn’t have this facility by default. Probably the best solution for this – perfect for protecting your blog login details from packet sniffers on wireless networks – is Chap Secure Login, which uses the SHA-256 algorithm to protect your username and password.


6 Things You Can Do To Secure Your WordPress From Hackers muo 6wpsecure4

Meanwhile the Login Lockdown plugin is a useful way of blocking IPs that record repeated failed attempts to access your site.

Other login protection steps you can take includes installing a strong CAPTCHA  plugin. RetinaPost is a particularly impressive plugin, requiring users to enter highlighted characters from a phrase rather than try and decipher screwed up text images or do maths challenges. Any attempts to disrupt your blog using the comments system can be markedly reduced using this plugin.

Hide “Powered by WordPress”

Hackers have a different tactic for each of the various types of website software that is in use, but you can make things tougher for them by not advertising the fact that your website is “Powered by WordPress”.


6 Things You Can Do To Secure Your WordPress From Hackers muo 6wpsecure3

By default this information can be found in the footer.php file, reached by entering your blog’s Dashboard, selecting Appearance > Editor to edit within the browser window. Different themes will require different methods for removing this text, so you should check online to find the best approach (if plain text is used to display the legend, then delete this; if PHP code is used, tread carefully unless you know what you’re doing).

Change Admin Username

One way in which hackers can find a way into your site is by using brute force software that will attempt multiple logins using common words and phrases as passwords, coupled with a selection of obvious usernames.

The administrator username in WordPress can be selected when the software is setup, but in the rush to get things done many users leave it at the default choice of “admin”. As obvious usernames go, this comes at the top of the list, which is why changing it is important.


Two ways exist for changing the admin username. First, you can create a second administrator account with a username which isn’t obvious, and then delete the original user. Note, however, that this might have an effect on any articles written under the administrator account (they’ll perhaps be unpublished until a new name is set, or display an error on the post page).

Probably the most effective way to do this is to access your site’s phpMyAdmin, select the WordPress database, find the wp_users table (“wp_”is a default prefix which may have been changed at installation) and use the Browse icon to find the “admin” username.

6 Things You Can Do To Secure Your WordPress From Hackers muo 6wpsecure1

Once discovered, find the user_login column, click the edit button on the appropriate row and then change “admin” to your preferred administrator account login name, clicking Go when you’re done.

Move the wp-config File

A glaring issue with WordPress is that the key security details are stored in a single, unencrypted file that can be hacked and used to take control of your blog. The wp-config.php file contains the admin login details as well as the username and password for the MySQL database.

Therefore, securing this file is paramount if you wish to protect the site from hackers.
6 Things You Can Do To Secure Your WordPress From Hackers muo 6wpsecure5
One thing you shouldn’t do, however, is delete wp-config – this would leave your site unusable (and rather blank). So how do you protect your site from this bizarre vulnerability?

Since the release of WordPress 2.8, blog owners have had the ability to move the file to the root web directory on the server. What this means, for instance, is that if you have your site installed in www.mysite.com/wordpress, the wp-config.php file can be moved up a level, to the mysite directory.


Regardless of how technical or non-technical you are, if you run a WordPress blog there is no excuse not to implement any or all of these tools to protect your website from hackers.

After all, what is the point in putting in all of that hard work only to find that someone has taken over the site and is now costing you your regular visitors by advertising Viagra?

These steps can be implemented in just a couple of hours – perhaps a single weekend morning if you’re pressed for time – so don’t ignore, act now.

Related topics: Webmaster Tools, Wordpress Plugins.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Jack
    October 27, 2017 at 4:52 am

    Just a smiling visitor here to share the love (:, btw great style and design. “The price one pays for pursuing a profession, or calling, is an intimate knowledge of its ugly side.” by James Arthur Baldwin.


  2. Jack
    October 11, 2017 at 4:58 am


  3. Aung Thu Htet
    September 13, 2012 at 2:36 am

    I use wordpress for now and your post is very useful for me.

  4. Liza
    August 23, 2012 at 5:22 am

    Just a hint/tip, hiding "Powered by WordPress" actually doesn't help, as there are many other ways to know right off the bat whether a website is WordPress-powered.

  5. Access control Cape Town
    August 13, 2012 at 9:56 am

    great tips provided and really helped me to market my product. thank you for the product

  6. Jamie VanRaalte
    June 26, 2012 at 4:24 am

    I think the hiding powered by wordpress and not having the admin username as ADMIN are probably the two most important!

  7. Dave Jackson
    May 22, 2012 at 3:14 pm

    ''Hiding'' or deleting the “Powered by WordPress” does nothing. It is a quick peek at the source code which will tell you WP is being used ... the theme, the CSS location, etc.

    • Christian Cawley
      May 22, 2012 at 8:13 pm

      Hiding or deleting the phrase does an awful lot for protecting your site against any targeting bot that searches the web for the phrase "powered by WordPress".

  8. Joshua Lockhart
    April 28, 2012 at 4:54 am

    Thanks for writing this, Christian. A site I help run was recently attacked. This would have been nice to know.

  9. Ankur
    April 28, 2012 at 3:44 am

    I have a doubt. What if my site is xyz.com and I want to protect wp-config.php. I cannot move it up another level

    • Ewebpedia
      April 28, 2012 at 5:23 am

      yah, this trick seems to only be applied in site where wordpress is installed in sub-domain or sub-page but not in main domain.

    • Christian Cawley
      April 29, 2012 at 11:08 am

      There are various ways of doing this, from taking the bulk of the contents and using an include to point to a new file in a new location, but if you're on the most reason of WP it *should* (and I'm not a WP developer so don't shoot me if it doesn't work!) allow you to you move it.

      You should also clear this with your hosting provider, however, as:

      *They should be considering offering this automatically as part of the installation (assuming you have fantastico or similar automation)
      *Their a/v solution may not like having wp-config in the root directory

      • Ankur
        April 29, 2012 at 12:26 pm

        Thanks for your reply. However, I am a bit confused at what you have said. You mean there is a way of moving wp-config one directory up when you have xyz.com as WordPress site