HostOnNet Blog

Securing WordPress Site

WordPress is the most popular content management system (CMS) on the web. This article will explain how you can best protect your WordPress site from malware and cracking, without having deep security knowledge.

1. Create a backup of your site.

If you have cPanel you can do this with the backup manager.
If not, you can use “backup buddy”, a WordPress plugin.

2. Update WordPress Version

This is critical because WordPress issues updates that close security vulnerabilities.

3. Change Your Login/Password

The default WP username is “admin” and hackers know this. So you should change it to strong passwords.
(These should incluse UPPER and lowercase letters, numbers, and symbols)
Most hackers try to brute-force your passwords so if it is really strong you should be fine in that regard.

4. Change your WordPress Keys!

Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.

Use the WordPress Key Generator to generate mentioned keys. Now edit your wp-config.php file and fine the lines that look like:


define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

Replace them with the ones from the Key Generator and save.

5. Install WP Security Scan

This plugin is great and makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code.

6. Prevent .htaccess Hacks

.htaccess (hypertext access) is the default name of directory-level configuration file that provides decentralized management of configuration while inside your web tree.

.htaccess files are often used for security restrictions on a particular directory.

So let’s secure your .htaccess!

First we want to protect the .htaccess file itself so add the following (Do this for all .htaccess files you have in root and or create)


# STRONG HTACCESS PROTECTION

order allow,deny
deny from all
satisfy all

Public_html .htaccess below

Now lets secure your config.php by adding:

# protect wp-config.php

Order deny,allow
Deny from all

Now lets prevent the hacker from browsing your directory tree by adding


# disable directory browsing
Options All -Indexes
Lets prevent some script injections now:


# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Go to your /wp-content folder. Lets limit access to the wp-content directory by creating a .htaccess in the wp-content folder and adding:


Order deny,allow
Deny from all

Allow from all

Go to your /wp-admin/ folder. Now if you have a static IP I would recommend creating a .htaccess in your wp-admin folder with the following .


# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx
deny from all
Replace the X’s with your IP.


About Annie

I've been working in Technical Section for over 10 years in a wide range of tech jobs from Tech Support to Software Testing. I started writing blog for my future reference and useful for all.
Posted in Windows. Bookmark the permalink.