Home / Blogging / 10 Tips to Protect Your WordPress Site From Hackers

10 Tips to Protect Your WordPress Site From Hackers

Of all the worries, safeguarding your WordPress site from hackers finds the top spot. With the skill set of hackers expanding its horizon, it has become crucial for bloggers and WordPress site owners to take preventive measures in protecting their WordPress site from hackers.

Some people learn from their mistakes, but in this business, you just can’t afford one. You cannot estimate the loss an intrusion of your website would cost you. As bloggers, we occupy ourselves with projects concerning content creation and are so focused on making the content top notch that the security of our WordPress site is more than often neglected.

You don’t want to wake up some fine day and find your WordPress site hacked and your blog security mocked by some hacker. You don’t want that to be your wake-up call, do you?

Let’s see some tested and efficient ways to protect your WordPress site.



  1. Creating a backup

Before you roll up your sleeves and put your brain to work, remember to not skip the first step – creating a complete backup of your WordPress site. This is extremely important as having a backup will come handy should any changes go south on you. There are basically two ways of backing up your WordPress site: manually and using plugins.

Acquaint yourself with these methods by reading the article on this blog related to the topic.


  1. Updating your WordPress version

Make sure your WordPress site is updated to the latest version. Every time you see an update available, it means that the WordPress team has fixed the security holes present in the previous version. Following BlogSecurity and WordPress Development will keep you updated with the latest release of a new fix.

This was the basic stuff that you need to start off with. Let’s now see the real thing!


  1. Secure Your Login

There are a few things that need to be considered to secure your login.

  • Changing your login and password
  • Creating custom login links
  • Limiting login attempt


Changing your login and password:

“admin” is the default WordPress login. You know that and they know that (hackers). You should change the login to something else that would make a hacker go crazy trying to guess it. Anything that might seem irrelevant, something out of the blue, but make sure You remember it.

Also choose a strong password with a small case and upper case letters, numbers, and symbols. An example of such a password is this – “iwbgfMT23$$”.

People in your social circles know you well, now I am not saying they would guess your password easily, but why take chances?

To create a strong password I recommend you a technique. Consider a sentence that you would remember if set as password. Take the initials of the words in that sentence and add few digits and symbols to it. Such a password is almost impossible to guess as it has no meaning to it.


Creating custom login links:

What is the URL you type into login to your WordPress admin panel?

Is it your site URL with something like this /wp-login.php?

If yes, why do you think your site is secured if I know your login URL?

If a hacker manages to crack your password, then with this login URL there is nothing that could stop your site from being hacked. Fortunately, there is a way around this. And that is creating custom login links. Install a plugin called Stealth Login using which you can create custom URLs for registration, logging in, logging out and administration of your WordPress site. Not only that, but it also allows you to prevent users from directly accessing the “WP-login. PHP” file, enabling its “Stealth Mode”.

This would also protect your wp-login.php file from bots.


Limiting login attempts

If a hacker thinks he knows your password, he may try to guess it and you know never know, he may hit the right chord. To protect your WordPress site from such attempts by hackers, you’ve got to limit the login attempts.

Limiting the login attempts will definitely reduce the chances of a hacker guessing your password correctly and if you follow the tips above for choosing a strong password then there is no way a hacker could guess your password in limited attempts.

For doing this you can use a plugin called Limit Login Attempts. When a user enters a wrong password and exceeds the login limit, the plugin locks out the user for a specified time. This can be configured from your wp-admin panel.


  1. Secure your wp-config.php file

You know what wp-config.php is – your blog’s configuration and highly sensitive data which, if messed with would cause you a lot of problems. So you must secure this by denying access to it.

Now’s when your .htaccess file comes to your rescue. In your root directory locate .htaccess file and click edit. Now, just add the following code and sit back and watch your .htaccess do the trick.

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all

Everyone is denied access to the wp-config.php file including you. But hey, you know how to undo it!


  1. Secure your .htaccess

Now that you have tweaked your .htaccess file to protect wp-config.php, the question is what if the hacker gets access to .htaccess? He would easily remove the code protecting the wp-config.php file leaving your WordPress site prone to attacks.

So protecting your .htaccess should also be one of the top priorities. Here’s a trick. Place the following code in the root .htaccess file of your domain.

<Files  ~ “^.*\.([Hh][Tt][Aa])”>
Order allow,deny
deny from all
satisfy all


  1. Keys in wp-config.php

WordPress keys are crucial to your data’s better encryption. An important security measure, WordPress keys should not be overlooked. To get these keys, you can use WordPress Key Generator and once you have them do this:

  • Open your wp-config.php file
  • Scroll down to this part of the file –
  • Replace these with the ones generated by WordPress Key Generator

Well, that’s it!


  1. Change your WordPress site’s Table Prefix

Change the obvious configurations like the one I said above – your login URL. There are many things that are set by default and we tend to leave them the way they are. (They aren’t amazing just the way they are!)

A hacker knows the default table prefix for your WordPress is wp_. So it wouldn’t take much time for the hacker to launch an SQL Injection attack on your site. In such a scenario where all the data in your database is at stake, changing the default table prefix becomes a must. Doing it manually would seem an uphill task if you’re a newbie, so I recommend you use the WP Security Scan Plugin.

In the Database tab of this plugin, you will find an option to rename the default table prefix. Make sure it’s difficult to guess.


  1. Protect wp-admin files

This is the area with sensitive data and must be accessed by the owner(s) only. Again, you’ve got your buddy .htaccess to prevent other users from accessing these files.

Open the .htaccess file present in the wp-admin folder and add the following code.

#deny access to wp admin
order deny,allow
Allow from xx.xx.xx.xx # This is your static IP
deny from all


Now what this code does is it prevents all the users other than the one with the “xx.xx.xx.xx” IP (which is your static IP) from accessing the files in wp-admin.


  1. Block Search Engine Spiders

Do you know who will index the content on your blog (every bit of it) and won’t stop cuz it’s their party? Search engine spiders!

Your blog is a great place for them to crawl and index the content on. You’ve got to stop them from doing so. Tell them, it’s not their party and they can’t do what they want to!

To prevent them from indexing your admin directory, simply create a robots.txt file in the root directory. Once created, place the following code in the file.

User-agent : *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*


Once you have this code in the robots.txt file save it and you’re good to go. One thing less to worry about.


  1. Protect your blog from script injection

Protecting your blog from script injection is simple with this code that I’ll give you now. You can also prevent unauthorized modification of _REQUEST and GLOBALS using this code.

Put your .htaccess file to some use (yet again)

Copy this code and paste it in the .htaccess file present in the root directory.

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]


Hit save and your blog is protected from script injection!


Well, these were the 10 tips to protect your WordPress blog from hackers. Hope this helps you improve your blog security and keep the intruders at bay.

About Nikhil S

He is one of the co-founders of TBT. He loves to write about WordPress & SEO tutorials also he is a Computer Science Engineering Graduate.


  1. It’s an remarkable piece of writing designed for all the internet visitors; they will obtain benefit from it I am sure.

  2. Good post. I learn something new and challenging
    on sites I stumbleupon everyday. It will always be helpful to read through
    content from other authors and use a little something from their web sites.

  3. Hello, I enjoy reading through your post. I wanted to write a
    little comment to support you.

  4. Excellent post. I was checking continuously this blog and I’m impressed!

    Very useful information specially the last part 🙂 I care for such
    information much. I was looking for this certain information for a very long time.
    Thank you and good luck.

  5. I just want to mention I’m beginner to blogging and site-building and certainly liked this blog site. Likely I’m planning to bookmark your blog . You really come with excellent articles. Kudos for sharing with us your website.

  6. Hey Nikhil, protecting your WP site from any external threat or attack is very important. Apart from the ways mentioned here, you can also go for a secure WordPress hosting by a trusted provider. Go for a Plesk powered WP hosting as it provides complete security to your WP environment.

  7. Very interesting subject, appreciate it for putting up.

Leave a Reply

Your email address will not be published. Required fields are marked *