Securing WordPress is a big issue these days. A lot of sites and blogs get hacked on a daily basis. In this article I will teach you how to secure WordPress from being hacked. Let's begin by discussing some of the causes of getting hacked.
Causes of WordPress Hacking
- Using a nulled or free-downloaded premium theme? Why would someone give away premium, paid themes for free? Of course they have malicious code hidden in them which can hack your blog, or use it to add their links to your blog automatically.
- wp-config.php has no security keys defined in it.
- wp-config.php is not secured. It can be secured in a lot of ways; we will discuss them later in this post.
- The database password does not contain a mix of letters, numbers and special characters. Make a strong password, e.g. V!r2U3s$
Security Tip #1
Go to your cPanel >> File Manager >> root folder, look for the .htaccess file, open it and add this at the end:
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Security Tip #2
If you want to make your wp-config.php file more secure, you can place it one level up from the root folder. This is for high-traffic, scaled blogs and for those who want things done in the most secure way. The method is long, but I can give you the idea. Download wp-config.php and rename it, then upload it one level up, e.g. into a folder you create in cPanel before the public_html or www folder. Then create another wp-config.php file in the root folder and include the old wp-config.php file from it. This work needs a high level of knowledge; I can write a complete new post on this if anyone needs it.
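Tip #1 and Tip #2 carried out from a shell, as an added example that is not part of the original post. It assumes a cPanel-style layout where the web root is public_html and creates a sibling wp-private folder (both names are assumptions); the stub also pins ABSPATH, because the relocated file's own `dirname` guard would otherwise point WordPress at the private folder. The demo at the end runs on a temporary copy, so nothing real is touched.

```shell
#!/bin/sh
# Added example, not from the original post. Tip #1: append the deny rule to
# .htaccess. Tip #2: move wp-config.php above the web root and leave a stub.
# "public_html" and "wp-private" are assumed names; adjust them for your host.
set -eu

# protect_htaccess WEBROOT  -- add the block from Tip #1 once, never twice
protect_htaccess() {
    htaccess="$1/.htaccess"
    touch "$htaccess"
    if ! grep -q '<files wp-config.php>' "$htaccess"; then
        printf '\n# protect wp-config.php\n<files wp-config.php>\n' >> "$htaccess"
        printf 'order allow,deny\ndeny from all\n</files>\n' >> "$htaccess"
    fi
}

# relocate_config WEBROOT  -- real config goes to ../wp-private, stub stays behind
relocate_config() {
    webroot=$1
    private="$(dirname "$webroot")/wp-private"
    mkdir -p "$private"
    chmod 700 "$private"                      # not readable by other accounts
    mv "$webroot/wp-config.php" "$private/wp-config.php"
    chmod 600 "$private/wp-config.php"
    # The stub is the only file left in the web root; it carries no secrets.
    # ABSPATH is defined here so the guarded define in the moved file is skipped
    # and wp-settings.php is still loaded from the web root.
    cat > "$webroot/wp-config.php" <<'EOF'
<?php
// Stub: the real configuration lives outside the web root.
define('ABSPATH', __DIR__ . '/');
require_once dirname(__DIR__) . '/wp-private/wp-config.php';
EOF
}

# Demo on a constructed layout in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/public_html"
cat > "$demo/public_html/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
EOF
protect_htaccess "$demo/public_html"
relocate_config "$demo/public_html"
echo "--- stub in web root:"; cat "$demo/public_html/wp-config.php"
echo "--- real config now at: $demo/wp-private/wp-config.php"
```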
Security Tip #3
These are the default security keys in your wp-config.php file:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
Replace the security key section of your wp-config.php file with the code you get by visiting the link below; it is an official API from WordPress.
Visit the official secret-key generation service and paste the results into your wp-config.php file (replacing the four lines beginning with "define").
Security Tip #4
For New Installations
In the wp-config.php file you will find the line stating the table prefix. Change it to something new if you are installing a fresh WordPress:
$table_prefix = 'wp_';
Change it to whatever you want, but it must have _ after it, e.g.
$table_prefix = 'yoursomethingwp_';
For Running Blogs
If you have a running blog and you want to change your database prefix, then the easy way to do it is using plugins. Use the plugin WordPress Security Scan, then go to WSD Security >> Database >> and change the prefix from the options you see there.
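Tips #3 and #4 as a shell audit, an added example that is not from the original post: new_key stands in for the WordPress secret-key service using the local /dev/urandom, rotate_keys rewrites all eight key and salt lines, and audit_config flags placeholder keys and the default wp_ prefix. All function names are my own, and the demo runs on a constructed wp-config.php in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post. Offline stand-in for the
# secret-key service (Tip #3) plus a check for the default prefix (Tip #4).
set -eu

# new_key  -- 64 bytes from the kernel CSPRNG, hex-encoded to 128 characters
new_key() {
    head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# rotate_keys CONFIG  -- give every key and salt a fresh value. Rotating them
# also invalidates all existing login cookies, which you want after a hack.
rotate_keys() {
    cfg=$1
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        key=$(new_key)
        sed "s|^define( *'$name', *'[^']*' *);|define('$name', '$key');|" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
}

# audit_config CONFIG  -- one finding per line; exit status 1 if any found
audit_config() {
    cfg=$1
    rc=0
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "FINDING: default security keys/salts still in $cfg"; rc=1
    fi
    if grep -Eq "^\\\$table_prefix *= *'wp_';" "$cfg"; then
        echo "FINDING: table prefix is the default wp_"; rc=1
    fi
    return $rc
}

# Demo on a constructed wp-config.php in a temporary directory.
demo=$(mktemp -d)
cat > "$demo/wp-config.php" <<'EOF'
<?php
define('AUTH_KEY',  'put your unique phrase here');
define( 'NONCE_SALT', 'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
audit_config "$demo/wp-config.php" || true
rotate_keys "$demo/wp-config.php"
echo "--- after rotation:"; cat "$demo/wp-config.php"
audit_config "$demo/wp-config.php" || echo "(prefix still needs Tip #4)"
```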
Security Tip #5
Use the plugin WordPress Security Scan; it is a great security notifier. Any change that occurs in your site will be notified to you at your admin email ID. In short, if I list out its features, it checks your website/blog for security vulnerabilities and suggests corrective actions such as:
- Passwords
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
Security Tip #6
Keep your WordPress installation up to date. Keep yourself aware of the latest trends. If you see any strange changes in your blog, look at your functions.php file under Appearance >> Edit >> Theme Functions (functions.php). You can also install the WordPress Exploit Scanner and TAC plugins to verify whether your code is correct or not.
Your Turn:
I am quite wiped out now, going for a break to get some coffee. In the meantime, tell me:
- What are your views about sites being hacked, and why?
- Did you manage to do all that I explained?
- Any comments, suggestions, compliments?
106 replies on “How to Secure WordPress From Being Hacked”
Well, the tips look promising. Gonna implement all the methods explained in the article. Was looking for this kind of tips for a long time. Thanks for the share.
I am new to WordPress. Please, I want you to explain tip 2 very well for me because I don't want my blog to get hacked..
Ahmad first of all it’s very nice and helpful article. can you please explain Security Tip #2? i need to know it.
Thanks
Ahmad, much needed article. One question for you: I have two .htaccess files, one in the root folder and the other in my blog folder. In which file should I add the code?
Make these changes in your blog's .htaccess file.
Joshi I hope they will harden your blog, in a good way.
I will write a complete post over it, after your request. It needs a good deal of explanation.
Ahmad, Thanks to the brief and wonderful post and hope it is very useful for me to implement some security measures.
good tutorial….thanks Ahmad Awais…
Great walk through thanks, I’m sure we can all use the help at better securing our sites.
Welcome bro. Keep visiting.
I will write another post over its explanation.
All the tips look quite practical.Good content :-)
Recently my website was hacked. They redirected it to a porn site for 4 days. I called the hosting office and made their class :) I think it may drop my rankings :(
I hope after these hacks it will not be hacked ever.
I am coming with more tips very soon.
Thanks G
Hey thanks for the catch :)
I got your mail
Yeah, really very useful and hopeful tips, thanks for sharing this informative post :)
Hai Ahmad
Nice Article, I followed all steps except 2nd one
i have small question regarding first tip
I added the code above "end of wordpress". Is that right, or should I add that code below "end of wordpress" in the .htaccess file?
Looking forward from you
Thanks
what a post ahmad , I will definitely try your security tips on my blog.
Hi,
Seems like hackers can reach anywhere and everywhere and to combat that intellectuals are toiling to come up with sophisticated tools. All the 6 security tips have been jotted down for my benefit. Thanks Ahmad
Amit from ItechCode.
worthy WP tips Ahmad!
Using login dock is also good option!
I thought I knew it all till I read more tips here. Thanks for sharing this valuable information, Ahmad! You rock.
You just forgot to mention the admin ID and how to restrict the number of login attempts. Besides this, if we could somehow hide WordPress information from the source code, that would be much better.
Thank you. I've had a real problem with hackers hitting my .htaccess file and I've been able to delete the malicious code, but your post finally gave me some tools to actually stop them coming back in. Thank you so much.
I hope so, Alex, my tips will solve your issues :)
Keep visiting.
Yes, you are right !
In this post I focussed over the code snippets. Will consider your suggestion soon.
You don’t need to hide WP information!
It is a big myth that hiding WP version can save you :P
There is a read me file with WordPress that can easily show your WP version :) Just keep it up to date.
Yes Login lock down is a good suggestion.
You are right !
If a hacker is desperate to hack your site, there is no way out.
Why not they all are worth giving a try.
Thanks for liking :)
Add it below #end of wordpress :)
Tell me if it works well?
My friends blog hacked more than 10 times. I will recommend all this tips to him. Hope it will get fine. Thanks for share..
This really helped me, bro. Can you please tell me how I can include the old wp-config with the new one?
I also downloaded a nulled script and now, after 3-4 days, it started showing ads on my site.. please help bro, how to remove those ads..
Hello Ahmad
nice article.
I ignored my WordPress security for a long time , until I heard about the hacking of labnol. You have shared some very useful tips with us. I will implement them right away
Thanks for sharing this with us
Bryan
Remove the nulled script. We don’t support it.
Use FREE ones or pay for the scripts.
I’m really confused, why did you write about such important topic on your blog so late? Or you have also written about this topic before?
Anyway, thanks for sharing the tips.
These are my personal tips. I shared them with all. Is it prohibited :P
Thank you for these tips.
I recently had problems with my account on a self-hosted WordPress version. I will try to avoid hacking and this article fits perfectly to my needs.
Best regards, ATYQ
Ahmad,
Could you please give me information on How to restriction access to wp-content/uploads.
I want to secure that folder from Public viewing & want to display a custom Page for that
Look that is very easy !
Just go to your cpanel >> then to wp-content>> then in uploads folder ! there add index.html file.
In that index.html file write anything , it will be displayed when someone will browse that location.
If you don’t know, about HTML, then go to learn HTML lectures Click Here
Security was not a concern for me. But now after reading this, I am worried about the foolishness I was doing. Thanks for sharing by.
I hope so, you will learn a lot more here.
Hello Ahmad,
Don’t you think these instructions would be a bit confusing for some readers out there. I would like to mention what I have written on my blog. There is a plugin which secures our blog from many security vulnerabilities like Brute force attacks and etc in just one click.
Hi Ahmada can you give some idea about the security tips # 2
I just need some steps to follow this security tip
so pls explain some steps by replying my comment
thanx in advance
Thanks to the brief and wonderful post and hope it is very useful for me to implement some security measures…..
Thanks for liking the content. It is really helpful, try it out.
Making an article over it.
I mentioned three plugins in this article.
But the point here is you can never trust third party plugins. I never trust them. I do things myself to keep my blogs at the safe end.
Do tell him about these tips.
Thanks for liking.
All things you should do to completed to protect your website is one thing: install wp security plugin. This plugin will help you do all above tasks.
You can never trust a third party plugin !
am new to wordpress and am finding it much easier than drupal which i used to use
thank you so much for these valuable tips
Really useful post, Ahmad. I came here from FB. Thanks, improved my WP security.
I hope so these tips help you out.
Yes it is simpler and easier for beginners.
Thanks for the tips, I’ll have to spend some time this weekend locking down my wordpress installs.
Great post and some great info … I’ve always used plugins to boost security a bit. 2 I recommend are
1) Block Bad Queries (BBQ)
2) Semisecure Login Reimagined
Ever used them?
I don't trust third party plugins. That is why I wrote about this manual method.
I hope so they work good at your end.
Will use these tips, thanks. I am new and it helped me a lot. :)
Umm, I'll be certain to give it a whirl then .... I hope you're there when I scream for help. I'm a bit scared of opening the bonnet! :)
Good to know that.
Don’t worry we have got your back
Really, that helped me a lot in saving my blog from hackers. Thanks!
Good to know that
Thank you Ahmed Bhai, this article will help to resolve security concerns for my site. keep it up.
Thanks for sharing the tips, especially the first one, security tip #1
You are most welcomed.
You are welcomed
Till now I have been just using captcha during login and comments but I think few of the tips mentioned above must be used else things can go worse any given day..
BTW you have an awesome blog would surely bookmark it.. Thanks for sharing such a valuable piece of information..
Will be sharing more tips in future as well.
So you write this great article and not a lot of people answered the “your turn” section :)
So here goes!
1. Sites in general are being hacked for: data theft, defacing, a place to store code or just to troll. There are probably far more reasons but these ones came to mind.
WordPress sites – not so much. Maybe except from the storing code part. The uploads folder is a great target. With all the flexibility of WP the uploads folder is mostly overlooked.
The fact is WP is open source; great for rapid development but the downside is the code is available for bad people. I believe by now the WP core files are hammered shut but like you mentioned the third party plugins are not. Ok I know how to code and I am not the prime audience for WP, because you can set up WP without knowing anything about coding. But when you need a plugin to do something you can only choose from what is out there. I rarely use third party plugins myself because they rarely do precisely what I want. So I end up writing them myself. But I understand that that is not for everybody. And why on earth would somebody who wants to make a blog about their cats think about hacking.
Ignorance is bliss they say(I don’t mean that to offend people) but that is where hackers are hoping for. A side note – never ever use the same password for more than 1 website.
Just know what you are working with! And know how a webserver works. Ok, not a webserver, but in which layers it can be dissected. Hacks by bots (clever scripts running from a hacked site, maybe another WP) are most common. These bots target the browser view part, so login forms and included libraries. There are more levels but I don't wanna explain these here. Not relevant and all. Because if a webserver is hacked you can do nothing about that (without the knowledge). Or even if a website is hacked on the shared server you are working off.
But lets set a little scenario!
Your non-WP site is hacked by a brute force attack via a login form. They can enter and do something with the single account they forced entry to.
WP scenario!
The same as above. But WP is all about user experience. So you don’t need a FTP client to alter scripts if the write permissions are set for the editor files. And with this a lot is possible. drop database tables, insert bad code or redirect traffic.
BTW about brute force: if you use a plugin which counters it, make sure it is random and not just adding a second to the login. A bot can learn, and will, and has more time than you!
2. Yup and more.
My suggestions
– Protect more files – complete wp-admin folder, uploads folder( you can make a custom one but that is still visible in HTML source code)
– Don’t use admin as username(mentioned above)
– If the name of the blogger is visible don’t use the admin user for the blogging. Create another account for that with less authorities.
– maybe not in the scope but don’t blog on an insecure network from the coffeeshop.
– WP doesn't have restrictions on the length of passwords. Use an MD5 + salt generator to encrypt your password. I do the same for the wp_ prefix. (I know md5 isn't secure anymore with rainbow tables and all, but for this it is perfectly okay)
– Delete all unnecessary files, themes and plugins. If you don’t use them they have no business being on your server.
– DuckduckGo is your friend, maybe yours is google :) Use it. Coding isn’t a black magic. Do you want to alter your look with a functions.php file search for the functions you want to use and always look for recent posts!
Hope this makes any sense :) I had to wait on a security scan for a WP website so I searched and came here. Yes, I try to hack them, but with consent, and even get paid for it :) So, really bored and wanted to share my thoughts on this. I go further, but for people who just want to have a place on the internet this is all I can think of.
English is not my native language so bear with me for the grammar mistakes.
I used plugins for the protection of my blog. Is it ok, or should I uninstall those security plugins and follow the steps which you have posted?
Thanks for this great set of pieces of advice.
Plugins are fine, but these steps will harden your security. Never trust third party plugins.
Name please those plugins ?
Tahir, I have mentioned the plugins.
Ahmad first of all am really impressed with your blog template and secondly the way you deliver the content :)
This post provides some tips which a newbie as well as experts need to implement to protect their sites.
Thanks for liking.
I was googling and it brought me to the right blog. I have WordPress websites and this is very useful for me. I'm following you now on Twitter. Keep up the good work. Thanks.
Good go for that.
Sir you did simply a great Job. Your work should be appreciated at every forum. I have a suggestion, if you mention the step by step PrintScreen images in the post, this will put more clarity in your writing. Any How Excellent :o) Thumbs Always Up !!!
I don’t know why but I thought the same thing :)
The tips are nice Ahmad. My question was that I’m using a WordPress plugins called Better WP Security. So the plugin must be doing all the things mentioned above automatically yah?
I wrote in the article. Never trust a third party plugin. That is the whole point of writing this post. Secondly, I edited your comment. Such things in comments are not allowed here.
I was editing the wp-config file and I changed the first four keys, but what about the other 4, i.e.
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Waiting for your help.
And please can you tell me what the best file permission numbers are.. I got 755 by default, and which folders and files are important on which file permissions should be used?
These are meant to be changed
You explained and guided very beautifully. Thanks
Very Awesome post.. lots of wp sites are being hacked daily but now i think we can make it secure
ultimate post ….will try some tips from here
What about WordPress bullet proof plugin that can help also or not?
Read complete article I mentioned why and why not to use the plugins.
Hello Ahmed awais, very nice and informative post specially for newbie,thanks for the nice information
This is indeed an awesome post, just recently one of my blogs was hacked and now i know the importance of securing a WordPress blog.
Smart and intelligent tips to keep a blog secured. Well done to finding those secret keys and prefixes.
Hello Ahmed! This really a useful post, Thanks a lot for sharing.
I'm already using a premium theme for my blog and your post is really good and helpful for me. One more thing: where I'm not using premium themes, I will use them soon for my blog's safety.
sir any security tips for securing blogspot website…….
Can’t say, Just secure your Gmail
Hi Buddy, I don’t understand this section of WordPress security.
Security Tip # 3
When I opened the wp-config file, I found there are no keys defined in it. I never did it for any of my blogs. Is this a required thing? How will it protect my blog from being hacked? You didn't write any detail about it, kindly explain.
One more question. Now WP-Security Admin tools are showing me every point in green color. Does it mean my WP blog is now secure?