Plugins Themes

How to Secure WordPress From Being Hacked

Securing WordPress is a big issue these days. A lot of sites/blogs get hacked on daily basis. How to secure WordPress from being hacked is what I will teach you in this article. In the very beginning let’s discuss some of the causes of being hacked

How to Secure WordPress From Being Hacked

Causes of WordPress Hacking

  • Using Nulled or Free Downloaded Premium Theme ? Why would someone give premium and paid themes for free? Of-course they have malicious codes hidden in them which can hack your blog, or use it for adding their link s automatically in your blog
  • Wpconfig.php has no security keys defined in it.
  • wpconfig.php is not secure it can be secured in a lot of ways, we will discuss them later in this post
  • Database password does not contain any of the alphabets-numbers and characters. Make a strong password eg V!r2U3s$

Security Tip #1

Goto your cpanel >> File Manger >> Root Folder in which look for .htaccess file, open it and add this at the end

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
It will protect your WordPress wpconfig.php file from bad requests.

Security Tip #2

If you want to make your wpconfig.php file more secure you can place it one level up from the root folder. This is for high traffic and scaled blogs , for those who want things done in the most secure way. The method is long but I can give the idea. You have to download wpconfig.php and rename it then upload it on a level up eg before public_html or www folder make a folder in your cpanel put that file in there, then make another wpconfig.php file and include the old wpconfig.php file in it. This work needs high level of knowledge, I can work out on a complete new post for this if anyone needs it.


Security Tip #3

These are default secureity keys in your wpconfig.php file

define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here');

Replace the security key section of your wpconfig.php file with the code you get visiting by the link below, it is an official API from WordPress

Visit the official secret-key generation service and paste the results into your wpconfig.php file (replace the four lines beginning with “define”)

Security Tip #4

For New Installations

In wpconfig.php file you will find the line stating the table prefix change it to something new if you are installing new WordPress

$table_prefix = 'wp_';

Change it to whatever you want but it has _ after it eg

$table_prefix = ‘yoursomethingwp_’;

For Running Blogs

If you have a running blog and you want to change your database prefix then easy way to do it is using pluigns. Use this plugin WordPress Security Scan Then Goto WSD Security >> Database >> Now change the prefix from the options you view.

Security Tip #5

Use this plugin WordPress Security Scan it is a great security notifier. Any change that occurs in your site will be notified to you on your admin Email ID.In short if I list out its features, it will check your website/blog for security vulnerabilities and suggests corrective actions such as:


  1. Passwords
  2. File permissions
  3. Database security
  4. Version hiding
  5. WordPress admin protection/security
  6. Removes WP Generator META tag from core code

Security Tip #6

Keep your WordPress Installation up to date. Keep yourself aware of the latest trends. If you see any strange changes in your blog look for your funtions.php file. In Appearance >> Edit >> Theme Functions (functions.php). You can also install WordPress Exploit Scanner and TAC plugin to verify your code is correct or not.

Your Turn:

I am quite wiped now, going for a break to get some coffee in the meantime tell me

  • What are your views about sites’ being hacked an why?
  • Did you manage to do all what I explained?
  • Any comments, suggestions compliments?


By Freakify Editorial

The post was written by the Freakify Editorial Team. used to be managed by Awais, Maedah and their team before its acquisition.

106 replies on “How to Secure WordPress From Being Hacked”

Well the tips looks promising. Gonnna implement all the methods explained in the article. Was looking for similar kind of tips from a long time. Thanks for the share.

I A̅m new to wordpress . Pls I want U to explain tip 2 very well for me cos I dont want my blog to get hacked..

Ahmad much needed article. One question for you is that I have two .httaccess files one in root folder and other is in my blog folder. In which file should i add the code.

Ahmad, Thanks to the brief and wonderful post and hope it is very useful for me to implement some security measures.

Recently my website was hacked, They redirect it to porn site for 4 day, I call hosting office and make their class :) ,I think it may drop down my rankings :(

Hai Ahmad
Nice Article, I followed all steps except 2nd one
i have small question regarding first tip
I add the code above “end of wordpress” is it right? or should i add that code below “end of wordpress” in .htaccess file
Looking forward from you


Seems like hackers can reach anywhere and everywhere and to combat that intellectuals are toiling to come up with sophisticated tools. All the 6 security tips have been jotted down for my benefit. Thanks Ahmad

Amit from ItechCode.

you just forget to mention admin id and how to restrict no of login attempt. besides this if we any how be able to hide wordpress.information from the source code than it would be much better.

Thank you. I’ve had a real problem with hackers hitting my htacess file and I’ve been able to delete the malicious code but your post finally gave me some tools to actually stop them coming back in. Thank you so much.

You don’t need to hide WP information!
It is a big myth that hiding WP version can save you :P
There is a read me file with WordPress that can easily show your WP version :) Just keep it up to date.

Yes Login lock down is a good suggestion.

.This really helped me bro . Can u plz tell me how can i include old wp-config with new one? . .

i also downloaded the nulled script and now after 3-4 days it started giving ads on my site .. plz help bro how to remove those ads..

Hello Ahmad
nice article.
I ignored my WordPress security for a long time , until I heard about the hacking of labnol. You have shared some very useful tips with us. I will implement them right away
Thanks for sharing this with us

Thank you for these tips.
I recently had problems with my account on a self-hosted WordPress version. I will try to avoid hacking and this article fits perfectly to my needs.
Best regards, ATYQ


Could you please give me information on How to restriction access to wp-content/uploads.

I want to secure that folder from Public viewing & want to display a custom Page for that

Look that is very easy !
Just go to your cpanel >> then to wp-content>> then in uploads folder ! there add index.html file.

In that index.html file write anything , it will be displayed when someone will browse that location.

If you don’t know, about HTML, then go to learn HTML lectures Click Here

Hello Ahmad,

Don’t you think these instructions would be a bit confusing for some readers out there. I would like to mention what I have written on my blog. There is a plugin which secures our blog from many security vulnerabilities like Brute force attacks and etc in just one click.

Hi Ahmada can you give some idea about the security tips # 2
I just need some steps to follow this security tip
so pls explain some steps by replying my comment
thanx in advance

I mentioned three plugins in ths article.
But the point here is you cna never trust third party plugins. I never trust them. I do things myself to keep my blogs at the safe end.

All things you should do to completed to protect your website is one thing: install wp security plugin. This plugin will help you do all above tasks.

Thank you Ahmed Bhai, this article will help to resolve security concerns for my site. keep it up.

Till now I have been just using captcha during login and comments but I think few of the tips mentioned above must be used else things can go worse any given day..
BTW you have an awesome blog would surely bookmark it.. Thanks for sharing such a valuable piece of information..

So you write this great article and not a lot of people answered the “your turn” section :)

So here goes!
1. Sites in general are being hacked for: data theft, defacing, a place to store code or just to troll. There are probably far more reasons but these onces came to mind.

WordPress sites – not so much. Maybe except from the storing code part. The uploads folder is a great target. With all the flexibility of WP the uploads folder is mostly overlooked.

The fact is WP is open source; great for rapid development but the downside is the code is available for bad people. I believe by now the WP core files are hammered shut but like you mentioned the third part plugins are not. Ok I know how to code and i am not the prime audience for WP. Because you can set up WP without knowing anything about coding. But when you need a plugin to do something you can only choose from what is out there. I rarely use third party plugins myself because they rarely never do precisely what i want. So I end up writing them myself. But I understand that that is not for everybody. And why on earth would somebody who want to make a blog about their cats think about hacking.

Ignorance is bliss they say(I don’t mean that to offend people) but that is where hackers are hoping for. A side note – never ever use the same password for more than 1 website.

Just know what you are working with! And know how a webserver works. Ok not a webserver but in which layers i can be dissected. Hacks by bots(clever scripts running from (maybe another WP)hacked site) are most common. These bots target the broswer view part. So login forms and included libraries. There are more levels but I don’t wanna explain these here. Not relevant and all. Because if a webserver is hacked you can do nothing about that(without the knowledge). Or even if a website is hacked on the shared server you are working of.

But lets set a little scenario!
Your not WP site is hacked by a brute force attack via a login form. They can enter and do something with the single account the forced entry.

WP scenario!
The same as above. But WP is all about user experience. So you don’t need a FTP client to alter scripts if the write permissions are set for the editor files. And with this a lot is possible. drop database tables, insert bad code or redirect traffic.

BTW about brute force. If you use a plugin which counter it. Make sure it is random and not just adds a second for the login. A bot can learn and will and has more time than you!

2. Yup and more.
My suggestions
– Protect more files – complete wp-admin folder, uploads folder( you can make a custom one but that is still visible in HTML source code)
– Don’t use admin as username(mentioned above)
– If the name of the blogger is visible don’t use the admin user for the blogging. Create another account for that with less authorities.
– maybe not in the scope but don’t blog on an insecure network from the coffeeshop.
– WP doesn’t have restrictions on the length of passwords. Use a MD5 + salt generator to encrypt your password. I do the same for the wp_ prefix. ( I know md5 isn’t secure anymore with rainbow tables and all but for this it is perfectly oke)
– Delete all unnecessary files, themes and plugins. If you don’t use them they have no business being on your server.
– DuckduckGo is your friend, maybe yours is google :) Use it. Coding isn’t a black magic. Do you want to alter your look with a functions.php file search for the functions you want to use and always look for recent posts!

Hope this makes any sense :) had to wait on a security scan for a WP website so i searched and came here. Yes I try to hack them but with consent and even get payed for it :) So really bored and wanted to share my thoughts on this. I go further but for people who just want to have a place on the internet this is all I can think of.

English is not my native language so bare with me for the grammar mistakes

Ahmad first of all am really impressed with your blog template and secondly the way you deliver the content :)
This post provides some tips which a newbie as well as experts need to implement to protect their sites.

Im googling and it brings me to the right blog. I have wordpress websites and this is very useful for me. Im following you now on twitter. keep up the good works. thanks

Sir you did simply a great Job. Your work should be appreciated at every forum. I have a suggestion, if you mention the step by step PrintScreen images in the post, this will put more clarity in your writing. Any How Excellent :o) Thumbs Always Up !!!

The tips are nice Ahmad. My question was that I’m using a WordPress plugins called Better WP Security. So the plugin must be doing all the things mentioned above automatically yah?

I wrote in the article. Never trust a third party plugin. That is the whole point of writing this post. Secondly, I edited your comment. Such things in comments are not allowed here.

was editing the wp-config file i changed the first four keys but what abt the other 4 i.e
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);

waiting for ur help

and please can u tell me what are the best file permission numbers .. i got 755 by default and which folders and files are important on which file permissions should be used

Very Awesome post.. lots of wp sites are being hacked daily but now i think we can make it secure

Hello Ahmed awais, very nice and informative post specially for newbie,thanks for the nice information

i m already using premium theme for my blog and your post is really Good and helpful for me one more thing where i m not using premiums themes there i will use soon for my blog safety

Hi Buddy, I don’t understand this section of WordPress security.
Security Tip # 3
when I opened Wp-config file, I found there are no keys defined in it, I never did it for any of my blog, Is this a required thing? how it will protect my blog from being hacked. You didn’t write any detail about it, kindly explain.

Comments are closed.