Portal Home > Knowledgebase > General > Security > The WordPress Security Guide

The WordPress Security Guide

The WordPress Security Guide:


Step 1

Create a backup of your site.

If you have cPanel you can do this with the "Backup Manager".

If not, we would recommend "Backup Buddy" you can find this with a Google search.


Step 2

Update WordPress Version

This is critical because WordPress issues updates that close security vulnerabilities.

Step 3

Change Your Login/Password

The Default WP login is "admin" and hackers know this. So you should change it to something more personal (eg. "RocketRanger416" or "James86").

Suggestion: Add that new user, make it an admin then delete the original login of "admin".

We suggest really strong passwords! (These should incluse UPPER and lowercase letters, numbers, and symbols) Like "Rocket!2@" or "jessieNOMAD12#4"

Most hackers try brute force on your passwords - so if it is really strong you should be fine.


Step 4

Change your Wordpress Keys

Many people overlook this step but it is an important one as these Keys work as salts for cookies and ensure better encryption of data.

Use the WordPress Key Generator to generate mentioned keys.

Now edit your wp-config.php file and fine the lines that look like:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

and replace them with the ones from the Key Generator

Save. Done


Step 5

Install WP Security Scan

This plug-in makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code and so on.

If the plugin shows your text green you should be good. Howerver, if they are not green you will have to fix the problem to make them green.


Step 6

Change Table Prefix

Warning make a backup of your database Before continuing.

The default prefix for a WP bsite is "wp_" This makes it so sql injection hacks are easy for the hacker because it is easy to guess.

A good prefix would be "march26_" or "magnol1a_" this is a highly recommended change and you can do this with the WP Security Scan Plug-in.

WP Security Scan has a tab called "Database". Once you open that tab you have the option to rename your entire prefix to something secure.


Step 7

Prevent WordPress Hack by blocking search engine spiders from indexing the admin area

Spiders crawl all over your site structure unless they are told not to.

The easiest way to prevent spiders from indexing the admin area is to create a robots.txt file in your public_html folder with the following lines of code.

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*


Step 8

Prevent .htaccess Hacks

.htaccess (hypertext access) is the default name of directory-level configuration file that provides decentralized management of configuration while inside your web tree.

.htaccess files are often used for security restrictions on a particular directory.

Lets secure your .htaccess

First we want to protect the .htaccess file itself so add the following (Do this for all .htaccess files you have in root and or create)


order allow,deny
deny from all
satisfy all

Public_html .htaccess below

Lets secure your config.php by adding:

# protect wp-config.php

Order deny,allow
Deny from all


Lets prevent the Hacker from browsing your directory tree by adding:

# disable directory browsing
Options All -Indexes


Lets prevent some script injections now:

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

/wp-content .htaccess below


Lets limit access to the wp-content directory by creating a .htaccess in the wp-content folder and adding:

Order deny,allow
Deny from all

Allow from all

/wp-admin below


If you have a static IP, we recommend creating a .htaccess in your wp-admin folder with the following (replace x's with your STATIC IP)

# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx
deny from all


Step 9

Last but not least...

You can install "Wordpress Firewall 2" which prevents most hacking attempts.

Caution: Use with Care! You can lock yourself out of your site!


Need Additional Help? Go to "Live Chat" on the Hostwinds web site if you require further assistance.






Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
Hostwinds Support Pin (Views: 370)
cPanel Virus Scan (Views: 639)