WordPress security Guidelines : How to protect your website from hackers?

Sharing is caring!

Introduction to WordPress Security Guidelines

Welcome, everybody!

In this mini-course or article, you will learn the following topics :

  • How to secure your WordPress website.
  • Protect your site from hackers and malicious code.
  • Protect website files and folders.
  • Deny access to certain areas of your website, and much more!

In brief, you will learn everything you need to implement protecting to your WordPress website.

Understanding the default WordPress installation risks.

Here is a list of the common security risks that can face your website:

  • Database deletion.
  • username changes
  • Kill SEO that you implemented on your website.
  • Infect site visitors which may cause an untrusted relation with your customers and visitors leading to full website damage.

Securing your site!

Alright, here is the most important part. we will cover everything you must do to protect your website :

1. Creating a Strong Password.

Creating a secure password is essential for protecting your online identity and protecting your
website. When you create a password, there are a few simple rules to follow that will help ensure
that your password cannot be easily guessed or cracked using a brute force attack.

Here are some points to keep in mind while creating a password:

  • Do not use your name, or other personal data such as birthdays, the names of relatives, etc.
  • Do not use words that can be found in a dictionary of any language.
  • Use at least one uppercase letter.
  • Use special characters, and/or begin and end with something like “,,,”
  • Intentionally misspell a word that you will remember.
  • Use a phrase and mold it into a strong password.

Go check your password strength at one of the following sites:
Microsoft’s Password Strength Checker.
Kaspersky Lab Secure Password Checker.
Intel’s Password Grader.

And at last, don’t forget to change your passwords periodically and avoid using common usernames like “admin” and “webmaster”

2. Always be updated

Updates are meant for addressing issues and vulnerabilities with the current version of WordPress or plugins that you have.

So, in general, we have three types of updates for WordPress :

  1. Core updates
  2. Plugins updates
  3. Themes updates

what you have to know is that threats in plugins and themes are always increasing so try to update whenever the update is released to address any security vulnerabilities and don’t wait for a security alert!

By staying up to date you keep your site more secure.

and try always to get plugins and themes from a trusted source. since many paid themes and plugins may be offered in some places for free, take care since these may contain malicious code.

3. Change the default database prefix from wp_ to something unique.

keeping the default database and table names may allow attackers to do some SQL injections on your website so try to change the default name into something unique for your website.

You can do that in two ways :

  1. Changing directly from phpadmin or using SQL script(somehow tedious)
  2. Using a plugin, Go to plugins and search for “change prefix”, then install and activate “change DB prefix” plugin, then go the plugin settings and put your unique prefix.

4. Protect the admin login with a second layer of protection.

Now we will see a plugin that can add some protection layer to your administration area.

Go to plugins: search for “graphic password”.Then install and activate “wp-admin graphic password”.

This plugin allows you to select a certain image and select two points in it, and then whenever you login it will ask you for the image pattern that you saved, it’s somehow an additional layer of security for the admin login.

5. Stop search engines from indexing your admin page.

Indexing you admin page in search engines can be actually a security thread, and you must avoid that.

To do this follow these steps:

  1. Connect to your site using FTP.
  2. Go to the root website directory (public_html)
  3. Create a text file called (robots.txt)
  4. Write the following statement in it :

    Disallow: /wp-*

This will prevent search engines from indexing any page starting with wp.

A robots.txt file tells search engine crawlers like Google where they can index content.
You may think of granting them full access will help your SEO efforts, but there are certain places you
simply should not allow them to access.

6. Disable directory browsing.

It’s obvious that you don’t one anyone to browse your sensitive directories!

so for that, you have to disable directory browsing, you do that by editing the .htaccess file located on your website.

And add this code snippet :

#Disable directory browsing - comment
Options ALL -indexes

7.Using .htaccess to Add Additional Security to your Site

Modifying or creating .htaccess files can greatly improve the security of your WordPress installation.
Through this file, we can limit access to files and folders, perform redirects, disable directory
browsing, and much more.

Edit .htaccess files with a text editor. Often times you will not be able to save the file locally on
your machine as .htaccess. If this is the case for you simply save it as htaccess.txt, upload it to
your server, and then rename it to .htaccess.

So let’s look at what your .htaccess file probably looks like.
Using an FTP program (FileZilla is free and multi-platform) download your .htaccess file from the
root folder of your site and open it in a text editor such as Notepad on Windows or TextWrangler
(free) on Mac. It should look something like this:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

Now, when editing this file keep in mind that WordPress accesses this file and can modify anything
between the BEGIN WordPress and END WordPress lines, so leave those as is. All of our additions
are going to be entered on the lines after the # END WordPress line.


To protect your configurations file, add the following to your .htaccess file.

# Prevent Access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all



These files generate an error when trying to be accessed directly anyhow, but it doesn’t hurt to add
another layer of protection. To make sure nobody can access your .htaccess files add the following
to it.

# Prevent Access to .htaccess
<Files .htaccess>
order allow,deny
deny from all


order deny,allow
allow from
deny from all

8.Installing and configuring wordfence plugin.

What do wordfence do?

  • Network and Geolocation blocking
  • Protect your server with machine learning capability.
  • Source code verification and other security stuff.

So it’s a good practice to install wordfence and configure it to protect your website.

9.General recommendations

  • Remove the default admin account that hackers may use to guess passwords.
  • Always backup your website files and databases.
  • Scan any downloaded plugins and themes for viruses before installing and uploading to your website.
  • Clear and remove unwanted plugins and themes (clear the plugins folder from unwanted plugins)
  • Remove unwanted user accounts and be sure to set appropriate permission to each user (admin, publisher…)
  • Secure your website will SSL certificate and try to avoid connecting using FTP but instead use SFTP or Secure FTP.

Sharing is caring!

Leave a Comment

Your email address will not be published. Required fields are marked *