How to Protect WordPress from Hackers
WordPress security is crucial for any website. A security plugin such as iThemes Security is not a substitute for keeping WordPress core, plugins, and themes updated; the measures below add to that routine rather than replace it.
First layer of security: installation
Many attacks can be prevented during installation:
- Avoid admin as the administrator username; pick a name that cannot be guessed from the site itself.
- Create strong passwords with uppercase, lowercase, numbers, and symbols, and make them long.
- Change the database table prefix (wp_) to a custom one, e.g. xy_12_. Only letters, digits and underscores are accepted, and the prefix is prepended directly to the table name, so keep the trailing underscore (without it the tables become xy_12posts).
- Add unique salt keys to the wp-config.php file, either from the WordPress salt keys generator at https://api.wordpress.org/secret-key/1.1/salt/ or generated locally.
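The four installation steps above, scripted with WP-CLI so none of them can be skipped. This is an added example, not code from the original article or from WordPress or WP-CLI; it assumes WP-CLI is installed as `wp`, that the MySQL database already exists, and that the site values are passed on the command line. Salts are generated locally from /dev/urandom instead of being fetched, and the DISALLOW_FILE_EDIT constant described later in the article is written at the same time. The helper names (gen_secret, gen_prefix, password_ok, reject_weak_username, salt_defines, harden_install) are this example's own.

```shell
#!/bin/sh
# Added example: a hardened first install of WordPress with WP-CLI.
# Assumes WP-CLI is on PATH as `wp`; all helper names below are this
# example's own, not WordPress or WP-CLI APIs.

# Random string of $1 characters from a set that is safe inside a PHP
# single-quoted literal (no quote, no backslash). Entropy comes from
# /dev/urandom, so nothing is fetched from a web generator.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' </dev/urandom | head -c "${1:-64}"
}

# Table prefix such as t7k2q9_: letters, digits and underscore only, which
# is all WordPress accepts, ending in an underscore like the default wp_.
gen_prefix() {
    printf 't%s_' "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)"
}

# The password policy from the checklist: at least 16 characters with
# upper case, lower case, a digit and a symbol.
password_ok() {
    [ "${#1}" -ge 16 ] || return 1
    for class in '[A-Z]' '[a-z]' '[0-9]' '[^A-Za-z0-9]'; do
        printf '%s' "$1" | LC_ALL=C grep -q "$class" || return 1
    done
}

# Usernames every brute-force wordlist tries first.
reject_weak_username() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ''|admin|administrator|root|user|test|webmaster) return 1 ;;
    esac
}

# The eight define() lines for wp-config.php, 64 characters each.
salt_defines() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$k" "$(gen_secret 64)"
    done
}

# harden_install <site-url> <admin-user> <admin-email> <db-name> <db-user> <db-pass>
harden_install() {
    url=$1 admin=$2 email=$3 dbname=$4 dbuser=$5 dbpass=$6
    reject_weak_username "$admin" || { echo "refusing predictable admin username '$admin'" >&2; return 1; }
    prefix=$(gen_prefix)
    password=$(gen_secret 32)
    until password_ok "$password"; do password=$(gen_secret 32); done

    wp core download
    # --skip-salts: our own salts (and the file-editor lock) go in via --extra-php.
    {
        salt_defines
        printf "define('DISALLOW_FILE_EDIT', true);\n"
    } | wp config create --dbname="$dbname" --dbuser="$dbuser" --dbpass="$dbpass" \
            --dbprefix="$prefix" --skip-salts --extra-php
    wp core install --url="$url" --title="$url" --admin_user="$admin" \
        --admin_password="$password" --admin_email="$email" --skip-email
    printf 'installed %s: table prefix %s, admin user %s, password %s (store it in a password manager)\n' \
        "$url" "$prefix" "$admin" "$password"
}

# Runs only when given the six arguments; sourcing the file just defines the helpers.
if [ "$#" -eq 6 ]; then
    harden_install "$@"
fi
```

Run it from the empty document root as `sh harden-install.sh https://example.org siteowner you@example.org wpdb wpdbuser 'db-password'`; the generated admin password is printed once and should go straight into a password manager.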
Advanced security measures
Remove the “admin” user
Create a new administrator account with a non-obvious username, log in as that account, then delete the original admin user and reassign its content to the new one. Brute-force tools try admin first, so a different name forces them to guess both halves of the credential. WordPress still reveals usernames through author archives (/?author=1 redirects to /author/<username>/) and the REST API user listing (/wp-json/wp/v2/users), so this raises the cost of an attack rather than hiding the account; rate limiting and two-factor authentication do the real work.
Use strong passwords
Longer and more complex passwords significantly increase the time required to crack them, and length counts for more than symbol variety. Use a unique password for every role involved: the WordPress account, the database user in wp-config.php, the FTP or SSH account, and the hosting panel. Reusing one of them means a leak in any place compromises the rest.
Change database table prefix
Take a full backup, update $table_prefix in wp-config.php, and rename every table in phpMyAdmin. Renaming the tables is not enough on its own: WordPress also stores the prefix inside data, in the option named wp_user_roles and in usermeta keys such as wp_capabilities and wp_user_level. Those rows must be updated to the new prefix too, or every account, administrators included, loses its role and is locked out of the dashboard. Plugin tables use the same prefix and need renaming as well. Treat this as a hurdle for automated scans rather than a real control: an SQL injection payload can read the prefix from information_schema.
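The prefix change spelled out as an added example (not from the article): a shell helper that prints the SQL to run in phpMyAdmin for the twelve core tables and for the rows that store the prefix as data. Plugin tables are not covered; list them with SHOW TABLES LIKE 'wp\_%' and add them to the table list. The helper names (valid_prefix, prefix_rename_sql) are this example's own.

```shell
#!/bin/sh
# Added example: generate the SQL for moving a WordPress database from one
# table prefix to another. Review the output, back up, then run it in
# phpMyAdmin and set $table_prefix in wp-config.php to the new value.

WP_CORE_TABLES="commentmeta comments links options postmeta posts termmeta
term_relationships term_taxonomy terms usermeta users"

# WordPress only accepts letters, digits and underscore in a prefix.
valid_prefix() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# prefix_rename_sql <old-prefix> <new-prefix>
prefix_rename_sql() {
    old=$1 new=$2
    valid_prefix "$old" && valid_prefix "$new" || return 1
    # In a LIKE pattern "_" is a wildcard, so escape it in the old prefix.
    like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')

    printf '%s\n' '-- 1. rename the core tables'
    for t in $WP_CORE_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done

    # 2. The prefix is also stored as data. Roles live in the option named
    #    {prefix}user_roles; only that row is touched, because core options
    #    such as wp_page_for_privacy_policy start with "wp_" without being
    #    prefix-derived.
    printf '%s\n' '-- 2. option row that carries the prefix'
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"

    # 3. Every user's role and level live in usermeta keys {prefix}capabilities
    #    and {prefix}user_level (plus a few dashboard settings). Skipping this
    #    step locks all users, administrators included, out of wp-admin.
    printf '%s\n' '-- 3. usermeta keys that carry the prefix'
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$((${#old} + 1))" "$like_old"
}

if [ "$#" -eq 2 ]; then
    prefix_rename_sql "$1" "$2"
fi
```

`sh prefix-rename.sh wp_ xy_12_ > rename.sql` produces the statements; run them inside one transaction if the tables are InnoDB, and log in immediately afterwards to confirm the administrator still has its role.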
Set salt keys
Update wp-config.php with generated salt keys to strengthen cookie and session security. The eight AUTH, SECURE_AUTH, LOGGED_IN and NONCE keys and salts are mixed into the hashes in the login cookies and in nonces; if they are left at the placeholder values or copied from another site, anyone who knows them can forge an administrator cookie. Changing them invalidates every existing login cookie, which is also the quickest way to force all sessions out after a suspected compromise.
Disable file editor in dashboard
Add this line to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
This removes the theme and plugin file editors from the dashboard, so an attacker who steals an administrator session cannot write PHP through the browser. It does not stop uploading a malicious plugin zip; setting DISALLOW_FILE_MODS to true blocks plugin and theme installation and updates from the dashboard as well, at the cost of having to update through WP-CLI or the file system.
Hide WordPress version
Add this to the theme's functions.php (in a child theme, so a theme update does not overwrite it); placed in header.php it only works above the wp_head() call:
<?php remove_action('wp_head', 'wp_generator'); ?>
This removes only the generator meta tag. The version still appears in the ?ver= query string of core scripts and styles, in readme.html at the site root, and in feeds (filter the_generator to blank that one), so it does not defeat a scanner; it mainly trims noise. Keeping core updated matters more than hiding which version is running.
Disable error display
A PHP warning printed into a page reveals absolute server paths and sometimes fragments of queries. To avoid that, add this to wp-config.php:
error_reporting(0);
@ini_set('display_errors', 0);
The display_errors line is the one that matters: WordPress resets error_reporting() itself while loading (wp_debug_mode() in wp-includes/load.php), so the first call is overridden, but display_errors stays off for normal requests. Keep WP_DEBUG false on production, or set WP_DEBUG_DISPLAY false with WP_DEBUG_LOG true so errors go to a file instead of the page, and set display_errors = Off in php.ini as well so an error raised before wp-config.php is parsed does not leak either.
Change login URL
Moving the default /wp-admin and wp-login.php path cuts the noise from bots that hit the standard URLs, but it is obscurity: a targeted attacker finds the new path from links and redirects, and it does nothing against credential stuffing once found. Doing it by hand means intercepting the request in wp-config.php and functions.php and rewriting it in .htaccess, which is easy to get wrong; a plugin is the safer route. Whatever the login URL, also limit login attempts, enable two-factor authentication for administrators, and restrict xmlrpc.php, which accepts a username and password over XML-RPC regardless of where the login form lives.
Protect wp-config.php
Add the following rules to .htaccess:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
This is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use Require all denied inside the same <Files> block, and nginx ignores .htaccess entirely, so the equivalent location rule belongs in the server configuration. The rule only matters when PHP handling breaks and the file would be served as plain text; a cleaner fix is to move wp-config.php one directory above the web root, where WordPress looks for it automatically and no HTTP request can reach it.
Set read-only permissions
Set wp-config.php and .htaccess to 644 (owner read/write, everyone else read only) via FTP (e.g. FileZilla) or chmod. This stops group and world writes, but it leaves wp-config.php, and the database password inside it, readable by every other account on a shared host, and the owner's write bit remains, so if PHP runs as the file owner a compromised plugin can still rewrite it. Where the host allows, go tighter on wp-config.php: 640 or 600, or 440 when the web server only needs to read it. Directories should be 755, other files 644, and nothing under the WordPress root should be world-writable.
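An audit for the permission rules above, added here as an example and not part of the article: audit_wp flags anything world-writable under the WordPress root, a wp-config.php that others can read, and group-writable copies of the two files the article singles out, and harden_modes applies 755 for directories and 644 for files with 640 on wp-config.php (owner read/write, web-server group read, nothing for others). The function names are this example's own; it assumes GNU stat with a BSD stat fallback, and a layout where the web server is not the owner of the files (where PHP runs as the owner, 600 on wp-config.php is the equivalent).

```shell
#!/bin/sh
# Added example: audit and fix file modes under a WordPress root.
# Helper names are this example's own. Works with GNU stat (Linux) and
# falls back to BSD stat.

# Octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# audit_wp <wordpress-root>: print findings, return 1 if there are any.
audit_wp() {
    root=$1 rc=0
    # 1. World-writable files or directories let any local account (or a
    #    compromised neighbour on shared hosting) drop PHP into the site.
    n=$(find "$root" ! -type l -perm -002 | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        find "$root" ! -type l -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
        rc=1
    fi
    # 2. wp-config.php holds the database password and the salts: 644 leaves
    #    it readable by every account on the box, so the "others" digit must be 0.
    if [ -e "$root/wp-config.php" ]; then
        m=$(file_mode "$root/wp-config.php")
        case "$m" in
            *[4567]) printf 'WORLD-READABLE wp-config.php (%s)\n' "$m"; rc=1 ;;
        esac
    fi
    # 3. Group write on the two files the article singles out; the web
    #    server is usually a member of that group.
    for f in wp-config.php .htaccess; do
        [ -e "$root/$f" ] || continue
        m=$(file_mode "$root/$f")
        case "$m" in
            *[2367]?) printf 'GROUP-WRITABLE %s (%s)\n' "$f" "$m"; rc=1 ;;
        esac
    done
    return "$rc"
}

# harden_modes <wordpress-root>: directories 755, files 644, wp-config.php 640.
harden_modes() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -e "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

# `sh wp-perms.sh /var/www/site` audits; `sh wp-perms.sh --fix /var/www/site`
# applies the modes and audits again.
if [ "$#" -eq 2 ] && [ "$1" = "--fix" ]; then
    harden_modes "$2" && audit_wp "$2"
elif [ "$#" -eq 1 ]; then
    audit_wp "$1"
fi
```

Run the audit from cron and alert on a non-zero exit: a file that turns world-writable or a wp-config.php that becomes readable by others is a change worth investigating, not just fixing.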
Regular backups
Even with every precaution, backups remain the ultimate safeguard. Tools like UpdraftPlus automate backups of files and the database to remote storage (Dropbox, Google Drive, etc.) with one-click restore. Keep the copies off the server, since a backup stored next to the site is lost or encrypted along with it, test a restore before you need one, and remember that the archive contains wp-config.php with the database password and salts, so the remote storage needs the same access control as the site itself.