
7 Ways to Prevent Your WordPress Website from Being Hacked

Today, keeping your website from being hacked is one of the most important tasks you have, because a hacked site can be used for many harmful activities. So, in this post I want to guide you through preventing your website from being compromised.


1. Backup

This is the first step and the most important one. Before you plan any changes, make sure you back up your entire database. You can do this manually or use an available plugin. I recommend BackupBuddy, which backs up your entire WordPress blog. Unlike free plugins, which only back up your database, BackupBuddy exports your entire database along with the images, files and whatever else you have in your blog's content folder. Pretty sweet!


2. Update WordPress Version

The second crucial step, after backing up your blog, is to update it to the latest version. You should always make sure that your blog's version is up to date: the WordPress team releases patches that fix security holes. Follow the WordPress feed to find out about the latest updates, or simply log in to your admin dashboard.

I would also recommend that you follow WordPress Development and BlogSecurity as they will inform you whenever a new patch/fix is released.


3. Change your Login/Password

The default WordPress login is "admin", and most hackers know that. Change it to something that would be difficult to guess; "rogers12" or "donhoe2" are good examples. The best thing to do is delete the default admin user and create a new account with a custom login.

I suggest that you use strong passwords which include upper- and lower-case letters, numbers and symbols. Something like "rockSTAR19!@" or "Anabel2@!" is a good example of a strong password.

Most hackers try to brute-force the password, so if your password is really strong, as described above, you should be fine.


4. Change the Database Table Prefix

The default table prefix for WordPress is wp_, and of course the hackers know that. With this knowledge, an attacker already knows the names of all the most important tables in your WordPress installation, which makes SQL injection attacks much easier. So change wp_ to something else of your own choosing (not your domain name!). See this link for some good instructions on how to make this change.
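As an added example (not from the original post), the script below generates the SQL needed to move an existing install off the wp_ prefix and patches $table_prefix in wp-config.php. It assumes the standard core table set and that you review the output and restore from backup if anything goes wrong; the prefix k7x_ used in the comments is a constructed sample.

```shell
#!/bin/sh
# Generate the SQL for moving an existing WordPress install off the default wp_
# prefix, and patch $table_prefix in wp-config.php. Assumes the standard core table
# set; the output is meant to be reviewed and run against the DB after a backup.

WP_CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

# A prefix may only contain letters, digits and underscores (WordPress rejects others).
wp_valid_prefix() {
    case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    return 0
}

# Usage: wp_prefix_rename_sql OLD_PREFIX NEW_PREFIX  -> SQL on stdout (e.g. wp_ k7x_)
wp_prefix_rename_sql() {
    old="$1"; new="$2"
    wp_valid_prefix "$new" || { echo "invalid prefix: $new" >&2; return 1; }
    for t in $WP_CORE_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Rows that embed the prefix in their data: the roles option and two per-user
    # meta keys. Forgetting these leaves every user without a role after the rename.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = '%scapabilities' WHERE meta_key = '%scapabilities';\n" "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = '%suser_level' WHERE meta_key = '%suser_level';\n" "$new" "$new" "$old"
}

# Usage: wp_set_config_prefix /path/to/wp-config.php NEW_PREFIX
# Rewrites the $table_prefix line in place (via a temp file, so it works on BSD and GNU sed).
wp_set_config_prefix() {
    cfg="$1"; new="$2"; tmp="$cfg.tmp.$$"
    wp_valid_prefix "$new" || return 1
    sed "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=.*/\$table_prefix = '$new';/" "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}
```

Run the SQL first, then patch wp-config.php; between the two steps the site will not be able to find its tables.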



5. Set Correct File Permissions

So why is this important, clients ask? Well, say you set the index.php file on your site with permissions that let anyone in the world update it. A hacker could then modify this file and redirect every visitor that comes to your site to their own malicious site. We could do a full post just on this topic (we will make sure we do soon), and it is a key part of how to prevent your WordPress website from being hacked, so here are some quick notes and guidance on locking down access to the files and directories of your WordPress installation.

A good rule of thumb is: all files should be 664, all folders should be 775, and wp-config.php should be 660, or better still, moved out of your WordPress public_html directory. Those are just the basics, and we recommend that you read up fully before adjusting your file permissions, because if you don't do it correctly you could take your whole site offline for visitors.
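As an added example that is not part of the original post, this script applies the 664/775/660 rule of thumb above to a WordPress tree and reports anything still world-writable (the index.php scenario). It assumes the web server runs as a member of the group that owns the files, so the group-write bits are what it relies on for writes.

```shell
#!/bin/sh
# Apply the rule of thumb from the post: files 664, folders 775, wp-config.php 660.
# Assumption: the web server user is in the file owner's group; otherwise group
# permissions do nothing for it and you should revisit ownership before running this.

# Usage: wp_harden_permissions /path/to/wordpress
wp_harden_permissions() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 775 {} +
    find "$root" -type f -exec chmod 664 {} +
    # The config holds DB credentials and salts: owner and group only.
    [ -f "$root/wp-config.php" ] && chmod 660 "$root/wp-config.php"
    return 0
}

# Usage: wp_world_writable /path/to/wordpress
# Prints every path that anyone on the box could modify; exit 1 if there are any.
wp_world_writable() {
    find "$1" -perm -002 -print | grep . && return 1
    return 0
}

# Usage: wp_mode_string /path  -> e.g. "-rw-rw-r--" (portable across GNU and BSD ls)
wp_mode_string() {
    ls -ld "$1" | cut -c1-10
}
```

Run wp_world_writable before and after: a clean tree prints nothing, which is the state you want to see in your audit output.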


6. Secure Your Server Configuration

Doesn't my hosting company handle this, clients ask? No! They want to make it as easy as possible for you to build your website and want as few support tickets as possible. Unfortunately this mix means they also leave your site's server configuration in an open state that hackers love. You need to take responsibility and make a few changes to close these gaps. Here are a few rules we recommend you look into and add for your particular web server:

  • Find out which web server you are using and learn about its configuration files. Apache web servers use the .htaccess file, Nginx servers use nginx.conf, and Microsoft IIS servers use web.config. Usually found in the root web directory that you have access to (and that hackers have access to if they are not secured), these files are very powerful: they allow you to set server rules, including directives that improve your website's security.
  • Prevent directory browsing: this stops malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution. When cleaning sites we often see in the logs that hackers have been freely browsing the site's wp-content/uploads directories, trawling for all sorts of files that the owners would not want them to have.
  • Restrict PHP execution in directories that hold images or allow uploads.
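As an added example (not part of the original post), this script audits an Apache-hosted WordPress tree for the two .htaccess controls just listed, directory listing disabled at the web root and PHP execution blocked under wp-content/uploads, and writes the missing rules. It assumes Apache 2.4 syntax (Require all denied) and that AllowOverride lets .htaccess take effect.

```shell
#!/bin/sh
# Audit and harden the .htaccess controls described above. Assumptions: Apache 2.4
# with AllowOverride enabled for the document root, so .htaccess is honoured.

# Rules written into wp-content/uploads/.htaccess: no listing, and any PHP-looking
# file dropped there is refused rather than executed.
UPLOADS_RULES='# Added hardening: no listing, and PHP files here are never served
Options -Indexes
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>'

# Usage: wp_htaccess_audit /path/to/wordpress  -> prints findings, exit 1 if any
wp_htaccess_audit() {
    root="$1"; bad=0
    if ! grep -qs '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess"; then
        echo "FINDING: directory listing not disabled in $root/.htaccess"; bad=1
    fi
    up="$root/wp-content/uploads/.htaccess"
    if ! grep -qs 'Require all denied' "$up" || ! grep -qs 'FilesMatch' "$up"; then
        echo "FINDING: PHP execution not blocked in wp-content/uploads"; bad=1
    fi
    return $bad
}

# Usage: wp_htaccess_harden /path/to/wordpress
# Appends Options -Indexes to the root .htaccess if missing and (re)writes the uploads rules.
wp_htaccess_harden() {
    root="$1"
    grep -qs '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess" \
        || printf 'Options -Indexes\n' >> "$root/.htaccess"
    mkdir -p "$root/wp-content/uploads"
    printf '%s\n' "$UPLOADS_RULES" > "$root/wp-content/uploads/.htaccess"
}
```

On Apache 2.2 the equivalent directive is "Deny from all"; on Nginx the same outcome needs a location block in nginx.conf rather than a file in the directory.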


7. Don't Host All Your Websites on One Server

Yes, we understand the temptation: it is cheaper to choose an "unlimited" hosting plan with your hosting company and put all your websites on a single server. Unfortunately, for a hacker this is like finding a candy store, and in terms of security it is a way to make your life a nightmare. As security experts would say, it "creates a very large attack surface", which basically means it offers a hacker many more ways to break into your sites. If the hacker gets into one of the sites, he can take over all of your sites on that same server.

For example, on an unlimited hosting package you might have placed 10 of your websites on one server. Say one of those sites is one you never really check or keep updated. The hacker can use this weakest link to break into that one site and gain full access to take over your other 9 websites. With their tools they usually have far more access than you have through your WordPress admin console.

When we protect a site with our SharkGate WordPress Protection, we recommend applying the same protection to all the sites you have on your server, which stops a hacker using any one of your sites to infect the others.


Mohit Saini is a freelancer and is actively engaged with several websites, providing articles on technology. He likes to stay updated with the current tech news related to web hosting and domain registration. For any questions, mail him at 11mohitsaini@gmail.com
