It seems that a week never passes without some report of a major website being hacked or hit by a DDoS attack. What slips through the headlines are the even more frequent attacks on smaller websites. Although WordPress was designed with security in mind, it is just as susceptible to attack as any site, and like many content management systems (CMS) it is open source, which means that hackers know which WordPress vulnerabilities to look for and exploit. Website hacking is on the increase, largely due to freely available hacking tools and scanning software. It is not enough to rely solely on WordPress's own security. Your WordPress site must be set up with additional security measures, regularly maintained, and monitored for suspicious activity.

You might think that your site has nothing of value to others, but every website has value to hackers. You may hold sensitive data. Your site may be used to send spam, to attack other websites, or to infect site users' computers (viruses/malware). Your site could be used to advertise inappropriate goods or services. Businesses and individuals must now take security more seriously than they ever have in the past!

In this article we describe 12 steps we routinely apply to every new WordPress site. There is no such thing as perfect security, but following these steps will greatly increase security and make a site much harder to hack. Although this article directly concerns the security of WordPress sites, the principles behind the following steps apply to most websites.

  1. SSL – HTTPS. Before you install WordPress, obtain an SSL certificate and use it to serve your site over Hyper Text Transfer Protocol Secure (HTTPS) instead of the insecure HTTP it currently uses. HTTPS is an encrypted protocol over which data is sent between your browser and the website you are connected to. Changing a WordPress site from HTTP to HTTPS at a later date can be frustrating and time consuming. In some countries HTTPS is a legal requirement for online stores or for any site that collects customer data. Customers are more likely to trust, and complete purchases on, sites that use HTTPS. It will also benefit your Google page rank.
  2. BACKUP. OK, it might seem obvious, but it's surprising how many website owners don't have a backup plan in operation. Most hosting plans come with cPanel, and backup is usually an option. If your cPanel includes an Apps installer, chances are you can set up a fresh WordPress install and a backup plan in seconds, backing up the whole site and database. For quieter sites we recommend a backup once a week, and for busy sites every day. Set the backup rotation to keep at least 8 backups. Never rely on your hosting company's automated backup, as it is likely their backup isn't performed as often as you'd like. With a cPanel Apps Installer backup you can restore a hacked site in a minute, depending on size. For peace of mind, we also periodically download complete site backups (content and database) to our local system in case a host server is attacked or fails.
  3. WP ADMIN USERNAME AND PASSWORD. Never use the CMS default Admin username. This is like giving a hacker a 50% clue to accessing your site. Try to pick a username that isn't in a dictionary. For passwords use upper- and lower-case letters, numbers and symbols, like this: s5G”?}{PX-jR. If you're stuck for inspiration, try a password generator ( ). A strong password will hold off brute force attacks. Never use familiar names such as pets, kids, locations or hobbies.
  4. WP POST USERNAMES. Make sure that the usernames shown on WordPress posts are not the admin username. Hackers will take that username and try passwords by brute force to gain access to your admin account. Always write posts under a username that doesn't have admin rights, or remove usernames from your theme's template entirely.
  5. SOFTWARE UPDATES. Always keep your WordPress version up to date. Either update manually or automate updates through your CMS dashboard options. Updates usually include code patches and security fixes, helping to keep your site abreast of common threats. More on updates at
  6. DATABASE TABLE PREFIX. The WordPress default is wp_, and leaving it in place makes SQL injection attacks far easier. We know this, and the hacker knows it too. So change it to something that is really tough to guess, like “quiznos739_”. Again, this is far easier to do at install time than to change later: while installing WordPress, just change the default option. If you need to change an existing WordPress install, you'll make the changes using phpMyAdmin, found in cPanel. This article explains how to do this
  7. WORDPRESS KEYS. Improve your WordPress site's user data encryption by generating your own keys for wp-config.php using a WordPress Key Generator ( ), whose output looks like this:
    define('SECURE_AUTH_KEY', '48bxAJ`.AwdLkp7bh)|p(V6YWZtT{yBfclj6OYf-@ q!`!#fR6`|)|MBX-?N)-oe');
    define('LOGGED_IN_KEY', 'xQRnb@7Rcd2>`df.Q}o$&MSJ=13+A5t2-XY^.gb8+QY3srXaUS5>_[B[bHzI/01O');
    define('NONCE_KEY', '5;|8:THMagL a:e%?r6;?1|DweHiBU3:k;gm]h+6<6h5Z4~~0=?.w9/uF+=s3p6N');
    Replace the matching lines in wp-config.php with the generated versions (note the straight single quotes: curly quotes will break the PHP file).
  8. BLOCK SPIDERS from indexing WordPress's admin area and any sections containing sensitive information. If you don't already have a robots.txt file in your site's root, create a text file in Notepad (Windows) or Notes (Apple), add the text below, and save it as robots.txt in the root of your website. Without a robots.txt file, search engine spiders will eventually crawl your entire site. Add as many Disallow lines as you need.
    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: */trackback/
    Disallow: */feed/
    Disallow: /*/feed/rss/$
    Disallow: /category/*

It should be noted that not all spiders will honor robots.txt instructions, but reputable search engines will. (The User-agent line must not be commented out with #, otherwise the Disallow lines below it belong to no group and are ignored.)
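As an added illustration of steps 6 and 7 (not code from the original article), this Python script audits a wp-config.php body for the default wp_ table prefix and for placeholder, missing or weak keys, and generates replacement define() lines from the operating system's CSPRNG. The sample config fragment and the key alphabet are constructed assumptions; the audit covers only the prefix and the eight key/salt constants discussed here.

```python
import re
import secrets
import string

# Constructed wp-config.php fragment with the defaults a fresh install ships with
SAMPLE_WP_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'xQRnb@7Rcd2>`df.Q}o$&MSJ=13+A5t2-XY^.gb8+QY3srXaUS5>_[B[bHzI/01O');
define('NONCE_KEY',        'short');
"""

# The eight secrets WordPress reads from wp-config.php (keys and their salts)
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Assumed alphabet: printable ASCII minus quote characters and backslash,
# so a value can be pasted into a single-quoted PHP string unchanged
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation + " "
                   if c not in "'\"\\")
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")

def audit_wp_config(text):
    """Return findings for a wp-config.php body; an empty list means clean."""
    findings = []
    m = PREFIX_RE.search(text)
    if not m or m.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    defined = dict(DEFINE_RE.findall(text))
    for name in KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name} still holds the install placeholder")
        elif len(value) < 64 or len(set(value)) < 16:
            findings.append(f"{name} is too short or has too little variety")
    return findings

def generate_key(length=64):
    """Draw one key from the OS CSPRNG (secrets); 64 characters like the WordPress generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def render_defines():
    """Emit replacement define() lines for all eight constants."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in KEY_NAMES)
```

Running audit_wp_config(SAMPLE_WP_CONFIG) reports the default prefix, the two placeholders, the short NONCE_KEY and the four missing salts; paste the output of render_defines() into wp-config.php to clear the key findings.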
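As an added example for step 8 (not part of the original article), this Python snippet parses a robots.txt body into per-agent Disallow rules and evaluates paths against them with the '*' and '$' wildcards, which is a convenient way to check the file before uploading it. It is a simplified evaluator: Allow lines and longest-match precedence are not modeled, and the sample file is constructed from the rules above.

```python
import re

# Constructed robots.txt carrying the Disallow rules recommended above
SAMPLE_ROBOTS = """User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: */trackback/
Disallow: /*/feed/rss/$
Disallow: /category/*
"""

def parse_groups(text):
    """Return {user-agent: [disallow patterns]}; '#' starts a comment, so a commented
    User-agent line leaves the following Disallow lines without a group."""
    groups, agents, collecting = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "user-agent":
            if not collecting:          # a new run of User-agent lines starts a new group
                agents = []
            collecting = True
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        else:
            collecting = False
            if field.lower() == "disallow" and value:
                for agent in agents:
                    groups[agent].append(value)
    return groups

def pattern_to_regex(pattern):
    """'*' matches any run of characters; a trailing '$' anchors the end of the path."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = ".*".join(re.escape(piece) for piece in body.split("*"))
    return re.compile("^" + regex + ("$" if anchored else ""))

def is_disallowed(groups, path, agent="*"):
    """True if any Disallow rule for the agent (falling back to '*') matches the path."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    return any(pattern_to_regex(p).match(path) for p in rules)
```

Because '#' starts a comment, a file whose User-agent line is commented out parses to no rules at all, so every path comes back allowed; that is the failure this check catches before the file goes live.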

Next… Ringfence your WordPress site