Tips for securing your WordPress site

WordPress is a great platform for building websites. Given the free engine and rich functionality, a large audience of webmasters has managed to appreciate the platform. But not everyone thinks about the safety of their work and live in happy ignorance until the first hacker attack.

What can happen to a web resource

When creating blogs, many webmasters start stuffing them with various “useful” plugins and a huge amount of text or graphic content. But focusing on the development of the site, for some reason, no one thinks about hackers, who can easily damage any unprotected web resource. Most often, a blog is hacked to host ads or malware. Cases of assignment or complete removal are not uncommon.


One ​​of the most primitive ways to save data is through a backup. The fact is that the WordPress database contains every post, link, and comment on your blog, which means that periodic backups are a reliable way to save all changes on the site. Of course, the method does not protect against hacker attacks and does not prevent data loss, but it allows you to save the result of your work and restore the functionality of the web resource as soon as possible.

How to back up

Many hosting providers provide backup services for hosted sites. If such services are not provided, you can also copy data “manually” using various FTP clients. But it is still much more convenient to do this with the help of special synchronization programs. For example, WinSCP allows you to synchronize with your web resource and will be able to copy the latest versions of files and content to your hard drive.

Plugins for backup

It should be noted that the backup feature is included in the core functionality of WordPress. It can be found in the “Tools-Export” section. Thus, you can save an XML file containing the text information of your web resource. Restoration is carried out in the “Import” section.

In order to make regular WordPress database backups, you can use Simple BackUp, BackUp WordPress, WP Remote, Online Backup and VaultPress plugins.

Protection for WordPress during installation

Of course, backups are the first step to quickly recover a damaged site. But it is much more important to avoid such situations. Therefore, first of all, you should perform some actions immediately after installation.

Tip 1: Update

When working with WordPress, you should use the most up-to-date version of the engine, which must be downloaded only on the official website: developers are trying to learn about new vulnerabilities and fix them as soon as possible in updated versions. It is important to remember that timely updating of the engine and installed plugins allows not only expanding the functionality, but also reducing the number of security holes, so you should not neglect the update.

Tip 2: Don’t use “admin” as your username

You should change the admin username right away. The default username in WordPress is “admin”. It is not difficult to guess how much time this will save the cracker. In addition, for reinsurance, you can register a new administrator profile by deleting the old one. This is done so that the attacker cannot recognize the nickname by ID: initially, the administrator will be listed under the number “1”.

Tip 3: Choose strong passwords

Of course, you should also take care of the complexity of the password, which should consist of a large number of characters of different case. Also, to complicate the password, you can use numbers and punctuation marks. You can change your password through the admin panel, in the menu on the left. To do this, go to the “Users” tab and select the “Your profile” item.

Tip 4: Protect your admin

The next step is to secure the admin area. As a rule, most hackers use software that works according to certain patterns. Most often, attackers try to query the “wp-login.php” and “wp-config.php” files. To protect against such actions, it is enough to rename “wp-login.php” to a new name, which may contain a random set of numbers and symbols, in the format XXXXXXXXXXXX.php. This action will allow you to change the address of the admin panel: initially, the standard address “blog name/wp-login.php” or “blog name/wp-admin” is used to enter the admin panel.

It is important to note that you must rename all files with this name (including those that are in the file itself), and this name should also be entered in the wp-includes/general file -template.php You can do this by opening the files with a text editor. By the way, almost all key folders can also be renamed (for example, some webmasters prefer to rename even the wp-content folder). After that, access to files can be restricted via “.htaccess”:

   order allow,deny
   deny from all

You can also protect the wp-admin folder with a .htaccess file, and almost any folder or file. It should be noted that you can also protect the “.htaccess” file, but this action may cause a conflict with some themes or plugins.

It will not be superfluous to restrict access to the contents of the directory folders from viewing by the browser, for this you can create empty index.html or index.php files and drop them into all folders and subfolders. You can disable viewing certain directories on the server with the “Options All -Indexes” command.

Tip 5: Hide your WordPress version

Another preventive step is to remove all unnecessary information. The fact is that even information about the version of the engine can become a reason for hacking if an attacker finds out that you did not have time to update the version of the WordPress system, and some vulnerabilities are still open. First, there are files license.txt and readme.html in the root of the site. These files do not affect the operation of the site in any way, but if they get into the hands of an attacker, they can provide some useful information. You should also remove the version information that is available to all users. To do this, go to the “Appearance” tab, then select “Editor” and open the “header.php” file. In it, you need to remove the line in the code:

Plugin Protection

A lot of problems can be avoided by following the preventive measures described above. However, you can protect your web resource from professional attacks only with the help of special plugins. In addition, some plugins will save you from having to do some of the above actions: just check the necessary checkboxes in the settings. And this will eliminate the possibility of making a mistake, which is especially important for beginners who do not understand all the intricacies of program codes. For example, the Lockdown WP Admin plugin is able to change the admin address if you go to the settings, find the “WordPress Login URL” field and enter a new address in it. As you can see, you won’t have to edit many files. The plugin can also hide the “wp-admin” directory and give a 404 error when requested.

If we talk about ways to hack web resources, then the most popular of them is password guessing. Since WordPress does not keep statistics on unauthorized access attempts, and does not stop such attempts, we have to solve this problem with plugins.

Login Lockdown is a plugin that can capture all failed attempts to login to the admin area. The statistics store the time and IP address of such attempts. But the most useful feature – the plugin is able to block access to the site for a certain time, if the number of such attempts exceeds the specified value. If you go to the Login Lockdown settings and understand all the points, you can configure:

  • number of admin login attempts;
  • time period for retrying;
  • time for which access to the admin panel is blocked;
  • accounting for incorrect login input;
  • masking input errors (when it is easier for an attacker if he made a mistake when entering a login).

Limit Login Attempts is a plugin that offers much the same functionality, it is also able to block the IP from which unsuccessful login attempts are made.

Ask Apache Password Protect – plugin prevents possible attacks by working with “.htaccess” files. Notably, it works at the network level, without using php.

Sideways8 Custom Login and Registration – hides the operation of the built-in authorization option.

Login Dongle is an additional security shell for your admin area. Introduces an additional security question without changing the authorization page.

WordPress HTTPS (SSL) is a packaged solution for securing authorization and finding errors.

ALL IN ONE WP SECURITY – There is a lot to be said for this plugin. This is because it is a comprehensive security solution:

  • it is able to block failed logins and keep activity logs;
  • adds captcha when registering all blog users;
  • backs up the database;
  • restricts access to important WP files;
  • protects against spam;
  • protects against brute force attacks.

But perhaps the main advantage of the program is the firewall. It prevents hotlinks, blocks robots and provides security with an additional firewall. For an additional fee, there is also a scanner that monitors malware and file changes.

Scanners and antiviruses

Despite the fact that there are a large number of security plugins, they cannot guarantee complete protection. Indeed, in addition to simple password guessing attacks, there are other threats. In particular, these are viruses that are introduced into the site in the form of malicious code. It is not so easy to find it on your own. In addition, by securing your web resource with some of the tools presented above, you can leave other vulnerabilities that you did not take into account. Therefore, to search for vulnerabilities, you should use special scanners that will help you understand in which direction you should strengthen the defense of your blog. Antiviruses should be used to search for malicious code.


is a powerful solution to identify potential problems. After all, if you do not use their search, it is not a fact that hackers will not use such a program to find easy ways to your blog. So, due to what WPScanner gained popularity:

  • has an up-to-date updatable base;
  • shows the most complete information about the version of WordPress, and also talks about all the vulnerabilities;
  • scans for vulnerable topics;
  • shows a list of plugins and also highlights the most vulnerable.

In general, there are many scanners that determine vulnerabilities. But their problem is precisely in the presence of an up-to-date base. For example, Plecost is a good solution for scanning vulnerable plugins, but its databases have not been updated for a long time. Therefore, despite the fact that the functionality is preserved, the program will not find new features that can be used to damage the site.

Theme Authenticity Checker (TAC)< /strong>

– a plugin that is designed to check installed themes, as the name indicates. Using this solution, you can check WordPress themes for Base64 codes and hidden links in the footer. When detected, the path to the topic is immediately displayed, as well as the line number with a piece of suspicious code.

Exploit Scanner

– a tool that scans the site database for suspicious files. It detects signs of suspicious malicious activity, also checks filenames, but the decision to delete is entirely up to you.

Acuntetix WP Security

– Another plugin that provides a list of protective actions. Scans the blog for security errors, hides access to the blog engine version, checks permissions in the file system, can remove meta tags from the core code. Of the advantages – free and universal.

Sucuri Security

is a plugin that has proven itself in detecting malicious code. In addition, the plugin monitors files uploaded to WordPress, notifies about security, monitors the blacklist and more. You can also activate a paid add-on – a fairly powerful firewall.

– unlike most scanners, this is a plugin that protects a web resource in real time. Provides security against many known cyber attacks, scans for vulnerabilities, blocks the entire infected network upon detection.


– a plugin, interesting in that it allows you not only to scan the platform for viruses and various malicious threats, but also is able to remove all this. Features include both express scan and full scan. You can configure the removal of threats in automatic mode.

In general, there are quite a few antiviruses for WordPress.

For example, WordPress AntiVirus, WP Antivirus Site Protection, Antivirus For WordPress and others. Despite the similarity of names, they have some differences in design and operation, although they perform the same tasks:

  • scan for malicious code;
  • scan uploaded files;
  • remove malicious code and files;
  • monitor suspicious injections.

Of course, there are differences in the work, but you can stop at a particular solution only after working with it. It is also worth noting that it is better not to overload the engine with a large number of plugins, but to choose a few of the most optimal ones.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Main menu