
14 Ways To Prevent Your WordPress Blog From Being Hacked


There are over 5 million results in Google for the keyword “prevent wordpress hack”. Everyone has their own opinion, and I don't think most of those posts are updated frequently. It has been a while since I last posted here. If you have been following me on Twitter, you know what I have been up to. First, a few things you should know: I have made several changes to this blog.

Recently, some of my blogs were hacked. It was funny: the index file had an image of a smurf showing the middle finger with text saying “where’s your security?” I was glad the hacker left his email address so I could thank him for mocking the security of my blogs, and so I did. The surprising part: this guy didn’t touch the database and didn’t inject any malware. I found that odd, but after checking each file, they were all clean. (In hindsight, a defacement that “only” replaced index.php still means the attacker had write access to the web root, so the safe assumption is that any file could have been altered; compare the install against a clean copy of the same WordPress release or restore from a known-good backup rather than eyeballing files.)

I was so involved in other projects that I didn’t pay much attention to security, which is actually the most important thing here. If this guy hadn’t breached my security, I wouldn’t have known the blogs were vulnerable and wouldn’t have bothered to take action. Whatever the case, I have sent him a “Thank You” note ;)

I have removed some poorly written plugins, transferred to HostGator, tweaked code and more. Today I have decided to write a post on how I did it, that is, how I strengthened the security of my blog to keep out hackers and other creeps. I will have a video tutorial later this month, but for now, check this out. Some basic tweaks can help protect all your hard-earned content. Here are the tips I use to prevent a WordPress hack.

14 Tips To Prevent WordPress Hack


1. Backup

This is the first step and the most important. Before you make any changes, back up your entire site. You can do this manually or with a plugin. I recommend BackupBuddy, which backs up your whole WordPress install. Unlike free plugins that only back up the database, BackupBuddy exports the database together with images, uploads and everything else in your content folder. One caveat: keep a copy of the backup somewhere other than the server itself. An attacker who can write to your web root can also delete or tamper with backups stored next to it, and a backup you have never test-restored is not really a backup.

2. Update WordPress Version

The second crucial step, after backing up your blog, is updating it to the latest version. Always make sure your blog’s version is up to date. The WordPress team releases patches to fix security holes, and an outdated core, plugin or theme with a public vulnerability is the usual way in. The same applies to plugins and themes: update them too, and delete (not just deactivate) the ones you no longer use, since a deactivated plugin’s PHP files are still reachable on disk. Follow the WordPress feed to find out about the latest updates, or simply log in to your admin dashboard, which shows pending updates.

I would also recommend following WordPress Development and BlogSecurity, as they announce whenever a new patch or fix is released.

3. Change your Login/Password

The default WordPress login is “admin”, and every hacker knows it. Change it to something harder to guess, such as “rogers12” or “donhoe2”. The best approach is to create a new administrator account with a custom login and then delete the default admin user, assigning its posts to the new account. Keep in mind that this is only a speed bump: WordPress exposes usernames through author archives (the ?author=1 redirect), so a determined attacker can usually recover the login name. A strong password and a limit on failed login attempts matter far more.

Use strong passwords that include upper and lower case letters, numbers and symbols. Examples like “rockSTAR19!@” or “Anabel2@!” are on the short side; length matters more than symbols, so prefer a passphrase of twelve or more characters, and never reuse the blog password anywhere else.

Most attacks against wp-login.php are brute force attempts, so a really strong password as described above takes you most of the way. Brute forcing also arrives through xmlrpc.php, which accepts credentials in XML-RPC calls, so watch that file in your logs as well, and consider a plugin that limits login attempts per IP.

Do not use birthdays, names, pet names or hobbies as passwords. People close to you know those details; you don’t want any lucky guesses :)
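The log-side view of that brute forcing, as an added example that is not part of the original post: a Python script that reads Apache access log lines, counts failed POSTs to wp-login.php per IP inside a sliding window, and flags an IP that then manages to log in. The log lines are constructed for the example. The status-code heuristic assumes a stock wp-login.php (a wrong password re-renders the form with 200, a correct one answers 302 to the dashboard) and a server that logs the real client address rather than a proxy’s; behind a CDN or reverse proxy you would parse X-Forwarded-For instead.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not real log data). 203.0.113.7 hammers the login form,
# 198.51.100.5 is a legitimate admin who logs in on the first try.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2012:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2876 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2012:13:55:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2012:13:55:20 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_login_event(line):
    """Return (ip, timestamp, method, status) for requests to wp-login.php, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path = m.group("path").split("?", 1)[0]   # drop ?action=... and friends
    if path != "/wp-login.php":
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), int(m.group("status"))


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failed logins inside any `window`; note a later success from a flagged IP.

    Stock wp-login.php answers a wrong password with 200 (the form is re-rendered with an
    error) and a correct one with a 302 redirect to the dashboard, so the status code is the
    success/failure signal without any application-level logging.
    """
    events = [e for e in (parse_login_event(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[1])            # log order is not guaranteed to be time order
    recent = defaultdict(list)                  # ip -> timestamps of recent failures
    failures = Counter()
    report = {}
    for ip, ts, method, status in events:
        if method != "POST":                    # GET only fetches the form
            continue
        if status == 200:
            failures[ip] += 1
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold and ip not in report:
                report[ip] = {"first_flagged": ts, "failures": 0, "success_after_burst": False}
        elif status == 302 and ip in report:
            report[ip]["success_after_burst"] = True   # the guessing worked: treat the account as compromised
    for ip, info in report.items():
        info["failures"] = failures[ip]
    return report


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, first flagged {info['first_flagged']:%H:%M:%S}, "
              f"logged in afterwards: {info['success_after_burst']}")
```

An IP that is flagged and then gets a 302 is the case to act on first: reset that user’s password, rotate the keys in wp-config.php (step 4) to kill the session, and then block the address.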

4. WordPress Keys in wp-config.php

I didn’t know much about WordPress keys, but they are another important security measure. They are not encryption keys: they are secrets that WordPress mixes into the HMAC that signs login cookies and nonces. With the placeholder values still in place, anyone can compute the same signatures your site does, which makes forging login cookies and nonces far easier. Changing the keys also invalidates every existing login session, which is exactly what you want after a compromise.

Use the WordPress secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) to generate them. Open wp-config.php, find the lines that look like the ones below and replace them with the generated definitions. Current WordPress versions define eight constants (the four keys plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT); replace all of them. Note the straight single quotes: the curly quotes that blog software likes to insert are a PHP syntax error.

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Save and you are done. You (and everyone else) will be logged out, so log in again.
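To make concrete what the keys do, here is an added example (mine, not WordPress code): a Python sketch of an HMAC-signed login cookie of the kind the keys protect. It is deliberately simplified relative to WordPress’s own construction, which also folds a fragment of the user’s password hash and a session token into the key material. The placeholder string and the four constant names are the ones from wp-config.php; the cookie layout and the `render_wp_config_lines` helper are mine. It shows the three properties that matter: a tampered cookie fails, rotating the key invalidates every cookie issued before it, and with the placeholder still in place an attacker can mint a cookie that verifies.

```python
import hashlib
import hmac
import secrets
import time

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"   # the value a fresh wp-config.php ships with


def generate_keys():
    """Fresh random secrets, one per constant, like the WordPress secret-key service hands out."""
    return {name: secrets.token_hex(64) for name in KEY_NAMES}


def render_wp_config_lines(keys):
    """The define() lines to paste into wp-config.php (straight quotes; curly ones break PHP)."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


def make_auth_cookie(username, expires, key):
    """username|expires|mac, where mac = HMAC-SHA256(key, username|expires).

    Simplified: real WordPress also mixes a fragment of the user's password hash and a
    per-session token into the key; the dependence on the secret key is the point here.
    """
    payload = f"{username}|{expires}"
    mac = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_auth_cookie(cookie, key, now=None):
    """Return the username if the cookie is unexpired and its MAC was made with `key`, else None."""
    now = time.time() if now is None else now
    try:
        username, expires, mac = cookie.split("|")
        expires = int(expires)
    except ValueError:                         # wrong shape
        return None
    if expires < now:
        return None
    expected = hmac.new(key.encode(), f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    return username


if __name__ == "__main__":
    keys = generate_keys()
    print(render_wp_config_lines(keys))
    cookie = make_auth_cookie("editor", int(time.time()) + 3600, keys["AUTH_KEY"])
    print("valid:", verify_auth_cookie(cookie, keys["AUTH_KEY"]))
    print("after key rotation:", verify_auth_cookie(cookie, generate_keys()["AUTH_KEY"]))
    # With the placeholder still in wp-config.php, an attacker knows the key and can mint one too.
    forged = make_auth_cookie("admin", 2**31, PLACEHOLDER)
    print("forged under placeholder:", verify_auth_cookie(forged, PLACEHOLDER))
```

For a real site take the values from the secret-key service rather than this script, and replace the *_SALT constants at the same time; the rotation behaviour shown (every old cookie stops verifying) is the same.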

5. Install WP Security Scan

This plugin is the real deal: simple, and it automates the checks. It scans your WordPress blog for common misconfigurations such as loose file permissions, the default admin user and the default table prefix, and tells you what to fix. If the items in the admin panel are green, you are in good shape. They will not all be green on their own; sometimes you have to make them so, and I will tell you how. Treat any scanner as a checklist rather than a guarantee: it reports the settings it knows about, not whether your plugins are vulnerable.

6. Change Table Prefix

The default table prefix for WordPress is wp_. I know that, you know it, and the hacker does too. A custom prefix makes automated attack scripts that hard-code wp_users or wp_options fail on their first try. Be honest about what it buys you, though: an attacker with a working injection can read table names from information_schema, so this is obscurity that slows automated tools, not a fix for an injectable plugin. A good prefix would be “mashjg23_” or “sasdoe265_”. You can change it in two ways. The manual way is to set $table_prefix in wp-config.php, rename every table, and then update the rows whose names carry the old prefix: the wp_user_roles option in the options table and the wp_capabilities and wp_user_level keys in usermeta. Miss those and you are locked out of admin. That is more work than a newbie wants, which is where WP Security Scan helps: its “Database” tab renames the whole prefix for you. Either way, take the backup from step 1 first.

DB password: how strong is your database password? Both your WordPress login password and your database password should be strong. Include upper/lower case letters, numbers and symbols, and give the database user privileges on the WordPress database only rather than a global account.

7. Prevent WordPress Hack by Blocking Search Engine Spiders from Indexing the Admin Section

Search engine spiders crawl your entire blog and index everything unless told otherwise. We do not want the admin section indexed. The easiest way to ask crawlers to skip it is a robots.txt file in your root directory with the rules below. Understand what this does and does not do: robots.txt is a request that well-behaved crawlers honour, not an access control. Attackers ignore it, and since it is public it actually tells them where your admin and plugin directories are, so it must be paired with the .htaccess rules that follow. (WordPress’s own virtual robots.txt already disallows /wp-admin/ while allowing admin-ajax.php, which the front end needs.) Two of the lines below are also bad for SEO rather than good for security: blocking /wp-includes and /wp-content/themes/ stops Google from fetching the CSS and JavaScript it needs to render your pages, so drop those two unless you have a specific reason.

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

8. .htaccess Hacks

An .htaccess (hypertext access) file is the default name for a directory-level Apache configuration file; dropped anywhere inside the web tree, it applies to that directory and its children without touching the main server config. These files are commonly used to put access restrictions on a particular directory. This is not a tip in itself, but you should know about .htaccess because you can do a lot with it to keep attackers out. Two caveats before the snippets below. First, they are Apache-specific: nginx ignores .htaccess entirely, and even on Apache they only work if the host has AllowOverride enabled for the directives you use. A directive that is not permitted (Options is the usual culprit) produces a blank “Internal Server Error” for the whole site, so add the rules one at a time and reload after each. Second, the Order/Allow/Deny directives are Apache 2.2 syntax; Apache 2.4 keeps them working through mod_access_compat, but its native form is Require all denied and Require ip. Here are the .htaccess tweaks I use.

9. Protect your .htaccess

After tweaking your .htaccess to protect your blog, you cannot leave the .htaccess file itself open to attack. The rule below prevents anyone from fetching files whose extension starts with .hta (so .htaccess and .htpasswd) over the web. Apache’s stock configuration already contains an equivalent rule, but shared hosts sometimes ship without it, and it costs nothing to keep. Place the code in your domain’s root .htaccess file.

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>

10. No Directory Browsing

It is not a good idea to let visitors browse your directory listings. A listing reveals the directory structure, plugin versions and stray backup files, which makes it easier for attackers to look for holes.

To stop this, add the two lines below to the .htaccess in the root directory of your WordPress blog. The form this tip usually circulates in, Options All -Indexes, is a mistake: Options All switches on every option except MultiViews, including ExecCGI and Includes, which you do not want a shared web root to have. Removing Indexes alone is what you mean. If your host forbids Options in .htaccess altogether, any form of this line gives an Internal Server Error, and you must ask the host to disable indexes for you.

# disable directory browsing
Options -Indexes

11. Secure wp-config.php

wp-config.php is important because it contains your database credentials and the secret keys, so we must protect it. Normally PHP executes the file and returns nothing, but a broken or temporarily disabled PHP handler would serve its source as text, credentials included; the rule below denies every HTTP request for it regardless. Add it to the .htaccess in the root directory. A complementary measure WordPress supports out of the box is moving wp-config.php one directory above the web root, where no web request can reach it at all.

# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

The rule denies HTTP access to wp-config.php for everyone, including me :( (you still edit it over FTP or SSH, which this does not touch).

12. Limit Access to the Wp-Content Directory

wp-content contains everything: themes, plugins and uploads. It is a very important folder and you should lock it down. Visitors should only be able to fetch the static file types a page actually needs, such as images (jpg, gif, png), JavaScript, CSS, fonts and XML. In particular, nothing under wp-content/uploads should ever execute as PHP, because a writable uploads directory is where a webshell lands after a careless plugin accepts the wrong file.

Place the code below in the .htaccess file within the wp-content folder (not the root). The regex must use straight quotes and an escaped dot, and it must list every type your theme serves; the version of this snippet that circulated had curly quotes and left out jpg, which is why readers reported broken images and CSS. The list below also allows webp, web fonts and pdf. Be aware that a few plugins legitimately serve PHP from wp-content (ajax handlers, captcha images); if something breaks, add the specific file with its own Files block rather than loosening the rule, or apply the rule to wp-content/uploads only.

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|webp|js|woff2?|ttf|pdf)$">
Allow from all
</Files>

13. Protect WordPress Admin Files

wp-admin should be accessible only to you and your fellow bloggers (if any). You can use .htaccess to allow only specific IP addresses into this directory.

If you have a static IP address and always blog from the same place, this is a good option. If you run a multi-user blog, you can either skip it or allow a range of IPs. Refer to Apache’s mod_access documentation (mod_authz_host on 2.4) for the full syntax. Two things to know before you try it. First, wp-admin/admin-ajax.php is requested by the public front end (themes and plugins use it for infinite scroll, comment forms, polls), so blocking all of wp-admin breaks those features for every visitor, which is the “forbidden error even when not on the admin page” some readers have hit; the snippet below exempts it. Second, wp-login.php and xmlrpc.php live in the root, not in wp-admin, so this does not stop password guessing; it limits what a stolen password is worth.

Copy the code below into the .htaccess in the wp-admin folder (not the root folder). Apache does not allow a comment after a directive on the same line, so the IP comment has its own line here; left inline, Apache treats “#”, “This”, “is” and so on as extra host names to allow.

# deny access to wp-admin except from your static IP
# replace xx.xx.xx.xx; add more Allow lines or a CIDR range for more users
Order deny,allow
Deny from all
Allow from xx.xx.xx.xx
# admin-ajax.php is called by the public front end; keep it reachable
<Files admin-ajax.php>
Order allow,deny
Allow from all
</Files>

The rules above block browser access to everything in wp-admin except from “xx.xx.xx.xx”, your static IP address, with admin-ajax.php left open.

Another way to restrict the directory is HTTP basic authentication with a .htpasswd file, which works from any IP and is the better choice if you travel. I plan to write a detailed .htaccess post covering all of these.

14. Prevent script injection

I found this code on wprecipes, and it does what it says within limits. It rejects requests whose query string contains an obvious <script> tag or tries to set GLOBALS or _REQUEST through the URL (a relic of the PHP register_globals era). Call it what it is: a crude signature filter. It stops the laziest scanners and nothing else; it does not look at POST bodies, cookies or headers, it is bypassed by any payload that does not contain the literal word “script” between angle brackets, and despite the comment it originally carried it has nothing to do with SQL injection. The real fix for injection is patched, well-written plugins; this is a speed bump in front of them.

Copy the code below into your .htaccess in the root (anywhere after the “# END WordPress” block is fine, with each RewriteCond on its own line). It needs mod_rewrite, and because FollowSymLinks is an Options setting it is another place where a host with a restrictive AllowOverride hands you an Internal Server Error.

# block obvious script tags and GLOBALS/_REQUEST overrides in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]
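Because the snippet is a regex filter, the cheapest way to see its coverage is to run the same three patterns over some query strings. The block below is an added example, not part of the original post or of wprecipes: it ports the three conditions to Python (PCRE and Python agree on this syntax, and [NC] becomes re.IGNORECASE) and feeds them constructed query strings, showing the plain and percent-encoded script tags it catches, an innocent search it wrongly blocks, and the event-handler XSS and SQL injection payloads it waves through. Apache tests the raw, still percent-encoded %{QUERY_STRING}, which is why the pattern lists both "<" and "%3C"; the decoded column is what PHP actually receives.

```python
import re
from urllib.parse import unquote

# The three RewriteCond patterns from the snippet above, as Python regexes.
RULES = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string):
    """Name of the first rule that fires on the raw query string, or None if Apache would let it through."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed query strings (not taken from any real attack).
CASES = [
    ("s=hello", "benign search"),
    ("s=<script>alert(1)</script>", "plain script tag: caught"),
    ("s=%3Cscript%3Ealert(1)%3C/script%3E", "URL-encoded script tag: caught"),
    ("s=<ScRiPt>alert(1)</ScRiPt>", "mixed case: caught thanks to [NC]"),
    ("GLOBALS[admin]=1", "register_globals-style override: caught"),
    ("_REQUEST[user]=admin", "register_globals-style override: caught"),
    ("s=<b>tutorial on javascript</b>", "harmless search: false positive"),
    ("s=<img src=x onerror=alert(1)>", "XSS without the word script: missed"),
    ("s=<svg onload=alert(1)>", "XSS without the word script: missed"),
    ("s=' OR 1=1--", "SQL injection: never inspected at all"),
]


def evaluate(cases=CASES):
    """Return [(raw query string, what PHP sees after decoding, rule that fired or None, note)]."""
    return [(qs, unquote(qs), blocked_by(qs), note) for qs, note in cases]


if __name__ == "__main__":
    for raw, decoded, verdict, note in evaluate():
        print(f"{'BLOCK' if verdict else 'pass':5} {raw!r:42} -> {decoded!r:38} {note}")
```

The last four cases are the argument for keeping expectations low: one legitimate query is refused while two working XSS payloads and an injection string sail through, because the rule only knows the one substring it was written for.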

Bonus

Safe file permission for WordPress blog

Take a look at file permissions; WP Security Scan shows them in a nice way. As a baseline, directories should be 755 and files 644, owned by your own account, and wp-config.php should be tighter (600, or 440 if the web server runs as a different user in your group). Nothing should be world-writable; a 777 “to make the plugin work” is how an attacker who finds any upload bug gets to keep a shell. Browse the files in your root with your favourite FTP client and chmod as required.
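As a concrete check, here is an added example (not part of the original post) that audits a WordPress tree against that baseline: it walks the directory, flags anything world-writable, a wp-config.php readable by other accounts, and entries that stray from 755/644. The sample tree it builds in a temp directory, with its three deliberate mistakes, is constructed for the example; point `audit_permissions` at your real document root for the audit you actually want. The thresholds assume PHP runs as your own user (suPHP or FastCGI); where it runs as a separate web server user in your group, use 640 or 440 for wp-config.php and raise CONFIG_MAX to match.

```python
import os
import stat
import tempfile

# Baseline from the WordPress file-permission guidance: directories 755, files 644,
# wp-config.php readable by its owner only. Anything world-writable is wrong regardless.
EXPECTED_DIR = 0o755
EXPECTED_FILE = 0o644
CONFIG_MAX = 0o600


def audit_permissions(root):
    """Walk a WordPress tree and return sorted (relative path, octal mode, reason) for every entry to fix."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)   # lstat: judge the link, not its target
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif name == "wp-config.php" and mode & ~CONFIG_MAX:
                findings.append((rel, oct(mode), "wp-config.php readable or writable by group/others"))
            elif is_dir and mode != EXPECTED_DIR:
                findings.append((rel, oct(mode), f"directory not {EXPECTED_DIR:o}"))
            elif not is_dir and name != "wp-config.php" and mode != EXPECTED_FILE:
                findings.append((rel, oct(mode), f"file not {EXPECTED_FILE:o}"))
    return sorted(findings)


def tighten_wp_config(root):
    """Apply the recommended mode to wp-config.php and return what the audit still complains about."""
    os.chmod(os.path.join(root, "wp-config.php"), CONFIG_MAX)
    return audit_permissions(root)


def _put(root, rel, mode, is_dir=False):
    """Create a file or directory with an explicit mode (chmod after creation so the umask cannot interfere)."""
    full = os.path.join(root, rel)
    if is_dir:
        os.mkdir(full)
    else:
        with open(full, "w") as fh:
            fh.write("<?php // placeholder\n")
    os.chmod(full, mode)


def build_sample_tree():
    """Throwaway mini WordPress layout (constructed for this example) with three deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    _put(root, "wp-content", 0o755, is_dir=True)
    _put(root, os.path.join("wp-content", "uploads"), 0o777, is_dir=True)   # mistake: chmod 777 "to fix uploads"
    _put(root, "index.php", 0o644)
    _put(root, ".htaccess", 0o644)
    _put(root, "wp-config.php", 0o644)                                      # mistake: DB password readable by every account on the host
    _put(root, os.path.join("wp-content", "uploads", "photo.jpg"), 0o666)   # mistake: world-writable file
    return root


if __name__ == "__main__":
    for rel, mode, reason in audit_permissions(build_sample_tree()):
        print(f"{mode:>6}  {rel:35} {reason}")
```

The world-writable findings are the urgent ones: any other account on a shared host, or any process an attacker has already gained, can drop a PHP file into that uploads directory.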

Last but not least, you can install WordPress Firewall 2, which blocks request patterns it considers malicious and notifies you when it does. Its downside is that it sometimes blocks your own actions too, which gets annoying, so I don’t recommend it unless you have persistent attackers and bots hammering your blog. The .htaccess rules above do the job well enough for most blogs, with less breakage.

Furthermore, check out these good WordPress security posts written by others:

  1. WordPress Security
  2. 11 Best Ways to Improve WordPress Security
  3. How to Stop Your WordPress Blog Getting Hacked

Verdict


Prevention is better than cure. I cannot personally guarantee that your blog will not get hacked after implementing these methods, but I am confident the odds of a successful attack will be much lower.

How secure is your WordPress blog? If you have a tip or a piece of code to contribute, use the comment box. After reading this post, you should know how to prevent a WordPress hack to a great extent.


  • http://how-to-conceive-a-boy.blogspot.com/ Anita

    Hm, this article is a little over my head at this time and will need some rereading, but I’m interested to know how you came to HostGator? Is it because it is considered safer? Is there a “safe” host?

    • http://www.salmanahsan.com Salman Ahsan

      I’m not sure how safe HostGator is, but I always wanted to check them out. The fact is, I have 4 different hosting accounts and this blog was formerly hosted by JustHost. They are good, but I think my blogs deserve HostGator? :) Btw, WpWebHost is awesome for blogs too. I have had hosting with them for almost 2 years now and rarely had downtime issues. Web hosting does matter when it comes to security, and making some additional tweaks to your blog can be beneficial. If you ask for a recommendation, I would say Gator and WpWebHost are really sweet for hosting WordPress and they don’t hurt your wallet

      • http://how-to-conceive-a-boy.blogspot.com/ Anita

        Thanks for replying! I’m using HostGator and I think they’re good but again they are my first hosting company so…:)

  • Pingback: 5 Simple Tricks to Prevent Wordpress Spam Comments

  • Pingback: Need better blog script than WORDPRESS - Webmaster Forum

  • http://www.quickdollarcash.blogspot.com topblogger

    How about a blogger.com domain? Is it safe to apply this on my blog?

    • http://www.salmanahsan.com Salman Ahsan

      I guess not :( You can try, but this stuff is for WordPress :)

  • Pingback: How To: Backup and Migrate your WordPress site with BackupBuddy

  • Pingback: Prevent your Wordpress Blog from being Hacked

  • Pingback: Got hacked? Blame it on your web hosting, NOT!

  • http://www.pinkelixir.com Chris

    Thanks sooo much, very well written and helpful too!

  • http://Blissfulinterfaces.com Thanushka

    My WordPress site (blissfulinterfaces.com) was hacked a few weeks ago (just a couple of days after it went live), since I had not changed the WordPress keys. Even though the site is not hacked anymore, I still see those hacker web domains directing to my host. When I go to those domains, they direct to my web site pages with their domain in the URL. As an example, the URL below directs to my contact page under the domain name ‘muggeltd dot com’.
    muggeltd dot com/index.php?page_id=227

    Do you know a way to prevent these stripping domains from redirecting to my server? These domains even appear in Google search and I’m worried that it will affect my site’s SEO ranking. If you have any tips on how to prevent this, please help. Thank you in advance.

    • http://www.salmanahsan.com Salman Ahsan

      First of all, scan your server for any security holes and worms. You need to remove them if found. Install the WordPress security plugins I mentioned. Try to modify the htaccess. As for redirecting, anyone can redirect to whatever they want :) at least that’s what I know. I don’t see many cases like that, but if the problem still exists and you want to discuss this then use the contact tab on top and shoot me an email :) cheers

  • http://www.husainibrahim.com Husain

    Dear Salman,
    I did not manage to insert all the code into .htaccess in the root folder. It ended up with my blog displaying
    “Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator…bla..bla..bla”

    I just copied the code from your blog here and pasted it into .htaccess in the root folder, but it failed. Seeking your advice, please?

    Thank you.

    • http://www.salmanahsan.com Salman Ahsan

      Your blog seems to load OK. Did you copy the code properly and paste it into Notepad? If you are still facing problems then use the contact tab on top and shoot me an email. I will try to put all the code together, compile a htaccess and post the download link here for convenience.

      • pranoy sinha

        Dear Salman,

        Read all your useful tips. Very informative and useful.
        I also have the same issue as Husain faced regarding the .htaccess. Can you please post it as a downloadable link here? It would be a great help if you.

        Best regards,
        pranoy

        • Salman Ahsan

          I appreciate that you like my posts. And since you requested it, I will update the post shortly with a downloadable .htaccess file which I use on my blogs. :) Hope everyone is doing great

  • Yogesh

    When I try your number 12 method, all the CSS and design parts of my site stop working. Everything else works fine. Can you fix this problem?

    • Adam

      I had this happen to me too, but I never did step 12. Turns out it was the WebsiteDefender WordPress Security plugin. As soon as I disabled it, all the CSS worked again. However, WP Security Scan by the same guy didn’t have this problem.

      • http://www.salmanahsan.com Salman Ahsan

        You have to be careful with what plugins you install. Some are buggy while some may overlap.

        • Web Aesthetics

          Hi, Thanks for all the great advice. But I am having the same problem as Yogesh when I do step 12. Any guess why this is happening?

          • Salman Ahsan

            there was a typo which is now fixed :)

            • Web Aesthetics

              Hi, thanks for the update, but I'm still having the same problem even with the typo removed. Any guess why this is still happening?

    • Peter

      Number 12 has a typo for file type jpeg:

      change to:

      Awesome post Salman! Thank you.

      • Salman Ahsan

        thanks for contributing :)

  • Pingback: First Post – J

  • john

    Can’t most of this stuff be prevented by a firewall?

  • Pingback: J – Affiliate Marketing Site Updates – Dropping in the rankings like MAD! | Two Crazy Men in their Online Marketing Entrepreneurial Pursuits to Escape 9 to 5

  • Pingback: | SeoFuturity

  • http://www.seofuturity.com Seo Futurity

    One of the best articles on the web about hacking problems in WordPress.

    I wrote a post especially about this problem and also mentioned this blog post as a great solution to the WordPress hack problem. Great image also.

  • http://athomepinay.info Angel

    Hi, my site was hacked just 3 days ago and now it’s back. I’m just new to WP blogging. Can you teach me how to prevent those spam comments? Please and thank you…

    • Salman Ahsan

      Did you read the post? I have pretty much mentioned everything that you can do. What is it that you don’t understand?

    • Carol Cody

      Try Akismet for preventing comment spam.
      http://akismet.com/

  • http://ajnabii.com Ajnabii

    Hello Dear Salman,

    You’ve done a very good job on your blog, nice blog and really helpful posts. After reading this post I have learned many new things about how to protect a WordPress blog from hackers. Thanks for writing this nice article.

  • http://saieshwar.tk saieshwar

    Awesome man, it helps me a lot. How can I restore my data if my site is hacked and the whole database becomes empty? (I have a backup on my system.)

    • Salman Ahsan

      Well, of course, and with BackupBuddy it’s pretty easy. You just have to upload the backup to the root and then, using the plugin, click a few buttons and get your site restored :)

  • Phil Tyler

    Thank you soooo much.

  • http://phonearenaindia.com Phone Arena India

    Whew.. wish I had come upon this article a bit sooner. Had three SQL injections carried out in the past couple of weeks and my site was totally messed up. Just spent the last hour implementing all the 14 steps mentioned above. Hopefully my site’s a lot more secure now. Fingers crossed.

  • http://onyou.ch onyou

    Extremely useful tips.. thanks

  • Pingback: Top 5 WordPress Security Tips: Protection From Hackers | The Effectx Journal

  • Pingback: hacked off, can't hack it or just plain hacked! - lord roxy - can U believe it...

  • Pingback: some cool links which helps you to make you full programmer | myjunk.in

  • http://www.soccerwidow.com/ Soccerwidow

    Very well written article, very logical and helpful. Thank you!

    I implemented most of it and hope my blog will now be a little more secure. Thanks again :)

  • http://www.christopherstephenbarnard.com Christopher Barnard

    Great post – WP Security can be a real problem.

    Implementing No 12 though blocked my images on my site. Any ideas how to resolve that?

    • Salman Ahsan

      You can just leave out #12 for now. Several people are having issues with it. :) I will be writing another post on WordPress security and will include a downloadable custom .htaccess

  • Pingback: Trucos para tener un Wordpress seguro gracias a htaccess | Algo Entre Manos

  • Pingback: Status Update: Loose Ends « The Underground Librarian

  • Pingback: How To Disappear From Google In 5 Simple Steps | 123SEO

  • Pingback: 6 Reasons Why Every Student Should Start a Blog!

  • http://optimizemediamarketing.com jocelyn

    My website was hacked last Saturday by devilhacker and that’s what led me here. My website (http://optimizemediamarketing.com) was defaced and the hosting company I’m using was not available to talk on the phone on the weekend. It was a total disaster because I do WP web design but I don’t do the hard-core programming, so I don’t really know where to look for the malicious code that was installed on my website. (Fixed now)

    I have the plug-in that is supposed to protect my site, but it’s annoying because even I can’t modify the contents.

    I also recommend hostgator for their excellent customer service. They are available 24/7 on phone/chat and email.

    Thanks for posting this article. Now I know what to do to protect every website I’m managing.

    • Salman Ahsan

      I hope your blog is healthy and live. Let me know if you need any assistance. Good luck

  • http://www.electrosome.com Ligo George

    Thanks for the share… Very useful…

  • Pingback: Hacked!

  • http://www.primeinspiration.com/ Primeinspiration

    Dear Salman,

    This article was really nice. Is HostGator really good in their customer service? I want to change my sites to that too. Most of the things (the WP admin files and preventing script injection sections) are really new to me and very useful. Thanks

    • http://websthatrock.com Michael Rock

      Yes, Hostgator is a VERY good host. I’ve researched a lot of them and tried a few and Hostgator came out on top. They are available 24/7 every day and go above and beyond what they are supposed to do.

      • L A Stiglich

        I used Lunarpages for 10+ years for my husband’s site and found the tech support staff totally awesome. However, they aren’t big on WP so I signed up with HostGator for a new site I am developing. The sales person was very nice and quite knowledgeable. However, as a newbie to WP I had a number of questions. Spoke with 3 different tech guys. Unfortunately, all three were very curt, abrupt, and didn’t want to deal with a WP newbie. After the incredibly helpful techs at Lunarpages, I was totally dismayed. Perhaps they were just having an off day, but it was so off-putting I closed the account even though I had paid for the year for both the domain name and web hosting. Am glad to learn that others have not had a similar experience.

  • http://www.smellslikeinfinitesadness.com/ Michael

    Nice article… I recently received an email notifying me that WP Firewall detected/prevented a MySQL attack, so I figured it’s a good time for me to fortify my site a bit more. On #14, where do I paste the code snippet in the .htaccess file? Top, bottom, in between? Thanks so much

    • Salman Ahsan

      Check out the latest blog post on wordpress malware prevention

  • http://basketballchat.co.uk George

    Hi Salman
    Great post, extremely thorough.

    Apologies if I am being a newbie, but I have posted the code into my htaccess file and uploaded it, but then I cannot access the site and it returns Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Any help would be appreciated. I think the stress of malware hackers may have addled my brain!!
    Many thanks in advance

    This is the code I am using:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    ## protect wp-config.php
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>

    ## STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

    ## disable directory browsing
    Options All -Indexes

    ## protect from sql injection
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    • Salman Ahsan

      Check out the new blog post on prevent wordpress malware attack :) Hope that helps

  • http://basketballchat.co.uk George

    Thanks for that, another excellent article.
    Your blog is EXACTLY what happened to me. It has taken 3 weeks to recover. Your advice is invaluable.

    I have downloaded your htaccess file but my website still returns a server error when I upload it.
    Any advice would be appreciated.

    htaccess file below:

    AddDefaultCharset Off

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    RewriteEngine On

    # proc/self/environ? no way!
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]

    # Block out any script trying to set a mosConfig value through the URL
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

    # Block out any script that includes a tag in URL
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]

    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})

    # Send all blocked request to homepage with 403 Forbidden error!
    RewriteRule ^(.*)$ index.php [F,L]

    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    #Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{http_host} ^basketballchat.co.uk
    RewriteRule ^(.*) http://www.basketballchat.co.uk/$1 [R=301,L]

    # Protect from spam bots

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.basketballchat.co.uk.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

    CheckSpelling On

    # disable directory browsing
    Options All -Indexes

    order allow,deny
    deny from all

    • http://tvland.tk Televizoare

      Mixed. Rewrite each option again. One by one!

  • http://hostinpk.com Hostinpk

    Thanks for such a nice post. Actually, WordPress sites are getting hacked due to outdated versions. We have more than 2000 WordPress installations on our servers and they get hacked day by day. However, I am sending an email to all clients about this tutorial and I hope that it will prevent hack attempts to some extent.

  • Pingback: Basic WordPress Maintenance & Security: Do the small things or face a large headache | Blog - BA Web Solutions

  • http://thestockmarketinvestmentadvice.wordpress.com/ Alex

    Ahmad, Thanks to the brief and wonderful post and hope it is very useful for me to implement some security measures.

  • http://hostforeach.com Daryl Austman

    Boy, sure wish I had found this information earlier. I’ve been hacked several times on 3 of my sites. I’ve spent countless hours removing “pharma” links from within posts (most recently they were the –ads– type that seems to hide in an invisible link and which is attached somehow to a hacker’s bogus .htaccess file).
    TONS of wasted time, which I hope some of these helpful hints are going to make harder for that crud to infiltrate my sites.
    Thanks!! This is appreciated probably a lot more than you think.

    • Salman Ahsan

      I really appreciate your appreciation :)

  • Pingback: How to avoid Wordpress Hacker? - Marketing Forums

  • http://www.englishlc.com/ Stephan Rees

    Many thanks for the article. Excellent advice on beefing up WordPress security. Points 1-9 I had implemented already, but 10,11 & 14 were just what I was looking for.

    However, I have been unable to implement #12 ‘Limit access to WP content directory files’, as when I copy the modified code (to include pdf) into the WP content .htaccess file I am unable to access public pdf files.

    Order deny,allow
    Deny from all

    Allow from all

    Also, I am cautious about implementing #13 ‘Protect WP Admin’, as I sometimes travel and log on from other IP address. Also, I have a forum where users can register, so I imagine that could cause difficulties for registered or guest users?

    • Salman Ahsan

      You can skip the IP restriction as it won’t make much difference. If you don’t want to mess with the htaccess, simply use the “Better WP Security” plugin and give it access to modify your htaccess. With just a click of a button, you will be able to protect your directories and tweak a lot of other security stuff :)

  • Pingback: J.R. Ward Virtual Signing, WordPress Security, Posts Of Interest and More - Fiction Vixen Book Reviews

  • http://AshleyTisdale.org AshleyTisdale.org

    This article sounds very helpful!

    However, if you don’t mind, I’d like to talk to you about our site’s situation. We recently moved from CuteNews to WordPress and since then we’ve been hacked twice in less than 1 week. The first time happened after we launched the new site’s look, only 2 days after, and the 2nd time was today, but weirdly the site came back safe and as usual.

    What would you suggest us to do to keep the hacker away? Apparently the hacker is the same person who hacked us the first time.

    Please a help would be REALLY appreciated.

    Thanks for your time… keep up the great work!

    • Salman Ahsan

      Do you have some personal issues with the hacker? :) Just asking. Usually there is no reason for someone to hack your stuff. Did you also implement all the tips mentioned on this blog? If the problem continues, you may want to check out Sucuri

      • http://ashleytisdale.org/ AshleyTisdale.org

        Well, not that we are aware of lol… but apparently the situation has calmed down. We haven’t been hacked/attacked by that hacker since when we changed a few things in the site access.

        But thanks so much for your tips- we did get backup buddy anyway, just to feel safer and protected :)

  • http://www.tipsbychris.com chris

    Uggghhh…Hacked again for about the 12th time. I’ve been doing all the basics like making sure I update everything, and clean out all the stuff not used, updated passwords and logins etc…. I feel like I am a target to hackers.

    Thanks for posting these tips and taking the time to be very detailed. I am so glad there are advanced things I can do to stop the hacking! I sure hope it stops it once and for all!

    You have no idea how much your efforts are appreciated. Having something more to do gives me hope! It so much better that not knowing if there is more I can do and then get hacked again. I have over 20 sites to repair everytime it happens. What a nightmare.

    • Salman Ahsan

      Did you implement all the tips? It’s really weird that you are experiencing this so often. Are you sure you know what’s going on? I am not doubting your skills or expertise, but you may want to check out Sucuri and hire them to monitor your blog network. If you know the hacker, you can easily block them. If it’s a range of bots then you can block the IP range. Unless I know the specific problem, the solution might be vague.

  • Shahnawaz

    This is an amazing article on WordPress security, to protect WordPress from asshole hackers.

  • http://brian-lowell.com Brian

    Just giving a heads up:

    Order deny,allow
    Deny from all

    Allow from all

    — Gives an internal server error

    # deny access to wp admin
    order deny,allow
    allow from xx.xx.xx.xx # This is your static IP
    deny from all
    — Gives a forbidden error even when not on the admin page (yes, I changed the IP too, haha)

    • Salman Ahsan

      Thanks Brian, appreciate the contribution. I will check out all the codes and update this post very soon.

  • DG

    Thanks Salman for your specific details. You are different from other “experts” who just write general stuff like “install anti-virus” blah blah.

    I have a non-WordPress site that has been hacked, and I will implement your tips.

    • Salman Ahsan

      Thanks DG :) If you know a little coding or have some skills, then you can easily modify this .htaccess and use it on any non-WordPress site.

  • http://www.mediastreams.ca Pesi

    Amazingly useful information! Thanks – this was a real life-saver for my friend’s WordPress site which was constantly getting hacked by morons who had nothing better to do with their lives!

    The only tip that did not work was no. 10 – which caused the site to not be visible for some reason (?)

    • Salman Ahsan

      I will be checking out #10. Expect an update very soon with tighter security tips :)

  • http://www.findsr.com/ Saurabh Rai

    Those are quite nice tips. I must admire this post, because earlier I just found similar content on the same topic. Everyone was posting the same tips to prevent a blog from being hacked. But I got some unique things here, thanks for sharing it :)

  • http://websthatrock.com Michael Rock

    I can’t seem to do anything about the admin user. WordPress does not allow me to edit or delete it. So how did you take care of this?

    • Salman Ahsan

      You can use the Better WP Security plugin. It can remove the admin user with a click :)

  • http://chaetakadai.com/ DRG

    Great info thanks :)

  • http://www.techeverytime.com Ankur

    Very useful tips. Definitely helpful in strengthening my wordpress blog.
    thanks !!

  • Pingback: Comment protéger son blog Wordpress contre le piratage - PubContact

  • Gabrio

    Great post, lots of invaluable tips… I had issues with point #12 like other people, and just so you know, let’s say you have the blog in a folder like “blog” and not in the root; then I would put, for example, the wp-config secure trick in a .htaccess that is in the blog’s folder and not in the root of mysite.com. I did it and everything seems to work, actually… But other tricks such as “protect your .htaccess” and “no folder browsing” can be applied to all the .htaccess files on the server, makes sense, no?

    • Salman Ahsan

      I think it should work :)

  • Pingback: Securing Wordpress | The-IT-Blog

  • Joel Kumwenda

    Thanks for the wonderful post. I have suffered severely with hackers who have been hacking my WP blog barely a few hours after hosting. I have hosted the same blog 7 times. I have just implemented the tips and will be back with feedback after a week.

    • Salman Ahsan

      Let me know how it goes :)

  • Pingback: What Getting Hacked Means for Your Brand | Buckeye Interactive

  • http://listverge.com Salman Ahmad

    Well, the tips look promising. Gonna implement all the methods explained in the article. I was looking for similar tips for a long time. Thanks for the share.

  • http://17inchlaptopreviews.com Dale Kennedy

    What a great bunch of tips. I had some blogs hacked and it was driving me insane. I think they used SQL injection tactics. I just got my sites back online and I will be implementing these tips. Also, my host told me it is a good idea to use only premium WP themes on your sites, due to the free themes out there having big security holes in them.
    Have you found this to be true as well?
    Thanks again for this great resource. I am not very techy, but I can definitely handle these… Actually we have no choice BUT to do this.
    Once you have been hacked you will ‘find the time’ to learn this stuff!
    Thanks Salman. I appreciate it, big time.

  • Ariel

    Hello Salman Ahsan, I have two questions.

    1. If I use the WP Better Security plugin, do I not need to do any of the things you have posted, or even with that plugin are there things to do manually?

    2. What about installing WordPress manually? Is it better, or is it the same?

  • http://www.wikinaira.com Abiodun lash

    What you shared here is great. Prevention is better than cure, so they say. I think setting the wp-config file and .htaccess file to 444 permissions also helps… You didn’t mention that… Either way, your content is first class!! Not many of us are born writers.

  • http://www.dnwahyudi.com Yudi

    My blog has been hacked twice.

    This is really important for me.. Start doing it right now…

  • Pingback: Blogging: A Comprehensive List of Links to Help | Writing My Truth

  • http://www.breezego.com Vishak N Kumar

    Thanks for this excellent blog… I was looking for code to protect the .htaccess file from hackers and I got it from your post. Once again I am thanking you for strengthening my WordPress.

  • Chathu

    Hi!

    I have one question. If I protect /wp-content/ using your .htaccess file method, some plug-ins stop working, for instance Wordfence. Also I need to know, will it affect the W3 Total Cache plug-in?

    Thanks!

    • Salman Ahsan

      If you are having trouble with .htaccess, then simply install the Better WP Security plugin and with 1 click you will be able to secure your site (at least the basics).

  • http://digcms.com John

    Your information is really informative. I found another blog post which talks about WordPress hacks and their fix:

    http://wordpressapi.com/2013/05/22/if-wordpress-site-is-hacked-then-how-to-fix-issue/

  • http://easternvillage.nl janw.oostendorp

    #13 will break AJAX calls; you should exclude admin-ajax.php even on the frontend: http://codex.wordpress.org/AJAX_in_Plugins

    • Salman Ahsan

      Thanks for the tip :)
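Two comments above describe the same pair of pitfalls from opposite sides: Brian's "forbidden error even when not on the admin page" happens because bare Order/Deny/Allow directives in a .htaccess apply to every request served from that directory (and its subdirectories) unless they are scoped by a <Files> block, and janw's note is that wp-admin/admin-ajax.php is fetched by themes and plugins for logged-out visitors too, so shutting the whole wp-admin/ directory breaks front-end AJAX. The following wp-admin/.htaccess is an added example that handles both; it is not code from the original post or from any commenter. It assumes Apache with AllowOverride permitting AuthConfig and Limit directives in .htaccess, and uses 203.0.113.10 as a placeholder for the reader's own static IP. One caveat relevant to Brian's internal server error: on Apache 2.4 the Order, Deny and Allow directives exist only when mod_access_compat is loaded, and a .htaccess containing them on a server without it fails with a 500, so each syntax below is wrapped in <IfModule>.

```apache
# Added example (not from the original post or its comments).
# File: wp-admin/.htaccess
# Replace 203.0.113.10 (a documentation address used here as a placeholder)
# with your own static IP.

# Apache 2.4 syntax (mod_authz_core). Scoping is by directory, so only
# requests under wp-admin/ are affected; the rest of the site is untouched.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10

    # admin-ajax.php is called by themes and plugins for anonymous visitors
    # too, so it must stay reachable or front-end AJAX breaks. The Require
    # in a <Files> section replaces the enclosing one for that file.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2 syntax (mod_authz_host), or 2.4 with mod_access_compat loaded.
# "Order deny,allow" evaluates Deny first, then Allow, so a request from the
# listed IP matches the Allow line and wins; everything else is refused.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10

    # Same exemption for admin-ajax.php under the old syntax.
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
```

Note that wp-login.php lives in the site root, not under wp-admin/, so applying the same restriction there means wrapping the directives in a <Files wp-login.php> block in the root .htaccess; left unwrapped in the root, they lock out the whole site, which is exactly the symptom Brian reported. On nginx, .htaccess files are ignored entirely and the equivalent rules have to go into location blocks in the server configuration.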

  • Pingback: Why not Updating Your Blog Can Make Strange Critters Appear

  • http://www.hackerninja.com Surendra Mishra

    Making a WordPress website is easy, but protecting it from malware attacks is really very difficult. You share very good knowledge here.

  • http://tvland.tk Televizoare

    Thank you!
    My password is now “rockSTAR19!@” because it is great!
    Was a joke :)

    @George, thanks to you, because you shared your .htaccess. I just copy-pasted it onto my site. No changes! It’s great! :))

    Seriously, thanks to all who distributes information about site security! When we talk about security, we must help each other.

  • http://www.onlinepnrstatus.in/ Mohd Shoeb

    For a long time I was looking for this kind of solution to secure my WordPress blog, and my search ends here. Thanks for writing this informative article to make us aware of this great info.

  • http://www.getpnrstatus.co.in/ PNR Status

    First of all, thanks for sharing such a valuable piece of information. I appreciate your effort; this resource is really useful for me as well as every reader who reads this post. I am a regular reader of your blog, and thanks for giving us all this knowledge on securing WordPress.

  • http://www.deduplicationsoftware.com Mathew Rotlen

    Backup of blog data is the most important idea when thinking about preventing a blog from being hacked. You have given such a great solution for WordPress bloggers to keep their blog secure and prevent it from being hacked.