
There are over 5 million results in Google for the keyword "prevent wordpress hack". Everyone has their own opinion, and I don't think all of these posts are updated frequently. It's been a while since I have posted here. If you have been following me on Twitter then you should know what I have been up to. First, here are a few things you should know: I have made several changes to this blog.
Recently, some of my blogs were hacked. It was funny how the index file had an image of a smurf showing the middle finger with text saying "where's your security?" I was glad the hacker left his email address so I could thank him for mocking the security of my blogs, and so I did. The amazing part: this guy didn't even touch the database; he didn't even inject any shit virus. I felt it was weird, but after checking each file, I found they were all clean.
I was so involved in other projects that I didn't pay much attention to security, which is actually the most important thing here. If this dude hadn't breached my security, I wouldn't have known it was vulnerable and hence wouldn't have bothered to take action. Whatever it is, I have sent him a "Thank You" note.
I have removed some shitty plugins, transferred to HostGator, tweaked code and more. Today, I have decided to write a post on how I did what I did, that is, strengthen the security of my blog to keep off hackers and all creepy people. I will have a video tutorial created for this later this month, but for now, check this out. Some basic tweaks can help protect all your hard-earned content. Check out the following tips to prevent a WordPress hack.
14 Tips To Prevent WordPress Hack
1. Backup
This is the first step and the most important. Before you make any of the changes below, back up your entire blog: the database and the files. You can do this manually or with a plugin. I recommend BackupBuddy, which backs up the whole WordPress install; unlike many free plugins that only dump the database, it exports the database together with the images, files and everything else in your blog's content folder. Pretty sweet! Whatever tool you use, keep the copy somewhere other than the web server itself (a server that is compromised or wiped takes its local backups with it), and restore it once into a test site to confirm that it actually works; an untested backup is not a backup.
2. Update WordPress Version
The second crucial step after backing up your blog is to update it to the latest version. WordPress releases patches that close security holes, so the version you run should always be current. Follow the WordPress feed to find out about new releases, or simply log in to your admin panel, which shows an update notice. WordPress 3.7 and later apply minor and security releases automatically unless you have switched that off; leave it on. The same rule applies to plugins and themes, which is where most WordPress compromises actually start: update them, and remove anything you no longer use rather than leaving it installed and out of date.
I would also recommend that you follow WordPress Development and BlogSecurity, as they will inform you whenever a new patch or fix is released.
3. Change your Login/Password
The default WordPress login is "admin", and every attacker and every brute-force script knows it. Change it to something else that is harder to guess, such as "rogers12" or "donhoe2". The clean way is to create a new administrator account under the new username, log in as that user, then delete the original "admin" account and let WordPress attribute its posts to the new user. Keep in mind that a username is not really a secret (the author archive at /?author=1 reveals it), so this removes the free guess but does not replace a strong password.
Use a strong password with upper- and lower-case letters, numbers and symbols. More important than the mix is length: short patterns of a word plus a few digits and symbols ("rockSTAR19!@", "Anabel2@!") are exactly what cracking wordlists already enumerate, so prefer a long random password from a password manager, or a passphrase of several unrelated words.
Most hackers try to brute force the password, so a password that is strong in this sense leaves them nowhere to go. Pair it with a limit on failed login attempts (a login-lockdown plugin, or fail2ban watching the web server log for repeated POSTs to wp-login.php) so a guessing script is cut off rather than left to run for weeks.
4. WordPress Keys in wp-config.php
I didn't know much about WordPress keys, but they are another important security measure. They are secret values that WordPress mixes into the hashes it uses to sign the login cookies and nonces; they do not encrypt your data, they make those cookies unforgeable by anyone who does not know the keys. With the placeholder left in place, the only secret in those hashes is a string printed in every default install, which is far weaker than intended.
Use the WordPress Key Generator (the secret-key service on api.wordpress.org) to generate the values. Now open your wp-config.php, find the lines that look like the ones below and replace them with the generated ones. Current WordPress versions have eight such constants (the four keys below plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT); replace all of them.
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
Save and you are done. Note that changing the keys invalidates every existing login cookie, so everyone (including you) is logged out; that also makes it the quickest way to kick out anyone holding a session stolen during a compromise.
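As an added example (my own script, not part of the original post or of WordPress itself), here is how to rotate all eight keys offline and check that no placeholder is left behind. It assumes wp-config.php uses the stock define('NAME', 'value'); form with single quotes; the sample config text is constructed for the demonstration, and the character set is the one WordPress's own generator uses, chosen so the values need no escaping inside a PHP single-quoted string.

```python
import re
import secrets
import string

# The eight secret-key constants in a current wp-config.php. The post lists the
# first four; later WordPress versions added the matching *_SALT values.
WP_SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

PLACEHOLDER = "put your unique phrase here"

# Same character set WordPress's own generator uses. It contains neither the
# single quote nor the backslash, so a value drops straight into a PHP
# single-quoted string without any escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# Matches the stock define('NAME', 'value'); line, whatever the spacing.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)\s*;"
)


def new_secret(length=64):
    """A fresh secret from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_secret_keys(config_text):
    """Return wp-config.php text with every secret-key define() given a new
    value. Any other define() (DB_NAME, DB_PASSWORD, ...) is left untouched."""
    def replace(match):
        if match.group("name") not in WP_SECRET_KEYS:
            return match.group(0)
        return "define('%s', '%s');" % (match.group("name"), new_secret())
    return DEFINE_RE.sub(replace, config_text)


def leftover_placeholders(config_text):
    """Secret keys that are missing or still carry the stock placeholder."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}
    return [k for k in WP_SECRET_KEYS if found.get(k, PLACEHOLDER) == PLACEHOLDER]


# Constructed sample of the relevant part of a fresh wp-config.php.
SAMPLE_CONFIG = """\
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'example-db-password');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print("before:", leftover_placeholders(SAMPLE_CONFIG))
    rotated = rotate_secret_keys(SAMPLE_CONFIG)
    print("after: ", leftover_placeholders(rotated))
    print(rotated)
```

Run it against a real file by reading wp-config.php into rotate_secret_keys() and writing the result back; leftover_placeholders() on the result should return an empty list, and it is also a handy check to run on a site you have inherited.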
5. Install WP Security Scan
This plugin is the real deal. It is simple and automates the checks. It scans your WordPress blog for weak settings and known-bad files and tells you if it finds anything. If the results in the admin panel are green then you should be good. However, they will not all be green on their own; sometimes you have to make them green, and I will tell you how. One caveat: a scanner plugin runs as the same PHP user as the rest of the site, so it sees only what that user sees and cannot vouch for a server that has already been compromised; treat it as a checklist, not as proof of a clean install.
6. Change Table Prefix
The default table prefix for WordPress is wp_. I know that, you know it, and I am sure the hacker does too. Attack scripts written against the default schema hard-code table names such as wp_users, so a different prefix makes those scripts fail. Be honest about what this buys you, though: it is obscurity. An SQL injection that can read error messages or information_schema learns the real prefix in one query, so the change stops mass automated attacks, not a person. A good prefix would be "mashjg23_" or "sasdoe265_" (letters, digits and underscores only, which is all WordPress allows). You can change it in two ways. The manual way requires some work and is not suitable for a newbie: besides renaming every table you must update the $table_prefix line in wp-config.php, rename the wp_user_roles row in the options table and rename the prefixed keys in usermeta (wp_capabilities, wp_user_level and friends), or every user loses their role and you lock yourself out of the admin. This is where the WP Security Scan plugin makes your work much easier: it has a tab called "Database" where you can rename the whole prefix to something hard to guess. Take a database backup first either way. Do this and you will be a step closer to strengthening your blog's security.
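The manual route deserves a worked list. The following is an added example (my own helper, not from the post or from the WP Security Scan plugin) that emits the MySQL statements for a prefix change, including the two UPDATEs people forget. The core table list is the stock WordPress one; run the output on a restored backup first and review the usermeta rows it will touch, since a plugin could in theory store a meta key that starts with the old prefix without deriving it from the prefix.

```python
import re

# Tables of a stock WordPress install. Plugin tables (shops, forms, ...) also
# carry the prefix: list them with SHOW TABLES and append them to this tuple.
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms",
    "usermeta", "users",
)

# wp-settings.php rejects anything else for $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """SQL statements that move a WordPress database from prefix `old` to
    prefix `new`. Renaming tables alone leaves every user without a role:
    the role map lives in the option named <prefix>user_roles and each
    user's capabilities in usermeta keys named <prefix>capabilities and
    <prefix>user_level, so those row *values* must be renamed as well."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError("prefix may contain only letters, digits and underscores: %r" % p)
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old, t, new, t) for t in tables]
    stmts.append(
        "UPDATE `%soptions` SET option_name = '%suser_roles' "
        "WHERE option_name = '%suser_roles';" % (new, new, old)
    )
    # Rewrite every meta_key that begins with the old prefix (capabilities,
    # user_level, user-settings, ...). A substring compare avoids LIKE escaping.
    stmts.append(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
        "WHERE SUBSTRING(meta_key, 1, %d) = '%s';" % (new, new, len(old) + 1, len(old), old)
    )
    return stmts


def wp_config_prefix_line(new):
    """The line to put in wp-config.php once the tables are renamed."""
    if not PREFIX_RE.match(new):
        raise ValueError("invalid prefix: %r" % new)
    return "$table_prefix = '%s';" % new


if __name__ == "__main__":
    for stmt in prefix_migration_sql("wp_", "mashjg23_"):
        print(stmt)
    print(wp_config_prefix_line("mashjg23_"))
```

Run the RENAME and UPDATE statements together, then change wp-config.php; between the two steps the site is down, which is another reason to do this on a quiet day with a backup in hand.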
7. Prevent WordPress Hack by Blocking Search Engine Spiders from Indexing the Admin Section
Search engine spiders crawl your entire blog and index everything unless they are told not to. We do not want the admin section indexed. The easiest way to ask crawlers to skip it is to create a robots.txt file in your root directory. Be clear about what robots.txt is, though: a public, advisory file that well-behaved crawlers honour. It does not restrict access to anything, a malicious bot ignores it, and an attacker reads it as a map of what you consider sensitive, so never count it as a security control; the .htaccess rules later in this post are what actually deny access. Also think before copying the theme, plugin and wp-includes lines: search engines that render pages need the CSS and JavaScript served from there, and the /category/ line is an SEO choice, not a security one. Then place the following code in the file:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
8. .htaccess Hacks
.htaccess (hypertext access) is the default name of Apache's directory-level configuration file, which allows decentralized management of configuration when placed inside the web tree. .htaccess files are often used to specify security restrictions for a particular directory. This is not exactly a tip that falls under the list, but you should know about .htaccess because you can do a lot with it to prevent a WordPress hack. Two things to know before copying anything below: the file only takes effect if the server's AllowOverride setting permits it (and not at all on nginx or other non-Apache servers), and the Order/Allow/Deny directives used here are the Apache 2.2 syntax, which Apache 2.4 accepts only while mod_access_compat is loaded; the 2.4 equivalents are Require all denied and Require ip. A typo in .htaccess gives a 500 Internal Server Error for the whole site, so keep a copy of the working file before you edit it. I am not going to go in depth on the term, but I found some sweet .htaccess hacks which can tighten your WordPress security. See them below.
9. Protect your .htaccess
After tweaking your .htaccess to protect your blog from hackers, you cannot simply leave the .htaccess file itself open to attack. The rule below blocks web access to any file whose name contains .hta (so both .htaccess and .htpasswd). Place it in your domain's root .htaccess file. Apache's default configuration already refuses to serve these files, but the rule costs nothing and survives a host that has loosened that default.
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
10. No Directory Browsing
It's not a good idea to let visitors browse your entire directory tree. A directory listing reveals your structure, the plugins you run and their versions, and makes it easy for a hacker to look for security holes.
To stop this, add the following two lines to the .htaccess file in the root directory of your WordPress blog.
# disable directory browsing
Options All -Indexes
11. Secure wp-config.php
wp-config.php is important because it contains the most sensitive data on the site (the database credentials and the secret keys), so we must secure it through .htaccess. Adding the code below to the .htaccess file in the root directory does the trick.
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
The code denies HTTP access to wp-config.php for everyone (including me). PHP still reads the file from disk, so the site keeps working; what you are protecting against is a misconfiguration that would serve the file as plain text and hand out your database password. For extra safety, WordPress also looks for wp-config.php one directory above the document root (as long as that directory is not itself a WordPress install), so you can move the file outside the web tree entirely.
12. Limit Access to the Wp-Content Directory
wp-content contains everything: themes, plugins and uploads. It is a very important folder and you should secure it. You don't want visitors browsing and fetching data they have no business with. Users should only be able to fetch the file types a browser legitimately needs, such as images (jpg, gif, png), JavaScript, CSS and XML.
Place the code below in the .htaccess file within the wp-content folder (not the root).
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Extend the list for anything else you serve from there (PDFs, web fonts, SVG, video), or those downloads break. Note that the rule also denies every PHP file under wp-content: that is exactly what you want for wp-content/uploads, where a malicious upload would land, but it breaks the few plugins that expect to be called directly by URL under wp-content/plugins/. If one of those breaks, exempt that single file rather than loosening the whole rule.
13. Protect WordPress Admin Files
wp-admin should be accessed only by you and your fellow bloggers (if any). You can use .htaccess to restrict access to this directory to specific IP addresses.
If you have a static IP address and always blog from your own computer, this is a good option for you. If you run a multi-user blog, either skip this or allow a range of IPs. Refer to Apache's documentation on mod_access (mod_authz_host on Apache 2.4) for the complete syntax.
Copy and paste the code below into the .htaccess in the wp-admin folder (not the root folder). Apache does not allow a comment on the same line as a directive, so the comment stays on its own line.
# deny access to wp-admin
# replace xx.xx.xx.xx with your static IP
order deny,allow
allow from xx.xx.xx.xx
deny from all
The above code will refuse browser access to any file in this directory from any address other than "xx.xx.xx.xx", which should be your static IP. Two caveats: wp-login.php lives in the site root, not in wp-admin, so the login form itself is not covered by this rule; and wp-admin/admin-ajax.php is called from the public side of the site by many themes and plugins, so a blanket allowlist can break front-end features for anonymous visitors. If that happens, add a Files block that allows admin-ajax.php from everywhere.
There is another way you could restrict access to the directory and that is by using a password in the .htaccess. I am planning to write a detailed .htacess hack where I will include all of these.
14. Prevent script injection
I found this code on wprecipes and it works like a charm. It protects your WordPress blog from the most obvious script injection attempts and from unwanted modification of _REQUEST and/or GLOBALS. Be clear about what it does and does not do: the original comment calls it SQL injection protection, but it is nothing of the sort. It looks only at the query string of the URL, not at POST bodies, cookies or headers, and only for a literal "script" between angle brackets (raw or percent-encoded once) or for GLOBALS/_REQUEST overrides. It blocks the laziest scanners and nothing more, and it will also block an innocent URL such as ?q=<b>description</b>; treat it as a cheap filter, not as an injection defence, which belongs in the application code (prepared statements, output escaping).
Simply copy and paste the code below into your .htaccess in the root.
# block obvious <script> tags and GLOBALS/_REQUEST overrides in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
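To see exactly what the three conditions catch, here is an added example (my own code, not from wprecipes or the post) that re-implements them in Python and runs them over a handful of constructed query strings. It assumes Apache's PCRE and Python's re agree on these simple patterns, which they do; %{QUERY_STRING} holds the raw, still percent-encoded string, so the emulation matches on that.

```python
import re

# The three RewriteCond patterns from the snippet above, carried over as Python
# regexes. Apache's [NC] flag becomes re.IGNORECASE; the GLOBALS and _REQUEST
# conditions carry no [NC] in the original, so they stay case-sensitive here.
QUERY_STRING_RULES = (
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
)


def matching_rule(query_string):
    """Name of the first rule that fires, or None if the request passes.
    %{QUERY_STRING} is the raw, still percent-encoded string, so the rules run
    on exactly that: %3C is matched as the three characters '%', '3', 'C'."""
    for name, pattern in QUERY_STRING_RULES:
        if pattern.search(query_string):
            return name
    return None


def is_blocked(query_string):
    """True when mod_rewrite would answer 403 (the [F] flag) for this query."""
    return matching_rule(query_string) is not None


# Constructed sample query strings with what a reviewer should expect.
SAMPLES = (
    ("page_id=227", "ordinary request, passes"),
    ("s=<script>alert(1)</script>", "blocked by script-tag"),
    ("s=%3Cscript%3Ealert(1)%3C/script%3E", "blocked: the encoded brackets are matched literally"),
    ("GLOBALS[admin]=1", "blocked by GLOBALS"),
    ("_REQUEST[user]=1", "blocked by _REQUEST"),
    ("q=<b>description</b>", "FALSE POSITIVE: 'script' sits inside 'description'"),
    ("s=<img src=x onerror=alert(1)>", "MISSED: injection without the word 'script'"),
)


def report(samples=SAMPLES):
    """(query string, rule that fired or None, expectation) for each sample."""
    return [(qs, matching_rule(qs), note) for qs, note in samples]


if __name__ == "__main__":
    for qs, rule, note in report():
        print("%-40s %-11s %s" % (qs, rule or "pass", note))
```

The last two rows are the lesson: the filter is a substring match, so it blocks a harmless search for "<b>description</b>" while an onerror payload walks straight through, and nothing sent in a POST body is inspected at all.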
Bonus
Take note of file permissions. WP Security Scan shows them nicely. Browse the files in your root with your favorite FTP client and chmod them if required. The usual targets on a shared host are 755 for directories, 644 for files and 600 (or 640 if the web server's group must read it) for wp-config.php; nothing under the web root should be world-writable, because a writable directory is where an attacker drops a PHP backdoor.
Last but not least, you can install WordPress Firewall 2, which blocks requests that look like attacks and notifies you when it does. Its one drawback is that it sometimes blocks your own legitimate actions too, which gets really annoying, so I do not really recommend it unless you have serious attackers and bots screwing up your blog. Stick with the .htaccess hacks; they do the job pretty well and your blog should be just fine.
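An added example of the permission check (my own script, not from WP Security Scan or the post): it walks a WordPress tree and reports anything looser than the targets above. The thresholds are the conventional ones and are assumptions you may need to relax on hosts that run PHP under a group the files must be readable by; the sample tree is constructed in a temporary directory purely to demonstrate the findings.

```python
import os
import stat
import tempfile

# Conventional targets on a shared host: directories 755, files 644,
# wp-config.php 600 (640 if the web server's group must read it). These are
# assumed thresholds; loosen them only where your host requires it.
DIR_MAX = 0o755
FILE_MAX = 0o644
CONFIG_MAX = 0o640


def audit_permissions(root):
    """Walk `root` and return sorted (relative path, octal mode, reason) tuples
    for every entry whose mode is looser than its target. Symlinks are not
    followed or reported; the check is on what lives under the web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & 0o002:
                # The finding that matters most: anyone on the box can write here.
                findings.append((rel, oct(mode), "world-writable"))
            elif stat.S_ISDIR(st.st_mode):
                if mode & ~DIR_MAX:
                    findings.append((rel, oct(mode), "directory looser than 755"))
            elif name == "wp-config.php":
                if mode & ~CONFIG_MAX:
                    findings.append((rel, oct(mode), "wp-config.php looser than 640"))
            elif mode & ~FILE_MAX:
                findings.append((rel, oct(mode), "file looser than 644"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a tiny fake WordPress tree with deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)             # fine
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # mistake
    files = (
        ("index.php", 0o644),                                         # fine
        ("wp-config.php", 0o644),                                     # mistake: others can read the DB password
        (os.path.join("wp-content", "uploads", "photo.php"), 0o666),  # mistake: anyone can overwrite it
    )
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, mode, reason in audit_permissions(sample):
        print("%-32s %s  %s" % (rel, mode, reason))
```

Point audit_permissions() at the real document root over SSH and fix what it lists; an empty result is the goal, and the world-writable lines are the ones to fix first.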
Furthermore, check out these amazing WordPress security posts written by others on preventing a WordPress hack:
- WordPress Security
- 22 Tips To Prevent Your WordPress Blog Being Hacked
- 11 Best Ways to Improve WordPress Security
- How to Stop Your WordPress Blog Getting Hacked
Verdict
Prevention is better than cure. I cannot personally guarantee that your blog will not get hacked after implementing the methods I have mentioned, but I am sure the chances of a successful attack will be much lower.
How secure is your WordPress blog? If you have a tip or a piece of code you would like to contribute, use the comment box. I bet that after reading this post you will know how to prevent a WordPress hack to a great extent.
Hm, this article is a little over my head at this time, and it will need some rereading, but I'm interested to know how you came to HostGator? Is it because it is considered safer? Is there a "safe" host?
I'm not sure how safe HostGator is, but I always wanted to check them out. The fact is, I have 4 different hosting accounts and this blog was formerly hosted by JustHost. They are good, but I think my blogs deserve HostGator?
Btw, WpWebHost is awesome for blogs too. I have hosting with them for almost 2 years now and rarely had downtime issues. Web Hosting do matter when it comes to security and making some additional tweaks to your blog can be beneficial. If you ask for recommendation, I would say Gator and WpWebHost are real sweet for hosting wordpress and they don’t hurt your wallet
Thanks for replying! I’m using HostGator and I think they’re good but again they are my first hosting company so…:)
How about a blogger.com domain? Is it safe to apply this on my blog?
I guess not. You can try, but this stuff is for WordPress.
thanks sooo much very well written and helpful too!
My WordPress site (blissfulinterfaces.com) was hacked a few weeks ago (just a couple of days after it went live), since I had not changed the WordPress keys. Even though the site is not hacked anymore, I still see those hacker web domains directing to my host. When I go to those domains, they direct to my website pages with their domain in the URL. As an example, the URL below directs to my contact page under the domain name 'muggeltd dot com'.
muggeltd dot com/index.php?page_id=227
Do you know a way to prevent these domains from redirecting to my server? These domains even appear in Google search and I'm worried that it will affect my site's SEO ranking. If you have any tips on how to prevent this, please help. Thank you in advance.
First of all, scan your server for any security holes and worms. You need to remove them if found. Install the WordPress security plugins I mentioned. Try to modify the .htaccess. As for redirecting, anyone can redirect to whatever they want, at least that's what I know. I don't see many cases like that, but if the problem still exists and you want to discuss it, then use the contact tab on top and shoot me an email.
Cheers
Dear Salman,
I did not manage to insert all the code into .htaccess in the root folder. It ended up my blog displaying
“Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator…bla..bla..bla”
I just copied the code from your blog here and pasted into .htaccess in the root folder but it failed. Seeking for your advice, please?
Thank you.
Your blog seems to load OK. Did you copy the code properly and paste it into Notepad? If you are still facing problems, use the contact tab on top and shoot me an email. I will try to put all the code together, compile a .htaccess and post the download link here for convenience.
Dear Salman,
Read all your useful tips. Very informative and useful.
I also have the same issue as Hussain had faced regarding the .htaccess issue. Can you pls post it as a downloadable link here. It would be a great help if you.
Best regards,
pranoy
I appreciate you like my posts. And since you requested, I will update the post shortly with a downloadable .htaccess file which I use on my blogs.
Hope everyone is doing great
When I try your number 12 method, all the CSS and design of my site stops working. Everything else works fine. Can you fix this problem?
I had this happen to me too, but I never did step 12. Turns out it was the WebsiteDefender WordPress Security plugin. As soon as I disabled it, all the css worked again. However, the WP – Security Scan by the same guy didn’t have this problem.
you have to be careful with what plugins you install. Some are buggy while some may overlap
Can't most of this stuff be prevented by a firewall?
One of the best articles on the web about hacking problems in WordPress.
I wrote a post especially about this problem, and also mentioned this blog post as a great solution to the WordPress hack problem. Great image also.
Hi, my site was hacked just 3 days ago and now it's back. I'm just new to WP blogging. Can you teach me how to prevent those spam comments? Please and thank you.
Did you read the post? I have pretty much mentioned everything that you can do.. what is it that you don’t understand?