Stop Hacker! Secure your WordPress website

2 November 2016


We are sure that a hacker attack on your website in the first month of its existence will NOT bring you any joy! In this article we give you some simple but effective tips on how to ensure maximum security for your website, without risking the loss of valuable data or your website's reputation in search engines.

Checklist for testing the security level of your website on WordPress:


  • Was the “WordPress” folder renamed?

  • The folder name should be changed to something like “WordPress_secure_Ds7T”. After that, the wp-config.php file should be adjusted accordingly and placed in the root directory.

  • Have the security keys been added to the “wp-config.php” file?

  • Is the “wp-login.php” file protected?

  • Protective measures:

    Copy the wp-login.php file and rename the copy, for example to “super-login.php”.
    Replace every occurrence of “wp-login.php” with “super-login.php” inside the “super-login.php” file.
    Block access to wp-login.php through .htaccess (the Files wrapper limits the rule to that one file; without it the whole site would be denied):

    <Files wp-login.php>
    Order Allow,Deny
    Deny from all
    </Files>

    Block POST requests to wp-login.php through .htaccess:

    # Block POST requests to wp-login.php
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^/wp-login\.php$
    RewriteRule .? - [F]

    Now use the “example.com/super-login.php” address to enter the admin panel.
    You can read about other ways to secure the “wp-login” file here.

  • Is the “xmlrpc.php” file protected?
  • The “xmlrpc.php” file is often used in various attacks, so it is also recommended to block access to it. Add the following lines to the “.htaccess” file:

    Options -Indexes
    <Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
    </Files>

  • Has the table prefix been changed from the standard “wp_” to something more complex?

  • Is SSL encryption enabled for the admin area?
  • To do this, open the “wp-config.php” file (in the root of the site) and add the following line:

    define('FORCE_SSL_ADMIN', true);

  • Has the user with the username “admin” been removed?

  • Create a new user with a unique username instead of the default one.

  • Is the password for the admin panel strong enough?

  • Use at least 8 characters (preferably 12), combining upper and lower case, and use special characters such as ! “ ? $ % ^ & ( ). Change your password from time to time to protect it from being cracked. Never save passwords in the browser or in the FTP client.

  • Is the “wp-admin” folder protected?

  • The “wp-admin” folder is protected by a “.htaccess” file located in the “wp-admin” folder together with a .htpasswd file, which stores the username and the (hashed) password.
    To quickly and easily generate the .htaccess and .htpasswd files, you can use this service.

  • Is error display disabled on the login page?

  • To do this, add the following code to your theme’s “functions.php” file (a closure is used because create_function is deprecated and was removed in PHP 8):

    [php]// Return nothing instead of the hint that reveals whether the username or the password was wrong
    add_filter('login_errors', function () { return null; });[/php]

  • Is the number of failed login attempts limited?

  • Possible solutions: the Login LockDown and Limit Login Attempts plugins.
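A defender-side check for the wp-login.php, xmlrpc.php and login-limiting items above, as an added example that is not part of the original article: it parses constructed Apache access-log lines and flags any client that repeatedly POSTs to wp-login.php or xmlrpc.php within a short window. WordPress answers a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect, so 302s are not counted; the IPs, paths and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not real traffic): one client hammers
# wp-login.php, one probes xmlrpc.php, one is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Nov/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Nov/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Nov/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Nov/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Nov/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Nov/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Nov/2016:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.7 - - [02/Nov/2016:10:00:06 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.7 - - [02/Nov/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WATCHED = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line that is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?")[0], int(status)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map ip -> total failed POSTs for clients that reach `threshold` POSTs to wp-login.php
    or xmlrpc.php within `window`. A 200 on wp-login.php is a re-rendered login form
    (failure); a successful login answers with a 302, so it is not counted."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in WATCHED and rec[4] == 200:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0                      # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Feed it a real access log and the flagged IPs are the ones a Limit Login Attempts style block list should already contain.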

  • Are WordPress and its components updated to the latest version?

  • Is the WordPress version hidden?

  • Remove the meta tag that looks similar to the following from the page header:
    <meta name="generator" content="WordPress" />

  • Is access to the following files restricted:

  • wp-config.php – contains the database name, user name, password, and table prefix;
    .htaccess;
    readme.html and ru_RU.po – reveal the WordPress version;
    “install.php”;
    xmlrpc.php – put this in .htaccess:

    Options -Indexes
    <Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
    </Files>

  • Is the “wp-includes” folder protected?


  • Create a “.htaccess” file in the “wp-includes” folder with the following content (everything is denied first, then only the static assets that browsers must still load are allowed again; a plain “allow from all” after “deny from all” would cancel the deny entirely):

    Order Deny,Allow
    Deny from all
    <FilesMatch "\.(css|js|gif|jpe?g|png|svg|woff2?)$">
    Allow from all
    </FilesMatch>

  • Have unused plugins and themes been removed?


  • Are the access rights on files and directories set correctly?

  • Usually, WordPress sets all the necessary rights during installation, but if necessary chmod can be set manually. For directories – chmod 755,
    for files – chmod 644.
    Rights 777 are assigned only to those objects that need them (sometimes this is necessary for some plug-ins to function normally).
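An added example (not from the article) that audits the wp-config.php items above (security keys, table prefix, FORCE_SSL_ADMIN) together with the 755/644 permission rule. The sample wp-config.php is constructed, and the 32-character minimum for security keys is an assumption.

```python
import os
import re
import stat
# Constructed sample wp-config.php (not from the article); it keeps two of the
# weaknesses the checklist warns about: a placeholder key and the prefix wp_.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'Zt7#pQ!v2Lm9xR4bW8nK1sD6fG0hJ3yC5eU7iO9aT2rE4wQ6');
$table_prefix = 'wp_';
define('FORCE_SSL_ADMIN', true);
"""
SECURITY_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                 "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # the value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'\s*;")

def audit_wp_config(text):
    """Return checklist findings for a wp-config.php; the 32-char key minimum is an assumption."""
    findings, defines = [], {}
    for name, str_val, bool_val in DEFINE_RE.findall(text):
        defines[name] = bool_val if bool_val else str_val
    for key in SECURITY_KEYS:
        value = defines.get(key, "")
        if PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{key} is missing, still the placeholder, or too short")
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is still the default wp_")
    if defines.get("FORCE_SSL_ADMIN") != "true":
        findings.append("FORCE_SSL_ADMIN is not enabled")
    return findings

def mode_finding(path, is_dir, mode):
    """Flag a mode looser than the 755 (directories) / 644 (files) the checklist recommends."""
    limit = 0o755 if is_dir else 0o644
    return f"{path}: {oct(mode)} is looser than {oct(limit)}" if mode & ~limit else None

def audit_permissions(root):
    """Walk a WordPress install and collect every over-permissive file or directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):      # a link reports 777 itself; its target is judged on its own
                continue
            f = mode_finding(path, os.path.isdir(path), stat.S_IMODE(os.stat(path).st_mode))
            if f:
                findings.append(f)
    return findings
```

Run audit_wp_config on the real file and audit_permissions on the site root; an empty list from both means these checklist items pass.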

  • Is registration of new users disabled, if it is not needed?


  • Is the site protected from XSS attacks?
  • Use a plug-in such as Anti-XSS attack.

  • Is WordPress protected from hotlinking?


  • Write the following in the “.htaccess” file:

    # Replace mysite\.ru with the address of your website
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.ru/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    # Replace /images/nohotlink.jpg with the path of your own placeholder image;
    # the exclusion below keeps the placeholder itself from being rewritten in a loop
    RewriteCond %{REQUEST_URI} !^/images/nohotlink\.jpg$
    RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

  • Is the site protected from being embedded in an iFrame?


  • Is SFTP used instead of FTP (if the hosting supports it)?


  • WordPress security may not be very effective if your computer is not properly protected, especially PC/Windows-based computers. The Mac is generally considered to be safe and secure and does not require any additional antivirus software. The Mac operating system is Unix-based, and Unix offers a number of built-in security features.

    The most important points are:

  • Install and use reputable antivirus software.
  • Do not visit suspicious online resources and do not download suspicious files.
  • Pay special attention to mailbox content and use anti-spam protection (SpamAssassin and others).


  • Always update the software on your computer, especially browsers.


____

Perfectorium IT company is the fastest-growing web development company in Ukraine, offering you a wide range of services: Website Design & Development, SEO, Mobile Applications.

With our extensive industry experience, Perfectorium understands how to help you realize your business dreams and maintain your online and offline presence. Feel free to contact us and see what we can do for your business. Our experts can schedule a Skype conference call, give you a brief overview of our company's services and make a preliminary assessment of a project's cost. To book a free consultation with our website design consultant, fill out the simple form below this post.
