How to Secure and Harden WordPress Against Hackers

title-slide(Originally presented at Volta Labs Halifax, for the Halifax WordPress User Group on Oct.20, 2016.)

Though often overlooked, security measures should be integral to every WordPress install.  Due to its open-source nature, WordPress can be particularly susceptible to hackers. If you haven’t spent any time SECURING your site, this is your wake up call!

Having a site hacked can get you on the google ban list – which is difficult to get off of. Your site may also lose hard-earned traffic, and your company may lose face. Hackers choose the sites that are easy to hack and have no safeguards in place, so by spending a few hours here and there HARDENING your WordPress site – you can prevent future headaches!

I’ve been at this ten years now, and I’ve seen sites with spam injected, ad redirects, entire makeovers in Arabic, and more! Today we will cover the basics of securing your site, and also delve in to more advanced techniques.


slide2Back up often

If anything goes awry at any time, a recent backup of your site will be a godsend – you can simply ‘turn back the clock’ and restore your site to it’s proper state! I backup sites monthly in three ways:

1 – I pull the entire thing down via FTP
2 – I backup the MySQL database to a local drive
3 – I export the WordPress site structure

An ounce of prevention is worth a pound of cure here!

slide3Keep WordPress up-to-date

WordPress updates often patch security holes in the software. Again, the open-source nature of WordPress is a double edged sword – because when updates are released, details of the patches (and security flaws) are published openly to the public…. including hackers. By keeping your CORE, THEMES and PLUGINS up-to-date, you can mitigate potential hacks.

Delete plugins and themes you are not using

Be ruthless. Don’t just DEACTIVATE plugins – it’s not enough. Frankly, each plugin you have is a potential backdoor into your site – close as many of these doors as you can! Also, be sure to delete plugins that are not frequently updated, or haven’t been updated in 1 year or more. (Consider replacing these plugins with more stable and frequently updated ones with the same or similar functionality.)

slide5Do not use ‘admin’ as any username on the site

This is where hackers begin. A simple change to your username can make a world of difference.

Change your password often – and make it a good one every time!

Lots of people use random strings of letters and numbers for a password – which are okay. In fact, there are lots of password generators online that can generate these strings for you:

– Password Generator
Norton Password Generator

slide6However, I find a group of 4-5 random words to be the best password. The longer a password is, the more exponentially secure it is. In my experience a random string is hard for humans to remember, but easy for something like Brute Force to parse. Something like ‘table light projector security remote’ is hard for machines to parse, but easy for us humans to remember.

Also, consider using cloud-based password-storage software. These apps store your passwords, and you need know only one password to unlock anything and everything you do online. I used a package called ROBOFORM, but I hear LASTPASS is a great option as well.

slide7Move your login page

Most Brute Force attacks are automated with bots. These bots scrub the net looking for WordPress login pages. Change yours from or to something else. Then the bots can’t find your login page, and they move on to an easier target. I use the ‘LOCKDOWN WP ADMIN’ plugin for this, though a number of other security plugins with provide this feature as well.

slide8Limit Login Attempts

Programs like Brute Force try multiple logins in a short span until they gains access to your website. A simple way to combat this is to limit your logins attempts. Three failures, and than a lockout for an hour is a typical setup. I use the LOGIN LOCKDOWN plugin, though some of the major security plugins offer this as a feature as well.

Use a different database prefix -> not wp_

‘wp_’ is the default mySQL prefix that hackers look for in databases to identify WordPress sites and file structures. Setting the prefix to something else makes it harder for them to figure out what you have going on under-the-hood. Setting the prefix should be done at site install. If not, the ALL IN ONE WP SECURITY plugin has this feature and many others. If there’s one plugin I recommend you install to begin beefing up your security, this is it.

slide10Keep your computer updated

Believe it or not, hackers can sometime worm their way into your site via a compromised computer. Everything is connected nowadays, so try to keep all the conduits to your information in the cloud as secure as you can. Ensure you update your desktop software when required and run an anti-virus program at home. For Windows 10 machines, I recommend MICROSOFT SECURITY ESSENTIALS. It’s relatively lightweight, and free. Other options include AVG FREE and AVAST!


So now we’ll delve into some more advanced techniques to harden your WordPress site against hackers. For those comfortable with php code, this is the way to do it. A few code additions to some of your core files can do a lot of work for you.

For those uncomfortable with coding, I recommend using a plugin like ALL IN ONE WP SECURITY that can help implement some of these security measures without having to delve into the codebase. But remember, in WordPress, the more plugins, the more backdoors – so it’s BEST to do stuff in the code if you can.

slide12Set your FILE PERMISSIONS

This will secure the files so that they are ‘locked down’ to outsiders. This is done via FTP software like FILEZILLA. Login to your server via FTP and see what your permissions are set to and change as needed. WordPress recommends the following settings:

– Directories – 755 or 750
– Files – 644 or 640
– Wp-config.php – 600


slide13WordPress ships with special security codes called keys and salts that help secure your site. They are used to double-verify your site ownership – keeping the passwords in the config file and out of the database. This means a hacker will have to gain access to BOTH of these places to get in, not just one. Unfortunately, these are not active right out of the box on your WordPress install.  Open up your wp-config.sys file and look around line 30-40. You should see:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);

To update, you can create long random keys yourself – or just obtain new random keys from WordPress Central at:

To implement, simply replace the lines in your wp-config.php with the ones you generate here. For example:

define(‘AUTH_KEY’, ‘m=x$pSozxu(lkwS1tA$HWj1Y%p:EqW-:THd-@Op5Fo MJI$b+I*G0Ru~IWY c1uT’);
define(‘SECURE_AUTH_KEY’, ‘-(]afKYj,myC>C2QQT%N`w7oXu/^4Z+.{;0>U+1I|~=`R?=8g,-zL@!Y{FT$Jd:S’);
define(‘LOGGED_IN_KEY’, ‘|YLBico]F=>!JQJ69]e*r:%v>j`]KyP,QFI%@w(,;Tp1F;(m!J=vo8F;|MfdR#4t’);
define(‘NONCE_KEY’, ‘ZvmD9 w x*%Xl`2&,|_#6.|cgr:zIXF^`Oq@K+H&Q?| pU`e8q@8H7f?/,dyT^P+’);
define(‘AUTH_SALT’, ‘sg<*#Q%hPc?+quT<[rgtU9[BR=4n}Q_6J{^rgy]ko,K}0&1~2r__o*)N,2Yv,i:{‘);
define(‘SECURE_AUTH_SALT’, ‘UqH6~1!2mS|0MpfZrG+O/+JVac*w]1#&&;KYw!>w+p+3QSL_!Cri}Y2Rhh@%*g%_’);
define(‘LOGGED_IN_SALT’, ‘BE|zX_g@Lbr@VH:M-9 bf.xj|xfE&Vv;/asi@qBC_pNbzqw=y-t_|Q{RW|$q#Now’);
define(‘NONCE_SALT’, ‘{Sg#m-4*|ze7b!.tu*>:~)ciiGL itj`;(c=+Qe(yWVllA%c,T5c|Nd7Smf}rG]+’);

slide14More wp-config.php editing

Now that you’ve got your wp-config.sys open to check on those keys and salts, we can begin making some more additions to this file to add further functionality.

Turn off the plugin and theme editor

If you’re not using WordPress to edit the PHP code of your theme and plugins, you should turn this off. Most developers edit off-site on a downloaded copy in their own software, and then use FTP to zip the completed file back up. The built-in editor is clunky and really kind of an afterthought IMHO. It allows logged in users access to your file system. To disable it for you (and any hackers who’ve wormed their way in) you should insert the following code in your wp-config.sys file:

define( ‘DISALLOW_FILE_EDIT’, true );

Automate core, plugin and theme updates

Don’t login in often? Hate updating themes, plugins and the core manually like a sucker, but want your site up-to-date? Automate! Simply add this code to your wp-config.php file:

# Enable all core updates, including minor and major:
define( ‘WP_AUTO_UPDATE_CORE’, true );
# Automatically update plugins:
add_filter( ‘auto_update_plugin’, ‘__return_true’ );
# Automatically update themes:
add_filter( ‘auto_update_theme’, ‘__return_true’ );

slide15.htaccess editing

The .htaccess file is a powerful little file that lives at the root directory of your site. It stands for HyperText Access, and common uses include redirects, URL rewriting, and to blocking access to certain files. We can add some code and do the following:

Hide wp-config:

order allow,deny
deny from all

Make site directories non-browsable:

Options All -Indexes

Restrict access to IP:

order deny,allow
Deny from all
# allow access from my IP address
allow from

Block IPs:

order allow,deny
deny from
allow from all IPs:

slide16Hide author usernames

When someone inputs ‘?author=1’ after your url they are redirected to homepage when you add this to your functions.php file:

add_action(‘template_redirect’, ‘bwp_template_redirect’);
function bwp_template_redirect()
if (is_author())
wp_redirect( home_url() ); exit;

Install a plugin like: All In One WP Security

My final recommendation is to install a security plugin like ALL IN ONE WP SECURITY to fill in any further gaps.