How to Secure WordPress Easily

These tips will teach you how to secure WordPress (self hosted blogs) without spending hundreds of dollars in tools and software.

WordPress has been downloaded 20,706,485 times (as of this moment) which means it’s a constant target for hackers and spammers.

Getting your website hacked is not a pretty sight.

In fact, it can cause loss of revenues, bad reputation for your business, and other headaches that could have been prevented if you simply took some preventive measures in securing your wordpress websites.

The Solution is quite simple. Implement preventive measures rather than cure the problem later on.

Learn How to Secure WordPress by following these Simple Steps

1. Never use the default “admin” username because it will be an easy target for hackers using brute-force technology.

Most of us are still guilty of using admin, administrator, etc as default usernames for our WordPress blogs, and this simply invites hackers to brute force and hack your website. Don’t use easy to guess passwords as well. Choosing your anniversary or birthday as passwords is not a wise thing to do.

If you need help in choosing a stronger password, you can use’s password generator tool and use it as well to help store usernames and passwords for all the websites that you visit.

But if you’ve already created and used an admin password, WordPress allows us to easily change that by adding a new user name and transferring all posts from your old username to your new one.

*Before migrating this, I would recommend that you backup your website first because there’s a possibility that you might lose some or all of your existing content if this is not done properly.

Follow these steps to create a new “Administrator” user and transfer your old user content to this new one.

  • Login to your wordpress Dashboard using your “default” account.
  • Go to Users -> Add New -> Complete details. Use a Hard to guess username for your new user account. Don’t forget to choose Administrator in the Role Dropdown. Save.
  • Go to Users -> Check the default admin username that you would like to delete. Change the Role of this account to Editor from the drop down menu. Delete account
  • You will be asked to migrate all your posts to another user. Choose the NEW Administrator account that you’ve created.

Change Role to Editor

2. Always have a Backup copy of your database and entire website content.

This is especially true if you have a large website and you’ve added years of content to your blog.

The last thing that you want to happen to your online business is to lose everything that you’ve worked for.

One site hack or database corruption can mean years of irrecoverable data. The best solution is prevention or at least have a backup copy of your entire site. There are tons of ways to backup your website, but I like solutions that actually make it a lot easier. It also allows me to “clone” websites easily, and the plugin that I use is Backupcreator or you can try a free plugin called “Duplicator”.

If you don’t want to use other WordPress plugins and paid solutions, WordPress has a basic backup functionality called “Export tool”. But this tool only allows you to backup posts and pages, and not your entire website, so use this option only as a last resort.

Use the Export tool to get an XML version of all the pages and content on your site.

Wordpress Post Export

3. Monitor your Website and get notified immediately if it’s not receiving any traffic

One of the easiest ways to check if your site got hacked is when your traffic suddenly drops to zero visits per day (this is only true if you were receiving traffic or visitors previously). There are many “uptime” monitoring tools out there, but I like to use Google Analytics to track traffic visits to my websites, and use Google Analytics’ custom alert to get notified by email or SMS.

Custom Alerts

Here’s how to setup Google Analytics to notify you immediately via email if your site’s traffic is down to zero.

a. Make sure you have Google analytics stored and working on your website.

b. Login to your Dashboard and Click Admin on the Upper Right Corner.

c. Navigate to the Profile that you’d like to track.

d. Click on Custom Alerts and set an alert that will notify you if traffic to your site went down to zero (0).

e. Copy these settings

f. Click Save alert. If your site dropped in traffic, Google Analytics will notify you via email.

How Safe is Your Site? – How to Secure WordPress Easily

5. Protect your .htaccess file

This is probably one of the easiest ways how to secure wordpress from hackers and spammers. Chances are you’re running wordpress hosting on an Apache server. Apache server has a configuration file called .htaccess which you can easily modify to secure and strengthen your website.

You’ll need FTP access using CPANEL or an FTP Software to access the .htaccess file from your domain’s root folder.

Get your CPANEL Username and Password. If you know how to setup FTP, you can use your FTP account, username and password to access the root folder of your site.

The Root Folder is the Main URL in your website. Usually it’s the public_html folder.

You can now edit .htaccess using a simple notepad

Here are the .htaccess codes that you can use

If you want to disable people from hotlinking to your images and files, add this code to your .htaccess. Hotlinking refers to people directly linking to your images and files and while they don’t cause any security issues, they slow down your server because it eats up on your server’s bandwidth

#disable hotlinking of images with forbidden or custom image option
 RewriteEngine on
 RewriteCond %{HTTP_REFERER} !^$
 RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
 #RewriteRule \.(gif|jpg)$ – [F]
 RewriteRule \.(gif|jpg)$ [R,L]

If you have a static IP Address (your ISP assigns only 1 IP address to your Internet Connection, you can configure .htaccess to only allow wordpress admin (wp-admin) access from your own IP and deny all other IP addresses.

order deny,allow
 allow from a.b.c.d # This is your static IP
 deny from all

If you’re constantly being bombarded by spammers and spam comments, try adding this code to your .htaccess file to prevent “bot comments”

RewriteEngine On
 RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
 RewriteCond %{HTTP_REFERER} !.** [OR]
 RewriteCond %{HTTP_USER_AGENT} ^$
 RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

The most VULNERABLE file in wordpress is your wpconfig.php. Protect it by adding this line of code to your .htaccess

# protect wpconfig.php
 <Files wp-config.php>
 order allow,deny
 deny from all

WordPress Folders are vulnerable to spammers and hackers. It’s easy for someone to browse and see your files and folders if you haven’t disabled Directory Browsing for your wordpress websites.

# disable directory browsing
 Options All -Indexes

And last but not the least, protect .htaccess itself.

<Files ~ “^.*\.([Hh][Tt][Aa])”>
 order allow,deny
 deny from all
 satisfy all

Follow these simple steps to How to Secure WordPress immediately. Remember it’s better to prevent site hacks and downtimes than to cure the problem later on.

This article was originally posted on our blog