Complete WordPress Security Guide


The WordPress attack attempts increase as soon as your blog starts to grow. So, in order to provide security to your WordPress blog, you need to follow some guidelines and tweaks.

I have listed some of the WordPress recent security attacks. How to prevent them from happening to your blog and some WordPress security plugins, security tips to be followed and implemented.

Below methods involve editing .htaccess file and others. Editing .htaccess and others involve risk. So make sure that you back up the things before proceeding.

Brute Force Attack

One of the popular methods of hacking WordPress blogs is the brute force attack. In brute force attack, the hacker tries to login to a WordPress account with every possible combination of characters. Some softwares that are meant for the brute force attack will do this.

Plugin: Login Security Solution, can track the IP addresses from where login attempt is made and we can block those IP addresses, isn’t it cool?

Here are some more WordPress security best practices to avoid brute force attack.

Treat username as your password

The default username of the WordPress database is admin, change that to your name or set the username to something unique, so that it is not easier to judge for hackers. If hackers know your username, it will be further easier for them to carry out the attack.

If the username is like a password, then it is impossible to carry out the brute force attack.

Keep your passwords safe, secure and strong

Strong passwords secure your account from brute force attacks. It is difficult to implement a brute force attack on accounts with secure alpha-numeric passwords.

Keep your passwords as long as possible, and include special characters and numbers in it. Make use of WordPress password strength checker while setting the WordPress password.

In brute force attack, hacking a WordPress account with a secure alphanumeric password is almost impossible.

Enable Captcha for Login and Registration Pages

Enabling captcha for your login page makes it impossible for hackers to carry out a brute force attack on your account, as the captcha is reloaded after every attempt.

Also enabling captcha and other extra fields to the registration field avoids spam users.

To make this possible, you could use SI CAPTCHA Anti-Spam or alternatively you can use Cimy User Extra Fields plugin.

Limit login attempts

In order to prevent brute force attack. You may have to limit the login attempts to your WordPress account. This can be done with the help of a WordPress security plugin called limit login attempts, in which the WordPress account will be locked after some preset failed attempts and time. This ensures that your WordPress account is safe as far as a brute force attack is concerned.

Or alternatively, without any plugins, you can add some code to functions.php. as described in this blog post.

Enable IP based login

There are plugins that offer you to set whitelist IP addresses which can only login to your site. Include a current IP address and the IP address of the place where you frequently travel in whitelist so that you can login to your WordPress account in those locations only and secure the WordPress account from brute force attacks.

Plugin – WP Login Security 2

Alternatively, you can manually create a separate .htaccess file for the wp-admin folder listing the allowed IP addresses.


AuthName "Access Control"
deny from all
# IP addresses of my Computers
allow from
allow from
allow from
allow from

The above code limits login attempt only to the 5 IPs mentioned as Let them be your home IPs and work IPs.

Malicious Script Injection

Malicious scripts or sometimes injected into the WordPress database. It is very difficult to find the bad scripts in the WordPress database. These malicious scripts can act as key loggers and as well as SEO juice suckers. They act like Trojans, which appear as useful in the front and carry out its malicious activities in the background. Here are some tips to prevent it.

Scan your site and block IP addresses known for hackers

Sounds tough, right? For me too without this plugin. WordFence security is the best security plugins for WordFence, which alone has the capacity to cope with hackers. On installing, it thoroughly scans for any vulnerabilities in your WordPress account. It contains many options in the free version and a plethora of options in the premium version.

It also contains inbuilt who is lookup, which helps you to find out the who is details (Website, telephone no, address of the person associated with the IP address)

Also offers you the facility to block the IP addresses trying to login to your account, block the network, etc. It will automatically track down the IP addresses from which the hacker tries to hack your site. It also adds those IP addresses to its database and blocks those IP addresses on all the sites that are running WordFence.

That means a WordFence user is not only protecting himself but also the WordPress users using WordFence.

Avoid 3rd party plugins

Installing plugins from other than trusted sources like nulled plugins injects malicious scripts to your WordPress database.

Plugins and themes have become the major target of hackers to inject malicious scripts, steal the credentials of WordPress users. Always use plugins from WordPress or other trusted sources, which are thoroughly scanned before releasing.

Use anti-malware plugins

Removing malicious scripts manually is a nearly impossible task for an user. There are numerous anti-malware plugins available in WordPress, that scans your WordPress database regularly for malicious scripts and remove them with your permission.

Sucuri WordPress Security Plugin
Anti-Malware (Get Off Malicious Scripts)

You can also do it manually by inserting some code into your .htaccess file, but back up your .htaccess file before editing it.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Scan for malicious scripts in multiple .htaccess files

Infected .htaccess files are being injected into the WordPress database to achieve redirections to some other websites unknowingly. This leads to Google marking your website as spam. Take a full backup of your WordPress database regularly to ensure that you are safe.

You can also use plugins such as bulletproof security to scan htaccess files for malicious scripts.

Choose a good hosting service

There are some hosting services, which offer free hosting services. But at the same time, they may inject malicious scripts into your WordPress database for the process of tracking and promotion. Therefore, avoid these un-trusted hosting service providers.

Go for trusted hosting providers that may be complimentary or paid.

HostGator is one of the best hosting service providers out there. It ensures that your site is up all the time and also the security given by this hosting giant is good.

Avoid Pirated Themes

The themes available from other than WordPress are untrusted and are more likely contain malicious scripts that will be injected into your WordPress database.

Install the themes that are trusted and from WordPress. You can even purchase a premium theme to avail SEO and features benefits.

Numerous theme providers claim that they give premium themes for free, simply avoid them.

Other important tips

There are other methods that hackers use to hack a WordPress account. It is necessary to take some extra important steps to secure your WordPress account. Some of the important of them are listed below.

Enable two factor Authentication

Two-factor authentication is an extra security feature offered by many plugins.

You can enable two-factor authentication by using Google Authenticator or Secret question.

Alternatively, you can also use Login Dongle that gives you bookmarklet, you need to click on the bookmarklet every time after logging in with your credentials.

Set Privacy locked for your WordPress Admin files

By default, WordPress set its admin files visible to the admin only. However, sometimes, it may be necessary to set the privacy manually. So set the privacy of the WordPress admin files visible to the admin only in to cpanel. If you set the privacy of your WordPress admin files to the public, then it is easy for the hacker to snoop into your WordPress database structure and it will be easier to hack.

Use robots.txt to disallow access to admin files in your WordPress database. Add the below code into robots.txt file.
#User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

The most dangerous feature is CHMOD 777, which enables public and all visitors to view, edit or modify the WordPress database. The malicious scripts can even alter these settings so it is important to consider your privacy regularly.

Require Login for Comments or disable links in the comments

Nearly 70% of the comments are spam. It’s better to allow only registered users to comment on your blog posts.

Alternatively, you could also disable links or HTML in the comments with the help of plugins like  Disable Author URL and Comment Links.

Update all the things

The older WordPress versions are vulnerable. So the newer versions of WordPress are released to fix the bugs and vulnerabilities. If you are in the outdated version of WordPress, you are vulnerable to hackers.

Likewise, do not forget to update the outdated plugins. Older plugins are more vulnerable to attacks. Avoid plugins that are updated for about two years and which does not have enough ratings.

This is one of the best practices to be followed.

Remove anything that exposes your WordPress version

You may have discovered that the particular WordPress version is vulnerable and the latest version fixed that. Hackers look at the WordPress version and its vulnerabilities to hack. Make sure that you do not expose the WordPress version to the public. Remove anything that exposes WordPress version. If possible, remove everything like, Powered by WordPress, etc. To remove a WordPress version number manually, you should add the following code to the functions.php file.

If possible, remove everything like, Powered by WordPress, etc.

To remove a WordPress version number manually, then you should add the following code to the functions.php file.
remove_action('wp_head', 'wp_generator');

Change Default WordPress database prefix


When creating WordPress database, it will ask you to set WordPress database prefix. Use WordPress databases prefix other than “wp”. Open WP-config-sample.php, find the prefix area, and change it to something that you desire. Just look at the screenshot above.

Disable file editing in WordPress dashboard

By default, you can edit theme files by going to Appearance > Edit files. When the intruder gets access to these files, guess what he can do.

If you are an FTP user, you can disable direct editing of theme files from WordPress dashboard. For doing this you need to keep the FTP password strong and use it to edit files directly.

For disabling dashboard editing, open the wp-config.php file.

Add the line,

define( ‘DISALLOW_FILE_EDIT’, true );

You are telling WordPress to disallow file edit from it.

Keep WordPress audit security logs

WP Security Audit Log keeps a log of everything happening on your WordPress blog. It is easy to track suspicious activities. This plugin generates warning log entries for every major change in your WordPress account.

It keeps a log of every major activity like WordPress updates, password changes, users, roles, logins, etc.. It also keeps a log of IP addresses from where logins were made.

It literally logs every activity in your WordPress account makes the analysis and prevention of WordPress exploit easier.

Hide the reporting feature of WordPress

Sometimes you may have come across the error or warning messages like “Warning in /home/www/… – Line 123”. This can be merely a warning or error message for you.

But as far as hacking is concerned this is an absolute disaster. Because hackers are constantly searching for sites with vulnerability and depreciation issues.

Turn the feature of PHP error and warnings reporting mechanism off. Open wp-config.php.

Add the lines,

define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG', false);

The above code, instead of displaying errors and warning mechanism, logs them. It’s your duty to look into the log files periodically for error and other messages.

Backup your site

It’s a good idea to regularly backup your site. In case of any hacks, or server crashes, the backups of your site can play a savior role.

There are many free good backup plugins for WordPress like WordPress Backup to Dropbox,which backs up your site directly to Dropbox directly using the Dropbox API.

UpdraftPlus Backup and Restoration that lets you backup your site to cloud like Google Drive, Dropbox, and lets you restore the backup.

Akshay recommends:
1. 32 WordPress Plugins that Boost your Productivity
2. 5 Must Have WordPress Affiliate Plugins

Final words

These are some of the tips to be followed to make your WordPress site, bulletproof.

Limiting login attempts, IP based login, two-factor authentication are the steps that should be taken to secure your WordPress site. Regularly check your whole site for malware, using scanners such as Sucuri, Exploit Scanner, Theme Authenticity Checker, etc.

I hope you enjoyed this post on the guide to secure your WordPress account. If you follow all these above WordPress security guidelines, it will be very tough for a hacker to break into your site.

If you are following any methods to secure your WordPress blog. Please do share them. I personally took 7 hours to churn out this guide on WordPress security and best practices, then why can’t you take a minute to share or at least like this post?