How to, Wordpress

10 Simple tweaks to secure your WordPress site and prevent it from getting hacked!

The widely used blogging platform and CMS ,WordPress ,though updated regularly , hackers find some gap to intrude into it.The security features are improved at every release.But yet there are some little tweaks to be done to make it secure on your part.

The tweaks discussed below would be really useful for all WordPress Self-hosted users.

Remove the WordPress generator tag:

Fed up hearing this? May be.Most of them think that just deleting the wordpress generator meta tag from the <head> region enough to do the trick.So they just delete the meta tag or use the PHP code remove_action('wp_head', 'wp_generator'); in the functions.php file to remove it.To say the truth this does not solve the problem.Because clever hackers would search for the wordpress version from other places like RSS feed.So you must be clever enough to use the code below.Just open up your theme’s functions.php and add the code below…

// Removing the WordPress Generator MetaTag
function remove_generator() { return ''; }

if (function_exists('add_filter')) {
$types = array('html', 'xhtml', 'atom', 'rss2', /*'rdf',*/ 'comment', 'export');

foreach ($types as $type)
add_filter('get_the_generator_'.$type, 'remove_generator');

The need to do this is mainly because,hackers look for the version of wordpress you use in order to use the hacking method that suits your version of wordpress.If you don’t do this tweak of hiding the version of wordpress,You would be helping the hackers to make their work simple.So are you going to help them or place the small snippet in your functions.php file and protect yourself?

Change the admin username:

The mistake many wordpress administrator do is setting their username as admin.Of course you are the admin that is obvious but why do you want to show off by setting it as your username? Hackers trying to hack your site using tools such as Bruteforce or some method that tries different combinations of password will feel it easier when you use your admin username as admin.If you have such username,Change it at once by following the steps below.You will have to edit your database using phpMyAdmin to do the trick.

  1. Login to your phpMyAdmin dashboard.
  2. Select the database you use for your WordPress from the list on the left side panel.
  3. Now under the Structure tab,look out for the table named wp_users.
  4. Now click on the Browse button [browse icon] against that table.
  5. Now a list of records in the table will be shown.Find the admin (mostly the first one) and click the Edit button[]
  6. Now in the form shown,change the value for user_login to anything other than admin.
  7. Click Go.You can close when done.

Great you just changed the admin username! Or do you prefer the easiest way? Then run a SQL query.

UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'admin';

Changing the Table prefix:

Using the default table prefix wp_ is considered to be unsafe by many.This would make it easy for the hacker to know the table prefix.Changing this is somewhat complicated unless you are a genius.Yet the plug in mentioned below would help you fix this.Keep reading…

Limiting login attempts:

Again this is to tackle the hackers trying to break in using software such as Bruteforce.Limit Login Attempts is a plugin for wordpress that disables login for a particular IP that failed to login within few attempts.The access will later be enabled.So don’t worry.Get the plugin from HERE.

Hide login errors:

Errors that show up when something goes wrong in login attempt may be good for you if you forgot your password.But it would even be good for hackers trying to hack your account.So disable the errors from showing up by editing your your theme’s function.php file and adding this code…

add_filter('login_errors',create_function('$a', "return null;"));

Protecting wp-config.php with .htaccess:

WordPress’s wp-config.php file is a file of high value as it contains all your server and database information.The passwords to all.So do you feel its importance? What about securing it? then edit the .htaccess file in the wordpress root to pace the code below.

<files wp-config.php>
order allow,deny
deny from all

Forced SSL usage:

You can force your wordpress to use SSL protocol if your Host supports it.If you feel that your site needs SSL connection open your wp-config.php file and paste the code below.

define('FORCE_SSL_ADMIN', true);

Back up Your site regularly!

This is very important to do and every wordpress must do it.Taking a back up of your files and database would help you tackle any case.It might be any like,you deleted a file by accident,you were hacked and such.With the back up you can alway be up again.And you have a cool worpress plugin that automatically backs up your database and files.BackUpWordPress is the plugin and you can get it from HERE.It automatically backs up your files everyday and you can download it any time.

What are your Chmods?

Your chmod values for each directory of your wordpress matters for your security.See to that the chmod of yours match with the required ones listed below.

root directory ../ 0755
wp-includes/ ../wp-includes 0755
.htaccess ../.htaccess 0644
wp-admin/index.php index.php 0644
wp-admin/js/ js/ 0755
wp-content/themes/ ../wp-content/themes 0755
wp-content/plugins/ ../wp-content/plugins 0755
wp-admin/ ../wp-admin 0755
wp-content/ ../wp-content 0755

WP – Security Scan plugin:

This plugin does a lot for your security.It detects few common security flaws and reports you.Scans your WordPress installation for security vulnerabilities and suggests corrective actions.The above mentioned,changing table prefix can be done with this plugin.You can get it from HERE.

Hope the tweaks were useful.Please support by Sharing the link in Social medias.Leave a comment with your views.

About the Author

Tharun is a bit attracted towards computers and stuff.He loves to blog,share and know more about computers and technologies.He shares what he feels is something good on this site...Stay connected.
Tharun is on: Facebook , Google+ , Twitter

Green Pro
Green Pro

Now a day most of bloggers and webmaster are recommending WordPress. WordPress is very easy CMS blogging platform. I am also using WordPress for one of my client blog. Thanks for sharing such an important 10 tweaks regarding WordPress security. These tweaks are very useful.


Really security means a lot and thanks for the post

Arjun @TechField
Arjun @TechField

Wow ! Really Nice Tharun ! I will make my site secure as well !


Hi Akash, 755 is the recommended chmod