How to protect your WordPress installation

5 September 2016 / by Ivan Messina

Years ago only skilled attackers were able to damage a website. Today anyone can find a tutorial on how to exploit a vulnerable script.

We take security very seriously, which is why we have implemented a system to prevent your application from being hacked. Even so, we cannot guarantee complete protection of your account, because that also depends on insecure code hosted in your account.

Here we explain how to protect your WordPress installation.

Important notes

  • Always keep WordPress updated to the latest version; the same goes for themes and plugins
  • Avoid using "admin" as the administrator username
  • Change your administrator password periodically
  • Only use plugins that are still maintained by their developer
  • Change the default "wp_" prefix of the WordPress tables. If WordPress is already installed, you can use this plugin

Increase WordPress security

Here is a list of improvements that make WordPress more secure.

1) Hide the WordPress version. You can use this plugin: https://wordpress.org/extend/plugins/hide-wordpress-version/

2) Limit access by protecting the "wp-admin" folder with a password

For step 3 you will have to edit the .htaccess file. Make this modification outside the # BEGIN WordPress and # END WordPress markers: everything between these two markers is overwritten by WordPress.

3) Protect access to wp-includes. This folder is commonly abused by attackers to upload malicious files to your account. You can add the following code:

# Block include-only files.
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# End block include-only files

NOTE: this will not work with WordPress multisite, because the line

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

prevents the file ms-files.php from generating images. You can remove this line if you have a multisite install.
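To see what the rule set above actually does to individual requests, here is a small evaluator written for this article (it is added example code, not part of the original post and not a WordPress or Apache component). It models the five RewriteRule lines with their [F] and [S=3] flags and walks them the way mod_rewrite does, so you can check which paths end up forbidden, including the ms-files.php case from the multisite note. The helper `multisite_rules()` applies the note's advice of dropping that rule; the change of S=3 to S=2 there is this example's own adjustment, based on the fact that [S=n] counts RewriteRule directives, and is not stated on the page.

```python
import re

# Constructed model of the rule set shown above. Each entry is (pattern, flags);
# 'F' forbids the request, 'S=n' skips the next n RewriteRule directives when the
# pattern matches. mod_rewrite tests the pattern against the path with the leading
# '/' removed, which evaluate() reproduces.
RULES = [
    (r"^wp-admin/includes/", {"F"}),
    (r"!^wp-includes/", {"S=3"}),           # not under wp-includes: jump past the 3 rules below
    (r"^wp-includes/[^/]+\.php$", {"F"}),   # the rule the multisite note says to remove
    (r"^wp-includes/js/tinymce/langs/.+\.php", {"F"}),
    (r"^wp-includes/theme-compat/", {"F"}),
]


def _matches(pattern, path):
    """A RewriteRule pattern is a regex; a leading '!' negates the match."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, path) is not None
    return not hit if negate else hit


def evaluate(path, rules=RULES):
    """Walk the rules for one request path the way mod_rewrite does and return
    'forbidden' when an [F] rule fires, else 'allowed'."""
    path = path.lstrip("/")
    i = 0
    while i < len(rules):
        pattern, flags = rules[i]
        if _matches(pattern, path):
            if "F" in flags:
                return "forbidden"
            i += next((int(f[2:]) for f in flags if f.startswith("S=")), 0)
        i += 1
    return "allowed"


def multisite_rules(rules=RULES):
    """The rule set with the ms-files.php-breaking rule removed, as the note
    suggests. [S=n] counts RewriteRule directives, so with one fewer rule after
    the skip S=3 becomes S=2 (this example's adjustment); leaving it at 3 would
    also skip the first RewriteRule after this block for paths outside wp-includes."""
    out = []
    for pattern, flags in rules:
        if pattern == r"^wp-includes/[^/]+\.php$":
            continue
        if "S=3" in flags:
            flags = {"S=2"}
        out.append((pattern, flags))
    return out


if __name__ == "__main__":
    for p in ["/wp-admin/includes/file.php", "/wp-includes/ms-files.php",
              "/wp-includes/js/jquery/jquery.js", "/wp-content/uploads/photo.jpg"]:
        print(f"{evaluate(p):9} {p}   (multisite rules: {evaluate(p, multisite_rules())})")
```

Static assets under wp-includes (jquery.js, CSS) stay reachable because only PHP files directly under wp-includes, the TinyMCE language files and theme-compat are forbidden; everything outside wp-includes skips those checks entirely.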

4) Don't let search engines browse your directories. Google and other search engines may index URLs that you don't want to be found. You can add this code to the robots.txt file inside the public_html folder (if the file is not present you can create it; note that not all robots follow these instructions):

User-agent: *
Crawl-delay: 5
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*
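The following checker is an added example for this section (not code from the original post) that parses the robots.txt above and reports which paths a well-behaved crawler would skip. It implements the common prefix-match semantics with `*` wildcards and a trailing `$` anchor; Allow lines and the "most specific group wins" agent selection are deliberately not implemented, and it only reads the group literally named by `agent`. It is useful for spotting that `Disallow: /wp-*` is broad: it also hides any page whose slug starts with "wp-", such as a constructed "/wp-tips/" post.

```python
import re

# Constructed copy of the robots.txt shown above (sample input for this example).
ROBOTS_TXT = """\
User-agent: *
Crawl-delay: 5
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*
"""


def parse_disallows(text, agent="*"):
    """Collect the Disallow paths of the group whose User-agent equals `agent`.
    Consecutive User-agent lines form one group; Allow lines are ignored here."""
    paths, applies, in_header = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = (applies or value == agent) if in_header else (value == agent)
            in_header = True
            continue
        in_header = False
        if key == "disallow" and applies and value:
            paths.append(value)
    return paths


def pattern_to_regex(pattern):
    """robots.txt path patterns: '*' matches any run of characters, a trailing '$'
    anchors the end; everything else is literal and matching is prefix-based."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "^" + ".*".join(re.escape(part) for part in body.split("*"))
    return regex + ("$" if anchored else "")


def is_disallowed(path, disallows):
    return any(re.match(pattern_to_regex(p), path) for p in disallows)


def classify(paths, text=ROBOTS_TXT, agent="*"):
    """Map each request path to 'disallowed' or 'allowed' for the given agent."""
    disallows = parse_disallows(text, agent)
    return {p: ("disallowed" if is_disallowed(p, disallows) else "allowed") for p in paths}


if __name__ == "__main__":
    sample = ["/", "/about/", "/wp-login.php", "/wp-tips/", "/wp-content/uploads/a.jpg"]
    for path, verdict in classify(sample).items():
        print(f"{verdict:10} {path}")
```

Remember that robots.txt is advisory and publicly readable: it keeps compliant crawlers out of the listed paths, but it is not an access control and a misbehaving client ignores it, which is why the .htaccess rules in step 3 still matter.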

Bruteforce attacks

This kind of attack is becoming more and more common, and it is also a cause of temporary account blocks by our automated system.

To solve this issue you should:

  1. Log in to wp-admin
  2. Install and activate the wp-login plugin

The plugin will ask you for a custom login URL, for example /securelogin.

Once it is set, you will log in to your website at mydomain.com/securelogin.

Then you have to edit your .htaccess file, adding:

# Block direct requests to the default login page once the custom URL works.
# On Apache 2.4 without mod_access_compat use "Require all denied" instead of "Deny from All".
<FilesMatch "wp-login.php">
Deny from All
ErrorDocument 403 "Forbidden"
</FilesMatch>


As an additional layer of security you can use the BruteProtect plugin.
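Brute-force attempts are easy to spot in the web server log before they trigger an account block. The script below is an added example for this section, not code from the original post or from any of the plugins named here: it reads Apache combined-format log lines (a constructed sample is embedded, using documentation IP ranges) and flags any client that sends a burst of failed credential POSTs within a short window. It relies on the fact that a failed wp-login.php POST re-renders the form with HTTP 200 while a successful login answers with a 302 redirect; xmlrpc.php, which the robots.txt step above also hides, accepts credentials via POST in the same way, so it is counted too. The threshold and window are assumptions to tune per site; behind a reverse proxy the client IP must be taken from the forwarded header instead of the first field, which this example does not handle.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (sample data, not a real log).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2016:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2016:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Sep/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Sep/2016:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Sep/2016:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Sep/2016:10:01:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # both accept credentials via POST

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore query strings such as ?action=lostpassword
    return rec


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: largest number of failed login POSTs seen inside one `window`}
    for every IP that reaches `threshold`. A failed wp-login.php POST re-renders the
    form with HTTP 200 and a successful one redirects with 302, so only 200s count."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] in LOGIN_PATHS and rec["status"] == 200):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over the timestamps
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged


if __name__ == "__main__":
    for ip, count in failed_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed login attempts within 5 minutes")
```

In the sample, 203.0.113.7 produces six failures in four seconds and is flagged, while 198.51.100.2 mistypes the password once and then logs in (the 302), which is normal user behaviour and stays below the threshold. Once the login page has been moved to the custom URL from the steps above, any POST to /wp-login.php that still shows up in the log is itself a useful signal.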

Extra precautions

You may also want to install the following plugins for further security; choose only the ones that fit your needs:
