WordPress Security

WordPress is an excellent content management system. It's easy to install, has great pre-designed themes (including our Limitless theme), is fairly simple to customize, and even a complete novice can use it to add posts and pages to a site. But WordPress can be a security nightmare. Hackers continuously exploit weaknesses, and if you install WP without taking security precautions there's a good chance your site will eventually be hacked.

Hackers will often add links to your WP pages, but they'll set it up in such a way that you and your users won't see these links. Only Google will. This gives them the value of the links to help them rank better, and often destroys your ranking in the process. You'll have no way of knowing your site was hacked, and likely won't understand why it's no longer ranking. Other hacks will install malicious code on your blog, infecting your visitors.

What can you do to protect your site? Fortunately, a lot. The steps below will only take you a half hour or so. But following them will save you many hours in dealing with the destruction left by a hacker, and may save you a great deal of money by ensuring your site doesn't get de-indexed or sabotaged.

No Admin User

When you install WordPress you'll be prompted to enter a username. The default primary username is admin, and most people leave it that way. Hackers know this, and it makes it much easier to get into your control panel, as by knowing your username their automated programs are already 50% there. Start with a different username and you'll shut down a common, automated entry point.

Username Creation

Moving WP-Config

The wp-config.php file normally resides in the root directory of your WordPress installation. Hackers look for it there. WordPress works if your wp-config.php file is one directory above the installation directory, so putting it there will stop automated attempts to find it in the installation directory. So for example, if WordPress is installed at www.your-site.com/blog/, move the wp-config.php file to www.your-site.com/. It's a move that won't take you more than 30 seconds in total, but goes a long way in protecting you from getting hacked!

Removing WP_ Database Prefix

When you install WordPress it creates database tables, and each table has a wp_ prefix. Hackers use automated programs to find these common files. By changing the wp_ prefix in your database, they won't be able to find these files due to the uncommon names.

In order to change your table prefix, you'll need to go into your database. Most hosts will allow you to access your database using phpMyAdmin. If you don't have your username and password handy, you can find them referenced in your wp-config.php file (which you'll need to edit in a moment anyway). Make sure you have a backup copy of your original database file in case you mess something up! Here's what you'll see in phpMyAdmin:


Click on the Export tab at the top of the page, and you'll be brought to a page like this, where you'll click the Go button:

Database Export

Open the your exported database in your favorite text editor, and do a find-and-replace, replacing wp_ with some other prefix of your own making:

Find and Replace

Go back to phpMyAdmin, check all of your current tables, and select the option to drop them:

Drop Tables

Import your new, updated database tables, where you changed the prefix from wp_ to somethingdifferent_, by clicking on the Import tab, selecting your updated file, and clicking the Go button:

Database Import

Now, your database prefixes will be updated. You need to be sure to change them in your wp-config.php file, in the following line:

Database Prefix

Simply upload your updated wp-config.php file, and you're done. Now, if a hacker is able to get into your database with an automated program and attempts to guess your table prefixes, you'll be protected.

Limiting Admin Access

This tip comes from . To stop hackers from getting into your WordPress admin folder, or getting anywhere near your control panel, you restrict access to the admin folder by putting an .htaccess file there that limits access to only your IP address. Here's the code you need in the .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from xx.xxx.xx.xxx

Obviously, you'll need to replace the "x" with your IP address.

WP Security Scan Plugin

The plugin does a number of things to help protect you from hackers. It scans your WP installation and performs various checks and tasks including making sure you have the latest version of WP, checking to see that you've changed your table prefixes (and can fix them for you if not), hides your WP version listed in the portion of your code, removes the WP ID Meta tag, etc. Highly recommended.

WP File Monitor Plugin

is another great security plugin. This one will send you an automatic email any time files in your WP folders are changed, added, or deleted. So if you haven't made any changes and you get an email notification, you'll not only know you've got trouble, but also which files the hacker changed. If you do all of the steps above it's highly unlikely you'll get hacked, but it's handy to know you'll be informed if you are.


This is an obvious one, but many people fail to do it. Keep your WordPress installation current! As soon as an updated version of WP is released, update it. You should also keep all your plugins current. Many WP and plugin updates are released to deal with security vulnerabilities. Leaving the vulnerabilities on your site is just asking to get hacked.