How to find vulnerabilities and protect your WordPress site from hacking attacks


The vast majority of security problems that WordPress sites face are actually easy to control. The core of the system has come a long way in its development and is quite safe now. It may seem unexpected to many users, but the developers are serious about security and release patches very quickly. One of the strengths of WordPress is that it is easy to update and its development cycle moves at a high speed.

Many of the problems are caused by the end user's poor judgment, by the choice of themes and plugins with unsafe code, and by poor hosting quality. This guide will help you secure WordPress sites and close the most common gaps that hackers use.



Keep your WordPress up to date


Developers do not patch holes in outdated versions. Keeping the CMS and plug-ins updated with new patches is essential for site protection. In most cases, you just need to click the update button.

Additionally, to avoid security problems you have to update all installed plug-ins and themes regularly. An effective approach to this issue is as follows: wait for no more than 2-3 days from the moment when the updates became available. Check the forums for problem reports, and if you have not found any of them, do not hesitate to update the site.

It is unlikely that an update will break anything. But if it does, return to the previous version (via a shell or SFTP access), or restore the site from a backup.



Maintain Internet connection security on your computer


For many of us it is obvious, but if there are keyloggers or malicious programs on your PC or Wi-Fi router, attackers will have no difficulty hacking your site.



Install plugins and themes only from the official repository


It's not surprising that plugins and themes downloaded from Google or any random site are likely to be infected with malicious programs. A recent study has shown that 8 of the top 10 Google search results for "Free WordPress themes" are infected with malicious software. Download themes and plug-ins from the official repository and other authoritative sources. By using material downloaded from random Internet sites, you jeopardize the safety of your own site.



Choose a reputable hosting service


A good hosting service does not only back up your site, but also prevents cross-contamination of resources located on the same server. Unfortunately, such phenomena are quite common even among large hosters, so the issue of choice should be approached thoroughly.

Aside from the competent administration of servers, it is also worth paying attention to the professionalism of the support service, as its employees must be competent enough to respond to security issues quickly and resolve them in a timely manner.

Check your hosting provider regularly to make sure that it uses the latest version of the operating system and server-based software.



Think of a really good password


Many people have a bad habit of using easy passwords. However, it's worth using long and complex combinations to protect really important things. Here are some ideas for what an excellent password may consist of:

  1. A randomly generated set of numbers, letters and special symbols.
  2. Phrases consisting of unrelated words (RightHorseBattery).
  3. The first letters of each word from a memorable sentence with the numbers and punctuation marks in some places.

If you cannot remember your password or you are afraid of losing it, there are various browser extensions, as well as third-party applications that will store this info for you.

It is important to think of a separate password for each site, otherwise it will be much easier for attackers to hack your accounts.



Delete the default Admin login


The default administrator login and its privileges are an easy target for any exploit. This user account should be deleted immediately after installing WordPress on the hosting. To do this, go through the following steps:

  1. Log in to the default Admin account.
  2. Create a new user account with a unique name and give it administrator rights (this is very important).
  3. Log in to the new user account and delete the Admin account.

Alternatively, you can change the default user name from Admin to another one during the installation process.



Change your nickname in WordPress


Bots constantly scan sites, trying to detect the author tags attached to posts, and then use the detected names as logins. This is a very effective attack vector for brute-force cracking. To remove this vulnerability, log in to your account and set a public nickname that is different from your actual login.



Configure a scheduled backup


For all those who take care of the safety of their sites this procedure is simply necessary. It will be a great idea to set up a scheduled backup of the WordPress database, as well as of server disk content. There are a number of plug-ins and services that allow you to save backups. Besides, it is worth asking your hoster if a backup is being performed.

The backup copies should be checked at least once a month to make sure that they are correct and that you won't have any difficulties in restoring the site if necessary.



Get WordPress security keys


This system uses encrypted security keys for information that is stored in cookies. These keys go to your A key random number generator can be found on the official WordPress website at Follow this  link and refresh the page in your browser to get new keys and copy them to your



Change the database prefix (only before the process of installation!)


This technique is only suitable for newly created sites. If the procedure is not properly executed, a working site can be completely ruined. If you launch a new installation, you will have an option to change the database prefix. WordPress sets the prefix "wp_" by default, and it makes any cracker's work much simpler. By changing this prefix to something unique, you will provide your site with a sufficient security level.

In addition, it is advisable to delete the test database, as well as anonymous database users. Make sure that the main database is not accessible from the Internet.



Limit the number of plugins and themes that are being used


In addition to the fact that many themes and plugins are unsafe, a large number of them slows down the work of a website. Reduce the number of plugins and themes that are being used, and delete those that you do not need anymore. Keeping your system clean will not only reduce the chances that intruders will exploit the vulnerabilities of the website, but it will also help to fix problems if malware infection has occurred.



Move the wp-config file one directory up and lock it


The file contains all your credentials for accessing the site database. You can move it higher by placing it outside the root directory that is accessible on the Internet. It will help you to protect the configuration file from any browser-based attacks. Moreover, it will be a good idea to change the access rights to it by setting the value 600.



Limit the number of logon attempts


Using plug-ins for the sake of security may be a belated decision. Additionally, trying to protect the site by relying on something that is already unsafe is a bad idea. On the other hand, the Limit Login Attempts plug-in is a very good choice, as it prevents brute-force attacks by limiting the number of unsuccessful attempts to log on to the site. It can also detect the IP addresses from which the hackers tried to enter your database.



Check the access rights to files and directories


Access rights to files and directories depend largely on the hosting settings. In most cases, access rights for files must be set to 664 or 640, and for folders to 755 or 750. Do not set the value to 777 until your host is configured. The golden rule for setting access rights is this: set the lowest possible values that still allow the site to function. The last digit of the access rights must always be 0, 4 or 5, never 6 or 7.
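The rules above and the 600 setting for wp-config.php can be checked automatically. The following Python audit is an added example, not part of the original guide; the function names and the sample tree are constructed for illustration, and it enforces only the two hard rules (last digit 0, 4 or 5; wp-config.php at 600).

```python
import os
import stat
import tempfile

ALLOWED_LAST_DIGIT = {0, 4, 5}  # the guide's rule for the "other" permission digit

def audit(root):
    """Return sorted (relative path, octal mode, reason) for entries breaking the rules."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            if name == "wp-config.php" and mode != 0o600:
                problems.append((rel, "%03o" % mode, "wp-config.php should be 600"))
            elif mode & 0o7 not in ALLOWED_LAST_DIGIT:
                problems.append((rel, "%03o" % mode, "last digit must be 0, 4 or 5"))
    return sorted(problems)

# Constructed sample layout: (relative path, mode, is_directory)
SAMPLE = [
    ("wp-content", 0o755, True),
    ("wp-content/uploads", 0o777, True),
    ("wp-content/uploads/photo.jpg", 0o666, False),
    ("index.php", 0o644, False),
    ("wp-config.php", 0o644, False),
]

def demo():
    """Create the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode, is_dir in SAMPLE:
            full = os.path.join(root, rel)
            if is_dir:
                os.mkdir(full)
            else:
                open(full, "w").close()
            os.chmod(full, mode)  # explicit chmod so the umask does not matter
        return audit(root)

if __name__ == "__main__":
    for path, mode, reason in demo():
        print(mode, path, "-", reason)
```

To check a real installation, call audit() with the path to the site's root directory instead of running demo().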



Hide version information


Hiding information about the installed version of WordPress is a fairly simple step that prevents bots from scanning your site. In the functions.php file of your theme, you should place the following code:


// remove version info from head and feeds
function complete_version_removal() {
    // an empty string replaces the generator tag that carries the version
    return '';
}
add_filter('the_generator', 'complete_version_removal');



Enable SSL authorization


If your site has an SSL certificate, do not forget to enable SSL for authorization. You can enable it only for logging on to the system or for the entire administration section, in your wp-config.php file. SSL encrypts the information that you send to WordPress and protects against "man in the middle" attacks.



Do not let web spiders browse your directories


Google search can index unnecessary addresses and expose them to hackers. It is better to restrict Googlebot and any other bots with the following robots.txt instructions (not all bots support them), so that they will not be able to index anything other than your content. The robots.txt file is a simple text file located in the root folder of your site.



Disable user registration


If you are keeping a personal blog or creating a site where not many users are allowed to publish material, you should disable user registration in the admin section. For commenters, use social network accounts.



Disable the users' capability to edit and update themes and plug-ins


It is necessary to deprive users of the right to edit and update important files through the administrator interface.



Set the rules for .htaccess


Below are some basic rules that you can add to the .htaccess file in the root directory. More advanced rules are described in the extended manual. Without these rules, your site can be cracked.

# limit indexing of directories
Options All -Indexes

# protect the htaccess file,
# this is done by default with apache config file,
# but you never know.
<Files .htaccess>
order allow,deny
deny from all
</Files>

# disable the server signature
ServerSignature Off

# limit file uploads to 10mb
LimitRequestBody 10240000

# protect wpconfig.php.
# If you followed step 6 this is not necessary.
<Files wp-config.php>
order allow,deny
deny from all
</Files>



Delete Readme and other unnecessary files


In the root directory of WordPress there is a file called readme.html, and many plugins and themes have similar files. It is a good idea to delete such files, since they can be used for fingerprinting or snooping. Moreover, they often contain version information. Clear your site's folders of these and any other unnecessary files.



Create a separate version of a site to test developments


Use a copy of the site to test updates and new features before applying them to the primary site. If you do not want to pay for additional hosting, it can even be a local installation of WordPress on your computer or laptop.



Do not process confidential information unless necessary


Credit card data, social security numbers, medical and other confidential information should not be stored on your website unless there is a valid reason for doing so. Very often hackers choose to crack those sites that contain such information. If you do not have it, your site is less likely to become a target for cybercriminals.



What should you do if your site has been compromised?


You should always be prepared for your site to be hacked. With a clear guide of what to do in such a situation, you can stop the attackers and prevent negative consequences in the shortest time.

  1. Take the site offline (maintenance mode). This deprives the attacker of the opportunity to increase the damage to the site or to prevent your attempts to regain control over it.
  2. Report the hack to your hosting provider so that it can help you.
  3. Make a backup copy of the hacked site if you want to research it later.
  4. View the server logs to determine how the attacker managed to hack the site. This will help you learn how to fix the problem, and it is necessary for finding out what the cracker succeeded in doing.
  5. Update everything you can update.
  6. Delete all files, pages, messages, comments or processes added by the hacker. If you are not sure whether you have managed to detect everything, create a new WordPress site from scratch, and then restore the last backup made before the hack to the new site.
  7. Change all passwords that have been used on the site. Change the passwords to the database and hosting as well.
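The log review from step 4, as an added example that is not part of the original guide: it tallies, per client IP, request patterns this guide warns about (repeated failed logins, requests for wp-config.php and readme.html). It assumes the Apache/Nginx "combined" log format and that WordPress answers a failed login POST with status 200 and a successful one with 302; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" format: ip - user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [10/Mar/2024:02:11:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4312' % s
     for s in range(6)] + [
    '203.0.113.7 - - [10/Mar/2024:02:11:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Mar/2024:02:12:00 +0000] "GET /readme.html HTTP/1.1" 200 7413',
    '198.51.100.4 - - [10/Mar/2024:02:12:01 +0000] "GET /wp-config.php HTTP/1.1" 403 199',
    '192.0.2.10 - - [10/Mar/2024:02:13:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [10/Mar/2024:02:13:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
])

def triage(log_text, threshold=5):
    """Map each client IP to the sorted list of findings its requests produced."""
    failed = defaultdict(int)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0].lower()
        if method == "POST" and path.endswith("/wp-login.php"):
            if status == "200":  # assumption: login form re-rendered, login failed
                failed[ip] += 1
                if failed[ip] >= threshold:
                    findings[ip].add("brute-force")
            elif status == "302" and failed[ip] >= threshold:
                # assumption: redirect means success, here right after many failures
                findings[ip].add("login-after-brute-force")
        elif path.endswith("/wp-config.php"):
            findings[ip].add("config-probe")
        elif path.endswith("/readme.html"):
            findings[ip].add("version-fingerprint")
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

An IP flagged with login-after-brute-force is the first place to look when reconstructing how the account was taken over; a single successful login, like the third sample client, is not flagged.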