wordpress security

How to secure your wordpress website and prevent it from getting hacked?

WordPress site hacked? Are you worried about wordpress security?

Are you stuck with WordPress Security? In this article, I will describe how to secure your wordpress website and prevent it from getting hacked? Most often I see posts in various forums about the WordPress site hack. Someone asks for site restoration and lots of service providers available who provide WordPress site hardening and hack restoration. But it is not very difficult to keep your site secure and maintain security. If you really follow the following rules then I hope you will be benefited if you are suffering from hackers and worried about the WordPress security.

Step by step WordPress website security checklist and hardening process.

  1. Remove the Readme.html and Licence.txt from the root directory and install.php file to prevent it from information leakage.

  2. Add this code in function.php to remove the wordpress version.

function wp_remove_version(){

return ' ';


add_filter( ' the_generator' , 'wp_remove_version')

you can also use this simple code to do that.

add_filter(the_generator, __return_false);
  1. Check-in function.php for the auto-create user after the theme activation. If there any function exists and remove if you found any function like add_user().

  2. Check all file folder permission if there is any 777 and make those appropriate the suitable one also do not forget to change the permission to 444 for the wp-config.php and .htaccess.

  3. Check-in .htaccess for redirection if you found any verification or redirection or rewrite make sure those are for your site and if any unnecessary anything found remove those.

  4. Hide the default backend for login wp-admin to the desired one like security-wordpress.

  5. Scan for core wordpress files and check if it is modified or not, you make take the help of many plugins for this like wordfrence and sucuri.

  6. Check every wordpress file for encoded texts there or not if you found any base64 encoded text then remove those.

  7. Check for hidden input in the form and pages of your theme files.

  8. Check for strong passwords and enforce users to use strong passwords.

  9. Check for admin users in the database and take care if there is more than one admin user.

Minimum steps to keep your WordPress security.

  1. Keep backup of files by hash like a backup buddy or all-in-one wp migration.

  2. Connect the site with git like bitbucket or GitHub for code repository.

  3. Scan automatically for malware in the files using any malware scanner or antivirus.

  4. Enable WAF like blacklist IP, exploitation check, check for the blacklisted IP address, bad bot access denied, backdoor location denied, DDoS attempt recognize, fake bot access, evasion access denied, spam request block, scanning tool block, and many more.

  5. Change database default prefix wp_ to any desired one.

  6. Change the default wp-content directory to any desired one.

  7. Change default uploads directory to any desired one folder.

  8. Change admin user with database index 1 to another but not less than 100 indexes.

  9. Disable the file editing option in the wordpress default editor.

  10. Enable auto-update of plugin and core wordpress.

  11. Disable PHP execution on the uploads directory.

  12. Limit login attempts and enable lockdown options for IPs.

  13. Enable white list IP for your one if needed.

  14. Password protects the admin page and third-party authentication for login like two-factor authentication.

  15. Enable google captcha in dashboard login for robot verification.

  16. Disable directory listing and browsing in .htaccess.

  17. Disable XML-RPC in WordPress for API requests.

  18. Automatically log out Idle Users in WordPress after a certain period.

Follow the below steps for more hardening

  1. Add Security Questions to WordPress Login Screen to verify the user.

  2. If hacked please replace all core wordpress files and then just keep only the uploads and theme folder also remove all plugins from the plugins directory and install the previously installed plugin also check the uploads directory for malware code.

  3. keep records of files and plugins and themes installed and also the active theme when and by whom.

  4. Edit  style.css to remove the theme info and version disclosure.

  5. Spam comment block.

  6. Add a captcha in contact form 7 and also in the comments option and also in any form submission to prevent sending email and auto spamming.

  7. Find all CSS hidden properties and check for which reason this is added.

  8. Remove meta tag and wordpress version to detect the server and wordpress information.

  9. Option for wordpress heart bit enable disable.

  10. Disable wordpress username enumeration.

  11. Disables wordpress plugin enumeration.

  12. Change default hash salt in wp-config.php.

  13. Enforced transport layer encryption for administrative tasks.

  14. Email option for all alerts to admin.

  15. Install a malware scanner to checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects, and code injections.

  16. Real-time malware signature updates via the Threat Defense Feed.

  17. Compares your core files, themes, and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you by the plugin.

  18. Repair files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the wordpress interface.

  19. Check your content safety by scanning file contents, posts, and comments for dangerous URLs and suspicious content.

  20. Check to see if your site or IP has been blacklisted for malicious activity, generating spam or another security issue.

  21. With Live Traffic, monitor visits and hack attempts not shown in other analytics packages in real-time; including origin, their IP address, the time of day, and time spent on your site use google analytics.

  22. Audit error log and notify user or admin.

  23. Audit Trail & User Activity Logging

  24. Import/Export of options across sites and backup the settings.

  25. Most important thing is to keep a log of every change and install security patches as soon as possible. You can use Patchstack they maintain log and firewall and updates security patches.

WordPress Security Patchstack-App

WordPress Security Patchstack-App

  1. Nowadays most hosting service providers providing a two-step verification login to the hosting panel. Please enable two-step verification for extra security. For extra security you can go with WordPress.com hosting or direct managed WordPress hosting, they update security patches and maintain file security.

Read More Why are many wordpress sites being hacked every day?