Preventing WordPress hacks 2019


WordPress is the most popular blog software and the most popular content management system. No wonder so many attackers are trying to attack and hijack WordPress installations and servers indiscriminately.

1 – Secure your website with a cloud Web Application Firewall

Cloudflare’s WordPress plugin brings all the benefits of Cloudflare into your WordPress dashboard for configuration, including a one-click application of default settings specifically optimized for WordPress.

By enabling Cloudflare on your WordPress website, you’ll find performance and security gains such as doubling your page load speeds, DDoS protection, web application firewall with WordPress-specific rulesets, free SSL, and SEO improvements.

2-  Preventing WordPress Attacks with Wordfence

Wordfence includes an endpoint firewall and malware scanner that was built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available.

3 – General measures

In any case, it is necessary and essential to use a strong password for your WordPress admin user, so you can hedge WordPress with little effort and protect against attacks. Furthermore, never use the same password multiple times, neither within a WordPress installation for multiple users nor use identical passwords for various services and applications!

One of the simplest security measures is to delete the default user with the identity number 1 and the user name »admin«. Because the name of the author with the index 1 can very easily by calling the URL

The admin area on your server should also be provided with directory protection. Otherwise, you can simply call the login screen as follows:

4- How to create directory protection for the admin area:

Store a password file outside the directory to be protected and outside the main directory, named with .htpasswd.

For username, you choose any user name that does not match your WordPress username.  The easiest way to create the contents of this file is with a htpasswd generator .

Then create a file named .htaccess in the wp-admin directory of your WordPress installation, which has the following content:

AuthType BasicAuthName “Password protected area”AuthUserFile /path/to/file/.htpasswdAuthGroupFile /dev/ nullrequire valid-user

Now also ban the access from outside to the file wp-config.php in the path of WordPress, because in this file we can find all important access information such as the database user and the associated password in it. There is an htaccess file in the same directory or folder as wp-config.php . In this file you complete the following lines at the end:

# Prohibit access to wp-config.php from the outside<files wp-config.php>Order deny, allowdeny from all</ Files>

These measures should bring noticeably more security , so that you can effectively protect WordPress against hackers!

5 – Update plugins and WordPress regularly

The dashboard reports when an update is available. Often, updates contain security measures or code to close security holes. If you find manual updating too cumbersome, you can add the following line in the wp-config.php file to enable the automatic update:

// Enable all automatic updates
define( ‘WP_AUTO_UPDATE_CORE’, true );

6- Even more security tips

So that attackers or hackers can not directly read out the WordPress version,  add the following line of code in the file functions.php at the very end:

remove_action ( ‘wp_head’, ‘wp_generator’);

You can edit the file via the admin panel, Design -> Editor .

If you want to protect WordPress further, add the following line to the end of the file wp-config.php:

define (‘DISALLOW_FILE_EDIT’, true);

This prevents the editing of PHP and CSS files via the WP editor in the admin panel by hackers. However, changes to these files should only be prohibited if you do not want to change files yourself via the editor in the panel (for reasons of convenience). However, you can also change all these files directly on the web server, for example via FTP or Shell.

7 – Two-factor authentication

With the help of a plugin, a two-factor authentication can be provided at login. For this you need in addition a Google App. In addition to the actual WordPress login you have to be entitled to the smartphone. The plugin is called Google Authenticator – Two Factor Authentication (2FA) .


8 – Limit number of login attempts

Incredible, but true: By default, anyone can do any number of login attempts in your admin area! In the sign of WordPress Security you should install a plugin like Login Lockdown to install a limit. After installation you will find under Settings -> Login Lockdown the options of the plugin. In particular, you can set how often someone can try one after the other to log in, ie how many failed attempts he has. After these attempts have been reached, it is no longer possible to log in for 5 minutes from the same IP address. You can also configure this time. Now, villains have to work harder if they want to hack!

Also very useful is the setting Mask Login Errors . You should set it to Yes . Then the attacker gets no information why his login failed. Otherwise, it will be reported if the username known, but the password was wrong or if the username was wrong. Further information can be found in the WordPress practical manual by Gino Cremer .

9- Change the table prefix

Normally every table starts with the prefix wp_ . This makes it easy for SQL Injection attempts to read or manipulate table contents from the database. Before installing, you can change that prefix by editing the wp-config.php file. If the installation has already been done, then the plugin Change DB Prefix will help .

10- Protect or delete readme and license files

The files readme.html and license.txt are located in the main directory of the installation and contain information about the WordPress version. They provide a good starting point for attackers to evaluate the attack target. Either delete these two files, because they are not needed for the operation. Or the htaccess file located in the root directory to extend the following lines:

# Protect readme.html File
<Files readme.html>
order allow,deny
deny from all

# Protect license.txt file
<Files license.txt>
order allow,deny
deny from all

11- Backup of your WordPress installations

Of course, you should regularly make a backup of your WordPress installations , just copy the installation directory to a local drive. In no case store the backup on the same server where you have installed WordPress or upload via FTP! Incidentally, the aforementioned plugin creates a backup of your database! One-time measures, such as customizing htaccess to secure installations and other security settings described above, protect you well from getting hacked. Very important are the updates that are offered for plugins and themes. In any case, read the change log and if any security holes have been closed, be sure to install.

If you create themes yourself or change existing templates, then make sure that you do not open any security holes in web design. Please inform yourself, before you use external JavaScript libraries, if they are considered safe.