WordPress Security tips: Avoid getting your site hacked

Here is a checklist for your next WordPress installation to reduce the chances of the site being hacked.

  • Change your database prefix “wp_”
  • Don’t use the username “admin”
  • Use a strong password: 8+ characters, mixing letters, numbers and symbols
  • Change the wp-config.php file permissions to 0644
  • Whenever possible, move the wp-config.php file one directory up.
  • Install the Login LockDown plugin
  • Change the default secret keys in the wp-config.php file
    // paste a long, unique random value between the quotes of each key
    define('AUTH_KEY', '');
    define('SECURE_AUTH_KEY', '');
    define('LOGGED_IN_KEY', '');
    define('NONCE_KEY', '');
  • Add this code to your functions.php file.
    // remove the WordPress version from the front-end <head>
    remove_action( 'wp_head', 'wp_generator' );
    // force https for the admin area, only if you are using SSL
    // (WordPress documents this constant in wp-config.php; define it in one place only)
    define( 'FORCE_SSL_ADMIN', true );
  • Add this code to your .htaccess file (replace domain.com with your own domain)
    # Bounce requests for these scripts whose referer is not your own site or
    # whose user agent is empty; matched as a suffix so wp-comments-post.php is covered
    RewriteEngine On
    RewriteCond %{REQUEST_URI} (comments-post|setup|thumb|_tbs|timthumb|install)\.php$
    RewriteCond %{HTTP_REFERER} !.*domain.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
    # Deny all direct web access to wp-config.php (Apache 2.2 syntax; 2.4 uses "Require all denied")
    <Files wp-config.php>
    Order deny,allow
    deny from all
    </Files>
  • Upgrade to the latest version of WordPress.
  • Always, always back up your site, files and database
  • If your site has been hacked, check WordPress’ hacked recovery checklist
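
Added audit script, not from the original post, that checks a wp-config.php against three of the items above: the file permissions, the table prefix, and the four secret keys. It assumes POSIX sh with stat and grep; the weak sample config it writes to a temporary directory is constructed for the demo.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks a wp-config.php
# against three checklist items. The sample config written below is constructed.

# 0 when the file has no group/world write bit (0644 or stricter).
config_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case $mode in
    *[2367]?|*[2367]) return 1 ;;   # write bit set in the group or other digit
  esac
  return 0
}

# 0 when $table_prefix has been changed away from the default "wp_".
prefix_changed() {
  ! grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1"
}

# 0 when each of the four keys from the checklist has a real value: neither
# empty nor WordPress's "put your unique phrase here" placeholder.
secret_keys_set() {
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
    grep -Eq "define\([[:space:]]*'$key'[[:space:]]*,[[:space:]]*'[^']+'" "$1" || return 1
    grep -q "'$key'.*put your unique phrase here" "$1" && return 1
  done
  return 0
}

# Runs every check, prints each failure, and returns the number of failures.
audit_wp_config() {
  failed=0
  config_mode_ok "$1"  || { echo "FAIL: $1 is group/world writable"; failed=$((failed + 1)); }
  prefix_changed "$1"  || { echo "FAIL: table prefix is still wp_"; failed=$((failed + 1)); }
  secret_keys_set "$1" || { echo "FAIL: a secret key is empty or default"; failed=$((failed + 1)); }
  return $failed
}

# Demo on a constructed, deliberately weak config (temporary file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY',   'constructed-demo-value-3');
define('NONCE_KEY',       'constructed-demo-value-4');
EOF
chmod 0664 "$demo_dir/wp-config.php"
audit_wp_config "$demo_dir/wp-config.php"; echo "failed checks: $?"   # 3
rm -rf "$demo_dir"
```

Point `audit_wp_config` at a real wp-config.php to get one FAIL line per unmet item and the count as the exit status.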