Stop WordPress from Being Hacked: Protect Your Site Against Attacks

by Tammy

Stop WordPress from Being Hacked: Protect Your Site Against Attacks

Secure WordPress from hackers by locking things up tight.
Image: Norebbo

WordPress is a great script for blogs and full websites. It is incredibly versatile and can be used in so many ways that it’s almost made straight-out HTML sites a thing of the past.

As with many good things, however, there’s usually some bad that goes along with it – like security holes that allow others to sneak in and add malicious codes to your source files.

There are several things you can do to keep this from happening, but listed below are some of the easiest and most common tricks to protect WordPress from attacks.

Update WordPress, Plugins, and Themes

One good way to prevent your website from being hacked is to stay updated. Always make sure you are using the latest WordPress script, as well as the most current plugins and themes. If you have a plugin or theme installed that you are no longer using, delete them. They are only taking up space and could leave a small window open for hackers to crawl inside.

Change Your WP Login Name and Hide It

The default username in WordPress is admin. Everyone knows this, including your blog’s enemies. When you use it to log in, you have unknowingly helped the bad guys in winning half of the battle. They have your login name, now all they have to do is figure out your password.

The easiest way to change your login name is to create a new user in your WP Dashboard and delete your old one.

  • In the Dashboard, look for Users in the left sideline column, then click Add New.
  • As you fill in the information, give yourself a random username. Change Role from Subscriber to Administrator, then click the button to Add New User. You will need a different email address than the one you first signed up with.
  • Log out of WordPress, then log back in with the new Administrator sign-in information.
  • Go back to the Users section and click to view All Users.
  • Run your mouse over your old name (admin), then click Delete. When you are asked what you want to do with your old posts, DON’T DELETE THEM. Click to assign them to your new name.
  • Still in All Users, click your new username, then scroll down until you find “Display name publicly as.” You want this to be either your real name or the Nickname you typed in the box above that one. It doesn’t matter what you choose, just don’t select your login name.

Even after doing all of this, it is still easy enough to find a person’s username. Go to or /?author=2 (replacing the number with your own, depending on how many members your website has).

When you are there, notice that it shows your username in the address bar. To prevent this from happening, download a plugin like the old-but-still-works WP Author Slug. This will change the name in that URL to the one you selected to display publicly, which will keep your login name safe.

Stop WordPress from Being Hacked: Protect Your Site Against AttacksUse Hard-to-Guess Passwords

If your WordPress password is weak, you know what you have to do. Change it to one that wouldn’t be easy for someone to guess. Some of the most common passwords are those like password, 123456, qwerty, your child’s name, your birthdate, etc.

To come up with a good one, go to your favorite search engine and type in “password generator” (without the quotes).

When you find a generator you like, try it out, then copy and paste your new password into WordPress. Remember to keep a copy somewhere for yourself, too.

If you think your site has already been compromised, work on this step immediately, then jump to the next instructions to add secret keys, which will log everyone out of the site in order for your new password to make a difference. If not, anyone logged in can simply not log out and still have access.

As a general rule, it wouldn’t be a bad idea to change your password every 3-5 months, just to be on the safe side.

Add WordPress Secret Keys

If you want to increase your website’s security, adding secret keys to your wp-config file is the way to go. Doing this will force anyone currently logged in (such as hackers who found their way inside) to be logged out. When that happens, they won’t be able to get back in without having your new login name and password. They also improve password encryption, making them a lot harder to crack.

To add your own security keys, open wp-config.php, which is located in the same folder as your WordPress file directory.

Look for these codes:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Where it says to put your unique phrase, you will enter a special key phrase. You can generate secret keys at, then copy and paste each one into the wp-config file. Copy the entire string between ' and '. It will be long. Don’t worry that you will have to remember them. You will only use them one time.

When you are done, click to save wp-config.php, then upload it back into the WordPress directory. If you ever suspect your site has been hacked, change your password and repeat this step with new security keys.

Cleaning Malicious Code from WordPress

For those of you who know your website has been hit by a hacker, David Cox wrote a helpful article at dConstructing. What he has gone through is very similar to what we’ve all been through when trying to find the damaging code, and then trying to get rid of it.

Also visit the official WP page to help protect WordPress against attacks.

The best method, of course, is prevention, but sometimes we don’t learn about that part until it’s too late. When you’ve finished the clean-up, follow the steps above to keep the hackers out.