WordPress Tricks

Steps and plugins to secure your WordPress site

1. Change User Name: The first important thing to check for your site's security is the admin user name. If your WordPress (wp-admin) username is “admin”, please change it to a different one.

2. Password Strength: Please make your password stronger. For example joy-mpp*#bD@23 or x^87F7O5p}#4TF6, or something like that. This will make your password stronger and more secure.

3. WordPress Version Update: Please always keep your WordPress version updated, because WordPress generally fixes the issues of previous versions in the latest release.
Please keep in mind: take a backup of your WordPress site (WordPress files + database) before updating.

4. WordPress Database Table Prefix: Generally, when installing WordPress on your hosting, the default database table prefix is “wp_”. To make your site more secure, please change that table prefix from “wp_” to something else, like “opc_abc_xyx_”.

You can use this plugin: Change DB Prefix

5. Captcha: You can use a captcha for user login.

6. Contact Form 7 spam mail protection: If you are using Contact Form 7, use reCAPTCHA to protect against spam form submissions.

7. Security Plugins: For your site's security you can use this plugin:
All In One Security

8. wp-admin and wp-login.php URL: Change the default register and login URLs of WordPress to different ones. You can use this plugin: Custom Login URL

9. Secure your .htaccess file: use the following code to secure your site through your .htaccess file.

*** Please take a backup of your .htaccess file before doing this.

*** Also change yoursite.com to your own domain in the code.

*** WordPress rewrites everything between the # BEGIN WordPress and # END WordPress markers whenever you save your permalink settings, so keep your own rules outside those markers.

# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off

# WPhtC: Disable directory browsing
Options All -Indexes

# WPhtC: Limit upload size to 10 MB
LimitRequestBody 10485760

# WPhtC: Protect wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# WPhtC: Protect .htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</Files>

<IfModule mod_rewrite.c>
RewriteEngine on

# WPhtC: Protect wp-comments-post.php: comment submissions that do not carry a
# referer from this site, or that have an empty user agent, are sent back to the sender
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*http://yoursite.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

# WPhtC: Disable image hotlinking
# (replace http://goo.gl with the URL of your own placeholder image)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yoursite.com/.*$ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://goo.gl [NC,R,L]
</IfModule>

# WPhtC: Setting mod_gzip
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# WPhtC: Setting mod_deflate
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine on
# Unless you have set a different RewriteBase preceding this point,
# you may delete or comment-out the following RewriteBase directive:
RewriteBase /
# if this request is for "/" or has already been rewritten to WP
RewriteCond $1 ^(index\.php)?$ [OR]
# or if request is for image, css, or js file
RewriteCond $1 \.(gif|jpg|jpeg|png|css|js|ico)$ [NC,OR]
# or if URL resolves to existing file
RewriteCond %{REQUEST_FILENAME} -f [OR]
# or if URL resolves to existing directory
RewriteCond %{REQUEST_FILENAME} -d
# then skip the rewrite to WP
RewriteRule ^(.*)$ - [S=1]
# else rewrite the request to WP
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

10. Permission of wp-config.php file: Change the permissions of the WordPress wp-config.php file to 400 (owner read-only; the web server user must be the owner of the file so WordPress can still read it).

11. Delete install.php: Go to your wp-admin folder, then rename install.php to install-help.php and delete it.

12. Remove unnecessary or unused themes: If there is any unused theme in your wp-content/themes directory, please remove it.

13. Don’t use cracked or nulled themes: On the internet you will find various nulled or cracked premium themes; don’t use such themes, as they may contain malicious code.

14. Change passwords regularly: Change your hosting, cPanel, WordPress admin and FTP passwords regularly.

15. Site Backup: Keep regular backups of your site’s WordPress files and database. You can use the BackupBuddy plugin for this.

16. Delete unused plugins: If you are not using an installed plugin, please remove it.

17. Change wp-content folder name: If possible, change the name of the wp-content folder.
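As an added example (not from the original post), here is a small POSIX shell script that checks a WordPress directory tree against items 4, 9, 10 and 11 above. It builds its own constructed sample trees to run against, so the temp paths and the wp_audit and make_sample_site function names are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree for
# checklist items 4 (table prefix), 9 (.htaccess hardening), 10 (wp-config.php
# mode 400) and 11 (wp-admin/install.php). Assumes the standard layout
# <root>/wp-config.php, <root>/.htaccess, <root>/wp-admin/.

# wp_audit ROOT: print one line per finding, return the number of findings
wp_audit() {
    root=$1; n=0; cfg=$root/wp-config.php; ht=$root/.htaccess
    if grep -Eq '\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg" 2>/dev/null; then
        echo "item 4: \$table_prefix in wp-config.php is still the default wp_"; n=$((n+1))
    fi
    # -perm 400 is an exact match, so any extra bit (group/other read, owner write) is flagged
    if [ -e "$cfg" ] && [ -n "$(find "$cfg" ! -perm 400)" ]; then
        echo "item 10: wp-config.php mode is not 400"; n=$((n+1))
    fi
    if [ -f "$root/wp-admin/install.php" ]; then
        echo "item 11: wp-admin/install.php is still present"; n=$((n+1))
    fi
    if ! grep -Eqi '^[[:space:]]*ServerSignature[[:space:]]+Off' "$ht" 2>/dev/null; then
        echo "item 9: ServerSignature Off missing from .htaccess"; n=$((n+1))
    fi
    if ! grep -Eqi '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht" 2>/dev/null; then
        echo "item 9: directory browsing not disabled (Options -Indexes) in .htaccess"; n=$((n+1))
    fi
    return $n
}

# make_sample_site weak|hardened: build a constructed sample tree in a temp
# directory and print its path (test data only, not a real site)
make_sample_site() {
    d=$(mktemp -d); mkdir -p "$d/wp-admin"
    if [ "$1" = weak ]; then
        printf '%s\n' '<?php' "\$table_prefix = 'wp_';" > "$d/wp-config.php"
        chmod 644 "$d/wp-config.php"
        : > "$d/wp-admin/install.php"
        printf '%s\n' 'RewriteEngine on' > "$d/.htaccess"
    else
        printf '%s\n' '<?php' "\$table_prefix = 'opc_abc_xyx_';" > "$d/wp-config.php"
        chmod 400 "$d/wp-config.php"
        printf '%s\n' 'ServerSignature Off' 'Options All -Indexes' > "$d/.htaccess"
    fi
    echo "$d"
}

# Run the audit against both constructed samples
for mode in weak hardened; do
    site=$(make_sample_site "$mode")
    echo "== $mode sample =="
    if wp_audit "$site"; then echo "no findings"; fi
    rm -rf "$site"
done
```

Run it against a real install with `wp_audit /path/to/wordpress`; the weak sample produces five findings and the hardened one none.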

If you have any issue, feel free to ask me a question here in the comments section.

You can take my personal help on Skype: om2000_cuet
