Secure your WordPress


Attacks on sites running the WordPress content management system are now commonplace, despite the system’s well-secured core. In the following post, we offer you some simple tips that can significantly complicate their malicious intentions.

Change username “admin”

This is the default name when installing WordPress, which should never remain in its original form. Hackers use this bug quite often, and the best defense is to create a new administrator account and remove the default one.

Use a strong password

Phone number, date of birth, or even your name: a password in the form of a simple phrase gives an attacker the opportunity to take control of your site in minutes. An ideal option is to use an expression that is not available in the dictionary (a standard tool for so-called brute force attacks) and a combination of letters with numbers, such as 1d34ln3-h3sl0 .

Edit the .htaccess file

Changes in .htaccess require at least minimal knowledge of the issue, otherwise there is a risk of malfunction of the site or its components, so before editing it, it is advisable to make a backup of the original file. The example below shows how it is possible to block access to the WordPress administration panel for everyone except defined IP addresses in a simple but effective way. Paste the modified .htaccess into the wp-admin directory.

AuthType Basic
order deny,allow
deny from all
# vasa domaca IP adresa
allow from
# vasa IP adresa v praci
allow from

Update the system

One click to eliminate the potential risk of your site being compromised through hidden system errors. The system’s kernel developers are constantly fixing its bugs, and you shouldn’t hesitate for a moment, especially with security updates.

Only upload “clean” files

Make sure that the files you are going to upload to the server do not contain a virus. Your hosting provider would definitely not thank you for such a piece, and you certainly don’t want a “reward” from Google in the form of a red page with a warning about dangerous content, right?

Install the security module

Offering a very decent service in its category, the Better WP Security module combines many security features and techniques into one package, BulletProof Security helps you with protection against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection attacks. Wordfence Security offers an integrated solution, a scanner for viruses and malicious URLs, and real-time data monitoring as a comprehensive solution.

Do not use obsolete modules

If you use one of the modules stored in the official WordPress repository , you will find a strong alert to this fact for each time that has not been updated for a long time (see the picture below). It is up to you whether you want to risk a possible incompatibility or security issue.

wordpress warning obsolete module

Back up regularly

If you don’t want to leave anything to chance, you should definitely not ignore this step. The rarer the content of your site, the more often you should back up its content, but the general recommendation is ‘once a day’. Focus mainly on the MySQL database and the topic used, these two items are the most common targets of attack (specifically the index.php file and the database tables wp-user and wp-usermeta ).

Of course, the mentioned 8 points is not a summary of all available options for securing WordPress. You may know other ways to defend yourself against attacks on the site, and we’d love for you to briefly describe them to us through comments.


Was this article helpful for you? Support me by sharing, please. 👍
WordPress Návod v PDF


Please enter your comment!
Please enter your name here