We all know that WordPress is the most popular CMS for creating beautiful websites or a personal blog, and there is a good reason for it. WordPress is an open source CMS, so it is very easy to develop a plugin or theme for it because the source code is out there for everyone. But because it is open source, it is the favorite CMS of hackers too.

It is not possible to make a WordPress blog or site 100% hacking proof, since so many plugins come with vulnerabilities. And the bad thing is that a user doesn’t know whether a plugin is safe or not. A lot of the time I see users running an outdated plugin or a nulled theme. Well, you have to know that these are the backdoors into your site. However, if you are not using any nulled theme, this post will show you how to protect your WordPress site or blog from being hacked.

1. File Permission

Do you know that a lot of people never check their file permissions? They simply install some security plugin, configure it and think “my site is secure”. Well, you are not, my friend.
Log into your cPanel and click on File Manager. Locate “public_html” and check its permission. Is it “0750” or “0755”? On most servers it is set to “0750” for security reasons. If it is set to “0755”, please change it to “0750”. To change the permission, click on “public_html” and then click on “Permissions” in the top menu. Uncheck ‘read’ and ‘execute’ for ‘World’ as shown in the screenshot.
Warning! Some of you might get an error when opening your site after this change (this happens when the web server user is not the owner or in the owner’s group). In that case, skip this step, but you must still follow the rest of this section below.

It’s time to hide your config file. For WordPress, open “public_html” and scroll down a bit. Locate “wp-config.php” and change its permission too. By default it is set to “0644”, which is not good. Change its permission to “0600” and you are done with permissions. You have to uncheck ‘read’ for ‘Group’ and ‘World’.
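As an added example (not part of the original post), here is a small POSIX shell audit that checks the two modes discussed above (0750 for the document root, 0600 for wp-config.php) and applies them if needed. It assumes GNU `stat -c '%a'` and uses a constructed throwaway directory rather than a real site.

```shell
#!/bin/sh
# check_mode PATH WANT: succeed (0) if PATH's mode has no permission bits
# beyond the octal mode WANT, i.e. it is WANT or stricter; otherwise 1.
check_mode() {
  path="$1"; want="$2"
  have=$(stat -c '%a' "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
  # leading 0 makes the shell parse both values as octal
  extra=$(( 0$have & ~0$want ))
  if [ "$extra" -eq 0 ]; then
    echo "ok     $path is $have (want $want or stricter)"
    return 0
  fi
  echo "LOOSE  $path is $have (want $want); fix: chmod 0$want $path"
  return 1
}

# audit_wp_perms DOCROOT: report on the document root and its wp-config.php.
# Returns 0 only if both match the post's recommendation.
audit_wp_perms() {
  docroot="$1"; status=0
  check_mode "$docroot" 750 || status=1
  check_mode "$docroot/wp-config.php" 600 || status=1
  return $status
}

# harden_wp_perms DOCROOT: apply the modes from the post. As the post warns,
# 0750 on the root only works if the web server user owns it or is in its group.
harden_wp_perms() {
  chmod 0750 "$1" && chmod 0600 "$1/wp-config.php"
}

# make_demo_site: constructed sample layout with the loose defaults the post
# describes (0755 directory, 0644 config); prints the document root path.
make_demo_site() {
  d=$(mktemp -d)
  mkdir -m 0755 "$d/public_html"
  : > "$d/public_html/wp-config.php"
  chmod 0644 "$d/public_html/wp-config.php"
  printf '%s\n' "$d/public_html"
}

# Usage: create the demo site, show the loose state, fix it, re-audit.
site=$(make_demo_site)
audit_wp_perms "$site" || harden_wp_perms "$site"
audit_wp_perms "$site"
```

On a real server, point `audit_wp_perms` at the actual `public_html` path; the hypothetical demo directory is only there so the script runs offline.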

2. Install AIOWPS (All In One WP Security)

I have tried a lot of plugins, but AIOWPS is the easiest security plugin available right now. Log into your WP dashboard and locate ‘Plugins’ in the left menu. Click on ‘Add New’.
Search for ‘All In One WP Security’ and install it.

Once done, activate it and locate ‘WP Security’ in your left menu. Click on ‘User Login’ and let’s start.

-User Login

Activate Login Lockdown. It blocks the IP of an attacker who keeps submitting incorrect login details. In simple words, it protects you from brute force attacks. You can configure the thresholds yourself.

-User Registration

Only use this feature if registration is enabled on your WordPress. By default, registration is disabled. You can check it by going to ‘Settings > General’.

-Database Security

By default, the table prefix for the MySQL database is set to ‘wp_’, which is not good. You must change it to some random six-letter string. You can simply generate a new one from this screen.

-File System security

Warning! This plugin will recommend changing your ‘public_html’ and ‘wp-config.php’ permissions. Ignore that; don’t click on ‘Set recommended permissions’. I will tell you later why.

The rest of this section will help protect you from attacks coming from different sources. Simply follow the screenshots and enable those options.

-Brute Force

By default, the login URL for WordPress is ‘https://yoursite.com/wp-admin’. Think what will happen if you hide it. This option will help you rename your login URL. Once done, ‘wp-admin’ will no longer be functional.

Now you have done most of the work. I don’t want to make this post too long, so I am stopping here. I will publish part 2 tomorrow, same time.
Remember, you can only be safe if you want to be safe.

If you found this post useful, please do share. If you get any error, please post a comment. I will be happy to fix it.
