WordPress Tip: How to secure your installation

Ed: This article is part of the 21 Days of WordPress Tips

There have been a lot of security issues with WordPress in the past and, if you don’t setup your installation correctly, it can be wide open to hacker attacks. Here’s a few things I’ve seen:

  • Embedded spam links – A hacker will add code to your site that will show hundreds of spam links in the footer/header of your site. This is often hard to catch as the code will only show these links to Google and other search engines so you only realize something is wrong when your traffic numbers tank because you’ve been pulled from the search results.
  • Phishing pages added to your site – Spammers that are sending out those phishing emails trying to trick people into giving away their bank account information will add html pages to your site that they then link to. This is big time bad news as you’re IP will get flagged and traffic will again nose dive.
  • Database edited or deleted – In many instances this could be the worse thing to happen. You can recover from getting pulled from search engine results, however you may not recover from your database and files getting deleted. (I should also mention here that you should be doing regular backups of both)

While there are plenty of things that hackers can do when they gain control to your site, those are the most common ones I’ve seen. So how can you possibly defend against these attacks when even Al Gore’s site is getting hacked?

Follow these tips and you’ll be well protected:

1. Download and install the WP Security Scan plugin

This is the best security plugin I’ve come across. It checks several of the common things that make your site easily hackable (I go over a couple of these below), it scans all of your directories to make sure they have the correct permissions set and it has a simple tool for creating extremely strong passwords.

If you only do one thing to help protect your WordPress site from hacking, download and install the WP Security Scan plugin.

Tip: The popularity of WordPress often works against it. Since the default installation of WordPress does a lot of things the same way, hackers often use this as an advantage. For instance, everyone has an “admin” user, has a table prefix of “wp_” and puts the version of WordPress in the <head> of the HTML. This is knowledge that hackers use to find vulnerabilities in your site. The above plugin fixes some of it and only checks others. Below I address how to fix several of these issues.

2. Change your default “admin” user

Open up your database administration tool. In most cases this will be phpMyAdmin. Open up the “users” table and edit the row for “admin”. Simply change the “user_login” field to something else and save it.


This will protect your site from brute force password attacks. If there is no user “admin” then the hacker will be forced to guess both the username and the password which is virtually impossible.

3. Change your table prefix from “wp_” to something else

Be very careful with this one and, as with any time you are making changes, backup your database.

What we are going to do here is change all your table names from wp_options, wp_users, etc to something like wp_3jd73_options, wp_3jd73_users, etc. This will make it extremely difficult for a hacker to run rouge SQL queries since they will not have the name of the tables.

Thankfully, this is very easy to do if you followed my advice in step #1. There is already a tool in the WP Security Scan plugin to do this.

Also, be sure to check that all your plugins are working correctly once you’ve made this change. Some very old or poorly written plugins may be directly referencing your tables with “wp_”. If this is the case, I suggest either deleting the plugin all together or upgrading to the newest version.

4. Move the wp-content folder to a different location

Moving your wp-content to a different location helps in a couple different ways.

First, and most importantly, it guards against hackers trying to access the folder.

Secondly, it makes upgrading your WordPress installation a breeze because you won’t accidentally overwrite you wp-content folder if you upload all the WordPress core files at once.

Once you’ve made the move, you need to let WordPress know where it’s located now.

Add this line to your wp-config.php file:

define('WP_CONTENT_DIR', 'http://www.mysite.com/7h3j6d/wp-content');

As with step #3, you may have some plugins that are directly referencing wp-content/ in the root of your site. So be sure to check all the functionality and delete/upgrade your plugins accordingly.

Lastly, use some common sense

Most of the security issues with WordPress (including the ones I’ve dealt with) can be prevented or easily fixed by doing all the normal things that everyone should. Keep strong passwords, backup regularly, keep WordPress core/plugins up to date, etc.

By following these tips you’ll have a safe and secure installation of WordPress that will make it so difficult to find a vulnerability that it will keep the hackers moving on to someone else’s site.

Tim Grahl
Tim Grahl
Tim Grahl is the author of Your First 1000 Copies and the founder of BookLaunch.com. He has worked with authors for a decade to help them build their platform, connect with readers, and sell more books. He has worked 1-on-1 with over a hundred authors including Daniel Pink, Hugh Howey, Barbara Corcoran, Chip and Dan Heath, Sally Hogshead and many others. He has also launched dozens of New York Times, Wall Street Journal, and Washington Post bestsellers.