
How To Make Your Wordpress Sites {Almost} Unhackable
I had to put {Almost} in the title, because obviously nothing is unhackable. But, if you follow these steps, you will be pretty much more protected than you are now.
The first thing you need to do is NOT use fantastico! I see everyone saying to use fantastico, and I have never seen anyone actually telling you the right way to do it so you are protected.
The reason why you do not want to use fantastico to install wordpress on your site is because by default it sets "wp_" as the prefix for each wordpress table name.
Hackers know that most people use fantastico, so it's easy for them to send malicious code targeting your wp_ based tables. Doing that, they can change the look of your site, redirect your url to their site, and I'm sure many more things that we don't want happening to our sites.
So how do we install wordpress if we can't use fantastico?
Well we do it manually and it really isn't hard at all. It just takes a few more steps, and maybe 5 minutes once you get it down.
How To Manually Install Wordpress And Change The Default Wordpress Table Prefix:
1. Download the latest version of wordpress from WordPress.org
2. Log into your hosting and create a mysql database and user with all privileges (how to do this step below)
a. Click on MySQL Databases
b. Create a new database
c. Create a new user (remember your pw because you will need it)
d. Add user to database and check all privileges
3. Unzip wordpress, go into the wordpress folder, find the file named wp-config-sample and rename it to wp-config
4. Open wp-config (the one you just edited) and fill in the database fields with the info you just created (database name, database user, and password)
NOTE: You will have to right click on wp-config and choose to edit with a text editor. I use Notepad++, but just notepad should work fine.
5. Scroll down a little more and change the table prefix 'wp_' to 'newtableprefix_'
6. Save the file and close it
7. Upload all wordpress files to the root of the domain either with ftp or using your host's ftp (don't upload the actual wordpress folder, just what's inside it)
8. On your favorite browser go to domain.com/wp-admin/install.php (domain.com would be your website's domain)
9. This starts the regular wordpress setup (Do NOT use admin as the username)
There, that's it for manually installing wordpress and changing the default table prefix. It honestly looks like a lot and a little confusing on paper, but it's not.
I went ahead and created a video showing you step by step how to manually install wordpress and how to change the wordpress table prefix. You can watch it in HD on YouTube.
Next up you can create a file that only lets you see your wordpress admin log in page. I started doing this on all of my sites and quickly found out I couldn't do it anymore because my ip address changes often.
So this method is for people who know their ip address doesn't change. If someone tries to go to your admin log in page they will only see a blank page.
Here is how you do it:
1. Open up notepad
2. Paste in:
    order deny,allow
    deny from all
    allow from xx.xx.xx.xx
3. Change xx.xx.xx.xx with your ip address
4. If you don't know what your ip address is then go to What Is My IP Address - Shows Your IP Address
5. Copy what they tell you your ip address is (make sure you aren't using any proxies at the time) and paste it over xx.xx.xx.xx
6. Save the text file as .htaccess
7. Upload it to your website's wp-admin folder through ftp
8. You may have to edit the name, because for me when I upload it, it changes to .htaccess.txt, so just edit the name and take off the .txt part
9. Go to yourdomain.com/wp-admin. If it loads fine then you are good to go
10. If you only see a blank page then something went wrong. Don't panic, just go back into your ftp and make sure you put the right ip address in the .htaccess file
11. If you still can't figure out what's wrong then just delete the file
This method blocks everyone trying to go to your admin log in page unless their ip address is allowed in the .htaccess file. You can add more than 1 ip address in the file if you need to. Just add in another allow from xx.xx.xx.xx in the next line.
Next, I'll talk about some wordpress plugins that will help you with making your wordpress site *almost* unhackable.
The first one is called Login LockDown. WordPress › Login LockDown « WordPress Plugins
This is a great plugin if you can't use the method above. What it does is record every failed login attempt and will block anyone with 3 failed login attempts within 5 minutes. Basically it prevents brute force password discovery.
The next plugin is called Secure Wordpress. WordPress › Secure WordPress « WordPress Plugins
This plugin is pretty cool. It just does a lot of little things to help you be more secure. One of the best things I think is that it removes the wordpress version from being seen.
If your site is using an older version of wordpress, it makes it much easier to hack. If the hacker has no clue what version you are using they probably won't even try. You can see the other things this plugin does on its wordpress page using the link above.
The last plugin I want to share is WP-DBManager. WordPress › WP-DBManager « WordPress Plugins
This plugin will allow you to set up scheduled backups of your wordpress database. It's better to be safe than sorry, so please make sure you are keeping backups of all of your sites. I suggest creating a brand new gmail account just for getting scheduled backups, and creating filters in your email account for each website.
Also, in your wordpress settings, make sure that your wordpress username is not the name that shows up publicly when you make posts or comments. To change it follow these steps:
1. Log in to your wordpress site
2. Click on users
3. Edit your username
4. Create a nickname that isn't the same as what you use to log in
5. Change "Display name publicly as" to your nickname
6. Click "Update Profile"
I hope this post helps you make your wordpress sites more secure. Any and all comments are very appreciated!
Brent
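A small audit script for the steps in the post above, added here as an example and not part of the original post: it checks that the table prefix in wp-config.php is no longer wp_, that the wp-admin rules file is really named .htaccess (step 8 of the second list), and that each allow from entry is a real address rather than the xx.xx.xx.xx placeholder. The function names and the sample site tree are constructed for illustration, and the check assumes allow entries are full IP addresses or CIDR ranges.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", re.M)
ALLOW_RE = re.compile(r"^[ \t]*allow[ \t]+from[ \t]+(.+)$", re.I | re.M)
DENY_ALL_RE = re.compile(r"^[ \t]*deny[ \t]+from[ \t]+all[ \t]*$", re.I | re.M)

def audit(root):
    """Return a list of findings for the WordPress tree at root."""
    root, findings = Path(root), []
    config = root / "wp-config.php"
    match = PREFIX_RE.search(config.read_text()) if config.is_file() else None
    if match is None:
        findings.append("wp-config.php: $table_prefix not found")
    elif match.group(1) == "wp_":
        findings.append("wp-config.php: table prefix is still the default wp_")
    admin = root / "wp-admin"
    if (admin / ".htaccess.txt").exists():  # Apache ignores this file name
        findings.append("wp-admin/.htaccess.txt: rename to .htaccess")
    htaccess = admin / ".htaccess"
    if not htaccess.is_file():
        findings.append("wp-admin/.htaccess: missing, no IP restriction")
        return findings
    text = htaccess.read_text()
    if not DENY_ALL_RE.search(text):
        findings.append("wp-admin/.htaccess: no 'deny from all' line")
    for token in (t for line in ALLOW_RE.findall(text) for t in line.split()):
        try:  # assumption: entries are a full address or a CIDR range
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            findings.append(f"wp-admin/.htaccess: bad allow entry {token!r}")
    return findings

def build_sample(root, prefix, htaccess_name, allow):
    """Write a constructed, minimal site tree for the demo."""
    root = Path(root)
    (root / "wp-admin").mkdir(parents=True)
    (root / "wp-config.php").write_text(f"<?php\n$table_prefix  = '{prefix}';\n")
    rules = f"order deny,allow\ndeny from all\nallow from {allow}\n"
    (root / "wp-admin" / htaccess_name).write_text(rules)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "wp_", ".htaccess.txt", "xx.xx.xx.xx")
        for finding in audit(tmp):
            print(finding)
```

Run it against a local copy of the site files (for example the folder you upload from) by calling audit() with that folder's path; an empty list means all three checks passed.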