Change the WP database table prefix
By default, WP prefixes its database tables with “wp_”. Changing the prefix to a random string is a minor hardening step, not a fix for <link>SQL injection attacks</link>: an injection flaw stays exploitable, but automated scanners and canned exploit scripts that hardcode the default table names (wp_users, wp_options, and so on) fail until the attacker first discovers your prefix, which raises the cost of the blind, mass-exploitation attempts that make up most of the noise against WordPress sites.
If you haven’t installed WP yet
You can set the table prefix (the $table_prefix value in wp-config.php, or the “Table Prefix” field on the installer's database screen) to any random string, preferably longer than 3-4 characters; the installer only accepts letters, digits and underscores. Make sure you add an underscore (_) after the string so your tables are easier to read, for example k7x2_posts rather than k7x2posts.
If you have already installed WP
Take a full backup first. Then edit wp-config.php and enter the new prefix in $table_prefix. Export the entire database and, using a text editor, replace the old prefix of every table with the random string (preferably longer than 3-4 characters). Make sure you add an underscore (_) after the string so your tables are easier to read.
In a mysqldump export, table names appear in the CREATE TABLE `NAME` (or CREATE TABLE IF NOT EXISTS `NAME`) lines and again in the INSERT INTO `NAME` and LOCK TABLES `NAME` lines, so replace the prefix throughout the file, not only in the CREATE TABLE lines. Two kinds of rows also carry the prefix inside their values and must be changed as well, or every account loses its role after the switch: the wp_user_roles option in the options table, and the wp_capabilities and wp_user_level keys (plus a few other keys that start with the prefix) in the usermeta table. After the changes, drop the old tables (or the whole database, which is what the backup is for) on your web host, and import your updated dump.
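The same migration can be done without editing a dump by hand. The function below is an added example, not code from the original article: it reads the table names (one per line, as SHOW TABLES prints them) and emits the RENAME TABLE statements plus the two UPDATE statements for the rows whose values embed the prefix. The prefix k7x2_ and the table list in the usage comment are constructed for illustration; substitute your own and review the SQL before running it against a backed-up database.

```shell
# Added example (not from the original article). Given the old and new prefix and a list
# of table names on stdin, print the SQL that renames the tables in place and fixes the
# rows that embed the prefix in their VALUES:
#   options.option_name = 'wp_user_roles'
#   usermeta.meta_key   = 'wp_capabilities', 'wp_user_level', ...
# Forgetting those rows is the classic cause of "You do not have sufficient permissions"
# after a prefix change. Review the output, back up the database, then feed it to mysql.
gen_prefix_migration() {
    old=$1
    new=$2
    # LIKE treats '_' as a wildcard, so escape it in the old prefix for the usermeta match.
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    # Position of the first character after the prefix (SUBSTRING is 1-based).
    tail_start=$(( ${#old} + 1 ))

    # Rename every table carrying the old prefix (multisite tables such as wp_2_posts
    # included); tables with a different prefix are left alone.
    while IFS= read -r table; do
        case $table in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}" ;;
        esac
    done

    # Rows whose values embed the prefix, addressed through the NEW table names.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$tail_start" "$old_like"
}

# Usage with a constructed table list (a real run would pipe
# `mysql -N -e "SHOW TABLES" dbname` and send the result to `mysql dbname`):
#   printf 'wp_posts\nwp_options\nwp_usermeta\n' | gen_prefix_migration wp_ k7x2_
```

Plugins sometimes store options whose names start with the prefix too; grep the options table for the old prefix after the run and fix any stragglers the same way. Remember to set $table_prefix in wp-config.php to the new value before reloading the site.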
Secure Folder and File Permissions
Directories should have at most 755 permissions (owner may write; everyone may list and traverse) and files at most 644 (owner may write; everyone may read). Never use 777: on a shared host, world-writable paths let any other account plant files in your site. Permissions can be changed through cPanel's File Manager, under the Perms column.
An exception to this rule is the wp-config.php file, which holds your database password and authentication keys. Set its permissions to 600 so that other users on the server cannot read it. This assumes PHP runs as the user that owns the file (suPHP, or a per-user PHP-FPM pool); if PHP runs as a shared web-server account instead, 600 leaves the site unable to read its own configuration, and 640 with that account as the file's group is the right setting.
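Clicking through cPanel works for a handful of paths, but uploads and plugin updates keep creating files with whatever umask the PHP process happens to have. The script below is an added example, not code from the original article: harden_wp_perms applies the policy from this section to a whole WordPress root, and audit_wp_perms counts the paths that deviate from it, so it can run from cron or after a deploy. It assumes PHP runs as the owner of the files (the 600 case above); the docroot path in the usage comment is an assumption.

```shell
# Added example (not from the original article). Apply and audit the permission policy:
# 755 directories, 644 files, 600 wp-config.php. Assumes PHP runs as the file owner; on
# hosts where PHP runs as a shared web-server account, use 640 for wp-config.php and put
# that account in the file's group instead.
harden_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database password and the auth salts: owner-only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Print the number of paths that violate the policy; 0 means the tree is compliant.
audit_wp_perms() {
    root=$1
    {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" ! -perm 600
        fi
    } | wc -l | tr -d ' '
}

# Usage (docroot is an assumption; use your own):
#   audit_wp_perms /var/www/html      # prints a count; anything above 0 needs attention
#   harden_wp_perms /var/www/html
```

Ownership matters as much as mode: if the files belong to root or to another account, a 644 file is still unwritable by WordPress's own updater, and a 600 wp-config.php is unreadable by PHP. Check with ls -l that the owner is the account PHP runs as before tightening anything.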
For added security, set the DISALLOW_FILE_EDIT constant to true in wp-config.php. This removes the theme and plugin file editors from the administrator dashboard, so a stolen administrator password alone no longer gives an attacker a way to write PHP to your server (it does not protect against someone who already has file-level access).
Choose new authentication keys and salts and replace the old ones in wp-config.php with the values you generated. Rotating them invalidates every existing login cookie, so all users, including you, are logged out; do it after cleaning up a compromised account or whenever you suspect the old keys have leaked. Here is the link for generating authentication keys -
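The two wp-config.php changes above can be generated in one go. The function below is an added example, not code from the original article: it prints the DISALLOW_FILE_EDIT line followed by the eight key and salt definitions, drawing the secrets from /dev/urandom instead of fetching them over the network (WordPress.org serves the same eight definitions at https://api.wordpress.org/secret-key/1.1/salt/). The character set deliberately excludes the single quote and the backslash so the values drop into PHP single-quoted strings without escaping.

```shell
# Added example (not from the original article): emit the security-related wp-config.php
# lines. Paste the output over the existing key/salt block and add the DISALLOW_FILE_EDIT
# line anywhere above the "That's all, stop editing!" comment.
gen_wp_config_security() {
    # Removes Appearance > Theme Editor and Plugins > Plugin Editor from the dashboard.
    printf "define('DISALLOW_FILE_EDIT', true);\n"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        # 64 characters from an 80-symbol alphabet (about 400 bits), no quote or backslash.
        secret=$(head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=,.?:;<>' | head -c 64)
        printf "define('%s', '%s');\n" "$name" "$secret"
    done
}

# Usage: gen_wp_config_security >> /path/to/wp-config.php.new   (path is an assumption)
```

Generate the values on the server or on a machine you trust and move them into the file directly; do not leave them in shell history or a ticket. If wp-config.php is world-readable (see the permissions section), new keys buy you nothing, because whoever could read the old ones can read the new ones.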
Prevent Directory Browsing
To test whether your WP directories are protected against browsing, enter the following URL in your browser, replacing “your domain” with your own website's domain -
If it shows a blank page or a 403 Forbidden page, directory listing is disabled. If instead you see a list of the directory's contents (an “Index of” page, similar to the image below), your directories are browsable, and an attacker can enumerate your plugins, themes and uploads, including any backup or configuration files left lying around.
To prevent directory listings, place this line in the .htaccess file in your WordPress root. Do not write it as “Options All -Indexes”, a form that is often copied around: Apache rejects a mix of “All” with a +/- option, and in a .htaccess file that means a 500 error for the whole site.
Options -Indexes
The .htaccess file is a hidden file, so cPanel users may have to return to cPanel's Home Page and tick “Show Hidden Files” in the “File Manager Directory Selection” dialog that appears when the “File Manager” icon is clicked.
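Checking one URL in a browser is easy to forget after the next hosting migration. The script below is an added example, not code from the original article: is_directory_listing classifies a response (HTTP status plus body) as an autoindex page, and probe_dir_listing fetches the directories that matter most on a WordPress install and reports each one. It assumes curl is installed on the machine you run it from and takes the site URL as its argument; https://example.com in the usage comment is a placeholder.

```shell
# Added example (not from the original article): detect browsable directories.

# Return 0 when a response looks like an Apache mod_autoindex or nginx autoindex page.
is_directory_listing() {
    status=$1
    body=$2
    # A 403, 404 or redirect is what we want; only a 200 can be a listing.
    [ "$status" = "200" ] || return 1
    # Both servers put "Index of /path" in the title of a generated listing.
    printf '%s' "$body" | grep -qi '<title>Index of /'
}

# Probe the directories an attacker would enumerate first. Prints one line per
# directory and returns 1 if any of them is exposed, so it can gate a deploy.
probe_dir_listing() {
    base=${1%/}
    rc=0
    for dir in wp-content/uploads wp-content/plugins wp-content/themes wp-includes; do
        tmp=$(mktemp)
        status=$(curl -s -m 10 -o "$tmp" -w '%{http_code}' "$base/$dir/")
        if [ "$status" = "000" ]; then
            echo "ERROR    $base/$dir/ (no response)"
            rc=1
        elif is_directory_listing "$status" "$(cat "$tmp")"; then
            echo "EXPOSED  $base/$dir/ (HTTP $status, directory listing returned)"
            rc=1
        else
            echo "ok       $base/$dir/ (HTTP $status)"
        fi
        rm -f "$tmp"
    done
    return $rc
}

# Usage (placeholder URL): probe_dir_listing https://example.com
```

A 200 with an empty body is reported as ok, which matches the article's rule, but it usually means an empty index.php is being served from that directory rather than that listings are disabled; the Options -Indexes line is still worth adding so the protection does not depend on a placeholder file surviving the next update.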
Deny Access to Files via IP
To block access to specific files or directories except from your own IP, use whichever of the following methods matches the Apache version on your host. Replace [IP] with your address; both forms also accept CIDR ranges such as 203.0.113.0/24. Apache 2.4 still understands the 2.2 directives when mod_access_compat is loaded, but do not mix the two styles inside one section. Apache 2.2 (mod_authz_host):
Order Deny,Allow
Deny from all
Allow from [IP]
- OR -
Apache 2.4 (mod_authz_core):
Require ip [IP]
Here are some examples:
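As an added example that is not part of the original article: a block for the .htaccess in the WordPress root that restricts the login page to a single address, written so that it works under either Apache version. The address 203.0.113.5 is a placeholder from the documentation range; substitute your own.

```apache
# Added example (not from the original article). 203.0.113.5 is a placeholder address.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip 203.0.113.5
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.5
    </IfModule>
</Files>
```

wp-admin is a directory rather than a file, so it needs its own .htaccess inside /wp-admin with the same Require ip (or Deny/Allow) lines at top level, plus a <Files admin-ajax.php> block that grants access to everyone (Require all granted on 2.4, Allow from all on 2.2), because themes and plugins call admin-ajax.php from the public site. If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, and these rules will lock everyone out until mod_remoteip or the proxy's trusted-address configuration is in place. They also lock you out when your own address changes, so keep a second way in (SFTP or the hosting control panel) to edit the file.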
Protect the /wp-content Directory
The wp-content directory holds all your uploads, themes, and plugins, and the uploads folder in particular is where an attacker who gets past an upload form will try to place a PHP file. To protect this directory, create a separate .htaccess file inside /wp-content that denies everything except the static asset types the site actually serves:
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Extend the extension list for other assets your site uses (woff, svg, mp4, pdf) and test after deploying: a few plugins serve their own PHP files directly from wp-content and will break. Order, Deny and Allow are Apache 2.2 directives, which Apache 2.4 honours only if mod_access_compat is loaded.
Do Not Use Admin User
A user named “admin” should never be used: it is the first username every brute-force tool tries, so it hands the attacker half of the credential. If it already exists, create a new administrator with a username that is neither “admin” nor “administrator”, log in as that user, and delete the old “admin” or “administrator” account, choosing to reassign its posts to the new user when WordPress asks so that no content is lost.
Restrict Admin Access to ONLY Required Users
WP provides a set of roles with increasing permissions. Do not give administrator credentials to users who only write posts or edit and publish articles; give each user the lowest role that covers their job. Here is a rundown of WP's built-in roles:
- Administrator - full control of the administration area, including installing plugins and themes, editing files and managing users; a compromised administrator account is a compromised site
- Editor - can write, edit, publish and delete any post or page, including other users'
- Author - can write, edit, publish and delete their own posts and upload media
- Contributor - can write and edit their own posts but cannot publish them (an editor or administrator must) and cannot upload files
- Subscriber - can only read the site and manage their own profile
Good Maintenance Practices
- Keep your WP core files, themes and plugins updated; most WordPress compromises exploit a vulnerability that was already patched
- Minimize the number of plugins you use; every plugin is more code exposed to the internet
- Deactivate and remove unused plugins and themes; a deactivated plugin's files may still be reachable directly and are still exploitable
- Choose passwords that are difficult to guess and unique to this site
- Do regular data backups, store them off the web server, and test that they restore
Install a Security Plugin
There are many plugins that offer to protect your WP site (login rate limiting, file-integrity checks, web application firewalls). They complement the steps above rather than replace them, and a security plugin is itself code exposed to the internet, so pick one that is actively maintained and keep it updated. Here are a few references: