BeTips to Keep Your WordPress more Secure


1. BEFORE INSTALLING WORDPRESS

When setting up a new WordPress installation, always choose the latest stable version. Before installing it, take these two simple security steps in the wp-config.php file:

  • Change the database prefix
  • Use authentication keys

By default, every WordPress installation uses the prefix wp_ for its database tables. Because this is the same everywhere, it is recommended to change the prefix for each site to make automated attacks that guess table names harder.

To alter the WordPress table prefix, change the following line in the configuration file, wp-config.php, to the prefix you would like to use:

$table_prefix = 'wp_';

For example:

$table_prefix = 'newsite_wp_';

This change will also allow you to have several WordPress installations on the same database, as long as you do not repeat the prefix.

If your site is already installed and you didn't change the default prefix during the installation process, it's not too late. Use a plugin such as Change Table Prefix to make the change. You can also do this manually, but I don't recommend it if you are not familiar with performing database changes.

WordPress has secret keys, called keys and salts, that are stored in the wp-config.php file. They protect open sessions by encrypting the session data in the browser's cookie. Before beginning the installation, you should generate the secret keys.

As with the database prefix, you can change the secret keys on an existing site at any time, a task I recommend performing routinely in order to invalidate active sessions and force all users to log in again.

Although you can generate your own keys manually, I recommend using the official WordPress service at https://api.wordpress.org/secret-key/1.1/salt/ and replacing the keys in your wp-config.php file with the ones it returns.

Before moving on to the next tip, I have one more piece of advice about WordPress secret keys for live sites. In the unlikely scenario where you need to deny any type of access to the admin panel, even with valid login credentials, you can make the keys change every microsecond (so no session survives a single request) by replacing them in wp-config.php with the following:

define('AUTH_KEY',         microtime());
define('SECURE_AUTH_KEY',  microtime());
define('LOGGED_IN_KEY',    microtime());
define('NONCE_KEY',        microtime());
define('AUTH_SALT',        microtime());
define('SECURE_AUTH_SALT', microtime());
define('LOGGED_IN_SALT',   microtime());
define('NONCE_SALT',       microtime());

Remember to routinely update these keys as a preventative measure or to end active sessions.
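Generating keys locally and rotating them on an existing site is the task described above. The script below is an added example and not code from the article; it assumes a POSIX shell with tr, head, awk and /dev/urandom, and it builds its own small sample wp-config.php (constructed here for the demonstration) rather than touching a real one. It removes any existing definitions of the eight constants and inserts fresh 64-character values just above the "stop editing" marker, or at the end of the file if that marker is missing, so the keys are never silently dropped.

```shell
#!/bin/sh
# Added example (not from the original article): generate the eight WordPress
# secret keys/salts locally and splice them into a wp-config.php, replacing any
# existing definitions. Assumes POSIX sh with tr, head, awk and /dev/urandom.

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from a set that needs no escaping inside PHP single quotes
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=-' </dev/urandom | head -c 64
}

# Print eight define() lines, one per key name
gen_salts() {
  for name in $SALT_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(random_salt)"
  done
}

# Replace whatever salt defines exist in $1 with fresh ones, inserted just above
# the "stop editing" marker so they are set before wp-settings.php loads.
rotate_salts() {
  cfg="$1"
  salts=$(mktemp)
  gen_salts >"$salts"
  awk -v saltfile="$salts" '
    # drop any existing definition of the eight constants
    /^define\([[:space:]]*['\''"](AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)['\''"]/ { next }
    # insert the fresh ones just above the marker line
    /That.s all, stop editing/ && !inserted {
      while ((getline line < saltfile) > 0) print line
      inserted = 1
    }
    { print }
    # no marker found: append at the end so the keys are never lost
    END { if (!inserted) while ((getline line < saltfile) > 0) print line }
  ' "$cfg" >"$cfg.new" && mv "$cfg.new" "$cfg"
  rm -f "$salts"
}

# How many of the eight constants are defined in $1 (used as a post-check)
count_salt_defines() {
  grep -cE "^define\([[:space:]]*['\"](AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|LOGGED_IN_SALT|NONCE_SALT)['\"]" "$1"
}

# Constructed sample config: only three of the eight keys are present, with the
# placeholder values a fresh download of wp-config-sample.php ships with.
make_sample_config() {
  cat >"$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
$table_prefix = 'newsite_wp_';
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo run against a temporary copy
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
rotate_salts "$demo_cfg"
echo "salt defines now in place: $(count_salt_defines "$demo_cfg")"
rm -f "$demo_cfg"
```

On a real site, run rotate_salts against a copy of wp-config.php first and diff the result; every logged-in user, including you, is signed out the moment the new file is in place.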


2. AFTER INSTALLING WORDPRESS

Once you've finished installing your new WordPress site, delete the admin profile used during installation and create a new user with admin permissions, as well as any other necessary user accounts.

Avoid weak usernames like admin or administrator, which are common to all WordPress installations, and remember to use a strong password.

Disable pingback and trackback notifications in your admin panel (Settings > Comments), as they can be an entry point for possible DDoS (Distributed Denial of Service) attacks on your site.

Protect files from attacks and intrusions by adding the following lines to the .htaccess file. Ideally, this should be done at the beginning of the file located in the root directory of your site:

# Deny directory listing
Options -Indexes
# Block sensitive files
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

You should block access to any unnecessary files by creating a new .htaccess file in the /wp-admin directory and adding the following lines of code:

# Block installation files
<Files install.php>
Order allow,deny
Deny from all
</Files>
<Files setup-config.php>
Order allow,deny
Deny from all
</Files>

I recommend reviewing the robots.txt file, located in the root directory of your site. This file tells search bots what should and shouldn't be crawled on your site, so check that it doesn't reveal sensitive information about your WordPress installation, for example the path of your wp-admin folder.


3. CHANGE PERMISSIONS FOR FILES AND DIRECTORIES

Make sure files and directories in your WordPress installation have the appropriate permissions to prevent attackers from taking control of your site.

Go to WordPress Tools > WordPress Toolkit > Select the installation > Fix Permissions.

Permissions for all the directories should be set to 755.
Permissions for all the files should be set to 644.

To restrict access even further, protect these two files in your WordPress configuration as follows:

wp-config.php file: set permissions to 600
.htaccess file: set permissions to 604

These numeric permissions encode the Read, Write, and Execute bits for the owner, group, and others, as defined in Unix operating systems.
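Checking that a tree actually matches these values, rather than trusting that a one-off "Fix Permissions" click stuck, is the part a practitioner wants to automate. The script below is an added example and not code from the article or the hosting toolkit it mentions; it assumes POSIX find and chmod and that you run it as the files' owner. audit_perms lists every path that deviates from the values above (755 for directories, 644 for files, 600 for wp-config.php, 604 for the root .htaccess), fix_perms applies them, and make_sample_tree builds a small constructed layout with four deliberate deviations so the audit has something to find.

```shell
#!/bin/sh
# Added example (not from the original article): audit and fix a WordPress tree
# against the recommended modes. Assumes POSIX find/chmod; run as the file owner.

# Print every path whose mode deviates from the recommendation, one per line
audit_perms() {
  root="${1%/}"   # no trailing slash, so -path comparisons below are exact
  # directories that are not exactly 755 (exact match also rejects setuid/setgid)
  find "$root" -type d ! -perm 755
  # regular files that are not exactly 644, skipping the two special-cased files
  find "$root" -type f ! -path "$root/wp-config.php" ! -path "$root/.htaccess" ! -perm 644
  # the special cases from the text
  [ -f "$root/wp-config.php" ] && find "$root/wp-config.php" ! -perm 600
  [ -f "$root/.htaccess" ] && find "$root/.htaccess" ! -perm 604
  return 0
}

# Number of deviating paths (0 means the tree matches the recommendation)
count_deviations() { audit_perms "$1" | wc -l | tr -d ' '; }

# Apply the recommended modes
fix_perms() {
  root="${1%/}"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  [ -f "$root/.htaccess" ] && chmod 604 "$root/.htaccess"
  return 0
}

# Constructed sample layout with four deviations: a world-writable uploads
# directory and file, plus wp-config.php and .htaccess left at the generic 644
make_sample_tree() {
  root="${1%/}"
  mkdir -p "$root/wp-admin" "$root/wp-content/uploads"
  chmod 755 "$root" "$root/wp-admin" "$root/wp-content"
  chmod 777 "$root/wp-content/uploads"                                # too open
  echo '<?php' >"$root/index.php";            chmod 644 "$root/index.php"
  echo '<?php' >"$root/wp-config.php";        chmod 644 "$root/wp-config.php"  # should be 600
  echo 'Options -Indexes' >"$root/.htaccess"; chmod 644 "$root/.htaccess"      # should be 604
  : >"$root/wp-content/uploads/image.jpg";    chmod 777 "$root/wp-content/uploads/image.jpg"
}

# Demo run in a temporary directory
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "before: $(count_deviations "$demo") deviation(s)"
audit_perms "$demo"
fix_perms "$demo"
echo "after:  $(count_deviations "$demo") deviation(s)"
rm -rf "$demo"
```

Run audit_perms on a schedule and alert when it prints anything: a file in wp-content/uploads that suddenly needs 777, or a wp-config.php that has drifted back to 644, is worth a look even when the site is working fine.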


4. BLOCK PHP IN DIRECTORIES

Although WordPress blocks PHP file uploads through the admin panel by default, you should also block the execution of PHP code in the uploads folder itself. Likewise, limit the unnecessary execution of PHP code in other WordPress folders that shouldn't be accessed directly.

Create a new .htaccess file inside each of the folders "/wp-content/uploads", "/wp-content/plugins" and "/wp-content/themes", and add the following lines to block PHP execution:

<Files *.php>
Deny from all
</Files>

Note: after every modification to a .htaccess file, check that your site still loads. Flush the cache to confirm that the added rules are actually in effect.
5. DISABLE FILE EDITING IN WORDPRESS

This step focuses on adding a layer of security to the admin panel to prevent unwanted intruders and limit mistakes made by authorized users.

To disable the file editor in the WordPress admin panel, add the following line to the configuration file, wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

This is equivalent to removing the 'edit_themes', 'edit_plugins', and 'edit_files' capabilities from every registered user on the site.

You can add an additional layer of control on live sites if you don't want users to install themes and plugins on their own. To do this, add the following line to the configuration file, wp-config.php:

define( 'DISALLOW_FILE_MODS', true );

Remember to deactivate it by setting the directive to false whenever you need to perform maintenance on the WordPress installation.

All modifications to wp-config.php must be placed above the following line:

/* That's all, stop editing! Happy blogging. */


6. USE A CDN AS A DNS

Although the benefits of a Content Delivery Network (CDN) for website performance are well known, using a CDN that sits in front of your web server at the DNS level can improve your web security in the following three ways.

  • It provides an actively maintained firewall, updated continuously
    against malicious behaviour such as connection floods, port
    scanning, etc.
  • It mitigates brute force attacks by using the provider's
    distributed server network, which minimizes the impact and applies
    blocking rules to detect these kinds of attacks, usually DoS or
    DDoS.
  • It hides the real IP of your server, which prevents direct attacks
    against the host you are actually running on.


We recommend using CloudFlare as your CDN to improve the security and performance of your WordPress website. All SiteGround hosting plans include a free CloudFlare account.



7. BACKUP YOUR SITE

Although we hope you'll never have to use this tip, it's better to be safe and keep a full backup of your site.

You rarely need to restore a full site backup, but in case you do, SKY HOST has a tool for backups and easy restores in cPanel (JetBackup, with Google Drive as a destination), so you'll be able to restore your site easily and quickly.

We recommend you follow the 3-2-1 rule as a strategy for backups that contain important data.

  • Keep 3 backups
  • In 2 different formats (minimum)
  • 1 of the backups should be in a different physical location

If disaster strikes, having all your backups in the same format or location is useless. Remember to always generate a new backup after you make any important change to your WordPress installation.