14 Steps to Installing a WordPress Site with Hacker Protection, Part 1

WordPress is a fantastic platform to use for any kind of website. Newbies can get started quickly and inexpensively. Sophisticated web developers can do a lot with it as well. Its flexibility and easy user interface are why we recommend it to most of our clients. Not only is it a great tool, the WordPress team are crackerjack at keeping on top of security concerns that arise.

That being said, malicious hackers still break through and infect sites, mostly because some simple security measures are not followed.

In order to protect our sites and the sites of our clients, we developed this 14-step checklist for creating a hacker-resistant WordPress site.

NOTE: Although most hosting companies offer automatic WordPress installation, we prefer a manual installation of WordPress, as it gives us more control over the setup. For those of you who use an installation script provided by your hosting company, you may not be able to apply all of these steps.


Step 1:  Install the latest version of WordPress into a subdirectory, instead of your root.

Giving WordPress its own directory not only keeps the clutter out of your root directory; if someone does hack into your site, your root directory is protected.

You can find instructions for a manual installation at http://codex.wordpress.org/Installing_WordPress

Some hackers target WordPress sites specifically, so when installing WordPress, consider changing the default table prefix from wp_ as an advanced strategy for protecting your site. If you use the WP-Security-Scan plugin we mention later, it will also suggest this when evaluating your site for security holes.


Step 2: Change Your Index.php location

Changing your index.php location allows your blog to remain in the root directory, and creates a cleaner URL.

Sign in to your WordPress site, go to Settings, then General, and change your “Blog address (URL)” to the root URL. For example: www.mywebsite.com.

Open your FTP client and copy the index.php file from the subdirectory (where you installed WordPress) into the root directory.

Edit your index.php file so that the require line below the comment points into the WordPress subdirectory. For example, with WordPress installed in a subdirectory named your-subdirectory (a placeholder; use your own folder name), the two lines read:

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/your-subdirectory/wp-blog-header.php' );

If you have questions about this, there is a link right next to this field that will give you all the details you need to do this right.

Step 3:  Protect Your wp-includes folder

This step is simple: just copy your .htaccess file into the wp-includes folder. You may need to set your FTP client to show hidden files in order to see it.
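As an added example (not the author's own file), here is what the .htaccess placed in wp-includes can contain so that PHP files in that tree cannot be requested directly by a browser. It assumes Apache 2.4; on Apache 2.2 the Require all denied/granted lines become Deny from all/Allow from all.

```apache
# wp-includes/.htaccess (added example; adjust to your install)
# Assumes Apache 2.4 with mod_authz_core. Directives in this file apply to
# wp-includes and every folder below it.

# Nothing under wp-includes needs to be opened by a visitor: WordPress loads
# these files internally with include(), which this rule does not affect.
# Blocking direct requests removes a common way of abusing a library file
# that was never meant to run on its own.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Exceptions for the few files WordPress does request directly.
# ms-files.php serves media uploads on multisite installs.
<Files "ms-files.php">
    Require all granted
</Files>
# wp-tinymce.php delivers the visual editor script in WordPress releases
# of this era (it lives under wp-includes/js/tinymce/).
<Files "wp-tinymce.php">
    Require all granted
</Files>
```

After uploading, load a post in the editor and the front page to confirm nothing broke, then request a wp-includes PHP file by URL and check that Apache answers 403.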


Step 4:  Protect your wp-admin folder

Upload your .htaccess file into the wp-admin folder.

Upload .htpasswd into the root directory.

Go to http://www.htaccesstools.com/htpassword-generator/ to create a password.

Edit the .htaccess file to have the proper path to your .htpasswd file.
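The wp-admin .htaccess this step describes, written out as an added example rather than the post's own file. It assumes Apache 2.4, and the on-disk site root /var/www/html is a placeholder you replace with the path your host gives you.

```apache
# wp-admin/.htaccess (added example; site-root path is a placeholder)
# Assumes Apache 2.4. Puts an HTTP Basic password in front of every page
# in wp-admin, so a stolen or guessed WordPress password alone is not enough
# to reach the dashboard.
AuthType Basic
AuthName "WordPress administration"
# Absolute filesystem path to the .htpasswd uploaded to the site root in
# this step. It must be a server path, not a URL, or every login fails.
AuthUserFile /var/www/html/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php from the public side of the site,
# so it must stay reachable without the password or front-end features
# that rely on it will break for visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

The .htpasswd file itself holds one username:hash line per user, which is exactly what the generator in this step outputs. Apache's stock configuration refuses to serve any file whose name starts with .ht, so confirm your host has kept that rule before leaving .htpasswd inside the web root.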


Step 5:  Upload and activate security plug-ins

Currently, we use the following security plug-ins to protect our site.

Login-Lockdown: this plugin helps prevent “brute-force password discovery” by disabling the login function after a certain number of failed login attempts are detected from a given IP address.

WP-Db-Backup: this plugin backs up your core WordPress database tables and other tables (usually created by the plugins you are using). You can schedule your backups or issue an “on-demand” backup when needed.

WP-Security-Scan: this plugin scans your WordPress site for security vulnerabilities (most of which should be fixed by following the steps we have posted here).

Wp-MalWatch: this plugin scans your site every night for signs of foul play and will tell you where to look if it finds a problem.

We are also evaluating WordPress Backup by Blog Traffic Exchange, as it backs up the upload directory, the plugin directory, and the current theme directory. It is important to note that the database backup plugin we listed only backs up the database, so backing up the theme, images, etc. should not be overlooked (see step 11 for more).

In the next post, I’ll go over steps 6-14; you can see that post HERE.


AJ Yates is a Virtual Assistant providing creative business and web solutions for individuals and small businesses.  Fully grounded in traditional and online business needs, AJ helps her clients extend their office resources and get things done so they can focus on what they do best.  For more information on AJ and her Virtual Office Team visit VirtualOfficeAce.com


  1. Thanks for the great post Amy!

  2. This is great info. Thanks for sharing!

  3. Hi, thanks so much for this information. My wordpress site got hacked a month ago and it took me 2 weeks to sort it out. Big source of stress! All working great now though.

  4. Hi Douglas, it is a HUGE stress when a site is hacked, I know from experience. And if you aren’t prepared, it is even worse. No one wants down time.

    Following this checklist will help, and then after that maintenance is the key, including regular backups. Once a site has been successfully hacked, there is a good chance they will try again. (I’ve seen recurring attacks.)

    If you have a good backup, that is the fastest way to get a site back up and running.

    These sites may help you assess and secure your code:
    # Google.com – Webmaster Tools Help
    # TopBits.com – Finding Security Vulnerability
    # Fority.com – Source Code Analysis
    # SecTools.com – Network Security Tools
    # Wikipedia.com – Code Injection

  5. Seems obvious but having a strong password would also be a good idea. And changing it at some interval wouldn’t hurt.

  6. Maybe I’m dense, but I’m trying to figure out in step 4 how to “Upload .htpasswd into the root directory”. Am I first supposed to create the .htpasswd file using the htpasswd generator referred to in the next line of the instructions? And how do I edit the .htaccess file to include the path to the htpasswd file location? The .htaccess file generated by htaccess Authentication (http://www.htaccesstools.com/htaccess-authentication/) looks nothing like the .htaccess file contained within WordPress.

    ?? Help!!

  7. Jay, does it make sense for me to build out my WordPress site at the root right now, then in a few weeks when I have a VA up to speed, have him/her do a backup and reinstall in a subfolder?

  8. Make sure you are using the Htpasswd Generator. The authentication tool is different.

    Once you fill out the fields it is asking for, it will generate the code to add to your .htpasswd file.

  9. You have made some great points there. I did a search on the subject matter and found that a lot of women will have the same opinion as your website.

  10. The link in step 4 isn’t quite right. It’s close and you can get there from that error page but here it is: http://www.htaccesstools.com/htpasswd-generator/

  11. I really like your entire weblog. Thanks a lot and continue the good work.

  12. This is Great content! Very helpful! Does it make any difference if you are using Thesis?

  13. The tips work the same if you are using Thesis theme as well.

  14. Amy thanks for the good info! Thanks for sharing Jay!

  15. Thanks for all this information. I got hacked twice. I have my site installed in root but will change it today and put it in subdirectories; I did that before and had no problems. Lesson learned: some people have nothing better to do with their time than to make my life a living hell. Thanks again.

  16. Thanks a lot. This is exactly what I was looking for.

  17. Thank you! These are great tips, and timely too … Uhhh, not that I got hacked, I mean, OK so I did. I installed one of my first (and better performing) sites in a sub directory and felt like a fool, but now I feel partially redeemed. Looking forward to reading the next tips …

  18. Thanks, our site got hacked too and believe me I wish I had done all this before…