14 Steps to Installing a WordPress Site with Hacker Protection, Part 2

Now we are going to continue on to the final steps on installing a wordpress site with hacker protection.  If you would like to see part 1 of this article, please click here.


Step 6:  Change your Admin User

“Admin” is the default user that is assigned when installing WordPress.  To change it you must use phpMyAdmin and then update your config.php file.

Step 7: Use a Strong Password

You’ve heard it before, but it must still be said.  Use a strong password, that includes letters, numbers, and even punctuation where appropriate.


Step 8: Choose a supported theme

There are a lot of WordPress themes available that are free, but before you use it make sure you can get help if you need it.  This also is an indicator that the theme will be updated and not become a problem when upgrading to the latest version of WordPress.


Step 9:  Choose Plug-in’s wisely, the fewer the better

WordPress plug-in’s are available by the truckload, but that doesn’t mean you need to use all of them.  The fewer you use, the better.  Plug-ins tend to be more vulnerable to hackers than your WordPress software, so hackers go there to infiltrate and take you down.


Step 10:  Hide your Plugin directory

Anyone can see a list of your plug-ins by going to http://mydomain.com/wp-content/plugin. To hide this folder, just open your text editor, create a blank index.html page, and upload it via FTP into the wp-content/plugin folder.

Step 11: Setup your Backup!

There are two things you need to backup, your database (all your posts and pages) and your design (your theme, layout, etc).

How often you backup is determined by how much you are willing to use. We recommend that you set your auto-backup for as often as you post.  So if you post weekly, backup weekly, etc.

You should also run an “on-demand” database backup prior to upgrading software (both WP and plugins), just in case something breaks.

In addition, plan on using your FTP to download your site periodically – especially before and after you make significant changes to your site structure, theme, etc (this kind of backup does not include your database).

Ask your host how often they backup as well, there have been times that we have been able to go directly to the host and have them restore the entire site from a specific date.  Some guarantee their backup, others do not, so go find out!

If your site is hacked, and you have a recent backup, you can have your site up and running in no-time.

Step 12: Protect Your Files and Folders

Setting proper file and folder permissions can make a big difference.  You may not realize this, but if a file or folder is writable, then it is also considered insecure.  Your host will have its own level of security, so you may want to consult with them.  In general, we use the following file permissions

–          Directories permissions of 755

–          All files should have permissions of 644

–          Theme files 666 (if you want to use the built-in editor).

Occasionally a plug-in will require something else to function.  You can review that on a case by case level.

The simplest way to change these permission is to use your FTP client, like Filezilla.

Step 13: Change to “No Indexes”

Most people don’t realize this, but anyone interested can browse your directory and see all the files and folders you have, unless you change your index manager to “No Indexes.”  If you don’t see it, then contact your Host support.

You can also make changes to your .htaccess file.  This is a sensitive file, so make sure you download it completely off your site, make a copy, and then make the changes.

For more information on directory browsing and how to change your .htaccessfile, go read this article at “The Internet Patrol”.


Step 14:  Keep Your Software Current!

If you don’t upgrade your site to the most recent version, it is vulnerable.  It really is that simple.  If you can only do one thing to protect your site, upgrading your WordPress and WordPress plug-in software should be it.

Some web developers are concerned about upgrading to a new version without testing it with the current sites functionality.  This is a valid concern, but it shouldn’t keep you from waiting too long to upgrade.  We have had very few problems doing immediate updates, but it is not impossible.

However, if you have a very sophisticated site, then I definitely recommend setting up a test site.  Upload your current site into a test site, and simulate the version updates to ensure everything is going to work smoothly.

If you have a good Virtual Assistant, or Virtual Programmer, they can do the testing for you.  Incremental testing is the best approach.  That means you update one thing at a time so if something breaks you can tell what triggered it.

Regardless of whether you do a live update, or test the software first, you should do a complete backup.  This will give you peace of mind and save you from potential headaches that could come up.


Although, following these steps does not guarantee that your site will never be hacked, if you follow them it will strengthen your WordPress site security and reduce the risks.

Since applying these steps to our WordPress sites at the end of 2009, we haven’t had to repair any sites due to malicious attacks.

Some of the Resources Reviewed for this







AJ Yates is a Virtual Assistant providing creative business and web solutions for individuals and small businesses.  Fully grounded in traditional and online business needs, AJ helps her clients extend their office resources and get things done so they can focus on what they do best.  For more information on AJ and her Virtual Office Team visit VirtualOfficeAce.com