Blog Header Banner

Securing WordPress against the Hordes of Bots   no comments

May 10, 2016 @ 6:20am Web hosting


WordPress is one of the most popular, third party scripts used on websites.  Each and every time WordPress releases an update or a patch, the reasoning behind the update is publicly released but often its security related.  This is for all developers to be aware and update their code accordingly.  This factor alone, makes your site targeted.  Not to scare anyone reading this, however in a recent study WP White Security reported 70% of WordPress sites are vulnerable to attacks!

The majority of hacked sites are compromised for the sole purpose of sending spam.  TurnKey Internet and other web hosting services cannot guarantee your site will not become compromised due mainly to third party scripted plugins and modules that often modify or alter WordPress in ways that even the main security aspects of WordPress can’t anticipate.   TurnKey Internet makes sure your site is secured against a large scale of attacks and has a restoration plan if needed utilizing our multiple online cloud backup services we offer  with our hosting services .  The last thing a hacker wants to do is spend a large amount of time accessing your site.  The more road blocks, the faster the malicious user will lose interest and move on.

Before I get too far ahead of myself, let me first explain how your site becomes compromised.  I believe this is important when securing your site.  Understanding how malicious users are gaining access and what the user is doing.  While there is a vast scale of techniques a hacker can use, the main way a malicious user will gain entry to your WordPress site was grouped in the following categories by WP White Security:

41% – Security vulnerability on the hosting platform.  Nothing to worry about on TurnKey Internet’s web hosting server platforms, as we are constantly updating the servers with the latest security releases and patches.  As well as keeping all services on the server up to date in addition to having the most advanced firewalls and intrusion detection systems in place.  If you have a dedicated or VPS server and would like to TurnKey to review your server, shoot us a support ticket we’d be more than happy to investigate.

29% – Outdated WordPress Theme which can open security holes

22% – Outdated WordPress Plugins which can open security holes

51% of reported compromised sites are due to an outdated theme or plugin.  This is completely preventable!  When your plugin or theme is compromised, this makes it possible for a hacker to inject an eval base 64 decode code.  This allows the hacker to run a PHP function from the site.  These are PHP mailers the malicious user users to send spam from your account.

8% – Due to a weak password.  This is where brute force attacks are successful.  Hackers use a script to continuously generating random passwords, until they have gained access to your dashboard.

First and foremost, make sure everything is updated to the latest version.  Each time WordPress releases an update, the update is addressing a security threat.  This is why keeping the script updated is important.  As mentioned previously, due to the popularity of WordPress the exploits patched are publicly released.  This allows developers to adjust their coding accordingly.

In version 3.7, WordPress added in the feature to allow automatic updates.  This sounds wonderful, except by default it only applies to minor updates.  The WordPress team did this to prevent sites from automatically breaking when updated.  (Typically this happens if your plugins are not continually updated by the developer.)  You can add the following lines of code to the wp-config.php file and all updates will be automatic.

# Enable all core updates, including minor and major:

define( ‘WP_AUTO_UPDATE_CORE’, true );

Alternatively, if you would like to take control and complete all the updates yourself, you can add these lines instead.

# Disable all core updates:

define( ‘WP_AUTO_UPDATE_CORE’, false );

Since more than half of WordPress sites are hacked due to outdated themes or plugins, be picky as can be with the ones you activate.  Pay attention and investigate the themes and plugins you are using.

Not all plugins and themes are actively maintained by their developers.  Only use plugins that are updated regularly.  If the plugin or theme hasn’t been updated in 6-9 months, there is a good chance the developer is no longer maintaining their theme or plugin.  Stick with WordPress developers.  You can download tons of plugins and themes directly from

Do you honestly need that plugin?  If it is not necessary for your site, deactivate it and remove it.  Not only does it take your site longer to load, you’re providing more chances for a malicious user to find a backdoor.

Lock down who has access to your WordPress dashboard.  The easiest way to complete this is by adding a few lines of code into your .htaccess file.  As with all aspects of web hosting case sensitivity is important.  Please note where the capitalization is when implementing this code into your .htaccess file.

<Files wp-login.php>

order deny,allow

Deny from all

Allow from


You will want to exchange with the IP address of the machine you are connecting from.  If you are unsure of the IP, Google “what is my IP” from the device you would like the IP of.

Hey, that’s great but what if I need to access the dashboard from the office and from home?  No worries, you can add additional ‘Allow from’ statements.

<Files wp-login.php>

order deny,allow

Deny from all

Allow from

Allow from


Limit the number of login attempts an IP address can have before your server blocks the IP.  If this is a new install, using Softacoulous, there is an option ‘enable the number of login attempts’ listed in the preinstall screen.  If you have already installed WordPress, I recommend using the Limit Login Attempts plugin.

Do not use the default “admin” username.  On new installs you are given the ability to make the username.  If you already have WordPress installed you can change the username in the dashboard.  Once logged in, access account setting, and click the “change” link next to your username.  From there you can follow along with WordPress to change the username.

Change your passwords often and make sure you are using a strong password.  I know this can sometimes be overwhelming and often hard for some uses to remember.  However, it is extremely important to use.  A good way to remember the password is to use a short sentence or phrase.  Make sure to do something like replace vowels with number or make them capital.



The above are far more secure than using:




Change the WordPress default table prefix.  If you’ve noticed all your core WordPress files start with ‘wp’.  wp-config, wp-login, wp-admin, ect.  Changing the prefix can help prevent against SQL injections.

The table prefix is defined in the wp-config file.

$table_prefix = ‘wp_’;

PLEASE NOTE – Changing the table prefix in the wp-config file will not change the tables in the database.

In a fresh install you have the ability to set the table prefix to something other than wp.  If you have already installed WordPress, I have found the iThemes Security plugin to be the quickest way to compete this task.  If you prefer to not have a plugin complete this task, you can do so manually.  It is a bit time consuming and you will need to make sure to rename each WordPress table, update the usermeta table and update the options table.  Of course you will want to backup the database, before making any changes.

Make sure your file permissions are correct.  WordPress states only the following permissions should be used;

Directories should be 755 or 750

Files should be 644 or 640

Your wp-config.php should be set to 600

Your wp-config file is extremely important.  I recommend protecting this file in the .htaccess as well.  To do so place the following lines of code inside your .htaccess file:

<files wp-config.php>

order allow,deny

deny from all


Speaking of protecting important files.  The wp-includes directory contains the majority of files needed to run WordPress.  There is absolutely nothing in this directory a user will need.  With that being said, I recommend adding the following lines of code to the .htaccess file to protect these files as well.

# Block the include-only files

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ – [F,L]

RewriteRule !^wp-includes/ – [S=3]

RewriteRule ^wp-includes/[^/]+.php$ – [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+.php – [F,L]

RewriteRule ^wp-includes/theme-compat/ – [F,L]


Block out access to the xmlrcp.php file as well.

<Files xmlrcp.php>

order allow,deny

deny from all


xmlrcp.php, this file is the worst!  While the features of using this file sound neat.  (Connect to your blog via text or email, sends tracebacks or pings.) This file has been used to take down a large number of server by implementing DDOS attacks with this file.  You can read more on these attacks here –

Since we are already protecting our files in .htaccess, might want to protect .htaccess as well.  To do use this code.

<Files .htaccess>

order allow,deny

deny from all


Great, now my site is secured.  What about that restoration plan you mentioned earlier?

Backup, backup, backup!  I cannot stress this enough! If by chance a hacker is able to break through all these security measures we have put in place, the fastest way to get your site backup is by restoring a backup.

Depending on what service you have with TurnKey, we do provide backups.  However, it is not the responsibility of TurnKey to maintain your backups.  You should not rely on our backups and keep your own backups as well.  Our terms of service allows for you to keep one (1) full account backup stored on the server.  TurnKey recommends taking backups of your account weekly or even daily.  Connecting with an FTP client and storing the backup in a secure location.

While WordPress does off automatic updating services, we have disabled some of the PHP features required for this service to work on our shared hosting platforms.  The reasoning on this, we do not allow for the use of PHP execute.  This is for security purposes.

Inside your control panel you have the ability to take full account backups and database backups.  I strongly recommend doing so.

TurnKey also offers a backup add on service called TurnKey Vault which we highly recommend for anyone with a dedicated or cloud-based server, so you can protect your data If you need any assistance with competing any of the tasks listed in this blog, email our support team ( and we would be happy to assist you.

Happy blogging!

Share : Facebooktwitterredditlinkedinmail Follow Us : Facebooktwitterlinkedinyoutubeinstagram

Leave a Reply