
If you are reading this page, then you are on your way to being proactive in taking steps to help reduce the risk of having your WordPress site compromised by hackers or infected by Malware. While no one can promise that your site will be hacker proof (we've seen even Government sites get attacked), we can work together to ensure that you minimize your risks. We have FREE videos on our website that show you how to do most of the actions mentioned below.

Before making any changes to your website, first VERIFY that your Website is working properly and create a full backup in case something goes wrong and you need to restore the site.


10 Actions to Protect Your WordPress Site from Hackers and Malware


6 Simple Quick Actions

1)  Delete any Administrator accounts with the username “Admin” or “Administrator”

Hackers love to target these account names. If you have such an account, first create a new account with a username that is not obvious and give it Administrator access. Then log in with your new account and delete all accounts with the username “Admin” or “Administrator”.


2)  Change the WordPress passwords for all Administrator accounts at least every 3 months. 

Always use strong passwords that are at least 8 characters long and include a lower case letter, an upper case letter, a number, and a special symbol. Do not use dictionary words for your passwords. An example of a strong password is Psktk093@  Also see
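As an added example (not code from the original article), here is a small Python policy check that encodes the rules above: minimum length, lower case, upper case, digit, special symbol, and no dictionary word at its core. The word list and the symbol set are constructed assumptions; a real check would load a proper dictionary. A generator that draws from the system's secure random source is included so that the same policy can be used to produce passwords, not only to judge them.

```python
import re
import secrets
import string
from typing import List

# Constructed mini word list standing in for a real dictionary (assumption:
# a real check would load /usr/share/dict/words or a breached-password list).
DICTIONARY = {"password", "wordpress", "admin", "welcome", "letmein"}

# Special symbols accepted by this policy (an assumption; adjust to taste).
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def password_problems(pw: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no special symbol")
    # Strip digits and symbols first so "Password1!" is still caught as a dictionary word.
    core = re.sub(r"[^a-zA-Z]", "", pw).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password from the OS CSPRNG that satisfies password_problems()."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("Psktk093@", "Password1!", "short"):
        print(candidate, "->", password_problems(candidate) or "OK")
    print("generated:", generate_password())
```

The dictionary check deliberately looks at the letters only, because appending a digit and a symbol to a common word is the most frequent way people satisfy a character-class rule without actually gaining strength.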


3)  Delete ALL themes and Plugins that are not being used by your website

Deactivating a plugin is not enough. A plugin with malicious code can still be harmful to your website even if the plugin is not active.


4)  Continuously Update all your plugins, themes, and WordPress Core files

Outdated WordPress files and outdated plugins are the number one reason that WordPress websites get hacked and the leading cause of Malware infections. On your WordPress Dashboard, you will see all the items that need to be updated. Updates to plugins and themes are released every day. Therefore, it is important that you update all of your WordPress components as soon as an update is available.


5)  Run a virus scan on your personal desktop/laptop and keep your anti-virus up-to-date

In a lot of cases we see that websites are compromised via the local environment (notebooks, desktops, etc.). This is why it’s important that you take a few minutes to run an Anti-Virus product. It doesn’t matter how many times your site gets cleaned: if your desktop is not clean, your site can get reinfected quite easily.


6) Change your Hosting Provider’s CPANEL / administrator password at least once every 6 months. *

Most people forget this, but it’s just as crucial a step. If you don’t have a CPANEL, we’re referring to the administrator account for your hosting provider. This is the holy grail key to your website.


The actions listed above are fairly quick and simple. Even a novice WordPress user should be able to perform all those actions in less than 30 minutes. We have free videos on our website that show you how to do all of the WordPress actions.



4 Advanced Actions

7)  Change your FTP, SFTP, SSH password for all such accounts at least once every 6 months.

Always use a good and strong password.  If you do not know what FTP means, then do not attempt to do this. FTP accounts are on your hosting server and they allow programmers and administrators to copy files directly to your website. It’s like a backdoor to your website. 


8) Change your WordPress database (MySQL) password.

This is done through the hosting server’s Cpanel or Administrator panel. After changing the database password, please be sure to update your WordPress configuration file – wp-config.php. This is not an automated process, so you will need to know how to open that file and edit it manually. If you’re not familiar with handling changes in your database and configuration files, contact your host or your website developer.
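The manual wp-config.php edit described above is easy to get wrong (a stray quote or a mis-escaped character takes the whole site down). As an added example, not part of the original article, the Python helper below rewrites only the `DB_PASSWORD` define, escapes the new value correctly for a PHP single-quoted string, and keeps a `.bak` copy of the file before touching it. The sample configuration fragment is constructed for the example; the regular expression assumes the standard single-quoted `define( 'DB_PASSWORD', '...' );` line that WordPress ships.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Matches the standard single-quoted define line, tolerating WordPress's spacing style.
# Group 1: everything up to and including the opening quote of the value.
# Group 2: the current value (with PHP escapes).  Group 3: closing quote and paren.
_DB_PASSWORD_RE = re.compile(
    r"(define\(\s*'DB_PASSWORD'\s*,\s*')((?:\\.|[^'\\])*)('\s*\))"
)

# Constructed wp-config.php fragment for the example (not a real site's file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'old-password' );
define( 'DB_HOST', 'localhost' );
"""


def php_single_quote_escape(value: str) -> str:
    """Escape a value for a PHP single-quoted literal: only backslash and quote matter."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def replace_db_password(config_text: str, new_password: str) -> str:
    """Return config_text with the DB_PASSWORD value replaced; raise if the line is absent."""
    escaped = php_single_quote_escape(new_password)
    # A callable replacement avoids re's own backslash processing on the new value.
    new_text, count = _DB_PASSWORD_RE.subn(
        lambda m: m.group(1) + escaped + m.group(3), config_text, count=1
    )
    if count != 1:
        raise ValueError("DB_PASSWORD define not found in wp-config.php")
    return new_text


def update_wp_config(path, new_password: str) -> Path:
    """Back up the file to <name>.bak, then write the updated config in place."""
    p = Path(path)
    backup = p.with_name(p.name + ".bak")
    shutil.copy2(p, backup)  # keeps the original mode bits on the backup too
    p.write_text(replace_db_password(p.read_text(encoding="utf-8"), new_password),
                 encoding="utf-8")
    return backup


def demo_update_in_tmp(new_password: str = "N3w!Pass"):
    """Run the update against a constructed copy in a temp dir; return (new text, backup text)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "wp-config.php"
        cfg.write_text(SAMPLE_WP_CONFIG, encoding="utf-8")
        backup = update_wp_config(cfg, new_password)
        return cfg.read_text(encoding="utf-8"), backup.read_text(encoding="utf-8")


if __name__ == "__main__":
    updated, original = demo_update_in_tmp()
    print(updated)
```

Note the order of operations: the database password is changed first in the hosting panel, then wp-config.php is updated, and the `.bak` file (which still holds the old password) should be deleted once the site is confirmed working, since a readable backup of wp-config.php in the web root is itself a leak.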


9) Clean up and remove old website directories and sub-directories that are not being used.

Too often the issues we see plaguing our clients are caused by “soup kitchen” servers: old installations of their content management systems, themes or plugins. Over time these old installs are forgotten but grow ripe with Malware that’s ready to infest the entire server. Take a minute to separate those things that belong on a test, staging and production server. Read more here: A Little Tale About Website Cross-Contamination.



10) Change the file permission on important WordPress and Server Files

This last one is for very advanced users and administrators. Do not attempt to change file permissions unless you know perfectly well what you’re doing, or you could lock everyone out of your site. You should change the permissions for the 5 files listed below as soon as you install your WordPress site.

Permission  Mode         Filename
600         -rw-------   /home/user/wp-config.php
604         -rw----r--   /home/user/cgi-bin/.htaccess
600         -rw-------   /home/user/cgi-bin/php.ini
711         -rwx--x--x   /home/user/cgi-bin/php.cgi
100         ---x------   /home/user/cgi-bin/php5.cgi
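Rather than setting these modes once and hoping they stay put, an administrator can audit them on a schedule. The following Python script is an added example (not from the original article): it compares each file in the table above against its target mode, reports files that drift or are missing, and can apply the fix. The demo builds a constructed site tree under a temporary directory with the common 644 default so the audit has something to report; the home directory path is an assumption passed in by the caller.

```python
import os
import stat
import tempfile
from pathlib import Path

# Target modes from the table above, as paths relative to the site's home directory.
EXPECTED_MODES = {
    "wp-config.php": 0o600,
    "cgi-bin/.htaccess": 0o604,
    "cgi-bin/php.ini": 0o600,
    "cgi-bin/php.cgi": 0o711,
    "cgi-bin/php5.cgi": 0o100,
}


def audit_permissions(home, expected=EXPECTED_MODES):
    """Return findings as (relative path, expected mode, actual mode); actual is None if missing."""
    findings = []
    for rel, want in expected.items():
        p = Path(home) / rel
        if not p.exists():
            findings.append((rel, want, None))
            continue
        actual = stat.S_IMODE(p.stat().st_mode)  # permission bits only, no file-type bits
        if actual != want:
            findings.append((rel, want, actual))
    return findings


def fix_permissions(home, expected=EXPECTED_MODES):
    """Apply the expected mode to every drifted file that exists; return the paths changed."""
    changed = []
    for rel, want, actual in audit_permissions(home, expected):
        if actual is None:
            continue  # nothing to chmod; the missing file is still reported by the audit
        os.chmod(Path(home) / rel, want)
        changed.append(rel)
    return changed


def format_findings(findings):
    """Render findings as human-readable lines for a cron mail or log."""
    lines = []
    for rel, want, actual in findings:
        got = "MISSING" if actual is None else f"{actual:03o}"
        lines.append(f"{rel}: expected {want:03o}, found {got}")
    return lines


def demo():
    """Build a constructed tree with loose modes, audit it, fix it, and audit again."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "cgi-bin"))
        for rel in EXPECTED_MODES:
            if rel == "cgi-bin/php5.cgi":
                continue  # deliberately left missing so the report shows that case
            path = os.path.join(home, rel)
            Path(path).write_text("# constructed placeholder\n")
            os.chmod(path, 0o644)  # the usual default, too loose for wp-config.php
        before = audit_permissions(home)
        fix_permissions(home)
        after = audit_permissions(home)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *format_findings(before), sep="\n  ")
    print("after:", *format_findings(after), sep="\n  ")
```

One caveat worth stating before running this against a live site: mode 600 on wp-config.php only works when PHP executes as the file's owner (CGI/FastCGI with suEXEC, or a per-user PHP-FPM pool). On a shared mod_php setup where the web server runs as a different user, that setting makes the file unreadable and the site will stop loading; that is exactly the lock-out the warning above refers to, so check how your host runs PHP first.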


Last but NOT least: We highly recommend using a WordPress maintenance service like WP-MONITOR.

We back up your site every night, we update all your WordPress files, we monitor your site to make sure it’s up and running, we clean your site of Malware, and we will restore your site if needed.

We hope that this information has been helpful, and we look forward to continuing to work with you to keep your site clean of any Malware infections!

Here are a couple more articles from WordPress related to security:

Changing File Permissions

Hardening WordPress