How To Secure WordPress From Hackers

This post is intended to provide you with a list of plugins that I use to secure my various WordPress sites from hackers. I have had a few of my and my friends' sites hacked recently, with most of the attacks taking advantage of the timthumb.php exploit to inject malicious files and scripts into various locations on my servers. These plugins will help you secure yourself from all kinds of potential attacks and give you peace of mind at night.

Timthumb Vulnerability Scanner

This plugin is a must if you are running a WooThemes theme on your WordPress site. WooThemes uses the timthumb.php, or thumb.php, script to dynamically resize images for your users. The plugin will scan your server for instances of timthumb.php, look at the version installed, and give you the option to update to the latest, secure version, all from the same settings window. It is really easy to close this security hole.

Download the plugin here or just search for “Timthumb” from your WP admin dashboard, install and activate it.

Once installed, you will see a new menu item under the Tools menu:

They make it really easy to scan your site for out-of-date timthumb.php files. Just click “Scan!” and wait for the results to show up:

If you have vulnerabilities (that is, scripts that are out of date), it will show you the list of files in the results window. All you have to do is check the checkbox at the top and click “Upgrade Selected Files” to automatically bring them up to the latest version.

It will also output a list of suspected files that have been compromised and should be deleted. Follow their instructions, as these are usually the injected .php scripts that the hacker uses to run code using your server resources.
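As an added illustration of the check the scanner performs (this is not the plugin's own code), the script below walks a directory tree, finds copies of timthumb.php or thumb.php, reads the VERSION constant each one declares and compares it with a minimum version you pass on the command line. The constant name and the minimum version are assumptions, not values from this post.

```php
<?php
// Added example, not code from the Timthumb Vulnerability Scanner plugin.
// Assumption: timthumb.php declares its version as   define ('VERSION', '2.x.y');
// Usage: php timthumb-check.php /var/www/html 2.8.14   (minimum version is your choice)

function timthumb_version(string $path): ?string {
    $src = file_get_contents($path);
    if ($src === false) {
        return null;
    }
    // Match the VERSION constant; tolerate either quote style and optional spaces.
    if (preg_match("/define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9.]+)['\"]/", $src, $m)) {
        return $m[1];
    }
    return null;
}

// Returns [path => version-or-null] for every timthumb.php / thumb.php under $root.
function find_timthumbs(string $root): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $name = strtolower($file->getFilename());
        if ($name === 'timthumb.php' || $name === 'thumb.php') {
            $hits[$file->getPathname()] = timthumb_version($file->getPathname());
        }
    }
    return $hits;
}

$root    = $argv[1] ?? getcwd();
$minimum = $argv[2] ?? '0.0.0';   // pass the version the plugin reports as current

foreach (find_timthumbs($root) as $path => $version) {
    if ($version === null) {
        echo "UNKNOWN  $path (no VERSION constant found; inspect by hand)\n";
    } elseif (version_compare($version, $minimum, '<')) {
        echo "OUTDATED $path ($version < $minimum)\n";
    } else {
        echo "OK       $path ($version)\n";
    }
}
```

A file named timthumb.php with no VERSION constant is reported separately rather than marked OK, since a renamed or modified copy is exactly what you want to look at by hand.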

BulletProof Security

BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. It also provides one-click .htaccess WordPress security protection. It protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. It gives you the ability to have one-click Website Maintenance Mode (HTTP 503). It also performs additional website security checks: DB errors off, file and folder permissions check.

This plugin provides the backend lockdown that isn’t there by default when you install WordPress out of the box. This plugin is very easy to install, activate and configure.

You can download it here or just search for “Bulletproof Security” from your WP admin dashboard, install and activate it.

Once you have it installed, you will see a new menu item on the left called BPS Security:

They provide a really easy process to create the backup default .htaccess file, and the secure .htaccess file. Just click “Create default .htaccess file” and click OK when you see the Pop-Up window. Then click on “Create secure .htaccess file” and click OK when you see the Pop-Up window again.

The next step is to “Activate Website Root Folder .htaccess Security Mode”, which again is an easy, one-click process. Select the “BulletProof Mode” radio button, and click “Activate” to make the secure .htaccess live.

Repeat these steps for the “Activate Website wp-admin Folder .htaccess Security Mode”, “Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder”, and the “Activate Deny All htaccess Folder Protection For The BPS Backup Folder” options.

Now, click on the “Security Status” tab along the top row, and look for any red items to address. If you see this:

all you have to do is click the “Backup & Restore” tab along the top menu bar to back up your .htaccess files. Just follow the instructions in the window to make your backups.

Secure WordPress by Website Defender

This free plugin is a security tool that helps you secure your WordPress installation and suggests corrective measures for: strengthening passwords, securing file permissions, security of the database, version hiding, WordPress admin protection and lots more. Here’s a snippet of what it does for your WordPress installation:

Key security features:

  • Easy backup of WordPress database for disaster recovery
  • Removal of error-information on login-page
  • Addition of index.php to the wp-content, wp-content/plugins, wp-content/themes and wp-content/uploads directories to prevent directory listings
  • Removal of wp-version, except in admin-area
  • Removal of Really Simple Discovery meta tag
  • Removal of Windows Live Writer meta tag
  • Removal of core update information for non-admins
  • Removal of plugin-update information for non-admins
  • Removal of theme-update information for non-admins (only WP 2.8 and higher)
  • Hiding of wp-version in backend-dashboard for non-admins
  • Removal of version in URLs from scripts and stylesheets only on frontend
  • Reporting of security overview after WordPress blog is scanned
  • Reporting of file permissions following security checks
  • Strong password generator tool to protect from brute force attacks
  • Integrated tool to change the database prefix
  • Disabling of database error reporting (if enabled)
  • Disabling of PHP error reporting
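Several of the items above are plain WordPress hooks. The must-use plugin below is an added example (not Secure WordPress's own code) that reproduces the version hiding, the meta tag removal, the login error change and the update nag hiding with core WordPress actions and filters; the file name and the `hh_` prefix are my own choices.

```php
<?php
/**
 * Plugin Name: Hardening hooks (added example, not the Secure WordPress plugin)
 * Save as wp-content/mu-plugins/hardening-hooks.php so it loads before other plugins.
 */

// Remove the generator meta tag (wp-version), the Really Simple Discovery link
// and the Windows Live Writer manifest link from the <head> of every page.
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');

// Blank the version string that the_generator() emits in feeds and elsewhere.
add_filter('the_generator', '__return_empty_string');

// Strip ?ver=x.y.z from script and stylesheet URLs on the frontend only;
// the admin area keeps it so cache busting of dashboard assets still works.
function hh_strip_version(string $src): string {
    if (is_admin()) {
        return $src;
    }
    return remove_query_arg('ver', $src);
}
add_filter('script_loader_src', 'hh_strip_version');
add_filter('style_loader_src', 'hh_strip_version');

// Replace the detailed login error (which distinguishes an unknown username from a
// wrong password) with one generic message, so the form does not confirm which
// accounts exist.
add_filter('login_errors', function () {
    return __('Login failed.');
});

// Hide the core update nag from users who cannot apply updates anyway.
// update_nag is registered by core at priority 3, so it must be removed at that priority.
add_action('admin_init', function () {
    if (!current_user_can('update_core')) {
        remove_action('admin_notices', 'update_nag', 3);
        remove_action('network_admin_notices', 'update_nag', 3);
    }
});
```

This covers the information-disclosure items in the list; the backup, database prefix and file permission checks are separate features that the plugin's admin screens handle.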

You can download it here or just search for “Secure WordPress” from your WP admin dashboard, install and activate it.

The nice part about this plugin is that it also has a form built into its admin area where you can quickly create an account with Website Defender to monitor your site for malware, suspicious security issues, and much, much more. It will email you reports of plugins that need updating, files that are added or deleted, permission changes etc. Think of it like a big brother that watches your server for you and tells you when something is happening. A nice little watchdog!

Antivirus

Antivirus is a plugin that scans your files on your computer looking for malicious code that a hacker injects into your PHP files. This is a great tool to use if you have been hacked to track down hidden, known malicious code.

You can download it here or just search for “Antivirus” from your WP admin dashboard, install and activate it.

Once activated, go to “Settings -> Antivirus” and click on “Scan the theme templates now” to have it check your template files. You can also configure it to scan daily, and email you the results so you are alerted if it finds new, malicious code.

You may find that Antivirus finds some false positives, so be sure to review its results, and click “There is no virus” so it ignores that piece of code in future scans.

WordPress Firewall 2

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this, but they are not always installed on web servers and are usually difficult to configure. This plugin is able to stop a lot of attacks on the way in, before they can be run against the WordPress server.

You can download it here or just search for “Firewall” from your WP admin dashboard, install and activate it.

Once activated, go to “Settings -> Firewall”. Leave the default filters configured, and make sure you enter your email address so attack reports can be sent to you. This allows you to email the ISP's abuse department with the hacker’s IP address so they can ban the account from their servers. I always send them a copy of the WP Firewall email to show what attacks are being launched from the ISP's or hosting provider's servers.

One last tip is to ensure your public IP address is added to the whitelist field, or you may find yourself redirected to the home page when you are editing theme files, or plugins from the editor window in the admin dashboard. I ran into this problem, and it stumped me for a while before I found this post while Google searching.

Wrap Up

Well, there you have it: my shortlist of the must-have WordPress security plugins to protect your site from hackers. If you have any that you use, please leave a comment below, and make sure you share this with your Facebook and Twitter networks if you found it useful.