Step 1 : Create a backup of your site.
If you have cPanel you can do this with the backup manager.
If not we would recommend “backup buddy”, a WordPress plugin you can find with a google search.

Step 2: Update WordPress Version
This is critical because WordPress issues updates that close security vulnerabilities; it’s things like this that could keep your site healthy!

Step 3 : Change Your Login/Password
The default WP username is “admin” and hackers know this. So you should change it to something more personal for eg. “DanielStar” or “Keith23”. Best thing to do is to add that new user and make it a admin the delete the original login of “admin”

We would suggest really strong passwords (These should incluse UPPER and lowercase letters, numbers, and symbols) for eg like “D@ffd1ls” or “KangaR00#4”

Most hackers try to brute-force your passwords so if it is really strong you should be fine in that regard.

Step 4: Change your WordPress Keys
Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.
Use the WordPress Key Generator to generate mentioned keys. Now edit your wp-config.php file and fine the lines that look like:

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
and replace them with the ones from the Key Generator.

Save and you’re good to go.

Step 5: Install WP Security Scan
This plugin is great and makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code.
If the plugin shows your text as green you should be good. However, if they are not green you will have to fix the problem to make them green.

Step 6: Change Table Prefix
— Warning! Make a backup of your database before continuing. —
The default prefix for a WP website is “wp_” This makes it so sql injection hacks are easy for the hacker because it is easy to guess.

A good prefix would be “myweb34_” or “nature20_” this is a highly recommended change and you can do this with the WP Security Scan Plug-in.

WP Security Scan has a tab called “Database”. Once you open that tab you have the option to rename your entire prefix to something secure.

Step 7: Restrict Search Engine bot to scan restricted areas
Prevent WordPress hacks by blocking search engine spiders from indexing the admin area. Spiders crawl all over your site structure unless they are told not to, and we don’t want that.

The easiest way to prevent spiders from indexing the admin area is to create a robots.txt file in your public_html folder with the following lines of code.

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

[divider type=”smallmargin”]

Step 8: Prevent .htaccess Hacks

.htaccess (hypertext access) is the default name of directory-level configuration file that provides decentralized management of configuration while inside your web tree.

.htaccess files are often used for security restrictions on a particular directory.

So let’s secure your .htaccess!

First we want to protect the .htaccess file itself so add the following (Do this for all .htaccess files you have in root and or create)

# STRONG HTACCESS PROTECTION
order allow,deny
deny from all
satisfy all
Public_html .htaccess below

Now lets secure your config.php by adding:

# protect wp-config.php
Order deny,allow
Deny from all
Now lets prevent the hacker from browsing your directory tree by adding

# disable directory browsing
Options All -Indexes

Lets prevent some script injections now:

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Go to your /wp-content folder. Lets limit access to the wp-content directory by creating a .htaccess in the wp-content folder and adding:

Order deny,allow
Deny from all
Allow from all

Go to your /wp-admin/ folder. Now if you have a static IP I would recommend creating a .htaccess in your wp-admin folder with the following (replace x’s with your STATIC IP)

# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx
deny from all
Replace the X’s with your IP.

Step 9: Install WordPress Firewall
You can install WordPress Firewall 2 – this actually prevents most hacking attempts. Use with care, however, because you can lock yourself out of your site!

Hope this helps anyone having WordPress security issues, or people who DON’T want to have them.

Step 10: Remove the unwanted plugins and themes
The plugins and themes are most often the weakest link beyond brute force or stolen pw’s, not hacked wp core files. The path to the core is started by first exploiting the plugins/themes.
The best thing you can do to secure your wordpress is to delete all the old themes and plugins that you are not using. Then update the ones that you are using. If there are no recent updates, or your plugin hasn’t been supported for many moons, then de-activate and delete it. If your wordpress is up2date, but your old themes or plugins are not updates, it might prove as an exploit for hackers to take advantage of.

Delete old themes and plugins: This is an extremely common problem. People try out many themes, then choose one and activate it. Then they leave the others and ignore them. There are many popular exploits that take advantage of un-activated themes. Even the themes that come pre-packaged with wordpress are often easily hacked.