Below is a list of security hacks you can apply to your WordPress blog/website to protect it from being hacked. As we all know, the WordPress folder and file structure is easy for any developer to understand, and attackers take advantage of that to inject malicious code into the website's core files. To protect your website from bot/hacker injection, you can implement the safety hacks below.
Highly recommended: take a complete backup of your website/blog files and database before implementing any of the security hacks mentioned below, to be on the safe side.
1. Protect your .htaccess file
Just place the code below in the .htaccess file in your website's root directory:
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
2. Secure the wp-config.php file
Simply add the code below to the .htaccess file in the root directory:
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
3. Limit Access to the wp-content Directory
Place the code below in the .htaccess file within the wp-content folder (not the root). Only the listed extensions stay reachable, so extend the list with any other static file types your themes and plugins serve (for example jpg, svg, woff), or those files will be blocked too:
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpeg|png|gif|js)$">
Allow from all
</Files>
4. No Directory Browsing
To stop this, simply add these two lines to the .htaccess file in the root directory of your WordPress blog/site:
# disable directory browsing (signed form only: mixing "All" with "-Indexes" is rejected by Apache at startup)
Options -Indexes
5. Prevent script injection by bot/hackers
Simply place the code below in your .htaccess file in the root directory:
# block script tags, GLOBALS and _REQUEST injection attempts in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
6. Restrict access to the wp-admin directory
Just place the code below in the .htaccess file inside the wp-admin directory, so that the match covers every file in it. Note that blocking wp-admin entirely also blocks admin-ajax.php, which some themes and plugins call for logged-out visitors, and that on Apache 2.4 these Order/Deny/Allow directives only work when mod_access_compat is loaded:
<FilesMatch ".*">
Order Deny,Allow
Deny from All
Allow from [Add your IP address (es) here]
</FilesMatch>
7. Allow access to the WP admin login only from your IP
To allow access to your website's login page from your IP only, through IP filtering, add the code below to the .htaccess file:
<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from [Add your IP address (es) here]
</Files>
8. Prevent malicious persons/bots from sending unwanted scripts straight to the heart of your website
Add this before # BEGIN WordPress in your .htaccess file:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
9. Disable editing PHP files from the dashboard
The dashboard file editor is where an attacker will concentrate after getting in through an access point, so just place the line mentioned below into your wp-config.php:
10. Change the default database table prefix
$table_prefix is placed before all your database tables. You can prevent SQL injection-based attacks by changing its value from the default wp_, for example:
$table_prefix = 'r235_';
Note: You can also use a plugin to change your WordPress website's database table prefix: https://wordpress.org/plugins/change-table-prefix/
11. Replace your WordPress Keys in wp-config.php
Just go to the WordPress Key Generator site to generate these keys. Now open your wp-config.php file, find the lines that look similar to the ones mentioned below, and simply replace them with the newly generated ones:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
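As an added example (not part of the original post), the small Python audit below checks items 10 and 11 against a wp-config.php and lints .htaccess snippets like those in items 6 to 8 for the copy-paste defects that make Apache refuse the file (typographic quotes, a dash instead of "-", a space in the Order argument, mixed Options). The sample file contents are constructed for the demonstration.

```python
import re

# Placeholder value shipped in wp-config-sample.php for every key.
DEFAULT_KEY_PHRASE = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")

# Constructed samples that still contain the defaults and the paste defects.
SAMPLE_WP_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
"""
SAMPLE_HTACCESS = """<FilesMatch \u201c.*\u201d>
Order Deny, Allow
Deny from All
</FilesMatch>
RewriteRule ^wp-admin/includes/ \u2013 [F,L]
Options All -Indexes
"""

def audit_wp_config(text):
    """Findings for items 10 and 11: default table prefix, default or short keys."""
    findings = []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    for name in KEY_NAMES:
        m = re.search(rf"define\(\s*['\"]{name}['\"]\s*,\s*['\"]([^'\"]*)['\"]", text)
        if m is None or m.group(1) == DEFAULT_KEY_PHRASE or len(m.group(1)) < 32:
            findings.append(f"{name} is missing, still the default, or shorter than 32 chars")
    return findings

def lint_htaccess(text):
    """(line number, message) pairs for pasted defects Apache rejects or misreads."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.search("[\u201c\u201d\u2018\u2019]", line):
            findings.append((lineno, "typographic quote; Apache expects straight quotes"))
        if "\u2013" in line or "\u2014" in line:
            findings.append((lineno, "dash character; the RewriteRule no-op target is a plain '-'"))
        if re.match(r"\s*Order\s+\w+,\s+\w+", line):
            findings.append((lineno, "space after the comma; Order takes exactly one argument"))
        if re.match(r"\s*Options\s", line):
            signed = [t.startswith(("+", "-")) for t in line.split()[1:]]
            if any(signed) and not all(signed):
                findings.append((lineno, "mixing 'All' with +/- options is rejected at startup"))
    return findings
```

Run both functions over the real files before restarting Apache; an empty result means the snippets pasted cleanly and the wp-config.php defaults have been replaced.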