First off, if you’re trying to learn how to hack WordPress I have to tell you upfront that you’re out of luck. Right out of the box it’s nearly impossible to hack WordPress for the average user, but there are still a number of ways to do it if you’re dedicated, or if the website owner has left the door open. So let’s start by looking at what a website owner should do to protect against people who want to hack WordPress, as well as how to hack into it if you’ve lost your keys.
To help protect your website further, take the time to install an external two-step authenticator on your website. Two-factor logins make it really hard to hack a WordPress website because they force your website to rely on another service, such as Google or SMS messaging, to generate a unique, time-sensitive code for users to log into your website.
Doyouhavethetimetolistentomywine (a simple play on Green Day);
thereareatleastfivereasonsiloveyou (you’re free to guess what they are);
Remember that securing your WordPress website isn’t just about the user prompt for your WordPress admin. You also need to protect WordPress from hacking attempts in a number of other places:
your WordPress admin account;
your WordPress authoring account (yes, they should be separate);
your MySQL database password;
your SFTP login password;
your cPanel, hosting management, and billing login;
your domain name registrar;
Protecting your WordPress files through proper management
Now that you’re reasonably sure your connection to the website is secure, and your hosting company is reliable, it’s time to look at how to protect your actual files from hackers. When it comes to hacking websites, this is the next place people will attack.
If you take the time to look at an average 404 error log (a 404 error is a file not found error), you’ll likely see a stream of errors for files such as timthumb.php, database.sql, or backup.zip. These are the results of bots (automated robots) scanning websites for known vulnerabilities. If you see these in your web logs, there is a very good chance that hackers are scanning for a backdoor into your site and it’s time to take action:
ensure none of your plugins are writing backups to your server;
be sure your hosting company is not doing backups directly to your public_html directory;
review the contents of your website directory regularly for backups;
remove any unused plugins, themes, or extensions;
set your WordPress file permissions properly;
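As an added example (not code from the original article), the Python script below scans access-log lines in the combined log format for the probes described above, and separates ordinary scanner noise (404) from the case that needs immediate action: a backup or dump file that was actually served. The sample log lines, the IP addresses, and the extensions beyond timthumb.php, database.sql and backup.zip are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:04:11:02 +0000] "GET /wp-content/themes/old/timthumb.php?src=x HTTP/1.1" 404 512 "-" "bot/1.0"
203.0.113.7 - - [12/Mar/2024:04:11:03 +0000] "GET /database.sql HTTP/1.1" 404 512 "-" "bot/1.0"
203.0.113.7 - - [12/Mar/2024:04:11:04 +0000] "GET /backup.zip HTTP/1.1" 200 48211934 "-" "bot/1.0"
198.51.100.23 - - [12/Mar/2024:09:30:41 +0000] "GET /about-us/ HTTP/1.1" 200 10432 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:09:30:55 +0000] "GET /old-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

# client IP, request target and status code from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3}) ')
# File names from the article plus common backup/dump extensions (assumed list).
PROBE_RE = re.compile(r'(?:^|/)(?:timthumb\.php|[^/]*\.(?:sql|zip|gz|tgz|tar|bak|old))$', re.I)

def scan(log_text):
    """Return (probes_by_ip, exposed).

    probes_by_ip: probe paths per client that got a 404 (scanner noise).
    exposed: (ip, path) pairs where a probe path was served with a 2xx status.
    """
    probes, exposed = defaultdict(list), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if not PROBE_RE.search(path):
            continue  # ordinary request, including ordinary 404s
        if status == "404":
            probes[ip].append(path)
        elif status.startswith("2"):
            exposed.append((ip, path))
    return dict(probes), exposed

if __name__ == "__main__":
    probes, exposed = scan(SAMPLE_LOG)
    for ip, paths in probes.items():
        print(f"scanner {ip}: {len(paths)} probe(s) -> {paths}")
    for ip, path in exposed:
        print(f"EXPOSED: {path} was served to {ip}; remove it from the web root")
```

Any entry in the second result means a file of that name exists in the public directory and has already been downloaded, so treat its contents (database credentials, user tables) as disclosed.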
Once you’re sure your website is as safe as possible, remember to move your wp-config.php file out of the public_html directory to protect it from hackers. By default, WordPress will scan not only your hosting directory but the directory above it for your WordPress configuration file.