WordPress Security Measures That You Can’t Miss!

Get peace of mind by fully securing your installation of WordPress with these “need to know” tips and tricks! This guide literally includes *everything* you’ll need to fully secure your WordPress blog or website.

WordPress Security Tips On This Page:
  1. Rename “Admin” to Something Else
  2. Change your Default WordPress Database Prefix
  3. Be Fully Upgraded At All Times
  4. Use Robots.txt to Disallow Access
  5. Use .htaccess to Protect WordPress
  6. Create A Separate .htaccess File for WP-Admin
  7. Drop A Blank HTML File Into Your Plugin Folder
  8. Password Protect WP-Admin on the Server Side
  9. Remove All “WordPress” References
  10. Beware of CHMOD 777

Rename “Admin” to Something Else

Remove this generic name as your administrator login
Wordpress admin

When you first create a WordPress site or blog, the default login that most people create is a default account called “admin.” Be sure NOT to do this, since it’s not mandatory to name your admin account “admin.” Instead, use a different name as your administrator login.

If you use “admin,” you’re using the most common login that hackers will attempt to get in with, and you’ll make the job 50% easier on them if you do! If you’ve already named your account “admin,” simply go into your “users” menu, create a new user and give it administration rights, then remove the default account.

Change your Default WordPress Database Prefix
A 5 second change to remove yet another default
Wordpress database prefix

When installing WordPress, you’ll have the option of using the default “wp_” as your table prefix (i.e., wp_comments, wp_links, wp_posts, etc.) You can change this to something else if you’d like – it’s another measure toward straying away from default attributes.

It’s easy. Just open wp-config-sample.php, find the prefix area as seen in the screenshot, and change “wp_” to something else, like “me_” or “cool_” or whatever you want. It’s yet another measure that makes things very difficult on hackers. Don’t forget, this file will have to be renamed to “wp-config.php” before you install WordPress.

If it’s too late and you’ve already created a site with an active database, you can still make the change: here’s an in-depth article showing you how. It’s not too painful, either 🙂

Be Fully Upgraded At All Times
Being up-to-date = being secure
Update WordPress

Sorry to repeat the same thing you’ve already gotten drilled into your head – but by having the most recent version of WordPress and all of its plugins, you’ll make a huge stride toward having a secure site. Vulnerabilities are always exploited by hackers. When a new version of WordPress is out, it will notify you via a site stripe at the top of your admin panel. Now that WordPress has its own auto-upgrade function, it’s easier than ever.

Use Robots.txt to Disallow Access
Block places that search engines don’t need to index
Wordpress robots.txt

Robots.txt is used to tell search engines which folders of your site they should not look into for spidering purposes. You’ll want to tell them not to look into folders that are unnecessary for them, such as the “/plugins” and “/wp-admin” folders. Simply copy and paste the code below into a Notepad document, and save it as “robots.txt”, then add it to the root directory of your WordPress site:

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

Use .htaccess to Protect WordPress

Add this code at the beginning of your .htaccess file to protect WordPress from script injections:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Add this code at the end of your main .htaccess file to protect “wp-config.php” from bad bots:

<files wp-config.php>
order allow,deny
deny from all

Add this tiny line of code to disallow anyone from seeing a directory tree of your sub-folders:

Options -Indexes

Create A Separate .htaccess File for WP-Admin
Only YOU can get in, now!
Wordpress .htaccess

I’ve learned this one from Google engineer & popular SEO blogger, Matt Cuts. By creating an .htaccess file just for your WP-Admin folder, you can block all IP addresses except the ones you specify. If you don’t know what your computer’s IP address is, check it here instantly. Here’s what the contents of this file should look like (just open up Notepad, and copy & paste this in…then, replace the dummy IP’s with the ones from your other home or work computers):

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# IP address of my 2nd home computer
allow from
# IP addresses of my two work computers
allow from
allow from
# IP address at my uncle’s house
allow from

Drop A Blank HTML File Into Your Plugin Folder
Give ’em the white screen of death
This is the oldest trick in the book. Open up Notepad. Don’t type anything in, and just save the blank page as “index.html.” Then, simply save this file into directories such as ..wp-content/plugins (new versions of WordPress SHOULD already have one in there, that says “Silence Is Golden” within it). By doing so, you’re preventing anyone from seeing a list of your plugins. Exploiting WordPress sites with outdated plugins is one of the most common attacks, and this will help mask some information.

Password Protect WP-Admin on the Server Side
A 2nd brick wall they’d have to get through
This will be a minor annoyance to you, but a great additional barrier for the security of your site! On your web server, get into your WordPress site’s account. Find the option for “Password Protect Directories” (this is what it’s called in cPanel, but it might be named differently on another platform). Password protect the directory “wp-admin.” Give it a unique password, and write it down.Now, if someone attempts to visit YourSite.com/wp-admin, they’ll get nothing but a white screen and a pop-up box from the server, asking for a username and password. Unless they know of these, they’ll never be able to see the WordPress admin log-in screen. Of course, this will now give you two passwords you’ll have to enter in order to edit your site (the server password and the WordPress admin password), but you can have your browser “remember” all of these so that you don’t have to type them in every time. Just don’t lose the passwords!

Remove All “WordPress” References
…because nobody needs to know it’s WordPress
This is a simple one: go into your footer.php file and remove anything that says “Powered By WordPress.” Remove any script that might be displaying what version you have, too. Hackers search the internet for “powered by wordpress” and will attack everything that comes up.As much as we all love WordPress, you might also want to refrain from putting anything in your footer that says “Proudly made with WordPress” or anything of that nature.

Beware of CHMOD 777
When giving too much permission goes bad

When you CHMOD your WordPress files, be sure you know what you’re doing, and what changes you’ve made. The most dangerous CHMOD code is 777, which gives all groups and users full read, write and execute permissions to a folder or file. This is the level of access that hackers would need in order to inflict a lot of damage on your site, depending on what it’s applied to.

Many folders need to be write-able (755) in WordPress in order for certain things to function. Just be wary of assigning a 777 to anything. For a more technical look at WordPress CHMOD defaults and security recommendations, see this section of the Changing File Permissions section.

WordPress Security Plugins
Keep WordPress trouble free with these plugins
WP Security Scan plugin
This free plugin will analyze your WordPress installation, and report back any vulnerabilities.
Bad Behavior plugin
Run this plugin alongside Akismet for the ultimate spam-stopping site! It’s free, of course.
Official WordPress CAPTCHA plugin
Force your commenters to fill out a CAPTCHA phrase before submitting a comment with this free plugin.
Feed Footer plugin
A free plugin that inserts a link to your site at the end of every RSS entry for your WP pages, so that content scrapers unknowingly link back to you!

More WordPress Security Measures
Further tweaks to secure your WordPress installation
Hardening WordPress
It’s a WordPress security tutorial written BY WordPress! A must-read.
Rename the /wp-admin folder to something else
This tutorial shows you how to rename the /wp-admin folder so that suspecting hackers (or people snooping around) won’t see anything if they visit “yoursite.com/wp-admin”. Has a few minor setbacks, though.
WordPress security tweaks
A list of several other advanced security tweaks for WordPress

Related articles

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s