WordPress Security – A Comprehensive Guide

WordPress SecurityKeeping your WordPress installation secure is usually not something a lot of people spend a great deal of time on. However, I believe WordPress security, tightening up the place should be your first priority every single time you install WordPress. No exceptions.

With the recent Pharma hack, more info about it plus a solution on Chris Pearson’s blog, going round I thought it was time to focus on WordPress security today. There are a lot of things you can do build extra layers of security for your WordPress installation.

There are a few different layers involved to secure your WordPress installation. I shall list them grouped together as much as possible.

Server-side & .htaccess

WordPress security starts of course by using a proper hosting company. If a server setup is not secure by default then no amount of security measures is going to keep unwanted visitors out. Please look around before you decide which hosting partner will work best for you.

.htaccess Lockdown

Your .htaccess file can be used for a lot of neat stuff, but most certainly should be deployed to stop hackers from getting in. The .htaccess lockdown allows for you to specify which IP addresses can be used to access your admin dashboard.

Adding the following lines of code will help you doing this:
[code]AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 123.456.789.012[/code]

The 123.456.789.012 part should be replaced with your IP address. Not sure what your IP address is? A visit to What’s My IP will help you out. For an even more extensive solution visit Blog Security.

Disabling Directory Browsing

Some server setups will allow directory browsing, which means that you can see the contents of, say, your plugins folder at http://yoursite.com/wp-plugins/. Disabling this can be quickly done by adding the following piece of code to your .htaccess file:

[code]Options All -Indexes[/code]

Secure .htaccess

It should be obvious by now how important a secure .htaccess file is. Firstly you should restrict the file permissions to CHMOD 644.
Log onto your server with your favorite FTP browser and navigate to the root of your domain (Usually this in the public_html folder, unless you have setup your blog installation in its own folder). Find the .htaccess file and right-click the file and set permissions to 644.
The second method – and I would do both – is to add the following code to the very bottom of the content of your .htaccess file:

[code]<Files wp-config.php>
Order Deny,Allow
Deny from All

This is basically only allowing your .htaccess file to access your wp-config.php file.

For more specific and advanced Apache hardening techniques checkout Ask Apache on WordPress and Perishable Press 3G Blacklist.

Optimizing your wp-config file

Optimizing your .htaccess file is a good start, but next your wp-config.php should get some love.

Moving your wp-config file

Starting from WordPress 2.6, you can move your wp-config.php file to one directory above the current location. WordPress will check automatically if the wp-config file is not found in the WordPress directory one directory above the current one.

Change the WordPress table prefix

When installing WordPress the table prefix is wp_ by default. Upon installation it’s easy changing this so something custom, like i.e. blpro_, but it’s a bit harder to do when you already have your site up and running. This is where the plugin WP Security Scan comes to the rescue. This plugin will allow you to change the prefix to a custom one. This way you have given hackers trying to hack into your installation one extra hurdle.

Define Your Secret Keys

When you look in your wp-config file you will find a section that says this:

* Authentication Unique Keys.
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
* @since 2.6.0
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

The link mentioned here provides you with a new set of rules which you can replace the bottom four define rules with, like this:

[code]define(‘AUTH_KEY’,’lj+_ .[6c1=13n rhZBhjXd0o|miL<baCpYhqZrl}o2a|irZy-]Wy8PYW+a]zE]5′);
define(‘SECURE_AUTH_KEY’,’s8p1+WgH0{Ph/)Vr;pFggsp{xoh8Cy>>#/+]EJ|P|yQfS* /SJO7XuK#G3&f1rnZ’);
define(‘LOGGED_IN_KEY’,’h$eIl%#nZ|.}z-U)Z:O$u,y c[N;7^j-x,)Zs*wUHheGO-(KKpONVC664X$uO$Mt’);
define(‘NONCE_KEY’,’d=>/Uh@%RnZ|*<bGq[2<_R@spP*oE[7oE?<#%xyoowmU0XzxK DjhyLXLcifX32k’);[/code]

With this step you have made your login passwords a lot stronger than before. Don’t copy the line above, but simply visit https://api.wordpress.org/secret-key/1.1/ for you personal Secret Keys.

WordPress Security plugins

There are many WordPress Security plugins out there, thankfully. I will list the most important ones, plugins I all use on a day to day basis here.

WP Security Scan

WP Security Scan scans your WordPress installation for security vulnerabilities and suggests corrective actions. This is what the plugin will do and look at:

  • passwords
  • file permissions
  • database security
  • version hiding
  • WordPress admin protection/security
  • removes WP Generator META tag from core code

Download WP Security Scan

Login LockDown WordPress Security

Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
Download Login LockDown WordPress Security

Stealth Login

This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login url on your homepage, you can create a url of your choice that can be easier to remember than wp-login.php, for example you could set your login url to http://yoursite.com/login for an easy way to login to your website.
Download Stealth Login

AntiVirus for WordPress

AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. Some of its features include: monitors possible platform vulnerabilities, virus injections, malicious links, etc. It can also send you email notifications and whitelisting.

Download AntiVirus for WordPress

General Precautionary Measures

This is just a short list of general precautionary measures:

  • Always have your WordPress software and WordPress plugins updated to the latest version.
  • Got any unused WordPress themes and WordPress plugins installed but not activated? Delete them!
  • Always use a strong password. Check out this guide on choosing a strong password at the Blog Herald.
  • Ditch that admin account and make it a lot harder for hackers to guess your login.
  • Use correct file permissions on your WordPress files. General rule is that Files should have a CHMOD value of 644 and folders 755.
  • Back up your WordPress database on a regular basis. Any of these plugins will do the job for you in an automated fashion

Sources & Extra Resources

5 Minutes and Counting

WordPress claim to a quick and easy installation of 5 minutes still stands. But, you can easily see how adding a few extra layers of security easily adds a bit of extra time after the installation. Time very well spent though. So what’s your thought? Have I forgotten your favorite WordPress Security tip?

Author: Remkus de Vries

Remkus de Vries is a Dutch WordPress specialist and also knows a thing or two about WordPress onderhoud.

Find out more about him on his personal blog.

Comment with Your Facebook Account


  1. Its so easy for us non-techies to just assume that WP is strong enough straight out the box. Probably because few of us want the extra learning curve.

    Very nice post with some great info. I had never even heard of anti-virus for WP before.



    • Agreed, there is a bit of a learning curve on some of these solutions, but you come out so much stronger when you do decide to implement as many as possible. Glad you liked it!

  2. Thanks for this, it’s very timely! I seem to be part of the odd QQ829.com attack from China and hope it’s not to late to lock down my site’s security.

    • It’s never too late to lock down. Just make sure you use the WordPress plugins I mention to check whether your security wall has been breached already!

  3. Rutger says:

    Another great blogpost! Thanks.

  4. Thanks for this post – I am doing everything on it! McAfee Site Advisor marks my site as dangerous – any ideas why? I have contacted them, but until they get back to me I want to do anything and everything to fix this.

    • I’m not familiar with McAfee Site Advisor, but if you get warnings when visiting your site in Chrome and Firefox as well, than most likely your site has been compromised. Be sure to you use the WordPress Security Plugins I mention to scan through your installation.

  5. thnks for all, nice object

  6. Well written article! I hope more WordPress users will be vigilant and care enough to implement these security measures on their blogs.

    Btw, another security plugin that you can install along with the ones you already listed is the WordPress Firewall plugin. It detects remote arbitrary code injection, directory traversal attacks and SQL injection attacks and more. Really effective plugin.

  7. That is a very good post. I have several blog powered by wordpress. I used all steps mentioned in wordpress community to secure my blogs. After reading your blog I am more knowledgeable to secure my blogs. Thanks

  8. Thanks for the tips, they are especially useful after being hacked over the weekend. heck I’ve written plugins, and designed themes, and thought it couldn’t happen to me – even us more experienced wordpress geeks are prone to attacks..

    I had a base64 encoded msg injected into the top of EVERY freaking php file on my server – which included 4 blogs… luckily godaddy has a good mechanism for restoring files to previous dates.. though their tech support sucks.

  9. Remkus,

    Most people simply implement WordPress without giving concern to security. They feel that WordPress is secure right out of the box. This is a great article to remind us of the extra steps for WordPress Security.


  10. I’m confused with ht.access. What happens if I enter a wrong IP address or if my address is a dynamic IP?

  11. Eyal Estrin says:

    Check out my step-by-step guide for hardening WordPress 2.9.2

  12. Mario A says:

    Fantastic article Remkus. Written for those who are not well versed in CSS. Easy to understand. Carefully chosen words. Fantastic. Thank you.

  13. Are there any suggestions for hardening wp 3.1? or even 3.11? I’m hesitant to upgrade to 3.11 until I know all my plug-ins will work, but would be curious to know if the tips on security and links to the hardening info would also apply to 3.1 and/or 3.11 – thanks1

  14. Pretty good list of security tips. For those who don’t think such tips are necessary to implement, check out this article about WordPress Security Statistics – that might give you some pause for thought.

    Here’s another one for folks who think that there’s no such thing as security through obscurity: WordPress Security Through Obscurity? .

    Thanks for the tips!

  15. PaulJ says:

    Some of these issues are tested with this free security scan http://hackertarget.com/wordpress-security-scan/

    I ran it against my hosted blog and found some serious issues. Its making me consider changing to a virtual server that I can manage.

  16. One of my sites got flagged for someone sneaking in a phishing page… can’t find it with the File Manager tool in Cpanel (it’s the site’s main URL/~novoor1/index19.htm) – any iideas? Is this something that would have been caught by one of these scans? The web hosting company support person is aware of the issue and can’t find it either to delete, but the URL ‘works’ and brings up a phishing page… 🙁

  17. This is one of the best answer so far, I have read online. No crap, just useful information. Very well presented.Thanks for sharing with us. I have found another nice post over the internet which also explained very well, check this link…


  18. thanks for share!

  19. Adoro me mostrar peladinha na web cam

  20. Great article about protecting your WordPress site, we have written something similar to this on our blog. http://www.lucidagency.com/wordpress/quick-guide-to-securing-wordpress-from-malware-and-hacking/

  21. WordPress Security is our speciality, great reading. I definitely enjoy coming over to bloggingpro to read some of the latest news on plugins for WordPress.

    You really did provide a good general overview of some tips and suggestions that people can do to protect themselves. Security is a huge thing nowadays – not just with large corporations but even eCommerce mom & pop stores that run online.

  22. Woah! I’m really enjoying the template/theme of this website.
    It’s simple, yet effective. A lot of times it’s hard to
    get that “perfect balance” between superb usability and appearance.
    I must say you have done a fantastic job with this.
    Additionally, the blog loads super quick for me on Chrome.

    Outstanding Blog!

Leave a Reply to Rutger Cancel reply


Please prove you're human *