Top 15 Ways to Secure Your WordPress Install


As the digital world takes over more of the real world, security (digital security, to be more specific) is becoming more and more important. Then there’s WordPress, which is becoming more and more popular (currently 19% of the web). Even web applications are starting to be built on top of it.

Private information and even credit card details are flying around, so obviously security is really important. There are a lot of steps we can take to make sure our WordPress installs are secure.

Keep Everything Up To Date

Number one is the obvious stuff: keep everything up to date. Keep your WordPress install up to date and keep all your plugins up to date.

As time goes on, hackers figure out ways to breach current software, while the developers (most of them at least) work to keep their code up to date with the latest standards. A lot of hacked sites are the result of out-of-date plugins or WordPress installs.

Don’t Use “admin” as a Username

Next is your admin login. You’d be surprised how much can be reached from the admin login: any of your theme files, for a start. PHP can be injected in there, so someone could take down your whole site just by having that login. So you don’t want your username to be admin, which is the default. Change your username to something more specific to you.

Strong Password

The password also needs to be a strong one, which today means upper and lower case letters with a sprinkling of symbols and numbers. If you have a password without a symbol and then add one, that adds that much more complexity and makes it that much harder for a hacker to crack.

[Image: Hacking a password]

The same goes for your database password, username and database name. Those should all be strong and hard to guess as well.

Don’t Use Same Username & Password for Multiple Sites

I know a lot of this is common sense, but so is eating healthy. Moving along: don’t use the same username and password on any of your other sites. Software such as 1Password and others lets you keep multiple passwords for multiple sites.

You can have a different username for each site, or even the same username that is unique to you, and a different, very strong password that is unique to each and every site. The software stores them for you, so you don’t have to remember, copy and paste each one. You just hit a button and it logs you in automatically.

This will help not only your WordPress site but every site you have a login for: your bank, your email, etc.

So that’s the “simple” stuff. On to some more “technical” stuff.

Protecting Against Directory Browsing

One step you may want to take is to make sure there is an empty index.php or index.html file in every folder that doesn’t already have an index file. This is usually the case by default in WordPress, but it doesn’t hurt to check. Without an index file, a folder’s contents can be browsed directly, which some web hosts allow.

You can do the same thing globally by disabling directory browsing with the following code in your .htaccess file.

# Disable directory browsing
Options All -Indexes
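A small script for the index-file check described above, added here as an example and not code from the original post. It takes the install directory as its argument (an assumed path), lists every folder without index.php or index.html, and can create an empty index.php in each one.

```shell
#!/bin/sh
# Added example, not code from the original post: find every directory under a
# WordPress install that has neither index.php nor index.html and drop an empty
# index.php into it, so a host that permits directory listings shows nothing.
# The install path is passed as the first argument (assumed, e.g. /var/www/html).

# List directories that lack an index file, one per line (read-only check).
find_unindexed_dirs() {
    wp_root="$1"
    find "$wp_root" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Create an empty index.php in each directory reported by find_unindexed_dirs.
add_index_files() {
    wp_root="$1"
    find_unindexed_dirs "$wp_root" | while IFS= read -r dir; do
        # An empty file is enough: the server serves it instead of a listing.
        : > "$dir/index.php"
    done
}

# Number of directories still lacking an index file (0 means the job is done).
count_unindexed_dirs() {
    find_unindexed_dirs "$1" | wc -l | tr -d ' '
}
```

Run `find_unindexed_dirs /path/to/wordpress` first to see what would change before calling `add_index_files`.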

SSL for Admin Interfaces

You can also force SSL on your admin interfaces within WordPress, which makes it a lot harder for potential bad guys to hack in. SSL won’t work without support from your host, though, so you might want to contact them if you’re not sure. Some hosts include this while others charge for it.

It’s pretty easy to force SSL in your admin. Just add this code snippet to your wp-config.php file in your root WordPress directory.

define('FORCE_SSL_ADMIN', true);

Secure FTP

To add security when you access your site via FTP, consider using SFTP instead, which is the same idea except the S stands for Secure. Again, some hosts enable this automatically; with others you may need to contact them to enable it.

File Permissions

WordPress requires particular file and folder permissions in order to run properly and to access things through your admin dashboard, such as uploading images and files. Making sure these files and folders have the appropriate permissions goes a long way.

So files should be owned and writable by your user account and set to 644. Folder permissions should be set to 755. wp-config.php should be set separately to 600 (source). This gives you the maximum available protection while keeping everything that needs to be accessible, accessible. And of course, ask your host if you’re unsure about these things. For more information you can visit here.
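The permission scheme above as a script, added here as an example and not code from the original post. It applies 755/644/600 to a WordPress tree whose path is given as the argument (assumed) and then audits the tree for anything that still deviates; ownership is left to you.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the permissions the post
# recommends (755 directories, 644 files, 600 wp-config.php) to a WordPress tree
# and audit it afterwards. The install path is passed as the first argument
# (assumed); ownership (chown to your own account) is left to you.

apply_wp_permissions() {
    wp_root="$1"
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts: owner-only.
    if [ -f "$wp_root/wp-config.php" ]; then
        chmod 600 "$wp_root/wp-config.php"
    fi
}

# Print every path that deviates from the recommendation: directories that are
# not 755, files that are not 644 (wp-config.php excepted) and a wp-config.php
# that is not 600. Empty output means the tree is as recommended.
audit_wp_permissions() {
    wp_root="$1"
    find "$wp_root" -type d ! -perm 0755
    find "$wp_root" -type f ! -name wp-config.php ! -perm 0644
    find "$wp_root" -type f -name wp-config.php ! -perm 0600
}

# Number of deviating paths (0 means nothing to fix).
count_permission_problems() {
    audit_wp_permissions "$1" | wc -l | tr -d ' '
}
```

Running `audit_wp_permissions` on a schedule is a cheap way to notice a plugin or a compromise that has loosened permissions again.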

Change the Database Prefix

Just like changing your username from admin, you should change the database prefix from wp_. This is the default for many WordPress installs, including the convenient one-click install provided by many hosts. If you don’t change the database prefix, the table names in your site’s database are easily known to anyone trying to hack your site.

To accomplish this you can follow the steps in this tutorial here, or you can use a plugin like Change DB Prefix or similar.

Protect wp-config.php

*Update* Moving it outside of the web root offers more protection but is only possible in root installs.

As we know by now, the wp-config.php file contains all the confidential details about our site, so it’s pretty important to protect it at all costs. An easy way to do this is to add the following code to your .htaccess file.

<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

Protect .htaccess

We can now protect our wp-config.php file, but what about the .htaccess file itself? Don’t worry, the same .htaccess file can protect itself from being preyed upon. Just place the code below in your .htaccess file.

<Files .htaccess>
    order allow,deny
    deny from all
</Files>

Hide Your WordPress Version

*Update* Hiding your WordPress version from the meta generator in the head doesn’t make sense as nowadays most properly coded themes add the WP version to styles and scripts.

Removing the generator meta tag, which reveals which WordPress version you are running, helps protect against potential hackers. If the version is visible, hackers will know when it is out of date and can attack accordingly. If you absolutely cannot update your version of WordPress, this may be a good failsafe to at least hide the fact that you’re not running the most current version.

To hide your version of WordPress place this in the functions.php file of your current theme.

remove_action('wp_head', 'wp_generator');

Also remove it from RSS feeds with this:

function wpt_remove_version() {
    return '';
}
add_filter('the_generator', 'wpt_remove_version');

Authentication Unique Keys and Salts

Authentication unique keys and salts are located in your wp-config.php file and should already be there, but it’s good to double-check. They sit below the database username and password settings. When you install WordPress on a server manually, you also need to add them manually. Within the commented-out section is a link that auto-generates a unique set of keys, which you copy and paste back into the wp-config.php file.
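If you would rather not fetch the keys from the generator link, here is an added example (not code from the original post) that produces the eight define() lines locally from /dev/urandom and checks that a pasted block is complete and well-formed. It assumes the base64 utility is available.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the eight key and salt
# defines for wp-config.php locally, as an alternative to the generator link in
# the commented-out section. Values are read from /dev/urandom and base64-encoded
# (48 random bytes -> 64 characters), which keeps quotes and backslashes out of
# the PHP string literals. Assumes the base64 utility is available.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character random value.
random_salt() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Print the eight define() lines, ready to paste into wp-config.php.
generate_wp_salts() {
    for name in $WP_SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(random_salt)"
    done
}

# Succeed only if the text passed in holds exactly the eight expected defines,
# each with a 64-character base64 value, and all eight values are distinct.
validate_wp_salts() {
    salts="$1"
    [ "$(printf '%s\n' "$salts" | wc -l | tr -d ' ')" = "8" ] || return 1
    for name in $WP_SALT_NAMES; do
        printf '%s\n' "$salts" |
            grep -q "^define('$name', '[A-Za-z0-9+/]\{64\}');\$" || return 1
    done
    distinct=$(printf '%s\n' "$salts" | sed "s/^.*', '//; s/');\$//" | sort -u | wc -l | tr -d ' ')
    [ "$distinct" = "8" ]
}
```

Changing these values invalidates every existing login cookie, so expect all users (including you) to be logged out after you paste new ones in.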

Limit The Number of Failed Login Attempts

Limiting the number of failed login attempts protects your site against anyone trying to guess your password or a bot trying to brute-force its way in. The plugin that provides this functionality is Limit Login Attempts.

Regular Backups

If you’re not already keeping regular backups, you should be. This not only gives you peace of mind; it’s almost like restoring Windows to a point in time before you downloaded that virus, if you catch my drift.

Backups not only help you recover if a hacker does succeed in getting into your site; there are a plethora of other things that can go wrong. It’s just a smart thing to do, especially if you’re running a business.

Some free plugins to help you keep regular backups are:
  • BackUpWordPress
  • WordPress Backup to Dropbox

Conclusion

I think that’s it. I hope I don’t have to convince you that you need to start taking security more seriously. If you’re not convinced, here are some interesting yet scary statistics:

  • 600,000 Facebook accounts are hacked each day (that’s about 7 accounts per second)
  • 100% of the top 100 paid apps on Android have been hacked.
  • 3 in 4 Americans have fallen or will fall victim to cyber crime due to being hacked.
  • 3 in 4 people use the same password for multiple accounts. Source

Put those last two together and I think we are on to something here…

You get the idea by now. It’s just really important to be as secure as possible, especially as technology develops faster than most people can keep up with. The number of security holes is probably growing as fast as the technology, so the effort we need to put into security will probably grow over time as well.

About Frank Apicella

Frank Apicella is the founder of Snippet Central and HtotheML. He helps people make websites, however and whichever way he can accomplish it. With a strong background in WordPress he can most certainly help you out.
