Securing Your WordPress Installation

  • Secure Your WordPress Installation
WordPress is one of the most widely used content management systems on the web now, with an estimated twenty-five percent using the open-source framework. It’s not hard to see why either, what with its ease of setup, level of customisation and flexibility. Anyone can, and does, use WordPress, whether you’re an individual wanting blog, a small businesses showcasing your portfolio, or a news site that reaches a global audience like TechCrunch, The Official PlayStation Blog or Wired. It’s used as sub-domain blog sites for the likes of CNN and the New York Times, whilst acting as portfolios for Sony and Samsung.

However, in its early years, security was a stringent bug-bare for WordPress. Vulnerabilities were prevalent and sites were targeted via specific exploits of the CMS. No website is unhackable, nor is it wise to think that because a service is widely used that it is therefore secure. You must be proactive in ensuring that your websites are as secure as they can be, and take the necessary precautions. WordPress’s security has made leaps and bounds in the last four years (since its last major exploit), to the point where there are now only minimal security issues.

So what’s the best way to go about securing your WordPress site? Well, having recently been on the end of an unfortunate hack, I went about improving my own security knowledge in order to lock down my WordPress installations as best as possible. So without further ado, here are a few tips to help you create a rock solid site.

Stay Updated

Now this sounds obvious, but it’s surprising how often this is the main cause of security breaches. According to WordPress statistics, only 8.3% of sites are using the latest version of the framework (as of writing). WordPress 3.0, which was released way back in June 2010 is the most commonly used version, but nearly 20% of sites are using versions below early than that. Often sites that are not used regularly are forgotten about, with the versions incrementing out of reach, but out-of-date software can lead to vulnerabilities.


The same can be said for any plugins or server stored scripts. Ensure your plugins and scripts are kept up-to-date, as they are increasingly the route in for unwanted eyes.

Remove SuperAdmin

Perhaps one of the easiest things is to remove the standard “admin” user - or the SuperAdmin. When you set up a new WordPress site, it will usually setup your primary admin account with the name “admin”. As with any system, the first port of call for a hacker is to try the username “admin” and the password “password”.


From version 3.0 you can change this during the initial setup, so be sure to pick another name instead; however, if you already have an admin account called admin, create a new admin account and delete the old one - making sure to assign all of their actions to the new one when prompted.

Strong Passwords

Something that goes for everything you do on the web - yet is incredibly uncommon - is: use strong passwords. Pick strong passwords for your site account, your MySQL database, your FTP logins, everything. Either come up with your own random numbers, letters and symbols password, or use something like Strong Password Generator to generate one.


Regular Password changes

Having scheduled password changes, whether that be monthly, quarterly or bi-annually is just as important as strong passwords. If, somehow, someone has managed to get a-hold of your password unbeknown to you, keeping those passwords new and fresh will help limit any damage they can do with this. If you ever notice any suspicious activity on your site, change your passwords immediately.


Be sure to also do this for your FTP, as server-based injections are difficult to trace and can cause havoc with your site.

Use Security Plugins

A fantastic way to help secure your WordPress installation is to use the variety of security plugins at your disposal. Here are a few that you should have on every installation:


WordPress Firewall 2 - a plugin which “investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks.” Essentially the plugin protects your site from known attacks, whilst emailing you in the event of an attempt.

AntiVirus - an easy and safe tool to protect your blog install against exploits, malware and spam injections.

Secure WordPress - secures your site by removing error information on login pages, adds index.html to plugin directories, hides the WordPress version and more.

Login LockDown - logs failed login attempts and can even disable the login for a particular IP for a specified period of time. This helps prevent brute force password discovery.


How many times have you backed up your work? Be honest. It’s something that, until disaster strikes, few people actually do. Either manually, using a service like VaultPress, or by using a plugin, it is vital that you keep regular backups of both your site and the accompanying database.


Two useful plugins are WP-DB-Backup and BackUpWordPress.

Give WordPress Its Own Directory

Rather than installing WordPress in the root of your site, you can install it in its own directory. This means that, providing you don’t just put it under a /wordpress/ directory, you’ve raised your defenses from bots who automatically hunt across the Internet sniffing for login screens by adding /wp-admin/ to the end of every URL.


Hide Plugins

Simply by putting a blank index files inside your /wp-content/plugins/ folder, you will hide all of your plugins from preying eyes. With access to see what plugins you have, hackers can determine the best route into your site, especially if they see you have no security plugins installed.


By adding an empty index.html file into the folder it stops a hackers from looking into your site and are less likely to attempt a breach. The latest versions of WordPress seem to do this for you, but it’s something that an older site may not have.

Hide Your Wordpress Version

By default, WordPress displays the version of the framework that your site is using, primarily so they can measure each versions usage. However, this is like a flashing neon sign to hackers, as they’ll know in an instance if you’re running an out-of-date version.

If you’re using one of the security plugins, then they’ll most likely remove this for you, but just in case, add the following line of code to your functions.php files:

<?php remove_action(‘wp_head’, ‘wp_generator’); ?>

You also need to remove if from your RSS feeds. To do this, add the following code to your functions.php file.

<?php function wp_remove_version() {
return ‘WordPress’;
add_filter('the_generator', 'wp_remove_version'); ?>

Additionally, remove the readme.html files within the root directory as this also contains your WordPress version.

Remove wp-admin/install.php

Once you’re WordPress site is installed, there’s no further use for the install.php file and removing it eliminates the possibility of someone executing it again.

Custom Secret Keys

With all of the confidential information for your site stored in the wp-config.php within your root directory. Secret keys are one of those bits of information so be sure to set them/update them immediately. They are an added security feature for passwords including password hashing and cookie security.


You can use the WordPress API to salt the keys for you, just go here.

Change Your Database Prefix

Most WordPress sites will use the same database prefix of “wp_”. This makes it the first port of call for anyone attempting to gain access to it, so by changing this when setting up your WordPress site is an easy way to secure your installation further.


Use .htaccess Protection

Securing your site can be done through a number of ways, so it’s worth doing it as many ways as possible. By adding some simple bits of code to the .htaccess file on your server, you can add another layer of protection to your site.

Firstly, protect your wp-config.php file - the one with all of the confidential details in - even further by adding this code to your .htaccess file:

<Files wp-config.php>
order allow,deny
deny from all

It’s no use protecting the site and its files unless the .htaccess file itself is actually protected though. So simply add the following code:

<Files .htaccess>
order allow,deny
deny from all

Whitelisting your site allows your to manage who has access to which parts of your site. This is particularly useful for the admin folder. So using the .htaccess file found within the /wp-admin/ folder add the following code.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “WordPress Admin Access Control”
AuthType Basic
order deny,allow
deny from all
# Whitelist Your IP address
allow from
#White Your Office IP address
allow from
#Add any other IPs that you need to allow

Don’t forget, this must be done to the .htaccess file within the /wp-admin/ folder not the root. All that’s left is to replace the “” with your IP address. If you’re unsure what your IP address is, simply use a service like

This means that you can only access the admin areas when logged in at one of the whitelisted locations.

The 5G Blacklist is another great way to secure your site. By using a "simple, flexible blacklist that checks all URI requests against a series of carefully constructed htaccess directives" it will blacklist just about any part of a potentially threatening request.

Define User Privileges

If you have multiple users working on your site, be sure to restrict their access correctly. Using a privileges plugin like Role Manager or part of the premium plugin White Label Branding for WordPress, you can control and assign different roles for different users, ensuring that can’t have access to anything you don’t want them to.


Check Yourself

Other than that, it’s down to you. Be sure to check your site regularly, moderate content and comments, check server logs for errors and ensure your site and plugins are up-to-date. Research plugins and scripts for vulnerabilities before installing them, and be as careful as you would with your bank card. Don’t hand out login details and be vigilant at all time.

blog comments powered by Disqus
David Howard
2 years ago
by David Howard
Web Designer/Developer for Harrington McDermott.

Sign up for our Newsletter