10 WordPress Security Tips That You Can’t Miss!

WordPress Security Tips

WordPress Security Tips: Get peace of mind by fully securing your installation of WordPress with these top 10 need-to-know security tips and tricks!

This guide literally includes everything you’ll need to fully secure your WordPress blog or website

#10 ..

WordPress Security Tips – Beware of CHMOD 777

When giving too much permission goes bad

Set File Permissions

When you CHMOD your WordPress files, be sure you know what you’re doing, and what changes you’ve made. The most dangerous CHMOD code is 777, which gives all groups and users full read, write and execute permissions to a folder or file. This is the level of access that hackers would need in order to inflict a lot of damage on your site, depending on what it’s applied to.

Many folders need to be write-able (755) in WordPress in order for certain things to function. Just be wary of assigning a 777 to anything. For a more technical look at WordPress CHMOD defaults and security recommendations . see Changing File Permissions section.

#9 ..

Use Robots.txt to Disallow Access

Block places that search engines don’t need to index

wordpress robot txt file

Robots.txt is used to tell search engines which folders of your site they should not look into for spidering purposes. You’ll want to tell them not to look into folders that are unnecessary for them, such as the “/plugins” and “/wp-admin” folders. Simply copy and paste the code below into a Notepad document, and save it as “robots.txt”, then add it to the root directory of your WordPress site:

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

#8 ..

Remove All “WordPress” References

…because nobody needs to know it’s WordPress

This is a simple one: go into your footer.php file and remove anything that says “Powered By WordPress.” Remove any script that might be displaying what version you have, too. Hackers search the internet for the quoted sentence “powered by wordpress” and will attack everything that comes up.

As much as we all love WordPress, you might also want to refrain from putting anything in your footer that says “Proudly made with WordPress” or anything of that nature.

#7 ..

Drop A Blank HTML File Into Your Plugin Folder

Give ’em the white screen of death

This is the oldest trick in the article. Open up Notepad. Don’t type anything in, and just save the blank page as “index.html.” Then, simply save this file into directories such as ..wp-content/plugins (new versions of WordPress already have one in there, that says “Silence Is Golden” within it). By doing so, you’re preventing anyone from seeing a list of your plugins. Exploiting WordPress sites with outdated plugins is one of the most common attacks, and this will help mask some information.

#6 ..

Always ensure that you are fully upgrade at all times.

Being up-to-date = being secure

Sorry to repeat the same thing you’ve already gotten drilled into your head – but by having the most recent version of WordPress and all of its plugins, you’ll make a huge stride toward having a secure site. Vulnerabilities are always exploited by hackers. When a new version of WordPress is out, it will notify you via a site stripe at the top of your admin panel. Now that WordPress has its own auto-upgrade function, it’s easier than ever.

#5 ..

Change your Default WordPress Database Prefix

A 5 second change to remove yet another default

Wordpress Database Prefix

When installing WordPress, you’ll have the option of using the default “wp_” as your table prefix (i.e., wp_comments, wp_links, wp_posts, etc.) You can change this to something else if you’d like – it’s another measure toward straying away from default attributes.

It’s easy. Just open wp-config-sample.php, find the prefix area as seen in the screenshot, and change “wp_” to something else, like “me_” or “cool_” or whatever you want. It’s yet another measure that makes things very difficult on hackers. Don’t forget, this file will have to be renamed to “wp-config.php” before you install WordPress.

If it’s too late and you’ve already created a site with an active database, you can still make the change: we will add a guide about it. It’s not too painful, either 🙂

#4 ..

Use .htaccess to Protect WordPress

Add this code at the beginning of your .htaccess file to protect WordPress from script injections:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

This at the end of your main .htaccess file to protect “wp-config.php” from bad bots:

<files wp-config.php>
order allow,deny
deny from all

And this tiny line of code to disallow anyone from seeing a directory tree of your sub-folders:

Options -Indexes

#3 ..

Create A Separate .htaccess File for WP-Admin

Only YOU can get in, now!

wpadmin htaccess

I’ve learned this one from Google engineer & popular SEO blogger, Matt Cuts. By creating an .htaccess file just for your WP-Admin folder (not to be confused with your main .htaccess in the root directory), you can block all IP addresses except the ones you specify. Here’s what the contents of this file should look like (just open up Notepad, and copy & paste this in…then, replace the dummy IP’s with the ones from your other home or work computers):

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# IP address of my 2nd home computer
allow from
# IP addresses of my two work computers
allow from
allow from
# IP address at my uncle’s house
allow from

#2 ..

Password Protect WP-Admin on the Server Side

A 2nd brick wall they’d have to get through

This will be a minor annoyance to you, but a great additional barrier for the security of your site! On your web server, get into your WordPress site’s account. Find the option for “Password Protect Directories” (this is what it’s called in cPanel, but it might be named differently on another platform). Password protect the directory “wp-admin.” Give it a unique password, and write it down.

Now, if someone attempts to visit YourSite.com/wp-admin, they’ll get nothing but a white screen and a pop-up box from the server, asking for a username and password. Unless they know of these, they’ll never be able to see the WordPress admin log-in screen. Of course, this will now give you two passwords you’ll have to enter in order to edit your site (the server password and the WordPress admin password), but you can have your browser “remember” all of these so that you don’t have to type them in every time. Just don’t lose the passwords!

#1 ..

Rename “Admin” to Something Else – WordPress Security Tips

Remove this generic name as your administrator login

Wordpress Security Tips admin username

When you first create a WordPress site or blog, the default login that most people create is a default account called “admin.” Be sure NOT to do this, since it’s not mandatory to name your admin account “admin.” Instead, use a different name as your administrator login.

If you use “admin,” you’re using the most common login that hackers will attempt to get in with, and you’ll make the job 50% easier on them if you do! If you’ve already named your account “admin,” simply go into your “users” menu, create a new user and give it administration rights, then remove the default account.

More WordPress Security Tips

Further tweaks to secure your WordPress installation

Hardening WordPress It’s a WordPress security tutorial written BY WordPress! A must-read.