
10 WordPress security tips that could save your site


WordPress is a very popular platform these days (around 8.5% of all the world's websites are powered by WordPress). As it is open source, everybody has access to its source code and can study it for new ways to break in. Don't get me wrong: WordPress is a secure piece of software, but a popular, well-understood target gets a lot of automated attention.

With a little effort you can protect your WordPress site by following these few easy steps to harden your WordPress installation.

Did you know that more than one million WordPress sites were cracked last year? Was your site, or your client's site, among them?

1. Don't use the 'admin' username

As of version 3.0, the WordPress installer lets you choose the administrator's username instead of forcing 'admin'. I encourage you to do so. Anybody who tries to get into your WordPress admin section will start with 'admin' as the username; if you use something else, a potential attacker has to guess both the username and the password.

If you already have an install with an 'admin' account, or are running an older version of WordPress (which I do not recommend), you can rename the account directly in the database; the profile screen in the admin does not let you change a login name. Open phpMyAdmin, select the SQL tab and run this query (back up the users table first, and adjust wp_ if you use a different table prefix, see tip 5):

UPDATE wp_users SET user_login = 'your_new_login' WHERE user_login = 'admin';

If the same row has user_nicename set to 'admin', change that column the same way: the nicename is used as the author slug in archive URLs, so leaving it would still reveal the old login.

2. Install Login LockDown Plugin

Login Lockdown WordPress plugin

A potential attacker will try to break your username/password combination with a brute-force or dictionary attack against the WordPress login screen. The Login LockDown plugin makes that impractical from a single source.

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.

Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel, and administrators can release locked-out IP ranges manually from there. Keep in mind that a lockout keyed on the source range does nothing against an attacker who spreads attempts across many addresses, and it can lock out legitimate users who share a NAT or proxy with the attacker, so pair it with a strong password (tip 9) rather than relying on it alone.
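To make the mechanism concrete, here is an added example (my own code, not the Login LockDown plugin's) that replays a constructed log of login attempts through the default policy described above: three failures from one /24 range within five minutes lock that range for an hour, and the lock is released once the hour has passed. The log line format and the /24 granularity of an "IP range" are assumptions.

```python
"""Sliding-window failed-login lockout, modelled on the Login LockDown
defaults described above.  Added example, not the plugin's own code.
The log lines are constructed for this example and the format is assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

FAIL_LIMIT = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(hours=1)

# Constructed sample: "<timestamp> <source ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2011-08-30T10:00:00 203.0.113.10 admin FAIL
2011-08-30T10:00:07 203.0.113.11 admin FAIL
2011-08-30T10:00:15 203.0.113.12 admin FAIL
2011-08-30T10:00:20 203.0.113.13 admin FAIL
2011-08-30T10:30:00 198.51.100.7 editor FAIL
2011-08-30T10:45:00 198.51.100.7 editor OK
2011-08-30T11:01:00 203.0.113.10 admin FAIL
"""


def ip_range(ip: str) -> str:
    """Lock on the /24 block (assumed granularity of the plugin's 'IP range')."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class Lockout:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lock expires

    def is_locked(self, rng, now):
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:                    # lock expired: release the range
            del self.locked_until[rng]
            self.failures[rng].clear()
            return False
        return True

    def record(self, now, ip, success):
        """Feed one login attempt; returns what the login handler should do."""
        rng = ip_range(ip)
        if self.is_locked(rng, now):
            return "blocked"                # login function disabled for this range
        if success:
            self.failures[rng].clear()
            return "allowed"
        q = self.failures[rng]
        q.append(now)
        while q and now - q[0] > WINDOW:    # forget failures older than the window
            q.popleft()
        if len(q) >= FAIL_LIMIT:
            self.locked_until[rng] = now + LOCKOUT
            return "locked"
        return "failed"


def replay(log_text: str) -> list:
    """Run every line of the log through the policy; returns (ts, ip, decision)."""
    lo = Lockout()
    results = []
    for line in log_text.splitlines():
        ts, ip, _user, result = line.split()
        now = datetime.fromisoformat(ts)
        results.append((ts, ip, lo.record(now, ip, result == "OK")))
    return results


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(*row)
```

Running it shows the fourth attempt from 203.0.113.0/24 being blocked even though it comes from a different address in the block, the unrelated 198.51.100.7 user never being affected, and the range being released at 11:01, after the one-hour lock has lapsed.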

You can download Login LockDown plugin from here.

3. Install Secure WordPress plugin

Secure WordPress Plugin

There are many places inside your WordPress site that tell a potential attacker the version of your WordPress installation, as well as other useful details (login error messages that reveal whether a username exists, directory listings of your plugins).

Secure WordPress beefs up the security of your installation by removing error information from login pages, adding an index.html to plugin directories (so the web server does not list their contents), hiding the WordPress version and more. Hiding the version only raises the cost of fingerprinting your site; it is no substitute for actually updating (tip 7).

You can download this plugin from here.

4. Move your wp-config.php file

Your wp-config.php file holds the database credentials, as well as other data that nobody else should be able to read. Since WordPress 2.6 you can easily move this file out of the root folder.

To do this, simply move wp-config.php up one directory from your WordPress root. WordPress automatically looks for the config file there if it can't find it in the root directory, as long as that parent directory is not itself a WordPress installation (WordPress checks that no wp-settings.php lives next to it).

This way, nobody without FTP or SSH access to the server can fetch the file through the web server, even if PHP is ever misconfigured and .php files get served as plain text. Two caveats: the move only helps if the parent directory is outside the web server's document root (if WordPress lives in a subdirectory of the document root, one level up is still web-accessible), and the file remains readable by the PHP process, so a file-read bug in any plugin or theme can still expose it. Keep its permissions tight (readable by the owner only) as well.
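The following added check (my own code, not part of WordPress) encodes those caveats: given the document root and the WordPress root, it reports whether the relocated file is still inside the document root, whether the parent directory would be ignored because it is itself a WordPress install, and whether other users can read it. The two directory layouts it builds are constructed in a temporary directory for the example.

```python
"""Sanity check for a relocated wp-config.php.  Added example, not WordPress
code.  The layouts exercised by demo() are constructed in a temp directory."""
import os
import stat
import tempfile


def config_problems(docroot: str, wp_root: str) -> list:
    """Findings for the install at wp_root whose config was moved one level up."""
    problems = []
    docroot = os.path.realpath(docroot)
    wp_root = os.path.realpath(wp_root)
    parent = os.path.dirname(wp_root)
    in_root = os.path.join(wp_root, "wp-config.php")
    moved = os.path.join(parent, "wp-config.php")

    if os.path.exists(in_root):
        problems.append("wp-config.php still present in the WordPress root")
    if not os.path.exists(moved):
        problems.append("no wp-config.php one level above the WordPress root")
        return problems
    # WordPress only falls back to ../wp-config.php when ../wp-settings.php is absent
    if os.path.exists(os.path.join(parent, "wp-settings.php")):
        problems.append("parent directory is itself a WordPress install; "
                        "../wp-config.php will be ignored")
    # Moving one level up gains nothing if that level is still under the document root
    if os.path.commonpath([docroot, parent]) == docroot:
        problems.append("parent directory is still inside the document root")
    mode = os.stat(moved).st_mode
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("wp-config.php is readable or writable by other users")
    return problems


def demo() -> tuple:
    """Two constructed layouts: a bad one and a corrected one."""
    with tempfile.TemporaryDirectory() as tmp:
        # Bad: WordPress in <docroot>/blog, config moved to <docroot>/wp-config.php, mode 0644
        bad_doc = os.path.join(tmp, "bad", "htdocs")
        bad_wp = os.path.join(bad_doc, "blog")
        os.makedirs(bad_wp)
        bad_cfg = os.path.join(bad_doc, "wp-config.php")
        open(bad_cfg, "w").close()
        os.chmod(bad_cfg, 0o644)
        bad = config_problems(bad_doc, bad_wp)

        # Good: WordPress is the document root itself, config sits above it, mode 0600
        good_wp = os.path.join(tmp, "good", "htdocs")
        os.makedirs(good_wp)
        good_cfg = os.path.join(tmp, "good", "wp-config.php")
        open(good_cfg, "w").close()
        os.chmod(good_cfg, 0o600)
        good = config_problems(good_wp, good_wp)
        return bad, good


if __name__ == "__main__":
    bad, good = demo()
    print("bad layout:", bad)
    print("good layout:", good)
```

The "bad" layout is the common shared-hosting situation (WordPress installed under public_html/blog): the file moved one level up still sits in public_html, so the move buys nothing, and the default 0644 mode leaves it readable by every account on the box.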

5. Change database table prefixes

By default, the WordPress table prefix is wp_. Because WordPress is open source, if you leave the prefix intact everybody knows the exact names of your database tables, so canned SQL injection payloads work without any guesswork.

You can set the prefix during installation, or by editing $table_prefix in wp-config.php before you run the installer. Changing it after installation is more involved: every table has to be renamed, and the rows in the options and usermeta tables whose keys carry the prefix (wp_user_roles, wp_capabilities, wp_user_level) have to be renamed too, otherwise every user loses their role. The WP Secure Scan plugin can do this for you.
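Here is an added example (my own code, not the WP Secure Scan plugin's) that generates the statements a post-install prefix change needs, so the easily forgotten options and usermeta updates are not missed. The table list is the stock single-site set and is constructed here; prefixes are assumed to contain only letters, digits and underscores, which is what the WordPress installer accepts. Run the output against the database, then update $table_prefix in wp-config.php.

```python
"""Generate the SQL for changing a WordPress table prefix after install.
Added example, not plugin code.  Table list constructed for a stock
single-site install."""
import re

DEFAULT_TABLES = ["commentmeta", "comments", "links", "options", "postmeta",
                  "posts", "terms", "term_relationships", "term_taxonomy",
                  "usermeta", "users"]

# Assumption: prefixes are limited to what the WordPress installer accepts.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def like_prefix(prefix: str) -> str:
    """LIKE pattern for keys starting with prefix; '_' and '%' are LIKE wildcards."""
    return prefix.replace("%", "\\%").replace("_", "\\_") + "%"


def prefix_change_sql(old: str, new: str, tables=DEFAULT_TABLES) -> list:
    """Statements to rename the tables and the prefixed option/usermeta keys."""
    if old == new or not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefixes must differ and contain only letters, digits and underscores")
    # One RENAME TABLE renames all tables atomically in MySQL.
    renames = ", ".join(f"`{old}{t}` TO `{new}{t}`" for t in tables)
    stmts = [f"RENAME TABLE {renames};"]
    # Keys such as wp_user_roles (options) and wp_capabilities, wp_user_level (usermeta)
    # are looked up with the new prefix, so strip the old prefix and prepend the new one.
    for table, column in (("usermeta", "meta_key"), ("options", "option_name")):
        stmts.append(
            f"UPDATE `{new}{table}` SET {column} = "
            f"CONCAT('{new}', SUBSTRING({column}, LENGTH('{old}') + 1)) "
            f"WHERE {column} LIKE '{like_prefix(old)}';"
        )
    return stmts


if __name__ == "__main__":
    for stmt in prefix_change_sql("wp_", "x9k_"):
        print(stmt)
```

Take a database backup before running the output; if the UPDATE statements are skipped, the site loads but every account appears to have no capabilities at all.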

6. Change default secret keys

When you open your wp-config.php file, you will see four secret keys (WordPress 3.0 and later also define four matching *_SALT constants next to them):

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');

I am amazed how many people, even experienced ones, do not change these keys. They are not password salts: WordPress uses them as the secret for signing the login cookies and the nonces that protect admin actions. Leaving them empty or at a published sample value removes the secret that makes those cookies hard to forge.

Simply visit https://api.wordpress.org/secret-key/1.1/salt/ (it generates all eight keys and salts; the older https://api.wordpress.org/secret-key/1.1 gives only the four keys) and copy the generated lines into your wp-config.php file. It's that simple. Note that changing the keys invalidates every existing login cookie, so all users are logged out, which is exactly what you want if you suspect a compromise.
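If you would rather not paste secrets from a website, the following added example (my own code, not WordPress's tooling) generates all eight values locally from the operating system's random source, reports which constants in a wp-config.php are still missing, empty or set to the sample placeholder, and rewrites them. The wp-config.php text it works on is constructed for the example; the placeholder string is the one WordPress ships in wp-config-sample.php.

```python
"""Generate WordPress keys and salts offline and rotate them in wp-config.php.
Added example, not WordPress's own tooling.  SAMPLE_CONFIG is constructed."""
import re
import secrets
import string

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php

# Printable ASCII without quotes or backslash, so the value is safe inside a
# PHP single-quoted string literal.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'(.*?)'\s*\);")

# Constructed: a config with two placeholders, one empty key and no salts at all.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    '');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""


def random_key(length: int = 64) -> str:
    """64 characters from a 91-symbol alphabet: far beyond brute-force reach."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_keys(config_text: str) -> list:
    """Names of key/salt constants that are missing, empty or still the placeholder."""
    found = dict(DEFINE_RE.findall(config_text))
    return [n for n in KEY_NAMES if found.get(n, "") in ("", PLACEHOLDER)]


def rotate_keys(config_text: str) -> str:
    """Replace every key/salt define with a fresh value; append any that are missing."""
    present = set()

    def repl(m):
        name = m.group(1)
        if name in KEY_NAMES:
            present.add(name)
            return f"define('{name}', '{random_key()}');"
        return m.group(0)                     # leave DB_NAME and friends alone

    out = DEFINE_RE.sub(repl, config_text)
    missing = [n for n in KEY_NAMES if n not in present]
    if missing:
        out += "".join(f"define('{n}', '{random_key()}');\n" for n in missing)
    return out


if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE_CONFIG))
    rotated = rotate_keys(SAMPLE_CONFIG)
    print("weak after:", weak_keys(rotated))
    print(rotated)
```

Because rotating the keys logs every user out, run it during a quiet period, or deliberately after an incident when you want all sessions gone.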

7. Update

Always update to the latest version of WordPress, as it carries the current security fixes. Don't forget to update your plugins and themes; they are updated separately from the core.

Updating WordPress, plugins and themes is really easy to do from your admin screens, so do it as soon as updates appear. WordPress is a terrific piece of software and updating will rarely, if ever, break site functionality; take a backup first anyway (tip 10).

8. Protect your wp-admin

The AskApache Password Protect plugin adds some serious password protection to your WordPress blog: a second login, enforced by the web server itself, in front of the admin area. Not only does it protect your wp-admin directory, but also wp-includes, wp-content, plugins, etc. Check the public side of the site afterwards, since some themes and plugins call into wp-admin (admin-ajax.php) for visitors who are not logged in.

9. Use strong password

This is the most trivial thing you can do to protect your WordPress installation. Yet many people use weak passwords which are easy to break with modern brute-force tools.

There are many tips on how to make a strong password; I personally like this Strong Password Generator. Read the tips there to understand what a strong password is: long, random, and not reused on any other site.

10. Backup your data regularly

This is not strictly a security tip, but it is related. If someone hacks your site and you don't have a backup, it will be very difficult to restore the site to its previous state. Keep the backups somewhere other than the web server itself; a backup stored inside the site is lost, or read, together with it.

Regular backups are a must. There is a great list of WordPress backup plugins available here.

A few more general tips for securing a WordPress installation:

If you don't have time to follow all of the above tips, please follow at least two of them. It will help protect the effort you have invested in your WordPress site.

Is your site secure? Have some more tips like these? Please share your thoughts with me in the comments section.


  • Hi Zvonko, some great tips here. You often hear of people's blogs being hacked. Thank heavens it hasn't happened to me. My hubby (and coder:) takes care of the security and always nags me to get a decent password:)

    • Hi Annabel, thanks for your comment.

      I hope that after you read this article, and especially the part about 1 million WordPress sites being hacked, you will get that decent password 🙂

  • Seems Login LockDown hasn’t been updated in a while. Have you been running it with more recent WP versions? If so, any issues of note?

    • Hi Vance,

      I am running it with the latest version of WordPress (3.2.1). No issues whatsoever.

      • Thanks for the response, and the original post of course!

  • Jenelle

    I am running the latest version of WordPress but it still tells me I can’t change my user name from admin. I went into phpMyAdmin and couldn’t figure out how to run the query. Can you advise?


    • Hi Jenelle,

      when you open phpMyAdmin, click on the SQL tab. Then copy the query from above into the SQL field, change the username to whatever you want, and click Go.

      • It also works to make the “admin” account just a subscriber. I like this, because it still lets them waste their energy and focus on trying to hack an account that won’t achieve much for them anyway :-).

  • Hey Z,

    Great article – It still amazes me how many people just leave their WP sites vulnerable.

    Just this past week I've been able to gain access to pretty much all of my clients' WP sites without asking for their username/password. Just by using the admin/password combo.

  • Pingback: Link of the day 30 August 2011 | Geppy.it news from the community

  • allaboutedu

    Can you please suggest a plugin that can automatically ban an IP address if the site/blog gets more than x number of clicks in a given period of time, or if an IP address visits too often? But before the IP is blocked I want to set the above statistics.

  • These are some good tips. There are plenty of users who leave their sites as default who are usually the ones who get hacked.

    I have a list of some tips that I use for WordPress Security here:

  • I have been hacked for the first time today !!!!
    I’ll follow your advice now !


  • Pingback: Securing WordPress, cPanel and WHM.

  • Athar

    Hi Zvonko,
    Sir, yesterday someone hacked my website (ApnaKamoke.com). In future I will follow your nice advice. Please tell me one thing: how can I secure my website made in HTML? Any article?

  • Andrew

    Great tips, hope all realize that the default setup has its security issues. I actually went one step further and disabled all file updates except for the sitemap and the uploads directory, using the following commands in the WordPress directory:
    sudo chmod -R u-w *
    sudo chmod -R g-w *
    sudo chmod -R o-w *
    sudo chmod u+w sitemap.xml*
    sudo chmod -R u+w wp-content/uploads/*
    sudo chmod u+w wp-content/uploads

    This disables WordPress updates, but one can open it up temporarily with the following command:
    sudo chmod -R u+w *

    Assuming that all files are owned by the correct user of course.

    I also disabled the execution of PHP files in the uploads directory by using the following Directory directive in the Apache site config:

    php_admin_value engine Off

    Finally, Apache actually recommends not using .htaccess files but Directory directives instead. One can disable .htaccess files with "AllowOverride None". This also stops WordPress from updating .htaccess files, which it does when changing settings for permalinks, etc. (you need to update Apache manually when this happens).

  • Pingback: 10 tips for strengthening the security of a site running on WordPress | ITPROGER

  • dny

    Most things here can simply be applied using one better WP security plugin.

    • I agree, but which one 🙂

  • This is a great list of things to do to secure your WordPress site…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have now written up my experiences in a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.

    My checklist has a few more items and detailed steps for how to get the job done.

    Hopefully the checklist can help other people securing their WordPress sites…

  • Really useful. Based on articles like yours we did a Spanish-language compilation of security tips for WordPress; you may find it here: Tips to improve WordPress security

  • Dan Hulton

    I recently released a security plugin for WordPress called PanicPress (http://www.panic-press.com) that adds two-factor authentication to your blog and allows you to remote-control shut down the administration section.

    If you’re interested in a demo, email me at dan (at) danhulton (dot) com – I’d be honoured if you reviewed it on your site or even if you just had comments or suggestions about it!

  • wexler

    Thank you for your explanation and great share.
    I would like to add this point to my web site, if you would allow me.

  • Pingback: How Secure is your WordPress site? | cateca