10 Easy Ways to Secure your WordPress Blog

Securing your blog is important. With WordPress so popular these days, it's becoming a bigger and bigger target for hackers. In this post we'll look at ten easy ways to secure your WordPress blog.

Guest post by Alex Denning, a Twitter fan who recently launched his new blog, Nometech.com, where he blogs about WordPress, blogging and web design.

1. WP Security Scan

This very easy to use plugin will sort out some of the basic security issues with WordPress – it’ll change your database’s name and alert you to flaws in your installation’s security, amongst other features.


2. Protect your plugins

Plugins are an easy way for a hacker to get access to your blog if they’ve got flaws in them. An easy way for hackers to find out which plugins you’re using is to go to /wp-content/plugins/, and they’ll find all the plugins that you’re using. The solution? Put a blank index.html file in the wp-content/plugins/ folder.

3. Update WordPress

This is super-easy to do, but a surprising number of people don’t do it: update WordPress. If you’re super-security-conscious then don’t upgrade to the next big release immediately (i.e. 2.8); wait for the bug fixes to come in (i.e. wait for 2.8.1).

4. Pick a good password

Common sense. Use a good password. Don’t use the same password that you use on every site; create something that is easily memorable, with a mix of UPPER and lower case and some numbers in there too. Change your password regularly too.

5. Change the admin user name

By default, the WordPress user name is admin. [Lots]% of people don’t change it. Why should you change it? If a hacker has your username, he’s halfway to getting into your site: he just has to guess your password. If the hacker has to guess your username as well, then that’s twice as much work to do. It’s super easy to migrate posts from one user to another: just create your new user and then delete the admin user. You’ll be given the option to migrate posts to another user.

6. Protect your WP-Config.php file

Your WP-Config.php contains your database name, database username and database password. It’s something to protect.

Just add the following code to your .htaccess file. The <files> wrapper limits the rule to that one file (without it, every file on the site is blocked), and the order and deny directives must be on separate lines:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Source – Nometech.com

7. Hide your WordPress version

First off, go into your header.php file and remove the meta data (something like <meta name="generator" etc). Trouble is, WordPress adds in the meta data automatically! How do you remove it? Paste this code into your functions.php file (the hook is wp_head, the action that prints the <head> section, and wp_generator is the function that prints the version):

<?php remove_action('wp_head', 'wp_generator'); ?>

Source – ProBlogDesign

8. Limit the number of times a user can enter their password (wrongly)

The Login LockDown plugin will lock out users if they enter their password wrong too many times. You can choose how many times users can enter their password and also how long they’re locked out for via a neat options page.

Source – WP Plugin Directory
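To make the lockout logic concrete, here is an added example of the same mechanism the Login LockDown plugin provides. It is not the plugin's code and not part of the original post: it counts wrong passwords per client address inside a time window, locks that address out for a configurable period, and refuses even a correct password while the lock is in force. The thresholds (3 failures in 5 minutes, a 1 hour lockout), the addresses and the stand-in password check are constructed for illustration.

```python
import time
from collections import defaultdict

# Added example of the lockout mechanism the post describes for the Login LockDown
# plugin. This is not the plugin's code; the thresholds, addresses and password
# check below are constructed for illustration.


class LoginLockdown:
    """Count wrong passwords per client address and lock the address out."""

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600, clock=time.time):
        self.max_failures = max_failures      # wrong passwords tolerated inside the window
        self.window = window_seconds          # how far back failures are counted
        self.lockout = lockout_seconds        # how long a locked address stays locked
        self.clock = clock                    # injectable so the example can control time
        self.failures = defaultdict(list)     # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> time at which the lockout expires

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # The lockout has expired: forget it and the failures that caused it.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a wrong password; returns True if this one triggered a lockout."""
        now = self.clock()
        recent = [t for t in self.failures[ip] if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A correct password clears the failure history for that address."""
        self.failures.pop(ip, None)

    def attempt_login(self, ip, password, check_password):
        """Gate one login attempt: returns 'locked', 'denied' or 'ok'."""
        if self.is_locked(ip):
            return "locked"            # not even a correct password is accepted
        if check_password(password):
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "denied"


class FakeClock:
    """Controllable clock so the example runs instantly and deterministically."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three wrong guesses, the right password while locked, then the right password after the lockout."""
    clock = FakeClock()
    guard = LoginLockdown(max_failures=3, window_seconds=300, lockout_seconds=3600, clock=clock)

    def check(password):               # stand-in for WordPress's own password check
        return password == "correct horse"

    ip = "198.51.100.23"               # constructed client address
    outcomes = [guard.attempt_login(ip, guess, check) for guess in ("guess1", "guess2", "guess3")]
    outcomes.append(guard.attempt_login(ip, "correct horse", check))   # refused: still locked
    clock.advance(3600)
    outcomes.append(guard.attempt_login(ip, "correct horse", check))   # lockout has expired
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The counter is keyed on the client address, so if a reverse proxy or CDN sits in front of the site it must pass the real visitor address through; otherwise every visitor shares one counter and a few wrong guesses from anyone lock everybody out.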

9. Limit WP-Admin access by IP

This isn’t something that I do personally, as I blog on a fair number of different computers, but if you’re just on the one, with a fixed IP, then this is a great hack for you: you can restrict access to the wp-admin directory with a simple .htaccess hack. Put this in an .htaccess file inside wp-admin. Apache does not accept a comment on the same line as a directive, and the two keywords on the order line must not be separated by a space:

# only let the static IP a.b.c.d into wp-admin (replace it with your own address)
order deny,allow
deny from all
allow from a.b.c.d

Source – Nometech
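Because several commenters on this post disagree about which form of these rules is right, here is an added example (not Apache's code and not part of the original post) that models how Apache 2.2 evaluates order, allow and deny for one request, using the wp-admin rule above and the body of the wp-config.php rule from tip 6. The model covers only those three directives with the arguments all, a single address or a CIDR network; the addresses are documentation addresses chosen for the example.

```python
import ipaddress

# Added example: a small model of how Apache 2.2 evaluates the Order / Allow /
# Deny directives for one request. It is not Apache's code. Supported host
# arguments: "all", one IPv4/IPv6 address, or a CIDR network such as 203.0.113.0/24.


def parse_access_rules(htaccess_text):
    """Return (order, allow_hosts, deny_hosts) from an .htaccess fragment.

    Raises ValueError for the mistakes Apache itself rejects: an Order line
    with more than one argument, a space after the comma, or a trailing
    comment on a directive line.
    """
    order, allows, denies = None, [], []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        # Apache only treats a line as a comment when '#' is its first character.
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "order":
            # "order allow,deny from all" and "order deny, allow" both fail here,
            # just as Apache answers "Order takes one argument" (a 500 error).
            if len(parts) != 2:
                raise ValueError(f"Order takes one argument: {line!r}")
            order = parts[1].lower()
            if order not in ("allow,deny", "deny,allow"):
                raise ValueError(f"unknown Order value: {line!r}")
        elif keyword in ("allow", "deny"):
            if len(parts) != 3 or parts[1].lower() != "from":
                raise ValueError(f"expected '{keyword} from <host>': {line!r}")
            (allows if keyword == "allow" else denies).append(parts[2])
        else:
            raise ValueError(f"directive not covered by this model: {line!r}")
    if order is None:
        raise ValueError("no Order directive found")
    return order, allows, denies


def host_matches(host_spec, client_ip):
    """True if the client address matches an Allow/Deny argument."""
    if host_spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(host_spec, strict=False)
    except ValueError:
        # Not a valid address or network (e.g. the placeholder "a.b.c.d."): no match.
        return False


def is_allowed(htaccess_text, client_ip):
    """Decide whether the client may reach the resource the rules protect."""
    order, allows, denies = parse_access_rules(htaccess_text)
    allowed = any(host_matches(h, client_ip) for h in allows)
    denied = any(host_matches(h, client_ip) for h in denies)
    if order == "allow,deny":
        # Allow rules first, then Deny; a Deny match wins; the default is to deny.
        return allowed and not denied
    # "deny,allow": Deny rules first, then Allow; an Allow match wins; the default is to allow.
    return allowed or not denied


# Constructed samples mirroring tips 9 and 6, with a.b.c.d replaced by a documentation address.
WP_ADMIN_RULES = """
# .htaccess inside wp-admin/
order deny,allow
deny from all
allow from 203.0.113.7
"""

# The body of the <files wp-config.php> block from tip 6.
WP_CONFIG_RULES = """
order allow,deny
deny from all
"""

# The one-line form that appeared in the post, which Apache refuses to load.
BROKEN_RULE = "order allow,deny from all"

if __name__ == "__main__":
    print("owner from 203.0.113.7 ->", is_allowed(WP_ADMIN_RULES, "203.0.113.7"))
    print("anyone else ->", is_allowed(WP_ADMIN_RULES, "198.51.100.9"))
    print("wp-config.php for the owner ->", is_allowed(WP_CONFIG_RULES, "203.0.113.7"))
    try:
        is_allowed(BROKEN_RULE, "203.0.113.7")
    except ValueError as err:
        print("rejected:", err)
```

The two orders differ in their default: with order deny,allow an address that matches neither list is let in, which is why the wp-admin rule needs deny from all before the single allow, while order allow,deny denies by default, so deny from all inside the wp-config.php block is belt and braces.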

10. Login via SSL

If your host has an SSL certificate then you can use this great little plugin to login via SSL. The Admin SSL plugin “secures login page, admin area, posts, pages – whatever you want – using Private or Shared SSL.”

Source – WP Plugin Directory, via MakeUseOf.com

And finally

It is very easy to get bogged down in plugins, but bear this in mind: a strong password that is changed regularly, and a couple of .htaccess hacks (this post might help) will keep the casual hacker out.

If you’ve enjoyed this post then please do take a look at Nometech.com, my new blog, and perhaps even subscribe to the RSS feed. If you’re on Twitter too then new followers are always welcome!

  • Pingback: How to make your WordPress blog more secure against hackers | Webmastern.se()

  • Pingback: You are now listed on FAQPAL()

  • To be very true, I had all those flaws but my plugins directory was not visible because my host has some kind of security and it showed me some error page rather than that ftp style page showing all files. Thanks for sharing all those tips because they are mandatory.

  • Pingback: links for 2009-05-06 « It’s About Time()

  • Thank you for a post. I will definitely be utilizing some of these tips. This is especially good for those who are using a multi-user install. You definitely don’t want a multi-user site getting hacked.

  • Excellent security tips for WP blogs. While I am in the process of upgrading the theme, I should certainly take a look at improvising on security.

    Just tweeted this post

  • These tips are indeed very useful. Thanks, I will definitely use those mentioned above.

  • Pingback: 10 premium themes for WordPress | ПРО разное()

  • It is very true, and thanks for the post.

  • Good, common sense list – especially on the passwords. People are dangerously lazy with keeping a good password.

  • It’s very interesting… I will try it. Thank you very much for this post.

  • OMG, I never considered the security holes on WordPress before. I thought it was secure. Putting an index file in a directory to prevent a list being seen on the screen is an old trick, but I never thought of using it for WP. I started reading this post and went to my site to do it immediately. I then came back and saw the tip about protecting your wpconfig.php – that’s a new one on me. (I did that too.)

    Thanks, you may have saved me a lot of time!

  • Wow. So someone can access a specific file that contains the login and password? I was about to go to bed but now I’ll need to check this out.

  • Great stuff as usual, thanks!

  • Well, I got my site’s database hacked down last week, it won’t show anything except the two numbers: “56”..
    One of my friends told me that I should change the database and back up my old content.. Now it is live again..

  • Great post man! This was very helpful, thank you very much.

  • I’ll try it…

  • Just wanted to come back and say thanks for the tips. I spent the other night fixing a couple of flaws in my security across all my blogs.

  • Vic

    This is a very helpful post.
    I already experienced domain defacement in my previous blogs
    And I agree that a strong password is very important.
    We can include in our passwords not only numbers and letters but also hyphens like @#$?*!!, to ensure security.

  • The ninth tip wouldn’t be advisable for those who have a dynamic IP address. My current ISP provided me with a dynamic one, and there are times when my IP changes. Nonetheless, this checklist is very useful to secure WordPress blogs.

  • Great tips, I am going to implement these on my blogs. Some of them got hacked recently and Google started showing a malware warning. Not only did I lose a couple of days’ income, they also lost ranking and followers in these days. Had to remove the iframe code from index.php, files in wp-content, wp-includes and theme pages.

    I am sure just removing the version code will prevent hacking bots that work on a particular version. I would add an 11th way to this: keep looking for new versions and update the WordPress version when a new version is available (it’s easy nowadays).

  • Pingback: 10-ways.net » 10 Easy Ways to Secure your WordPress Blog()

  • I think these are very interesting tips.
    I want to produce a website while referring to it.
    I thank you for a splendid entry.

  • Thanks, these tips are indeed very useful and I will definitely use those mentioned above.

  • Why must we remove a WordPress version from metas?
    I really can not understand it.

  • @psd to html: You should remove the version because most hacks are targeted towards a particular version of wordpress. Many people also remove such info from their webserver and OS for the same reason.

  • Thanks for this info. I have just downloaded WP Security Scan, I hope that helps secure my site more.

    I already had most of the other checks in place.

  • Glad to read this info. I will apply these tips to secure my wordpress blog. Thanks for sharing this post!

  • Have you tried doing it? It says that any code “that isn’t permitted”, that doesn’t necessarily mean no code at all. I’ve been able to add HTML to the text widget just fine.

  • Nice post, that is a good plugin, and with that and a good password you should be good until you get huge and attract a lot of attention. I think that if that happens then you can afford to upgrade, but this should get you started and be fine for quite a while. Good post.

  • Thanks for the information, I will apply these tips.

  • Good article,

    is there a way to change the wp-admin folder name?
    if not, would you recommend adding a htpasswd file in the wp-admin folder too?

  • Pingback: 10 Easy Ways to Secure your WordPress Blog » SEO Update()

  • Hmm… it adds to my knowledge about WP, because I am a newbie in WP… hehe… thanks for the nice info…

  • WordPress security is something that everyone should look after in the first place. There are so many hackers and vulnerabilities that can make your life very hard if you are not prepared for them. Thanks for sharing these great WordPress security tips.

  • Nice tips. Thanks.

  • Didn’t know about #2 (plugins folder). What has happened to v2.8? I thought it was due at the start of April – just went and checked again after reading your post but still no sign.

  • Thanks for the advice here. We have been having a lot of problems with hackers getting into our blogs. I am going to pass the information on to our web master. This is very helpful!

  • I want to have it so when I post on my blog at WordPress, it will automatically post the same blog on my MySpace page. I know there is a way to do this with forums and bulletin boards – posting on WordPress and having it show up in the forums.

  • Anders

    Great post, but what about security against spam? Plugins such as WP-SpamFree, Akismet and SpamTask should be mentioned, shouldn’t they? 🙂 I mean, spammers are some kind of hackers I believe. 😛

  • Wow, I had no idea WordPress was so unsafe – I’m definitely going to implement these tips. Thank you very much for this!

  • A good password is very important. And changing it often is good training for your own memory too.

  • I’ve installed and used the Security plugin, it works very easily and well.

  • Hi,
    Thanks for sharing these great tips.
    I never thought about this area. I don’t have much information about blogging, but after reading your blog I think that we should all secure our blogs.

  • A really nice tip you have here Sir! Also, you can add removing those footprints created by WP themes.

  • Thank you. This worked perfectly. =]

  • Excellent security tips for wp bloggers…


  • Really useful information. Many of the described methods of protection are not well known.

  • Nice tip, my brain is ever expanding with useful knowledge from this blog.

  • I am new to WordPress and I am glad I’ve come across this blog. Although these are not foolproof, they will minimize problems later. Thanks for posting these tips.

  • Thanks, I will definitely use those mentioned above. These tips are indeed very useful.

  • Great article. I just bookmarked it. Thank you so much for sharing it.

  • Lot

    It seems I still have a lot to learn in WordPress. Thanks for sharing.

  • With this post I have learnt a lot about WordPress. I am going to use the above methods. Very helpful. A few of the plugins are really nice.

  • Thank you for the information! Especially tip no. 6 is great, to protect wp-config.php.

  • Pingback: Aparna’s Weblog » Blog Archive » 10 Easy Ways to Secure your WordPress Blog()

  • Great tips…thank you so much!

  • Pingback: Quick WordPress Links – Der Schockwellenreiter()

  • I’d add “don’t login from strange computers”. If your blog’s making some money, buy a laptop and don’t use any other computer. You never know if there are any keyloggers on someone else’s computer.

  • How To Secure a WordPress Blog Please help me guys?

  • You offer some very important tips, because with how easy most hosts make it to set up a wordpress site, a lot of new bloggers don’t even think about security.

    Regarding #2, protect your plugins, can’t you also add Options -Indexes to your .htaccess file, to stop people from being able to view the contents of a directory?

  • Great post, I like this site and thanks for the information.

  • Nice plugin, WP Security Scan. Thanks for sharing good tips for securing a WordPress blog. Good work.

  • It took me a couple of sessions but I completed plugging my holes. Thanks again for sharing these risks!

  • Pingback: Inspirations - 31 Excellent Resources, Examples, Tutorials and More In June » De Web Times - Sharing Useful Resources.()

  • Nice list there.. Very few people bother to come up with this actually..

  • Good news for new bloggers like us. Now we know what mistakes to avoid. Most people would have hardly thought of these.

  • Thank you for sharing these tips. I need this to protect several of my wp blogs.

  • Thanks for the tips, very helpful.

  • Good list. I picked up a couple plugins I had not yet considered. Thanks.

  • Pingback: 10 Steps to Protect Your WordPress Blog | Tarqy dot Com()

  • Nice to see that some one posted simple but extraordinary Article regarding to Secure Word Press blog. I specially liked the points 6 – Protect your WP-Config.php file and 7. Hide your Word Press version. I just applied these two points to my Blog.
    Thanks for sharing

  • Good tips. I’ll download the WP Security plugin for my WordPress blog. Are these types of plugins available for Blogspot?

  • Thanks a lot for sharing this.

    I’ll go right now and update all my wordpress blogs and install the security plugins as well as protect all the plugin directories.

    I wish I discovered your post before one of my blogs got hacked, three weeks ago.

    Just dugg, tweeted and posted it on del.icio.us and I’m gonna share it on the forum I’m actively involved in because I saw a lot of posts where WP blogs got hacked.


  • Thanks for the list. It’s amazing to me that blog owners have to go through all of this trouble to prevent worthless people from getting into our sites… Can you tell I’ve been hacked recently?

  • Thank you for these 10 items. I’m just starting to learn WordPress and this information is very helpful and important.

  • THANKS FOR THE MUCH NEEDED TIPS TO insure efficiency with WordPress!

  • Ten brilliant tips for blog securing. I suggest tip number 10 is the best one.

  • Thanks for this information. I never even thought of some of these security flaws, like people looking at my plugins and finding out info about my site from the plugins I use.

  • Very good tips.. I will try, thanks..

  • Klark

    I think there are some errors in your tips.

    6. Protect your WP-Config.php file

    should be

    order deny,allow
    deny from all

    9. Limit WP-Admin access by IP

    should be

    order deny,allow
    deny from all
    # your static IP
    allow from a.b.c.d

  • Pingback: Security in WordPress | BLOG DEL MIRADOR()

  • Pingback: 7 steps to protect your Wordpress blog! | JrShohin`s Blog()

  • These are some good tips. There are also security products for WordPress, but if you don’t feel like spending money these tips will do. I think that keeping one’s blog updated, I mean the version of WordPress updated, is very important.

  • The 6th point.. for the .htaccess file.. when I made the change, my site went down. Exactly how do I put it?

  • I use the same technique as Wheelchair Guide.

    If you are already editing .htaccess, then a lot of work placing blank index.html files in every folder for which you wish to block browsing is saved.
    One line of code is all you need!

    Also, don’t forget to protect .htaccess itself as well as the config file. Here are the three bits I’ve mentioned (these can be copied and pasted verbatim):

    # protect the htaccess file
    <files .htaccess>
    order allow,deny
    deny from all
    </files>

    # protect wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # disable directory browsing
    Options All -Indexes

  • Oops. Forgot the code tag:

    # protect the htaccess file
    <files .htaccess>
    order allow,deny
    deny from all
    </files>

    # protect wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # disable directory browsing
    Options All -Indexes

  • These tips are indeed very useful. Thanks i will definitely use those mentioned above.

  • Pingback: Plugins & .htaccess | Amalgamis()

  • These are definitely useful tips for WordPress users. I will learn these tips first so I can apply them correctly. Thanks Alex.

  • Thanks i will definitely use those mentioned above.

  • Pingback: 30+ Useful WordPress Tutorials()

  • Heads up. Your WordPress version is still showing. Nice list of tips. I’ll create my own top 5 secure WordPress tips and link back to this post.

  • Pingback: 10 simple ways to secure your WordPress blog | SEO()

  • Pingback: 10 Easy Ways to Secure your WordPress Blog | eBookTM | Free ebook download, video training, jetaudio skin()

  • Pingback: 5 Brilliant WordPress Articles | WPShout.com()

  • Pingback: 10 Easy Ways to Secure your WordPress Blog « .::z3rok::.()

  • Tommix

    Man if you have no idea about what you’re “writing” – please do not write.

    1 What a f***:
    # protect wpconfig.php
    order allow,deny from all

    this will deny access to ALL files not wpconfig.php

    2. order deny, allow
    allow from a.b.c.d. #your static ip
    deny from all

    so where is backslash before dots??

  • Pingback: 10 Tips to Keep Your WordPress Blog Safe | Make Money Blogging()

  • RWH

    Hey Alex, these tips are simply amazing! You’ve done a great job in putting such an extensive list all together. I am sure I am gonna try out most of them. These safety tricks would definitely prove effective while safeguarding WordPress powered sites. Thanks a bunch!

  • Wow,
    What a nice post, I just found this post story from my Technorati profile news feeds section! I was searching for this for the past 3 months and I am glad to see it here. Thanking you much.


  • Hi Alex, I’m late to the party but can you please include the attribute to my original image as per the terms for usage of the image: http://www.flickr.com/photos/subcircle/500995147/

  • Thank you very much for these useful tips…

  • Very informative post. Thanks for all the tips for securing the WordPress blog.

  • Pingback: 10 Ways to Protect the Security of Your WordPress Blog | adipedia.com()

  • sam

    thank you for you advice, I just use these tips in my blog.

  • Pingback: sadar blog » Blog Archive » 10 Tips to keep your WordPress blog safe()

  • Ron

    This is excellent advice. I am currently using Login Lockdown, and have the file permissions set to the correct levels on my server. I am also using the blank index.html file in my plugins directory to hide that stuff.

    I am not however using the WordPress version hiding functionality. I have plug-ins that won’t work if the WordPress version is removed from it, and they are plug-ins I desperately need. I am not so sure hiding the version will help much though, as many of those automated bots will simply try the hack regardless of what version you’re running; if it doesn’t work they move on. This is akin to the major port scans you see from bots on the net anymore.

    Nonetheless, I didn’t know about the WordPress Security Scan so I will have to check that out.

    thanks for the good information

  • Pingback: Taasti.com » Blog Archive » Secure Your WordPress blog from hackers !()

  • Pingback: Enhanced security for WordPress | Cine Sunt ?()

  • Pingback: Hardening WordPress | erictopia.com()

  • Wow! I am damn sure that without implementing these tips none of the blogs can be secured. But i am too lazy to apply these……..

    But i will have to………

  • I have a WordPress blog. I didn’t know that there is a way to protect the wp-config file. A useful post for all WordPress users. Superb write-up.

  • Pingback: 10 Useful WordPress Security Tweaks - Smashing Magazine()

  • Very helpful tips for all WP users. These should be applied by all users to avoid being hacked. Although some of these are pretty basic/common sense (ie password, admin settings) but everything on the list are noteworthy. Thanks for sharing.

  • Pingback: Everyone take cover | Accent Circonflexe()

  • Thanks so much for this post! My site was just hacked and I’m now adding all of your above recommendations to make it as hard as possible for someone to hack in again. What a pain in the #$&%!

  • I’ve just started with my own website and I really love this template. Is it free or maybe one of those premium templates? Sorry, I’m new to this and just looking for suggestions. BTW, I check out your site nearly everyday.

  • Hi,

    In No. 7 you have written the function remove_action('wp_header', 'wp_generator'); this is not correct. For this reason I was in so much trouble. So please correct it.

  • Thanks, I was also afraid of hackers, I have followed the tips you have listed.

    @ Arif – you are right, that piece of PHP code is no longer working with new WordPress versions. Use plugins for now 🙂