10 Easy Ways to Secure your WordPress Blog

by Alex Denning. 120 Comments -

Securing your blog is important. With WordPress so popular these days, it’s becoming a bigger and bigger target for hackers. In this post we’ll look at ten easy ways to secure your WordPress blog.

Guest post by Alex Denning, a Twitter fan who recently launched his new blog, Nometech.com, where he blogs about WordPress, blogging and web design.

1. WP Security Scan

This very easy to use plugin will sort out some of the basic security issues with WordPress – it’ll change your database’s name and alert you to flaws in your installation’s security, amongst other features.


2. Protect your plugins

Plugins are an easy way for a hacker to get access to your blog if they’ve got flaws in them. An easy way for hackers to find out which plugins you’re using is to go to /wp-content/plugins/, and they’ll find all the plugins that you’re using. The solution? Put a blank index.html file in the wp-content/plugins/ folder.

3. Update WordPress

This is super-easy to do, but a surprising number of people don’t do it: update WordPress. If you’re super-security-conscious then don’t upgrade to the next big release immediately (ie 2.8), wait for the bug fixes to come in (ie wait for 2.8.1).

4. Pick a good password

Common sense. Use a good password. Don’t use the same password that you use on every site, create something that is easily memorable, with a mix of UPPER and lower case and some numbers in there too. Change your password regularly too.

5. Change the admin user name

By default, the WordPress user name is admin. [Lots]% of people don’t change it. Why should you change it? If a hacker has your username, he’s halfway there to getting into your site, he just has to guess your password. If the hacker has to guess your username as well, then that’s twice as much work to do. It’s super easy to migrate posts from one user to another, just create your new user and then delete the admin user. You’ll be given the option to migrate posts to another user.

6. Protect your WP-Config.php file

Your WP-Config.php contains your database name, database username and database password. It’s something to protect.

Just add the following code to your .htaccess file:

# protect wpconfig.php

order allow,deny from all

Source - Nometech.com

7. Hide your WordPress version

First off, go into your header.php file and remove the meta data (something like <meta name=”generator” etc). Trouble is, WordPress adds in the meta data automatically! How do you remove it? Paste this code into your functions.php file.

<?php remove_action('wp_header', 'wp_generator'); ?>

Source – ProBlogDesign

8. Limit the number of times user can enter their password (wrongly)

The Login LockDown plugin will lock out users if they enter their password wrong too many times. You can choose how many times users can enter their password and also how long they’re locked out for via a neat options page.

Source – WP Plugin Directory

9. Limit WP-Admin access by IP

This isn’t something that I do personally, as I blog on a fair number of different computers, but if you’re just on the one, with a fixed IP, then this is a great hack for you: you can restrict access to the wp-admin directory with a spluginimple .htaccess hack:

order deny, allow
allow from a.b.c.d. #your static ip
deny from all

Source – Nometech

10. Login via SSL

If your host has an SSL certificate then you can use this great little plugin to login via SSL. The Admin SSL plugin “secures login page, admin area, posts, pages – whatever you want – using Private or Shared SSL.”

Source – WP Plugin Directory, via MakeUseOf.com

And finally

It is very easy to get bogged down in plugins, but bear this in mind: a strong password that is changed regularly, and a couple of .htaccess hacks (this post might help) will keep the casual hacker out.

If you’ve enjoyed this post then please do take a look at Nometech.com, my new blog, and perhaps even subscribe to the RSS feed. If you’re on Twitter too then new followers are always welcome!

Comments (120) - Leave yours

  1. You are now listed on FAQPAL said:

    10 Easy Ways to Secure your WordPress Blog…

    Securing your blog is important. With WordPress so popular these days, it’s becoming a bigger and bigger target for hackers. In this post we’ll look at ten easy ways to secure your WordPress blog….

  2. Allan | nike dunks said:

    To be very true, I had all those flaws but my plugins directory was not visible because my host has some kind of security and it showed me some error page rather than that ftp style page showing all files. Thanks for sharing all those tips because they are mandatory.

  3. links for 2009-05-06 « It’s About Time said:

    [...] 10 Easy Ways to Secure your WordPress Blog Securing your blog is important. With WordPress so popular these days, it’s becoming a bigger and bigger target for hackers. In this post we’ll look at ten easy ways to secure your WordPress blog. (tags: wordpress security) [...]

  4. Joshua Parker said:

    Thank you for a post. I will definitely be utilizing some of these tips. This is especially good for those who are using a multi-user install. You definitely don’t want a multi-user site getting hacked.

  5. Ajith said:

    Excellent security tips for WP blogs. While I am in the process of upgrading the theme, I should certainly take a look at improvising on security.

    Just tweeted this post

  6. 10 премиум тем для WordPress | ПРО разное said:

    [...] Постовой: хорошая подборка из 10 шагов по улучшению безопасности вашего блога; 27 плагинов для так популярного сейчас в [...]

  7. Paul said:

    Good, commense sense list – especially on the passwords. People are dangerously lazy with keeping a good password.

  8. Online Forex Brokers said:

    OMG, I never considered the security holes on wordpress before. I thought it was secure. Putting an index file in a directory to prevent a list being seen on the screen is an old trick, but I never thought of using it for WP. I started reading this post and went to my site do it immediately. I then came back and saw the tip about protecting your wpconfig.php – that’s a new one me. ( I did that too).

    Thanks, you may have saved me a lot of time!

  9. andi said:

    Well, I got my site’s dbase hacked down last week, it won’t show anything except the two number: “56″..
    One of my friend told me that i should change the database and backup my old content.. Now it is live again..

  10. Vic said:

    This is a very helpful post.
    I already experienced domain defacement in my previous blogs
    And I agree that a strong password is very important.
    We can include in our passwords not only numbers and letter but also hypens like @#$?*!!, to ensure security.

  11. Victor said:

    The ninth tip wouldn’t be advisable for those who have dynamic IP address. My current ISP provided me with a dynamic one, and there are times when my IP change. Nonetheless, this checklist is very useful to secure WordPress blogs.

  12. Jeet said:

    Great tips, I am going to implement these on my blogs, some of them got hacked recently and google started showing malware warning. Not only I lost a couple of day’s income, they also lost ranking and followers in these days. Had to remove the iframe code from index.php, files in wp-content, wp-includes and theme pages.

    I am sure just removing the version code will prevent hacking bots that work on a particular version. I would add 11th way to this, keep looking for new versions and update wordpress version when a new version is available (it’s easy nowadays).

  13. Jeet said:

    @psd to html: You should remove the version because most hacks are targeted towards a particular version of wordpress. Many people also remove such info from their webserver and OS for the same reason.

  14. Fast food statistics said:

    Have you tried doing it? I says that any code “that isn’t permitted”, that doesn’t necessarily mean no code at all. I’ve been able to add HTML to the text widget just fine.

  15. Graphic Design Seminar said:

    nice post, that is a good plugin, and with that and a good password you should be good until you get huge and attract a lot of attention. i think that if that happens then you can afford to upgrade but this should get you started and be fine for quite a while. good post.

  16. Catrin W said:

    WordPress security issue is something that everyone should look after at the first place. There are so many hackers and vulnerabilities that can make you life very hard if you are not prepared for them. Thanks for sharing this great wordpress security tips.

  17. British coast said:

    Didn’t know about #2 (plugins folder). What has happened to v2.8, thought it was due start of April – just went and checked again after reading your post but still no sign.

  18. Denver Colorado said:

    Thanks for the advice here. We have been having a lot of problems with hackers getting into our blogs. I am going to pass the information on to our web master. This is very helpful!

  19. Baby Boy Gift said:

    I want to have it so when I post on my blog at WordPress, it will automatically post the same blog on my MySpace page. I know there is a way to do this with forums and bulletin boards – posting on WordPress and having it show up in the forums.

  20. Anders said:

    great post, but what about security against spam? plugins such as WP-SpamFree, Akismet and SpamTask should be mentioned, shouldn’t it? :) I mean, spammers are some kind of hackers I believe. :P

  21. Mukundan said:

    With this post I have learnt a lot on wordpress.I am going to use the above methods. Very helpful. Few of the plugins are really nice.

  22. Kotlina Klodzka said:

    I’d add “don’t login from strange computers”. If you’re blog’s making some money buy a laptop and don’t use any other computer. You never know if there are any keyloggers on someone else’s computer.

  23. Wheelchair Guide said:

    You offer some very important tips, because with how easy most hosts make it to set up a wordpress site, a lot of new bloggers don’t even think about security.

    Regarding #2, protect your plugins, can’t you also add Options -Indexes to your .htaccess file, to stop people from being able to view the contents of a directory?

  24. SEO Company said:

    Nice to see that some one posted simple but extraordinary Article regarding to Secure Word Press blog. I specially liked the points 6 – Protect your WP-Config.php file and 7. Hide your Word Press version. I just applied these two points to my Blog.
    Thanks for sharing

  25. Google Conquest said:

    Thanks a lot for sharing this.

    I’ll go right now and update all my wordpress blogs and install the security plugins as well as protect all the plugin directories.

    I wish I discovered your post before one of my blogs got hacked, three weeks ago.

    Just dugg, tweeted and posted it on del.icio.us and I gonna share it on the forum I’m actively involved because I saw a lot of posts where wp blogs got hacked.


  26. Nick Tart said:

    Thanks for the list. It’s amazing to me that blog owners have to go through all of this trouble to prevent worthless people from getting into our sites… Can you tell I’ve been hacked recently?

  27. illmill said:

    Thanks for this information. I never even thought of some of these security flaws, like people looking at my plugins and finding out info about my site from the plugins I use.

  28. Klark said:

    I think there are some errors in your tips.

    6. Protect your WP-Config.php file

    should be

    order deny,allow
    deny from all

    9. Limit WP-Admin access by IP

    should be

    order deny, allow
    deny from all
    allow from a.b.c.d. #your static ip

  29. Abu Garcia said:

    These are some good tips. There are also security products for wordpress but if you dont feel like spending money these tips will do. I think that keeping ones blog updated, I mean the version of wordpress updated is very important.

  30. Strangely said:

    I use the same technique as Wheelchair Guide.

    If you are already editing .htaccess, then a lot of vwork placing blank index.html files in every folder for which you wish to block browsing, is saved.
    One line of code is all you need!

    Also, don’t forget to protect .htaccess itself as well as the config file. Here are the three bits I’ve mentioned (these can be copied and pasted verbatim):

    # protect the htaccess file

    order allow,deny
    deny from all

    # protect wpconfig.php

    order allow,deny
    deny from all

    # disable directory browsing
    Options All -Indexes

  31. Strangely said:

    Oops. Forgot the code tag:

    # protect the htaccess file

    order allow,deny
    deny from all

    # protect wpconfig.php

    order allow,deny
    deny from all

    # disable directory browsing
    Options All -Indexes

  32. Tommix said:

    Man if you have no idea about what you’re “writing” – please do not write.

    1 What a f***:
    # protect wpconfig.php
    order allow,deny from all

    this will denny acces to ALL files not wpconfig.php

    2. order deny, allow
    allow from a.b.c.d. #your static ip
    deny from all

    so where is backslash before dots??

  33. RWH said:

    Hey Alex, these tips are simply amazing! You’ve done a great job in putting such an extensive list all together. I am sure I am gonna try out most of them. Thesesafety tricks would definitely prove effective while safeguarding wprdpress powered sites. Thanks a bunch!

  34. Catherine Michael said:

    What a nice post,i just found this post story from my technorati profile news feeds section! I was searching for this since past 3 months and i am glad to see it here. Thanking you much


  35. Nick said:

    Hi Alex, I’m late to the party but can you please include the attribute to my original image as per the terms for usage of the image: http://www.flickr.com/photos/subcircle/500995147/

  36. Ron said:

    This is excellent advice. I am currently using Login Lockdown, and Have the file permissions set to the correct levels on my server. I am also using the blank index.html file in my plugins directory to hide that stuff.

    I am not however using the WordPress version hiding fuctionality. I have plug-ins that won’t work if the WordPress version is removed from it, and they are plug-ins I desperately need. I am not so sure hiding the version will help much though, as many of those automated bots will simply try the hack regardless of what version your running, if it don’t work they move on. This is akin to the major ports scans you see from bots on the net anymore.

    Nonetheless, I didn’t know about the WordPress Security Scan so I will have to check that out.

    thanks for the good information

  37. SMM Shamim said:

    Wow! I am damn sure that without implementing these tips none of the blogs can be secured. But i am too lazy to apply these……..

    But i will have to………

  38. Jamie said:

    Very helpful tips for all WP users. These should be applied by all users to avoid being hacked. Although some of these are pretty basic/common sense (ie password, admin settings) but everything on the list are noteworthy. Thanks for sharing.

  39. Lori Henry said:

    Thanks so much for this post! My site was just hacked and I’m now adding all of your above recommendations to make it as hard as possible for someone to hack in again. What a pain in the #$&%!

  40. Sheena Moulden said:

    I’ve just started with my own website and I really love this template. Is it free or maybe one of those premium templates? Sorry, I’m new to this and just looking for suggestions. BTW, I check out your site nearly everyday.

  41. Arif said:


    In No. 7 you have written the function remove_action(‘wp_header’, ‘wp_generator’); this is not correct. For this reason I was in so much trouble. So please correct it.

  42. pradeep said:

    thanks,i was also afraid of hackers,i have followed the tips you have listed.

    @ Arif – you are right that piece of php code is no longer working with new wordpress versions.Use plugins fot now :)

Leave a Reply

Your email address will not be published. Required fields are marked *

Please respect the following rules: No advertising, no spam, no keyword in name field. Thank you!