Secure your WordPress Blog
A guide to securing your WordPress website.
When anything gets big and popular there are always unscrupulous folk out there wanting to hack your site (or, as they put it, to show you the security downfalls of the software). WordPress is the most widely deployed CMS, so a default installation is a well-mapped target: attackers know the URLs, the file names, the table names and the default username. With that in mind you’ll need to secure your WordPress site so they can’t get in and ruin it. There are a number of steps to follow, as shown here, roughly in the order of how much they reduce your exposure.
If you’re unsure about anything or a little scared to do it yourself, then please get in touch and I’ll be more than happy to help or provide a quote for securing your WordPress blog. If you know of any other ways to increase the security of your WordPress blog then please leave a comment below for others to see.
Remove the ability to browse directories
For example, enter www.yourblog.com/wp-content/plugins/ into your browser. If you’ve not yet removed this access then you’ll see a list of every plugin directory on your site. This isn’t good: an attacker can enumerate exactly which plugins you run (and, from their readme files, which versions), then look up known vulnerabilities for those versions and target them in their next attack. Directory listings are a reconnaissance aid, not a vulnerability in themselves, so treat this as denying information rather than as a fix for vulnerable plugins (see the update step further down).
Add the following line to your .htaccess file (usually located in your blog or site’s root directory). It only takes effect if your host allows Options overrides in .htaccess (AllowOverride Options); if your site runs on nginx instead of Apache, the equivalent is autoindex off in the server configuration. Test by requesting the plugins URL again: you should now get a 403 Forbidden instead of a listing.
Options All -Indexes
Remove the WordPress Version Meta Tag
Add the following line to your WordPress theme’s “functions.php” file (before the closing ?> tag, if the file has one; many don’t). Or use this remove wordpress generator meta tag plugin:
remove_action('wp_head', 'wp_generator');
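The generator meta tag is not the only place WordPress announces its version: the same string appears in the RSS/Atom feeds and is appended as ?ver=… to core scripts and styles. The following snippet is an added example (not code from this page or from the plugin it links) that covers all three. It goes in functions.php or in a file under wp-content/mu-plugins/; the function name is my own.

```php
<?php
// Added example, not part of WordPress core or any plugin.
// Removes the three usual version leaks: the <meta name="generator"> tag,
// the <generator> element in feeds, and the ?ver=<core version> query string
// on enqueued scripts and styles.

// 1. The meta tag in <head> (the line from the section above).
remove_action('wp_head', 'wp_generator');

// 2. Feeds (and anything else that calls the_generator()) print the version
//    through the 'the_generator' filter, which wp_head's removal does not touch.
add_filter('the_generator', '__return_empty_string');

// 3. Core appends ?ver=<WordPress version> to assets that declare no version
//    of their own. Strip it only when it equals the core version, so plugins
//    and themes that set their own asset versions keep their cache-busting.
function strip_core_asset_version($src) {
    global $wp_version;
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (empty($query)) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
// Late priority so this runs after any plugin that rewrites asset URLs.
add_filter('style_loader_src',  'strip_core_asset_version', 9999);
add_filter('script_loader_src', 'strip_core_asset_version', 9999);
```

Check it with a fresh request to your home page and your feed (for example curl -s https://www.yourblog.com/feed/ | grep -i generator) and confirm nothing comes back. The version can still be inferred by fingerprinting core files or by reading readme.html (next-but-one section), so this reduces casual fingerprinting; it is not a substitute for keeping WordPress updated.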
Remove or disguise your “mailto” links
This doesn’t really affect the security of your site but merely helps to combat the ever-increasing amount of spam you receive, since harvesting bots scrape mailto: links straight out of your HTML. A useful plugin for this is Spamshiv, which automatically masks any mailto links it finds on your site.
Set the minimum file and directory permissions
Your files need a certain amount of permission rights for your blog to write files to your server, such as uploads and cached pages. This can leave them vulnerable, especially when 777 (read, write and execute for everyone on the server) is set on files and folders: on shared hosting that lets any other account on the machine, or any compromised script, modify your PHP. The usual safe baseline is 755 for directories, 644 for files, and 600 or 640 for wp-config.php (it holds your database password), with the web server user owning only the directories it genuinely has to write to, such as wp-content/uploads. Download and install the very useful WP Security Scan plugin, which will tell you what your folders are currently set to and what they need to be set at to function correctly, and can tighten them at the same time.
Change or remove your “admin” username
Again, another one where hackers take the default admin username as a given and run a brute-force password-guessing attack against it. A really secure password (minimum 12 characters using upper- and lower-case letters, numbers and symbols) makes that guessing impractical, but renaming the account still removes half of the credential the attacker otherwise gets for free, so it is worth changing the username to something less generic. There are two ways to do it, since WordPress itself won’t let you edit a username in the Users panel:
1. Create a new user with the Administrator role, log out and log back in as that user, then delete the “admin” user. Even if the list says zero posts, you may have created pages with that user, so when WordPress asks, select “Attribute all posts and links to” and pick the new user. Never delete “admin” until you have confirmed another Administrator account exists and that you can log in with it.
2. Rename the account directly in the database. Open phpMyAdmin (accessible via your website’s cPanel), select your WordPress database from those listed in the left column, then click the users table (it will be something_users, depending on your table prefix). Select the Browse tab, click Edit (the pencil icon) on the admin row, and change the user_login value to the new name. The change is live in your WordPress admin immediately. Change user_nicename on the same row too: it is the author-archive slug (/author/admin/), which otherwise still tells visitors the username you just hid.
Keep WordPress and your Plugins up to date
Most WordPress break-ins exploit known, already-patched vulnerabilities in old core, plugin or theme versions, so this is the single most effective step on the page. You will be notified that an update to WordPress is available when you log in to your admin site. Likewise, if there are plugin updates available these will be shown in the Plugins panel. Take a backup before major updates (see the cPanel backup post), and delete plugins you no longer use rather than just deactivating them: a deactivated plugin’s files are still on the server and still reachable.
Change your WordPress Database Prefix
Firstly, before doing this, make sure you back up both your site and your SQL database; at least then if anything goes wrong you can revert. By default WordPress adds a wp_ prefix to its database tables, which means an attacker who finds an SQL injection hole in a plugin already knows the table names to aim at. If you haven’t installed WordPress yet, set $table_prefix in wp-config.php to something less obvious, such as “pju12tr_”, and continue with your installation. On an existing site the tables have to be renamed, and that is not just a rename: WordPress also stores the prefix inside data, in the user_roles option (wp_user_roles) and in per-user keys such as wp_capabilities and wp_user_level in the usermeta table, and those rows must be updated too or every user loses their role. Do this using the WP Security Scan plugin (mentioned above) or via phpMyAdmin in your website’s cPanel, then change $table_prefix in wp-config.php to match.
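The two database edits above (renaming the admin login, and changing the table prefix together with the prefixed option and usermeta keys) are what the phpMyAdmin click-throughs actually do. The script below is an added example, not code from this page, WordPress or the plugin mentioned: a one-off command-line PHP script that does the same edits with PDO. The connection details, the new prefix and the new user names are assumptions; replace them with your own, and take a database backup first because RENAME TABLE commits implicitly in MySQL and cannot be rolled back.

```php
<?php
// Added example: one-off CLI script, run as  php wp-rename.php  after a backup.
// Everything in this block of constants is an assumption; change it.
const DB_DSN      = 'mysql:host=localhost;dbname=wordpress;charset=utf8mb4';
const DB_USER     = 'wpuser';
const DB_PASS     = 'replace-me';
const OLD_PREFIX  = 'wp_';
const NEW_PREFIX  = 'pju12tr_';
const OLD_LOGIN   = 'admin';
const NEW_LOGIN   = 'editor-7gq';      // hypothetical; pick something not guessable
const NEW_DISPLAY = 'Site Editor';     // what readers see; deliberately not the login

// Table and column names cannot be bound as query parameters, so validate them
// against a strict character set and backtick-quote them.
function quote_ident(string $name): string {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException("Unsafe identifier: $name");
    }
    return '`' . $name . '`';
}

// Rename every table that starts with the old prefix, keeping its suffix.
function rename_tables(PDO $db, string $old, string $new): array {
    $renamed = [];
    foreach ($db->query('SHOW TABLES')->fetchAll(PDO::FETCH_COLUMN) as $table) {
        if (strncmp($table, $old, strlen($old)) !== 0) {
            continue;
        }
        $target = $new . substr($table, strlen($old));
        $db->exec('RENAME TABLE ' . quote_ident($table) . ' TO ' . quote_ident($target));
        $renamed[$table] = $target;
    }
    return $renamed;
}

// Keys WordPress core stores with the prefix baked in. Only these are rewritten:
// a blind REPLACE of every key beginning with "wp_" would also mangle options
// whose names literally start with "wp_" and are not prefix-dependent.
const PREFIXED_OPTION_KEYS   = ['user_roles'];
const PREFIXED_USERMETA_KEYS = ['capabilities', 'user_level', 'user-settings',
                                'user-settings-time', 'dashboard_quick_press_last_post_id'];

function rewrite_keys(PDO $db, string $table, string $column, array $suffixes, string $old, string $new): int {
    $stmt = $db->prepare(sprintf('UPDATE %s SET %s = ? WHERE %s = ?',
        quote_ident($table), quote_ident($column), quote_ident($column)));
    $changed = 0;
    foreach ($suffixes as $suffix) {
        $stmt->execute([$new . $suffix, $old . $suffix]);
        $changed += $stmt->rowCount();
    }
    return $changed;
}

// Anything else still carrying the old prefix (plugin-defined keys) is listed
// for manual review rather than guessed at. SUBSTRING is used instead of LIKE
// because "_" is a wildcard in LIKE patterns.
function leftover_keys(PDO $db, string $table, string $column, string $old): array {
    $stmt = $db->prepare(sprintf('SELECT %s FROM %s WHERE SUBSTRING(%s, 1, ?) = ?',
        quote_ident($column), quote_ident($table), quote_ident($column)));
    $stmt->bindValue(1, strlen($old), PDO::PARAM_INT);
    $stmt->bindValue(2, $old);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Rename the login. user_nicename is the author-archive slug (/author/<slug>/)
// and display_name is printed on posts; both are derived from the display name
// here so that neither reveals the new login.
function rename_user(PDO $db, string $prefix, string $oldLogin, string $newLogin, string $display): int {
    $slug = trim(preg_replace('/[^a-z0-9-]+/', '-', strtolower($display)), '-');
    $stmt = $db->prepare('UPDATE ' . quote_ident($prefix . 'users') .
        ' SET user_login = ?, user_nicename = ?, display_name = ? WHERE user_login = ?');
    $stmt->execute([$newLogin, $slug, $display, $oldLogin]);
    return $stmt->rowCount();
}

$db = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$tables = rename_tables($db, OLD_PREFIX, NEW_PREFIX);
$db->beginTransaction();   // the UPDATEs below are atomic; the renames are not
$opts  = rewrite_keys($db, NEW_PREFIX . 'options',  'option_name', PREFIXED_OPTION_KEYS,   OLD_PREFIX, NEW_PREFIX);
$meta  = rewrite_keys($db, NEW_PREFIX . 'usermeta', 'meta_key',    PREFIXED_USERMETA_KEYS, OLD_PREFIX, NEW_PREFIX);
$users = rename_user($db, NEW_PREFIX, OLD_LOGIN, NEW_LOGIN, NEW_DISPLAY);
$db->commit();

printf("Renamed %d tables, %d option keys, %d usermeta keys, %d user row(s).\n",
    count($tables), $opts, $meta, $users);
foreach (['options' => 'option_name', 'usermeta' => 'meta_key'] as $t => $c) {
    foreach (leftover_keys($db, NEW_PREFIX . $t, $c, OLD_PREFIX) as $key) {
        echo "Review manually: {$t}.{$c} = {$key}\n";
    }
}
echo "Now set \$table_prefix = '" . NEW_PREFIX . "'; in wp-config.php.\n";
```

Run it once, then edit $table_prefix in wp-config.php before loading the site again; until both are done WordPress will report that the database needs installing. Keys the script lists for review are either plugin data that also embeds the prefix (rename them the same way) or core options that merely happen to begin with “wp_”, which must be left alone.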
Deny access to your wp-admin directory
If you’re the only person who needs to access the WordPress admin panel and you do so from one location, then it’s worth denying access to all other IP addresses. Your IP address can be found at What is My IP. Then add the following to the .htaccess file in the wp-admin directory (if no file exists, create a plain text file, name it .htaccess and upload it to that directory). The xx below must be replaced with your IP address, and each directive goes on its own line. Two caveats: if your IP changes (most home connections do) you will lock yourself out, and the fix is to edit or delete this file over FTP; and wp-admin/admin-ajax.php is called by the public site and by some plugins, so if front-end features break you will need to exempt that one file. The syntax below is the Apache 2.2 form; on Apache 2.4 without mod_access_compat the equivalent is a single Require ip xx.xx.xx.xx line.
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Remove the readme.html and license.txt files from your WordPress root directory
There’s no need to have these on your server: readme.html states the exact WordPress version and license.txt confirms the platform, both useful to an attacker fingerprinting your site. Best to simply delete them. Note that every core update restores readme.html, so either delete it again after each update or deny access to it in your root .htaccess.
Use secure passwords for Administrator accounts
It’s a pain, I know, but use secure passwords for your WP admin user accounts. It’s best to use a password of at least 14 characters including numbers, letters and symbols, and one that is unique to this site, since reused passwords are the first thing tried from other sites’ leaked password lists. You won’t be able to remember a password like that, and you shouldn’t try: keep it in a password manager. A long random password makes brute-forcing the WP admin login infeasible, which is the point. A great website that will create a secure password for you is Strong Password Generator. Another great website, which includes additional features such as showing how long a brute-force attack on modern computers would take and whether the password has appeared in a data leak, is the Experte Password Generator. Use such sites to generate a candidate password; never paste a password you already use into a third-party site to check it.
Limit the number of login attempts
WordPress itself will let a client try passwords forever. Install a plugin, Login Lockdown, that will limit the number of attempts from a given IP address within a certain time period. You can specify the number of attempts as well as the time periods. Bear in mind that a determined attacker rotates source addresses, so this slows guessing rather than stops it; it works best combined with the strong passwords and non-default username above.
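To show what such a plugin does under the hood, here is an added example (my own code, not the Login Lockdown plugin) that implements per-IP login throttling with WordPress transients. The thresholds, the file name and the lt_ function names are assumptions.

```php
<?php
/*
Plugin Name: Per-IP login throttle (added example)
Description: Illustrative code, not the Login Lockdown plugin. Save as wp-content/mu-plugins/login-throttle.php.
*/
// Assumed policy: 5 failures from one address within 15 minutes locks that
// address out of login for 30 minutes. Counters live in transients, so they
// expire on their own and work with or without an object cache.
const LT_MAX_ATTEMPTS = 5;
const LT_WINDOW       = 15 * MINUTE_IN_SECONDS;
const LT_LOCKOUT      = 30 * MINUTE_IN_SECONDS;

// Key by REMOTE_ADDR only. X-Forwarded-For is attacker-supplied unless a proxy
// you control overwrites it; behind such a proxy, map the trusted header here,
// otherwise every visitor shares the proxy's address and one bucket.
function lt_key(string $kind): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_' . $kind . '_' . md5($ip);
}

function lt_locked_until(): int {
    return (int) get_transient(lt_key('lock'));
}

// Every wrong password or unknown username lands here (wp-login.php and
// XML-RPC both go through wp_authenticate, which fires this action).
add_action('wp_login_failed', function ($username) {
    $fails = (int) get_transient(lt_key('fails')) + 1;
    set_transient(lt_key('fails'), $fails, LT_WINDOW);
    if ($fails >= LT_MAX_ATTEMPTS) {
        set_transient(lt_key('lock'), time() + LT_LOCKOUT, LT_LOCKOUT);
        delete_transient(lt_key('fails'));
        error_log(sprintf('login throttle: locked %s after %d failures (last username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $fails, $username));
    }
});

// Reject logins from a locked address. Priority 30 runs AFTER core's
// username/password check at priority 20: core ignores an earlier WP_Error and
// returns the WP_User for a correct password, so an early block could be bypassed.
add_filter('authenticate', function ($user, $username) {
    $until = lt_locked_until();
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / MINUTE_IN_SECONDS);
        return new WP_Error('lt_locked',
            sprintf('Too many failed logins from your address. Try again in %d minute(s).', $minutes));
    }
    return $user;
}, 30, 2);

// A successful login clears the failure count for that address.
add_action('wp_login', function () {
    delete_transient(lt_key('fails'));
});
```

Attempts made while locked out still count, so hammering the login during a lockout extends it. Because the check sits on the authenticate filter it covers XML-RPC logins as well as the normal login form, which matters because xmlrpc.php is the usual route for automated password guessing against WordPress.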
One reply on “Secure your WordPress Blog”
Great Stuff.
I would like to share one more plugin, and it is User Blocker.
This plugin provides the ability to block or unblock user accounts quickly and effortlessly.