
How to Harden and Secure Your WordPress Blog

The List of WordPress Blog Security Measures

A Word of Warning: Running many plugins will degrade the performance of your WordPress blog. Some plugins run only on demand while others are loaded on every request, so your mileage may vary. Some of these plugins may also not work well together, so add them one at a time and test after each.



Do Regular Backups – back up your database regularly, and also take a full copy of your entire WordPress directory. Run the database dump first and then the file backup, so that the dump (if your backup tool writes it inside the WordPress directory) is included in the copy. Do not leave a database dump sitting under the web root any longer than necessary: a file such as public_html/backup.sql can be downloaded by anyone who guesses the name, and it contains your password hashes. Store backups outside the web root, or download them and delete the server copy.
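A backup script in the spirit of the step above, added here as an example and not taken from the original page. It assumes a cPanel-style layout where the WordPress directory (say ~/public_html) sits below the account's home directory, that the mysqldump client is on the PATH, and that DB_HOST in wp-config.php is a plain hostname and the values contain no quote characters. It reads the database credentials out of wp-config.php, hands them to mysqldump through a temporary 0600 defaults file rather than on the command line (so the password never shows up in ps output), and writes both the dump and the file archive to a directory outside the web root. WP_DIR and BACKUP_DIR are variable names chosen for this example.

```shell
#!/bin/sh
# Example WordPress backup script (added example; assumes a cPanel-style layout,
# mysqldump on PATH and a plain hostname in DB_HOST).

# Extract the value of define('KEY', 'value') from wp-config.php.
# Assumes the value itself contains no quote characters.
wp_config_value() {
    cfg=$1
    key=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1
}

# Locate wp-config.php: WordPress also accepts it one directory above the install.
wp_config_path() {
    wp_dir=$1
    if [ -f "$wp_dir/wp-config.php" ]; then
        printf '%s\n' "$wp_dir/wp-config.php"
    else
        printf '%s\n' "$(dirname "$wp_dir")/wp-config.php"
    fi
}

# wp_backup WP_DIR BACKUP_DIR: dump the database and archive the files into
# BACKUP_DIR/wp-backup-<timestamp>/. BACKUP_DIR must be outside the web root.
wp_backup() {
    wp_dir=$1
    backup_dir=$2
    cfg=$(wp_config_path "$wp_dir")
    [ -f "$cfg" ] || { echo "wp-config.php not found for $wp_dir" >&2; return 1; }

    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)

    dest="$backup_dir/wp-backup-$(date +%Y%m%d-%H%M%S)"
    umask 077                      # everything created below is owner-only
    mkdir -p "$dest" || return 1

    # Credentials go into a throw-away defaults file, never on the command line.
    creds="$dest/.my.cnf"
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' "$db_host" "$db_user" "$db_pass" > "$creds"
    # --defaults-extra-file must be the first option given to mysqldump.
    mysqldump --defaults-extra-file="$creds" --single-transaction --routines \
        "$db_name" > "$dest/$db_name.sql"
    status=$?
    rm -f "$creds"
    [ "$status" -eq 0 ] || { echo "mysqldump failed" >&2; return 1; }
    gzip "$dest/$db_name.sql" || return 1

    # Full copy of the WordPress directory (themes, plugins, uploads, config).
    tar -czf "$dest/files.tar.gz" -C "$(dirname "$wp_dir")" "$(basename "$wp_dir")" || return 1
    printf '%s\n' "$dest"
}

# Usage: WP_DIR=$HOME/public_html BACKUP_DIR=$HOME/backups sh wp-backup.sh
if [ -n "${WP_DIR:-}" ]; then
    wp_backup "$WP_DIR" "${BACKUP_DIR:-$HOME/backups}"
fi
```

Run it from cron and copy the resulting directory off the server; a backup that lives only on the machine it protects is lost together with that machine.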

Scan Your Files for Oddities – use the virus scanner in cPanel to scan your files for malware. Plugins such as “WordPress Exploit Scanner” or “AntiVirus” can help too. Whatever the tool, the things worth looking for are PHP files inside wp-content/uploads (WordPress never puts any there), PHP files that changed when you did not update anything, and code built around eval() with a base64-decoded payload.
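The three checks just listed, as a small shell script added here as an example (it is not part of the original page and is no substitute for a real malware scanner). It assumes a standard install layout with wp-content/uploads under the WordPress directory; WP_DIR is a variable name chosen for this example.

```shell
#!/bin/sh
# Example "scan for oddities" helper (added example, not from the original page).
# It surfaces the things an injected backdoor most often leaves behind.

# wp_find_suspicious WP_DIR: print paths that deserve a manual look.
wp_find_suspicious() {
    wp_dir=$1
    {
        # 1. Executable PHP inside uploads. WordPress never writes PHP there,
        #    so anything found is either a misplaced file or a dropped web shell.
        find "$wp_dir/wp-content/uploads" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
        # 2. Obfuscation idiom typical of injected code: eval() wrapped around
        #    a decode/inflate call. Legitimate plugins almost never do this.
        find "$wp_dir" -type f -name '*.php' -exec grep -lE \
            'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' {} + 2>/dev/null
    } | sort -u
}

# wp_recently_changed_php WP_DIR DAYS: PHP files modified in the last DAYS days.
# Compare the list with your own update history; changes you did not make
# are a sign of compromise.
wp_recently_changed_php() {
    wp_dir=$1
    days=${2:-7}
    find "$wp_dir" -type f -name '*.php' -mtime -"$days" | sort
}

# Usage: WP_DIR=$HOME/public_html DAYS=7 sh wp-scan.sh
if [ -n "${WP_DIR:-}" ]; then
    echo "== suspicious files =="
    wp_find_suspicious "$WP_DIR"
    echo "== PHP changed in the last ${DAYS:-7} days =="
    wp_recently_changed_php "$WP_DIR" "${DAYS:-7}"
fi
```

A hit from the first two checks is not proof of compromise, but each one is cheap to inspect: open the file and see whether it belongs to a plugin you installed. Run the third check the day after any update so you know what a legitimate change looks like.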

Change Your Password – make it long and hard to guess. Swapping digits for letters (p4ssw0rd) does not help, because every password-cracking wordlist already includes those substitutions. Use a long passphrase or a random string with special characters, and never reuse a password from another site.

Rename Your Admin User – WordPress does not let you rename a user from yourdomain.com/wp-admin/users.php (the edit screen says “Usernames cannot be changed”). Instead, create a new user with the Administrator role and a non-obvious username, log in as that user, then delete the old “admin” account and choose “Attribute all content to” the new user when prompted. Brute-force bots try “admin” first, so this alone takes away half of what they need.

Keep WordPress Current – this is a lot easier to do now with the built-in updater inside the wp-admin area. You can also use the Softaculous auto-installer (available inside cPanel) to update your WordPress version. Take a backup first either way.

Keep Plugins Current – third-party developers frequently update their plugins to fix holes or bugs. Be sure to stay on top of those; a plugin that has not been updated in years is probably no longer maintained and should be replaced.

Eliminate Unnecessary Plugins – every plugin is extra code running on your site and a potential security hole in itself. Minimize your risk by not having a bunch installed. Note that a deactivated plugin still has its PHP files on disk, and some flaws can be reached by requesting those files directly, so delete plugins you do not need rather than merely disabling them.

Rename your WordPress Database Tables – you can do this with a plugin called “WP Security Scan” (which has a bunch of other useful functions built into it, such as permission checking, version hiding and wp-admin protection). Changing the prefix is more than editing $table_prefix in wp-config.php: every table must be renamed, and the prefixed entries in the options table (wp_user_roles) and the usermeta table (wp_capabilities, wp_user_level) must be renamed too, or you will lose administrator access. Be clear about what this buys you: it only obscures table names, and an SQL injection flaw in a plugin works regardless of the prefix. NOTE: be sure that you back up your DB first.

Hide the Contents of your Plugins Folder – there are a few ways to do this. The easiest is to create a blank file called “index.html” in the plugins directory, so that a request for /wp-content/plugins/ returns an empty page instead of a listing. This only hides the listing: the plugin files themselves stay readable, and each plugin’s readme.txt still reveals its version to anyone who knows the plugin’s name.

Don’t Let Search Engines Index your WordPress Folders – create a “robots.txt” file in your site root with these two lines (a Disallow rule without a preceding User-agent line is ignored):
User-agent: *
Disallow: /wp-*
Two caveats. robots.txt is a request that well-behaved crawlers honour, not an access control, and attackers read it for hints. Also, /wp-* matches /wp-content/ as well, so the blog’s CSS, JavaScript and images become invisible to search engines; if that matters to you, disallow only /wp-admin/ and /wp-login.php.

Protect Your Login Page – there are plugins that let you move the location of your wp-admin section. You can also protect the actual login page against “brute-force” attacks, where an automated bot tries a variety of usernames and passwords in an attempt to log in. “Login Lockdown” lets you configure how many attempts are allowed from one address before further attempts are blocked. If you always log in from the same place, an even stronger measure is to restrict wp-login.php to your own IP address in .htaccess.

Move Your wp-config.php File Up a Level – you can safely move wp-config.php to the directory above your WordPress directory; WordPress looks there automatically when the file is not in its own directory (as long as the parent directory is not itself a WordPress install). This only helps if the parent directory is outside the web root, as with public_html on a cPanel account: then a misconfiguration that serves PHP files as plain text cannot expose the MySQL credentials in that file. Check that the file keeps its restrictive permissions after the move.

Make your Directories Not Browsable – when you go to a directory like /wp-content/uploads/, do you see a listing of files and directories? If so, turn off indexing by adding the line Options -Indexes (or Options All -Indexes) to the .htaccess file in your site’s root directory. If your host’s Apache configuration does not allow the Options directive in .htaccess, every page will return an HTTP 500 error until you remove the line again, so test immediately after editing.

Check Your Permissions – generally, you want to restrict who can read and write your files on the server. On shared hosting these are usually already configured for you. Elsewhere, directories should be 755 and files 644, with wp-config.php tighter still (640, or 600 if PHP runs as your own user). Avoid 777 anywhere: it lets any process on the server write to your site. The WordPress documentation has a page of permission recommendations.
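The file-level steps above (blank index.html in the plugin and upload folders, robots.txt, Options -Indexes in .htaccess, a login-page IP restriction, and the 755/644 permission pass) collected into one script, added here as an example and not taken from the original page. It assumes Apache 2.4 (Require syntax) with AllowOverride permitting Options and Files directives in .htaccess, and that PHP runs as the file owner or the owner’s group, as it does on cPanel hosts. WP_DIR and WP_LOGIN_ALLOW are variable names chosen for this example; the robots.txt it writes is deliberately narrower than the Disallow: /wp-* rule above so that wp-content assets stay crawlable.

```shell
#!/bin/sh
# Example hardening script for the .htaccess, robots.txt, index.html and
# permission steps (added example, not from the original page).
# Assumes Apache 2.4 with AllowOverride permitting Options and Files directives,
# and that PHP runs as the file owner (or its group), as on cPanel hosts.

# wp_harden WP_DIR: apply the file-level hardening steps to one install.
wp_harden() {
    wp_dir=$1
    [ -d "$wp_dir" ] || { echo "no such directory: $wp_dir" >&2; return 1; }

    # 1. Stop directory listings site-wide and block direct reads of wp-config.php.
    #    Appended once; WordPress's own "# BEGIN WordPress" rewrite block is left alone.
    ht="$wp_dir/.htaccess"
    if ! grep -q '^# BEGIN wp_harden' "$ht" 2>/dev/null; then
        cat >> "$ht" <<'EOF'
# BEGIN wp_harden
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
# END wp_harden
EOF
    fi
    # Optional: only allow the login page from your own address(es).
    # WP_LOGIN_ALLOW is a hypothetical variable, e.g. "203.0.113.5 198.51.100.0/24".
    if [ -n "${WP_LOGIN_ALLOW:-}" ] && ! grep -q 'Files wp-login.php' "$ht"; then
        printf '<Files wp-login.php>\n    Require ip %s\n</Files>\n' "$WP_LOGIN_ALLOW" >> "$ht"
    fi

    # 2. Blank index.html in the directories most often listed; harmless when
    #    Options -Indexes works, a fallback when the host ignores it.
    for d in "$wp_dir/wp-content/plugins" "$wp_dir/wp-content/themes" "$wp_dir/wp-content/uploads"; do
        if [ -d "$d" ] && [ ! -e "$d/index.html" ]; then
            : > "$d/index.html"
        fi
    done

    # 3. Keep crawlers out of the admin and login pages. Narrower than
    #    "Disallow: /wp-*", which would also hide the CSS and JS under wp-content
    #    that search engines need to render pages. Existing file is left alone.
    if [ ! -e "$wp_dir/robots.txt" ]; then
        printf 'User-agent: *\nDisallow: /wp-admin/\nDisallow: /wp-login.php\n' > "$wp_dir/robots.txt"
    fi

    # 4. Permissions: directories 755, files 644, and wp-config.php readable
    #    only by its owner and group (it holds the database password).
    find "$wp_dir" -type d -exec chmod 755 {} +
    find "$wp_dir" -type f -exec chmod 644 {} +
    if [ -f "$wp_dir/wp-config.php" ]; then
        chmod 640 "$wp_dir/wp-config.php"
    fi
    return 0
}

# Usage: WP_DIR=$HOME/public_html sh wp-harden.sh
# Afterwards request any page with curl; an HTTP 500 means the host does not
# allow the Options override and that line must be removed again.
if [ -n "${WP_DIR:-}" ]; then
    wp_harden "$WP_DIR"
fi
```

If wp-config.php has been moved to the parent directory, tighten that copy by hand; the script only touches files below the WordPress directory so that it never changes permissions outside the site it was pointed at.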

Lock Down phpMyAdmin – if you have self-installed phpMyAdmin (a popular web-based MySQL management tool), keep it current, put it behind an extra login or restrict it to your own IP address, and remove it when you are not using it. An exposed phpMyAdmin hands an attacker your whole database for the price of one password guess.

Hide Your WordPress Version – if the version of your WordPress blog is out in the open, an attacker can use that information to look up the exploits that exist for that particular version. Older themes printed it in the theme’s header file on a line like this, which you can delete:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->
Current versions of WordPress add the tag from wp_head() rather than from the theme, so check the rendered page source; if the tag is still there, add remove_action('wp_head', 'wp_generator'); to your theme’s functions.php. The version also leaks through the generator element in your RSS feeds, the readme.html file in the site root, and the ?ver= parameter on script and stylesheet URLs, so hiding the meta tag alone buys little; keeping WordPress updated is the real fix.

Scan Your WordPress Blog for Vulnerabilities – using the “WP-Scanner” plugin, you can scan your WordPress blog for vulnerabilities. (Note: as of this writing, the scanner was offline.)

Recommended security plugin – use the BulletProof Security plugin to secure your .htaccess files.