WordPress Security Doesn’t Need To Be Difficult

wordpress securityLet’s begin by making an especially radical statement: 100% security is impossible to achieve with WordPress! Why? because it would be both impractical and all but impossible to maintain. Nevertheless, there are many steps you can take which will render your blog a great deal more secure than the vast majority or WordPress blogs currently online.

The most important step, is, appropriately enough, NOT to install WordPress using Fantastico! It’s unfortunate how, on forums etc., everyone posts saying use Fantastico, while I seldom read anyone explaining why this is actually such a bad foundation for a new WordPress blog.

Why? It’s simple: by default, a Fantastico installation sets “wp_” as the prefix for each WordPress table name. Knowing this, hackers find it especially easy to send malicious code targeting your wp_ based tables. It’s as if you’ve put a ‘welcome’ mat at the door for them. This knowledge makes it a doodle for them to change the appearance of your site, redirect your url to their site, plus a whole host of other nasty things.

But, virtually everyone reading this already has WordPress installed and running on their servers, so let’s move forward with how you can not only remove that ‘welcome’ mat from the door, but also install a burglar alarm.

Here is a link to the actual WordPress instructions for what they call a “Five Minute Install“.

Your Own Computer

To begin, you need to take a realistic look at your computer. Is it free from spyware, malware, and virus infections? I promise you, you can implement the tightest security on your blog, but if you have a keylogger lurking somewhere on your computer, it won’t do you an iota of good. Malicious keyloggers are very similar to viruses and trojans; they are used by hackers to violate user privacy. Keyloggers can take the form of software, or, on non-wireless keyboards, lurk between the keyboard’s plug and the computer’s keyboard. port. Spybot Search and Destroy will detect and remove most keyloggers. It is absolutely free to use, although users can make donations to its author Patrick M. Kolla

WordPress Updates

As with most software packages today, in order to address security issues, WordPress gets updated regularly, so, let me begin by reminding you of the importance to always stay updated with the latest version. Since version 2.7, WordPress has featured automatic updates, made available for you to install through your Dashboard, and although many purists will insist you do it manually, I disagree.

Provided you always make it a habit to perform a full backup first, there is nothing wrong with using the automatic update option, especially if it’s the difference between updating “now”, or leaving it “until you have some spare time”. But note my caveat: a full backup. Many backups do nothing more than backup the blog’s MySQL database and these are of little use to you in the event of a catastrophic loss. I use and highly recommend the WordPress Backup To Dropbox plugin.

Plugins and Theme

Similarly, always keep your plugins and theme updated to the latest version and delete any you are no longer using. Delete any plugins and themes you are no longer using.
NOTE: I always keep the default theme which installed with WordPress, just as a fallback in the event of any issues suddenly cropping up with your chosen theme.

Change Your Theme File Permissions

This is one of the most secure moves you can implement, and it’s especially simple. After your blog is set up, just change your theme file permissions to 444. They can be read, but they cannot be changed (ie- hacked by an automated bot).

The ONLY downside to this is whenever, in the future, you need to modify your theme you will first have to change the permissions back to 666 temporarily. But, this is a small price to pay when it prevents your blog from being hacked.

Delete the ‘Admin’ User Account

Everyone who’s ever dealt with WordPress knows that ‘admin’ is usually the default user account for WordPress installations, and most people never delete the account. This makes it especially easy to employ brute force cracking techniques since the username is already known.

So create a new account with administrator privileges and delete the admin account; you will be given the opportunity to change attribution of all posts to your new administrator username.


Getting into the habit of using strong passwords is critical to security. You need to make it difficult for anyone to guess your password and hard for ‘brute force’ attacks to succeed. WordPress also features a password strength meter which is shown when changing your password in your Admin. Use this when changing your password to be certain your choice is adequate. Remember, your password is your ‘key’ to your blog.

When choosing a password, mix letters, numbers and symbols, and use case sensitivity (upper and lower case letters). This mixture is known as “pseudo-random alpha-numeric combination”; using this, it is almost impossible to “crack” somebody’s password. (i.e. instead of “password,” try “pAsS34%(6*2woRd,” etc.)

Install Login Lockdown. This plugin records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.

Use Secret Keys in your WP-Config File

The WordPress wp-config.php file is the file which stores the database information required by WordPress to make the connections correctly. This file contains the name, address and password of the MySQL database which stores all of your user info, blog posts and other important content.

Using a secret key, you can make it even more difficult for an evildoer to gain access to your account.

Worpress even provides you with an online generator. Go to https://api.wordpress.org/secret-key/1.1/ and copy the results into this section of your wp-config.php file if you haven’t already set up a secret key.

WP authentication key

Move Your Config File

Move the wp-config.php file up one level from ~/home/user/public_html/wp-config.php to ~/home/user/wp-config.php;

Keeping the config file in the expected ‘public’ place means sufficiently skilled hackers can inject malware or delete your site by compromising your WordPress configuration settings. Don’t worry, WordPress automatically knows to look for wp-config.php one level up.
NOTE: This trick will not work if your blog is located in a subdirectory (domain.com/blog) or as an add-on domain in cPanel. So beware, you can only do this if your blog is the original URL in your hosting account.

Hide Your WordPress Admin Login

NOTE: This method is for people who know their IP address doesn’t change. When in place, should someone a computer other than yours tries to login to your Admin, all they will see is a blank page.

To implement this:

  1. Use your FTP program to download a copy of your blog’s .htaccess file
  2. Below everything already in the file, paste in:
    order deny,allow
    deny from all
    allow from xx.xx.xx.xx
  3. Replace xx.xx.xx.xx with your IP address
  4. If you don’t know what your ip address is, just go to http://www.whatismyip.com/
  5. Copy the IP address they provide (make sure you aren’t using any proxies at the time) and paste it over xx.xx.xx.xx
  6. Save the text file as .htaccess
  7. Upload it to your websites wp-admin folder using FTP
  8. You may have to edit the name because sometimes, when uploaded, it changes to .htaccess.txt so just edit the name and remove the .txt
  9. Go to yourdomain.com/wp-admin, if it loads fine then you are good to go
  10. If you only see a blank page then something went wrong. Don’t panic, just go back into your FTP program and double check you put the correct IP address in the .htaccess file
  11. If you still can’t figure out whats wrong, just delete those lines of text from the file

This method blocks everyone trying to go to your Admin login page, unless their IP address is allowed in the .htaccess file. If necessary, you can include more than one IP address to this file. Just add another ‘allow from xx.xx.xx.xx’ in another line.

Turn Off Directory Browsing

One very common mistake many people make is failing to turn off directory browsing from their Cpanels. This is a very simple operation, and will prevent your web content from being stolen. People will not be able to browse the contents of your folders by typing their names into their browser. To give you an example, if you type in www.yoursite.com/wp-content/plugins and directory browsing is not turned off, you will see the contents of the entire folder.

To turn off directory browsing, simple log into your Cpanel account and look for the Index Manager icon.

index manager

Click on it. This will move you forward to another page where you can turn off directory browsing for individual folders, or for the entire site. To turn off indexing for the entire site you should click on the root folder, which is public_html

select folder

Finally, change the settings from “Default System Setting” to “No Indexing”. This will instantly protect your folders from malicious peeping toms forever.

no indexing

Recommended WordPress Security Plugins

As you may already know, I’m definitely against installing random plugins just because you read about them. But, I will list below three security plugins, all of which I recommend and encourage you to install.

  1. Login Lockdown: I’ve already explained above why you must install this plugin, just look under the Passwords sub-heading above.
  2. WordPress Firewall 2: This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure.

    This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

  3. WordPress Exploit Scanner: This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

    When a website is compromised, hackers leave behind scripts and modified content that can be found by manually searching through all the files on a site. Some of the methods used to hide their code or spam links are obvious, like using CSS to hide text, and we can search for those strings.

The three plugins recommended above are all free. There is one more I would like to mention called WP Bulletproof Security, which allows one-click .htaccess website security protection from within the WP Dashboard. It is offered in a free version and a much expanded paid version priced (as I write) at $39.00. However, while researching this plugin, I came across one or two negative reports from people who had installed it when found they were unable to access their blogs.

It’s not a plugin I’ve ever used, while I use all three I’ve recommended in ALL my blogs, so the complainers may simply be using it, or setting it up incorrectly. I have to admit, they appear to offer a great deal of customer support, videos, etc.

wordpress security

Liability Disclaimer:

By reading this document, you assume all risks associated with using the advice given above, with a full understanding that you, solely, are responsible for anything that may occur as a result of putting this information into action in any way, and regardless of your interpretation of the advice.

You further agree that the author cannot be held responsible in any way for the success or failure of your blog as a result of the information presented above.

It is your responsibility to conduct your own due diligence and make a full backup of your blog to ensure a safe outcome should you apply any of the information and something unexpected or unforeseen occurs.

Anne Pottinger





  1. I’m new to this all on-line things and whilst I managed to setup my domain and weblog ot is really a battle to get site visitors heading on my site. I apreciate your ideas and posts, this 1 is really excellent and it willhelp me get websites targeted traffic simpler.

  2. I really like your blog.. very nice colors & theme. Did you make this website yourself or did you hire someone to do it for you? Plz reply as I’m looking to design my own blog and would like to find out where u got this from. thanks a lot

  3. I know this if off topic but I’m looking into starting my own blog and was curious what all is required to get set up? I’m assuming having a blog like yours would cost a pretty penny? I’m not very web smart so I’m not 100% sure. Any tips or advice would be greatly appreciated. Cheers

  4. Hey! I know this is kinda off topic nevertheless I’d figured I’d ask. Would you be interested in exchanging links or maybe guest authoring a blog article or vice-versa? My website discusses a lot of the same topics as yours and I feel we could greatly benefit from each other. If you are interested feel free to shoot me an e-mail. I look forward to hearing from you! Excellent blog by the way!

  5. Hello – thanks for commenting.
    Actually, this blog (and many more I have), cost me absolutely nothing. They are based on the WordPress CMS, with quite a few edits of my own. I am a very strong believer in “doing-it-myself”, and this method is the best teacher 🙂

  6. Hello Erich – thanks for commenting. This blog is all my own work, based on the WordPress CMS. I’m a firm believer in “do-it-yourself” 🙂

  7. WP security is really an issue
    every blogger should take seriously.

    I thank you for the lengthy post.

    I never knew Lock down plug in
    is a free one

  8. Thanks for this guide. I have a couple of questions about theme file permissions.

    1. Do we need to change the theme file permissions for the whole theme folder or only specific files in the theme folder? i.e. should we right click on the theme folder to change them or do we need to right click on the files.

    2. Should we only change the theme file permissions for the theme we are currently using or should they be changed for every theme installed i.e. the default TwentyEleven theme?

  9. Hi Mellow. You should only change the file permissions for specific files, not the entire theme folder. Several folders need to be accessed by programming in order to work, and changing permissions would bring the theme to a halt. I would actually change the necessary file permissions for all the themes you have installed, but I would also caution you to only maintain a minimum number of themes installed within one WordPress setup. Most themes are very good about notifying you when updates are available, but some may not, and having old versions of a theme in an installation can be yet another security issue. Personally, I only keep two themes in an installation, the one I’m actually using and the default TwentyEleven. I always keep this one installed because it can be a good fallback to test with should any issues occur.

  10. Thanks Anne for the info.

    Something im still unsure on. What specific files exactly in the theme folder need to be changed and which folders shouldn’t be changed? As you mentioned some folders need to be accessed by programming in order to work correctly.

    Also, what program do you recommend to use to change the file permissions? Is FileZilla recommended?

  11. FileZilla is good, but I usually do it through my cPanel hosting file access. If you are unsure of what you are doing, this is one of the last lines of defense for your WordPress blog; if you have most of the other features in place, you are already 99% safer than before you started 🙂

  12. OK. I’ll leave that as it seems too confusing.

    I have a couple of questions other parts of the guide.

    1. If you turn off directory browsing, can it be left turned off all the time? I was wondering if you do something like update WordPress or plugins would it need to be turned back on again.

    Also, if you click on the root folder, “public html” does this turn off directory browsing properly if you are using addon domains with your hosting or does that need to be done differently?

    2. I’m confused about the section “Use Secret Keys in your WP-Config File”.

    Is it just a matter of going to https://api.wordpress.org/secret-key/1.1/ then copying the results into the wp-config.php or do you need to change something in the MySQL database also so it makes the connections correctly?

  13. Hi Mellow – I am beginning to get extremely nervous by the questions you are asking. My post was intended as a guide for people who are probably much more familiar with file construction and permissions, etc., than you appear to be. I would most definitely not want to find myself in a situation where you make a ‘blunder’ and seriously screw up your WP installation. In short, if you don’t understand or are confused by the directions, then this level of security would be best not attempted by you. 🙂

  14. Hi Anne,

    Thanks for a very informative post – certainly opened my eyes to the things we can do to up our WP site security.

    However if a wp installation was done via fantastico, for example, do we get the secret key on the wp-config.php file ? If we do, is there a difference between a secret key generated this way (via Fantastico) and the link you provide? If we do not, then can we retro generate and utilise the secret key from your link and apply it to the wp-config.php file?

    Thanks again, Anne.


  15. Hi Cindy – Thanks for the question. Yes, you can most certainly retro-generate a secret key and apply it to a Fantastico WP installation. Just follow the directions and you will be fine. Having said that, whenever you are ‘tinkering’ with ANY file, first make a backup copy, just in case. You will then be able to revert back via your FTP program. But, I’ve added secret keys to a number of Fantastico installations and never encountered any problems.

    Best regards – Anne

  16. Thanks Anne, will certainly do a few retro-generation to spruce up the security 🙂

    Any chance we could also change the database and user prefixes for such Fantastico installations?

Leave a Reply