Security WordPress

WordPress Security Best Practices

A long overdue follow up to my immensely popular almost perfect WordPress htaccess file article.  This article of best practices should give you several more tricks up your sleeve to keep your WordPress installation secure and running smooth & below the radar of hackers and spammers.  This guide is not for WP beginners, but I also left out more advanced and obscure techniques, to keep these recommendations to the kind you could feasibly implement even if you’re not a veteran.

1.  Change $table_prefix:  By default WordPress uses a wp_ prefix to create the table names within your MySQL database.  Hackers exploit this default behavior and design their tools to look for this naming convention.  Changing this prefix from the default makes their attack tools less effective.

Ideally prior to your first install, change the prefix value in the /wp-config.php/ file to something else.  If you have already installed WordPress, there are a handful of plugins and tutorials available online to walk you through the process.  Beware! changing your table names after install is dangerous and you should follow thorough backup procedures to minimize possible down time.

 * WordPress Database Table prefix.
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
$table_prefix  = 'wp_';

Helpful Link:

2.  Remove the “admin” username / account:  This is a technique that is simple to execute and one that can be accomplished by almost any user.  By default WordPress creates an administrator account with the username “admin”.  This default behavior is one that is exploited by hackers who use brute force to guess your admin logic credentials.  Knowing one half of your login makes gaining access that much easier for an attacker.

To address this simply create a new account and give it administrator rights.  Then logout of your “admin” account, re-login as this new user, and then delete the old admin account.  When you delete this account, make sure to assign all posts, comments etc. to the new administrator you created. If you’re installing WordPress fresh, the install procedure now allows you to change the username prior to install.

3.  Restrict wp-admin access to certain IPs:  Assuming you manage your WordPress from only a few locations and your IP address does not change frequently, restricting access to WP Admin based on a list of IP addresses can add a very thorough protection from remote attacks.

Create or modify your existing .htaccess file in /wp-admin/ to include the following.  You’ll need to customize to add your own IP

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName Access Control
AuthType Basic
order deny,allow
deny from all
# whitelist
allow from
# work
allow from

4.  Remove unused themes and plugins:  This advice is incredibly easy to execute and a no-brainer for most who run a blog that has accumulated multiple themes over time.  Old, even inactive themes can present security risks to WordPress.  Removing them is as easy as deleting the theme via FTP from the wp-content/themes/ directory, or using the WP admin (Appearance>Themes>Delete).  If you need to possibly re-activate an older theme download the files and store it locally until needed again.

5.  Secure /wp-admin/ directory:  For most, this can be accomplished via your hosting control panel, most likely some version of cPanel, or Plesk.  For unfortunate Windows users, this type of directory protection isn’t quite as simple so you’re mostly SOL.  Simply choose the /wp-admin/ directory to protect, and assign a new user to this directory.  When you visit you’ll be prompted with an additional username and password dialog.  If you don’t have a hosting control panel capable of creating this type of protection for you, the process can be done by hand but it involves a few more (but IMHO worthwhile) steps to complete.

Pro Tip:  Some of you may experience a 404 Page Not Found when attempting to access you newly protected admin direction.  To fix this you’ll need to add “ErrorDocument 401 default” to the top of your /wp-admin/ .htaccess file.

Helpful Link:

Your resulting .htaccess file should look something like this assuming you have nothing else custom present.  The AuthUserFile path should differ on your server, the AuthName can  read what ever you’d like.

ErrorDocument 401 default

AuthType Basic
AuthName "Go Away"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
require valid-user

6.  Lock down file permissions:  File permissions are many times loosened to make certain plugins work, or diagnose problems with a WordPress install.  Many times, they are simply wrong or too loose out of the gate.  Changing file and directory permissions however can be tricky, and can cause a multitude of problems.  The best technique is to change them slowly and test often.  Also, if you run secured permissions, don’t be surprised if your have troubles with newly installed plugins don’t work quite right without some adjustments.

Helpful Link:

Helpful Link:

7.  Hide WordPress signature:  This is another “security through obscurity” technique similar to removing the admin account or changing your table prefixes.  By default, WordPress will report a “signature” identifying the website as powered by WP and displaying the version number in the code.  Knowing that you use WP, and what specific version gives a would-be hacker an advantage.

There are three ways to address this:

a.  Remove the following (actual format may vary) from your header code:

b. Add the following to your theme/functions.php file:

remove_action('wp_head', 'wp_generator');

c. Add the following to remove this signature from the blog *and* the RSS feed.

function wpbeginner_remove_version() {
return '';
add_filter('the_generator', 'wpbeginner_remove_version');

8.  Turn WP DB errors off.  Since version 2.3.1 WordPress has by default turned this value off.  The debug feature gives you the developer lots of helpful information if things aren’t quite right, but they should be disabled when you’re not actively diagnosing issues.

Helpful Link:

9. Strong passwords. An oldie but a goody.  Make sure every user has a strong password.  There are a whole host of WordPress plugins that enforce strict passwords on all users if you don’t have the option of creating the accounts yourself.

Helpful Link:

10. Monitor or disable user registration/comments.  User registration and participation via comments while great for your blog’s community and traffic, is bad for security.  Opening your WordPress blog to user registrations allows a hacker to gain access to your site that regular users don’t have, potentially revealing vital information about your blog they can use to gain access.  Monitoring user registrations and activity are key to minimizing this threat.  If things get very bad, disabling user registration can be done via the Admin> Settings > General control panel.

11. Secure FTP.  Sometimes security isn’t about trying to stop someone across the globe but rather someone much closer.  This intruder or snooper could be sniffing network traffic and could intercept your username and/or password.  Secure FTP or SFTP encrypts the connection between you and your web server, ensuring know one in between can sniff your logic credentials.

Helpful Link:

12. Administration over SSL.  Likewise the advice for FTP, it is wise to use the WordPress admin interface over a secure connection.  Forcing SSL with the WP Admin is a little more involved than most admins will tolerate, but it should not be ignored when attempting a comprehensive security plan.

Helpful Link:

13. Secure wp-config.php with htaccess.  Most don’t know this but you can actually move the all important wp-config.php file one directory above the WP install.  This gives you another level of obscurity from attackers looking to nab that file.  Even if you don’t move wp-config.php, you should protect it with an .htaccess file.

Here’s what you add to your root directory .htaccess file:

order allow,deny
deny from all

Helpful Link:


If you made it this far congratulations, you now have a good primer on WordPress security.  Not all of these best practices are required to run a secure WordPress site, but the more important your website becomes, the more essential these types of defenses become.

Other things to worry about:

Plugins.  Even if you prune old plugins, existing even up-to-date plugins can present security risks.  Keep them to a minimum.

Flash:  Flash can be hacked.  I’ve had personal experience bailing our website owners with compromised Flash galleries.  Drop the flash and use Javascript.

Your computer:  Your computer could be compromised.  Scan often and with different software.


Twitter user @BoiteAWeb reminded me that the WP version number is stored in your root directory readme.html file. Delete it to further obscure this useful information.

Tell me why I'm wrong...