Security WordPress

WordPress Security Best Practices

A long overdue follow-up to my immensely popular almost perfect WordPress htaccess file article.  This article of best practices should give you several more tricks up your sleeve to keep your WordPress installation secure, running smoothly, and below the radar of hackers and spammers.  This guide is not for WP beginners, but I also left out the more advanced and obscure techniques, to keep these recommendations to the kind you could feasibly implement even if you’re not a veteran.

1.  Change $table_prefix:  By default WordPress uses a wp_ prefix for the table names in your MySQL database.  Hackers exploit this default and design their tools to look for that naming convention, so changing the prefix makes their attack tools less effective.

Ideally, change the prefix value in wp-config.php to something else before your first install.  If you have already installed WordPress, there are a handful of plugins and tutorials available online to walk you through the process.  Beware: changing your table names after install is dangerous, so follow thorough backup procedures to minimize possible downtime.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

Helpful Link:

2.  Remove the “admin” username / account:  This technique is simple to execute and can be accomplished by almost any user.  By default WordPress creates an administrator account with the username “admin”.  Hackers exploit this default by brute-forcing your admin login credentials, and knowing one half of your login makes gaining access that much easier for an attacker.

To address this, simply create a new account and give it administrator rights.  Then log out of your “admin” account, log back in as the new user, and delete the old admin account.  When you delete it, make sure to assign all posts, comments etc. to the new administrator you created.  If you’re installing WordPress fresh, the install procedure now lets you choose the username prior to install.

3.  Restrict wp-admin access to certain IPs:  Assuming you manage your WordPress site from only a few locations and your IP address does not change frequently, restricting access to WP Admin to a list of IP addresses is a very thorough protection against remote attacks.

Create or modify the existing .htaccess file in /wp-admin/ to include the following.  You’ll need to customize the allow from lines with your own IP addresses; the ones below are placeholders taken from the documentation address ranges.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist (placeholder address, replace with your own)
allow from 192.0.2.10
# work (placeholder range, replace with your own)
allow from 198.51.100.0/24

4.  Remove unused themes and plugins:  This advice is incredibly easy to execute and a no-brainer for most who run a blog that has accumulated multiple themes over time.  Old, even inactive, themes can present security risks to WordPress.  Removing them is as easy as deleting the theme via FTP from the wp-content/themes/ directory, or using the WP admin (Appearance > Themes > Delete).  If you think you may need to re-activate an older theme, download the files and store them locally until needed again.

5.  Secure /wp-admin/ directory:  For most, this can be accomplished via your hosting control panel, most likely some version of cPanel or Plesk.  For unfortunate Windows users, this type of directory protection isn’t quite as simple, so you’re mostly SOL.  Simply choose the /wp-admin/ directory to protect and assign a new user to it.  When you visit, you’ll be prompted with an additional username and password dialog.  If you don’t have a hosting control panel capable of creating this type of protection for you, the process can be done by hand, but it involves a few more (but IMHO worthwhile) steps to complete.

Pro Tip:  Some of you may experience a 404 Page Not Found when attempting to access your newly protected admin directory.  To fix this you’ll need to add “ErrorDocument 401 default” to the top of your /wp-admin/ .htaccess file.

Helpful Link:

Your resulting .htaccess file should look something like this, assuming you have nothing else custom present.  The AuthUserFile path will differ on your server, and the AuthName can read whatever you’d like.

ErrorDocument 401 default

AuthType Basic
AuthName "Go Away"
AuthUserFile "/home/username/.htpasswds/public_html/wp-admin/passwd"
require valid-user

6.  Lock down file permissions:  File permissions are often loosened to make certain plugins work or to diagnose problems with a WordPress install, and many times they are simply wrong or too loose out of the gate.  Changing file and directory permissions can be tricky, however, and can cause a multitude of problems.  The best technique is to change them slowly and test often.  Also, if you run tightened permissions, don’t be surprised if newly installed plugins don’t work quite right without some adjustments.

Helpful Link:

Helpful Link:
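As an added example (my own script, not code from the article or from WordPress), the following POSIX shell script applies a permission baseline to a WordPress tree and counts how far the tree is from it, so you can tighten, test, and loosen one directory at a time as tip 6 advises.  The baseline numbers (directories 755, files 644, wp-config.php 600) are an assumption matching WordPress’s own documented recommendation; the sample tree it builds under mktemp is constructed for the demonstration, and the script and function names are mine.

```shell
#!/bin/sh
# wp_perms.sh: apply a permission baseline to a WordPress tree and verify it,
# so you can "change slowly and test often" as tip 6 advises.  Illustration
# written for this article, not part of WordPress.  The baseline is an
# assumption: directories 755, files 644, wp-config.php 600.  Hosts that run
# PHP as a separate user may need 750/640 with group access instead.

# Constructed sample tree with the kind of loosened permissions tip 6 describes
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  : > "$root/index.php"
  : > "$root/wp-config.php"
  chmod 755 "$root" "$root/wp-content"
  chmod 777 "$root/wp-content/uploads"   # opened up "to make a plugin work"
  chmod 666 "$root/wp-config.php"        # database credentials, world-writable
  chmod 644 "$root/index.php"
  echo "$root"
}

# Number of world-writable entries under a root: the most dangerous deviation,
# because any local user (or a compromised neighbour on shared hosting) can
# alter the files.  Zero is the only acceptable answer.
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of entries that deviate from the baseline (0 means the tree is clean)
count_perm_violations() {
  dirs=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
  files=$(find "$1" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
  cfg=$(find "$1" -type f -name wp-config.php ! -perm 600 | wc -l | tr -d ' ')
  echo $((dirs + files + cfg))
}

# Apply the baseline.  Run this, then test the site; loosen one directory
# (for example an uploads folder a plugin needs) only if something breaks.
set_baseline_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  find "$1" -type f -name wp-config.php -exec chmod 600 {} +
}

# Demonstration run: `WP_PERMS_DEMO=1 sh wp_perms.sh`
if [ "${WP_PERMS_DEMO:-}" = "1" ]; then
  tree=$(make_sample_tree)
  echo "before: $(count_world_writable "$tree") world-writable, $(count_perm_violations "$tree") off baseline"
  set_baseline_perms "$tree"
  echo "after:  $(count_world_writable "$tree") world-writable, $(count_perm_violations "$tree") off baseline"
  rm -rf "$tree"
fi
```

On a real site, source the file and run count_world_writable against the document root first; that single number is the one to drive to zero before worrying about the rest of the baseline.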

7.  Hide WordPress signature:  This is another “security through obscurity” technique, similar to removing the admin account or changing your table prefix.  By default, WordPress will report a “signature” identifying the website as powered by WP and displaying the version number in the page code.  Knowing that you use WP, and which specific version, gives a would-be hacker an advantage.

There are three ways to address this:

a.  Remove the following (actual format may vary) from your header code:

<meta name="generator" content="WordPress X.Y" />

b. Add the following to your theme/functions.php file:

remove_action('wp_head', 'wp_generator');

c. Add the following to remove this signature from the blog *and* the RSS feed.

function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

8.  Turn WP DB errors off.  Since version 2.3.1 WordPress has turned this off by default.  The debug feature gives you, the developer, lots of helpful information if things aren’t quite right, but it should be disabled when you’re not actively diagnosing issues.

Helpful Link:

9. Strong passwords. An oldie but a goody.  Make sure every user has a strong password.  There are a whole host of WordPress plugins that enforce strict passwords on all users if you don’t have the option of creating the accounts yourself.

Helpful Link:

10. Monitor or disable user registration/comments.  User registration and participation via comments, while great for your blog’s community and traffic, is bad for security.  Opening your WordPress blog to user registrations gives a hacker access to your site that regular visitors don’t have, potentially revealing vital information about your blog they can use to gain further access.  Monitoring user registrations and activity is key to minimizing this threat.  If things get very bad, user registration can be disabled via Admin > Settings > General.

11. Secure FTP.  Sometimes security isn’t about trying to stop someone across the globe but rather someone much closer.  This intruder or snooper could be sniffing network traffic and could intercept your username and/or password.  Secure FTP (SFTP) encrypts the connection between you and your web server, ensuring no one in between can sniff your login credentials.

Helpful Link:

12. Administration over SSL.  As with the FTP advice, it is wise to use the WordPress admin interface over a secure connection.  Forcing SSL for WP Admin is a little more involved than most admins will tolerate, but it should not be ignored in a comprehensive security plan.

Helpful Link:

13. Secure wp-config.php with htaccess.  Most don’t know this, but you can actually move the all-important wp-config.php file one directory above the WP install.  This gives you another layer of obscurity against attackers looking to nab that file.  Even if you don’t move wp-config.php, you should protect it with an .htaccess rule.

Here’s what you add to your root directory .htaccess file (the <Files> wrapper limits the rule to wp-config.php; without it the whole site would be denied):

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Helpful Link:


If you made it this far congratulations, you now have a good primer on WordPress security.  Not all of these best practices are required to run a secure WordPress site, but the more important your website becomes, the more essential these types of defenses become.

Other things to worry about:

Plugins.  Even if you prune old plugins, the remaining ones, even when up to date, can present security risks.  Keep them to a minimum.

Flash:  Flash can be hacked.  I’ve had personal experience bailing out website owners with compromised Flash galleries.  Drop the Flash and use Javascript.

Your computer:  Your computer could be compromised.  Scan often and with different software.


Twitter user @BoiteAWeb reminded me that the WP version number is stored in your root directory readme.html file. Delete it to further obscure this useful information.
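As an added example (my own script, not code from the article or from WordPress), the following POSIX shell script audits a WordPress document root for the defaults that tips 1, 6, 7, 8 and 13 and the readme.html note above say to change, so you can re-check a site after every upgrade.  The script and function names are mine; the sample install it builds under mktemp is constructed for the demonstration, and the replacement prefix blog7x_ and the theme folder name are placeholders.

```shell
#!/bin/sh
# wp_audit.sh: read-only checks of a WordPress document root for the defaults
# that tips 1, 6, 7, 8 and 13 (and the readme.html note) say to change.
# Illustration written for this article, not part of WordPress.  Each check_*
# function prints one line and returns 0 (pass) or 1 (fail).

# Tip 1: is $table_prefix still the default wp_?
check_table_prefix() {
  if grep -Eq '\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$1/wp-config.php"; then
    echo "FAIL  \$table_prefix is still the default wp_"; return 1
  fi
  echo "PASS  \$table_prefix has been changed"
}

# Tips 6 and 13: wp-config.php must not be readable by "other"
# (POSIX find: -perm -004 matches when the other-read bit is set)
check_config_perms() {
  if [ -n "$(find "$1/wp-config.php" -perm -004)" ]; then
    echo "FAIL  wp-config.php is world-readable"; return 1
  fi
  echo "PASS  wp-config.php is not world-readable"
}

# Tip 7: some theme unhooks wp_generator or filters the_generator
check_generator_hidden() {
  if grep -Rqs -e wp_generator -e the_generator "$1/wp-content/themes"; then
    echo "PASS  a theme hides the WordPress generator signature"; return 0
  fi
  echo "FAIL  nothing removes the generator signature"; return 1
}

# Tip 8: WP_DEBUG must not be true outside active troubleshooting
check_debug_off() {
  if grep -Eq 'define\([[:space:]]*.WP_DEBUG.[[:space:]]*,[[:space:]]*true' "$1/wp-config.php"; then
    echo "FAIL  WP_DEBUG is enabled"; return 1
  fi
  echo "PASS  WP_DEBUG is off"
}

# Tip 13: the root .htaccess has a <Files wp-config.php> deny block
check_config_htaccess() {
  if grep -Eqis '<files[[:space:]]+"?wp-config\.php"?>' "$1/.htaccess"; then
    echo "PASS  root .htaccess protects wp-config.php"; return 0
  fi
  echo "FAIL  root .htaccess does not protect wp-config.php"; return 1
}

# Postscript: readme.html reveals the version number
check_readme_removed() {
  if [ -e "$1/readme.html" ]; then
    echo "FAIL  readme.html is present and reveals the version"; return 1
  fi
  echo "PASS  readme.html has been deleted"
}

# Run every check; the return value is the number of failed checks
audit_site() {
  fails=0
  for chk in check_table_prefix check_config_perms check_generator_hidden \
             check_debug_off check_config_htaccess check_readme_removed; do
    "$chk" "$1" || fails=$((fails + 1))
  done
  echo "$fails check(s) failed"
  return "$fails"
}

# Constructed sample: a fresh install with every default still in place
make_default_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin" "$root/wp-content/themes/twentyten"
  printf '%s\n' "<?php" "\$table_prefix  = 'wp_';" "define('WP_DEBUG', true);" \
    > "$root/wp-config.php"
  chmod 644 "$root/wp-config.php"
  printf '%s\n' "<?php" "// theme functions, nothing removed yet" \
    > "$root/wp-content/themes/twentyten/functions.php"
  echo "<html>WordPress Version X.Y</html>" > "$root/readme.html"
  echo "$root"
}

# Apply the article's fixes to the sample (blog7x_ is a placeholder prefix)
harden_site() {
  printf '%s\n' "<?php" "\$table_prefix  = 'blog7x_';" "define('WP_DEBUG', false);" \
    > "$1/wp-config.php"
  chmod 600 "$1/wp-config.php"
  echo "remove_action('wp_head', 'wp_generator');" \
    >> "$1/wp-content/themes/twentyten/functions.php"
  printf '%s\n' "<Files wp-config.php>" "order allow,deny" "deny from all" "</Files>" \
    > "$1/.htaccess"
  rm -f "$1/readme.html"
}

# Demonstration run: `WP_AUDIT_DEMO=1 sh wp_audit.sh` audits the sample, hardens
# it and audits again; `. ./wp_audit.sh; audit_site /var/www/html` checks a real site
if [ "${WP_AUDIT_DEMO:-}" = "1" ]; then
  site=$(make_default_site)
  audit_site "$site"; harden_site "$site"; audit_site "$site"
  rm -rf "$site"
fi
```

The checks are deliberately read-only and grep-based so they can run from a cron job as the web user; the return value of audit_site is the failure count, which makes it easy to page on anything other than zero.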

Business Web Development

19 Things A Business Owner Can Do to Torpedo Their Website Project

In my 14+ years of professional website design and development experience I have seen and heard it all when it comes to client and business owner web project dysfunction.

Crazy Ideas

I’m Stuck – Random Design Idea Generator

I fashion myself a bit of a web designer, and sometimes, after slaving away on a client’s web design proof for hours, I run into a wall of uncreative energy, or as I call it, “shit out of ideas”.  I have found that many times the path around or through this wall is not all that complicated and can sometimes be as simple as a random one-line suggestion.

So as usual I had an idea for a very simple web application that web designers could bookmark, and when completely out of ideas they could visit and get a quick suggestion that they would then apply to their design proof.

The humor in this comes in two areas: the web application has no idea what the designer is working on, nor does it care.  It’s simply pre-loaded with canned, design-specific suggestions that may or may not apply to the designer.  The point is that sometimes this may be enough, or the suggestion may reinforce an idea you were already considering in your head or on the screen/paper.  The other humor angle is the suggestions themselves, which can be as simple and benign as “It needs more red” or as wacky and insulting as “Throw it out and start over you idiot” or whatever else we (or you, see below) may think up.

Check out the demo version of this web app we call I’m Stuck over at

But wait, there’s more …

The demo I whipped up at is simple, ugly, took less than an hour to make, and really is just the basis for a site that could be much more fun.  Here are some ways that someone could expand on the idea and provide more functionality and humor:

1.  Social Rating: Give users the ability to rate the suggestions and allow the user to filter to show top rated suggestions.

2.  User Participation:  Allow users to submit their own (crazy) suggestions and give them a weblink as an incentive.

3.  Filters:  Categorize the suggestions and give the users a filter to further tailor the now less-random suggestion to their project.

Those ideas are fun, but what if we took it further:

4.  Community:  Allow users to upload proofs of their work and have other users give their own customized suggestions.  Integrate a way for authors to thank users (PayPal/badges etc.)

5.  Mobile: All the cool kids are doing it, and I could see an I’m Stuck mobile app being useful for those designers on the go needing inspiration.

6.  Beyond Design:  This idea and web application could be expanded beyond just design to encompass other subjects such as: Pick Up Lines, Economic Policy, Sitcom Plots.

So there you have it.  Not only a working proof of concept but some basic ideas for 2 or more generations of a web application and service just begging to be made.

In case you missed it above check out the demo of I’m Stuck and leave me your feedback.

Web Design

19 Things NOT To Do When Building a Website

I’ve compiled a small list (or rant) of some very basic and fundamental rules that all webmasters must learn and respect when developing a website that needs to make actual money. This list can also be used by companies looking to hire a web development firm or to evaluate an already deployed website project.

I’ll start off slow and easy…

1. DO NOT resize the user’s browser window, EVER. I know you can, I know you feel really cool when you put that little Javacrap on your page and like a little miracle the browser window resizes to your wishes, but NO. You see this atrocious web technique mostly with spam sites and when “designers” design websites. That is, someone in the photo/video/art industry who “also makes websites” (see #6 for more on that), but in reality has no idea how to make a successful ecommerce website.

Virgin Galactic's Website Sucks
2. If your website requires the visitor to load your home page and then “launch” your real website in a pop-up, YOU LOSE. Pack it up, send it home, start over. If your website doesn’t load immediately on your home page and deliver your message within a couple of seconds, it’s pretty damn hard to keep people along for the show (no matter how cool and Flashtacular it is). I see this technique mostly with Flash web developers, who for some reason think all Flash websites must load in a pop-up window (assuming it can get past pop-up blockers), have 30-second loading sequences, and look curiously like

3. If your website asks the user which version they’d like, high bandwidth or low, HTML or Flash, you ALSO LOSE. See above for the explanation on this one, as they’re related. It’s like asking your customer if they’d like to enter your crappy store or your better store (but the ‘better’ store requires special glasses and a little 30-second wait…um NO THANKS); what you’re really asking them is “do you want to leave and buy from my competitor because I’ve put up a crappy roadblock before you even know what I sell?”. - Bad bad bad

4. If your website is ALL Flash, FIRE your web development company, and if you made it, add it to your portfolio under “Useless web projects I’ve done” and start over. Flash is just a tool, a wonderful powerful tool for delivering animation, video, interfaces, shopping carts, functionality etc.; the list goes on, it kicks ass. This DOES NOT MEAN you need to create your entire website in Flash, and if you do you will be at a severe disadvantage to your wiser competitors. Look at it this way: even Macromedia/Adobe, the maker of Flash, doesn’t have an all-Flash website. Do you think there’s a reason why? Oh yeah, they want to make actual money and don’t listen to ‘designers’.

5. DO NOT try to reinvent the website navigation. Put it on the top, the left, hell even the right will work but do not try to reinvent the way people interact with digital interfaces while trying to actually sell your product or service. People will get confused, then annoyed, then pissed, then gone.

6. This one is going to get me in trouble. If you are a print designer and “do websites on the side”, STOP DOING websites and providing “advice” to your print clients about web design. Print design to web design is like designing an ad for a race car versus actually building and racing that race car. Don’t get me wrong, print is great and all, you make pretty pictures and wonderful messages crafted with great copy, but when it comes down to it, it’s still just a picture. People cannot buy the product with a print ad (yet), they can’t communicate with your business through a print ad. I can already hear the grumbling coming from the print world, and look, it’s not that I don’t see a purpose for print advertising, just stick to print and don’t nose your way into a medium which you do not know and wouldn’t understand (same goes for general “geeks” who do websites ‘on the side’)

7. If you do not have sufficient copy, or any REAL TEXT on your home page (not in an image), and to a lesser extent your whole site, hire a copywriter and fire your webmaster NOW. Content is King, repeat after me CONTENT IS KING. Search engines don’t index fancy graphics and Flash, they index text. Good ol’ reliable text. If you don’t know how much text, or how to write good text, hire somebody who does (it’s essential to your ranking and to selling your product or service).

8. If your website does not work in Firefox, welcome to 2007 DUMBASS. Yes in most markets Firefox only commands at most a 10-15% market share, but for some sites it’s much higher (my other site has 80% Firefox users). Furthermore, if the morons you hired didn’t make your site and functionality compatible with Firefox they obviously have no idea what they’re doing, and aren’t up on their game. I have no idea why you would need a website, or functionality system that is so dependent on IE that it simply can’t work in Firefox, and frankly it doesn’t matter because there is no good reason. The lack of Firefox knowledge by a webmaster shows they aren’t of the Internet culture, and that’s a bad sign if you’re a business owner.

9. Commandment 9 is a collection of small issues that have been beaten to death other places and are quite common principles, but bear repeating. No blinking text, no Frontpage, no pop-ups (even requested), no scrolling text, no font downloads, and no Flash intros. If your product or service needs a Flash intro to sell, it probably sucks.

10. If you use music on your site make sure the user can stop it, and it BETTER NOT start on page load without the user requesting it. Same goes for video with audio (*cough ESPN *cough), many web users surf from work and don’t enjoy their speakers lighting up with your horrible and intrusive taste in music while their boss roams the halls looking for some ass to bust.

11. Text navigations are better than images. This isn’t a big deal, but it’s better to use text for your nav with some clever CSS than to export a large and bloated mouseover image navigation. I know Dreamweaver makes it so super simple, but you’ll benefit in a lot of other ways without it. Images wisely used, just like Flash, are excellent, but don’t always rely on mouseover graphics to deliver your image; design is more about content than designing the interface (do you know any of your friends that rave about the iPod’s elegant interface? No, and that’s the point, it just works)

12. A well thought out site map with logical sub sections is better than using “drop downs”. Simply put, drop downs never work quite right, and only a few of the ones I have seen are actually usable. Furthermore, the use of drop downs usually means that the person organizing the content did a piss poor job of it. If you have the mother of all sites and need people to access hundreds of pages, you’re probably Microsoft or CNET and you’re ignoring me anyways.

13. If your site needs a search engine for users to find information, it’s time to start over and fire the guy who came up with the site map (and those slick drop downs on your nav). Search engines are wonderful, and play a great role on some great sites, but if you lean on it for users to find content you’re pissing 50%+ of your customers off. Some people like to browse, they also like to search if they NEED to. Give them a logical browse option and they won’t need to search, but leave search there for the advanced users really digging into your vast amount of content (and you do have LOTS of content to be indexed right? If not see #7)

14. Load time is still a factor for over 50% of American web surfers. Even though you live in the wonderful world of Cable and DSL, half of America does not and hates you for it. If you design your site for only broadband users you’re sending a message: “Every other customer can bite me”. Bloat is simply NOT ALLOWED on the home page, but it can be used deeper in when users request it specifically.

15. This one seems obvious but isn’t to some people *cough Designers *cough. Do not HIDE your message, and don’t OBSCURE what you want the user to do. Home page design is like a billboard, hit them with a message and a desired path (buy now) in 1-2 seconds, but provide information for people who want to dig deeper and research.

16. If you lead the user through a pre-determined path in order to deliver a message or demo, it’s time to get an ANT farm and take your controlling wills out on some species that will actually like it. The web is about modular content; it’s not an “experience” or a “wonder tour of magical enchantment”. If you have to have a slideshow, put thumbnails there too so people can get the content they want when they want it. If your demo has 20 pages, give them a table of contents or at least some next/previous buttons so they can fast forward (they’d be watching broadcast TV if they wanted content shoved down their throats at a pace decided by the man). Pushing people through a demo one step at a time, no matter how complex, is a mistake and will lead to the inevitable: annoyance. And if your purpose in reloading the page to deliver the next slide in a slide show is to increase your ad impressions, you should DIE (see, and CNN)

17. If you’re delivering video, it better not ask the user which bandwidth or version of video they’d like. Real Player, 100K, Windows Media Player, Quicktime, WMV, 300K, AVI, Cable, DSL, Dial-Up? NO THANK YOU. Deliver your video in an embedded player in Flash. I’m sorry, Flash won this battle a long time ago (see YouTube), it has the install base, the lean interface and isn’t trying to get you to join “their world” of media player fantasy where they place system tray icons and launch helpers and pop up every time you pop in a CD or DVD. Flash is cross platform and cross browser compatible, something none of the other providers can say.

18. This is a small one, but if the user has to mouse over your graphic or small image to know what it is, or where it will take them if it’s a link, quit your job and be a magician or a blackjack dealer; making web interfaces is not for you.

19. This final commandment is related to many of the above ideas, and is a good guiding principle for web geeks that are excited about new tech and want to use it. Just because a technology is new, or you just discovered it, does not make it suitable to put on a business website, JUST BECAUSE you can. This happened with Flash, Java, and is now happening with AJAX. Yes, new technology is cool, but only integrate it on a business site if it improves the customer’s experience or sells more product/service. Technology for the sake of technology is silly and only belongs on your personal show-off site, or your own computer where no one will be exposed to its horrid creativity except you.

One might say that if you followed all of my commandments, the web would be a boring, dry and conformist web of sites only engineered for 1 thing; selling. And you’re right, but thankfully the world is full of plenty so called “creative” people and they keep it interesting for the rest of us.


cartooncorpse and jcs on suggested 4 more:

1. Don’t link to PDF content without disclosing the link.
2. Don’t employ any scripts to prevent the user from “Backing” out of the site with the browser’s back button. Ever try locking someone in your store? Do they usually buy something?
3. If your website says “you’re” where it should say “your”, you should fire the person that wrote it.
4. If your website has LOTS of random words in all capital LETTERS because the author was TRYING to emphasize words without the or tags that were created for exactly this purpose, he should be fired.
5. It goes without saying but Taladar suggests; No pop ups and no javascript links (breaks open in new tab).


Josiah is up: Hello world

This is the first post on Josiah

Currently I’m working on a blog with subjects such as sports, tech, cars, politics, food, music, privacy and video games.