10 Ways To Improve WordPress Security


Activities and Plug-ins That Will Make Your Website Hack Proof




WordPress is one of the most widely used CMSs in the world, and that popularity makes it the most common target for automated attacks: a vulnerability in core or in a popular plugin can be tried against millions of sites at once. Nothing is truly hack proof, but the steps below remove the easiest ways in and make your site a much harder target than the next one on the scanner's list.



1.       Secure all holes outside of WordPress. This means your own computer, the web server, the network and the software on each.

    • Run a current, supported version of your operating system and configure it to install updates automatically so it stays patched against known vulnerabilities.
    • Scan your workstations regularly for viruses, worms and other malware. Keep the anti-virus engine on its newest release, fetch signature updates automatically and configure it for maximum protection; a keylogger on the machine you administer from defeats every server-side control below.
    • Keep your browser and its add-ons up to date.
    • Set up firewalls at every layer you control, from the host firewall in the operating system to the router and whatever your internet provider offers.
    • Turn off file and printer sharing if you do not need it. If you do, share only within the local network and never expose those services to the internet.
    • If you are on a shared server (one that hosts other websites besides your own), ask your web host what isolation and security precautions they take, and what you can do on your side to protect yourself if a neighbouring site is compromised.
    • Always connect to your server with SFTP (file transfer over SSH) or FTPS rather than plain FTP, which sends your username and password in cleartext.

2.       Secure all holes inside WordPress.

    • Run the most recent version of WordPress. An out-of-date copy exposes known, publicly documented vulnerabilities, and once a site is compromised it is routinely used to inject spam links or malware, after which search engines can flag it or drop it from the index. If you are an SEO or digital marketing company, clients who run WordPress can lose their rankings that way. Apply each release as it ships rather than jumping two or three versions at once.
    • The same goes for plugins and themes. Update them from the admin panel and install only plugins published in the wordpress.org plugin directory or by a vendor you trust.
    • Run versions of PHP and MySQL that your WordPress release supports and that are still receiving security fixes.
    • Log in to the Dashboard regularly so you actually see the update and security notices.
    • Deactivate and uninstall unused plugins and themes; code that is inactive but still on disk can often be reached by URL and exploited.
    • Subscribe to the WordPress Releases RSS feed.
    • If you run multiple blogs on the same server, give each its own database and its own database user with rights to that database only, so a compromise of one site does not hand over the others.
    • Report bugs and security vulnerabilities in core to the WordPress Security Team. For plugins, report to the plugin author or to the wordpress.org plugins team.

3.       Pick a strong, unique password for every account in and around WordPress (WordPress users, the database, the hosting control panel, SFTP) and change it as soon as you suspect it has been exposed.

    • Rule of thumb: more than 12 characters, mixing digits with lowercase and uppercase letters. Longer passphrases are better still, and no password should be reused between accounts.
    • Install a password manager or generator: LastPass, KeePass Password Safe or the PC Tools Random Password Generator.
    • Let the password manager fill the login form rather than typing the password by hand, which limits what a keylogger on your machine can capture; prefer the manager's own autofill over the browser's built-in password storage.

4.       Secure WordPress Core Files.

Move your admin login to a URL that is not the default wp-login.php / wp-admin. This is obscurity rather than a control, but it takes your site out of the bulk brute-force runs that only try the default paths.

    • wp-includes. This directory holds core library code that is meant to be loaded by WordPress, never requested directly; blocking direct requests to its PHP files removes a common foothold for uploaded or injected scripts. (Your database credentials live in wp-config.php, not here; see the next item.) A blanket redirect of the whole directory is sometimes suggested:

                                         RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]

With a subdirectory added:

                                         RewriteRule ^(wp-includes|subdirectory-name-here)\/.*$ ./ [NC,R=301,L]

Do not use it as written: themes and the admin load JavaScript and CSS from wp-includes on every page, and this rule redirects those requests too, breaking the site. The rule set below, from the WordPress "Hardening WordPress" guidance, blocks only the include-only PHP files and leaves static assets alone. Place it in .htaccess above the # BEGIN WordPress and # END WordPress markers, because WordPress rewrites whatever sits between them.

                                        # Block the include-only files.
                                        RewriteEngine On
                                        RewriteBase /
                                        RewriteRule ^wp-admin/includes/ - [F,L]
                                        RewriteRule !^wp-includes/ - [S=3]
                                        RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
                                        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
                                        RewriteRule ^wp-includes/theme-compat/ - [F,L]

                                        # BEGIN WordPress

The dash after each pattern must be a plain ASCII hyphen (it means "no substitution"), not the en dash that copying from a web page often produces, or Apache will reject the file. The [S=3] line skips the next three rules for any request outside wp-includes. On Multisite the third rule also blocks ms-files.php, so test there before deploying.

    • wp-config.php. This file holds the database credentials and the security keys. WordPress also looks for it one directory above the installation, so move it there; when WordPress is installed at the root of the site, that parent directory is outside the document root and the file can no longer be fetched by URL at all. Set its permissions to 400 or 440 so that only the file owner (and, with 440, the web server's group) can read it.

Deny anyone from fetching it over HTTP via .htaccess (Apache 2.2 syntax; on Apache 2.4 use Require all denied inside the same block). Keep this rule even after moving the file, in case a copy is ever left behind:

                                      <files wp-config.php>
                                       order allow,deny
                                       deny from all
                                      </files>

Disable the built-in theme and plugin file editor for all users, including administrators, by adding this line to wp-config.php above the "That's all, stop editing!" comment. A stolen admin session can otherwise be turned into arbitrary PHP on the server through that editor:

                                      define( 'DISALLOW_FILE_EDIT', true );

Strip script, iframe and similar markup from every user's posts, including administrators and editors, who are otherwise allowed unfiltered HTML:

                                     define( 'DISALLOW_UNFILTERED_HTML', true );

5.       Remove WordPress defaults and anything else that advertises a fresh or untended install.

    • Delete the default "Hello World" post, the "Just another WordPress site" tagline and the default comment. They tell a scanner the site was just set up and probably not yet hardened.
    • Remove the "Powered by WordPress" footer line for the same reason (the platform stays easy to fingerprint, but there is no need to announce it).
    • Change the database table prefix from the default wp_. Pick a prefix at install time by editing $table_prefix in wp-config.php, or change it afterwards with WP Security Scan, which renames the tables and the prefixed rows in the options and usermeta tables. A non-default prefix turns a blind SQL injection against the well-known wp_users table into guesswork.
    • Do not keep an account named "admin". First create a new user with the administrator role and log in as it, then delete "admin", attributing its posts to the new user when WordPress asks. Every brute-force list starts with "admin".
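The settings in sections 3, 4 and 5 are easy to forget on a site you inherit. As an added example (not code from the article or from WordPress), here is a small Python audit that checks a wp-config.php for them: DISALLOW_FILE_EDIT and DISALLOW_UNFILTERED_HTML defined as true, a non-default $table_prefix, a DB_PASSWORD of at least the 12 characters section 3 asks for, and a file mode of 400 or 440. It parses the define() and $table_prefix lines with regular expressions, which is enough for the file the WordPress installer writes but is not a PHP parser; the sample configs at the bottom are constructed for the demo.

```python
"""Audit a wp-config.php for the hardening settings in sections 3 to 5.

Added example, not code from the article or from WordPress. The regular
expressions handle the define()/$table_prefix lines the installer writes;
a define() inside a comment or a value containing ')' would confuse them.
"""
import os
import re
import stat
import tempfile

REQUIRED_DEFINES = {          # constant -> value it must have (section 4)
    "DISALLOW_FILE_EDIT": "true",
    "DISALLOW_UNFILTERED_HTML": "true",
}
MIN_PASSWORD_LEN = 12         # rule of thumb from section 3
ALLOWED_MODES = (0o400, 0o440)  # section 4

_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_][A-Za-z0-9_]*)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)
_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]\s*;""")


def parse_defines(text):
    """Map constant name -> value for every define() in the config source.

    String literals lose their quotes; true/false/numbers come back as written.
    """
    found = {}
    for m in _DEFINE_RE.finditer(text):
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        found[m.group("name")] = value
    return found


def audit_config_text(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    defines = parse_defines(text)

    for name, wanted in REQUIRED_DEFINES.items():
        actual = defines.get(name)
        if actual is None:
            findings.append(f"{name} is not defined")
        elif actual.lower() != wanted:
            findings.append(f"{name} is {actual}, expected {wanted}")

    m = _PREFIX_RE.search(text)
    if m is None:
        findings.append("$table_prefix is not set")
    elif m.group("prefix") == "wp_":
        findings.append("$table_prefix is the default 'wp_'")

    password = defines.get("DB_PASSWORD")
    if password is None:
        findings.append("DB_PASSWORD is not defined")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"DB_PASSWORD is shorter than {MIN_PASSWORD_LEN} characters")
    return findings


def audit_config_file(path):
    """Audit the file's contents and its permission bits."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_config_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode not in ALLOWED_MODES:
        findings.append(f"file mode is {mode:o}, expected 400 or 440")
    return findings


def audit_in_tempfile(text, mode):
    """Write text to a temporary file with the given mode and audit it (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".php")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_config_file(path)
    finally:
        os.unlink(path)


# Constructed sample configs for the demo; GOOD_CONFIG follows every rule above.
GOOD_CONFIG = """<?php
define( 'DB_NAME', 'blog' );
define( 'DB_USER', 'bloguser' );
define( 'DB_PASSWORD', 'correct-horse-battery-staple' );
$table_prefix = 'k9x_';
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_UNFILTERED_HTML', true );
"""
BAD_CONFIG = """<?php
define('DB_PASSWORD', 'password');
$table_prefix = 'wp_';
define('DISALLOW_FILE_EDIT', false);
"""
```

Run it as `audit_config_file("/path/to/wp-config.php")` against a real install; an empty list is a pass. The mode check deliberately accepts only 400 and 440, so a file the web server can write (644 or worse) is reported even when every constant is set.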

6.       Hide your WordPress version.

WordPress prints its version in a generator meta tag on every page and ships a readme.html in the web root that states it too. Install the Secure WordPress plugin to remove those references and to stop non-admins from listing the theme and plugin directories. This fixes nothing by itself (keep updating), it just stops the cheapest scans from matching you against a list of versions with known holes.

7.       Disable public access and lock down file permissions.

    • Stop the web server from listing directory contents. Add this to .htaccess:

                              # Prevent folder browsing
                              Options All -Indexes

    • If you cannot edit .htaccess, drop an empty (0-byte) index.html into every directory that has no index file of its own, such as wp-content/uploads, so a request for the directory returns a blank page instead of a listing. The site keeps serving from index.php as before.
    • Make sure the contents of wp-content/plugins cannot be listed or read by unauthenticated visitors; a listing tells an attacker exactly which plugins, and therefore which known vulnerabilities, you run.
    • On the file system, directories should normally be 755 and files 644, owned by your own account rather than the web server's, with wp-config.php tightened further as in section 4.

8.       Keep your web server and application logs and review them regularly for suspicious activity: bursts of failed logins against wp-login.php from one address, requests for files that should never be fetched directly (wp-config.php, PHP files under wp-includes), and query strings carrying things like eval( or base64_. Ship copies off the server, since an intruder who gets a shell will try to edit them.
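A concrete version of that review, as an added example that is not from the article: a Python script that reads Apache combined-format access log lines and reports brute-force login attempts, probes for the files the hardening rules block, and injection-looking query strings. It relies on one WordPress behaviour, namely that a failed login re-renders wp-login.php with HTTP 200 while a successful one answers 302 and redirects into wp-admin. The threshold of five failures, the probe patterns, the 2000-character URL limit and the sample log lines are assumptions constructed for the demo.

```python
"""Flag suspicious WordPress activity in Apache access logs.

Added example, not code from the article. Reads Apache "combined" log lines
and reports, per client IP:
  * brute force: repeated POST /wp-login.php answered with 200 (WordPress
    re-renders the login form on failure and answers 302 on success);
  * probes: requests for files the section 4 rewrite rules block;
  * payloads: URLs carrying eval( / base64_ / ../ or that are absurdly long.
The threshold, patterns and SAMPLE_LOG below are assumptions for the demo.
"""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
FAILED_LOGIN_THRESHOLD = 5  # assumed; tune to your traffic
MAX_URL_LEN = 2000          # assumed; legitimate WordPress URLs are far shorter
PROBE_PATTERNS = [
    re.compile(r"^/wp-config\.php"),
    re.compile(r"^/wp-includes/(?:[^/]+\.php|theme-compat/)"),  # mirrors the rewrite rules
    re.compile(r"^/wp-content/plugins/?(?:\?|$)"),               # directory listing attempt
]
PAYLOAD_PATTERNS = [re.compile(p, re.I) for p in (r"eval\(", r"base64_", r"\.\./")]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %-escapes so a payload cannot hide as eval%28 or %2e%2e/.
    rec["path"] = unquote(rec["path"])
    return rec


def analyze(lines):
    """Return {'brute_force': {ip: failures}, 'probes': [(ip, path)], 'payloads': [(ip, path)]}."""
    failures = Counter()
    probes, payloads = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # garbled line; a production tool would count these too
        ip, path = rec["ip"], rec["path"]
        is_login_post = rec["method"] == "POST" and path.split("?", 1)[0] == "/wp-login.php"
        if is_login_post and rec["status"] == 200:
            failures[ip] += 1
        if any(p.search(path) for p in PROBE_PATTERNS):
            probes.append((ip, path))
        if len(path) > MAX_URL_LEN or any(p.search(path) for p in PAYLOAD_PATTERNS):
            payloads.append((ip, path))
    brute = {ip: n for ip, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD}
    return {"brute_force": brute, "probes": probes, "payloads": payloads}


def analyze_text(text):
    """Convenience wrapper for a whole log file read into a string."""
    return analyze(text.splitlines())


# Constructed sample: one brute-force run, one legitimate login, one prober.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2013:13:55:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"'
     for i in range(1, 6)]
    + [
        '198.51.100.4 - - [10/Oct/2013:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Oct/2013:13:56:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
        '192.0.2.9 - - [10/Oct/2013:14:01:00 +0000] "GET /wp-config.php HTTP/1.1" 403 210 "-" "curl/7.30"',
        '192.0.2.9 - - [10/Oct/2013:14:01:01 +0000] "GET /index.php?p=1&cmd=eval(base64_decode(%27aGk%3D%27)) HTTP/1.1" 200 1200 "-" "curl/7.30"',
        '192.0.2.9 - - [10/Oct/2013:14:01:02 +0000] "GET /wp-includes/theme-compat/comments.php HTTP/1.1" 403 210 "-" "curl/7.30"',
        'not a log line at all',
    ]
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, items in analyze_text(text).items():
        print(key, items)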

9.       Hide the detailed login error messages ("Invalid username" versus "The password you entered for the username X is incorrect") so an attacker cannot tell whether a username he guessed exists.

Add this to your theme's functions.php or, better, to a small must-use plugin so it survives a theme change. The original used create_function(), which is deprecated since PHP 7.2 and removed in PHP 8; a closure does the same job. Returning one generic message is friendlier than returning nothing and still leaks no distinction:

                    add_filter( 'login_errors', function ( $errors ) { return 'Invalid login credentials.'; } );

This is a speed bump, not a control: usernames also leak through author archives (?author=1), and the real defence against brute force is rate limiting such as Limit Login Attempts (listed below) plus strong passwords.

10.   Back up!

Always keep a recent backup so you can restore instead of trying to clean an infected site. Back up both the database and the files (wp-content/uploads, themes, plugins, wp-config.php), store copies off the server so an intruder or a disk failure cannot take them with the site, and test a restore occasionally; a backup you have never restored is a hope, not a plan.



    • WP-DBManager

URL: http://wordpress.org/plugins/wp-dbmanager/

Downloads: 820,692

Rating: 4

    • BackWPup

URL: http://wordpress.org/plugins/backwpup/

Downloads: 770,827

Rating: 4.4

    • WP-DB-Backup

URL: http://wordpress.org/plugins/wp-db-backup/

Compatible up to: ver 3.1.4

Last Updated: 2010-12-21

Downloads: 1,585,248

Rating: 3.7

    • Online Backup for WordPress

URL: http://wordpress.org/plugins/wponlinebackup/

Downloads: 245,558

Rating: 4


    • VaultPress

URL: https://vaultpress.com/

Price: $5 to $40 per month

    • Backup Buddy

URL: http://ithemes.com/purchase/backupbuddy/

Price: $80 (2 licenses) to $150 (unlimited)

    • BlogVault

URL: http://blogvault.net/

Price: $9 to $39 per month


WordPress Plugins.

1.       WP Security Scan.

2.       Wordfence Security

3.       Better WP Security

4.       Bad Behavior

5.       WordPress File Monitor Plus

  • URL: http://wordpress.org/plugins/wordpress-file-monitor-plus/
  • Description: Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
  • Compatible up to: 3.4.2
  • Last Updated: 2012-6-11
  • Downloads: 40,767
  • Rating: 4.9

6.       Limit Login Attempts

7.       Stealth Login Page

  • URL: http://wordpress.org/plugins/stealth-login-page/
  • Description: Protect your /wp-admin and wp-login.php pages from being accessed without editing .htaccess — the FIRST one that blocks remote bot login requests.
  • Downloads: 11,773
  • Rating: 4.8

8.       BBQ: Block Bad Queries

  • URL: http://wordpress.org/plugins/block-bad-queries/
  • Description: Protects against malicious URL requests, checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This works great for sites where .htaccess is not available.
  • Downloads: 61,945
  • Rating: 4.9

9.       Login Security Solution

10.   User Locker

  • URL: http://wordpress.org/plugins/user-locker/
  • Description: Locks user account after given number of incorrect login attempts. This makes brute force and dictionary attacks nearly impossible.
  • Compatible up to: 3.2.9
  • Last Updated: 2011-10-24
  • Downloads:  42,651
  • Rating: 4.9


Other plugins to check out:

Optimind Technology Solutions