Home » 10 Ways To Improve WordPress Security

10 Ways To Improve WordPress Security

Activities and Plug-ins That Will Make Your Website Hack Proof

Due to the popularity of WordPress as one of the widely used CMS in the world, it has become the most common target for hacking. Hackers, thieves and hijackers can plant viruses and hijack domain names, taking control of your site and locking you out of the site. Below are the top ways to improve security and make your website hack-proof.


Danger lurks in every corner of WordPress. Here are some of these.
o   Malware (or malicious software)
Malware disrupts normal computer operations, gathers sensitive information and gains access to other private systems. Intrusive as it is, a malware disguises itself as codes, scripts, active contents or other software applications.
o   Virus
Virus is a form of malware which insert a modified copy of itself into hard drive boot sectors, data files and computer programs. When it successfully injected itself and harm the areas, these will be considered ‘infected.’ A virus steals CPU time and hard disk space. It also accesses private information, corrupts data, displays malevolent messages and spams contents.
o   Brute-force attack
Also called exhaustive key search, brute-force attack is an attack against encrypted data. A brute-force attack is utilized when the hacker is not able to exploit other areas of the encryption system. The attack checks possible keystrokes and passwords systematically to find the correct one.


1. Secure all holes outside of WordPress including your computer, web server, network and software.

    • Use the latest version of your Operating System and set it up so you would be automatically updated and kept patched against known vulnerabilities.
    • Make it a habit to scan your terminals and defend yourself against viruses, worms and malwares. Upgrade your anti-virus software to the newest release and download the updates on a regular basis. Ensure that it is configured to give maximum protection.
    • Keep your browser and add-ons up-to-date.
    • Setup firewalls for both hardware and software – from your operating system to the router and your internet provider.
    • Turn off file and printer sharing features if they are not needed. If they are currently activated, share only within the network and as much as possible, not outside of it.
    • If you’re on a shared server (one that hosts other websites besides your own), ask your web host what security precautions they are taking and how to further protect yourself from possible attacks.
    • Always pick SFTP encryption when connecting to your server.

2. Secure all holes inside WordPress.

    • Make sure that you are using the most recent version of WordPress. If you are using an out-of-date or insecure copy, not only will you be giving the hackers the opportunity to enter malicious codes into your website but it will also pose a danger for web spam in the SERP. If you’re an SEO or digital marketing company, your clients who employ WP as a platform may lose their search rankings and even get themselves de-listed from the index as Google now requires all WordPress sites to be up-to-date. Do not wait to update two or three versions at a time. Ensure your safety now.
    • This goes the same for plugins. Download the latest copy only from the admin panel or those that are available under the plugin directory of wordpress.org.
    • Upgrade your PHP and mySQL versions to make it compatible with your WordPress.
    • Login to Dashboard often.
    • Deactivate and uninstall unused plugins.
    • Subscribe to WordPress Releases RSS.
    • If you are running multiple blogs on the same server, maintain separate databases for each and have them managed by different users.
    • Report bugs and security vulnerabilities to WordPress Security Team. For plugins, email them here.

3. Pick a strong and complex password both in and out of WordPress and change it frequently.

    • Rule of thumb is to keep it more than 12 characters with numbers and alphabets both in lowercase and uppercase.
    • Install a password manager or generator: LastPassPC Tools Random Password Generator, or KeePass Password Safe.
    • Enable automatic form filling in your internet browser to minimize the chances of keyloggers accessing your site.

4. Secure WordPress core files.

Get your IP address and add it to the site’s .htaccess file in the admin folder to replace xx.xxx.xxx.xxx with your own IP address.
     <Files wp-login.php>
     order deny,allow
     Deny from all
     Allow from xx.xxx.xxx.xxx
Add Allow from xx.xxx.xxx.xxx if you want to access WordPress on other computers as a new line.
Don’t use ‘admin’ as your username. Attackers assume that your site’s admin username is ‘admin.’
Move your admin panel login to a URL that is not so quickly identified and common.

  • wp-includes. Block the directory so that the database credentials and important programming scripts are safe. Append this on .htaccess.

     RewriteRule ^(wp-includes)/.*$ ./ [NC,R=301,L]
For subdirectories of wp-includes:
     RewriteRule ^(wp-includes|subdirectory-name-here)/.*$ ./ [NC,R=301,L]
Another alternative is to place this code outside WordPress tags as #BEGIN WordPress and #END.
     # Block the include-only files.
     RewriteEngine On
     RewriteBase /
     RewriteRule ^wp-admin/includes/ – [F,L]
     RewriteRule !^wp-includes/ – [S=3]
     RewriteRule ^wp-includes/[^/]+.php$ – [F,L]
     RewriteRule ^wp-includes/js/tinymce/langs/.+.php – [F,L]
     RewriteRule ^wp-includes/theme-compat/ – [F,L]
     # BEGIN WordPress

  • wp-config.php. Move this file to the directory above the WordPress installation. Set 400 or 440 permission so that only you as well as the web server will be able to read the file.

Deny anyone from surfing for the site via .htaccess.
     <files wp-config.php>
     order allow,deny
     deny from all
Disable file edits for all users by placing the line anywhere on the file:
     define(‘DISALLOW_FILE_EDIT’, true);
Disable custom HTML or unfiltered HTML:
     define( ‘DISALLOW_UNFILTERED_HTML’, true );
5. Remove WordPress defaults and all traces that can be used as gateways to find and tamper your site.

    • Remove default posts such as “Hello World”, description such as “Just another WordPress site” and default comments as these are signals that you have a brand new website therefore it is easier to crack into.
    • Get rid of the footer line that contains “Powered by WordPress” as this is also an indication for newly installed websites.
    • Rename file and directory defaults and basically all wp_prefixes through WordPress Security Scan.
    • Delete the user named “admin”. Add a new one with an administrator role.

6. Hide your WP version.
Install Secure WordPress Plugin to erase all references to it and prevent listing of your themes and plugin directories from non-admins.
7. Disable public access and lock down file permissions.

    • Disallow anyone from browsing the directories. Insert this on .htaccess.

                          # Prevent folder browsing
                          Options All -Indexes

    • If you cannot edit .htaccess, upload an index.html file in your main directory, replicate the look of your site’s PHP pages and add a link to index.php as you desire. Make index.html file a 0 byte placeholder.
    • Make sure that the content of wp-content/plugins isn’t accessible to people without proper authentication.

8. Keep the logs and analyze them often for possible suspicious activity.
9. Hide the login error messages such as unauthorized login to prevent hackers from getting an idea if they got the correct or incorrect login information.
Edit functions.php:
           add_filter(‘login_errors’,create_function(‘$a’, “return null;”));
10. Secure WordPress hosting.
Choose a company which prioritizes security. Look for features such as web application firewall, intrusion detection system, account isolation and support for the latest versions of MySQL and PHP.
11. Back up!
Always have a backup so it’s easier to revert in case anything happens.

For registrars:

1. Change the password frequently.
Use different passwords if you have multiple WordPress accounts. Combine letters (uppercase and lowercase), numbers and symbols.
2. Backup the site regularly.
Use a plugin such as BackupBuddy.
3. Keep the WordPress site updated.
Make sure that the blog is up-to-date. WordPress releases updates constantly. Use them for fixing any security holes. Today, WordPress has 460 plugins under the security tag.
4. Add whatever security layers available.
Use a plugin like Better WP Security as well as Whols protection, 2-step verification and registrar lock.


WordPress Plugins

1. WP Login Security 2

  • URL: http://wordpress.org/plugins/wp-login-security-2/
  • Description: Whitelists user IP address. Sends an email to the user and admin (optional) if the user logs in from an unknown IP address.
  • Compatible up to: 3.5.2
  • Last Updated: 2012-12-19
  • Downloads: 5,504
  • Rating: 5

2. BBQ: Block Bad Queries

  • URL: http://wordpress.org/plugins/block-bad-queries/
  • Description: Protects against malicious URL requests, checks all incoming traffic and quietly blocks bad requests containing nasty stuff. Works great for sites where .htaccess is not available.
  • Compatible up to: 3.8.3
  • Last Updated: 2014-3-5
  • Downloads: 146,266
  • Rating: 5

3. Wordfence Security

  • URL: http://wordpress.org/plugins/wordfence/
  • Description: Includes a firewall, virus scanning, real-time traffic with geolocation and more. Verifies and repairs the theme, plugin and core files. Makes the site 50 times faster.
  • Compatible up to: 3.9.1
  • Last updated: 2014-6-6
  • Downloads: 2,028,370
  • Rating: 4.9

4. WordPress File Monitor Plus

  • URL: http://wordpress.org/plugins/wordpress-file-monitor-plus/
  • Description: Monitors your WordPress installation for added/deleted/changed files. Sends an email alert to a specified address when a change is detected.
  • Compatible up to: 3.4.2
  • Last Updated: 2012-6-11
  • Downloads: 52,374
  • Rating: 4.8

5. iThemes Security (Formerly Better WP Security)

6. Login Security Solution

7. Login Lockdown

  • URL: http://wordpress.org/plugins/login-lockdown/
  • Description: Limits the number of login attempts from a given IP range within a certain time period.
  • Compatible up to: 3.8.3
  • Last Updated: 2014-3-8
  • Downloads: 342,420
  • Rating: 4.6

8. Stealth Login Page

  • URL: http://wordpress.org/plugins/stealth-login-page/
  • Description: Protects /wp-admin and wp-login.php pages from being accessed without editing .htaccess. The FIRST one that blocks remote bot login requests.
  • Compatible up to: 3.6.1
  • Last Updated: 2013-7-30
  • Downloads: 39,466
  • Rating: 4.5

9. Bad Behavior

  • URL: http://wordpress.org/plugins/bad-behavior/
  • Description: Prevents spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place.
  • Compatible up to: 3.8.3
  • Last updated: 2013-12-24
  • Downloads: 642,097
  • Rating: 4

10. Acunetix WP Security (Formerly WP Security Scan)

Free Plugins

1. BruteProtect

2. Clef

  • URL: http://wordpress.org/plugins/wpclef/
  • Description: Provides the easiest and most secured WordPress entry with no passwords and temporary codes and with single sign-on/off.
  • Compatible up to: 3.9.1
  • Last Updated: 2014-5-26
  • Downloads: 36,569
  • Rating: 5

3. WP SpamShield Anti-Spam

4. BulletProof Security

5. Page Security by Contexture

6. BackWPup

7. Lockdown WP Admin

  • URL: http://wordpress.org/plugins/lockdown-wp-admin/
  • Description: Conceals the administration from intruders. Hides WordPress admin (/wp-admin/) and and login (/wp-login.php)
  • Compatible up to: 3.8.3
  • Last Updated: 2014-5-13
  • Downloads: 97,850
  • Rating: 4.2

8. Advanced Access Manager

9. WP-DBManager

10. Online Backup for WordPress

11. WP-DB-Backup

12. Total Security

  • URL: http://wordpress.org/plugins/total-security/
  • Description: Checks WordPress installations and provides detailed report about discovered vulnerabilities.
  • Compatible up to: 3.9.1
  • Last Updated: 2014-5-10
  • Downloads: 17,046
  • Rating: 3.3

Paid Plugins:

1. VaultPress

2. Backup Buddy

3. BlogVault

4. Sucuri

There is no such thing as 100% secured website. Any website is vulnerable to some of the infections and attacks. This is particularly true since the hackers, thieves and hijackers themselves are continuously looking for new vulnerabilities they can exploit. The activities and plugins above can only minimize your website’s risk securities. Use them!

Optimind Logo

Digital Marketing agency with focus on Social Media, SEO, Web Design, and Mobile Development

Google Partner
Dot PH


Optimind Technology Solutions

2nd Flr CTP Building
Gil Fernando Avenue
Marikina City
Manila 1803 Philippines

+(63) 2 86820173
+(63) 2 86891425
+(63) 2 77394337
Australia - +(61) 2 80050168
Los Angeles, CA - +19092722457