14 Effective Practical Security Tips for WordPress

wordpress tips tricks

WordPress is the most user friendly expandable blog platform around. "With power comes more responsibilities", says Spiderman’s uncle. So what if your valuable WordPress blog get hacked? You will be literally devastated, violated and humiliated. Now you need to know how a attacker or cracker hack or exploit your site.

  • They know about your security weakness points about your site
  • They know about the important directories are open and accessible
  • They know about the version of WordPress has security issues
  • They know what outdated unsecured plug-in you are using and they can take advantage of it
  • They brute force attack your site login for random username and password
  • They know WordPress uses "Admin" as the administrator name, so they keep generating passwords and keep trying

So how do you overcome these situations? Well, you just need tighten up the security principal to avoid these problems. These are very practical options to protect yourself from getting hacked. In truth, every protection can be broken but the point is not to cure but to prevent.


  1. Knowledge: Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation. Use the plug-in to schedule your database backups.
  2. Keep your WordPress install and plug-in up to date: The newest versions of WordPress automatically notify you if there is an update for your WordPress and your plugins. Keeping these up to date will keep black hats from using known vulnerabilities to gain access where they shouldn’t be.
  3. Rename the administrative account: You can do this in the MySQL command-line client with a command like

    update tableprefix_users
    set user_login='anothername'


    or by using a MySQL frontend like phpMyAdmin.

  4. Use strong password: Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checker that you could check. Here is Lorelle’s article on blog herald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable.

  5. Disable directory browsing: An attacker can reveal your files because they have been indexed by search engines, so you can use a simple one line code inside your .htaccess file

    Options -Indexes

    also use a robots.txt file to disallow the search engine robots to index the subfolder contents. Here is an example of a robots.txt file

    User-agent: *
    Disallow: /cgi-bin/
    Disallow: /wp-content/
    Disallow: /wp-admin/
    Disallow: /wp-includes/

  6. File permissions : Some of WordPress’ cool features come from allowing some files to be writable by web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.

  7. Do not advertise the WordPress version you are running: If you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. Why not simply hide the WordPress version entirely? Even if you update packages as quickly as you can, there will be lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack. However, editing out all the places where WordPress advertises its version string in your theme can be a pain. It is still best to make sure you are running the latest WordPress version. An easier way to do this is with the Replace WP-Version plugin (newer and better version with more features is Secure WP).

  8. Stay on top to Security Releases: Subscribe to the WordPress Development blog. When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

  9. Use Captcha whenever possible: solution for the comments and login also build contact forms with or . This keeps bots from spamming and trying to crack your login.

  10. Limit access to your wp-admin directory: Protect wp-admin directory by IP address or password, which will another level of password access to the wp-admin folder: if you are using CPanel then you can use the directory protection tool to password protect folders.

  11. Restrict access to your wp-config.php: I have seen cases on web servers where the PHP install gets broken and all PHP files become readable. This is bad because your wp-config.php file contains your database username and password.

    Create a file within your WordPress root install directory named “.htaccess” if there isn’t already one. Append the following to your “.htaccess” file inside of your root directory:

    deny from all

  12. Use Plugin: This plugin doesn’t control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site

  13. Use the : This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template and look at your plugins for vulnerabilities.

  14. Use a .htaccess based , details .



In Category: Resources, Wordpress
Show 36 Comments
  • Xx January 2, 2011, 11:20 am

    Use protectionx.info :)

  • Great Post! Really helpful. Thanks a lot!

  • Dissertation Help November 18, 2010, 12:03 pm

    >great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.
    Really great article! Thanks!

  • forexhug October 7, 2010, 11:55 am

    thanx for this usefull codes

  • Nick September 20, 2010, 1:26 pm

    really nice list here. as for the ssh tip – bravo. it’s one of those really nice things that is super convenient as well as secure. soon, you find yourself using ssh for nearly every server admin task you can think of.

  • D.F. August 30, 2010, 11:36 am

    nice post. thanks for this one


  • Binoy xavier June 7, 2010, 11:02 am

    Nice tips buddy. Will try to implement some on my blog too :)

  • gjperera June 4, 2010, 6:13 pm

    #11 Did not work, I keep getting a Server 500 error…

    • Jenn February 7, 2011, 2:54 pm

      It worked for me by omitting the at the end. So it looks like:

      deny from all

      And when I type in the address to my wp-config.php file, I get a 403 error, so it looks like it works!

      • Jenn February 7, 2011, 2:55 pm

        The comment form messed up the code. Just leave out the last /files part.

  • gjperera June 4, 2010, 2:37 pm

    Great tips…what do you know about Windows Live Writer vulnerabilities? It appears that there are security issues with Live Writer, does this apply to Word 2007/2010 also?

  • Israel June 2, 2010, 3:53 am

    Help! I used WP-Optimize to delete my admin account and now I can't login and I didn't notice whether WP-Optimize creates an alternate admin account for me?

  • Mark May 23, 2010, 5:46 pm

    I use http://wpantivirus.com
    Works fine for me.

  • ravi November 4, 2009, 5:41 pm

    great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.

  • ravi November 4, 2009, 12:41 pm

    great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.

  • Premium Wordpress Themes September 9, 2009, 2:35 am

    great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.

  • Munawar Am August 18, 2009, 11:09 pm

    Useful Tips, remind me that blogging security are the important one, and I have bookmark its.

  • Ruhani Rabin July 13, 2009, 1:41 pm

    Actually you've got a point my friend that I would agree too. I should've
    written minor updates not the major ones.. minor ones are more important..
    major updates can be hassle.. thank you so much for the insight :D

  • Arun Basil Lal July 13, 2009, 1:29 pm

    I have a small disagreement to the tip : Update as soon as an update is available. I would prefer to wait for a few days and see if its working fine for others. What if the new version have a bug and all the updated blogs are attacked?

    I would wait for at least a day :)

  • Ruhani Rabin July 5, 2009, 5:37 pm

    Thanks that is useful too .. :) Will update the post later on

  • BSM July 5, 2009, 1:53 pm

    Also important, use the wordpress ban plug in.
    You can ban all the spammers. It is unbelievable, I use it and I saw over than 200 attempts of the banned spammers to access my account.
    DO NOT ban your IP

  • aries May 6, 2009, 12:35 pm

    Nice post…thanks for sharing it with us… cheers :)

  • aries May 6, 2009, 10:35 am

    Nice post…thanks for sharing it with us… cheers :)

  • Mike Liwsi May 5, 2009, 3:08 pm

    thanx! very good article about wp.

  • Ruhani Rabin May 2, 2009, 11:13 am

    Yes you are right my friend .. the reason i've posted the robots.txt is to prevent search engines to crawl inside those folders that's all :)

  • Bipin Upadhyay April 30, 2009, 11:42 pm

    Although your concern regarding usage of robots.txt is valid, it doesn't apply here. Everyone (at least those who wish to attack a WP installation) knows about the directory structure.

    Come to talk about it, using robots.txt won't solve any real issue per se.

  • Syed M. Ruhani Rabin March 13, 2009, 12:01 am

    Yup Nilen, You've made a very good point such as rely on .htaccess protection and not completely rely on plugins , I'm going to hook up your post over here.

  • Nilen March 12, 2009, 10:23 pm

    My suggestion if you are self-hosted and not planning use cgi, then delete the cgi-bin folder. Also remove any unnecessary files you do not need. You can also use Recaptcha in WordPress too in orer to protect comments. For contact forms, I prefer Dagon Designs formmailer plugin.

    I think it is okay to reveal what version you are using if you have taken other precautions, especially with the htaccess functions. If you deny access to these files, then they will not be seen unless your host gets hacked. I illustrated this in my tutorial section, mainly focusing on the htaccess. Never rely totally on plugins to do the job.

  • robet February 28, 2009, 5:24 am

    tutorial yang sangat bagus

  • free satellite keys February 27, 2009, 11:28 am

    Development of digital technologies occurs prompt rates. Does not lag behind progress and digital TV. Speaking about digital TV, we first of all mean satellite TV. The digital satellite TV becomes more and more accessible to simple users. The market paid satellite tv also is not necessary on a place. The new digital standard of TV of high clearness HDTV actively develops and takes root. The satellite TV becomes more and more directed on the spectator. Besides digital quality of the image, advantage of satellite systems also is also the extensive cover zone of the companion.

  • Ruhani Rabin February 26, 2009, 6:14 am

    Thanks @AskApache for dropping by, You yourself is a very respectable person. You Made the awesome AskApache plugin :)

  • AskApache February 26, 2009, 4:52 am

    Nice list… these are still so very true even with the newest release. Dugg!

  • NewsShit! January 25, 2009, 7:38 pm

    That’s a fine compilation of things to secure a WordPress installation. But I don’t like this “robots.txt” thing:

    With all the directories listed inside the robots.txt you invite people to have a view into them. Because they know now that those directories do exist :)

  • NewsShit! January 25, 2009, 11:38 am

    That’s a fine compilation of things to secure a WordPress installation. But I don’t like this “robots.txt” thing:

    With all the directories listed inside the robots.txt you invite people to have a view into them. Because they know now that those directories do exist :)

  • Joshua December 26, 2008, 12:08 pm


    Great article there…

    Didn’t know u’re a WP aficionado ;)

  • Joshua December 26, 2008, 4:08 am


    Great article there…

    Didn’t know u’re a WP aficionado ;)