14 Effective Practical Security Tips for WordPress

wordpress tips tricks

WordPress is the most user-friendly expandable blog platform around. “With power comes more responsibilities”, says Spiderman’s uncle. So what if your valuable WordPress blog gets hacked? You will be literally devastated, violated, and humiliated. Now you need to know how an attacker or cracker hack or exploit your site.

  • They know about your security weakness points about your site
  • They know about the important directories are open and accessible
  • They know about the version of WordPress has security issues
  • They know what outdated unsecured plug-in you are using and they can take advantage of it
  • They will use brute force to attack your site login for random username and password
  • They know WordPress uses “Admin” as the administrator name, so they keep generating passwords and keep trying

So how do you overcome these situations? Well, you just need to tighten up the security principle to avoid these problems. These are very practical options to protect yourself from getting hacked. In truth, every protection can be broken but the point is not to cure but to prevent.


Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation. Use the WP-DB backup plug-in to schedule your database backups.

Keep your WordPress install and plug-in up to date

The newest versions of WordPress automatically notify you if there is an update for your WordPress and your plugins. Keeping these up to date will keep black hats from using known vulnerabilities to gain access where they shouldn’t be.

Rename the administrative account

You can do this in the MySQL command-line client with a command like

update tableprefix_users
          set user_login='anothername'

Use strong password

Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checkers that you could check. Here is Lorelle’s article on blog herald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable.

Disable directory browsing

An attacker can reveal your files because they have been indexed by search engines, so you can use a simple one-line code inside your .htaccess file

Options -Indexes

also, use a robots.txt file to disallow the search engine robots to index the subfolder contents. Here is an example of a robots.txt file

 User-agent: *
 Disallow: /cgi-bin/
 Disallow: /wp-content/
 Disallow: /wp-admin/
 Disallow: /wp-includes/

File permissions

Some of WordPress’s cool features come from allowing some files to be writable by the webserver. However, letting an application have to write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.  

Do not advertise the WordPress version you are running

If you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. Why not simply hide the WordPress version entirely? Even if you update packages as quickly as you can, there will be a lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack. However, editing out all the places where WordPress advertises its version string in your theme can be a pain. It is still best to make sure you are running the latest WordPress version. An easier way to do this is with the Replace WP-Version plugin (newer and better version with more features is Secure WP).  

Stay on top of Security Releases

Subscribe to the WordPress Development blog. When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.  

Use Captcha whenever possible

Captcha solution for the comments and login also build contact forms with Contact Form 7 or CFORMS II. This keeps bots from spamming and trying to crack your login.  

Limit access to your wp-admin directory

Protect wp-admin directory by IP address or password, which will another level of password access to the wp-admin folder: if you are using CPanel then you can use the directory protection tool to password protect folders.  

Restrict access to your wp-config.php

I have seen cases on web servers where the PHP install gets broken and all PHP files become readable. This is bad because your wp-config.php file contains your database username and password. Create a file within your WordPress root install directory named .htaccess if there isn’t already one. Append the following to your .htaccess file inside of your root directory:

deny from all

Use AskApache Password Plugin

This plugin doesn’t control WordPress or mess with your database, instead, it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site  

Use the WordPress online security scanner

This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template, and look at your plugins for vulnerabilities.  


Hardening WordPress

3 tips to protect your WordPress installation

10 Ways to Secure your WordPress install

WordPress security tips and hacks

Some of the link on this post may have affiliate links attached. Read the FTC Disclaimer.

Comments are closed.