22 Tips to Secure Your WordPress Blog


WordPress is the most widely used CMS for self-hosted blogs, and that popularity is the real reason it is attacked so much: its source code is public, its default file paths and login URL are the same on every site, and one working exploit can be sprayed across millions of installations. So if you run a self-hosted WordPress site or blog, its security is your job, not your host's. This article covers the major areas you need to take care of. I have tried to collect all the practical security tips for WordPress in one place, so here goes “22 Tips to Secure a WordPress Blog”.


1. Keep your WordPress installation up to date


Always update your WordPress installation as soon as a new release is available. Each release ships security fixes along with new features, and once a fix is public, attackers compare the old and new code to see exactly what was patched, so an unpatched site becomes an easy target within days. To stay on the safe side, run the latest version, and if your version or your host offers automatic background updates for security releases, turn them on.


2. Make your login Encrypted


Your login details should not travel over the network in plain text, otherwise anyone who can sniff the traffic (an open Wi-Fi hotspot, a compromised router) gets your user name and password. The proper fix is HTTPS: get an SSL certificate, serve wp-login.php and wp-admin over it, and set FORCE_SSL_ADMIN in wp-config.php so the login and dashboard are never served in the clear. If SSL is not available on your host, the Semisecure Login Reimagined plugin is a stopgap: it uses a combination of public and secret-key encryption in JavaScript to encrypt the password on the client side before the login form is submitted. Be clear about what it does and does not protect. Only the password is encrypted; the logged-in session cookie is still sent in the clear on every request, so a network attacker can skip the password and simply hijack your session, and can also alter the JavaScript before it reaches you. Use the plugin if you have nothing better, but treat SSL as the real fix.


3. Avoid plugins that are not in the WP plugins directory


As much as possible, avoid plugins that are not available in the WordPress plugin directory. A plugin from an unknown source (a random download site, a “nulled” copy of a paid plugin) can contain a backdoor that sends information like your admin account details to its author or lets them log in whenever they like. Plugins in the WordPress directory are reviewed when they are first submitted, but that review is not a security audit and later updates are not re-reviewed, so vulnerable plugins turn up there too. Before installing one, check when it was last updated, whether it is marked compatible with the current WordPress release, how many active installs it has and whether the author answers support questions. Remove plugins you no longer use: an inactive plugin's files are still reachable from the web and still exploitable.


4. Do not give a chance for Brute Force attack


Hackers can get into your blog by brute force: scripting thousands of user name and password guesses against wp-login.php. Do not give them unlimited tries. The Login Lock plugin reduces the chance of a successful brute force attack. Once installed and activated it records the IP address and timestamp of every failed login attempt, and if more than a certain number of failures are detected within a certain time interval from the same IP range, the login functionality is disabled for that range for a certain period of time. Keep two limits in mind. Lockouts slow down an attacker on a single network, but a distributed attack from many addresses walks around them, so a strong password (tip 12) is still your main defence. And wp-login.php is not the only way in: xmlrpc.php accepts a user name and password too, so whatever throttling you use must cover that path as well.
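
To show what such a lockout actually does under the hood, here is an added example of the same idea written as a small must-use plugin. It is not the Login Lock plugin's code and not part of the original article. It assumes a stock Apache/PHP host where REMOTE_ADDR is the visitor's real address, and the limits (5 failures in 15 minutes, 60 minute lockout) are assumed values you should tune; the EXAMPLE_LT_* names are invented for this example.

```php
<?php
/**
 * Plugin Name: Example login throttle
 * Description: Added example for this article, not the Login Lock plugin's
 * code. Save as wp-content/mu-plugins/example-login-throttle.php; files in
 * mu-plugins load automatically and cannot be deactivated from the dashboard.
 */

// Tunables (assumed values): 5 failures inside 15 minutes locks the
// source network out for 60 minutes.
define('EXAMPLE_LT_MAX_FAILURES', 5);
define('EXAMPLE_LT_WINDOW', 15 * 60);
define('EXAMPLE_LT_LOCKOUT', 60 * 60);

/**
 * Transient key for the calling client. IPv4 clients are bucketed by /24
 * (the "IP range" the article describes); IPv6 clients by full address.
 * Behind a reverse proxy REMOTE_ADDR is the proxy, and trusting
 * X-Forwarded-For blindly lets an attacker choose their own bucket, so
 * only derive the key from a header your proxy is known to overwrite.
 */
function example_lt_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $ip = implode('.', array_slice(explode('.', $ip), 0, 3)) . '.0/24';
    }
    return 'example_lt_' . md5($ip);
}

/** Current counter for the caller: failures, first failure time, lockout end. */
function example_lt_state() {
    $state = get_transient(example_lt_key());
    return is_array($state)
        ? $state
        : array('failures' => 0, 'first_failure' => 0, 'locked_until' => 0);
}

// 1. Reject every attempt from a locked-out range, even with the right
//    password. Priority 30 runs after core's own authenticate callbacks
//    (priority 20), so our WP_Error is what wp_authenticate() returns.
//    xmlrpc.php logs in through wp_authenticate() too, so it is covered.
add_filter('authenticate', function ($user, $username, $password) {
    $state = example_lt_state();
    if ($state['locked_until'] > time()) {
        $minutes = (int) ceil(($state['locked_until'] - time()) / 60);
        return new WP_Error(
            'example_lt_locked',
            sprintf('Too many failed logins from your network. Try again in %d minute(s).', $minutes)
        );
    }
    return $user;
}, 30, 3);

// 2. Count failures. Core fires wp_login_failed whenever wp_authenticate()
//    returns an error for a non-empty user name or password.
add_action('wp_login_failed', function ($username) {
    $now   = time();
    $state = example_lt_state();
    if ($state['locked_until'] > $now) {
        return; // already locked out; leave the lockout transient untouched
    }
    if ($now - $state['first_failure'] > EXAMPLE_LT_WINDOW) {
        // Previous failures are older than the window: start counting again.
        $state['failures']      = 0;
        $state['first_failure'] = $now;
    }
    $state['failures']++;
    $ttl = EXAMPLE_LT_WINDOW;
    if ($state['failures'] >= EXAMPLE_LT_MAX_FAILURES) {
        $state['locked_until'] = $now + EXAMPLE_LT_LOCKOUT;
        $ttl = EXAMPLE_LT_LOCKOUT;
        // Log the event (never the password) so a later audit can see it.
        error_log(sprintf(
            '[login throttle] locked out %s after %d failures (last user name tried: %s)',
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $state['failures'],
            $username
        ));
    }
    set_transient(example_lt_key(), $state, $ttl);
});

// 3. A successful login clears the counter for that range.
add_action('wp_login', function () {
    delete_transient(example_lt_key());
});
```

The check sits on the authenticate filter rather than on wp-login.php alone, which is the detail that matters: anything that ends up in wp_authenticate(), including XML-RPC, hits the same counter. The counter lives in a transient, so on a host with no object cache it is a row in wp_options; that is fine for a blog, but on a busy site you would key it in the object cache instead.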


5. Setup regular backup service


One of the most important aspects of securing your WordPress site is backups. Set up a backup service so that if something goes wrong at any point (a failed update, a hacked site, a disk failure at your host) you can restore the blog instead of rebuilding it. Keep copies off the server, on your own machine or a separate storage account, because a backup that sits next to the site is lost or tampered with along with it, and actually try a restore once so you know the backups work.


6. Change the default admin username


After installation the administrator user name is “admin”, so every attacker starts by guessing that name and only has to find the password. Do not keep it. WordPress does not let you rename a user from the dashboard, so the procedure is: create a new user with the Administrator role and a different name, log out and log back in as that user, then delete “admin” and, when asked, attribute its posts and pages to the new user. Note that user names are not really secret (the author archive at ?author=1 and the REST API can reveal them), so this tip buys you a little, and the strong password from tip 12 does the real work.


7. Hide the WP version


Do not advertise which WordPress version you run. WordPress prints it in a <meta name="generator"> tag in the page head, in your RSS and Atom feeds, and appends it as a ?ver= query string to core scripts and stylesheets; readme.html in the site root states it too. Remove the generator tag and the feed element (a small filter in your theme or a plugin does it) and delete or block readme.html. This is obscurity, not protection: attackers can still fingerprint the version from file hashes, so it only filters out the laziest scans and does not replace tip 1.


8. Hide the wp-content directory


The wp-content directory contains the vital parts of your site: plugins, themes and uploaded files. You cannot truly hide it, since every visitor's browser loads theme stylesheets and images from it, but you can stop people from browsing its contents. If the web server generates directory listings, anyone can open wp-content/plugins/ and read off your exact plugin list, then look up known exploits for them. Turn listings off in .htaccess (an Options -Indexes directive) for the whole site; as a fallback, an empty index.html inside wp-content and its subdirectories stops the listing for that directory, although it does nothing to protect the individual files in it.


9. Prevent direct directory listing by using proper .htaccess rules


A directory listing hands an attacker a map of your site: plugin names and versions, uploaded files, forgotten backups. Disable it for every important directory with the appropriate .htaccess rules, and check the result by opening wp-content/uploads/ in a browser: you should get a 403 error, not a list of files.


10. Block all wp-* directories from being indexed by search engines


The wp-* directories should be kept out of search engine results; nobody needs to find your plugin files through Google, and searching for known vulnerable plugin paths is a common way attackers locate targets. You can use the robots.txt file at the root of your site to disallow crawling of the wp-* directories. Add the following to it (the User-agent line is required; without it the rules apply to nothing):

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/

Two caveats. robots.txt is a polite request honoured by well-behaved crawlers, not access control, and it is public, so it tells anyone who reads it exactly which directories you care about; it is no substitute for the .htaccess rules in the previous tips. And blocking /wp-content/ also stops crawlers from fetching your theme's CSS, scripts and uploaded images, which can hurt how your pages are rendered and ranked, so many sites block only /wp-admin/ and /wp-includes/ and leave /wp-content/ crawlable.


11. Do weekly security audit/scan on your blog


A regular security audit is one of the most important parts of keeping a site secure, because most of the tips here are one-off settings that drift over time. Once a week, or after every update, check that WordPress, the theme and all plugins are current; look for administrator accounts you did not create; compare the core files against a clean copy of the same version (a scanner plugin can do this) and look through wp-content/uploads for .php files that should not be there; and skim the server logs for repeated failed logins or requests for files you do not have.


12. Use strong password policy and change password regularly


Use a strong password policy: long passphrases, unique to this site, never the same as your FTP, database or e-mail password, ideally kept in a password manager. Change them regularly and immediately after any suspected leak, and apply the same rule to every user with the Administrator or Editor role, not only yourself, since the weakest account is the one that gets used. If you have installed the Login Lock plugin you can configure the password policy settings from the Login Lock settings page.


13. Keep your theme and plugins updated with latest version


If you are using a theme from a vendor or a third party, or one you built yourself, keep it updated to the latest version; themes ship PHP, and old bundled libraries (image resizers, sliders) have been the entry point for many hacked sites. Plugins are the most common source of WordPress vulnerabilities, so always run their latest versions too, and uninstall any you are not using.


14. Make use of SFTP while transferring files to your hosting server


If you upload files to your host with plain FTP, switch to SFTP. FTP sends your user name, password and every file in clear text, so anyone on the path (the same café Wi-Fi from tip 2) can read the credentials and then log in and change your files. SFTP runs over SSH, so both the login and the file transfer are encrypted. FTPS (FTP over TLS) is an acceptable alternative if your host offers it; plain FTP is not.


15. Disable direct user registration


WordPress provides open user registration, but on a blog it is mostly a liability: attackers and spam bots register accounts and then probe for any plugin bug that lets a low-privilege user do more than it should. Unless your site really needs self-service sign-up, go to Settings > General and untick “Anyone can register”; also make sure the default role for new users is Subscriber, never Administrator. If someone needs an account, create it for them once you are satisfied they are genuine.


16. Protect the wp-config.php file from being accessed publicly


The wp-config.php file is the heart of a WordPress installation: it holds your database host, user name and password and the authentication keys and salts that sign login cookies, so anyone who reads it can take over the site. Normally the web server executes it as PHP and shows nothing, but a misconfigured PHP handler, or a backup copy such as wp-config.php.bak left behind by an editor, will serve it as plain text. Block any direct request for it with a proper .htaccess rule, and consider moving it one directory above your web root, where WordPress looks for it automatically and the web server cannot serve it at all.


17. Change the DB table prefix


The default installation of WordPress gives every database table the prefix wp_ (wp_users, wp_options and so on), which everybody knows. Changing the prefix does not prevent SQL injection: if a plugin passes user input into a query unescaped, the query is injectable whatever the tables are called, and an attacker can read the real prefix out of the database in one extra step. What it does is break automated exploits that hard-code the wp_ table names, so it is a small hurdle, not a fix; patched plugins are the fix. If you have already installed WordPress you can still change the prefix: update the $table_prefix line in wp-config.php and rename the tables (and the prefixed rows in the options and usermeta tables) to match, or use a plugin that does this for you, and take a database backup first.


18. Setup DB backup service on a regular basis


To be on the safer side, take database backups on a regular basis; the database holds all your posts, comments, users and settings, and it is the part you cannot recreate from a fresh download. A nightly backup is a sensible minimum for an active blog. If you use the VaultPress service you do not need to set this up yourself, as it backs up in real time.


19. Create Custom login links


Everybody knows that a WordPress site is logged into at /wp-login.php and /wp-admin/, so automated attacks go straight there. You can hide the default login link by creating a custom one, for example with the Stealth Login plugin. Only count this as protection if the default URL stops working as well: if wp-login.php still answers, the custom link is cosmetic, and bots do not read your navigation menu anyway.


20. Password protect wp-admin directory


Reaching the wp-admin dashboard normally requires a WordPress account with the right role. Adding web server password protection to the wp-admin directory puts a second, independent password in front of it, so a stolen or guessed WordPress password alone is not enough. In cPanel you can do this from “Password Protect Directories”; otherwise use a .htaccess file with an AuthUserFile and Require valid-user, or the AskApache Password Protect plugin. Two things to know first: wp-login.php sits in the site root, not in wp-admin, so this does not stop password guessing against the login form itself; and wp-admin/admin-ajax.php is called from the public side of the site by many plugins and themes, so it must be exempted or those features break for ordinary visitors.
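
Tips 8, 9, 16 and 20 all come down to a few lines of Apache configuration. The following is an added configuration fragment, not something from the article or the plugins it mentions. It assumes Apache 2.4 (the Require syntax; on 2.2 the equivalents are Order/Deny and Satisfy Any), that AllowOverride permits Options and AuthConfig in .htaccess, and the path /home/example/.htpasswd is a placeholder for wherever you keep the password file.

```apache
# ---- /.htaccess in the site root ---------------------------------------
# Tips 8 and 9: never generate directory listings, for wp-content/uploads,
# wp-content/plugins or anything else that lacks an index file.
Options -Indexes

# Tip 16: wp-config.php is read from disk by PHP; nobody needs it over HTTP.
# The pattern is unanchored at the end on purpose, so editor and backup
# copies (wp-config.php~, wp-config.php.bak, wp-config.php.orig) that a
# broken PHP handler would serve as plain text are blocked as well.
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

# ---- /wp-admin/.htaccess -------------------------------------------------
# Tip 20: a second password in front of the dashboard, checked by Apache
# before WordPress runs. Create the file with:  htpasswd -c <path> <user>
# Keep it outside the document root (assumed path below).
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Plugins and themes call admin-ajax.php from the public site (comment
# forms, live search, sliders). Without this exemption anonymous visitors
# get a password prompt and those features break.
<Files admin-ajax.php>
    Require all granted
</Files>
```

After saving, verify each rule from a browser that is not logged in: wp-content/uploads/ should return 403, wp-config.php and wp-config.php.bak should return 403, wp-admin/ should prompt for the Apache password, and the public pages that use AJAX should still work.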


21. Disable html codes in comments


Never allow arbitrary HTML in the comments. WordPress core already filters comments from untrusted users with wp_kses, which drops <script> tags and on* event handlers but keeps harmless-looking tags such as <a>, <b> and <code>. That is usually safe, but every tag you allow is attack surface, and a plugin that renders comments differently (a “recent comments” widget, an e-mail notification) can turn allowed markup into stored cross-site scripting against you, the administrator reading the comment. There is no core setting that disables HTML in comments entirely; the usual way is a small filter that strips all tags before the comment is saved. Keep HTML disabled for everyone except trusted users.
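
Tips 7, 15 and 21 are each a one-line WordPress filter, so here they are together as one added must-use plugin. This is example code written for this article, not WordPress core's or any plugin's, and the example_strip_core_version name is invented here. It assumes a stock WordPress install where mu-plugins load after default-filters.php, which is the normal load order.

```php
<?php
/**
 * Plugin Name: Example hardening filters
 * Description: Added example for this article (not WordPress core's or any
 * plugin's code) covering tips 7, 15 and 21. Save as
 * wp-content/mu-plugins/example-hardening.php; mu-plugins need no activation.
 */

// ---- Tip 7: stop advertising the WordPress version -----------------------

// Core hooks wp_generator() on wp_head to print <meta name="generator" ...>
// and builds the <generator> element of RSS/Atom feeds through the
// the_generator filter. default-filters.php has already run when mu-plugins
// load, so remove_action() finds the hook.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Core appends ?ver=<WordPress version> to scripts and styles that are
// enqueued without a version of their own. Drop that query string only when
// it equals the core version, so plugin and theme assets keep their own
// cache-busting keys.
function example_strip_core_version($src) {
    global $wp_version;
    $query = wp_parse_url($src, PHP_URL_QUERY);
    parse_str((string) $query, $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version');
add_filter('style_loader_src', 'example_strip_core_version');
// readme.html in the site root still states the version: delete it or deny
// it in .htaccess. Attackers can fingerprint the version anyway; tip 1 is
// what actually protects you.

// ---- Tip 15: keep open registration off -----------------------------------

// pre_option_* short-circuits get_option(), so "Anyone can register" stays
// off even if the box is ticked in Settings > General (by mistake, or by an
// attacker holding a stolen admin session) until this file is removed.
add_filter('pre_option_users_can_register', '__return_zero');

// ---- Tip 21: store comments as plain text ---------------------------------

// Core already runs untrusted comments through wp_kses(), which removes
// <script> and on* handlers but keeps <a>, <b>, <code> and similar. This
// goes further: wp_filter_nohtml_kses() strips every tag before the comment
// is saved, for all commenters, administrators included.
add_filter('pre_comment_content', 'wp_filter_nohtml_kses');
```

Because the file lives in wp-content/mu-plugins it cannot be switched off from the dashboard, which is the point: an attacker who has only a stolen admin session cannot re-enable registration or HTML comments without write access to the file system.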


22. Moderate the comments and Regularly delete all spam comments from your blog


Enable comment moderation (Settings > Discussion, “Comment must be manually approved”) so that you review every comment before it is published and either approve or reject it. Delete spam comments on a regular basis: they carry links to malware and phishing sites, hurt your standing with search engines, and a comment table full of junk hides the few comments that matter.


Ayodhyanath Guru holds a B.Tech degree in Electrical Engineering, has worked with various prestigious clients in the IT industry and is presently working as a Software Engineer. He is a part-time blogger and presently authors the Jafaloo.Com blog. Being a tech enthusiast, Guru likes to surf the web and blog about interesting technical topics like how-to guides, freeware, tutorials, software, gadgets, web applications etc. Apart from blogging he likes coding in Java/J2EE and PHP.


4 Responses

  1. sandeep kumar says:

    Hi Guru,

    I was surprised why there is no comment/feedback on this article.
    You have done a gr8 job my friend.
    I was looking for tips to secure my wordpress blog your article is exactly what i was looking for.

    Thanks once again….

    My blog is http://www.firstdestination.co.in

    • Guru says:

      Hi Sandeep,
      Thanks a ton for your comments and appreciation. I hope this article was useful to you in securing your word-press installation. We do not have a strong user base for this blog yet as it was started just 3 months back, that is why no comments. But we are growing very fast and hoping to get a strong user base soon.

  2. That’s interesting article!

    One more tip:

    If you are using a WordPress theme with your mobile WordPress web site then it is highly likely that the Timthumb WordPress Hack can be exploited on your site. so keep your WordPress Theme updated if the one you have installed FREE…

  3. joomlaserviceprovider says:

    We are pleased to announce the release of wSecure. wSecure hides your WordPress admin URL with a special key so that only you can access it. The problem with WordPress is that anyone can tell if your site is WordPress by simply typing in the default URL to the administration area (i.e. http://www.yoursite.com/wp-admin). wSecure helps you hide the fact that your website is built with WordPress from prying eyes.

    Check out wSecure in action here: http://wp.joomlaserviceprovider.com/
