Tutorial Details
- Program: WordPress
- Version (if applicable): 3.x
- Difficulty: Intermediate
- Estimated Completion Time: 1-2 Hours
WordPress is the most widely used open-source platform today for any type of website, whether a blog, a CMS or a custom solution. WordPress is built on PHP (among other languages), so as a PHP developer I always apply a set of tips to secure and speed up the WordPress sites I develop. In this WordPress tutorial you will find tips and tricks for securing WordPress and optimizing your WordPress blog.
This section covers tips for securing your WordPress site: protecting files, restricting logins, restricting the WordPress admin, protecting the database, and more.
Security Tip 1: Stay Updated

The most important tip for securing a self-hosted WordPress website is also the most obvious: WordPress releases updates with security fixes all the time. When you see the notification in the admin panel, don’t ignore it! Updating is the single most effective way to protect your site from attacks, and yet so many people leave their site (and their clients’ sites) un-updated for fear of breaking their themes and/or plugins.
Here’s the real tip though: if your themes and plugins don’t work with the latest version of WordPress, they’re probably not all that secure to begin with.
Security Tip 2: Create Custom Secret Keys for Your wp-config.php File
All of the confidential details for your WordPress site are stored in the wp-config.php in your WordPress root directory. Secret keys are one of the bits of information stored in that file… so make sure you change the default secret keys to something else.

If you are not sure what to put in place of the default values, go to this link and it will generate random keys for you.
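As an added example (not code from the original tutorial or from WordPress itself), here is a small stand-alone PHP script that generates the eight secret keys locally, for when you would rather not fetch them from the online generator. The constant names are the ones wp-config.php uses; the helper function names and the character alphabet are this example’s own, and it assumes PHP 7 or later for random_int(). One thing worth knowing before you change them: new keys invalidate every existing login cookie, so all users have to log in again, but nothing else breaks, and the values do not need to be remembered anywhere other than wp-config.php.

```php
<?php
// Added example (not from the tutorial): generate the eight wp-config.php
// secret keys/salts locally with a cryptographically secure generator.
// Assumes PHP 7+ for random_int(). The helper names below are our own.

// The constant names WordPress expects to find in wp-config.php.
const WP_SECRET_KEYS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/**
 * Return one random key of $length printable characters drawn from a CSPRNG.
 * Single quotes and backslashes are deliberately left out of the alphabet so
 * the value can be pasted straight into a single-quoted PHP string.
 */
function generate_wp_secret($length = 64) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{};:,.<>?/|~';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];  // uniform, unbiased index
    }
    return $out;
}

/** Build the block of define() lines that replaces the defaults in wp-config.php. */
function wp_secret_defines() {
    $lines = '';
    foreach (WP_SECRET_KEYS as $name) {
        $lines .= sprintf("define('%s', '%s');\n", $name, generate_wp_secret());
    }
    return $lines;
}

// Usage: php gen-keys.php > keys.txt, then paste the output over the
// "put your unique phrase here" defines in wp-config.php.
echo wp_secret_defines();
```

Run it once, paste the output into wp-config.php, and then delete the output file: the keys are secrets in their own right and should not be left lying around on the server.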
Security Tip 3: Change the Database Prefix
A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is very convenient, but as a result many common setup values, such as your database prefix, are well known to attackers. If you don’t change the database prefix, the table names of your site’s database are easily guessed by anyone trying to break into your site.
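An added example (not from the tutorial or from WordPress) showing what changing the prefix on an existing site actually involves, because editing $table_prefix in wp-config.php is only enough for a fresh install. The function below returns the SQL to rename the eleven core tables of a 3.x install and to fix the two places where the prefix is stored inside row data rather than in a table name: the option named wp_user_roles in the options table, and the user meta keys such as wp_capabilities and wp_user_level in the usermeta table. The function name and the sample prefixes are this example’s own; any plugin tables that use the old prefix need the same rename.

```php
<?php
// Added example, not the tutorial's code: emit the SQL needed to move an
// EXISTING WordPress 3.x install from one table prefix to another.
// Run the statements after taking a backup, then set $table_prefix in
// wp-config.php to the new value. Function name and prefixes are ours.

// The core tables of a WordPress 3.x install (plugin tables not included).
const WP_CORE_TABLES = [
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
];

/**
 * Return the ordered list of SQL statements for the prefix change.
 */
function prefix_migration_sql($old, $new) {
    foreach ([$old, $new] as $p) {
        // Only [A-Za-z0-9_] is safe inside an identifier and a LIKE pattern.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $p)) {
            throw new InvalidArgumentException("bad prefix: $p");
        }
    }
    $sql = [];

    // 1. Rename every core table.
    foreach (WP_CORE_TABLES as $t) {
        $sql[] = sprintf('RENAME TABLE `%s%s` TO `%s%s`;', $old, $t, $new, $t);
    }

    // 2. The roles option is named after the prefix (wp_user_roles).
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';",
        $new, $new, $old
    );

    // 3. Per-user meta keys (wp_capabilities, wp_user_level, ...) embed the
    //    prefix too. SUBSTRING is 1-based, so strlen($old)+1 drops the old
    //    prefix; '_' is escaped so LIKE matches it literally.
    $like = str_replace('_', '\\_', $old);
    $sql[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';",
        $new, $new, strlen($old) + 1, $like
    );
    return $sql;
}

// Usage: review the output, then run it against the database in one transaction.
echo implode("\n", prefix_migration_sql('wp_', 'k7q_')), "\n";
```

If you forget step 2 or 3, the tables rename fine but every user, including you, loses their role and lands in the admin with no capabilities, which is the classic symptom of a half-done prefix change.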

Security Tip 4: Protect Your wp-config.php File
As mentioned earlier, the wp-config.php file contains all the confidential details of your site. So it’s pretty important that you protect it at all costs. An easy way to protect this file is to simply place the following code in your .htaccess file on your server.
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
Security Tip 5: Protect Your .htaccess File
We can protect the wp-config.php file as shown above, but what about protecting the .htaccess file itself? Don’t worry, the same .htaccess file can be used to protect itself from being preyed upon. Just place the code below in your .htaccess file.
<Files .htaccess>
    order allow,deny
    deny from all
</Files>
Security Tip 6: Hide Your WordPress Version
Another good idea is to remove the WordPress generator meta tag. This tag reveals the version of WordPress your site runs, and a visible version number tells an attacker exactly which known weaknesses to look for. If you absolutely cannot update your WordPress version (tip #1), this is a good failsafe that at least hides the fact that you’re not on the most current version.
To do this, place the code below in the functions.php of your active theme (the hook is wp_head, the action that prints the <head> section).
remove_action('wp_head', 'wp_generator');
You can go one step further and additionally remove it from RSS feeds using this:
function wpt_remove_version() {
    return '';
}
add_filter('the_generator', 'wpt_remove_version');
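An added example, not the tutorial’s own code: a complete functions.php (or mu-plugin) snippet that goes one step further than the two snippets above. Besides the generator meta tag and the feed generator, WordPress core appends ?ver=<your version> to the script and style URLs it enqueues, which reveals the same number, so the filter below strips that query string from core assets. The hook and filter names (wp_head, the_generator, style_loader_src, script_loader_src), get_bloginfo() and remove_query_arg() are real WordPress APIs; the example_* function names are this example’s own. readme.html in the site root still states the version, so treat all of this as defense in depth, not as a substitute for tip #1.

```php
<?php
// Added example, not the tutorial's own code. Drop into the active theme's
// functions.php or into a file under wp-content/mu-plugins/.
// Hook and filter names are real WordPress APIs; example_* functions are ours.

// 1. The <meta name="generator"> tag in the HTML <head>.
remove_action('wp_head', 'wp_generator');

// 2. The <generator> element in RSS/Atom feeds, and any other the_generator() output.
function example_empty_generator($generator) {
    return '';
}
add_filter('the_generator', 'example_empty_generator');

// 3. The ?ver=<core version> query string WordPress adds to the scripts and
//    styles it enqueues. Only the core version is stripped, so plugin and
//    theme assets keep their own cache-busting version numbers.
function example_strip_core_ver($src) {
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_ver');
add_filter('script_loader_src', 'example_strip_core_ver');
```

To check the result, view the page source of the front page and of /feed/ and search for "generator" and "ver=": neither should show the core version any more.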
Security Tip 7: Install WordPress Security Scan Plugin
This is a good plugin which scans your WordPress installation and gives suggestions accordingly. It checks the following:
- Passwords
- File Permissions
- Database Security
- WordPress Admin protection
Download the plugin from here.
There are other security scans as well – for instance, VaultPress (which we’ll mention below) will do this as well as part of a much bigger package of security services.
Security Tip 8: Limit The Number of Failed Login Attempts
This handy plugin limits the number of failed login attempts, which is useful when someone is trying to guess your password, either manually or with a bot.
You can download plugin from here.
Security Tip 9: Ask Apache Password Protect
Here is one more good plugin, provided by Ask Apache, which gives you more control over your blog in terms of security.
You can protect your site with 401 (HTTP basic) authorization in a few easy steps, all managed from the WordPress admin panel.
You can download this plugin from here.
Security Tip 10: Don’t Use “admin” As Your Username (and Pick Strong Passwords)
This one’s perhaps the easiest of them all. WordPress normally sets up your main admin account name as “admin”, so it’s usually the first username that attackers will try. As of version 3.0 you can change this during the initial setup, but it’s easy to forget that you can go back and change it even if you set up your site before version 3.0. So, pick a name other than admin.
Additionally, picking strong passwords for all of the users on your blog (and for your MySQL database) is a fundamental way to boost your security. Use the Strong Password Generator if you can’t come up with one on your own.
Security Tip 11: Last but not Least, Backup!
I have placed backups as the last item here, but don’t consider them any less important. Regular backups of your site will make you feel safer than anything else above. There are several WordPress plugins available which manage the backups for you.
Here are some free plugins for WordPress backup.
But if you are more serious about the backup for your blog then you should go with the paid solution. The two biggest premium solutions out there right now are Backup Buddy and VaultPress.
Conclusion
There are many more tips and tricks to go with this, but I’ve tried my best to present the best “bang for your buck” tips for anyone out there just looking to get started with WordPress security. Be sure to check out our other WordPress security articles for more information! Share your thoughts on this below!



Would changing the directories of “wp-includes” and “wp-content” be necessary on the list? One of the biggest concerns would be changing “wp-admin” to a different directory, but currently it’s nearly impossible as far as my knowledge goes.
As I understand it, the Ask Apache plugin helps protect those directories… but perhaps Avinash can provide a bit more insight
@Terrence Campbell:
As far as my knowledge goes, we can protect the wp-admin, wp-include, etc. folders using Ask Apache, but so far WordPress has not released any official way to perform this task. What do you think?
Well yes, that is a necessary way. I forgot a certain method that usually helped a lot of people. Only allowing certain IP’s and redirecting once attempted! Sometimes it can fool people, but who couldn’t recognize a WordPress site?
have you been following what is happening at css-tricks.com?
Al
That domain was transferred to another account by some person, and this is not the case for this domain only. There are a few other domains which have the same problem.
This isn’t a security step at all. Your best bet is to stay updated.
First, automated attacks more often than not don’t bother checking for a version, they simply try an attack. Second, none of the steps you provided actually hide the version of WordPress a site is using. Actually hiding the version would be so difficult it would likely require breaking your WordPress install.
Great Article Avinash
Good Job
Thanks For this article
10 or 11 quick tips? lol
What about moving your wp-config file up one level out of the root?
Additional :
WordPress 3.2.1 Core (post-template.php) Improper Sanitizing (Persistent XSS)
Author : Darshit Ashara
Date : 21/08/2011
Vendor : WordPress
Version: 3.2.1
Improperly sanitized code in the WordPress core module (post-template.php)
causing cross-site scripting.
An author can simply update his post title to alert('1');
and it will give an alert on the index page and post page.
Below are the temporary patches for fixing it.
Vendor notified about this vulnerability.
/* This will patch XSS in Index Page */
Vulnerable Code Part 1
function the_title($before = '', $after = '', $echo = true) {
    $title = get_the_title();
    if ( strlen($title) == 0 )
        return;
    $title = $before . $title . $after;
    if ( $echo )
        echo htmlentities($title); /* Line No 52 Patch */
    else
        return htmlentities($title); /* Line No 54 Patch */
}
Vulnerable Code Part 2
function the_title_attribute( $args = '' ) {
    $title = get_the_title();
    if ( strlen($title) == 0 )
        return;
    $defaults = array('before' => '', 'after' => '', 'echo' => true);
    $r = wp_parse_args($args, $defaults);
    extract( $r, EXTR_SKIP );
    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title));
    if ( $echo )
        echo htmlentities($title); /* Line No 87 Patch here by adding htmlentities */
    else
        return htmlentities($title); /* Line No 89 Patch */
}
/* This will patch XSS in Post page */
Vulnerable Code Part 3
function get_the_title( $id = 0 ) {
    $post = &get_post($id);
    $title = isset($post->post_title) ? $post->post_title : '';
    $id = isset($post->ID) ? $post->ID : (int) $id;
    if ( !is_admin() ) {
        if ( !empty($post->post_password) ) {
            $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
            $title = sprintf($protected_title_format, $title);
        } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
            $private_title_format = apply_filters('private_title_format', __('Private: %s'));
            $title = sprintf($private_title_format, $title);
        }
    }
    return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch */
}
How about explaining what all this means? It “looks” official. What does it do? and Why is it necessary?
This is a false alarm, don’t worry about it.
Apparently some enthusiastic hacker didn’t know that WordPress allows users with Admin or Editor privileges to post unfiltered HTML.
Another decent free backup is called updraft.
Forgive me but this tut leaves me flat. It leaves more questions unanswered than it answers – for every section! For example, you give a link for new secret keys but say absolutely nothing about what they are, how to change them (certainly they are not even visible to the WP editor), and what will happen to existing installations once we change them – are we going to have to remember them or not be able to get back in??? “Change the Database Prefix” – “Protect Your wp-config.php File” — you couldn’t add a sentence or two to explain what the code you gave was intended to do and why?
Maybe simple questions to you; but, YOU aren’t the one reading the tut! And it was like that for me on nearly every “tip” you made. Your tut was more like a “checklist” for programmers who already knew the stuff to use rather than an actual tutorial for general use.
Your gross generalization, “If you (sic) themes and plugins don’t work with the latest version of WordPress, they’re probably not all that secure to begin with”, is absurd. The vast majority of plug-ins have nothing to do with security holes; which, by sheer statistics, makes it most probable that a plug-in which doesn’t work after an upgrade has more to do with “convention changes” or some such than any plugged security hole. And certainly NOT ALL the changes that WP makes are for security reasons.
WPs greatest asset, I feel, is that it is community based and as such conglomerates code from tons of users; HOWEVER, its greatest weakness is also that it is community based and as such conglomerates code from tons of users! “Fixes” are changes and can (and often do) create other problems; so, the decision to upgrade is more than just a “knee-jerk” – I wish it wasn’t, but there you are! Perhaps WP should split uploads into “enhancements” and “strictly security fixes” so users would be more “in the know” about what was being pushed down the pipe.
It does take time to prepare a tut and we shouldn’t complain about getting something for free but the title caused me to have expectations that weren’t fulfilled. I am no more able to secure my site after reading your tut than I was before seeing it; except, perhaps, that now I have a list of items that I can Google about and find someone else to teach me how to do it. So, for at least that, I am grateful for the time you spent in creating the checklist.
If the Tuts team explained each and every topic in this article, then I guess they would need a separate article for each tip mentioned above. And as the name says, “Quick Tips”, we should not expect more than just a direction rather than the full path to reach the destination.
The tips were pretty straightforward to me. You can always, hmmm, you know, find out on your own how to do the things you don’t know how to do.
Furthermore, the level at the top of the article says intermediate. Again, I don’t consider myself an expert, but they were pretty straightforward tips to me.
what is the advantage of creating custom keys
I have read numerous places that just using 2 or 3 simple unrelated words as a password is the BEST password.
It could take “1,163,859 years using a brute-force method”, which is pretty phenomenal considering bananabankuntensil is super easy to remember and would take so long to brute-force.
Great article, hope this was some useful information on password security!
http://www.readwriteweb.com/enterprise/2011/01/why-using-2-or-3-simple-words.php
Great article – thank you
Indeed these are the main security steps everyone concerned about security should be following.
I can’t help but read it because I’ve been hearing horror stories from people whose sites were transferred to a different domain registrar, so these tips will definitely come in handy.
I keep my WordPress up-to-date and use plugins to combat spam comments and stuff. I always do the Security Tip 4-6 to keep my site protected.
Great article and very useful! Until now I only had a basic .htaccess, but this is going to change! Good job, tutsplus!
Thanks for the info – agree that in case else fails, a good backup routine is absolutely essential.
I would add that you should use SMTP authentication (with a strong password) rather than PHPMail for notifications and contact forms etc as PHPMail is more likely to be attacked – configure it manually or use a plugin like WP-Mail-SMTP to do it.
Great !
Thanks for this article. It’s very useful for me.
Hi Avi,
Can we hide wordpress information by renaming wp-content and wp-include?
I saw these days many of wordpress sites are hacked ..
Will Tip #5 affect the ability to create 301 redirects in my control panel that write in my .htaccess?
Nice article with easy to implement ideas. Thanks! =)
Thanks for your updates.
But none of the tricks is working on my WP 3.2.1 version on the following sites:
http://www.rbizsolutions.biz
http://www.dhrubajyotideka.com
http://www.timesofassam.com
thanks bro….
good info….
Hey, that is a good post & a good set of conversations too. Keep sharing, that is good…
I found earlier tips on securing WordPress by Fouad Matin on Sep 16th 2011 (http://wp.tutsplus.com/tutorials/10-steps-to-securing-your-wordpress-installation/). He said to use to hide the WordPress version. But in this article, the code was remove_action(‘wp_header’, ‘wp_generator’);. See the difference? wp-head and wp-header. Which one should I use? Thank you for the great article.
This was very useful to me. I found another admin user in my website, I said omg, someone hacked me, and then spent hours finding the hacker and the trojans that he put in my website. I deleted it, changed all passwords (including the MySQL and user passwords) and used all the information in this post, and now I feel better and more secure… thanks for the post.